Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/junkurihara/python-check_certchain

A sample code to check a certificate chain for a host, written in Python

README

# Simple checker of PKI certificate chain

## Setup

```console
$ python3 -m venv venv
$ source venv/bin/activate
(venv) $ pip install -r requirements.txt
```

## Usage

A sample command-line interface, which uses a custom logger:

```console
(venv) $ python ./src/check_cert_chain.py
Enter TLS/HTTPS host name to validate: www.google.com

<>
Certificate:
subject:
issuer :
Certificate:
subject:
issuer :
Trust anchor:
subject:
issuer :

[DEBUG] <>
[DEBUG] 1) No certificate is expired
[DEBUG] 2) An valid trust anchor exists
[DEBUG] 3) Every cert is validated by its parent cert in the chain.
[DEBUG] 4) Domain name www.google.com is validated by checking SAN or CN of the leaf cert.
[DEBUG] Validation succeeded for www.google.com

Certificate for www.google.com verified: True
```

`src/CertChain.py` provides a class `CertChain` that represents the certificate chain and its trust anchor for a given domain name. A `CertChain` instance provides a step-by-step validation method and a print method for the certificates. The default log level of the class is `INFO`.
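The four checks the log above walks through (expiry, trust anchor, parent signature, SAN/CN host match), as an added example that is not the project's own code. It assumes the `cryptography` package, ECDSA-signed certificates, and a constructed root/intermediate/leaf chain for the hypothetical host www.example.test; `validate` returns a reason string where the tool prints log lines.

```python
# Added example (not the project's code); assumes `cryptography` and ECDSA-signed certs.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
UTC = dt.timezone.utc
NOW = dt.datetime(2024, 6, 1, tzinfo=UTC)  # constructed clock for the demo certificates

def make_cert(cn, key, signer=None, days=365, san=None):  # signer=(cert, key); None = self-signed
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer, sign_key = (signer[0].subject, signer[1]) if signer else (name, key)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=days)))
    if san:  # the leaf carries its host name in SAN; the CA certs here have only a CN
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(sign_key, hashes.SHA256())

def validate(chain, anchors, host, now=NOW):  # chain is leaf first; returns (ok, reason)
    for c in chain:                                          # 1) no certificate is expired
        nb = getattr(c, "not_valid_before_utc", None) or c.not_valid_before.replace(tzinfo=UTC)
        na = getattr(c, "not_valid_after_utc", None) or c.not_valid_after.replace(tzinfo=UTC)
        if not nb <= now <= na:
            return False, "Certificates expired"
    anchor = next((a for a in anchors if a.subject == chain[-1].issuer), None)
    if anchor is None:                                       # 2) a valid trust anchor exists
        return False, "No valid trust anchor"
    for child, parent in zip(chain, chain[1:] + [anchor]):   # 3) every cert signed by its parent
        if child.issuer != parent.subject:
            return False, "Issuer does not match parent subject"
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except Exception:  # InvalidSignature, or a non-EC parent key this demo does not handle
            return False, "Certificate not validated by its parent"
    try:                                                     # 4) host name in SAN, else in CN
        ext = chain[0].extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = [a.value for a in chain[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if host not in names:  # exact match only; wildcard and IDNA rules are out of scope here
        return False, "Host name unmatched"
    return True, "Validation succeeded"

# Constructed demo chain: self-signed root -> intermediate -> leaf for www.example.test
ROOT_KEY, INT_KEY, LEAF_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Demo Root", ROOT_KEY, days=3650)
INTER = make_cert("Demo Intermediate", INT_KEY, signer=(ROOT, ROOT_KEY), days=1825)
LEAF = make_cert("www.example.test", LEAF_KEY, signer=(INTER, INT_KEY), san="www.example.test")
```

Passing a chain with the intermediate omitted or the host name wrong reproduces the "No valid trust anchor" and "Host name unmatched" outcomes shown in the badssl.com runs below.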

## Check using badssl.com

```console
(venv) $ python ./src/check_cert_chain.py
Enter TLS/HTTPS host name to validate: expired.badssl.com

<>
Certificate:
subject:
issuer :
Certificate:
subject:
issuer :
Certificate:
subject:
issuer :
[WARNING] No valid trust anchor was found for the domain name

[DEBUG] <>
[WARNING] Certificates expired

Certificate for expired.badssl.com verified: False
```

```console
(venv) $ python ./src/check_cert_chain.py
Enter TLS/HTTPS host name to validate: self-signed.badssl.com

<>
Certificate:
subject:
issuer :
[WARNING] No valid trust anchor was found for the domain name

[DEBUG] <>
[DEBUG] 1) No certificate is expired
[WARNING] No valid trust anchor

Certificate for self-signed.badssl.com verified: False
```

```console
(venv) $ python ./src/check_cert_chain.py
Enter TLS/HTTPS host name to validate: untrusted-root.badssl.com

<>
Certificate:
subject:
issuer :
Certificate:
subject:
issuer :
[WARNING] No valid trust anchor was found for the domain name

[DEBUG] <>
[DEBUG] 1) No certificate is expired
[WARNING] No valid trust anchor

Certificate for untrusted-root.badssl.com verified: False
```

```console
(venv) $ python ./src/check_cert_chain.py
Enter TLS/HTTPS host name to validate: wrong.host.badssl.com

<>
Certificate:
subject:
issuer :
Certificate:
subject:
issuer :
Trust anchor:
subject:
issuer :

[DEBUG] <>
[DEBUG] 1) No certificate is expired
[DEBUG] 2) An valid trust anchor exists
[DEBUG] 3) Every cert is validated by its parent cert in the chain.
[WARNING] Host name unmatched: ('Host name unmatched',)

Certificate for wrong.host.badssl.com verified: False
```

## Caveats

- Revocation checking (OCSP and CRL) is not supported