1use std::time::Duration;
12
13use chrono::{DateTime, Utc};
14use serde::{Deserialize, Serialize};
15use tokio::net::TcpStream;
16use tokio_native_tls::TlsConnector;
17use tracing::{debug, instrument};
18use x509_parser::oid_registry::Oid;
19use x509_parser::prelude::*;
20
21use crate::caa::{self, CaaPolicy};
22use crate::dns::DnsResolver;
23use crate::error::{Result, SeerError};
24use crate::net::resolve_public_host;
25use crate::validation::normalize_domain;
26
27const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
29
30#[derive(Debug, Clone, Serialize, Deserialize)]
32pub struct SslReport {
33 pub domain: String,
35 pub chain: Vec<CertDetail>,
37 pub protocol_version: Option<String>,
39 pub san_names: Vec<String>,
41 pub is_valid: bool,
51 #[serde(default)]
59 pub hostname_verified: bool,
60 pub days_until_expiry: i64,
62 #[serde(skip_serializing_if = "Option::is_none")]
69 pub caa: Option<CaaPolicy>,
70}
71
72#[derive(Debug, Clone, Serialize, Deserialize)]
74pub struct CertDetail {
75 pub subject: String,
77 pub issuer: String,
79 pub valid_from: DateTime<Utc>,
81 pub valid_until: DateTime<Utc>,
83 pub serial_number: String,
85 pub signature_algorithm: Option<String>,
87 pub is_ca: bool,
89 pub key_type: Option<String>,
91 pub key_bits: Option<u32>,
93}
94
95#[derive(Debug, Clone)]
97pub struct SslChecker {
98 dns_resolver: DnsResolver,
100 timeout: Duration,
102}
103
104impl Default for SslChecker {
105 fn default() -> Self {
106 Self::new()
107 }
108}
109
110impl SslChecker {
111 pub fn new() -> Self {
113 Self {
114 dns_resolver: DnsResolver::new(),
115 timeout: DEFAULT_TIMEOUT,
116 }
117 }
118
119 pub fn with_timeout(mut self, timeout: Duration) -> Self {
121 self.timeout = timeout;
122 self.dns_resolver = DnsResolver::new().with_timeout(timeout);
123 self
124 }
125
126 #[instrument(skip(self), fields(domain = %domain))]
138 pub async fn check(&self, domain: &str) -> Result<SslReport> {
139 let domain = normalize_domain(domain)?;
140
141 debug!(domain = %domain, "Checking SSL certificate chain");
142
143 let caa_future = caa::lookup_caa(&self.dns_resolver, &domain);
147
148 let resolve_future = resolve_public_host(&domain, 443);
153
154 let (caa_policy, socket_addrs) = tokio::join!(caa_future, resolve_future);
155 let socket_addrs = socket_addrs.map_err(|e| {
156 SeerError::SslError(format!(
157 "could not resolve {} for SSL inspection: {}",
158 domain, e
159 ))
160 })?;
161
162 let connector = native_tls::TlsConnector::builder()
164 .danger_accept_invalid_certs(true)
165 .build()
166 .map_err(|e| SeerError::SslError(format!("Failed to create TLS connector: {}", e)))?;
167 let connector = TlsConnector::from(connector);
168
169 let stream =
171 tokio::time::timeout(self.timeout, TcpStream::connect(socket_addrs.as_slice()))
172 .await
173 .map_err(|_| SeerError::Timeout("SSL connection timed out".to_string()))?
174 .map_err(|e| {
175 SeerError::SslError(format!("Failed to connect to {}:443: {}", domain, e))
176 })?;
177
178 let tls_stream = tokio::time::timeout(self.timeout, connector.connect(&domain, stream))
180 .await
181 .map_err(|_| SeerError::Timeout("TLS handshake timed out".to_string()))?
182 .map_err(|e| SeerError::SslError(format!("TLS handshake failed: {}", e)))?;
183
184 let cert = tls_stream
186 .get_ref()
187 .peer_certificate()
188 .map_err(|e| SeerError::SslError(format!("Failed to get certificate: {}", e)))?
189 .ok_or_else(|| SeerError::SslError("No certificate presented".to_string()))?;
190
191 let der = cert
192 .to_der()
193 .map_err(|e| SeerError::SslError(format!("Failed to encode certificate: {}", e)))?;
194
195 let (_, x509) = X509Certificate::from_der(&der)
197 .map_err(|e| SeerError::SslError(format!("Failed to parse certificate: {}", e)))?;
198
199 let san_names = extract_sans(&x509);
201
202 let leaf_detail = parse_cert_detail(&x509)?;
205
206 let now = Utc::now();
207 let days_until_expiry = (leaf_detail.valid_until - now).num_days();
208 let is_valid = now >= leaf_detail.valid_from && now <= leaf_detail.valid_until;
209
210 let hostname_verified = san_names
217 .iter()
218 .any(|san| hostname_matches_pattern(&domain, san))
219 || subject_cn_matches_host(&x509, &domain);
220
221 let mut caa_policy = caa_policy;
224 caa_policy.issuer_match = Some(caa::classify_issuer(&leaf_detail.issuer, &caa_policy));
225
226 Ok(SslReport {
227 domain,
228 chain: vec![leaf_detail],
229 protocol_version: None,
230 san_names,
231 is_valid,
232 hostname_verified,
233 days_until_expiry,
234 caa: Some(caa_policy),
235 })
236 }
237}
238
239fn hostname_matches_pattern(host: &str, pattern: &str) -> bool {
244 let host = host.to_ascii_lowercase();
245 let pattern = pattern.to_ascii_lowercase();
246 if let Some(rest) = pattern.strip_prefix("*.") {
247 let Some(dot) = host.find('.') else {
248 return false;
249 };
250 let host_rest = &host[dot + 1..];
251 host_rest == rest
252 } else {
253 host == pattern
254 }
255}
256
257fn subject_cn_matches_host(cert: &X509Certificate, host: &str) -> bool {
261 for cn in cert.subject().iter_common_name() {
262 if let Ok(s) = cn.as_str() {
263 if hostname_matches_pattern(host, s) {
264 return true;
265 }
266 }
267 }
268 false
269}
270
271fn extract_sans(cert: &X509Certificate) -> Vec<String> {
273 let mut sans = Vec::new();
274 if let Ok(Some(ext)) = cert.subject_alternative_name() {
275 for name in &ext.value.general_names {
276 match name {
277 GeneralName::DNSName(dns) => {
278 sans.push(dns.to_string());
279 }
280 GeneralName::IPAddress(ip_bytes) => {
281 sans.push(format_ip_san(ip_bytes));
282 }
283 _ => {}
284 }
285 }
286 }
287 sans
288}
289
290fn format_ip_san(ip_bytes: &[u8]) -> String {
298 match ip_bytes.len() {
299 4 => {
300 let octets: [u8; 4] = [ip_bytes[0], ip_bytes[1], ip_bytes[2], ip_bytes[3]];
301 std::net::Ipv4Addr::from(octets).to_string()
302 }
303 16 => {
304 let mut octets = [0u8; 16];
305 octets.copy_from_slice(ip_bytes);
306 std::net::Ipv6Addr::from(octets).to_string()
307 }
308 _ => format!("{:?}", ip_bytes),
309 }
310}
311
312fn parse_cert_detail(cert: &X509Certificate) -> Result<CertDetail> {
314 let subject = cert.subject().to_string();
315 let issuer = cert.issuer().to_string();
316
317 let valid_from = asn1_time_to_chrono(cert.validity().not_before)?;
318 let valid_until = asn1_time_to_chrono(cert.validity().not_after)?;
319
320 let serial_number = cert.serial.to_str_radix(16);
321
322 let signature_algorithm = oid_to_name(&cert.signature_algorithm.algorithm);
323
324 let is_ca = cert.is_ca();
325
326 let spki = cert.public_key();
328 let (key_type, key_bits) = extract_key_info(spki);
329
330 Ok(CertDetail {
331 subject,
332 issuer,
333 valid_from,
334 valid_until,
335 serial_number,
336 signature_algorithm,
337 is_ca,
338 key_type,
339 key_bits,
340 })
341}
342
343fn extract_key_info(spki: &SubjectPublicKeyInfo) -> (Option<String>, Option<u32>) {
345 use x509_parser::public_key::PublicKey;
346 let oid = &spki.algorithm.algorithm;
347 let key_type = oid_to_key_type(oid);
348 let key_bits = match spki.parsed() {
349 Ok(PublicKey::RSA(rsa)) => Some(rsa.key_size() as u32),
350 Ok(PublicKey::EC(ec)) => Some(ec.key_size() as u32),
351 _ => None,
352 };
353 (key_type, key_bits)
354}
355
356fn oid_to_name(oid: &Oid) -> Option<String> {
358 let oid_str = format!("{}", oid);
359 match oid_str.as_str() {
360 "1.2.840.113549.1.1.11" => Some("SHA-256 with RSA".to_string()),
361 "1.2.840.113549.1.1.12" => Some("SHA-384 with RSA".to_string()),
362 "1.2.840.113549.1.1.13" => Some("SHA-512 with RSA".to_string()),
363 "1.2.840.113549.1.1.5" => Some("SHA-1 with RSA".to_string()),
364 "1.2.840.113549.1.1.14" => Some("SHA-224 with RSA".to_string()),
365 "1.2.840.10045.4.3.2" => Some("ECDSA with SHA-256".to_string()),
366 "1.2.840.10045.4.3.3" => Some("ECDSA with SHA-384".to_string()),
367 "1.2.840.10045.4.3.4" => Some("ECDSA with SHA-512".to_string()),
368 "1.3.101.112" => Some("Ed25519".to_string()),
369 "1.3.101.113" => Some("Ed448".to_string()),
370 _ => Some(oid_str),
371 }
372}
373
374fn oid_to_key_type(oid: &Oid) -> Option<String> {
376 let oid_str = format!("{}", oid);
377 match oid_str.as_str() {
378 "1.2.840.113549.1.1.1" => Some("RSA".to_string()),
379 "1.2.840.10045.2.1" => Some("EC".to_string()),
380 "1.3.101.112" => Some("Ed25519".to_string()),
381 "1.3.101.113" => Some("Ed448".to_string()),
382 _ => Some(oid_str),
383 }
384}
385
386fn asn1_time_to_chrono(time: ASN1Time) -> Result<DateTime<Utc>> {
388 let timestamp = time.timestamp();
389 DateTime::from_timestamp(timestamp, 0)
390 .ok_or_else(|| SeerError::SslError("invalid certificate timestamp".to_string()))
391}
392
393#[cfg(test)]
394mod tests {
395 use super::*;
396
397 #[test]
398 fn test_ssl_checker_creation() {
399 let _checker = SslChecker::new();
400 let _default_checker = SslChecker::default();
401 }
402
403 #[test]
404 fn test_oid_to_name() {
405 let oid = Oid::from(&[1, 2, 840, 113549, 1, 1, 11][..]).unwrap();
406 assert_eq!(oid_to_name(&oid), Some("SHA-256 with RSA".to_string()));
407 }
408
409 #[test]
410 fn test_oid_to_key_type() {
411 let oid = Oid::from(&[1, 2, 840, 113549, 1, 1, 1][..]).unwrap();
412 assert_eq!(oid_to_key_type(&oid), Some("RSA".to_string()));
413 }
414
415 #[tokio::test]
421 #[ignore = "requires network — performs a real TLS handshake"]
422 async fn check_live_example_com_succeeds() {
423 let report = SslChecker::new().check("example.com").await.unwrap();
424 assert_eq!(report.domain, "example.com");
425 assert!(!report.chain.is_empty(), "expected at least a leaf cert");
426 assert!(
427 report.is_valid,
428 "example.com's leaf cert should be currently valid"
429 );
430 }
431
432 #[test]
433 fn test_ssl_report_serialization() {
434 let report = SslReport {
435 domain: "example.com".to_string(),
436 chain: vec![CertDetail {
437 subject: "CN=example.com".to_string(),
438 issuer: "CN=R3, O=Let's Encrypt".to_string(),
439 valid_from: Utc::now(),
440 valid_until: Utc::now(),
441 serial_number: "abc123".to_string(),
442 signature_algorithm: Some("SHA-256 with RSA".to_string()),
443 is_ca: false,
444 key_type: Some("RSA".to_string()),
445 key_bits: Some(2048),
446 }],
447 protocol_version: None,
448 san_names: vec!["example.com".to_string(), "*.example.com".to_string()],
449 is_valid: true,
450 hostname_verified: true,
451 days_until_expiry: 90,
452 caa: None,
453 };
454 let json = serde_json::to_string(&report).unwrap();
455 assert!(json.contains("example.com"));
456 assert!(json.contains("SHA-256 with RSA"));
457 assert!(json.contains("\"is_valid\":true"));
458 assert!(json.contains("\"hostname_verified\":true"));
459 }
460
461 #[test]
462 fn format_ip_san_renders_canonical_addresses() {
463 assert_eq!(format_ip_san(&[192, 168, 0, 1]), "192.168.0.1");
465 let mut loopback = [0u8; 16];
467 loopback[15] = 1;
468 assert_eq!(format_ip_san(&loopback), "::1");
469 let mut addr = [0u8; 16];
472 addr[0] = 0x20;
473 addr[1] = 0x01;
474 addr[2] = 0x0d;
475 addr[3] = 0xb8;
476 addr[15] = 1;
477 assert_eq!(format_ip_san(&addr), "2001:db8::1");
478 }
479
480 #[test]
481 fn hostname_matches_pattern_exact_and_wildcard() {
482 assert!(hostname_matches_pattern("example.com", "example.com"));
483 assert!(hostname_matches_pattern("EXAMPLE.COM", "example.com"));
484 assert!(hostname_matches_pattern("a.example.com", "*.example.com"));
486 assert!(!hostname_matches_pattern("example.com", "*.example.com"));
488 assert!(!hostname_matches_pattern(
490 "a.b.example.com",
491 "*.example.com"
492 ));
493 assert!(!hostname_matches_pattern("evil.test", "example.com"));
495 }
496}