fluidasserts.format.x509 module

This module checks X.509 certificates, as presented by a TLS server, for known weaknesses.

fluidasserts.format.x509.is_cert_cn_not_equal_to_site(site, port=443)

Check if the certificate's Common Name (CN) differs from the given site name.

The name in the certificate should be coherent with the organization name, see REQ. 093. The comparison is a strict match against the CN only; modern TLS clients match the host name against the Subject Alternative Name extension instead, so a certificate that is valid for the site in a browser may still be reported here.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the parameter site does not equal the certificate's Common Name (CN).

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.format.x509.is_cert_cn_using_wildcard(site, port=443)

Check if the certificate uses a wildcard in the CN.

The Common Name in certificates should not use wildcards: a wildcard certificate (and its private key) is shared by every host under the domain, so compromising any one of those hosts exposes all of them.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the CN uses wildcards.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.format.x509.is_cert_inactive(site, port=443)

Check if the certificate is no longer valid.

Fails if the end of the validity period obtained from the certificate is at or before the time of execution.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the certificate's not-valid-after date is less than or equal to the current time. Only the end of the validity period is checked; a certificate whose not-valid-before date is still in the future is not reported.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.format.x509.is_cert_untrusted(site, port=443)

Check if the certificate is untrusted (not signed by a recognized CA).

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the certificate is not signed by a recognized Certificate Authority.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.format.x509.is_cert_validity_lifespan_unsafe(site, port=443)

Check if the certificate's lifespan is longer than two years, which is insecure: the longer a key is in use, the longer a leaked or weak key can be exploited before it rotates.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the certificate's lifespan (not_valid_after - not_valid_before) is more than 730 days. Note that publicly trusted TLS certificates have been limited to 398 days by the CA/Browser Forum Baseline Requirements since September 2020, so a certificate that passes this check may still be rejected by browsers.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
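The checks above (CN versus site name, wildcard CN, validity window, trust and lifespan) can be reproduced with the standard library alone. The following is an added example written for this page; it is not fluidasserts' own code, and it returns the strings "OPEN", "CLOSED" and "UNKNOWN" instead of fluidasserts.Result objects. It operates on the dict shape returned by ssl.SSLSocket.getpeercert(), so a captured certificate can be checked offline; SAMPLE_CERT is a constructed certificate in that shape, not data from a real site. It also goes one step beyond the documented CN check with is_site_not_covered(), which does the Subject Alternative Name and wildcard matching that a browser performs, and is_cert_inactive() additionally reports a certificate whose validity has not yet begun. Only fetch_peer_cert() needs network access.

```python
"""Stand-alone re-implementation of the x509 checks documented above.

Added example, not fluidasserts' own code. Works on the dict returned by
ssl.SSLSocket.getpeercert(); only fetch_peer_cert() talks to the network.
"""
import socket
import ssl
import time

OPEN, CLOSED, UNKNOWN = "OPEN", "CLOSED", "UNKNOWN"

# Constructed sample in getpeercert() shape (not a real site's certificate):
# wildcard CN, two SAN entries, three-year validity (2022-01-01 .. 2025-01-01).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
    "notBefore": "Jan 01 00:00:00 2022 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}


def common_name(cert):
    """Return the subject CN, or None if the subject carries none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_names(cert):
    """Names a client may match: SAN DNS entries, falling back to the CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = common_name(cert)
    return sans or ([cn] if cn else [])


def name_matches(pattern, host):
    """Browser-style host name match: case-insensitive, a single '*' may only
    stand for the whole leftmost label, never spans a dot, and a wildcard
    directly under a public suffix such as '*.test' is rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def is_cert_cn_not_equal_to_site(cert, site):
    """The documented check: strict comparison of the CN with the site."""
    cn = common_name(cert)
    if cn is None:
        return UNKNOWN
    return OPEN if cn.lower() != site.lower() else CLOSED


def is_site_not_covered(cert, site):
    """What a browser checks instead: the site matches some SAN (or the CN)."""
    names = dns_names(cert)
    if not names:
        return UNKNOWN
    return CLOSED if any(name_matches(n, site) for n in names) else OPEN


def is_cert_cn_using_wildcard(cert):
    """OPEN when the CN contains a wildcard character."""
    cn = common_name(cert)
    if cn is None:
        return UNKNOWN
    return OPEN if "*" in cn else CLOSED


def _validity(cert):
    """(notBefore, notAfter) as Unix timestamps; raises on missing/bad dates."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def is_cert_inactive(cert, now=None):
    """OPEN when notAfter <= now, and also when now < notBefore (not yet valid)."""
    now = time.time() if now is None else now
    try:
        start, end = _validity(cert)
    except (KeyError, ValueError):
        return UNKNOWN
    return OPEN if end <= now or now < start else CLOSED


def is_cert_validity_lifespan_unsafe(cert, max_days=730):
    """OPEN when notAfter - notBefore exceeds max_days (730 as documented;
    pass 398 to apply the current CA/Browser Forum limit)."""
    try:
        start, end = _validity(cert)
    except (KeyError, ValueError):
        return UNKNOWN
    return OPEN if (end - start) > max_days * 86400 else CLOSED


def fetch_peer_cert(site, port=443, timeout=10):
    """Connect with the system trust store and return (result, cert_dict).
    OPEN: chain not trusted or host name mismatch (SSLCertVerificationError);
    CLOSED: validation passed; UNKNOWN: any other network or TLS error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((site, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=site) as tls:
                return CLOSED, tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return OPEN, None
    except (OSError, ssl.SSLError):
        return UNKNOWN, None
```

Because fetch_peer_cert() uses ssl.create_default_context(), an untrusted chain or a host name mismatch makes the handshake itself fail, which is why the trust check is folded into the fetch rather than inspected afterwards; the dict that getpeercert() returns does not carry the signature algorithm, so the MD5/SHA-1 checks need a DER or PEM parser (for example the cryptography package) rather than this dict.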

fluidasserts.format.x509.is_md5_used(site, port=443)

Check if the certificate was signed using the MD5 algorithm.

MD5 is not collision resistant, so a signature made with it can be transferred to a forged certificate; its use is not recommended. See Storing passwords safely.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the certificate's signature algorithm uses MD5.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.format.x509.is_sha1_used(site, port=443)

Check if the certificate was signed using the SHA-1 algorithm.

SHA-1 is no longer considered collision resistant and major browsers stopped accepting SHA-1 signed certificates in 2017; its use is not recommended. See Storing passwords safely.

Parameters
  • site (str) – Site address.

  • port (int) – Port to connect to.

Returns

  • OPEN if the certificate's signature algorithm uses SHA-1.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result