First commit

2018-07-04 18:12:38 +02:00 · 2018-07-04 18:12:38 +02:00 · 4743ae9ca3
commit 4743ae9ca3
2 changed files with 135 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,5 @@
 # API of HTTPS+ Checker
 It's a CGI API write in python3.
 The only one dependance is **dnspython**
--- a/index.py
+++ b/index.py
@ -0,0 +1,130 @@
 #!/usr/bin/python3
 #-*- coding: utf-8 -*-
 # IMPORTATION
 import cgi
 import json
 import urllib.request
 import ssl
 import hashlib
 import dns.query
 import dns.message
 import socket
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.primitives.serialization import PublicFormat
 # MODULES
 def dnssec_validation(DOMAIN):
    qm = dns.message.make_query(DOMAIN, dns.rdatatype.A,want_dnssec=True)
    response = dns.query.udp(qm,"1.1.1.1")
    dnssec = dns.flags.to_text(response.flags)
    if "AD" in dnssec:
        return(True)
    else:
        return(False)
 def tlsa_validation(DOMAIN):
    def compute_hash(func, string):
        """compute hash of string using given hash function"""    
        h = func()                                                
        h.update(string)                                          
        return h.hexdigest()                                      
    qm = dns.message.make_query('_443._tcp.' + DOMAIN, dns.rdatatype.TLSA)
    response = dns.query.udp(qm,"1.1.1.1")
    if len(response.answer) is 0:
        return(False)
    else: 
        tlsaanswer = str(response.answer[-1])
        tlsatable = tlsaanswer.split()
        selector = str(tlsatable[5]) 
        mtype = str(tlsatable[6])
        hexdata1 = str(tlsatable[7])
        conn = ssl.create_connection((DOMAIN , 443))
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        sock = context.wrap_socket(conn, server_hostname=DOMAIN)
        cert = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
        cert = cert.encode('ascii') 
        if selector == "0":
            certdata = cert.as_der()
        elif selector == "1":
            cert = x509.load_pem_x509_certificate(cert, default_backend())
            certdata = cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
        else:
            raise ValueError("selector type %d not recognized" % selector)
        if mtype == "0":
            hexdata2 = hexdump(certdata)
        elif mtype == "1":
            hexdata2 = compute_hash(hashlib.sha256, certdata)
        elif mtype == "2":
            hexdata2 = compute_hash(hashlib.sha512, certdata)
        else:
            raise ValueError("matchtype %d not recognized" % matchtype)
        if hexdata1 == hexdata2:
            return True
        else:
            return False
 def headers_validation(DOMAIN):
    url = "https://" + DOMAIN + "/"
    try:
        headers = urllib.request.urlopen(url,timeout=3).info()
    except:
        return("NO HTTPS")
    if "public-key-pins" in str(headers).lower():
        RESULT="HPKP_TRUE"
    else:
        RESULT="HPKP _FALSE"
    if "strict-transport-security" in str(headers).lower():
        RESULT = RESULT + " HSTS_TRUE"
    else:
        RESULT = RESULT + " HSTS_FALSE"
    return(RESULT)
 # MAIN
 print("Content-Type: text/html")
 print("")
 fs = cgi.FieldStorage()
 JSON_RESULT= '{"DNSSEC": false,"DANE": false,"HSTS": false,"HPKP": false}'
 JSON_DATA = json.loads(JSON_RESULT)
 if "domain" not in fs: 
    print("{ERROR}")
    cgi.sys.exit(0)
 domain = cgi.escape(fs["domain"].value)
 if dnssec_validation(domain) is True:
    JSON_DATA["DNSSEC"] = True
 if tlsa_validation(domain) is True:
    JSON_DATA["DANE"] = True
 headers = headers_validation(domain)
 if "HSTS_TRUE" in headers:
    JSON_DATA["HSTS"] = True
 if "HPKP_TRUE" in headers:
    JSON_DATA["HPKP"] = True
 JSON_RESULT = json.dumps(JSON_DATA)
 print(JSON_RESULT)