Fix inspec#1617 Add dh_params resource

Signed-off-by: Doc Walker <4-20ma@wvfans.net>

docs/resources/dh_params.md

@@ -0,0 +1,191 @@
+---
+title: The dh_params Resource
+---
+
+# dh_params
+
+Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH) parameters.
+
+
+## Syntax
+
+A `dh_params` resource block declares a parameter file to be tested.
+
+    describe dh_params('/path/to/file.dh_pem') do
+      it { should be_dh_params }
+      it { should be_valid }
+      its('generator') { should eq 2 }
+      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+      its('prime_length') { should eq 2048 }
+      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
+    end
+
+
+## Supported Properties
+
+### dh_params?
+
+Verify whether file contains DH parameters:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      it { should be_dh_params }
+    end
+
+### valid?
+
+Verify whether DH parameters are valid:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      it { should be_valid }
+    end
+
+### generator (Integer)
+
+Verify generator used for the Diffie-Hellman operation:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('generator') { should eq 2 }
+    end
+
+### modulus (String)
+
+Verify prime modulus used for the Diffie-Hellman operation:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+    end
+
+Example using multi-line string:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('modulus') do
+        # regex removes all whitespace
+        should eq <<-EOF.gsub(/[[:space:]]+/, '')
+          00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+          f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+          48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+          1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+          2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+          ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+          30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+          1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+          28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+          2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+          01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+          e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+          3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+          60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+          31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+          5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+          4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+          cd:13
+        EOF
+      end
+    end
+
+### prime_length (Integer)
+
+Verify length of prime modulus used for the Diffie-Hellman operation:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('prime_length') { should eq 2048 }
+    end
+
+### pem (String)
+
+Verify `pem` output of DH parameters:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+    end
+
+Example using multi-line string:
+
+    its('pem') do
+      # regex removes all leading spaces
+      should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
+        -----BEGIN DH PARAMETERS-----
+        MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
+        QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
+        h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
+        MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
+        X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
+        KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
+        -----END DH PARAMETERS-----
+      EOF
+    end
+
+Verify via `openssl dhparam` command:
+
+    $ openssl dhparam -in file.dh_pem
+    -----BEGIN DH PARAMETERS-----
+    MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
+    QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
+    h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
+    MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
+    X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
+    KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
+    -----END DH PARAMETERS-----
+
+### text (String)
+
+Verify human-readable text output of DH parameters:
+
+    describe dh_params('/path/to/file.dh_pem') do
+      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
+    end
+
+Example using multi-line string:
+
+    its('text') do
+      # regex removes 2 leading spaces
+      should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
+        PKCS#3 DH Parameters: (2048 bit)
+            prime:
+                00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+                f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+                48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+                1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+                2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+                ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+                30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+                1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+                28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+                2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+                01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+                e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+                3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+                60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+                31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+                5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+                4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+                cd:13
+            generator: 2 (0x2)
+        EOF
+    end
+
+Verify via `openssl dhparam` command:
+
+    $ openssl dhparam -in file.dh_pem -noout -text
+    PKCS#3 DH Parameters: (2048 bit)
+        prime:
+            00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+            f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+            48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+            1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+            2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+            ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+            30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+            1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+            28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+            2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+            01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+            e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+            3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+            60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+            31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+            5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+            4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+            cd:13
+        generator: 2 (0x2)

lib/inspec/resource.rb

@@ -80,6 +80,7 @@ def self.validate_resource_dsl_version!(version)
 require 'resources/bridge'
 require 'resources/command'
 require 'resources/crontab'
+require 'resources/dh_params'
 require 'resources/directory'
 require 'resources/etc_group'
 require 'resources/file'

lib/resources/dh_params.rb

@@ -0,0 +1,90 @@
+# encoding: utf-8
+# author: Doc Walker
+
+require 'openssl'
+
+class DhParams < Inspec.resource(1)
+  name 'dh_params'
+
+  desc '
+    Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH)
+    parameters.
+  '
+
+  example "
+    describe dh_params('/path/to/file.dh_pem') do
+      it { should be_dh_params }
+      it { should be_valid }
+      its('generator') { should eq 2 }
+      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+      its('prime_length') { should eq 2048 }
+      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
+    end
+  "
+
+  def initialize(filename)
+    @dh_params_path = filename
+    file = inspec.file(@dh_params_path)
+    return skip_resource 'Unable to find DH parameters file ' \
+      "#{@dh_params_path}" unless file.exist?
+
+    begin
+      @dh_params = OpenSSL::PKey::DH.new file.content
+    rescue
+      @dh_params = nil
+      return skip_resource "Unable to load DH parameters #{@dh_params_path}"
+    end
+  end
+
+  # it { should be_dh_params }
+  def dh_params?
+    !@dh_params.nil?
+  end
+
+  # its('generator') { should eq 2 }
+  def generator
+    return if @dh_params.nil?
+    @dh_params.g.to_i
+  end
+
+  # its('g') { should eq 2 }
+  alias g generator
+
+  # its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+  def modulus
+    return if @dh_params.nil?
+    '00:' + @dh_params.p.to_s(16).downcase.scan(/.{2}/).join(':')
+  end
+
+  # its('p') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+  alias p modulus
+
+  # its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+  def pem
+    return if @dh_params.nil?
+    @dh_params.to_pem
+  end
+
+  # its('prime_length') { should be 2048 }
+  def prime_length
+    return if @dh_params.nil?
+    @dh_params.p.num_bits
+  end
+
+  # its('text') { should eq 'human-readable-text' }
+  def text
+    return if @dh_params.nil?
+    @dh_params.to_text
+  end
+
+  # it { should be_valid }
+  def valid?
+    return if @dh_params.nil?
+    @dh_params.params_ok?
+  end
+
+  def to_s
+    "dh_params #{@dh_params_path}"
+  end
+end

test/cookbooks/os_prepare/recipes/default.rb

@@ -19,6 +19,7 @@
 include_recipe('os_prepare::iis_site')
 include_recipe('os_prepare::iptables') unless node['osprepare']['docker']
 include_recipe('os_prepare::x509')
+include_recipe('os_prepare::dh_params')
 
 # config file parsing
 include_recipe('os_prepare::json_yaml_csv_ini')

test/cookbooks/os_prepare/recipes/dh_params.rb

@@ -0,0 +1,8 @@
+if node['platform_family'] != 'windows'
+
+  openssl_dhparam '/tmp/example.dh_pem' do
+    key_length 2048
+    generator 2
+  end
+
+end

test/helper.rb

@@ -138,6 +138,8 @@ def md.directory?
       'test_certificate.rsa.crt.pem' => mockfile.call('test_certificate.rsa.crt.pem'),
       'test_certificate.rsa.key.pem' => mockfile.call('test_certificate.rsa.key.pem'),
       'test_ca_public.key.pem' => mockfile.call('test_ca_public.key.pem'),
+      # Test DH parameters, 2048 bit long safe prime, generator 2 for dh_params in PEM format
+      'dh_params.dh_pem' => mockfile.call('dh_params.dh_pem'),
     }
 
     # create all mock commands

test/integration/default/dh_params_spec.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+
+if os.windows?
+  STDERR.puts "\033[1;33mTODO: Not running #{__FILE__} because we are not on Linux.\033[0m"
+  return
+end
+
+describe dh_params('/tmp/example.dh_pem') do
+  it { should be_dh_params }
+  it { should be_valid }
+  its('generator') { should eq 2 }
+  its('prime_length') { should eq 2048 }
+end

test/unit/mock/files/dh_params.dh_pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAjL3wJ5EAMH6SxgSWrSHItDmjHtXFC/z9sG4ytDkG2iO9UPkcY823
+1qJNN0JW7B88JtQfeXVBaSGSHc0DmbkhrT6hK7oR+v4so6fVnDNUYOnAtyakLlCS
+vJC3hqw5OmWLvg/fkg35xbQ9zg1bqvcdzeWFCGx7sm3XBqcfnydNtvZRGi3iGmwQ
+l0drb9o0l50IE7vsd+4uk21Ln1LmpP39dpimQCVlRxEraWzwaHfMwHD1dW6c15Ps
+96bENhRzpx7A6JDlwSnAQTu0Uc7nJbhZs+dMRCR2olnq5kFF61Jv03f2VdOMDxYl
+HkoauyOEUlPVBfhNHpkQLkGh++VLGaINkwIBAg==
+-----END DH PARAMETERS-----