Computer Systems Assignment
Project Overview - The aim of this project is to increase your awareness and familiarity with TLS Certificate checking. Whilst many applications will perform the certificate checking for you, it is important to understand the underlying process in order to be able to evaluate security. Your task is to write a program that validates TLS certificate files.
Your program must be written in C. Submissions that do not compile and run on a NeCTAR instance may receive zero marks. You must write your own certificate validation code using the OpenSSL library.
Project Details -
Your task is to write a C program that reads in a CSV (comma separated value) file that contains two columns. The first column provides the file path for the certificate to test. The second column provides the URL from which that certificate belongs. Your program must step through each line in the CSV file, load the certificate specified in column one, and validate it, including checking the URL contained in column two.
The output of your program should be another CSV file, called output.csv. It must contain one line per certificate checked, in the same order as the input CSV file. Each line should contain three columns, the two columns from the input file, and a third column containing either the value 1 if the certificate is valid, or 0 if the certificate is invalid.
The minimum checking you are expected to do is as follows:
1. validation of dates, both the Not Before and Not After dates
2. domain name validation (including Subject Alternative Name (SAN) extension) and wildcards
3. minimum key length of 2048 bits for RSA
4. correct key usage, including extensions
Your program must compile to an executable called certcheck and must take one command line argument, which is the relative path to the input CSV file. For example, the following should run your program and check the certificates listed in mytestfile.csv ./certcheck mytestfile.csv
You can assume that there are no restrictions on Subject Alternative Name's beyond the specification, and in particular that wildcard domains are allowed in both the Common Name and the SAN. Your checking code should handle such wildcards correctly. You can assume that all certificates will use RSA keys.
Assessment -
Code that does not compile and run on a NeCTAR instance will be awarded zero marks. Your submission will be tested and marked with the following criteria:
Part A Compiles from Git
- Code successfully added to your git repository on
- Make file included (and it works)
- Clarity and quality of code - appropriate comments and documentation where necessary
- Code correctly implements command line interface
Part B Basic Certificate Checking
- Reads input CSV and write output CSV
- Correctly validates Not Before date
- Correctly validates Not After date
- Correctly validates domain name in Common Name
Part C Advanced Certificate Checking
Correctly validates minimum RSA key length of 2048 bits
Correctly validates key usage and constraints
- BasicConstraints includes "CA:FALSE"
- Enhanced Key Usage includes "TLS Web Server Authentication"
Correctly validates Subject Alternative Name extension
Attachment:- Assignment Files.rar