School of Computing and Information Systems
COMP30023: Computer Systems
Assignment 2
Due date: No later than 11:59pm on Thursday 24th May 2018
Weight: 15%
Project Overview
The aim of this project is to increase your awareness and familiarity with TLS
Certi cate checking. Whilst many applications will perform. the certi cate
checking for you, it is important to understand the underlying process in
order to be able to evaluate security. Your task is to write a program that
validates TLS certi cate les.
Your program must be written in C. Submissions that do not compile and
run on a NeCTAR instance may receive zero marks. You must write your
own certi cate validation code using the OpenSSL library.
Project Details
Your task is to write a C program that reads in a CSV (comma separated
value) le that contains two columns. The rst column provides the le
path for the certi cate to test. The second column provides the URL from
which that certi cate belongs. Your program must step through each line
in the CSV le, load the certi cate speci ed in column one, and validate it,
including checking the URL contained in column two.
The output of your program should be another CSV le, called output.csv.
It must contain one line per certi cate checked, in the same order as the input
CSV le. Each line should contain three columns, the two columns from the
input le, and a third column containing either the value 1 if the certi cate
is valid, or 0 if the certi cate is invalid.
An example input le is shown below:
cert one.cer,www.comp30023test.com
cert two.cert,game1.onlinegaming.com
1
An example output le is shown below:
cert one.cer,www.comp30023test.com,1
cert two.cert,game1.onlinegaming.com,0
The minimum checking you are expected to do is as follows:
1. validation of dates, both the Not Before and Not After dates
2. domain name validation (including Subject Alternative Name (SAN)
extension) and wildcards
3. minimum key length of 2048 bits for RSA
4. correct key usage, including extensions
Your program must compile to an executable called certcheck and must
take one command line argument, which is the relative path to the input
CSV le. For example, the following should run your program and check the
certi cates listed in mytest le.csv ./certcheck mytestfile.csv
You can assume that there are no restrictions on Subject Alternative
Name’s beyond the speci cation, and in particular that wildcard domains
are allowed in both the Common Name and the SAN. Your checking code
should handle such wildcards correctly. You can assume that all certi cates
will use RSA keys.
Program execution / command line arguments
To run your program on your NeCTAR cloud instance prompt:
./certcheck pathToTestFile
where:
pathToTestFile is a valid relative path to the test CSV le.
Note: Program interface will be strictly enforced, if your pro-
gram does not comply with the required standard you may get zero
marks for part B and C.
2
Submission details
Please include your name and login id in a comment at the top of each le.
Our plan is to directly harvest your submissions on the due date from your
provided GitLab (https://gitlab.eng.unimelb.edu.au) git account. You
must create a repository called comp30023-2018-project-2 in your GitLab
account and push your submission to it.
You must submit program le(s), including a Make le. Make sure that
your Make le, header les and source les are added/committed and pushed
to your GitLab repository. Do not add/commit object les or executables.
Anything you want to mention about your submission, write a text le called
README.
If you do not use your Git repository for the project you will NOT have
a submission and will be awarded zero marks.
It should be possible to \checkout" the Git repository, then type make
clean and then make to produce the executable certcheck.
Late submissions will incur a deduction of 2 marks per day (or part
thereof).
If you submit late, you MUST email the lecturer, Chris Culnane
.
Extension policy: If you believe you have a valid reason to require an
extension you must contact the lecturer, Chris Culnane
at the earliest opportunity, which in most instances should be well before the
submission deadline.
Requests for extensions are not automatic and are considered on a case
by case basis. You will be required to supply supporting evidence such as a
medical certi cate. In addition, your git log le should illustrate the progress
made on the project up to the date of your request.
Plagiarism policy: You are reminded that all submitted project work in
this subject is to be your own individual work. Automated similarity checking
software will be used to compare submissions against each other and known
public source code. It is University policy that cheating by students in any
form. is not permitted, and that work submitted for assessment purposes
must be the independent work of the student concerned.
3
Using Git is an important step in the veri cation of authorship. You are
encouraged to commit regularly so that you have a record of your work. This
is also best practice when using version control software.
Assessment
Code that does not compile and run on a NeCTAR instance will be awarded
zero marks. Your submission will be tested and marked with the following
criteria:
Part A Compiles from Git (5 marks)
{ Code successfully added to your git repository on
https://gitlab.eng.unimelb.edu.au (1 mark)
{ Make le included (and it works) (1 mark)
{ Clarity and quality of code { appropriate comments and docu-
mentation where necessary (2 marks)
{ Code correctly implements command line interface (1 mark)
Part B Basic Certi cate Checking (5 marks)
{ Reads input CSV and write output CSV (1 mark)
{ Correctly validates Not Before date (1 mark)
{ Correctly validates Not After date (1 mark)
{ Correctly validates domain name in Common Name (2 mark)
Part C Advanced Certi cate Checking (5 marks)
{ Correctly validates minimum RSA key length of 2048 bits (1 mark)
{ Correctly validates key usage and constraints (2 mark)
BasicConstraints includes \CA:FALSE"
Enhanced Key Usage includes \TLS Web Server Authentica-
tion"
{ Correctly validates Subject Alternative Name extension (2 marks)
4
Example Code and Development
Example source code that opens an X509 certi cate and reads some values
from it, is available in the Assignment git repository:
https://gitlab.eng.unimelb.edu.au/COMP30023/Assignment2.git
This will show the basics of opening and reading values from an X509
certi cate le using OpenSSL in C. However, this will not provide all the
functionality that you require. Part of the exercise is to navigate through
the OpenSSL documentation and discover the appropriate methods to call
to extract and evaluate the data you need. Please Note: You must write
your own validation code, you cannot use the built in OpenSSL certi cate
validation functions.
The documentation is available at:
https://www.openssl.org/docs/manmaster/man3/
A list of function calls you may not use is as follows:
X509 check ca
X509 check host
X509 cmp current time
X509 cmp time
Testing your program
Your server will be partially evaluated using automated testing. A sample
test script. and sample certi cates will be provided in the repository:
https://gitlab.eng.unimelb.edu.au/COMP30023/Assignment2.git
You may use this script. to test your program successfully passes the
following assessment criteria:
Basic Certi cate Checking (5 marks