Support for checking expiry of intermediate certificates

app/CertificateScan.php

@@ -24,4 +24,9 @@ public function getExpiresInAttribute()
     {
         return now()->diffAsCarbonInterval($this->valid_to)->forHumans(['join' => true]);
     }
+
+    public function intermediates()
+    {
+        return $this->hasMany(IntermediateCertificateScan::class);
+    }
 }

app/Checkers/Certificate.php

@@ -4,6 +4,7 @@
 
 use App\Website;
 use App\CertificateScan;
+use App\IntermediateCertificateScan;
 use VisualAppeal\SslLabs;
 use App\Notifications\CertificateIsWeak;
 use Spatie\SslCertificate\SslCertificate;
@@ -31,21 +32,6 @@ public function run()
 
     private function fetch()
     {
-        $certificate = SslCertificate::createForHostName($this->website->certificate_hostname);
-
-        $scan = new CertificateScan([
-            'issuer' => $certificate->getIssuer(),
-            'domain' => $certificate->getDomain(),
-            'additional_domains' => $certificate->getAdditionalDomains(),
-            'valid_from' => $certificate->validFromDate(),
-            'valid_to' => $certificate->expirationDate(),
-            'was_valid' => $certificate->isValid(),
-            'did_expire' => $certificate->isExpired(),
-            'grade' => 'N/A',
-        ]);
-
-        $this->website->certificates()->save($scan);
-
         $labs = new SslLabs();
 
         $result = $labs->analyze(
@@ -58,6 +44,58 @@ private function fetch()
             $ignoreMismatch = false
         );
 
+        # Do proper SSL Check of whole chain
+        $ssloptions = array(
+            "capture_peer_cert_chain" => true,
+            "allow_self_signed"=>false,
+            "CN_match"=>$this->website->certificate_hostname,
+            "verify_peer"=>true,
+            "SNI_enabled"=>true,
+            "SNI_server_name"=>$this->website->certificate_hostname,
+            "cafile"=>'/etc/ssl/certs/ca-certificates.crt' //mozilla ca cert bundle: http://curl.haxx.se/docs/caextract.html
+        );
+
+        $ctx = stream_context_create( array("ssl" => $ssloptions) );
+        $result = stream_socket_client("ssl://".$this->website->certificate_hostname.":443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
+        $cont = stream_context_get_params($result);
+        $first = True;
+        $scan = Null;
+        foreach($cont["options"]["ssl"]["peer_certificate_chain"] as $cert)
+        {
+            openssl_x509_export($cert, $pem_encoded);
+            $certificate = SslCertificate::createFromString($pem_encoded);
+
+            if ($first) {
+                $first = False;
+
+                $scan = new CertificateScan([
+                    'issuer' => $certificate->getIssuer(),
+                    'domain' => $certificate->getDomain(),
+                    'additional_domains' => $certificate->getAdditionalDomains(),
+                    'valid_from' => $certificate->validFromDate(),
+                    'valid_to' => $certificate->expirationDate(),
+                    'was_valid' => $certificate->isValid(),
+                    'did_expire' => $certificate->isExpired(),
+                    'grade' => 'N/A',
+                ]);
+
+                $this->website->certificates()->save($scan);
+                continue;
+            }
+
+            $int_scan = new IntermediateCertificateScan([
+                'issuer' => $certificate->getIssuer(),
+                'certificate_scan_id' => $scan->id,
+                'common_name' => $certificate->getDomain(),
+                'valid_from' => $certificate->validFromDate(),
+                'valid_to' => $certificate->expirationDate(),
+                'was_valid' => $certificate->isValid(),
+                'did_expire' => $certificate->isExpired(),
+            ]);
+
+            $int_scan->save();
+        }
+
         foreach ($result->endpoints ?? [] as $endpoint) {
             if ($endpoint->statusMessage === 'Ready') {
                 $scan->grade = $endpoint->grade;
@@ -95,6 +133,19 @@ private function notify($notification = null)
             $notification = new CertificateIsWeak($this->website, $this->scan);
         }
 
+        # Check expiry of Intermediate Certificates
+        foreach(IntermediateCertificateScan::where('certificate_scan_id', $this->scan->id)->get() as $int_cert) {
+            if (!$int_cert->was_valid) {
+                $notification = new CertificateIsInvalid($this->website, $this->scan);
+            } elseif ($int_cert->did_expire) {
+                $notification = new CertificateHasExpired($this->website, $this->scan);
+            } elseif (now()->diffInHours($int_cert->valid_to) <= 24) {
+                $notification = new CertificateIsExpiring($this->website, $this->scan);
+            } elseif (now()->diffInDays($int_cert->valid_to) <= 7) {
+                $notification = new CertificateWillExpire($this->website, $this->scan);
+            }
+        }
+
         if (!$notification) {
             return null;
         }

app/HasIntermediateCertificates.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace App;
+
+trait HasIntermediateCertificates
+{
+    public function intermediate_certificates()
+    {
+	$scan = $this->website->certificates()->latest()->first();
+        return $scan->hasMany(IntermediateCertificateScan::class);
+    }
+
+    public function getCertificateHostnameAttribute()
+    {
+        return parse_url($this->url, PHP_URL_HOST);
+    }
+}
+

app/Http/Controllers/CertificateReportController.php

@@ -21,7 +21,7 @@ public function __invoke(Request $request, Website $website)
             CertificateCheck::dispatchNow($website);
         }
 
-        $scan = $website->certificates()->latest()->first();
+        $scan = $website->certificates()->with('intermediates')->latest()->first();
 
         if (!$scan) {
             return [

app/IntermediateCertificateScan.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace App;
+
+use Illuminate\Database\Eloquent\Model;
+
+class IntermediateCertificateScan extends Model
+{
+    protected $guarded = [];
+
+    protected $casts = [
+        'common_name' => 'string',
+        'valid_from' => 'datetime',
+        'valid_to' => 'datetime',
+        'was_valid' => 'boolean',
+        'did_expire' => 'boolean',
+    ];
+
+    protected $appends = [
+        'expires_in',
+    ];
+
+    public function getExpiresInAttribute()
+    {
+        return now()->diffAsCarbonInterval($this->valid_to)->forHumans(['join' => true]);
+    }
+
+    public function certificate()
+    {
+        return $this->belongsTo(CertificateScan::class);
+    }
+}
+

app/Website.php

@@ -161,7 +161,7 @@ public function runInitialScans()
             }
 
             if ($this->visual_diff_enabled) {
-                VisualDiffCheck::dispatch($this);
+                VisualDiffCheck::dispatch($this, $this->url);
             }
         } catch (Exception $e) {
             logger($e->getMessage());

database/migrations/2021_03_04_111337_create_intermediate_certificate_scans_table.php

@@ -0,0 +1,39 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+class CreateIntermediateCertificateScansTable extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::create('intermediate_certificate_scans', function (Blueprint $table) {
+            $table->bigIncrements('id');
+            $table->bigInteger('certificate_scan_id')->unsigned()->index();
+            $table->foreign('certificate_scan_id')->references('id')->on('certificate_scans')->onDelete('cascade');
+            $table->string('issuer');
+            $table->string('common_name');
+            $table->dateTime('valid_from');
+            $table->dateTime('valid_to');
+            $table->boolean('was_valid');
+            $table->boolean('did_expire');
+            $table->timestamps();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::dropIfExists('intermediate_certificate_scans');
+    }
+}

resources/js/components/CertificateReport.js

@@ -130,6 +130,24 @@ export default class CertificateReport extends React.Component {
                         <div className="flex items-center" style={{ color: (this.state.did_expire ? RED : GREEN ) }}><Icon style={{ fontSize: 20, marginRight: 10 }} type={ this.state.did_expire ? 'check-circle' : 'close-circle' } /> { this.state.did_expire ? 'Yes' : 'No' }</div>
                     </div>
                 </div>
+                <hr />
+                <h3>Intermediate Certificates:</h3>
+                {this.state.intermediates.map((intermediate, i) => {
+                  return (<div className="flex flex-wrap mt-5">
+                    <div className="w-1/3 pr-5">
+                        <div className="font-bold mb-2">Common Name:</div>
+                        { intermediate.common_name }
+                    </div>
+                    <div className="w-1/3 mt-5 pr-32">
+                        <div className="font-bold mb-2">Expires In:</div>
+                        { intermediate.expires_in }
+                    </div>
+                    <div className="w-1/3 mt-5">
+                        <div className="font-bold mb-2">Has Expired:</div>
+                        <div className="flex items-center" style={{ color: (intermediate.did_expire ? RED : GREEN ) }}><Icon style={{ fontSize: 20, marginRight: 10 }} type={ intermediate.did_expire ? 'check-circle' : 'close-circle' } /> { intermediate.did_expire ? 'Yes' : 'No' }</div>
+                    </div>
+                </div>)
+                })}
             </>
         )
     };