Verify the fingerprint on api.stripe.com before making any requests

2025-08-10 00:01:09 -04:00 · 2014-04-09 18:50:28 -07:00 · 2014-04-09 18:50:28 -07:00 · 67f90ec108
commit 67f90ec108
parent 6944e4e97f
3 changed files with 74 additions and 1 deletions
--- a/lib/stripe.rb
+++ b/lib/stripe.rb
@ -25,6 +25,7 @@ require 'stripe/account'
 require 'stripe/balance'
 require 'stripe/balance_transaction'
 require 'stripe/customer'
+require 'stripe/certificate_blacklist'
 require 'stripe/invoice'
 require 'stripe/invoice_item'
 require 'stripe/charge'
@ -47,10 +48,13 @@ require 'stripe/errors/invalid_request_error'
 require 'stripe/errors/authentication_error'

 module Stripe
+  DEFAULT_CA_BUNDLE_PATH = File.dirname(__FILE__) + '/data/ca-certificates.crt'
  @api_base = 'https://api.stripe.com'

-  @ssl_bundle_path  = File.dirname(__FILE__) + '/data/ca-certificates.crt'
+  @ssl_bundle_path  = DEFAULT_CA_BUNDLE_PATH
  @verify_ssl_certs = true
+  @CERTIFICATE_VERIFIED = false
+

  class << self
    attr_accessor :api_key, :api_base, :verify_ssl_certs, :api_version
@ -83,6 +87,10 @@ module Stripe
                          :ssl_ca_file => @ssl_bundle_path)
    end

+    unless @CERTIFICATE_VERIFIED
+      @CERTIFICATE_VERIFIED = CertificateBlacklist.check_ssl_cert(@api_base, @ssl_bundle_path)
+    end
+
    params = Util.objects_to_ids(params)
    url = api_url(url)

--- a/lib/stripe/certificate_blacklist.rb
+++ b/lib/stripe/certificate_blacklist.rb
@ -0,0 +1,47 @@
+require 'uri'
+require 'digest/sha1'
+
+module Stripe
+  module CertificateBlacklist
+
+    BLACKLIST = {
+      "api.stripe.com" => [
+        '05c0b3643694470a888c6e7feb5c9e24e823dc53',
+      ],
+      "revoked.stripe.com" => [
+        '5b7dc7fbc98d78bf76d4d4fa6f597a0c901fad5c',
+      ]
+    }
+
+
+    def self.check_ssl_cert(uri, ca_file)
+      uri = URI.parse(uri)
+
+      sock = TCPSocket.new(uri.host, uri.port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(:verify_mode => OpenSSL::SSL::VERIFY_PEER,
+                     :ca_file => ca_file)
+
+      socket = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      socket.connect
+
+      certificate = socket.peer_cert.to_der
+      fingerprint = Digest::SHA1.hexdigest(certificate)
+
+      if blacklisted_certs = BLACKLIST[uri.host]
+        if blacklisted_certs.include?(fingerprint)
+          raise APIConnectionError.new(
+            "Invalid server certificate. You tried to connect to a server that" +
+            "has a revoked SSL certificate, which means we cannot securely send" +
+            "data to that server. Please email support@stripe.com if you need" +
+            "help connecting to the correct API server."
+          )
+        end
+      end
+
+      socket.close
+
+      return true
+    end
+  end
+end
--- a/test/stripe/certificate_blacklist_test.rb
+++ b/test/stripe/certificate_blacklist_test.rb
@ -0,0 +1,18 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+module Stripe
+
+  class CertificateBlacklistTest < Test::Unit::TestCase
+    should "not trust revoked certificates" do
+      assert_raises(Stripe::APIConnectionError) {
+        Stripe::CertificateBlacklist.check_ssl_cert("https://revoked.stripe.com:444",
+                                                    Stripe::DEFAULT_CA_BUNDLE_PATH)
+      }
+    end
+
+    should "trust api.stripe.com" do
+      assert_true Stripe::CertificateBlacklist.check_ssl_cert("https://api.stripe.com",
+                                                              Stripe::DEFAULT_CA_BUNDLE_PATH)
+    end
+  end
+end