WinRb · hh · Oct 3, 2015 · Oct 4, 2015 · Oct 5, 2015 · Nov 30, 2015
diff --git a/lib/winrm/http/transport.rb b/lib/winrm/http/transport.rb
@@ -40,12 +40,13 @@ def initialize(endpoint)
       # @param [String] The XML SOAP message
       # @returns [REXML::Document] The parsed response body
       def send_request(message)
+        ssl_peer_fingerprint_verification!
         log_soap_message(message)
-        hdr = {
-          'Content-Type' => 'application/soap+xml;charset=UTF-8',
-          'Content-Length' => message.length }
+        hdr = { 'Content-Type' => 'application/soap+xml;charset=UTF-8',
+                'Content-Length' => message.length }
         resp = @httpcli.post(@endpoint, message, hdr)
         log_soap_message(resp.http_body.content)
+        verify_ssl_fingerprint(resp.peer_cert)
         handler = WinRM::ResponseHandler.new(resp.http_body.content, resp.status)
         handler.parse_to_xml
       end
@@ -67,6 +68,34 @@ def no_ssl_peer_verification!
         @httpcli.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
       end
 
+      # SSL Peer Fingerprint Verification prior to connecting
+      def ssl_peer_fingerprint_verification!
+        return unless @ssl_peer_fingerprint && ! @ssl_peer_fingerprint_verified
+        connection_cert = shady_ssl_connection.peer_cert_chain.last
+        verify_ssl_fingerprint(connection_cert)
+        @logger.info("initial ssl fingerprint #{@ssl_peer_fingerprint} verified\n")
+        @ssl_peer_fingerprint_verified = true
+        no_ssl_peer_verification!
+      end
+
+      # Connect without verification to retrieve untrusted ssl context
+      def shady_ssl_connection
+        noverify_peer_context = OpenSSL::SSL::SSLContext.new
+        noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        tcp_connection = TCPSocket.new(@endpoint.host, @endpoint.port)
+        shady_ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection,
+                                                           noverify_peer_context)
+        shady_ssl_connection.connect
+        shady_ssl_connection
+      end
+
+      # compare @ssl_peer_fingerprint to current ssl context
+      def verify_ssl_fingerprint(cert)
+        conn_fingerprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
+        return unless @ssl_peer_fingerprint.casecmp(conn_fingerprint) != 0
+        fail "ssl fingerprint mismatch!!!!\n"
+      end
+
       # HTTP Client receive timeout. How long should a remote call wait for a
       # for a response from WinRM?
       def receive_timeout=(sec)
@@ -112,6 +141,7 @@ def initialize(endpoint, user, pass, ca_trust_path = nil, opts)
         no_sspi_auth! if opts[:disable_sspi]
         basic_auth_only! if opts[:basic_auth_only]
         no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
       end
     end
 

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -3,6 +3,7 @@
 require 'bundler/setup'
 require 'winrm'
 require 'json'
+require 'openssl'
 require_relative 'matchers'
 
 # Creates a WinRM connection for integration tests
@@ -41,6 +42,42 @@ def symbolize_keys(hash)
     end
   end
   # rubocop:enable Metrics/MethodLength
+
+  # create a simple cert for a public_key
+  def test_cert(public_key)
+    subject = OpenSSL::X509::Name.parse('/C=BE/O=Test/OU=Test/CN=Test')
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = cert.issuer = subject
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 365 * 24 * 3600
+    cert.public_key = public_key
+    cert.serial = 0x0
+    cert.version = 2
+    cert
+  end
+
+  # add CA and subject extensions to cert
+  def add_cert_extensions(cert)
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = cert
+    cert.extensions = [
+      ef.create_extension('basicConstraints', 'CA:TRUE', true),
+      ef.create_extension('subjectKeyIdentifier', 'hash'),
+      # ef.create_extension('keyUsage', 'cRLSign,keyCertSign', true),
+    ]
+    cert.add_extension ef.create_extension('authorityKeyIdentifier',
+                                           'keyid:always,issuer:always')
+    cert
+  end
+
+  # create a self-signed-cert from private key
+  def gen_self_signed_cert(key)
+    plain_cert = test_cert(key.public_key)
+    cert = add_cert_extensions(plain_cert)
+    cert.sign key, OpenSSL::Digest::SHA1.new
+    cert
+  end
 end
 
 RSpec.configure do |config|