blobfish-ejbca-client-ruby 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2a90d0f1923a7f24fa47088401156615a585df0d89734e0b15fa4e35fe41b378
+  data.tar.gz: 2137758317788acf47eea3e70309de7adbc4ffbbbefca9fab2a7f6a1737a0ce5
+SHA512:
+  metadata.gz: 07bdeb0b43a002c890fd3e65f4797e75b3efbaef1fbcb621c9f37209713d1839fb1ba9d3cd29c7c6923d30f5e75b1552c9e0d54208b7f661710d5ae12f2def88
+  data.tar.gz: 98996e6d8dc19f8cdb21e1cf0433e4b4f07e171b6f3793a2b99c67faab8dda398285234db905d126b1a2e271ddfffd46b76c59e54e5bc10b26fe404a6f128eb6

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/.idea/
+/*.gem

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in blobfish-ejbca-client-ruby.gemspec
+gemspec

data/README.md

@@ -0,0 +1,25 @@
+# Blobfish::Ejbca
+
+This gem allows integration with EJBCA services and currently supports: 
+
+- PFX generation on EJBCA side.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'blobfish-ejbca-client-ruby'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install blobfish-ejbca-client-ruby
+
+## Usage
+
+For a demonstration project (in spanish) see https://github.com/hablutzel1/blobfish-ejbca-client-ruby-demo.

data/blobfish-ejbca-client-ruby.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "blobfish/ejbca/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "blobfish-ejbca-client-ruby"
+  spec.version       = Blobfish::Ejbca::VERSION
+  spec.authors       = ["Jaime Hablutzel"]
+  spec.email         = ["hablutzel1@gmail.com"]
+
+  spec.summary       = "Blobfish's Ruby client for EJBCA services."
+  spec.description   = "Ruby client currently allowing to perform certain operations with EJBCA services, e.g. requesting PFX generation."
+  spec.homepage      = "https://github.com/hablutzel1/blobfish-ejbca-client-ruby"
+
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ["lib"]
+  spec.add_runtime_dependency 'savon', '~> 2.12'
+  spec.add_development_dependency "bundler", "~> 1.16"
+end

data/lib/blobfish/ejbca.rb

@@ -0,0 +1,9 @@
+
+require 'blobfish/ejbca/version'
+require 'blobfish/ejbca/client'
+
+module Blobfish
+  module Ejbca
+        # Your code goes here...
+  end
+end

data/lib/blobfish/ejbca/certificate.rb

@@ -0,0 +1,11 @@
+
+module Blobfish
+  module Ejbca
+    # TODO evaluate to extract this class to a new Blobfish's crypto utilities gem.
+    class Certificate < OpenSSL::X509::Certificate
+      def serial_hex
+        serial.to_s(16)
+      end
+    end
+  end
+end

data/lib/blobfish/ejbca/client.rb

@@ -0,0 +1,162 @@
+
+require 'savon'
+require 'base64'
+require_relative 'certificate'
+
+module Blobfish
+  module Ejbca
+
+    # See too 'D:\d\ejbca\tests\ejbca_ws_client\src\p12onejbcaside' for a Java alternative for this client.
+    class Client
+      STATUS_NEW = 10
+      TOKEN_TYPE_P12 = 'P12'
+      TOKEN_TYPE_USERGENERATED = 'USERGENERATED'
+      RESPONSETYPE_CERTIFICATE = 'CERTIFICATE'
+      RESPONSETYPE_PKCS7WITHCHAIN = 'PKCS7WITHCHAIN'
+      REVOCATION_REASON_UNSPECIFIED = 0
+
+      # @param [String] ws_additional_trusted_anchors e.g. +ca-certificates.crt+. Required only if +wsdl_url+ uses a non-commercial SSL certificate, otherwise it should be +nil+.
+      def initialize(wsdl_url, ws_additional_trusted_anchors, ws_client_certificate, ws_client_key, ws_client_key_password, ca_name, cert_profile, ee_profile)
+        @savon_client = Savon.client(
+            wsdl: wsdl_url,
+            ssl_cert_file: ws_client_certificate,
+            ssl_cert_key_file: ws_client_key,
+            ssl_cert_key_password: ws_client_key_password,
+            ssl_ca_cert_file: ws_additional_trusted_anchors,
+        # log: true,
+        # log_level: :debug,
+        )
+        @ca_name = ca_name
+        @ca_dn = query_ca_dn(ca_name)
+        @cert_profile = cert_profile
+        @ee_profile = ee_profile
+      end
+
+      def self.escape_dn_attr_value(val)
+        # TODO study escaping rules in detail. Take a look at relevant standards and the EJBCA implementation. See too https://sourceforge.net/p/ejbca/discussion/123123/thread/d36bb985/.
+        val.gsub(",", "\\,")
+      end
+
+      # Note that it requires 'Allow validity override' set in the EJBCA certificate profile for the pair +validity_type,validity_value+ to be effective.
+      # 'subject_dn' should have its attributes values escaped using 'escape_dn_attr_value'.
+      # 'custom_friendly_name' is optional. It can be set to 'nil' to maintain the one set by EJBCA (TODO confirm if EJBCA actually sets a friendly name).
+      def request_pfx(ejbca_username, email_address, subject_dn, subject_alt_name, validity_type, validity_value, pfx_password, custom_friendly_name)
+        end_user = create_end_user(ejbca_username, pfx_password, TOKEN_TYPE_P12, email_address, subject_dn, subject_alt_name, validity_type, validity_value)
+        ws_call(:edit_user,
+                arg0: end_user)
+        ws_resp = ws_call(:pkcs12_req,
+                          arg0: ejbca_username,
+                          arg1: pfx_password,
+                          arg3: '2048',
+                          arg4: 'RSA'
+        )
+        pfx_bytes = Client.double_decode64(ws_resp[:keystore_data])
+        pkcs12 = OpenSSL::PKCS12.new(pfx_bytes, pfx_password)
+        unless custom_friendly_name.nil?
+          # NOTE that this is currently removing the friendlyName for all bundled CA certs, but this is not expected to produce problems.
+          updated_pkcs12 = OpenSSL::PKCS12.create(pfx_password, custom_friendly_name, pkcs12.key, pkcs12.certificate, pkcs12.ca_certs)
+          pfx_bytes = updated_pkcs12.to_der
+        end
+        {pfx: pfx_bytes, cert: Certificate.new(pkcs12.certificate)}
+
+      end
+
+      def request_from_csr(pem_csr, ejbca_username, email_address, subject_dn, subject_alt_name, validity_type, validity_value, response_type = RESPONSETYPE_CERTIFICATE)
+        end_user = create_end_user(ejbca_username, nil, TOKEN_TYPE_USERGENERATED, email_address, subject_dn, subject_alt_name, validity_type, validity_value)
+        ws_resp = ws_call(:certificate_request,
+                          arg0: end_user,
+                          arg1: pem_csr,
+                          arg2: 0,
+                          arg4: response_type)
+        resp_as_der = Client.double_decode64(ws_resp[:data])
+        if response_type == RESPONSETYPE_CERTIFICATE
+          Certificate.new(resp_as_der)
+        elsif response_type == RESPONSETYPE_PKCS7WITHCHAIN
+          OpenSSL::PKCS7.new(resp_as_der)
+        else
+          raise NotImplementedError
+        end
+      end
+
+      def revoke_cert(serial_number)
+        ws_call(:revoke_cert,
+                arg0: @ca_dn,
+                arg1: serial_number,
+                arg2: REVOCATION_REASON_UNSPECIFIED
+        )
+      end
+
+      def get_revocation_status(serial_number)
+        revocation_status = ws_call(:check_revokation_status,
+                                    arg0: @ca_dn,
+                                    arg1: serial_number,
+        )
+        raise "Certificate with serial number #{serial_number} doesn't exists for #{@ca_dn}" if revocation_status.nil?
+        revocation_status if revocation_status[:reason].to_i != -1
+      end
+
+      # NOTE that these entries aren't being ordered by issuance, but by the latest to expire, i.e. the latest cert to expire is returned first.
+      def get_all_certs(ejbca_username)
+        certs = ws_call(:find_certs,
+                        arg0: ejbca_username,
+                        arg1: false,
+        )
+        Enumerator.new do |yielder|
+          certs.each do |cert|
+            cert_as_der = Client.double_decode64(cert[:certificate_data])
+            yielder << Certificate.new(cert_as_der)
+          end
+        end
+      end
+
+      private
+
+      def create_end_user(ejbca_username, password, token_type, email_address, subject_dn, subject_alt_name, validity_type, validity_value)
+        end_user = {}
+        end_user[:username] = ejbca_username
+        # When password is nil, the element is excluded from the hash, otherwise it would produce <password xsi:nil="true"/> which is interpreted as "" in the EJBCA side. See https://github.com/savonrb/gyoku/#user-content-hash-values.
+        end_user[:password] = password unless password == nil
+        end_user[:status] = STATUS_NEW
+        end_user[:token_type] = token_type
+        end_user[:email] = email_address
+        end_user[:subjectDN] = subject_dn
+        end_user[:subject_alt_name] = subject_alt_name
+        end_user[:ca_name] = @ca_name
+        end_user[:certificate_profile_name] = @cert_profile
+        end_user[:end_entity_profile_name] = @ee_profile
+        if validity_type == :days_from_now
+          custom_endtime = "#{validity_value}:0:0"
+        elsif validity_type == :fixed_not_after
+          unless validity_value.is_a? Time
+            raise ArgumentError
+          end
+          not_after = validity_value.utc
+          custom_endtime = not_after.strftime('%Y-%m-%d %H:%M')
+        else
+          raise NotImplementedError
+        end
+        end_user[:extended_information] = [{name: 'customdata_ENDTIME', value: custom_endtime}]
+        end_user
+      end
+
+      def self.double_decode64(b64)
+        b64 = Base64.decode64(b64)
+        Base64.decode64(b64)
+      end
+
+      def query_ca_dn(ca_name)
+        ca_chain = ws_call(:get_last_ca_chain, arg0: ca_name)
+        ca_cert = ca_chain.kind_of?(Array) ? ca_chain[0] : ca_chain
+        ca_cert = Client.double_decode64(ca_cert[:certificate_data])
+        ca_cert = OpenSSL::X509::Certificate.new(ca_cert)
+        ca_cert.subject.to_s(OpenSSL::X509::Name::RFC2253)
+      end
+
+      def ws_call(operation_name, message)
+        response = @savon_client.call(operation_name, soap_action: false, message: message)
+        response.to_hash["#{operation_name}_response".to_sym][:return]
+      end
+
+    end
+  end
+end

data/lib/blobfish/ejbca/version.rb

@@ -0,0 +1,6 @@
+
+module Blobfish
+  module Ejbca
+    VERSION = '0.1.1'
+  end
+end

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: blobfish-ejbca-client-ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Jaime Hablutzel
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: savon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+description: Ruby client currently allowing to perform certain operations with EJBCA
+  services, e.g. requesting PFX generation.
+email:
+- hablutzel1@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- README.md
+- blobfish-ejbca-client-ruby.gemspec
+- lib/blobfish/ejbca.rb
+- lib/blobfish/ejbca/certificate.rb
+- lib/blobfish/ejbca/client.rb
+- lib/blobfish/ejbca/version.rb
+homepage: https://github.com/hablutzel1/blobfish-ejbca-client-ruby
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Blobfish's Ruby client for EJBCA services.
+test_files: []