certificate-transparency 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/certificate-transparency/certificate_chain.rb +2 -0
  3. data/lib/certificate-transparency/signed_tree_head.rb +11 -3
  4. data/lib/tls/digitally_signed.rb +14 -13
  5. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a79a012d5182f45a32441f36a7d01853babefce5
4
- data.tar.gz: 52007f0dd5ee5ae0f695709ab333e146525aaaf3
3
+ metadata.gz: f22191737905aa6c892ecfb3a08ad89f7e294fbe
4
+ data.tar.gz: c0cdac47699adf0b56d0032da06f0ad256114c31
5
5
  SHA512:
6
- metadata.gz: 6deb537a51d4c064214b2017dbfacfd93ba430836bcaf1adb78d0f1bb28dd5c40233adc8d7591534189a394b8f7194129323640a3068bbbc2cf15386a446c184
7
- data.tar.gz: 2e0805987f1c1a2f69fc8cbda8cce94d0685bcf8339210fe4e38f6cb5d6d3a4c4aee4ef23c37a763f98168cbb2bdf51d738dcf556d94a9343ac354cb72f780c2
6
+ metadata.gz: 476fdeb0fa0e7d85c9bf1bb6e4f104786870176e196bda0c0a597aa5ecfba25afa7f1c9d74e463467a97b392876482ccea5f2c99d95f6528d551607d88c5a599
7
+ data.tar.gz: 0b92f1a6d0ee4251d7b1572939bcc17345dbbdbad0ac3b14e43e75276ebfb7f9a0bb1951da3e810fd9a1c9fc4cf9cd19eed5cf9857f2402e767e261589cf334f
data/lib/certificate-transparency/certificate_chain.rb CHANGED
@@ -1,3 +1,5 @@
1
+ require 'forwardable'
2
+
1
3
  # A chain of certificates, from an end-entity certificate to a root certificate
2
4
  # presumably trusted by the log.
3
5
  #
data/lib/certificate-transparency/signed_tree_head.rb CHANGED
@@ -26,13 +26,21 @@ class CertificateTransparency::SignedTreeHead
26
26
  # Determine whether or not the signature that was provided in the
27
27
  # signed tree head is a valid one, based on the provided key.
28
28
  #
29
- # @param pk [String] the raw binary form of the public key of the
30
- # log.
29
+ # @param pk [String, OpenSSL::PKey::PKey] either the raw binary form of
30
+ # the public key of the log, or an existing OpenSSL public key object.
31
31
  #
32
32
  # @return Boolean
33
33
  #
34
34
  def valid?(pk)
35
- key = OpenSSL::PKey::EC.new(pk)
35
+ key = if pk.is_a?(OpenSSL::PKey::PKey)
36
+ pk
37
+ else
38
+ begin
39
+ OpenSSL::PKey::EC.new(pk)
40
+ rescue ArgumentError
41
+ OpenSSL::PKey::RSA.new(pk)
42
+ end
43
+ end
36
44
 
37
45
  blob = [
38
46
  CT::Version[:v1],
data/lib/tls/digitally_signed.rb CHANGED
@@ -14,16 +14,17 @@ class TLS::DigitallySigned
14
14
  #
15
15
  # Takes a number of named options:
16
16
  #
17
- # * `:key` -- (required) An instance of `OpenSSL::PKey::EC`. If you pass
18
- # in `:blob` as well, then this can be either a public key or a private
19
- # key (because you only need a public key for validating a signature),
20
- # but if you only pass in `:content`, you must provide a private key
21
- # here.
17
+ # * `:key` -- (required) An instance of `OpenSSL::PKey::PKey`. If you
18
+ # pass in `:blob` as well, then this can be either a public key or a
19
+ # private key (because you only need a public key for validating a
20
+ # signature), but if you only pass in `:content`, you must provide a
21
+ # private key here.
22
22
  #
23
23
  # This key *must* be generated with the NIST P-256 curve (known to
24
- # OpenSSL as `prime256v1`) in order to be compliant with the CT spec.
25
- # However, we can't validate that, so it's up to you to make sure you
26
- # do it right.
24
+ # OpenSSL as `prime256v1`), or be an RSA key of at least 2048 bits, in
25
+ # order to be compliant with the CT spec. However, we can't validate
26
+ # some of those criteria, so it's up to you to make sure you do it
27
+ # right.
27
28
  #
28
29
  # * `:content` -- (required) The content to sign, or verify the signature
29
30
  # of. This can be any string.
@@ -37,9 +38,9 @@ class TLS::DigitallySigned
37
38
  def self.from_blob(blob)
38
39
  hash_algorithm, signature_algorithm, sig_blob = blob.unpack("CCa*")
39
40
 
40
- if signature_algorithm != ::TLS::SignatureAlgorithm[:ecdsa]
41
+ unless ::TLS::SignatureAlgorithm.values.include?(signature_algorithm)
41
42
  raise ArgumentError,
42
- "Signature specified in blob is not ECDSA"
43
+ "invalid signature type specified (#{signature_algorithm})"
43
44
  end
44
45
 
45
46
  if hash_algorithm != ::TLS::HashAlgorithm[:sha256]
@@ -62,7 +63,7 @@ class TLS::DigitallySigned
62
63
 
63
64
  # Set the key for this instance.
64
65
  #
65
- # @param k [OpenSSL::PKey::EC] a key to verify or generate the signature.
66
+ # @param k [OpenSSL::PKey::PKey] a key to verify or generate the signature.
66
67
  # If you only want to verify an existing signature (ie you created this
67
68
  # instance via {.from_blob}, then this key can be a public key.
68
69
  # Otherwise, if you want to generate a new signature, you must pass in
@@ -74,9 +75,9 @@ class TLS::DigitallySigned
74
75
  # appropriate type.
75
76
  #
76
77
  def key=(k)
77
- unless k.is_a? OpenSSL::PKey::EC
78
+ unless k.is_a?(OpenSSL::PKey::PKey)
78
79
  raise ArgumentError,
79
- "Key must be an instance of OpenSSL::PKey::EC"
80
+ "Key must be an instance of OpenSSL::PKey::PKey (got a #{k.class})"
80
81
  end
81
82
 
82
83
  @key = k
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: certificate-transparency
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Matt Palmer
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-06-12 00:00:00.000000000 Z
11
+ date: 2015-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler