certificate-transparency 0.5.0 → 0.6.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/certificate-transparency/certificate_chain.rb +2 -0
  3. data/lib/certificate-transparency/signed_tree_head.rb +11 -3
  4. data/lib/tls/digitally_signed.rb +14 -13
  5. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a79a012d5182f45a32441f36a7d01853babefce5
4
- data.tar.gz: 52007f0dd5ee5ae0f695709ab333e146525aaaf3
3
+ metadata.gz: f22191737905aa6c892ecfb3a08ad89f7e294fbe
4
+ data.tar.gz: c0cdac47699adf0b56d0032da06f0ad256114c31
5
5
  SHA512:
6
- metadata.gz: 6deb537a51d4c064214b2017dbfacfd93ba430836bcaf1adb78d0f1bb28dd5c40233adc8d7591534189a394b8f7194129323640a3068bbbc2cf15386a446c184
7
- data.tar.gz: 2e0805987f1c1a2f69fc8cbda8cce94d0685bcf8339210fe4e38f6cb5d6d3a4c4aee4ef23c37a763f98168cbb2bdf51d738dcf556d94a9343ac354cb72f780c2
6
+ metadata.gz: 476fdeb0fa0e7d85c9bf1bb6e4f104786870176e196bda0c0a597aa5ecfba25afa7f1c9d74e463467a97b392876482ccea5f2c99d95f6528d551607d88c5a599
7
+ data.tar.gz: 0b92f1a6d0ee4251d7b1572939bcc17345dbbdbad0ac3b14e43e75276ebfb7f9a0bb1951da3e810fd9a1c9fc4cf9cd19eed5cf9857f2402e767e261589cf334f
data/lib/certificate-transparency/certificate_chain.rb CHANGED
@@ -1,3 +1,5 @@
1
+ require 'forwardable'
2
+
1
3
  # A chain of certificates, from an end-entity certificate to a root certificate
2
4
  # presumably trusted by the log.
3
5
  #
data/lib/certificate-transparency/signed_tree_head.rb CHANGED
@@ -26,13 +26,21 @@ class CertificateTransparency::SignedTreeHead
26
26
  # Determine whether or not the signature that was provided in the
27
27
  # signed tree head is a valid one, based on the provided key.
28
28
  #
29
- # @param pk [String] the raw binary form of the public key of the
30
- # log.
29
+ # @param pk [String, OpenSSL::PKey::PKey] either the raw binary form of
30
+ # the public key of the log, or an existing OpenSSL public key object.
31
31
  #
32
32
  # @return Boolean
33
33
  #
34
34
  def valid?(pk)
35
- key = OpenSSL::PKey::EC.new(pk)
35
+ key = if pk.is_a?(OpenSSL::PKey::PKey)
36
+ pk
37
+ else
38
+ begin
39
+ OpenSSL::PKey::EC.new(pk)
40
+ rescue ArgumentError
41
+ OpenSSL::PKey::RSA.new(pk)
42
+ end
43
+ end
36
44
 
37
45
  blob = [
38
46
  CT::Version[:v1],
data/lib/tls/digitally_signed.rb CHANGED
@@ -14,16 +14,17 @@ class TLS::DigitallySigned
14
14
  #
15
15
  # Takes a number of named options:
16
16
  #
17
- # * `:key` -- (required) An instance of `OpenSSL::PKey::EC`. If you pass
18
- # in `:blob` as well, then this can be either a public key or a private
19
- # key (because you only need a public key for validating a signature),
20
- # but if you only pass in `:content`, you must provide a private key
21
- # here.
17
+ # * `:key` -- (required) An instance of `OpenSSL::PKey::PKey`. If you
18
+ # pass in `:blob` as well, then this can be either a public key or a
19
+ # private key (because you only need a public key for validating a
20
+ # signature), but if you only pass in `:content`, you must provide a
21
+ # private key here.
22
22
  #
23
23
  # This key *must* be generated with the NIST P-256 curve (known to
24
- # OpenSSL as `prime256v1`) in order to be compliant with the CT spec.
25
- # However, we can't validate that, so it's up to you to make sure you
26
- # do it right.
24
+ # OpenSSL as `prime256v1`), or be an RSA key of at least 2048 bits, in
25
+ # order to be compliant with the CT spec. However, we can't validate
26
+ # some of those criteria, so it's up to you to make sure you do it
27
+ # right.
27
28
  #
28
29
  # * `:content` -- (required) The content to sign, or verify the signature
29
30
  # of. This can be any string.
@@ -37,9 +38,9 @@ class TLS::DigitallySigned
37
38
  def self.from_blob(blob)
38
39
  hash_algorithm, signature_algorithm, sig_blob = blob.unpack("CCa*")
39
40
 
40
- if signature_algorithm != ::TLS::SignatureAlgorithm[:ecdsa]
41
+ unless ::TLS::SignatureAlgorithm.values.include?(signature_algorithm)
41
42
  raise ArgumentError,
42
- "Signature specified in blob is not ECDSA"
43
+ "invalid signature type specified (#{signature_algorithm})"
43
44
  end
44
45
 
45
46
  if hash_algorithm != ::TLS::HashAlgorithm[:sha256]
@@ -62,7 +63,7 @@ class TLS::DigitallySigned
62
63
 
63
64
  # Set the key for this instance.
64
65
  #
65
- # @param k [OpenSSL::PKey::EC] a key to verify or generate the signature.
66
+ # @param k [OpenSSL::PKey::PKey] a key to verify or generate the signature.
66
67
  # If you only want to verify an existing signature (ie you created this
67
68
  # instance via {.from_blob}, then this key can be a public key.
68
69
  # Otherwise, if you want to generate a new signature, you must pass in
@@ -74,9 +75,9 @@ class TLS::DigitallySigned
74
75
  # appropriate type.
75
76
  #
76
77
  def key=(k)
77
- unless k.is_a? OpenSSL::PKey::EC
78
+ unless k.is_a?(OpenSSL::PKey::PKey)
78
79
  raise ArgumentError,
79
- "Key must be an instance of OpenSSL::PKey::EC"
80
+ "Key must be an instance of OpenSSL::PKey::PKey (got a #{k.class})"
80
81
  end
81
82
 
82
83
  @key = k
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: certificate-transparency
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Matt Palmer
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-06-12 00:00:00.000000000 Z
11
+ date: 2015-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler