RubyGems - certificate_authority - Versions diffs - 0.1.1 - Mend

certificate_authority 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

data/Gemfile +9 -0
data/Gemfile.lock +35 -0
data/README.rdoc +68 -0
data/Rakefile +52 -0
data/VERSION.yml +5 -0
data/certificate_authority.gemspec +90 -0
data/lib/certificate_authority/certificate.rb +176 -0
data/lib/certificate_authority/certificate_revocation_list.rb +59 -0
data/lib/certificate_authority/distinguished_name.rb +39 -0
data/lib/certificate_authority/extensions.rb +251 -0
data/lib/certificate_authority/key_material.rb +62 -0
data/lib/certificate_authority/ocsp_handler.rb +77 -0
data/lib/certificate_authority/pkcs11_key_material.rb +65 -0
data/lib/certificate_authority/serial_number.rb +9 -0
data/lib/certificate_authority/signing_entity.rb +18 -0
data/lib/certificate_authority.rb +19 -0
data/lib/tasks/certificate_authority.rake +23 -0
data/spec/spec_helper.rb +4 -0
data/spec/units/certificate_authority_spec.rb +4 -0
data/spec/units/certificate_revocation_list_spec.rb +68 -0
data/spec/units/certificate_spec.rb +351 -0
data/spec/units/distinguished_name_spec.rb +38 -0
data/spec/units/extensions_spec.rb +53 -0
data/spec/units/key_material_spec.rb +96 -0
data/spec/units/ocsp_handler_spec.rb +104 -0
data/spec/units/serial_number_spec.rb +20 -0
data/spec/units/signing_entity_spec.rb +4 -0
data/spec/units/units_helper.rb +1 -0
metadata +148 -0

data/Gemfile ADDED Viewed

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+gem 'activemodel'
+#group :development do
+	gem 'rspec'
+  gem "jeweler", "~> 1.5.2"
+  gem "rcov", ">= 0"
+#end

data/Gemfile.lock ADDED Viewed

@@ -0,0 +1,35 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.0.6)
+      activesupport (= 3.0.6)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activesupport (3.0.6)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    git (1.2.5)
+    i18n (0.5.0)
+    jeweler (1.5.2)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    rake (0.8.7)
+    rcov (0.9.9)
+    rspec (2.5.0)
+      rspec-core (~> 2.5.0)
+      rspec-expectations (~> 2.5.0)
+      rspec-mocks (~> 2.5.0)
+    rspec-core (2.5.1)
+    rspec-expectations (2.5.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.5.0)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  activemodel
+  jeweler (~> 1.5.2)
+  rcov
+  rspec

data/README.rdoc ADDED Viewed

@@ -0,0 +1,68 @@
+= CertificateAuthority - Because it shouldn't be this damned complicated
+This is meant to provide a programmer-friendly implementation of all the basic functionality contained in RFC-3280 to implement your own certificate authority.
+You can generate root certificates, intermediate certificates, and terminal certificates.  You can also generate/manage Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) messages.
+Because this library is built using the native Ruby bindings for OpenSSL it also supports PKCS#11 cryptographic hardware for secure maintenance of private key materials.
+= The important parts
+Coming soon.
+= Examples
+== Creating a self-signed certificate/root (probably what you want)
+	require 'certificate_authority'
+	root = CertificateAuthority::Certificate.new
+	root.subject.common_name "http://mydomain.com"
+	root.key_material.generate_key
+	root.signing_entity = true
+	root.sign!
+== Creating an intermediate certificate (much less common use-case)
+	require 'certificate_authority'
+	root = CertificateAuthority::Certificate.new
+	root.subject.common_name "My snazzy root!"
+	root.key_material.generate_key
+	root.signing_entity = true
+	root.sign!
+	intermediate = CertificateAuthority::Certificate.new
+	intermediate.subject.common_name "My snazzy intermediate!"
+	intermediate.key_material.generate_key
+	intermediate.signing_entity = true
+	intermediate.parent = root
+	intermediate.sign!
+== Creating a terminal (non-signing) cert
+  require 'certificate_authority'
+	plain_cert = CertificateAuthority::Certificate.new
+	plain_cert.subject.common_name "http://mydomain.com"
+	plain_cert.key_material.generate_key
+	plain_cert.parent = root # or intermediate
+	plain_cert.sign!
+== Getting the certificate body
+	...
+	certificate.sign!
+  certificate.to_pem # <= Returns a PEM formatted string of your certificate
+  certificate.key_material.private_key.to_pem # <= If you need the private key (and it's in memory)
+= Coming Soon
+* More PKCS#11 hardware (I need driver support from the manufacturers)
+* Configurable V3 extensions for all the extended functionality
+== Meta
+Written by Chris Chandler(http://chrischandler.name) of Flatterline(http://flatterline.com)
+Released under the MIT License: http://www.opensource.org/licenses/mit-license.php
+Main page: http://github.com/cchandler/certificateauthority
+Issue tracking: https://github.com/cchandler/certificateauthority/issues

data/Rakefile ADDED Viewed

@@ -0,0 +1,52 @@
+require 'rubygems'
+require 'bundler'
+require 'rspec'
+require 'rspec/core/rake_task'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+desc 'Default: run specs.'
+task :default => :spec
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "certificate_authority"
+  gem.homepage = "http://github.com/cchandler/certificate_authority"
+  gem.license = "MIT"
+  gem.summary = 'Ruby gem for managing the core functions outlined in RFC-3280 for PKI'
+  # gem.description = ''
+  gem.email = "chris@flatterline.com"
+  gem.authors = ["Chris Chandler"]
+  gem.add_dependency('activemodel', '3.0.6')
+end
+Jeweler::RubygemsDotOrgTasks.new
+task :spec do
+  Rake::Task["spec:units"].invoke
+end
+namespace :spec do
+  desc "Run unit specs."
+  RSpec::Core::RakeTask.new(:units) do |t|
+    t.rspec_opts = ['--colour --format progress --tag ~pkcs11']
+  end
+  desc "Run integration specs."
+  RSpec::Core::RakeTask.new(:integrations) do |t|
+    t.rspec_opts   = ['--colour --format progress']
+  end
+end
+RSpec::Core::RakeTask.new(:doc) do |t|
+  t.rspec_opts   = ['--format specdoc ']
+end

data/VERSION.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+:major: 0
+:minor: 1
+:build:
+:patch: 1

data/certificate_authority.gemspec ADDED Viewed

@@ -0,0 +1,90 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name = %q{certificate_authority}
+  s.version = "0.1.1"
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Chris Chandler"]
+  s.date = %q{2011-04-20}
+  s.email = %q{chris@flatterline.com}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    "Gemfile",
+    "Gemfile.lock",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION.yml",
+    "certificate_authority.gemspec",
+    "lib/certificate_authority.rb",
+    "lib/certificate_authority/certificate.rb",
+    "lib/certificate_authority/certificate_revocation_list.rb",
+    "lib/certificate_authority/distinguished_name.rb",
+    "lib/certificate_authority/extensions.rb",
+    "lib/certificate_authority/key_material.rb",
+    "lib/certificate_authority/ocsp_handler.rb",
+    "lib/certificate_authority/pkcs11_key_material.rb",
+    "lib/certificate_authority/serial_number.rb",
+    "lib/certificate_authority/signing_entity.rb",
+    "lib/tasks/certificate_authority.rake",
+    "spec/spec_helper.rb",
+    "spec/units/certificate_authority_spec.rb",
+    "spec/units/certificate_revocation_list_spec.rb",
+    "spec/units/certificate_spec.rb",
+    "spec/units/distinguished_name_spec.rb",
+    "spec/units/extensions_spec.rb",
+    "spec/units/key_material_spec.rb",
+    "spec/units/ocsp_handler_spec.rb",
+    "spec/units/serial_number_spec.rb",
+    "spec/units/signing_entity_spec.rb",
+    "spec/units/units_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/cchandler/certificate_authority}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.7.2}
+  s.summary = %q{Ruby gem for managing the core functions outlined in RFC-3280 for PKI}
+  s.test_files = [
+    "spec/spec_helper.rb",
+    "spec/units/certificate_authority_spec.rb",
+    "spec/units/certificate_revocation_list_spec.rb",
+    "spec/units/certificate_spec.rb",
+    "spec/units/distinguished_name_spec.rb",
+    "spec/units/extensions_spec.rb",
+    "spec/units/key_material_spec.rb",
+    "spec/units/ocsp_handler_spec.rb",
+    "spec/units/serial_number_spec.rb",
+    "spec/units/signing_entity_spec.rb",
+    "spec/units/units_helper.rb"
+  ]
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<activemodel>, [">= 0"])
+      s.add_runtime_dependency(%q<rspec>, [">= 0"])
+      s.add_runtime_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_runtime_dependency(%q<rcov>, [">= 0"])
+      s.add_runtime_dependency(%q<activemodel>, ["= 3.0.6"])
+    else
+      s.add_dependency(%q<activemodel>, [">= 0"])
+      s.add_dependency(%q<rspec>, [">= 0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<activemodel>, ["= 3.0.6"])
+    end
+  else
+    s.add_dependency(%q<activemodel>, [">= 0"])
+    s.add_dependency(%q<rspec>, [">= 0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<activemodel>, ["= 3.0.6"])
+  end
+end

data/lib/certificate_authority/certificate.rb ADDED Viewed

@@ -0,0 +1,176 @@
+module CertificateAuthority
+  class Certificate
+    # include SigningEntity
+    include ActiveModel::Validations
+    attr_accessor :distinguished_name
+    attr_accessor :serial_number
+    attr_accessor :key_material
+    attr_accessor :not_before
+    attr_accessor :not_after
+    attr_accessor :revoked_at
+    attr_accessor :extensions
+    attr_accessor :openssl_body
+    alias :subject :distinguished_name #Same thing as the DN
+    attr_accessor :parent
+    validate do |certificate|
+      errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
+      errors.add :base, "Key material name must be valid" unless key_material.valid?
+      errors.add :base, "Serial number must be valid" unless serial_number.valid?
+      errors.add :base, "Extensions must be valid" unless extensions.each do |item|
+        return true unless item.respond_to?(:valid?)
+        item.valid?
+      end
+    end
+    def initialize
+      self.distinguished_name = DistinguishedName.new
+      self.serial_number = SerialNumber.new
+      self.key_material = MemoryKeyMaterial.new
+      self.not_before = Time.now
+      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.parent = self
+      self.extensions = load_extensions()
+      self.signing_entity = false
+    end
+    def sign!(signing_profile={})
+      raise "Invalid certificate" unless valid?
+      merge_profile_with_extensions(signing_profile)
+      openssl_cert = OpenSSL::X509::Certificate.new
+      openssl_cert.version    = 2
+      openssl_cert.not_before = self.not_before
+      openssl_cert.not_after = self.not_after
+      openssl_cert.public_key = self.key_material.public_key
+      openssl_cert.serial = self.serial_number.number
+      openssl_cert.subject = self.distinguished_name.to_x509_name
+      openssl_cert.issuer = parent.distinguished_name.to_x509_name
+      require 'tempfile'
+      t = Tempfile.new("bullshit_conf")
+      # t = File.new("/tmp/openssl.cnf")
+      ## The config requires a file even though we won't use it
+      openssl_config = OpenSSL::Config.new(t.path)
+      factory = OpenSSL::X509::ExtensionFactory.new
+      factory.subject_certificate = openssl_cert
+      #NB: If the parent doesn't have an SSL body we're making this a self-signed cert
+      if parent.openssl_body.nil?
+        factory.issuer_certificate = openssl_cert
+      else
+        factory.issuer_certificate = parent.openssl_body
+      end
+      self.extensions.keys.each do |k|
+        config_extensions = extensions[k].config_extensions
+        openssl_config = merge_options(openssl_config,config_extensions)
+      end
+      # p openssl_config.sections
+      factory.config = openssl_config
+      self.extensions.keys.each do |k|
+        e = extensions[k]
+        next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
+        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        openssl_cert.add_extension(ext)
+      end
+      digest = OpenSSL::Digest::Digest.new("SHA512")
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
+      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
+      self.openssl_body
+    end
+    def is_signing_entity?
+      self.extensions["basicConstraints"].ca
+    end
+    def signing_entity=(signing)
+      self.extensions["basicConstraints"].ca = signing
+    end
+    def revoked?
+      !self.revoked_at.nil?
+    end
+    def to_pem
+      raise "Certificate has no signed body" if self.openssl_body.nil?
+      self.openssl_body.to_pem
+    end
+    def is_root_entity?
+      self.parent == self && is_signing_entity?
+    end
+    def is_intermediate_entity?
+      (self.parent != self) && is_signing_entity?
+    end
+    private
+    def merge_profile_with_extensions(signing_profile={})
+      return self.extensions if signing_profile["extensions"].nil?
+      signing_config = signing_profile["extensions"]
+      signing_config.keys.each do |k|
+        extension = self.extensions[k]
+        items = signing_config[k]
+        items.keys.each do |profile_item_key|
+          if extension.respond_to?("#{profile_item_key}=".to_sym)
+            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
+          else
+            p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
+          end
+        end
+      end
+    end
+    def load_extensions
+      extension_hash = {}
+      temp_extensions = []
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      temp_extensions << basic_constraints
+      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
+      temp_extensions << crl_distribution_points
+      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
+      temp_extensions << subject_key_identifier
+      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
+      temp_extensions << authority_key_identifier
+      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
+      temp_extensions << authority_info_access
+      key_usage = CertificateAuthority::Extensions::KeyUsage.new
+      temp_extensions << key_usage
+      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
+      temp_extensions << extended_key_usage
+      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      temp_extensions << subject_alternative_name
+      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
+      temp_extensions << certificate_policies
+      temp_extensions.each do |extension|
+        extension_hash[extension.openssl_identifier] = extension
+      end
+      extension_hash
+    end
+    def merge_options(config,hash)
+      hash.keys.each do |k|
+        config[k] = hash[k]
+      end
+      config
+    end
+  end
+end

data/lib/certificate_authority/certificate_revocation_list.rb ADDED Viewed

@@ -0,0 +1,59 @@
+module CertificateAuthority
+  class CertificateRevocationList
+    include ActiveModel::Validations
+    attr_accessor :certificates
+    attr_accessor :parent
+    attr_accessor :crl_body
+    attr_accessor :next_update
+    validate do |crl|
+      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
+      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    end
+    def initialize
+      self.certificates = []
+      self.next_update = 60 * 60 * 4 # 4 hour default
+    end
+    def <<(cert)
+      raise "Only revoked certificates can be added to a CRL" unless cert.revoked?
+      self.certificates << cert
+    end
+    def sign!
+      raise "No parent entity has been set!" if self.parent.nil?
+      raise "Invalid CRL" unless self.valid?
+      revocations = self.certificates.collect do |certificate|
+        revocation = OpenSSL::X509::Revoked.new
+        x509_cert = OpenSSL::X509::Certificate.new(certificate.to_pem)
+        revocation.serial = x509_cert.serial
+        revocation.time = certificate.revoked_at
+        revocation
+      end
+      crl = OpenSSL::X509::CRL.new
+      revocations.each do |revocation|
+        crl.add_revoked(revocation)
+      end
+      crl.version = 1
+      crl.last_update = Time.now
+      crl.next_update = Time.now + self.next_update
+      signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
+      digest = OpenSSL::Digest::Digest.new("SHA512")
+      crl.issuer = signing_cert.subject
+      self.crl_body = crl.sign(self.parent.key_material.private_key, digest)
+      self.crl_body
+    end
+    def to_pem
+      raise "No signed CRL body" if self.crl_body.nil?
+      self.crl_body.to_pem
+    end
+  end#CertificateRevocationList
+end