RubyGems - certificate_authority - Versions diffs - 0.1.1 - Mend

certificate_authority 0.1.1

Files changed (29) hide show

data/Gemfile +9 -0
data/Gemfile.lock +35 -0
data/README.rdoc +68 -0
data/Rakefile +52 -0
data/VERSION.yml +5 -0
data/certificate_authority.gemspec +90 -0
data/lib/certificate_authority/certificate.rb +176 -0
data/lib/certificate_authority/certificate_revocation_list.rb +59 -0
data/lib/certificate_authority/distinguished_name.rb +39 -0
data/lib/certificate_authority/extensions.rb +251 -0
data/lib/certificate_authority/key_material.rb +62 -0
data/lib/certificate_authority/ocsp_handler.rb +77 -0
data/lib/certificate_authority/pkcs11_key_material.rb +65 -0
data/lib/certificate_authority/serial_number.rb +9 -0
data/lib/certificate_authority/signing_entity.rb +18 -0
data/lib/certificate_authority.rb +19 -0
data/lib/tasks/certificate_authority.rake +23 -0
data/spec/spec_helper.rb +4 -0
data/spec/units/certificate_authority_spec.rb +4 -0
data/spec/units/certificate_revocation_list_spec.rb +68 -0
data/spec/units/certificate_spec.rb +351 -0
data/spec/units/distinguished_name_spec.rb +38 -0
data/spec/units/extensions_spec.rb +53 -0
data/spec/units/key_material_spec.rb +96 -0
data/spec/units/ocsp_handler_spec.rb +104 -0
data/spec/units/serial_number_spec.rb +20 -0
data/spec/units/signing_entity_spec.rb +4 -0
data/spec/units/units_helper.rb +1 -0
metadata +148 -0

data/Gemfile ADDED Viewed

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+gem 'activemodel'
+#group :development do
+	gem 'rspec'
+  gem "jeweler", "~> 1.5.2"
+  gem "rcov", ">= 0"
+#end

data/Gemfile.lock ADDED Viewed

@@ -0,0 +1,35 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.0.6)
+      activesupport (= 3.0.6)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activesupport (3.0.6)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    git (1.2.5)
+    i18n (0.5.0)
+    jeweler (1.5.2)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    rake (0.8.7)
+    rcov (0.9.9)
+    rspec (2.5.0)
+      rspec-core (~> 2.5.0)
+      rspec-expectations (~> 2.5.0)
+      rspec-mocks (~> 2.5.0)
+    rspec-core (2.5.1)
+    rspec-expectations (2.5.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.5.0)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  activemodel
+  jeweler (~> 1.5.2)
+  rcov
+  rspec

data/README.rdoc ADDED Viewed

@@ -0,0 +1,68 @@
+= CertificateAuthority - Because it shouldn't be this damned complicated
+This is meant to provide a programmer-friendly implementation of all the basic functionality contained in RFC-3280 to implement your own certificate authority.
+You can generate root certificates, intermediate certificates, and terminal certificates.  You can also generate/manage Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) messages.
+Because this library is built using the native Ruby bindings for OpenSSL it also supports PKCS#11 cryptographic hardware for secure maintenance of private key materials.
+= The important parts
+Coming soon.
+= Examples
+== Creating a self-signed certificate/root (probably what you want)
+	require 'certificate_authority'
+	root = CertificateAuthority::Certificate.new
+	root.subject.common_name "http://mydomain.com"
+	root.key_material.generate_key
+	root.signing_entity = true
+	root.sign!
+== Creating an intermediate certificate (much less common use-case)
+	require 'certificate_authority'
+	root = CertificateAuthority::Certificate.new
+	root.subject.common_name "My snazzy root!"
+	root.key_material.generate_key
+	root.signing_entity = true
+	root.sign!
+	intermediate = CertificateAuthority::Certificate.new
+	intermediate.subject.common_name "My snazzy intermediate!"
+	intermediate.key_material.generate_key
+	intermediate.signing_entity = true
+	intermediate.parent = root
+	intermediate.sign!
+== Creating a terminal (non-signing) cert
+  require 'certificate_authority'
+	plain_cert = CertificateAuthority::Certificate.new
+	plain_cert.subject.common_name "http://mydomain.com"
+	plain_cert.key_material.generate_key
+	plain_cert.parent = root # or intermediate
+	plain_cert.sign!
+== Getting the certificate body
+	...
+	certificate.sign!
+  certificate.to_pem # <= Returns a PEM formatted string of your certificate
+  certificate.key_material.private_key.to_pem # <= If you need the private key (and it's in memory)
+= Coming Soon
+* More PKCS#11 hardware (I need driver support from the manufacturers)
+* Configurable V3 extensions for all the extended functionality
+== Meta
+Written by Chris Chandler(http://chrischandler.name) of Flatterline(http://flatterline.com)
+Released under the MIT License: http://www.opensource.org/licenses/mit-license.php
+Main page: http://github.com/cchandler/certificateauthority
+Issue tracking: https://github.com/cchandler/certificateauthority/issues

data/Rakefile ADDED Viewed

@@ -0,0 +1,52 @@
+require 'rubygems'
+require 'bundler'
+require 'rspec'
+require 'rspec/core/rake_task'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+desc 'Default: run specs.'
+task :default => :spec
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "certificate_authority"
+  gem.homepage = "http://github.com/cchandler/certificate_authority"
+  gem.license = "MIT"
+  gem.summary = 'Ruby gem for managing the core functions outlined in RFC-3280 for PKI'
+  # gem.description = ''
+  gem.email = "chris@flatterline.com"
+  gem.authors = ["Chris Chandler"]
+  gem.add_dependency('activemodel', '3.0.6')
+end
+Jeweler::RubygemsDotOrgTasks.new
+task :spec do
+  Rake::Task["spec:units"].invoke
+end
+namespace :spec do
+  desc "Run unit specs."
+  RSpec::Core::RakeTask.new(:units) do |t|
+    t.rspec_opts = ['--colour --format progress --tag ~pkcs11']
+  end
+  desc "Run integration specs."
+  RSpec::Core::RakeTask.new(:integrations) do |t|
+    t.rspec_opts   = ['--colour --format progress']
+  end
+end
+RSpec::Core::RakeTask.new(:doc) do |t|
+  t.rspec_opts   = ['--format specdoc ']
+end

data/VERSION.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+:major: 0
+:minor: 1
+:build:
+:patch: 1

data/certificate_authority.gemspec ADDED Viewed

@@ -0,0 +1,90 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name = %q{certificate_authority}
+  s.version = "0.1.1"
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Chris Chandler"]
+  s.date = %q{2011-04-20}
+  s.email = %q{chris@flatterline.com}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    "Gemfile",
+    "Gemfile.lock",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION.yml",
+    "certificate_authority.gemspec",
+    "lib/certificate_authority.rb",
+    "lib/certificate_authority/certificate.rb",
+    "lib/certificate_authority/certificate_revocation_list.rb",
+    "lib/certificate_authority/distinguished_name.rb",
+    "lib/certificate_authority/extensions.rb",
+    "lib/certificate_authority/key_material.rb",
+    "lib/certificate_authority/ocsp_handler.rb",
+    "lib/certificate_authority/pkcs11_key_material.rb",
+    "lib/certificate_authority/serial_number.rb",
+    "lib/certificate_authority/signing_entity.rb",
+    "lib/tasks/certificate_authority.rake",
+    "spec/spec_helper.rb",
+    "spec/units/certificate_authority_spec.rb",
+    "spec/units/certificate_revocation_list_spec.rb",
+    "spec/units/certificate_spec.rb",
+    "spec/units/distinguished_name_spec.rb",
+    "spec/units/extensions_spec.rb",
+    "spec/units/key_material_spec.rb",
+    "spec/units/ocsp_handler_spec.rb",
+    "spec/units/serial_number_spec.rb",
+    "spec/units/signing_entity_spec.rb",
+    "spec/units/units_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/cchandler/certificate_authority}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.7.2}
+  s.summary = %q{Ruby gem for managing the core functions outlined in RFC-3280 for PKI}
+  s.test_files = [
+    "spec/spec_helper.rb",
+    "spec/units/certificate_authority_spec.rb",
+    "spec/units/certificate_revocation_list_spec.rb",
+    "spec/units/certificate_spec.rb",
+    "spec/units/distinguished_name_spec.rb",
+    "spec/units/extensions_spec.rb",
+    "spec/units/key_material_spec.rb",
+    "spec/units/ocsp_handler_spec.rb",
+    "spec/units/serial_number_spec.rb",
+    "spec/units/signing_entity_spec.rb",
+    "spec/units/units_helper.rb"
+  ]
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<activemodel>, [">= 0"])
+      s.add_runtime_dependency(%q<rspec>, [">= 0"])
+      s.add_runtime_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_runtime_dependency(%q<rcov>, [">= 0"])
+      s.add_runtime_dependency(%q<activemodel>, ["= 3.0.6"])
+    else
+      s.add_dependency(%q<activemodel>, [">= 0"])
+      s.add_dependency(%q<rspec>, [">= 0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<activemodel>, ["= 3.0.6"])
+    end
+  else
+    s.add_dependency(%q<activemodel>, [">= 0"])
+    s.add_dependency(%q<rspec>, [">= 0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<activemodel>, ["= 3.0.6"])
+  end
+end

data/lib/certificate_authority/certificate.rb ADDED Viewed

@@ -0,0 +1,176 @@
+module CertificateAuthority
+  class Certificate
+    # include SigningEntity
+    include ActiveModel::Validations
+    attr_accessor :distinguished_name
+    attr_accessor :serial_number
+    attr_accessor :key_material
+    attr_accessor :not_before
+    attr_accessor :not_after
+    attr_accessor :revoked_at
+    attr_accessor :extensions
+    attr_accessor :openssl_body
+    alias :subject :distinguished_name #Same thing as the DN
+    attr_accessor :parent
+    validate do |certificate|
+      errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
+      errors.add :base, "Key material name must be valid" unless key_material.valid?
+      errors.add :base, "Serial number must be valid" unless serial_number.valid?
+      errors.add :base, "Extensions must be valid" unless extensions.each do |item|
+        return true unless item.respond_to?(:valid?)
+        item.valid?
+      end
+    end
+    def initialize
+      self.distinguished_name = DistinguishedName.new
+      self.serial_number = SerialNumber.new
+      self.key_material = MemoryKeyMaterial.new
+      self.not_before = Time.now
+      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.parent = self
+      self.extensions = load_extensions()
+      self.signing_entity = false
+    end
+    def sign!(signing_profile={})
+      raise "Invalid certificate" unless valid?
+      merge_profile_with_extensions(signing_profile)
+      openssl_cert = OpenSSL::X509::Certificate.new
+      openssl_cert.version    = 2
+      openssl_cert.not_before = self.not_before
+      openssl_cert.not_after = self.not_after
+      openssl_cert.public_key = self.key_material.public_key
+      openssl_cert.serial = self.serial_number.number
+      openssl_cert.subject = self.distinguished_name.to_x509_name
+      openssl_cert.issuer = parent.distinguished_name.to_x509_name
+      require 'tempfile'
+      t = Tempfile.new("bullshit_conf")
+      # t = File.new("/tmp/openssl.cnf")
+      ## The config requires a file even though we won't use it
+      openssl_config = OpenSSL::Config.new(t.path)
+      factory = OpenSSL::X509::ExtensionFactory.new
+      factory.subject_certificate = openssl_cert
+      #NB: If the parent doesn't have an SSL body we're making this a self-signed cert
+      if parent.openssl_body.nil?
+        factory.issuer_certificate = openssl_cert
+      else
+        factory.issuer_certificate = parent.openssl_body
+      end
+      self.extensions.keys.each do |k|
+        config_extensions = extensions[k].config_extensions
+        openssl_config = merge_options(openssl_config,config_extensions)
+      end
+      # p openssl_config.sections
+      factory.config = openssl_config
+      self.extensions.keys.each do |k|
+        e = extensions[k]
+        next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
+        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        openssl_cert.add_extension(ext)
+      end
+      digest = OpenSSL::Digest::Digest.new("SHA512")
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
+      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
+      self.openssl_body
+    end
+    def is_signing_entity?
+      self.extensions["basicConstraints"].ca
+    end
+    def signing_entity=(signing)
+      self.extensions["basicConstraints"].ca = signing
+    end
+    def revoked?
+      !self.revoked_at.nil?
+    end
+    def to_pem
+      raise "Certificate has no signed body" if self.openssl_body.nil?
+      self.openssl_body.to_pem
+    end
+    def is_root_entity?
+      self.parent == self && is_signing_entity?
+    end
+    def is_intermediate_entity?
+      (self.parent != self) && is_signing_entity?
+    end
+    private
+    def merge_profile_with_extensions(signing_profile={})
+      return self.extensions if signing_profile["extensions"].nil?
+      signing_config = signing_profile["extensions"]
+      signing_config.keys.each do |k|
+        extension = self.extensions[k]
+        items = signing_config[k]
+        items.keys.each do |profile_item_key|
+          if extension.respond_to?("#{profile_item_key}=".to_sym)
+            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
+          else
+            p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
+          end
+        end
+      end
+    end
+    def load_extensions
+      extension_hash = {}
+      temp_extensions = []
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      temp_extensions << basic_constraints
+      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
+      temp_extensions << crl_distribution_points
+      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
+      temp_extensions << subject_key_identifier
+      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
+      temp_extensions << authority_key_identifier
+      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
+      temp_extensions << authority_info_access
+      key_usage = CertificateAuthority::Extensions::KeyUsage.new
+      temp_extensions << key_usage
+      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
+      temp_extensions << extended_key_usage
+      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      temp_extensions << subject_alternative_name
+      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
+      temp_extensions << certificate_policies
+      temp_extensions.each do |extension|
+        extension_hash[extension.openssl_identifier] = extension
+      end
+      extension_hash
+    end
+    def merge_options(config,hash)
+      hash.keys.each do |k|
+        config[k] = hash[k]
+      end
+      config
+    end
+  end
+end

data/lib/certificate_authority/certificate_revocation_list.rb ADDED Viewed

@@ -0,0 +1,59 @@
+module CertificateAuthority
+  class CertificateRevocationList
+    include ActiveModel::Validations
+    attr_accessor :certificates
+    attr_accessor :parent
+    attr_accessor :crl_body
+    attr_accessor :next_update
+    validate do |crl|
+      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
+      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    end
+    def initialize
+      self.certificates = []
+      self.next_update = 60 * 60 * 4 # 4 hour default
+    end
+    def <<(cert)
+      raise "Only revoked certificates can be added to a CRL" unless cert.revoked?
+      self.certificates << cert
+    end
+    def sign!
+      raise "No parent entity has been set!" if self.parent.nil?
+      raise "Invalid CRL" unless self.valid?
+      revocations = self.certificates.collect do |certificate|
+        revocation = OpenSSL::X509::Revoked.new
+        x509_cert = OpenSSL::X509::Certificate.new(certificate.to_pem)
+        revocation.serial = x509_cert.serial
+        revocation.time = certificate.revoked_at
+        revocation
+      end
+      crl = OpenSSL::X509::CRL.new
+      revocations.each do |revocation|
+        crl.add_revoked(revocation)
+      end
+      crl.version = 1
+      crl.last_update = Time.now
+      crl.next_update = Time.now + self.next_update
+      signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
+      digest = OpenSSL::Digest::Digest.new("SHA512")
+      crl.issuer = signing_cert.subject
+      self.crl_body = crl.sign(self.parent.key_material.private_key, digest)
+      self.crl_body
+    end
+    def to_pem
+      raise "No signed CRL body" if self.crl_body.nil?
+      self.crl_body.to_pem
+    end
+  end#CertificateRevocationList
+end