certificate_authority 0.1.1

data/lib/certificate_authority/serial_number.rb

@@ -0,0 +1,9 @@
+module CertificateAuthority
+  class SerialNumber
+    include ActiveModel::Validations
+    
+    attr_accessor :number
+    
+    validates :number, :presence => true, :numericality => {:greater_than => 0}
+  end
+end

data/lib/certificate_authority/signing_entity.rb

@@ -0,0 +1,18 @@
+module CertificateAuthority
+  module SigningEntity
+    
+    def self.included(mod)
+      mod.class_eval do
+        attr_accessor :signing_entity 
+      end
+    end
+    
+    def signing_entity=(val)
+      raise "invalid param" unless [true,false].include?(val)
+      @signing_entity = val
+    end
+    
+    
+    
+  end
+end

data/lib/certificate_authority.rb

@@ -0,0 +1,19 @@
+$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+
+#Exterior requirements
+require 'openssl'
+require 'active_model'
+
+#Internal modules
+require 'certificate_authority/signing_entity'
+require 'certificate_authority/distinguished_name'
+require 'certificate_authority/serial_number'
+require 'certificate_authority/key_material'
+require 'certificate_authority/pkcs11_key_material'
+require 'certificate_authority/extensions'
+require 'certificate_authority/certificate'
+require 'certificate_authority/certificate_revocation_list'
+require 'certificate_authority/ocsp_handler'
+
+module CertificateAuthority
+end

data/lib/tasks/certificate_authority.rake

@@ -0,0 +1,23 @@
+require 'certificate_authority'
+
+namespace :certificate_authority do
+  desc "Generate a quick self-signed cert"
+  task :self_signed do
+    
+    cn = "http://localhost"
+    cn = ENV['DOMAIN'] unless ENV['DOMAIN'].nil?
+    
+  	root = CertificateAuthority::Certificate.new
+  	root.subject.common_name= cn
+  	root.key_material.generate_key
+  	root.signing_entity = true
+  	root.valid?
+  	root.sign!
+  	
+  	print "Your cert for #{cn}\n"
+  	print root.to_pem
+  	
+  	print "Your private key\n"
+  	print root.key_material.private_key.to_pem
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,4 @@
+require 'rubygems'
+require 'rspec'
+
+require File.dirname(__FILE__) + '/../lib/certificate_authority'

data/spec/units/certificate_authority_spec.rb

@@ -0,0 +1,4 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority do
+end

data/spec/units/certificate_revocation_list_spec.rb

@@ -0,0 +1,68 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::CertificateRevocationList do
+  before(:each) do
+    @crl = CertificateAuthority::CertificateRevocationList.new
+    
+    @root_certificate = CertificateAuthority::Certificate.new
+    @root_certificate.signing_entity = true
+    @root_certificate.subject.common_name = "CRL Root"
+    @root_certificate.key_material.generate_key
+    @root_certificate.serial_number.number = 1
+    @root_certificate.sign!
+    
+    @certificate = CertificateAuthority::Certificate.new
+    @certificate.key_material.generate_key
+    @certificate.subject.common_name = "http://bogusSite.com"
+    @certificate.parent = @root_certificate
+    @certificate.serial_number.number = 2
+    @certificate.sign!
+    
+    @crl.parent = @root_certificate
+    @certificate.revoked_at = Time.now
+  end
+  
+  it "should accept a list of certificates" do
+    @crl << @certificate
+  end
+  
+  it "should complain if you add a certificate without a revocation time" do
+    @certificate.revoked_at = nil
+    lambda{ @crl << @certificate}.should raise_error
+  end
+  
+  it "should have a 'parent' that will be responsible for signing" do
+    @crl.parent = @root_certificate
+    @crl.parent.should_not be_nil
+  end
+  
+  it "should raise an error if you try and sign a CRL without attaching a parent" do
+    @crl.parent = nil
+    lambda { @crl.sign! }.should raise_error
+  end
+  
+  it "should be able to generate a proper CRL" do
+    @crl << @certificate
+    lambda {@crl.to_pem}.should raise_error
+    @crl.parent = @root_certificate
+    @crl.sign!
+    @crl.to_pem.should_not be_nil
+    OpenSSL::X509::CRL.new(@crl.to_pem).should_not be_nil
+  end
+  
+  describe "Next update" do
+    it "should be able to set a 'next_update' value" do
+      @crl.next_update = (60 * 60 * 10) # 10 Hours
+      @crl.next_update.should_not be_nil
+    end
+    
+    it "should throw an error if we try and sign up with a negative next_update" do
+      @crl.sign!
+      @crl.next_update = - (60 * 60 * 10)
+      lambda{@crl.sign!}.should raise_error
+    end
+    
+  end
+  
+  
+end

data/spec/units/certificate_spec.rb

@@ -0,0 +1,351 @@
+require File.dirname(__FILE__) + '/units_helper'
+
+describe CertificateAuthority::Certificate do
+  before(:each) do
+    @certificate = CertificateAuthority::Certificate.new
+  end
+  
+  describe CertificateAuthority::SigningEntity do
+    it "should behave as a signing entity" do
+      @certificate.respond_to?(:is_signing_entity?).should be_true
+    end
+    
+    it "should only be a signing entity if it's identified as a CA", :rfc3280 => true do
+      @certificate.is_signing_entity?.should be_false
+      @certificate.signing_entity = true
+      @certificate.is_signing_entity?.should be_true
+    end
+    
+    describe "Root certificates" do
+      before(:each) do
+        @certificate.signing_entity = true
+      end
+      
+      it "should be able to be identified as a root certificate" do
+        @certificate.is_root_entity?.should be_true
+      end
+      
+      it "should only be a root certificate if the parent entity is itself", :rfc3280 => true do
+        @certificate.parent.should == @certificate
+      end
+      
+      it "should be a root certificate by default" do
+        @certificate.is_root_entity?.should be_true
+      end
+      
+      it "should be able to self-sign" do
+        @certificate.serial_number.number = 1
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.subject.to_s.should == cert.issuer.to_s
+      end
+      
+      it "should have the basicContraint CA:TRUE" do
+        @certificate.serial_number.number = 1
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
+      end
+    end
+    
+    describe "Intermediate certificates" do
+      before(:each) do
+        @different_cert = CertificateAuthority::Certificate.new
+        @different_cert.signing_entity = true
+        @different_cert.subject.common_name = "chrischandler.name root"
+        @different_cert.key_material.generate_key
+        @different_cert.serial_number.number = 2
+        @different_cert.sign! #self-signed
+        @certificate.parent = @different_cert
+        @certificate.signing_entity = true
+      end
+      
+      it "should be able to be identified as an intermediate certificate" do
+        @certificate.is_intermediate_entity?.should be_true
+      end
+      
+      it "should not be identified as a root" do
+        @certificate.is_root_entity?.should be_false
+      end
+      
+      it "should only be an intermediate certificate if the parent is a different entity" do
+        @certificate.parent.should_not == @certificate
+        @certificate.parent.should_not be_nil
+      end
+      
+      it "should correctly be signed by a parent certificate" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.signing_entity = true
+        @certificate.serial_number.number = 1
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.subject.to_s.should_not == cert.issuer.to_s
+      end
+      
+      it "should have the basicContraint CA:TRUE" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.signing_entity = true
+        @certificate.serial_number.number = 3
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        # cert.extensions.first.value.should == "CA:TRUE"
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:TRUE"
+      end
+      
+    end
+    
+    describe "Terminal certificates" do
+      before(:each) do
+        @different_cert = CertificateAuthority::Certificate.new
+        @different_cert.signing_entity = true
+        @different_cert.subject.common_name = "chrischandler.name root"
+        @different_cert.key_material.generate_key
+        @different_cert.serial_number.number = 1
+        @different_cert.sign! #self-signed
+        @certificate.parent = @different_cert
+      end
+      
+      it "should not be identified as an intermediate certificate" do
+        @certificate.is_intermediate_entity?.should be_false
+      end
+      
+      it "should not be identified as a root" do
+        @certificate.is_root_entity?.should be_false
+      end
+      
+      it "should have the basicContraint CA:FALSE" do
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.signing_entity = false
+        @certificate.serial_number.number = 1
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        # cert.extensions.first.value.should == "CA:FALSE"
+        cert.extensions.map{|i| [i.oid,i.value] }.select{|i| i.first == "basicConstraints"}.first[1].should == "CA:FALSE"
+      end
+    end
+    
+
+    it "should be able to be identified as a root certificate" do
+      @certificate.respond_to?(:is_root_entity?).should be_true
+    end
+  end #End of SigningEntity
+  
+  describe "Signed certificates" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key
+      @certificate.serial_number.number = 1
+      @certificate.sign!
+    end
+    
+    it "should have a PEM encoded certificate body available" do
+      @certificate.to_pem.should_not be_nil
+      OpenSSL::X509::Certificate.new(@certificate.to_pem).should_not be_nil
+    end
+  end
+  
+  describe "X.509 V3 Extensions on Signed Certificates" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key
+      @certificate.serial_number.number = 1
+      @signing_profile = {
+        "extensions" => {
+          "subjectAltName" => {"uris" => ["www.chrischandler.name"]},
+          "certificatePolicies" => { 
+            "policy_identifier" => "1.3.5.7", 
+            "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
+            "user_notice" => {
+             "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
+            }
+          }
+        }
+      }
+      @certificate.sign!(@signing_profile)
+    end
+    
+    describe "SubjectAltName" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.serial_number.number = 1
+      end
+      
+      it  "should have a subjectAltName if specified" do
+        @certificate.sign!({"extensions" => {"subjectAltName" => {"uris" => ["www.chrischandler.name"]}}})
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("subjectAltName").should be_true
+      end
+      
+      it "should NOT have a subjectAltName if one was not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("subjectAltName").should be_false
+      end
+    end
+    
+    describe "CertificatePolicies" do
+      before(:each) do
+        @certificate = CertificateAuthority::Certificate.new
+        @certificate.subject.common_name = "chrischandler.name"
+        @certificate.key_material.generate_key
+        @certificate.serial_number.number = 1
+      end
+      
+      it "should have a certificatePolicy if specified" do
+        @certificate.sign!({
+          "extensions" => {
+            "certificatePolicies" => { 
+              "policy_identifier" => "1.3.5.7", 
+              "cps_uris" => ["http://my.host.name/", "http://my.your.name/"]
+            }
+          }
+        })
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
+      end
+      
+      it "should contain a nested userNotice if specified" do
+        pending
+        # @certificate.sign!({
+        #   "extensions" => {
+        #     "certificatePolicies" => { 
+        #       "policy_identifier" => "1.3.5.7", 
+        #       "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
+        #       "user_notice" => {
+        #        "explicit_text" => "Testing!", "organization" => "RSpec Test organization name", "notice_numbers" => "1,2,3,4"
+        #       }
+        #     }
+        #   }
+        # })
+        # cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        # cert.extensions.map(&:oid).include?("certificatePolicies").should be_true
+      end
+      
+      it "should NOT include a certificatePolicy if not specified" do
+        @certificate.sign!
+        cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+        cert.extensions.map(&:oid).include?("certificatePolicies").should be_false
+      end  
+    end
+    
+    
+    it "should support BasicContraints" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("basicConstraints").should be_true
+    end
+    
+    it "should support crlDistributionPoints" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("crlDistributionPoints").should be_true
+    end
+    
+    it "should support subjectKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("subjectKeyIdentifier").should be_true
+    end
+    
+    it "should support authorityKeyIdentifier" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("authorityKeyIdentifier").should be_true
+    end
+    
+    it "should support authorityInfoAccess" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("authorityInfoAccess").should be_true
+    end
+    
+    it "should support keyUsage" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("keyUsage").should be_true
+    end
+    
+    it "should support extendedKeyUsage" do
+      cert = OpenSSL::X509::Certificate.new(@certificate.to_pem)
+      cert.extensions.map(&:oid).include?("extendedKeyUsage").should be_true
+    end
+  end
+  
+  describe "Signing profile" do
+    before(:each) do
+      @certificate = CertificateAuthority::Certificate.new
+      @certificate.subject.common_name = "chrischandler.name"
+      @certificate.key_material.generate_key
+      @certificate.serial_number.number = 1
+      
+      @signing_profile = {
+        "extensions" => {
+          "basicConstraints" => {"ca" => false},
+          "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
+          "subjectKeyIdentifier" => {},
+          "authorityKeyIdentifier" => {},
+          "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
+          "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
+          "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
+          "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
+          "certificatePolicies" => {
+          "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"], "user_notice" => {
+             "explicit_text" => "Explicit Text Here", "organization" => "Organization name", "notice_numbers" => "1,2,3,4"
+          }
+        }
+      }
+    }
+    end
+    
+    it "should be able to sign with an optional policy hash" do
+      @certificate.sign!(@signing_profile)
+    end
+    
+  end
+  
+  
+  it "should have a distinguished name" do
+    @certificate.distinguished_name.should_not be_nil
+  end
+  
+  it "should have a serial number" do
+    @certificate.serial_number.should_not be_nil
+  end
+  
+  it "should have a subject" do
+    @certificate.subject.should_not be_nil
+  end
+  
+  it "should be able to have a parent entity" do
+    @certificate.respond_to?(:parent).should be_true
+  end
+  
+  it "should have key material" do
+    @certificate.key_material.should_not be_nil
+  end
+  
+  it "should have a not_before field" do
+    @certificate.not_before.should_not be_nil
+  end
+  
+  it "should have a not_after field" do
+    @certificate.not_after.should_not be_nil
+  end
+  
+  it "should default to one year validity" do
+    @certificate.not_after.should < Time.now + 65 * 60 * 24 * 365 and
+    @certificate.not_after.should > Time.now + 55 * 60 * 24 * 365
+  end
+  
+  it "should be able to have a revoked at time" do
+    @certificate.revoked?.should be_false
+    @certificate.revoked_at = Time.now
+    @certificate.revoked?.should be_true
+  end
+  
+end