certificate_authority 0.1.2 → 1.0.0

data/Rakefile

@@ -1,35 +1,9 @@
-require 'rubygems'
-require 'bundler'
-require 'rspec'
-require 'rspec/core/rake_task'
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
 
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-
-require 'rake'
-
-desc 'Default: run specs.'
-task :default => :spec
-
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "certificate_authority"
-  gem.homepage = "http://github.com/cchandler/certificate_authority"
-  gem.license = "MIT"
-  gem.summary = 'Ruby gem for managing the core functions outlined in RFC-3280 for PKI'
-  # gem.description = ''
-  gem.email = "chris@flatterline.com"
-  gem.authors = ["Chris Chandler"]
-  
-  # gem.add_dependency('activemodel', '3.0.6')
-end
-Jeweler::RubygemsDotOrgTasks.new
+desc "Default: run specs."
+task default: %i[spec]
 
 task :spec do
   Rake::Task["spec:units"].invoke
@@ -38,15 +12,6 @@ end
 namespace :spec do
   desc "Run unit specs."
   RSpec::Core::RakeTask.new(:units) do |t|
-    t.rspec_opts = ['--colour --format progress --tag ~pkcs11']
+    t.rspec_opts = ["--colour --format progress --tag ~pkcs11"]
   end
-
-  desc "Run integration specs."
-  RSpec::Core::RakeTask.new(:integrations) do |t|
-    t.rspec_opts   = ['--colour --format progress']
-  end
-end
-
-RSpec::Core::RakeTask.new(:doc) do |t|
-  t.rspec_opts   = ['--format specdoc ']
 end

data/certificate_authority.gemspec

@@ -1,87 +1,28 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
+require File.expand_path("lib/certificate_authority/version", __dir__)
 
-Gem::Specification.new do |s|
-  s.name = %q{certificate_authority}
-  s.version = "0.1.2"
+Gem::Specification.new do |spec|
+  spec.name = "certificate_authority"
+  spec.version = CertificateAuthority::VERSION
+  spec.authors = ["Chris Chandler"]
+  spec.email = ["squanderingtime@gmail.com"]
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Chris Chandler"]
-  s.date = %q{2011-04-21}
-  s.email = %q{chris@flatterline.com}
-  s.extra_rdoc_files = [
-    "README.rdoc"
-  ]
-  s.files = [
-    "Gemfile",
-    "Gemfile.lock",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION.yml",
-    "certificate_authority.gemspec",
-    "lib/certificate_authority.rb",
-    "lib/certificate_authority/certificate.rb",
-    "lib/certificate_authority/certificate_revocation_list.rb",
-    "lib/certificate_authority/distinguished_name.rb",
-    "lib/certificate_authority/extensions.rb",
-    "lib/certificate_authority/key_material.rb",
-    "lib/certificate_authority/ocsp_handler.rb",
-    "lib/certificate_authority/pkcs11_key_material.rb",
-    "lib/certificate_authority/serial_number.rb",
-    "lib/certificate_authority/signing_entity.rb",
-    "lib/tasks/certificate_authority.rake",
-    "spec/spec_helper.rb",
-    "spec/units/certificate_authority_spec.rb",
-    "spec/units/certificate_revocation_list_spec.rb",
-    "spec/units/certificate_spec.rb",
-    "spec/units/distinguished_name_spec.rb",
-    "spec/units/extensions_spec.rb",
-    "spec/units/key_material_spec.rb",
-    "spec/units/ocsp_handler_spec.rb",
-    "spec/units/serial_number_spec.rb",
-    "spec/units/signing_entity_spec.rb",
-    "spec/units/units_helper.rb"
-  ]
-  s.homepage = %q{http://github.com/cchandler/certificate_authority}
-  s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.7.2}
-  s.summary = %q{Ruby gem for managing the core functions outlined in RFC-3280 for PKI}
-  s.test_files = [
-    "spec/spec_helper.rb",
-    "spec/units/certificate_authority_spec.rb",
-    "spec/units/certificate_revocation_list_spec.rb",
-    "spec/units/certificate_spec.rb",
-    "spec/units/distinguished_name_spec.rb",
-    "spec/units/extensions_spec.rb",
-    "spec/units/key_material_spec.rb",
-    "spec/units/ocsp_handler_spec.rb",
-    "spec/units/serial_number_spec.rb",
-    "spec/units/signing_entity_spec.rb",
-    "spec/units/units_helper.rb"
-  ]
+  spec.summary  = "Ruby gem for managing the core functions outlined in RFC-3280 for PKI"
+  spec.homepage = "https://github.com/cchandler/certificate_authority"
+  spec.license  = "MIT"
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
+  spec.metadata["homepage_uri"] = "https://github.com/cchandler/certificate_authority"
+  spec.metadata["source_code_uri"] = "https://github.com/cchandler/certificate_authority"
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<activemodel>, ["~> 3.0.6"])
-      s.add_development_dependency(%q<rspec>, [">= 0"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
-      s.add_development_dependency(%q<rcov>, [">= 0"])
-    else
-      s.add_dependency(%q<activemodel>, ["~> 3.0.6"])
-      s.add_dependency(%q<rspec>, [">= 0"])
-      s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
-      s.add_dependency(%q<rcov>, [">= 0"])
-    end
-  else
-    s.add_dependency(%q<activemodel>, ["~> 3.0.6"])
-    s.add_dependency(%q<rspec>, [">= 0"])
-    s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
-    s.add_dependency(%q<rcov>, [">= 0"])
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec/)}) }
   end
-end
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 2.4"
 
+  spec.add_development_dependency "coveralls"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rubocop"
+end

data/lib/certificate_authority.rb

@@ -1,11 +1,11 @@
-$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
-
-#Exterior requirements
+# Exterior requirements
 require 'openssl'
-require 'active_model'
 
-#Internal modules
+# Internal modules
+require 'certificate_authority/core_extensions'
 require 'certificate_authority/signing_entity'
+require 'certificate_authority/revocable'
+require 'certificate_authority/validations'
 require 'certificate_authority/distinguished_name'
 require 'certificate_authority/serial_number'
 require 'certificate_authority/key_material'
@@ -14,6 +14,7 @@ require 'certificate_authority/extensions'
 require 'certificate_authority/certificate'
 require 'certificate_authority/certificate_revocation_list'
 require 'certificate_authority/ocsp_handler'
+require 'certificate_authority/signing_request'
 
 module CertificateAuthority
-end
+end

data/lib/certificate_authority/certificate.rb

@@ -1,68 +1,88 @@
 module CertificateAuthority
   class Certificate
-    # include SigningEntity
-    include ActiveModel::Validations
-    
+    include Validations
+    include Revocable
+
     attr_accessor :distinguished_name
     attr_accessor :serial_number
     attr_accessor :key_material
     attr_accessor :not_before
     attr_accessor :not_after
-    attr_accessor :revoked_at
     attr_accessor :extensions
     attr_accessor :openssl_body
-    
+
     alias :subject :distinguished_name #Same thing as the DN
-    
+
     attr_accessor :parent
-    
-    validate do |certificate|
+
+    def validate
       errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
-      errors.add :base, "Key material name must be valid" unless key_material.valid?
+      errors.add :base, "Key material must be valid" unless key_material.valid?
       errors.add :base, "Serial number must be valid" unless serial_number.valid?
       errors.add :base, "Extensions must be valid" unless extensions.each do |item|
-        return true unless item.respond_to?(:valid?)
-        item.valid?
+        unless item.respond_to?(:valid?)
+          true
+        else
+          item.valid?
+        end
       end
     end
-    
+
     def initialize
       self.distinguished_name = DistinguishedName.new
       self.serial_number = SerialNumber.new
       self.key_material = MemoryKeyMaterial.new
-      self.not_before = Time.now
-      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.not_before = Date.today.utc
+      self.not_after = Date.today.advance(:years => 1).utc
       self.parent = self
       self.extensions = load_extensions()
-      
+
       self.signing_entity = false
-      
+
     end
-    
+
+=begin
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      # TODO extensions
+      certificate
+    end
+=end
+
     def sign!(signing_profile={})
       raise "Invalid certificate #{self.errors.full_messages}" unless valid?
       merge_profile_with_extensions(signing_profile)
-      
+
       openssl_cert = OpenSSL::X509::Certificate.new
-      openssl_cert.version    = 2
+      openssl_cert.version = 2
       openssl_cert.not_before = self.not_before
       openssl_cert.not_after = self.not_after
       openssl_cert.public_key = self.key_material.public_key
-      
+
       openssl_cert.serial = self.serial_number.number
-      
+
       openssl_cert.subject = self.distinguished_name.to_x509_name
       openssl_cert.issuer = parent.distinguished_name.to_x509_name
-      
+
       require 'tempfile'
       t = Tempfile.new("bullshit_conf")
-      # t = File.new("/tmp/openssl.cnf")
       ## The config requires a file even though we won't use it
       openssl_config = OpenSSL::Config.new(t.path)
-      
+
       factory = OpenSSL::X509::ExtensionFactory.new
       factory.subject_certificate = openssl_cert
-      
+
       #NB: If the parent doesn't have an SSL body we're making this a self-signed cert
       if parent.openssl_body.nil?
         factory.issuer_certificate = openssl_cert
@@ -74,51 +94,85 @@ module CertificateAuthority
         config_extensions = extensions[k].config_extensions
         openssl_config = merge_options(openssl_config,config_extensions)
       end
-      
+
       # p openssl_config.sections
-      
+
       factory.config = openssl_config
-      
-      self.extensions.keys.each do |k|
+
+      # Order matters: e.g. for self-signed, subjectKeyIdentifier must come before authorityKeyIdentifier
+      self.extensions.keys.sort{|a,b| b<=>a}.each do |k|
         e = extensions[k]
         next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
-        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        ext = factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
         openssl_cert.add_extension(ext)
       end
-      
-      digest = OpenSSL::Digest::Digest.new("SHA512")
-      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
-      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
-      self.openssl_body
+
+      if signing_profile["digest"].nil?
+        digest = OpenSSL::Digest.new("SHA512")
+      else
+        digest = OpenSSL::Digest.new(signing_profile["digest"])
+      end
+
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key, digest)
+    ensure
+      t.close! if t # We can get rid of the ridiculous temp file
     end
-    
+
     def is_signing_entity?
       self.extensions["basicConstraints"].ca
     end
-    
+
     def signing_entity=(signing)
       self.extensions["basicConstraints"].ca = signing
     end
-    
+
     def revoked?
       !self.revoked_at.nil?
     end
-    
+
     def to_pem
       raise "Certificate has no signed body" if self.openssl_body.nil?
       self.openssl_body.to_pem
     end
-    
+
+    def to_csr
+      csr = SigningRequest.new
+      csr.distinguished_name = self.distinguished_name
+      csr.key_material = self.key_material
+      factory = OpenSSL::X509::ExtensionFactory.new
+      exts = []
+      self.extensions.keys.each do |k|
+        ## Don't copy over key identifiers for CSRs
+        next if k == "subjectKeyIdentifier" || k == "authorityKeyIdentifier"
+        e = extensions[k]
+        ## If the extension returns an empty string we won't include it
+        next if e.to_s.nil? or e.to_s == ""
+        exts << factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
+      end
+      attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+      attrs = [
+        OpenSSL::X509::Attribute.new("extReq", attrval),
+        OpenSSL::X509::Attribute.new("msExtReq", attrval)
+      ]
+      csr.attributes = attrs
+      csr
+    end
+
+    def self.from_x509_cert(raw_cert)
+      openssl_cert = OpenSSL::X509::Certificate.new(raw_cert)
+      Certificate.from_openssl(openssl_cert)
+    end
+
     def is_root_entity?
       self.parent == self && is_signing_entity?
     end
-    
+
     def is_intermediate_entity?
       (self.parent != self) && is_signing_entity?
     end
-    
+
     private
-    
+
     def merge_profile_with_extensions(signing_profile={})
       return self.extensions if signing_profile["extensions"].nil?
       signing_config = signing_profile["extensions"]
@@ -127,50 +181,76 @@ module CertificateAuthority
         items = signing_config[k]
         items.keys.each do |profile_item_key|
           if extension.respond_to?("#{profile_item_key}=".to_sym)
-            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] ) 
+            if k == 'subjectAltName' && profile_item_key == 'emails'
+              items[profile_item_key].map do |email|
+                if email == 'email:copy'
+                  fail "no email address provided for subject: #{subject.to_x509_name}" unless subject.email_address
+                  "email:#{subject.email_address}"
+                else
+                  email
+                end
+              end
+            end
+            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
           else
             p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
           end
         end
       end
     end
-    
+
+    # Enumeration of the extensions. Not the worst option since
+    # the likelihood of these needing to be updated is low at best.
+    EXTENSIONS = [
+        CertificateAuthority::Extensions::BasicConstraints,
+        CertificateAuthority::Extensions::CrlDistributionPoints,
+        CertificateAuthority::Extensions::SubjectKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityInfoAccess,
+        CertificateAuthority::Extensions::KeyUsage,
+        CertificateAuthority::Extensions::ExtendedKeyUsage,
+        CertificateAuthority::Extensions::SubjectAlternativeName,
+        CertificateAuthority::Extensions::CertificatePolicies
+    ]
+
     def load_extensions
       extension_hash = {}
-      
-      temp_extensions = []
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      temp_extensions << basic_constraints
-      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
-      temp_extensions << crl_distribution_points
-      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
-      temp_extensions << subject_key_identifier
-      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
-      temp_extensions << authority_key_identifier
-      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
-      temp_extensions << authority_info_access
-      key_usage = CertificateAuthority::Extensions::KeyUsage.new
-      temp_extensions << key_usage
-      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
-      temp_extensions << extended_key_usage
-      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      temp_extensions << subject_alternative_name
-      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
-      temp_extensions << certificate_policies
-      
-      temp_extensions.each do |extension|
+
+      EXTENSIONS.each do |klass|
+        extension = klass.new
         extension_hash[extension.openssl_identifier] = extension
       end
-      
+
       extension_hash
     end
-    
+
     def merge_options(config,hash)
       hash.keys.each do |k|
         config[k] = hash[k]
       end
       config
     end
-      
+
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      EXTENSIONS.each do |klass|
+        _,v,c = (openssl_cert.extensions.detect { |e| e.to_a.first == klass::OPENSSL_IDENTIFIER } || []).to_a
+        certificate.extensions[klass::OPENSSL_IDENTIFIER] = klass.parse(v, c) if v
+      end
+
+      certificate
+    end
+
   end
-end
+end