certificate_authority 0.1.2 → 1.0.0

data/lib/certificate_authority/certificate_revocation_list.rb

@@ -1,59 +1,79 @@
 module CertificateAuthority
   class CertificateRevocationList
-    include ActiveModel::Validations
-    
+    include Validations
+
     attr_accessor :certificates
     attr_accessor :parent
     attr_accessor :crl_body
     attr_accessor :next_update
-    
-    validate do |crl|
-      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
-      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    attr_accessor :last_update_skew_seconds
+
+    def validate
+      errors.add :next_update, "Next update must be a positive value" if self.next_update < 0
+      errors.add :parent, "A parent entity must be set" if self.parent.nil?
     end
-    
+
     def initialize
       self.certificates = []
       self.next_update = 60 * 60 * 4 # 4 hour default
+      self.last_update_skew_seconds = 0
     end
-    
-    def <<(cert)
-      raise "Only revoked certificates can be added to a CRL" unless cert.revoked?
-      self.certificates << cert
+
+    def <<(revocable)
+      case revocable
+      when Revocable
+        raise "Only revoked entities can be added to a CRL" unless revocable.revoked?
+        self.certificates << revocable
+      when OpenSSL::X509::Certificate
+        raise "Not implemented yet"
+      else
+        raise "#{revocable.class} cannot be included in a CRL"
+      end
     end
-    
-    def sign!
+
+    def sign!(signing_profile={})
       raise "No parent entity has been set!" if self.parent.nil?
       raise "Invalid CRL" unless self.valid?
-      
-      revocations = self.certificates.collect do |certificate|
+
+      revocations = self.certificates.collect do |revocable|
         revocation = OpenSSL::X509::Revoked.new
-        x509_cert = OpenSSL::X509::Certificate.new(certificate.to_pem)
-        revocation.serial = x509_cert.serial
-        revocation.time = certificate.revoked_at
+
+        ## We really just need a serial number, now we have to dig it out
+        case revocable
+        when Certificate
+          x509_cert = OpenSSL::X509::Certificate.new(revocable.to_pem)
+          revocation.serial = x509_cert.serial
+        when SerialNumber
+          revocation.serial = revocable.number
+        end
+        revocation.time = revocable.revoked_at
         revocation
       end
-      
+
       crl = OpenSSL::X509::CRL.new
       revocations.each do |revocation|
         crl.add_revoked(revocation)
       end
-      
+
       crl.version = 1
-      crl.last_update = Time.now
+      crl.last_update = Time.now - self.last_update_skew_seconds
       crl.next_update = Time.now + self.next_update
-      
+
       signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
-      digest = OpenSSL::Digest::Digest.new("SHA512")
+      if signing_profile["digest"].nil?
+        digest = OpenSSL::Digest.new("SHA512")
+      else
+        digest = OpenSSL::Digest.new(signing_profile["digest"])
+      end
       crl.issuer = signing_cert.subject
       self.crl_body = crl.sign(self.parent.key_material.private_key, digest)
-      
+
       self.crl_body
     end
-    
+
     def to_pem
       raise "No signed CRL body" if self.crl_body.nil?
       self.crl_body.to_pem
     end
   end#CertificateRevocationList
-end
+end

data/lib/certificate_authority/core_extensions.rb

@@ -0,0 +1,46 @@
+#
+# ActiveSupport has these modifications. Now that we don't use ActiveSupport,
+# these are added here as a kindness.
+#
+
+require 'date'
+
+unless nil.respond_to?(:blank?)
+  class NilClass
+    def blank?
+      true
+    end
+  end
+end
+
+unless String.respond_to?(:blank?)
+  class String
+    def blank?
+      self.empty?
+    end
+  end
+end
+
+class Date
+
+  def today
+    t = Time.now.utc
+    Date.new(t.year, t.month, t.day)
+  end
+
+  def utc
+    self.to_datetime.to_time.utc
+  end
+
+  unless Date.respond_to?(:advance)
+    def advance(options)
+      options = options.dup
+      d = self
+      d = d >> options.delete(:years) * 12 if options[:years]
+      d = d >> options.delete(:months)     if options[:months]
+      d = d +  options.delete(:weeks) * 7  if options[:weeks]
+      d = d +  options.delete(:days)       if options[:days]
+      d
+    end
+  end
+end

data/lib/certificate_authority/distinguished_name.rb

@@ -1,39 +1,106 @@
 module CertificateAuthority
   class DistinguishedName
-    include ActiveModel::Validations
-    
-    validates_presence_of :common_name
-    
+    include Validations
+
+    def validate
+      if self.common_name.nil? || self.common_name.empty?
+        errors.add :common_name, 'cannot be blank'
+      end
+    end
+
     attr_accessor :common_name
     alias :cn :common_name
-    
+    alias :cn= :common_name=
+
     attr_accessor :locality
     alias :l :locality
-    
+    alias :l= :locality=
+
     attr_accessor :state
     alias :s :state
-    
+    alias :st= :state=
+
     attr_accessor :country
     alias :c :country
-    
+    alias :c= :country=
+
     attr_accessor :organization
     alias :o :organization
-    
+    alias :o= :organization=
+
     attr_accessor :organizational_unit
     alias :ou :organizational_unit
-    
+    alias :ou= :organizational_unit=
+
+    attr_accessor :email_address
+    alias :emailAddress :email_address
+    alias :emailAddress= :email_address=
+
+    attr_accessor :serial_number
+    alias :serialNumber :serial_number
+    alias :serialNumber= :serial_number=
+
     def to_x509_name
       raise "Invalid Distinguished Name" unless valid?
-      
+
       # NB: the capitalization in the strings counts
       name = OpenSSL::X509::Name.new
-      name.add_entry("CN", common_name)
+      name.add_entry("serialNumber", serial_number) unless serial_number.blank?
+      name.add_entry("C", country) unless country.blank?
+      name.add_entry("ST", state) unless state.blank?
+      name.add_entry("L", locality) unless locality.blank?
       name.add_entry("O", organization) unless organization.blank?
-      name.add_entry("OU", common_name) unless organizational_unit.blank?
-      name.add_entry("S", common_name) unless state.blank?
-      name.add_entry("L", common_name) unless locality.blank?
-      
+      name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
+      name.add_entry("CN", common_name)
+      name.add_entry("emailAddress", email_address) unless email_address.blank?
       name
     end
+
+    def ==(other)
+      # Use the established OpenSSL comparison
+      self.to_x509_name() == other.to_x509_name()
+    end
+
+    def self.from_openssl openssl_name
+      unless openssl_name.is_a? OpenSSL::X509::Name
+        raise "Argument must be a OpenSSL::X509::Name"
+      end
+
+      WrappedDistinguishedName.new(openssl_name)
+    end
+  end
+
+  ## This is a significantly more complicated case. It's possible that
+  ## generically handled certificates will include custom OIDs in the
+  ## subject.
+  class WrappedDistinguishedName < DistinguishedName
+    attr_accessor :x509_name
+
+    def initialize(x509_name)
+      @x509_name = x509_name
+
+      subject = @x509_name.to_a
+      subject.each do |element|
+        field = element[0].downcase
+        value = element[1]
+        #type = element[2] ## -not used
+        method_sym = "#{field}=".to_sym
+        if self.respond_to?(method_sym)
+          self.send("#{field}=",value)
+        else
+          ## Custom OID
+          @custom_oids = true
+        end
+      end
+
+    end
+
+    def to_x509_name
+      @x509_name
+    end
+
+    def custom_oids?
+      @custom_oids
+    end
   end
-end
+end

data/lib/certificate_authority/extensions.rb

@@ -4,61 +4,116 @@ module CertificateAuthority
       def to_s
         raise "Implementation required"
       end
-      
+
+      def self.parse(value, critical)
+        raise "Implementation required"
+      end
+
       def config_extensions
         {}
       end
-      
+
       def openssl_identifier
         raise "Implementation required"
       end
+
+      def ==(value)
+        raise "Implementation required"
+      end
     end
-    
-    class BasicContraints
+
+    # Specifies whether an X.509v3 certificate can act as a CA, signing other
+    # certificates to be verified. If set, a path length constraint can also be
+    # specified.
+    # Reference: Section 4.2.1.10 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.10
+    class BasicConstraints
+      OPENSSL_IDENTIFIER = "basicConstraints"
+
       include ExtensionAPI
-      include ActiveModel::Validations
+      include Validations
+
+      attr_accessor :critical
       attr_accessor :ca
       attr_accessor :path_len
-      validates :ca, :inclusion => [true,false]
-      
+
+      def validate
+        unless [true, false].include? self.critical
+          errors.add :critical, 'must be true or false'
+        end
+        unless [true, false].include? self.ca
+          errors.add :ca, 'must be true or false'
+        end
+      end
+
       def initialize
-        self.ca = false
+        @critical = false
+        @ca = false
       end
-      
+
+      def openssl_identifier
+        OPENSSL_IDENTIFIER
+      end
+
       def is_ca?
-        self.ca
+        @ca
       end
-      
+
       def path_len=(value)
-        raise "path_len must be a non-negative integer" if value < 0 or !value.is_a?(Fixnum)
+        fail(ArgumentError, "path_len must be a non-negative integer") if !value.is_a?(Integer) || value < 0
         @path_len = value
       end
-      
-      def openssl_identifier
-        "basicConstraints"
-      end
-      
+
       def to_s
-        result = ""
-        result += "CA:#{self.ca}"
-        result += ",pathlen:#{self.path_len}" unless self.path_len.nil?
-        result
+        res = []
+        res << "CA:#{@ca}"
+        res << "pathlen:#{@path_len}" unless @path_len.nil?
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        value.split(/,\s*/).each do |v|
+          c = v.split(':', 2)
+          obj.ca = (c.last.upcase == "TRUE") if c.first == "CA"
+          obj.path_len = c.last.to_i if c.first == "pathlen"
+        end
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@ca,@path_len]
       end
     end
-    
+
+    # Specifies where CRL information be be retrieved. This extension isn't
+    # critical, but is recommended for proper CAs.
+    # Reference: Section 4.2.1.14 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.14
     class CrlDistributionPoints
+      OPENSSL_IDENTIFIER = "crlDistributionPoints"
+
       include ExtensionAPI
-      
-      attr_accessor :uri
-      
+
+      attr_accessor :critical
+      attr_accessor :uris
+
       def initialize
-        self.uri = "http://moo.crlendPoint.example.com/something.crl"
+        @critical = false
+        @uris = []
       end
-      
+
       def openssl_identifier
-        "crlDistributionPoints"
+        OPENSSL_IDENTIFIER
       end
-      
+
       ## NB: At this time it seems OpenSSL's extension handlers don't support
       ## any of the config options the docs claim to support... everything comes back
       ## "missing value" on GENERAL NAME. Even if copied verbatim
@@ -68,140 +123,386 @@ module CertificateAuthority
           # "issuer_sect" => {"CN" => "crlissuer.com", "C" => "US", "O" => "shudder"}
         }
       end
-      
+
+      # This is for legacy support. Technically it can (and probably should)
+      # be an array. But if someone is calling the old accessor we shouldn't
+      # necessarily break it.
+      def uri=(value)
+        @uris << value
+      end
+
       def to_s
-        "URI:#{self.uri}"
+        res = []
+        @uris.each do |uri|
+          res << "URI:#{uri}"
+        end
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        value.split(/,\s*/).each do |v|
+          c = v.split(':', 2)
+          obj.uris << c.last if c.first == "URI"
+        end
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@uri]
       end
     end
-    
+
+    # Identifies the public key associated with a given certificate.
+    # Should be required for "CA" certificates.
+    # Reference: Section 4.2.1.2 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.2
     class SubjectKeyIdentifier
+      OPENSSL_IDENTIFIER = "subjectKeyIdentifier"
+
       include ExtensionAPI
+
+      attr_accessor :critical
+      attr_accessor :identifier
+
+      def initialize
+        @critical = false
+        @identifier = "hash"
+      end
+
       def openssl_identifier
-        "subjectKeyIdentifier"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def to_s
-        "hash"
+        res = []
+        res << @identifier
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.identifier = value
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@identifier]
       end
     end
-    
+
+    # Identifies the public key associated with a given private key.
+    # Reference: Section 4.2.1.1 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.1
     class AuthorityKeyIdentifier
+      OPENSSL_IDENTIFIER = "authorityKeyIdentifier"
+
       include ExtensionAPI
-      
+
+      attr_accessor :critical
+      attr_accessor :identifier
+
+      def initialize
+        @critical = false
+        @identifier = ["keyid", "issuer"]
+      end
+
       def openssl_identifier
-        "authorityKeyIdentifier"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def to_s
-        "keyid,issuer"
+        res = []
+        res += @identifier
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.identifier = value.split(/,\s*/).last.chomp
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@identifier]
       end
     end
-    
+
+    # Specifies how to access CA information and services for the CA that
+    # issued this certificate.
+    # Generally used to specify OCSP servers.
+    # Reference: Section 4.2.2.1 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.2.1
     class AuthorityInfoAccess
+      OPENSSL_IDENTIFIER = "authorityInfoAccess"
+
       include ExtensionAPI
-      
+
+      attr_accessor :critical
       attr_accessor :ocsp
-      
+      attr_accessor :ca_issuers
+
       def initialize
-        self.ocsp = []
+        @critical = false
+        @ocsp = []
+        @ca_issuers = []
       end
-      
+
       def openssl_identifier
-        "authorityInfoAccess"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def to_s
-        "OCSP;URI:#{self.ocsp}"
+        res = []
+        res += @ocsp.map {|o| "OCSP;URI:#{o}" }
+        res += @ca_issuers.map {|c| "caIssuers;URI:#{c}" }
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        value.split("\n").each do |v|
+          if v =~ /^OCSP/
+            obj.ocsp << v.split.last
+          end
+
+          if v =~ /^CA Issuers/
+            obj.ca_issuers << v.split.last
+          end
+        end
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@ocsp,@ca_issuers]
       end
     end
-    
+
+    # Specifies the allowed usage purposes of the keypair specified in this certificate.
+    # Reference: Section 4.2.1.3 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.3
+    #
+    # Note: OpenSSL when parsing an extension will return results in the form
+    # 'Digital Signature', but on signing you have to set it to 'digitalSignature'.
+    # So copying an extension from an imported cert isn't going to work yet.
     class KeyUsage
+      OPENSSL_IDENTIFIER = "keyUsage"
+
       include ExtensionAPI
-      
+
+      attr_accessor :critical
       attr_accessor :usage
-      
+
       def initialize
-        self.usage = ["digitalSignature", "nonRepudiation"]
+        @critical = false
+        @usage = ["digitalSignature", "nonRepudiation"]
       end
-      
+
       def openssl_identifier
-        "keyUsage"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def to_s
-        "#{self.usage.join(',')}"
+        res = []
+        res += @usage
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.usage = value.split(/,\s*/)
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@usage]
       end
     end
-    
+
+    # Specifies even more allowed usages in addition to what is specified in
+    # the Key Usage extension.
+    # Reference: Section 4.2.1.13 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.13
     class ExtendedKeyUsage
+      OPENSSL_IDENTIFIER = "extendedKeyUsage"
+
       include ExtensionAPI
-      
+
+      attr_accessor :critical
       attr_accessor :usage
-      
+
       def initialize
-        self.usage = ["serverAuth","clientAuth"]
+        @critical = false
+        @usage = ["serverAuth"]
       end
-      
+
       def openssl_identifier
-        "extendedKeyUsage"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def to_s
-        "#{self.usage.join(',')}"
+        res = []
+        res += @usage
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.usage = value.split(/,\s*/)
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@usage]
       end
     end
-    
+
+    # Specifies additional "names" for which this certificate is valid.
+    # Reference: Section 4.2.1.7 of RFC3280
+    # http://tools.ietf.org/html/rfc3280#section-4.2.1.7
     class SubjectAlternativeName
+      OPENSSL_IDENTIFIER = "subjectAltName"
+
       include ExtensionAPI
-      
-      attr_accessor :uris
-      
+
+      attr_accessor :critical
+      attr_accessor :uris, :dns_names, :ips, :emails
+
       def initialize
-        self.uris = []
+        @critical = false
+        @uris = []
+        @dns_names = []
+        @ips = []
+        @emails = []
+      end
+
+      def openssl_identifier
+        OPENSSL_IDENTIFIER
       end
-      
+
       def uris=(value)
         raise "URIs must be an array" unless value.is_a?(Array)
         @uris = value
       end
-      
-      def openssl_identifier
-        "subjectAltName"
+
+      def dns_names=(value)
+        raise "DNS names must be an array" unless value.is_a?(Array)
+        @dns_names = value
+      end
+
+      def ips=(value)
+        raise "IPs must be an array" unless value.is_a?(Array)
+        @ips = value
+      end
+
+      def emails=(value)
+        raise "Emails must be an array" unless value.is_a?(Array)
+        @emails = value
       end
-      
+
       def to_s
-        if self.uris.empty?
-          return ""
+        res = []
+        res += @uris.map {|u| "URI:#{u}" }
+        res += @dns_names.map {|d| "DNS:#{d}" }
+        res += @ips.map {|i| "IP:#{i}" }
+        res += @emails.map {|i| "email:#{i}" }
+        res.join(',')
+      end
+
+      def ==(o)
+        o.class == self.class && o.state == state
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        value.split(/,\s*/).each do |v|
+          c = v.split(':', 2)
+          obj.uris << c.last if c.first == "URI"
+          obj.dns_names << c.last if c.first == "DNS"
+          obj.ips << c.last if c.first == "IP"
+          obj.emails << c.last if c.first == "EMAIL"
         end
-        "URI:#{self.uris.join(',URI:')}"
+        obj
+      end
+
+      protected
+      def state
+        [@critical,@uris,@dns_names,@ips,@emails]
       end
     end
-    
+
     class CertificatePolicies
+      OPENSSL_IDENTIFIER = "certificatePolicies"
+
       include ExtensionAPI
-      
+
+      attr_accessor :critical
       attr_accessor :policy_identifier
       attr_accessor :cps_uris
       ##User notice
       attr_accessor :explicit_text
       attr_accessor :organization
       attr_accessor :notice_numbers
-      
+
       def initialize
+        self.critical = false
         @contains_data = false
       end
-      
-      
+
       def openssl_identifier
-        "certificatePolicies"
+        OPENSSL_IDENTIFIER
       end
-      
+
       def user_notice=(value={})
         value.keys.each do |key|
           self.send("#{key}=".to_sym, value[key])
         end
       end
-      
+
       def config_extensions
         config_extension = {}
         custom_policies = {}
@@ -209,43 +510,129 @@ module CertificateAuthority
         unless self.policy_identifier.nil?
           custom_policies["policyIdentifier"] = self.policy_identifier
         end
-        
+
         if !self.cps_uris.nil? and self.cps_uris.is_a?(Array)
           self.cps_uris.each_with_index do |cps_uri,i|
             custom_policies["CPS.#{i}"] = cps_uri
           end
         end
-        
+
         unless self.explicit_text.nil?
           notice["explicitText"] = self.explicit_text
         end
-        
+
         unless self.organization.nil?
           notice["organization"] = self.organization
         end
-        
+
         unless self.notice_numbers.nil?
           notice["noticeNumbers"] = self.notice_numbers
         end
-        
+
         if notice.keys.size > 0
           custom_policies["userNotice.1"] = "@notice"
           config_extension["notice"] = notice
         end
-        
+
         if custom_policies.keys.size > 0
           config_extension["custom_policies"] = custom_policies
           @contains_data = true
         end
-        
+
         config_extension
       end
-      
+
       def to_s
         return "" unless @contains_data
-        "ia5org,@custom_policies"
+        res = []
+        res << "ia5org"
+        res += @config_extensions["custom_policies"] unless @config_extensions.nil?
+        res.join(',')
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        value.split(/,\s*/).each do |v|
+          c = v.split(':', 2)
+          obj.policy_identifier = c.last if c.first == "policyIdentifier"
+          obj.cps_uris << c.last if c.first =~ %r{CPS.\d+}
+          # TODO: explicit_text, organization, notice_numbers
+        end
+        obj
+      end
+    end
+
+    # DEPRECATED
+    # Specifics the purposes for which a certificate can be used.
+    # The basicConstraints, keyUsage, and extendedKeyUsage extensions are now used instead.
+    # https://www.openssl.org/docs/apps/x509v3_config.html#Netscape_Certificate_Type
+    class NetscapeCertificateType
+      OPENSSL_IDENTIFIER = "nsCertType"
+
+      include ExtensionAPI
+
+      attr_accessor :critical
+      attr_accessor :flags
+
+      def initialize
+        self.critical = false
+        self.flags = []
+      end
+
+      def openssl_identifier
+        OPENSSL_IDENTIFIER
+      end
+
+      def to_s
+        res = []
+        res += self.flags
+        res.join(',')
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.flags = value.split(/,\s*/)
+        obj
+      end
+    end
+
+    # DEPRECATED
+    # Contains a comment which will be displayed when the certificate is viewed in some browsers.
+    # https://www.openssl.org/docs/apps/x509v3_config.html#Netscape_String_extensions_
+    class NetscapeComment
+      OPENSSL_IDENTIFIER = "nsComment"
+
+      include ExtensionAPI
+
+      attr_accessor :critical
+      attr_accessor :comment
+
+      def initialize
+        self.critical = false
+      end
+
+      def openssl_identifier
+        OPENSSL_IDENTIFIER
+      end
+
+      def to_s
+        res = []
+        res << self.comment if self.comment
+        res.join(',')
+      end
+
+      def self.parse(value, critical)
+        obj = self.new
+        return obj if value.nil?
+        obj.critical = critical
+        obj.comment = value
+        obj
       end
     end
-    
+
   end
-end
+end