certificate_authority 0.1.3 → 0.1.4

data/README.rdoc

@@ -24,14 +24,15 @@ Let's look at a complete example for generating a new root certificate. Assuming
 
 Generating a self-signed root certificate is fairly easy:
 
-	require 'certificate_authority'
-	root = CertificateAuthority::Certificate.new
-	root.subject.common_name= "http://mydomain.com"
-	root.serial_number.number=1
-	root.key_material.generate_key
-	root.signing_entity = true
-	root.sign!
-	
+  require 'certificate_authority'
+  root = CertificateAuthority::Certificate.new
+  root.subject.common_name= "http://mydomain.com"
+  root.serial_number.number=1
+  root.key_material.generate_key
+  root.signing_entity = true
+  signing_profile = {"extensions" => {"keyUsage" => {"usage" => ["critical", "keyCertSign"] }} }
+  root.sign!(signing_profile)
+
 The required elements for the gem at this time are a common name for the subject and a serial number for the certificate. Since this is our self-signed root we're going to give it the first serial available of 1. Because certificate_authority is not designed to manage the issuance lifecycle you'll be expected to store serial numbers yourself.
 
 Next, after taking care of required fields, we will require key material for the new certificate.  There's a convenience method made available on the key_material object for generating new keys.  The private key will be available in:
@@ -48,29 +49,30 @@ Lastly, we declare that the certificate we're about to sign is itself a signing
 
 == Creating a new intermediate
 
-Maybe you don't want to actually sign certificates with your super-secret root certificate. This is actually how a good number of most public certificate authorities do it. Rather than sign with the primary root, they generate an intermediate root that is then responsible for signing the final certificates.  If you wanted to create a root certificate you would do something like the following:
+Maybe you don't want to actually sign certificates with your super-secret root certificate. This is actually how a good number of most public certificate authorities do it. Rather than sign with the primary root, they generate an intermediate root that is then responsible for signing the final certificates.  If you wanted to create an intermediate root certificate you would do something like the following:
+
+  intermediate = CertificateAuthority::Certificate.new
+  intermediate.subject.common_name= "My snazzy intermediate!"
+  intermediate.serial_number.number=2
+  intermediate.key_material.generate_key
+  intermediate.signing_entity = true
+  intermediate.parent = root
+  signing_profile = {"extensions" => {"keyUsage" => {"usage" => ["critical", "keyCertSign"] }} }
+  intermediate.sign!(signing_profile)
 
-	intermediate = CertificateAuthority::Certificate.new
-	intermediate.subject.common_name= "My snazzy intermediate!"
-	intermediate.serial_number.number=2
-	intermediate.key_material.generate_key
-	intermediate.signing_entity = true
-	intermediate.parent = root
-	intermediate.sign!
-	
 All we have to do is create another certificate like we did with the root. In this example we gave it the next available serial number which for us, was 2.  We then generate (and save!) key material for this new entity.  Even the +signing_entity+ is set to true so this certificate can sign other certificates.  The difference here is that the +parent+ field is set to the root. Going forward, whatever entity you want to sign a certificate, you set that entity to be the parent. In this case, our root will be responsible for signing this intermediate when we call +sign!+.
 
 = Creating new certificates (in general)
 
 Now that we have a root certificate (and possibly an intermediate) we can sign end-user certificates.  It is, perhaps unsurprisingly, similar to all the others:
 
-	plain_cert = CertificateAuthority::Certificate.new
-	plain_cert.subject.common_name= "http://mydomain.com"
-	plain_cert.serial_number.number=4
-	plain_cert.key_material.generate_key
-	plain_cert.parent = root # or intermediate
-	plain_cert.sign!
-	
+  plain_cert = CertificateAuthority::Certificate.new
+  plain_cert.subject.common_name= "http://mydomain.com"
+  plain_cert.serial_number.number=4
+  plain_cert.key_material.generate_key
+  plain_cert.parent = root # or intermediate
+  plain_cert.sign!
+
 That's all there is to it!  In this example we generate the key material ourselves, but it's possible for the end-user to generate certificate signing request (CSR) that we can then parse and consume automatically (coming soon).  To get the PEM formatted certificate for the user you would need to call:
 
   plain_cert.to_pem
@@ -83,27 +85,27 @@ Creating basic certificates is all well and good, but maybe you want _more_ sign
 
 Here's an example of a full signing profile for most of the common V3 extensions:
 
-	 signing_profile = {
-	   "extensions" => {
-	     "basicConstraints" => {"ca" => false},
-	     "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
-	     "subjectKeyIdentifier" => {},
-	     "authorityKeyIdentifier" => {},
-	     "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
-	     "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
-	     "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
-	     "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
-	     "certificatePolicies" => {
-	     "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"], 
-				 "user_notice" => {
-	        "explicit_text" => "Explicit Text Here", 
-				 "organization" => "Organization name",
-				 "notice_numbers" => "1,2,3,4"
-	       }
-	   	}
-	 	}
-	}
-	
+   signing_profile = {
+     "extensions" => {
+       "basicConstraints" => {"ca" => false},
+       "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
+       "subjectKeyIdentifier" => {},
+       "authorityKeyIdentifier" => {},
+       "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
+       "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
+       "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
+       "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
+       "certificatePolicies" => {
+       "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"], 
+         "user_notice" => {
+          "explicit_text" => "Explicit Text Here", 
+         "organization" => "Organization name",
+         "notice_numbers" => "1,2,3,4"
+         }
+       }
+     }
+  }
+
 Using a signing profile is done this way:
 
   certificate.sign!(signing_profile)
@@ -128,33 +130,33 @@ This extension controls where a conformant client can go to obtain a list of cer
 
 This extension is required to be present, but doesn't offer any configurable parameters.  Directly from the RFC:
 
-	The subject key identifier extension provides a means of identifying
-	certificates that contain a particular public key.
-
-	To facilitate certification path construction, this extension MUST
-	appear in all conforming CA certificates, that is, all certificates
-	including the basic constraints extension (section 4.2.1.10) where
-	the value of cA is TRUE.  The value of the subject key identifier
-	MUST be the value placed in the key identifier field of the Authority
-	Key Identifier extension (section 4.2.1.1) of certificates issued by
-	the subject of this certificate.
-	
+  The subject key identifier extension provides a means of identifying
+  certificates that contain a particular public key.
+
+  To facilitate certification path construction, this extension MUST
+  appear in all conforming CA certificates, that is, all certificates
+  including the basic constraints extension (section 4.2.1.10) where
+  the value of cA is TRUE.  The value of the subject key identifier
+  MUST be the value placed in the key identifier field of the Authority
+  Key Identifier extension (section 4.2.1.1) of certificates issued by
+  the subject of this certificate.
+
 == Authority Key Identifier
 
 Just like the subject key identifier, this is required under most circumstances and doesn't contain any meaningful configuration options.  From the RFC:
 
-	The keyIdentifier field of the authorityKeyIdentifier extension MUST
-	be included in all certificates generated by conforming CAs to
-	facilitate certification path construction.  There is one exception;
-	where a CA distributes its public key in the form of a "self-signed"
-	certificate, the authority key identifier MAY be omitted.  The
-	signature on a self-signed certificate is generated with the private
-	key associated with the certificate's subject public key.  (This
-	proves that the issuer possesses both the public and private keys.)
-	In this case, the subject and authority key identifiers would be
-	identical, but only the subject key identifier is needed for
-	certification path building.
-	
+  The keyIdentifier field of the authorityKeyIdentifier extension MUST
+  be included in all certificates generated by conforming CAs to
+  facilitate certification path construction.  There is one exception;
+  where a CA distributes its public key in the form of a "self-signed"
+  certificate, the authority key identifier MAY be omitted.  The
+  signature on a self-signed certificate is generated with the private
+  key associated with the certificate's subject public key.  (This
+  proves that the issuer possesses both the public and private keys.)
+  In this case, the subject and authority key identifiers would be
+  identical, but only the subject key identifier is needed for
+  certification path building.
+
 == Authority Info Access
 
 The authority info access extension allows a CA to sign a certificate with information a client can use to get up-to-the-minute status information on a signed certificate.  This takes the form of an OCSP[link:http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol] (Online Certificate Status Protocol) endpoints.
@@ -197,20 +199,20 @@ If you happen to have a PKCS#11 compliant hardware token you can use +certificat
 
 To configure a certificate to utilize PKCS#11 instead of in memory keys all you need to do is:
 
-	root = CertificateAuthority::Certificate.new
-	root.subject.common_name= "http://mydomain.com"
-	root.serial_number.number=1
-	root.signing_entity = true
-	
-	key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
-	key_material_in_hardware.token_id = "46"
-	key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
-	key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
-	key_material_in_hardware.pin = "11111111"
-	
-	root.key_material = key_material_in_hardware
-	root.sign!
-	
+  root = CertificateAuthority::Certificate.new
+  root.subject.common_name= "http://mydomain.com"
+  root.serial_number.number=1
+  root.signing_entity = true
+
+  key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
+  key_material_in_hardware.token_id = "46"
+  key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
+  key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
+  key_material_in_hardware.pin = "11111111"
+
+  root.key_material = key_material_in_hardware
+  root.sign!
+
 Your current version of OpenSSL _must_ include dynamic engine support and you will need to have OpenSSL PKCS#11 engine support.  You will also require the actual PKCS#11 driver from the hardware manufacturer.  As of today the only tokens I've gotten to work are:
 
 [eTokenPro] Released by Aladdin (now SafeNet Inc.). I have only had success with the version 4 and 5 (32 bit only) copy of the driver. The newer authentication client released by SafeNet appears to be completely broken for interacting with the tokens outside of SafeNet's own tools. If anyone has a different experience I'd like to hear from you.
@@ -224,14 +226,18 @@ Also of note, I have gotten these to work with 32-bit copies of Ubuntu 10.10 and
 = Coming Soon
 
 * More PKCS#11 hardware (I need driver support from the manufacturers)
-* Configurable V3 extensions for all the extended functionality
+* Support for working with CSRs to request & issue certificates
+
+= Misc notes
+
+* Firefox will complain about root/intermediate certificates unless both digitalSignature and keyEncipherment are specified as keyUsage attributes. Thanks diogomonica
 
 == Meta
 
-Written by Chris Chandler(http://chrischandler.name) of Flatterline(http://flatterline.com)
+Written by Chris Chandler(http://chrischandler.name)
 
 Released under the MIT License: http://www.opensource.org/licenses/mit-license.php
 
-Main page: http://github.com/cchandler/certificateauthority
+Main page: http://github.com/cchandler/certificate_authority
 
-Issue tracking: https://github.com/cchandler/certificateauthority/issues
+Issue tracking: https://github.com/cchandler/certificate_authority/issues

data/VERSION.yml

@@ -1,5 +1,5 @@
---- 
+---
 :major: 0
 :minor: 1
-:patch: 3
+:patch: 4
 :build: 

data/certificate_authority.gemspec

@@ -4,13 +4,13 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{certificate_authority}
-  s.version = "0.1.3"
+  s.name = "certificate_authority"
+  s.version = "0.1.4"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Chris Chandler"]
-  s.date = %q{2011-05-08}
-  s.email = %q{chris@flatterline.com}
+  s.date = "2012-08-12"
+  s.email = "chris@flatterline.com"
   s.extra_rdoc_files = [
     "README.rdoc"
   ]
@@ -40,15 +40,16 @@ Gem::Specification.new do |s|
     "spec/units/extensions_spec.rb",
     "spec/units/key_material_spec.rb",
     "spec/units/ocsp_handler_spec.rb",
+    "spec/units/pkcs11_key_material_spec.rb",
     "spec/units/serial_number_spec.rb",
     "spec/units/signing_entity_spec.rb",
     "spec/units/units_helper.rb"
   ]
-  s.homepage = %q{http://github.com/cchandler/certificate_authority}
+  s.homepage = "http://github.com/cchandler/certificate_authority"
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.7.2}
-  s.summary = %q{Ruby gem for managing the core functions outlined in RFC-3280 for PKI}
+  s.rubygems_version = "1.8.15"
+  s.summary = "Ruby gem for managing the core functions outlined in RFC-3280 for PKI"
   s.test_files = [
     "spec/spec_helper.rb",
     "spec/units/certificate_authority_spec.rb",
@@ -58,6 +59,7 @@ Gem::Specification.new do |s|
     "spec/units/extensions_spec.rb",
     "spec/units/key_material_spec.rb",
     "spec/units/ocsp_handler_spec.rb",
+    "spec/units/pkcs11_key_material_spec.rb",
     "spec/units/serial_number_spec.rb",
     "spec/units/signing_entity_spec.rb",
     "spec/units/units_helper.rb"

data/lib/certificate_authority.rb

@@ -16,4 +16,4 @@ require 'certificate_authority/certificate_revocation_list'
 require 'certificate_authority/ocsp_handler'
 
 module CertificateAuthority
-end
+end

data/lib/certificate_authority/certificate.rb

@@ -2,7 +2,7 @@ module CertificateAuthority
   class Certificate
     # include SigningEntity
     include ActiveModel::Validations
-    
+
     attr_accessor :distinguished_name
     attr_accessor :serial_number
     attr_accessor :key_material
@@ -11,24 +11,24 @@ module CertificateAuthority
     attr_accessor :revoked_at
     attr_accessor :extensions
     attr_accessor :openssl_body
-    
+
     alias :subject :distinguished_name #Same thing as the DN
-    
+
     attr_accessor :parent
-    
+
     validate do |certificate|
       errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
-      errors.add :base, "Key material name must be valid" unless key_material.valid?
+      errors.add :base, "Key material must be valid" unless key_material.valid?
       errors.add :base, "Serial number must be valid" unless serial_number.valid?
       errors.add :base, "Extensions must be valid" unless extensions.each do |item|
         unless item.respond_to?(:valid?)
-          true 
+          true
         else
           item.valid?
         end
       end
     end
-    
+
     def initialize
       self.distinguished_name = DistinguishedName.new
       self.serial_number = SerialNumber.new
@@ -37,35 +37,35 @@ module CertificateAuthority
       self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
       self.parent = self
       self.extensions = load_extensions()
-      
+
       self.signing_entity = false
-      
+
     end
-    
+
     def sign!(signing_profile={})
       raise "Invalid certificate #{self.errors.full_messages}" unless valid?
       merge_profile_with_extensions(signing_profile)
-      
+
       openssl_cert = OpenSSL::X509::Certificate.new
       openssl_cert.version    = 2
       openssl_cert.not_before = self.not_before
       openssl_cert.not_after = self.not_after
       openssl_cert.public_key = self.key_material.public_key
-      
+
       openssl_cert.serial = self.serial_number.number
-      
+
       openssl_cert.subject = self.distinguished_name.to_x509_name
       openssl_cert.issuer = parent.distinguished_name.to_x509_name
-      
+
       require 'tempfile'
       t = Tempfile.new("bullshit_conf")
       # t = File.new("/tmp/openssl.cnf")
       ## The config requires a file even though we won't use it
       openssl_config = OpenSSL::Config.new(t.path)
-      
+
       factory = OpenSSL::X509::ExtensionFactory.new
       factory.subject_certificate = openssl_cert
-      
+
       #NB: If the parent doesn't have an SSL body we're making this a self-signed cert
       if parent.openssl_body.nil?
         factory.issuer_certificate = openssl_cert
@@ -77,51 +77,56 @@ module CertificateAuthority
         config_extensions = extensions[k].config_extensions
         openssl_config = merge_options(openssl_config,config_extensions)
       end
-      
+
       # p openssl_config.sections
-      
+
       factory.config = openssl_config
-      
-      self.extensions.keys.each do |k|
+
+      # Order matters: e.g. for self-signed, subjectKeyIdentifier must come before authorityKeyIdentifier
+      self.extensions.keys.sort{|a,b| b<=>a}.each do |k|
         e = extensions[k]
         next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
         ext = factory.create_ext(e.openssl_identifier, e.to_s)
         openssl_cert.add_extension(ext)
       end
-      
-      digest = OpenSSL::Digest::Digest.new("SHA512")
+
+      if signing_profile["digest"].nil?
+        digest = OpenSSL::Digest::Digest.new("SHA512")
+      else
+        digest = OpenSSL::Digest::Digest.new(signing_profile["digest"])
+      end
       self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
       t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
       self.openssl_body
     end
-    
+
     def is_signing_entity?
       self.extensions["basicConstraints"].ca
     end
-    
+
     def signing_entity=(signing)
       self.extensions["basicConstraints"].ca = signing
     end
-    
+
     def revoked?
       !self.revoked_at.nil?
     end
-    
+
     def to_pem
       raise "Certificate has no signed body" if self.openssl_body.nil?
       self.openssl_body.to_pem
     end
-    
+
     def is_root_entity?
       self.parent == self && is_signing_entity?
     end
-    
+
     def is_intermediate_entity?
       (self.parent != self) && is_signing_entity?
     end
-    
+
     private
-    
+
     def merge_profile_with_extensions(signing_profile={})
       return self.extensions if signing_profile["extensions"].nil?
       signing_config = signing_profile["extensions"]
@@ -130,17 +135,17 @@ module CertificateAuthority
         items = signing_config[k]
         items.keys.each do |profile_item_key|
           if extension.respond_to?("#{profile_item_key}=".to_sym)
-            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] ) 
+            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
           else
             p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
           end
         end
       end
     end
-    
+
     def load_extensions
       extension_hash = {}
-      
+
       temp_extensions = []
       basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
       temp_extensions << basic_constraints
@@ -160,20 +165,37 @@ module CertificateAuthority
       temp_extensions << subject_alternative_name
       certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
       temp_extensions << certificate_policies
-      
+
       temp_extensions.each do |extension|
         extension_hash[extension.openssl_identifier] = extension
       end
-      
+
       extension_hash
     end
-    
+
     def merge_options(config,hash)
       hash.keys.each do |k|
         config[k] = hash[k]
       end
       config
     end
-      
+
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      # TODO extensions
+      certificate
+    end
+
   end
-end
+end