certificate_authority 0.1.5 → 1.1.0

data/lib/certificate_authority/certificate.rb

@@ -1,14 +1,13 @@
 module CertificateAuthority
   class Certificate
-    # include SigningEntity
-    include ActiveModel::Validations
+    include Validations
+    include Revocable
 
     attr_accessor :distinguished_name
     attr_accessor :serial_number
     attr_accessor :key_material
     attr_accessor :not_before
     attr_accessor :not_after
-    attr_accessor :revoked_at
     attr_accessor :extensions
     attr_accessor :openssl_body
 
@@ -16,7 +15,7 @@ module CertificateAuthority
 
     attr_accessor :parent
 
-    validate do |certificate|
+    def validate
       errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
       errors.add :base, "Key material must be valid" unless key_material.valid?
       errors.add :base, "Serial number must be valid" unless serial_number.valid?
@@ -33,8 +32,8 @@ module CertificateAuthority
       self.distinguished_name = DistinguishedName.new
       self.serial_number = SerialNumber.new
       self.key_material = MemoryKeyMaterial.new
-      self.not_before = Time.now
-      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.not_before = Date.today.utc
+      self.not_after = Date.today.advance(:years => 1).utc
       self.parent = self
       self.extensions = load_extensions()
 
@@ -42,12 +41,31 @@ module CertificateAuthority
 
     end
 
+=begin
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      # TODO extensions
+      certificate
+    end
+=end
+
     def sign!(signing_profile={})
       raise "Invalid certificate #{self.errors.full_messages}" unless valid?
       merge_profile_with_extensions(signing_profile)
 
       openssl_cert = OpenSSL::X509::Certificate.new
-      openssl_cert.version    = 2
+      openssl_cert.version = 2
       openssl_cert.not_before = self.not_before
       openssl_cert.not_after = self.not_after
       openssl_cert.public_key = self.key_material.public_key
@@ -57,12 +75,6 @@ module CertificateAuthority
       openssl_cert.subject = self.distinguished_name.to_x509_name
       openssl_cert.issuer = parent.distinguished_name.to_x509_name
 
-      require 'tempfile'
-      t = Tempfile.new("bullshit_conf")
-      # t = File.new("/tmp/openssl.cnf")
-      ## The config requires a file even though we won't use it
-      openssl_config = OpenSSL::Config.new(t.path)
-
       factory = OpenSSL::X509::ExtensionFactory.new
       factory.subject_certificate = openssl_cert
 
@@ -73,31 +85,23 @@ module CertificateAuthority
         factory.issuer_certificate = parent.openssl_body
       end
 
-      self.extensions.keys.each do |k|
-        config_extensions = extensions[k].config_extensions
-        openssl_config = merge_options(openssl_config,config_extensions)
-      end
-
-      # p openssl_config.sections
-
-      factory.config = openssl_config
+      factory.config = build_openssl_config
 
       # Order matters: e.g. for self-signed, subjectKeyIdentifier must come before authorityKeyIdentifier
       self.extensions.keys.sort{|a,b| b<=>a}.each do |k|
         e = extensions[k]
         next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
-        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        ext = factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
         openssl_cert.add_extension(ext)
       end
 
       if signing_profile["digest"].nil?
-        digest = OpenSSL::Digest::Digest.new("SHA512")
+        digest = OpenSSL::Digest.new("SHA512")
       else
-        digest = OpenSSL::Digest::Digest.new(signing_profile["digest"])
+        digest = OpenSSL::Digest.new(signing_profile["digest"])
       end
-      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
-      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
-      self.openssl_body
+
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key, digest)
     end
 
     def is_signing_entity?
@@ -117,6 +121,34 @@ module CertificateAuthority
       self.openssl_body.to_pem
     end
 
+    def to_csr
+      csr = SigningRequest.new
+      csr.distinguished_name = self.distinguished_name
+      csr.key_material = self.key_material
+      factory = OpenSSL::X509::ExtensionFactory.new
+      exts = []
+      self.extensions.keys.each do |k|
+        ## Don't copy over key identifiers for CSRs
+        next if k == "subjectKeyIdentifier" || k == "authorityKeyIdentifier"
+        e = extensions[k]
+        ## If the extension returns an empty string we won't include it
+        next if e.to_s.nil? or e.to_s == ""
+        exts << factory.create_ext(e.openssl_identifier, e.to_s, e.critical)
+      end
+      attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+      attrs = [
+        OpenSSL::X509::Attribute.new("extReq", attrval),
+        OpenSSL::X509::Attribute.new("msExtReq", attrval)
+      ]
+      csr.attributes = attrs
+      csr
+    end
+
+    def self.from_x509_cert(raw_cert)
+      openssl_cert = OpenSSL::X509::Certificate.new(raw_cert)
+      Certificate.from_openssl(openssl_cert)
+    end
+
     def is_root_entity?
       self.parent == self && is_signing_entity?
     end
@@ -135,6 +167,16 @@ module CertificateAuthority
         items = signing_config[k]
         items.keys.each do |profile_item_key|
           if extension.respond_to?("#{profile_item_key}=".to_sym)
+            if k == 'subjectAltName' && profile_item_key == 'emails'
+              items[profile_item_key].map do |email|
+                if email == 'email:copy'
+                  fail "no email address provided for subject: #{subject.to_x509_name}" unless subject.email_address
+                  "email:#{subject.email_address}"
+                else
+                  email
+                end
+              end
+            end
             extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
           else
             p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
@@ -143,36 +185,80 @@ module CertificateAuthority
       end
     end
 
+    # Enumeration of the extensions. Not the worst option since
+    # the likelihood of these needing to be updated is low at best.
+    EXTENSIONS = [
+        CertificateAuthority::Extensions::BasicConstraints,
+        CertificateAuthority::Extensions::CrlDistributionPoints,
+        CertificateAuthority::Extensions::SubjectKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityKeyIdentifier,
+        CertificateAuthority::Extensions::AuthorityInfoAccess,
+        CertificateAuthority::Extensions::KeyUsage,
+        CertificateAuthority::Extensions::ExtendedKeyUsage,
+        CertificateAuthority::Extensions::SubjectAlternativeName,
+        CertificateAuthority::Extensions::CertificatePolicies
+    ]
+
     def load_extensions
       extension_hash = {}
 
-      temp_extensions = []
-      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
-      temp_extensions << basic_constraints
-      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
-      temp_extensions << crl_distribution_points
-      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
-      temp_extensions << subject_key_identifier
-      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
-      temp_extensions << authority_key_identifier
-      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
-      temp_extensions << authority_info_access
-      key_usage = CertificateAuthority::Extensions::KeyUsage.new
-      temp_extensions << key_usage
-      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
-      temp_extensions << extended_key_usage
-      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
-      temp_extensions << subject_alternative_name
-      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
-      temp_extensions << certificate_policies
-
-      temp_extensions.each do |extension|
+      EXTENSIONS.each do |klass|
+        extension = klass.new
         extension_hash[extension.openssl_identifier] = extension
       end
 
       extension_hash
     end
 
+    def build_openssl_config
+      OpenSSL::Config.parse(openssl_config_string)
+    end
+
+    def openssl_config_string
+      lines = openssl_config_without_multi_value + openssl_config_with_multi_value
+      return '' if lines.empty?
+      (["[extensions]" ]+ lines).join("\n")
+    end
+
+    def openssl_config_without_multi_value
+      no_multi_value_keys = self.extensions.keys.select { |k| extensions[k].config_extensions.empty? }
+
+      lines = no_multi_value_keys.map do |k|
+        value = extensions[k].to_s
+        value.empty? ? '' : "#{k} = #{value}"
+      end.reject(&:empty?)
+      lines
+    end
+
+    def openssl_config_with_multi_value
+      multi_value_keys = self.extensions.keys.reject { |k| extensions[k].config_extensions.empty? }
+      sections = {}
+
+      entries = multi_value_keys.map do |k|
+        sections.merge!(extensions[k].config_extensions)
+        value = comma_terminate(extensions[k]) + section_ref_str(extensions[k].config_extensions.keys)
+        "#{k} = #{value}"
+      end.reject(&:empty?)
+
+      section_lines = sections.keys.flat_map do |k|
+        section_lines(k, sections[k])
+      end 
+      entries + [''] + section_lines
+    end
+
+    def comma_terminate(val)
+      s = val.to_s
+      s.empty? ? s : "#{s},"
+    end
+
+    def section_ref_str(section_names)
+      section_names.map { |n| "@#{n}"}.join(',')
+    end
+
+    def section_lines(section_name, value_hash)
+      ["[#{section_name}]"] + value_hash.keys.map { |k| "#{k} = #{value_hash[k]}"} + ['']
+    end
+
     def merge_options(config,hash)
       hash.keys.each do |k|
         config[k] = hash[k]
@@ -193,7 +279,11 @@ module CertificateAuthority
       certificate.serial_number.number = openssl_cert.serial.to_i
       certificate.not_before = openssl_cert.not_before
       certificate.not_after = openssl_cert.not_after
-      # TODO extensions
+      EXTENSIONS.each do |klass|
+        _,v,c = (openssl_cert.extensions.detect { |e| e.to_a.first == klass::OPENSSL_IDENTIFIER } || []).to_a
+        certificate.extensions[klass::OPENSSL_IDENTIFIER] = klass.parse(v, c) if v
+      end
+
       certificate
     end
 

data/lib/certificate_authority/certificate_revocation_list.rb

@@ -1,36 +1,52 @@
 module CertificateAuthority
   class CertificateRevocationList
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :certificates
     attr_accessor :parent
     attr_accessor :crl_body
     attr_accessor :next_update
+    attr_accessor :last_update_skew_seconds
 
-    validate do |crl|
-      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
-      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    def validate
+      errors.add :next_update, "Next update must be a positive value" if self.next_update < 0
+      errors.add :parent, "A parent entity must be set" if self.parent.nil?
     end
 
     def initialize
       self.certificates = []
       self.next_update = 60 * 60 * 4 # 4 hour default
+      self.last_update_skew_seconds = 0
     end
 
-    def <<(cert)
-      raise "Only revoked certificates can be added to a CRL" unless cert.revoked?
-      self.certificates << cert
+    def <<(revocable)
+      case revocable
+      when Revocable
+        raise "Only revoked entities can be added to a CRL" unless revocable.revoked?
+        self.certificates << revocable
+      when OpenSSL::X509::Certificate
+        raise "Not implemented yet"
+      else
+        raise "#{revocable.class} cannot be included in a CRL"
+      end
     end
 
-    def sign!
+    def sign!(signing_profile={})
       raise "No parent entity has been set!" if self.parent.nil?
       raise "Invalid CRL" unless self.valid?
 
-      revocations = self.certificates.collect do |certificate|
+      revocations = self.certificates.collect do |revocable|
         revocation = OpenSSL::X509::Revoked.new
-        x509_cert = OpenSSL::X509::Certificate.new(certificate.to_pem)
-        revocation.serial = x509_cert.serial
-        revocation.time = certificate.revoked_at
+
+        ## We really just need a serial number, now we have to dig it out
+        case revocable
+        when Certificate
+          x509_cert = OpenSSL::X509::Certificate.new(revocable.to_pem)
+          revocation.serial = x509_cert.serial
+        when SerialNumber
+          revocation.serial = revocable.number
+        end
+        revocation.time = revocable.revoked_at
         revocation
       end
 
@@ -40,11 +56,15 @@ module CertificateAuthority
       end
 
       crl.version = 1
-      crl.last_update = Time.now
+      crl.last_update = Time.now - self.last_update_skew_seconds
       crl.next_update = Time.now + self.next_update
 
       signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
-      digest = OpenSSL::Digest::Digest.new("SHA512")
+      if signing_profile["digest"].nil?
+        digest = OpenSSL::Digest.new("SHA512")
+      else
+        digest = OpenSSL::Digest.new(signing_profile["digest"])
+      end
       crl.issuer = signing_cert.subject
       self.crl_body = crl.sign(self.parent.key_material.private_key, digest)
 

data/lib/certificate_authority/core_extensions.rb

@@ -0,0 +1,46 @@
+#
+# ActiveSupport has these modifications. Now that we don't use ActiveSupport,
+# these are added here as a kindness.
+#
+
+require 'date'
+
+unless nil.respond_to?(:blank?)
+  class NilClass
+    def blank?
+      true
+    end
+  end
+end
+
+unless String.respond_to?(:blank?)
+  class String
+    def blank?
+      self.empty?
+    end
+  end
+end
+
+class Date
+
+  def today
+    t = Time.now.utc
+    Date.new(t.year, t.month, t.day)
+  end
+
+  def utc
+    self.to_datetime.to_time.utc
+  end
+
+  unless Date.respond_to?(:advance)
+    def advance(options)
+      options = options.dup
+      d = self
+      d = d >> options.delete(:years) * 12 if options[:years]
+      d = d >> options.delete(:months)     if options[:months]
+      d = d +  options.delete(:weeks) * 7  if options[:weeks]
+      d = d +  options.delete(:days)       if options[:days]
+      d
+    end
+  end
+end

data/lib/certificate_authority/distinguished_name.rb

@@ -1,58 +1,106 @@
 module CertificateAuthority
   class DistinguishedName
-    include ActiveModel::Validations
+    include Validations
 
-    validates_presence_of :common_name
+    def validate
+      if self.common_name.nil? || self.common_name.empty?
+        errors.add :common_name, 'cannot be blank'
+      end
+    end
 
     attr_accessor :common_name
     alias :cn :common_name
+    alias :cn= :common_name=
 
     attr_accessor :locality
     alias :l :locality
+    alias :l= :locality=
 
     attr_accessor :state
     alias :s :state
+    alias :st= :state=
 
     attr_accessor :country
     alias :c :country
+    alias :c= :country=
 
     attr_accessor :organization
     alias :o :organization
+    alias :o= :organization=
 
     attr_accessor :organizational_unit
     alias :ou :organizational_unit
+    alias :ou= :organizational_unit=
+
+    attr_accessor :email_address
+    alias :emailAddress :email_address
+    alias :emailAddress= :email_address=
+
+    attr_accessor :serial_number
+    alias :serialNumber :serial_number
+    alias :serialNumber= :serial_number=
 
     def to_x509_name
       raise "Invalid Distinguished Name" unless valid?
 
       # NB: the capitalization in the strings counts
       name = OpenSSL::X509::Name.new
-      name.add_entry("CN", common_name)
-      name.add_entry("O", organization) unless organization.blank?
-      name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
+      name.add_entry("serialNumber", serial_number) unless serial_number.blank?
+      name.add_entry("C", country) unless country.blank?
       name.add_entry("ST", state) unless state.blank?
       name.add_entry("L", locality) unless locality.blank?
-      name.add_entry("C", country) unless country.blank?
+      name.add_entry("O", organization) unless organization.blank?
+      name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
+      name.add_entry("CN", common_name)
+      name.add_entry("emailAddress", email_address) unless email_address.blank?
       name
     end
 
+    def ==(other)
+      # Use the established OpenSSL comparison
+      self.to_x509_name() == other.to_x509_name()
+    end
+
     def self.from_openssl openssl_name
       unless openssl_name.is_a? OpenSSL::X509::Name
         raise "Argument must be a OpenSSL::X509::Name"
       end
 
-      name = DistinguishedName.new
-      openssl_name.to_a.each do |k,v|
-        case k
-        when "CN" then name.common_name = v
-        when "L" then name.locality = v
-        when "ST" then name.state = v
-        when "C" then name.country = v
-        when "O" then name.organization = v
-        when "OU" then name.organizational_unit = v
+      WrappedDistinguishedName.new(openssl_name)
+    end
+  end
+
+  ## This is a significantly more complicated case. It's possible that
+  ## generically handled certificates will include custom OIDs in the
+  ## subject.
+  class WrappedDistinguishedName < DistinguishedName
+    attr_accessor :x509_name
+
+    def initialize(x509_name)
+      @x509_name = x509_name
+
+      subject = @x509_name.to_a
+      subject.each do |element|
+        field = element[0].downcase
+        value = element[1]
+        #type = element[2] ## -not used
+        method_sym = "#{field}=".to_sym
+        if self.respond_to?(method_sym)
+          self.send("#{field}=",value)
+        else
+          ## Custom OID
+          @custom_oids = true
         end
       end
-      name
+
+    end
+
+    def to_x509_name
+      @x509_name
+    end
+
+    def custom_oids?
+      @custom_oids
     end
   end
 end