certificate_authority 0.1.5 → 1.1.0

data/lib/certificate_authority/ocsp_handler.rb

@@ -1,6 +1,74 @@
 module CertificateAuthority
+  class OCSPResponseBuilder
+    attr_accessor :ocsp_response
+    attr_accessor :verification_mechanism
+    attr_accessor :ocsp_request_reader
+    attr_accessor :parent
+    attr_accessor :next_update
+
+    GOOD = OpenSSL::OCSP::V_CERTSTATUS_GOOD
+    REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+
+    NO_REASON=0
+    KEY_COMPROMISED=OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE
+    UNSPECIFIED=OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED
+
+    def build_response()
+      raise "Requires a parent for signing" if @parent.nil?
+      if @verification_mechanism.nil?
+        ## If no verification callback is provided we're marking it GOOD
+        @verification_mechanism = lambda {|cert_id| [GOOD,NO_REASON] }
+      end
+
+      @ocsp_request_reader.ocsp_request.certid.each do |cert_id|
+        result,reason = verification_mechanism.call(cert_id.serial)
+
+        ## cert_id, status, reason, rev_time, this update, next update, ext
+        ## - unit of time is seconds
+        ## - rev_time is currently set to "now"
+        @ocsp_response.add_status(cert_id,
+        result, reason,
+          0, 0, @next_update, nil)
+      end
+
+      @ocsp_response.sign(OpenSSL::X509::Certificate.new(@parent.to_pem), @parent.key_material.private_key, nil, nil)
+      OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, @ocsp_response)
+    end
+
+    def self.from_request_reader(request_reader,verification_mechanism=nil)
+      response_builder = OCSPResponseBuilder.new
+      response_builder.ocsp_request_reader = request_reader
+
+      ocsp_response = OpenSSL::OCSP::BasicResponse.new
+      ocsp_response.copy_nonce(request_reader.ocsp_request)
+      response_builder.ocsp_response = ocsp_response
+      response_builder.next_update = 60*15 #Default of 15 minutes
+      response_builder
+    end
+  end
+
+  class OCSPRequestReader
+    attr_accessor :raw_ocsp_request
+    attr_accessor :ocsp_request
+
+    def serial_numbers
+      @ocsp_request.certid.collect do |cert_id|
+        cert_id.serial
+      end
+    end
+
+    def self.from_der(request_body)
+      reader = OCSPRequestReader.new
+      reader.raw_ocsp_request = request_body
+      reader.ocsp_request = OpenSSL::OCSP::Request.new(request_body)
+
+      reader
+    end
+  end
+
+  ## DEPRECATED
   class OCSPHandler
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :ocsp_request
     attr_accessor :certificate_ids
@@ -10,10 +78,10 @@ module CertificateAuthority
 
     attr_accessor :ocsp_response_body
 
-    validate do |crl|
+    def validate
       errors.add :parent, "A parent entity must be set" if parent.nil?
+      all_certificates_available
     end
-    validate :all_certificates_available
 
     def initialize
       self.certificates = {}
@@ -24,9 +92,11 @@ module CertificateAuthority
     end
 
     def extract_certificate_serials
-      raise "No valid OCSP request was supplied" if self.ocsp_request.nil?
-      openssl_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+      openssl_request = OpenSSL::OCSP::Request.new(@ocsp_request)
 
+      if openssl_request.certid.nil?
+        raise "Invalid openssl request"
+      end
       self.certificate_ids = openssl_request.certid.collect do |cert_id|
         cert_id.serial
       end

data/lib/certificate_authority/pkcs11_key_material.rb

@@ -1,8 +1,6 @@
 module CertificateAuthority
   class Pkcs11KeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
-    include ActiveModel::Serialization
 
     attr_accessor :engine
     attr_accessor :token_id

data/lib/certificate_authority/revocable.rb

@@ -0,0 +1,14 @@
+module CertificateAuthority
+  module Revocable
+    attr_accessor :revoked_at
+
+    def revoke!(time=Time.now)
+      @revoked_at = time
+    end
+
+    def revoked?
+      # If we have a time, then we're revoked
+      !@revoked_at.nil?
+    end
+  end
+end

data/lib/certificate_authority/serial_number.rb

@@ -1,9 +1,22 @@
+require 'securerandom'
+
 module CertificateAuthority
   class SerialNumber
-    include ActiveModel::Validations
+    include Validations
+    include Revocable
 
     attr_accessor :number
 
-    validates :number, :presence => true, :numericality => {:greater_than => 0}
+    def validate
+      if self.number.nil?
+        errors.add :number, "must not be empty"
+      elsif self.number.to_i <= 0
+        errors.add :number, "must be greater than zero"
+      end
+    end
+
+    def initialize
+      self.number = SecureRandom.random_number(2**128-1)
+    end
   end
 end

data/lib/certificate_authority/signing_request.rb

@@ -0,0 +1,91 @@
+module CertificateAuthority
+  class SigningRequest
+    attr_accessor :distinguished_name
+    attr_accessor :key_material
+    attr_accessor :raw_body
+    attr_accessor :openssl_csr
+    attr_accessor :digest
+    attr_accessor :attributes
+
+    def initialize()
+      @attributes = []
+    end
+
+    # Fake attribute for convenience because adding
+    # alternative names on a CSR is remarkably non-trivial.
+    def subject_alternative_names=(alt_names)
+      raise "alt_names must be an Array" unless alt_names.is_a?(Array)
+
+      factory = OpenSSL::X509::ExtensionFactory.new
+      name_list = alt_names.map{|m| "DNS:#{m}"}.join(",")
+      ext = factory.create_ext("subjectAltName",name_list,false)
+      ext_set = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
+      attr = OpenSSL::X509::Attribute.new("extReq", ext_set)
+      @attributes << attr
+    end
+
+    def read_attributes_by_oid(*oids)
+      attributes.detect { |a| oids.include?(a.oid) }
+    end
+    protected :read_attributes_by_oid
+
+    def to_cert
+      cert = Certificate.new
+      if !@distinguished_name.nil?
+        cert.distinguished_name = @distinguished_name
+      end
+      cert.key_material = @key_material
+      if attribute = read_attributes_by_oid('extReq', 'msExtReq')
+        set = OpenSSL::ASN1.decode(attribute.value)
+        seq = set.value.first
+        seq.value.collect { |asn1ext| OpenSSL::X509::Extension.new(asn1ext).to_a }.each do |o, v, c|
+         Certificate::EXTENSIONS.each do |klass|
+            cert.extensions[klass::OPENSSL_IDENTIFIER] = klass.parse(v, c) if v && klass::OPENSSL_IDENTIFIER == o
+          end
+        end
+      end
+      cert
+    end
+
+    def to_pem
+      to_x509_csr.to_pem
+    end
+
+    def to_x509_csr
+      raise "Must specify a DN/subject on csr" if @distinguished_name.nil?
+      raise "Invalid DN in request" unless @distinguished_name.valid?
+      raise "CSR must have key material" if @key_material.nil?
+      raise "CSR must include a public key on key material" if @key_material.public_key.nil?
+      raise "Need a private key on key material for CSR generation" if @key_material.private_key.nil?
+
+      opensslcsr = OpenSSL::X509::Request.new
+      opensslcsr.subject = @distinguished_name.to_x509_name
+      opensslcsr.public_key = @key_material.public_key
+      opensslcsr.attributes = @attributes unless @attributes.nil?
+      opensslcsr.sign @key_material.private_key, OpenSSL::Digest.new(@digest || "SHA512")
+      opensslcsr
+    end
+
+    def self.from_x509_csr(raw_csr)
+      csr = SigningRequest.new
+      openssl_csr = OpenSSL::X509::Request.new(raw_csr)
+      csr.distinguished_name = DistinguishedName.from_openssl openssl_csr.subject
+      csr.raw_body = raw_csr
+      csr.openssl_csr = openssl_csr
+      csr.attributes = openssl_csr.attributes
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_csr.public_key
+      csr.key_material = key_material
+      csr
+    end
+
+    def self.from_netscape_spkac(raw_spkac)
+      openssl_spkac = OpenSSL::Netscape::SPKI.new raw_spkac
+      csr = SigningRequest.new
+      csr.raw_body = raw_spkac
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_spkac.public_key
+      csr
+    end
+  end
+end

data/lib/certificate_authority/validations.rb

@@ -0,0 +1,31 @@
+#
+# This is a super simple replacement for ActiveSupport::Validations
+#
+
+module CertificateAuthority
+  class Errors < Array
+    def add(symbol, msg)
+      self.push([symbol, msg])
+    end
+    def full_messages
+      self.map {|i| i[0].to_s + ": " + i[1]}.join("\n")
+    end
+  end
+
+  module Validations
+    def valid?
+      @errors = Errors.new
+      validate
+      errors.empty?
+    end
+
+    # must be overridden
+    def validate
+      raise NotImplementedError
+    end
+
+    def errors
+      @errors ||= Errors.new
+    end
+  end
+end

data/lib/certificate_authority/version.rb

@@ -0,0 +1,3 @@
+module CertificateAuthority
+  VERSION = '1.1.0'.freeze
+end

data/lib/certificate_authority.rb

@@ -1,11 +1,11 @@
-$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
-
-#Exterior requirements
+# Exterior requirements
 require 'openssl'
-require 'active_model'
 
-#Internal modules
+# Internal modules
+require 'certificate_authority/core_extensions'
 require 'certificate_authority/signing_entity'
+require 'certificate_authority/revocable'
+require 'certificate_authority/validations'
 require 'certificate_authority/distinguished_name'
 require 'certificate_authority/serial_number'
 require 'certificate_authority/key_material'
@@ -14,6 +14,7 @@ require 'certificate_authority/extensions'
 require 'certificate_authority/certificate'
 require 'certificate_authority/certificate_revocation_list'
 require 'certificate_authority/ocsp_handler'
+require 'certificate_authority/signing_request'
 
 module CertificateAuthority
 end

metadata

@@ -1,134 +1,139 @@
 --- !ruby/object:Gem::Specification
 name: certificate_authority
 version: !ruby/object:Gem::Version
-  version: 0.1.5
-  prerelease: 
+  version: 1.1.0
 platform: ruby
 authors:
 - Chris Chandler
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-08-12 00:00:00.000000000 Z
+date: 2022-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: activemodel
-  requirement: &70219917934620 !ruby/object:Gem::Requirement
-    none: false
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.6
-  type: :runtime
+        version: '0'
+  type: :development
   prerelease: false
-  version_requirements: *70219917934620
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: &70219917933580 !ruby/object:Gem::Requirement
-    none: false
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70219917933580
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: jeweler
-  requirement: &70219917932340 !ruby/object:Gem::Requirement
-    none: false
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70219917932340
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rcov
-  requirement: &70219917931200 !ruby/object:Gem::Requirement
-    none: false
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70219917931200
-description: 
-email: chris@flatterline.com
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- squanderingtime@gmail.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- README.rdoc
+extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
 - Gemfile
 - Gemfile.lock
 - README.rdoc
 - Rakefile
-- VERSION.yml
 - certificate_authority.gemspec
 - lib/certificate_authority.rb
 - lib/certificate_authority/certificate.rb
 - lib/certificate_authority/certificate_revocation_list.rb
+- lib/certificate_authority/core_extensions.rb
 - lib/certificate_authority/distinguished_name.rb
 - lib/certificate_authority/extensions.rb
 - lib/certificate_authority/key_material.rb
 - lib/certificate_authority/ocsp_handler.rb
 - lib/certificate_authority/pkcs11_key_material.rb
+- lib/certificate_authority/revocable.rb
 - lib/certificate_authority/serial_number.rb
 - lib/certificate_authority/signing_entity.rb
+- lib/certificate_authority/signing_request.rb
+- lib/certificate_authority/validations.rb
+- lib/certificate_authority/version.rb
 - lib/tasks/certificate_authority.rake
-- spec/spec_helper.rb
-- spec/units/certificate_authority_spec.rb
-- spec/units/certificate_revocation_list_spec.rb
-- spec/units/certificate_spec.rb
-- spec/units/distinguished_name_spec.rb
-- spec/units/extensions_spec.rb
-- spec/units/key_material_spec.rb
-- spec/units/ocsp_handler_spec.rb
-- spec/units/pkcs11_key_material_spec.rb
-- spec/units/serial_number_spec.rb
-- spec/units/signing_entity_spec.rb
-- spec/units/units_helper.rb
-homepage: http://github.com/cchandler/certificate_authority
+homepage: https://github.com/cchandler/certificate_authority
 licenses:
 - MIT
-post_install_message: 
+metadata:
+  homepage_uri: https://github.com/cchandler/certificate_authority
+  source_code_uri: https://github.com/cchandler/certificate_authority
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
-      segments:
-      - 0
-      hash: -4255291266010713520
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 1.8.15
-signing_key: 
-specification_version: 3
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
 summary: Ruby gem for managing the core functions outlined in RFC-3280 for PKI
-test_files:
-- spec/spec_helper.rb
-- spec/units/certificate_authority_spec.rb
-- spec/units/certificate_revocation_list_spec.rb
-- spec/units/certificate_spec.rb
-- spec/units/distinguished_name_spec.rb
-- spec/units/extensions_spec.rb
-- spec/units/key_material_spec.rb
-- spec/units/ocsp_handler_spec.rb
-- spec/units/pkcs11_key_material_spec.rb
-- spec/units/serial_number_spec.rb
-- spec/units/signing_entity_spec.rb
-- spec/units/units_helper.rb
+test_files: []

data/VERSION.yml

@@ -1,5 +0,0 @@
----
-:major: 0
-:minor: 1
-:patch: 5
-:build: 

data/spec/spec_helper.rb

@@ -1,4 +0,0 @@
-require 'rubygems'
-require 'rspec'
-
-require File.dirname(__FILE__) + '/../lib/certificate_authority'

data/spec/units/certificate_authority_spec.rb

@@ -1,4 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority do
-end

data/spec/units/certificate_revocation_list_spec.rb

@@ -1,68 +0,0 @@
-require File.dirname(__FILE__) + '/units_helper'
-
-describe CertificateAuthority::CertificateRevocationList do
-  before(:each) do
-    @crl = CertificateAuthority::CertificateRevocationList.new
-
-    @root_certificate = CertificateAuthority::Certificate.new
-    @root_certificate.signing_entity = true
-    @root_certificate.subject.common_name = "CRL Root"
-    @root_certificate.key_material.generate_key(1024)
-    @root_certificate.serial_number.number = 1
-    @root_certificate.sign!
-
-    @certificate = CertificateAuthority::Certificate.new
-    @certificate.key_material.generate_key(1024)
-    @certificate.subject.common_name = "http://bogusSite.com"
-    @certificate.parent = @root_certificate
-    @certificate.serial_number.number = 2
-    @certificate.sign!
-
-    @crl.parent = @root_certificate
-    @certificate.revoked_at = Time.now
-  end
-
-  it "should accept a list of certificates" do
-    @crl << @certificate
-  end
-
-  it "should complain if you add a certificate without a revocation time" do
-    @certificate.revoked_at = nil
-    lambda{ @crl << @certificate}.should raise_error
-  end
-
-  it "should have a 'parent' that will be responsible for signing" do
-    @crl.parent = @root_certificate
-    @crl.parent.should_not be_nil
-  end
-
-  it "should raise an error if you try and sign a CRL without attaching a parent" do
-    @crl.parent = nil
-    lambda { @crl.sign! }.should raise_error
-  end
-
-  it "should be able to generate a proper CRL" do
-    @crl << @certificate
-    lambda {@crl.to_pem}.should raise_error
-    @crl.parent = @root_certificate
-    @crl.sign!
-    @crl.to_pem.should_not be_nil
-    OpenSSL::X509::CRL.new(@crl.to_pem).should_not be_nil
-  end
-
-  describe "Next update" do
-    it "should be able to set a 'next_update' value" do
-      @crl.next_update = (60 * 60 * 10) # 10 Hours
-      @crl.next_update.should_not be_nil
-    end
-
-    it "should throw an error if we try and sign up with a negative next_update" do
-      @crl.sign!
-      @crl.next_update = - (60 * 60 * 10)
-      lambda{@crl.sign!}.should raise_error
-    end
-
-  end
-
-
-end