certificate_authority 0.1.6 → 1.0.0

data/lib/certificate_authority/key_material.rb

@@ -15,11 +15,30 @@ module CertificateAuthority
     def is_in_memory?
       raise "Required implementation"
     end
+
+    def self.from_x509_key_pair(pair,password=nil)
+      if password.nil?
+        key = OpenSSL::PKey::RSA.new(pair)
+      else
+        key = OpenSSL::PKey::RSA.new(pair,password)
+      end
+      mem_key = MemoryKeyMaterial.new
+      mem_key.public_key = key.public_key
+      mem_key.private_key = key
+      mem_key
+    end
+
+    def self.from_x509_public_key(public_key_pem)
+      key = OpenSSL::PKey::RSA.new(public_key_pem)
+      signing_request_key = SigningRequestKeyMaterial.new
+      signing_request_key.public_key = key.public_key
+      signing_request_key
+    end
   end
 
   class MemoryKeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :keypair
     attr_accessor :private_key
@@ -28,11 +47,13 @@ module CertificateAuthority
     def initialize
     end
 
-    validates_each :private_key do |record, attr, value|
-        record.errors.add :private_key, "cannot be blank" if record.private_key.nil?
-    end
-    validates_each :public_key do |record, attr, value|
-      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    def validate
+      if private_key.nil?
+        errors.add :private_key, "cannot be blank"
+      end
+      if public_key.nil?
+        errors.add :public_key, "cannot be blank"
+      end
     end
 
     def is_in_hardware?
@@ -61,10 +82,10 @@ module CertificateAuthority
 
   class SigningRequestKeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
+    include Validations
 
-    validates_each :public_key do |record, attr, value|
-      record.errors.add :public_key, "cannot be blank" if record.public_key.nil?
+    def validate
+      errors.add :public_key, "cannot be blank" if public_key.nil?
     end
 
     attr_accessor :public_key

data/lib/certificate_authority/ocsp_handler.rb

@@ -1,6 +1,74 @@
 module CertificateAuthority
+  class OCSPResponseBuilder
+    attr_accessor :ocsp_response
+    attr_accessor :verification_mechanism
+    attr_accessor :ocsp_request_reader
+    attr_accessor :parent
+    attr_accessor :next_update
+
+    GOOD = OpenSSL::OCSP::V_CERTSTATUS_GOOD
+    REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+
+    NO_REASON=0
+    KEY_COMPROMISED=OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE
+    UNSPECIFIED=OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED
+
+    def build_response()
+      raise "Requires a parent for signing" if @parent.nil?
+      if @verification_mechanism.nil?
+        ## If no verification callback is provided we're marking it GOOD
+        @verification_mechanism = lambda {|cert_id| [GOOD,NO_REASON] }
+      end
+
+      @ocsp_request_reader.ocsp_request.certid.each do |cert_id|
+        result,reason = verification_mechanism.call(cert_id.serial)
+
+        ## cert_id, status, reason, rev_time, this update, next update, ext
+        ## - unit of time is seconds
+        ## - rev_time is currently set to "now"
+        @ocsp_response.add_status(cert_id,
+        result, reason,
+          0, 0, @next_update, nil)
+      end
+
+      @ocsp_response.sign(OpenSSL::X509::Certificate.new(@parent.to_pem), @parent.key_material.private_key, nil, nil)
+      OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, @ocsp_response)
+    end
+
+    def self.from_request_reader(request_reader,verification_mechanism=nil)
+      response_builder = OCSPResponseBuilder.new
+      response_builder.ocsp_request_reader = request_reader
+
+      ocsp_response = OpenSSL::OCSP::BasicResponse.new
+      ocsp_response.copy_nonce(request_reader.ocsp_request)
+      response_builder.ocsp_response = ocsp_response
+      response_builder.next_update = 60*15 #Default of 15 minutes
+      response_builder
+    end
+  end
+
+  class OCSPRequestReader
+    attr_accessor :raw_ocsp_request
+    attr_accessor :ocsp_request
+
+    def serial_numbers
+      @ocsp_request.certid.collect do |cert_id|
+        cert_id.serial
+      end
+    end
+
+    def self.from_der(request_body)
+      reader = OCSPRequestReader.new
+      reader.raw_ocsp_request = request_body
+      reader.ocsp_request = OpenSSL::OCSP::Request.new(request_body)
+
+      reader
+    end
+  end
+
+  ## DEPRECATED
   class OCSPHandler
-    include ActiveModel::Validations
+    include Validations
 
     attr_accessor :ocsp_request
     attr_accessor :certificate_ids
@@ -10,10 +78,10 @@ module CertificateAuthority
 
     attr_accessor :ocsp_response_body
 
-    validate do |crl|
+    def validate
       errors.add :parent, "A parent entity must be set" if parent.nil?
+      all_certificates_available
     end
-    validate :all_certificates_available
 
     def initialize
       self.certificates = {}
@@ -24,9 +92,11 @@ module CertificateAuthority
     end
 
     def extract_certificate_serials
-      raise "No valid OCSP request was supplied" if self.ocsp_request.nil?
-      openssl_request = OpenSSL::OCSP::Request.new(self.ocsp_request)
+      openssl_request = OpenSSL::OCSP::Request.new(@ocsp_request)
 
+      if openssl_request.certid.nil?
+        raise "Invalid openssl request"
+      end
       self.certificate_ids = openssl_request.certid.collect do |cert_id|
         cert_id.serial
       end

data/lib/certificate_authority/pkcs11_key_material.rb

@@ -1,8 +1,6 @@
 module CertificateAuthority
   class Pkcs11KeyMaterial
     include KeyMaterial
-    include ActiveModel::Validations
-    include ActiveModel::Serialization
 
     attr_accessor :engine
     attr_accessor :token_id

data/lib/certificate_authority/revocable.rb

@@ -0,0 +1,14 @@
+module CertificateAuthority
+  module Revocable
+    attr_accessor :revoked_at
+
+    def revoke!(time=Time.now)
+      @revoked_at = time
+    end
+
+    def revoked?
+      # If we have a time, then we're revoked
+      !@revoked_at.nil?
+    end
+  end
+end

data/lib/certificate_authority/serial_number.rb

@@ -1,9 +1,22 @@
+require 'securerandom'
+
 module CertificateAuthority
   class SerialNumber
-    include ActiveModel::Validations
+    include Validations
+    include Revocable
 
     attr_accessor :number
 
-    validates :number, :presence => true, :numericality => {:greater_than => 0}
+    def validate
+      if self.number.nil?
+        errors.add :number, "must not be empty"
+      elsif self.number.to_i <= 0
+        errors.add :number, "must be greater than zero"
+      end
+    end
+
+    def initialize
+      self.number = SecureRandom.random_number(2**128-1)
+    end
   end
 end

data/lib/certificate_authority/signing_request.rb

@@ -0,0 +1,91 @@
+module CertificateAuthority
+  class SigningRequest
+    attr_accessor :distinguished_name
+    attr_accessor :key_material
+    attr_accessor :raw_body
+    attr_accessor :openssl_csr
+    attr_accessor :digest
+    attr_accessor :attributes
+
+    def initialize()
+      @attributes = []
+    end
+
+    # Fake attribute for convenience because adding
+    # alternative names on a CSR is remarkably non-trivial.
+    def subject_alternative_names=(alt_names)
+      raise "alt_names must be an Array" unless alt_names.is_a?(Array)
+
+      factory = OpenSSL::X509::ExtensionFactory.new
+      name_list = alt_names.map{|m| "DNS:#{m}"}.join(",")
+      ext = factory.create_ext("subjectAltName",name_list,false)
+      ext_set = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
+      attr = OpenSSL::X509::Attribute.new("extReq", ext_set)
+      @attributes << attr
+    end
+
+    def read_attributes_by_oid(*oids)
+      attributes.detect { |a| oids.include?(a.oid) }
+    end
+    protected :read_attributes_by_oid
+
+    def to_cert
+      cert = Certificate.new
+      if !@distinguished_name.nil?
+        cert.distinguished_name = @distinguished_name
+      end
+      cert.key_material = @key_material
+      if attribute = read_attributes_by_oid('extReq', 'msExtReq')
+        set = OpenSSL::ASN1.decode(attribute.value)
+        seq = set.value.first
+        seq.value.collect { |asn1ext| OpenSSL::X509::Extension.new(asn1ext).to_a }.each do |o, v, c|
+         Certificate::EXTENSIONS.each do |klass|
+            cert.extensions[klass::OPENSSL_IDENTIFIER] = klass.parse(v, c) if v && klass::OPENSSL_IDENTIFIER == o
+          end
+        end
+      end
+      cert
+    end
+
+    def to_pem
+      to_x509_csr.to_pem
+    end
+
+    def to_x509_csr
+      raise "Must specify a DN/subject on csr" if @distinguished_name.nil?
+      raise "Invalid DN in request" unless @distinguished_name.valid?
+      raise "CSR must have key material" if @key_material.nil?
+      raise "CSR must include a public key on key material" if @key_material.public_key.nil?
+      raise "Need a private key on key material for CSR generation" if @key_material.private_key.nil?
+
+      opensslcsr = OpenSSL::X509::Request.new
+      opensslcsr.subject = @distinguished_name.to_x509_name
+      opensslcsr.public_key = @key_material.public_key
+      opensslcsr.attributes = @attributes unless @attributes.nil?
+      opensslcsr.sign @key_material.private_key, OpenSSL::Digest.new(@digest || "SHA512")
+      opensslcsr
+    end
+
+    def self.from_x509_csr(raw_csr)
+      csr = SigningRequest.new
+      openssl_csr = OpenSSL::X509::Request.new(raw_csr)
+      csr.distinguished_name = DistinguishedName.from_openssl openssl_csr.subject
+      csr.raw_body = raw_csr
+      csr.openssl_csr = openssl_csr
+      csr.attributes = openssl_csr.attributes
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_csr.public_key
+      csr.key_material = key_material
+      csr
+    end
+
+    def self.from_netscape_spkac(raw_spkac)
+      openssl_spkac = OpenSSL::Netscape::SPKI.new raw_spkac
+      csr = SigningRequest.new
+      csr.raw_body = raw_spkac
+      key_material = SigningRequestKeyMaterial.new
+      key_material.public_key = openssl_spkac.public_key
+      csr
+    end
+  end
+end

data/lib/certificate_authority/validations.rb

@@ -0,0 +1,31 @@
+#
+# This is a super simple replacement for ActiveSupport::Validations
+#
+
+module CertificateAuthority
+  class Errors < Array
+    def add(symbol, msg)
+      self.push([symbol, msg])
+    end
+    def full_messages
+      self.map {|i| i[0].to_s + ": " + i[1]}.join("\n")
+    end
+  end
+
+  module Validations
+    def valid?
+      @errors = Errors.new
+      validate
+      errors.empty?
+    end
+
+    # must be overridden
+    def validate
+      raise NotImplementedError
+    end
+
+    def errors
+      @errors ||= Errors.new
+    end
+  end
+end

data/lib/certificate_authority/version.rb

@@ -0,0 +1,3 @@
+module CertificateAuthority
+  VERSION = '1.0.0'.freeze
+end

metadata

@@ -1,111 +1,139 @@
 --- !ruby/object:Gem::Specification
 name: certificate_authority
 version: !ruby/object:Gem::Version
-  version: 0.1.6
-  prerelease: 
+  version: 1.0.0
 platform: ruby
 authors:
 - Chris Chandler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-12 00:00:00.000000000 Z
+date: 2020-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: activemodel
-  requirement: &70182567433260 !ruby/object:Gem::Requirement
-    none: false
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.6
-  type: :runtime
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
   prerelease: false
-  version_requirements: *70182567433260
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70182567432240 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70182567432240
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: jeweler
-  requirement: &70182567430960 !ruby/object:Gem::Requirement
-    none: false
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70182567430960
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
-email: chris@flatterline.com
+email:
+- squanderingtime@gmail.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- README.rdoc
+extra_rdoc_files: []
 files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - Gemfile
 - Gemfile.lock
 - README.rdoc
 - Rakefile
-- VERSION.yml
 - certificate_authority.gemspec
 - lib/certificate_authority.rb
 - lib/certificate_authority/certificate.rb
 - lib/certificate_authority/certificate_revocation_list.rb
+- lib/certificate_authority/core_extensions.rb
 - lib/certificate_authority/distinguished_name.rb
 - lib/certificate_authority/extensions.rb
 - lib/certificate_authority/key_material.rb
 - lib/certificate_authority/ocsp_handler.rb
 - lib/certificate_authority/pkcs11_key_material.rb
+- lib/certificate_authority/revocable.rb
 - lib/certificate_authority/serial_number.rb
 - lib/certificate_authority/signing_entity.rb
+- lib/certificate_authority/signing_request.rb
+- lib/certificate_authority/validations.rb
+- lib/certificate_authority/version.rb
 - lib/tasks/certificate_authority.rake
-- spec/spec_helper.rb
-- spec/units/certificate_authority_spec.rb
-- spec/units/certificate_revocation_list_spec.rb
-- spec/units/certificate_spec.rb
-- spec/units/distinguished_name_spec.rb
-- spec/units/extensions_spec.rb
-- spec/units/key_material_spec.rb
-- spec/units/ocsp_handler_spec.rb
-- spec/units/pkcs11_key_material_spec.rb
-- spec/units/serial_number_spec.rb
-- spec/units/signing_entity_spec.rb
-- spec/units/units_helper.rb
-homepage: http://github.com/cchandler/certificate_authority
+homepage: https://github.com/cchandler/certificate_authority
 licenses:
 - MIT
+metadata:
+  homepage_uri: https://github.com/cchandler/certificate_authority
+  source_code_uri: https://github.com/cchandler/certificate_authority
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
-      segments:
-      - 0
-      hash: -2366790866817530073
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 1.8.15
+rubygems_version: 3.1.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Ruby gem for managing the core functions outlined in RFC-3280 for PKI
 test_files: []