certificate_authority 0.1.1 → 0.1.2

Sign up to get free protection for your applications and to get access to all the features.
data/Gemfile CHANGED
@@ -1,9 +1,9 @@
1
1
  source 'http://rubygems.org'
2
2
 
3
- gem 'activemodel'
3
+ gem 'activemodel', "~> 3.0.6"
4
4
 
5
- #group :development do
5
+ group :development do
6
6
  gem 'rspec'
7
7
  gem "jeweler", "~> 1.5.2"
8
8
  gem "rcov", ">= 0"
9
- #end
9
+ end
data/Gemfile.lock CHANGED
@@ -29,7 +29,7 @@ PLATFORMS
29
29
  ruby
30
30
 
31
31
  DEPENDENCIES
32
- activemodel
32
+ activemodel (~> 3.0.6)
33
33
  jeweler (~> 1.5.2)
34
34
  rcov
35
35
  rspec
data/README.rdoc CHANGED
@@ -1,56 +1,225 @@
1
1
  = CertificateAuthority - Because it shouldn't be this damned complicated
2
2
 
3
- This is meant to provide a programmer-friendly implementation of all the basic functionality contained in RFC-3280 to implement your own certificate authority.
3
+ This is meant to provide a (more) programmer-friendly implementation of all the basic functionality contained in RFC-3280 to implement your own certificate authority.
4
4
 
5
5
  You can generate root certificates, intermediate certificates, and terminal certificates. You can also generate/manage Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) messages.
6
6
 
7
7
  Because this library is built using the native Ruby bindings for OpenSSL it also supports PKCS#11 cryptographic hardware for secure maintenance of private key materials.
8
8
 
9
- = The important parts
10
- Coming soon.
9
+ = So you want to maintain a certificate authority root
11
10
 
12
- = Examples
11
+ Let's suppose hypothetically you want to be able to issue and manage your own certificates. This section is meant to outline the basic functions you'll need(optionally want) to support. Not everyone is out to be in total compliance with WebTrust[link:http://www.webtrust.org/] or {Mozilla's rules for CA inclusion}[link:https://wiki.mozilla.org/CA:How_to_apply].
13
12
 
14
- == Creating a self-signed certificate/root (probably what you want)
13
+ The three primary elements to be aware of are:
15
14
 
16
- require 'certificate_authority'
17
- root = CertificateAuthority::Certificate.new
18
- root.subject.common_name "http://mydomain.com"
19
- root.key_material.generate_key
20
- root.signing_entity = true
21
- root.sign!
22
-
23
- == Creating an intermediate certificate (much less common use-case)
15
+ [Certificate Authority] These are the functions primarily related to the signing, issuance, and revocation of certificates.
16
+
17
+ [Registration Authority] These are the functions primarily related to registering and requesting certificates and vetting of the entities requesting certification.
18
+
19
+ [Validation Authority] These are the functions related to verifying the status of certificates out in the wild. Mostly CRLs and OCSP related functions.
20
+
21
+ = Establishing a new root in software
22
+
23
+ Let's look at a complete example for generating a new root certificate. Assuming that you don't have a PKCS#11 hardware token available (lists coming...) we'll have to store this safe.
24
+
25
+ Generating a self-signed root certificate is fairly easy:
24
26
 
25
27
  require 'certificate_authority'
26
28
  root = CertificateAuthority::Certificate.new
27
- root.subject.common_name "My snazzy root!"
29
+ root.subject.common_name= "http://mydomain.com"
30
+ root.serial_number.number=1
28
31
  root.key_material.generate_key
29
32
  root.signing_entity = true
30
33
  root.sign!
31
34
 
35
+ The required elements for the gem at this time are a common name for the subject and a serial number for the certificate. Since this is our self-signed root we're going to give it the first serial available of 1. Because certificate_authority is not designed to manage the issuance lifecycle you'll be expected to store serial numbers yourself.
36
+
37
+ Next, after taking care of required fields, we will require key material for the new certificate. There's a convenience method made available on the key_material object for generating new keys. The private key will be available in:
38
+
39
+ root.key_material.private_key
40
+
41
+ and the public key:
42
+
43
+ root.key_material.public_key
44
+
45
+ Make sure to save the private key somewhere safe!
46
+
47
+ Lastly, we declare that the certificate we're about to sign is itself a signing entity so we can continue on and sign other certificates.
48
+
49
+ == Creating a new intermediate
50
+
51
+ Maybe you don't want to actually sign certificates with your super-secret root certificate. This is actually how a good number of most public certificate authorities do it. Rather than sign with the primary root, they generate an intermediate root that is then responsible for signing the final certificates. If you wanted to create a root certificate you would do something like the following:
52
+
32
53
  intermediate = CertificateAuthority::Certificate.new
33
- intermediate.subject.common_name "My snazzy intermediate!"
54
+ intermediate.subject.common_name= "My snazzy intermediate!"
55
+ intermediate.serial_number.number=2
34
56
  intermediate.key_material.generate_key
35
57
  intermediate.signing_entity = true
36
58
  intermediate.parent = root
37
59
  intermediate.sign!
38
60
 
39
- == Creating a terminal (non-signing) cert
61
+ All we have to do is create another certificate like we did with the root. In this example we gave it the next available serial number which for us, was 2. We then generate (and save!) key material for this new entity. Even the +signing_entity+ is set to true so this certificate can sign other certificates. The difference here is that the +parent+ field is set to the root. Going forward, whatever entity you want to sign a certificate, you set that entity to be the parent. In this case, our root will be responsible for signing this intermediate when we call +sign!+.
62
+
63
+ = Creating new certificates (in general)
64
+
65
+ Now that we have a root certificate (and possibly an intermediate) we can sign end-user certificates. It is, perhaps unsurprisingly, similar to all the others:
40
66
 
41
- require 'certificate_authority'
42
67
  plain_cert = CertificateAuthority::Certificate.new
43
- plain_cert.subject.common_name "http://mydomain.com"
68
+ plain_cert.subject.common_name= "http://mydomain.com"
69
+ plain_cert.serial_number.number=4
44
70
  plain_cert.key_material.generate_key
45
71
  plain_cert.parent = root # or intermediate
46
72
  plain_cert.sign!
47
73
 
48
- == Getting the certificate body
74
+ That's all there is to it! In this example we generate the key material ourselves, but it's possible for the end-user to generate certificate signing request (CSR) that we can then parse and consume automatically (coming soon). To get the PEM formatted certificate for the user you would need to call:
75
+
76
+ plain_cert.to_pem
77
+
78
+ to get the certificate body.
79
+
80
+ = Signing Profiles
81
+
82
+ Creating basic certificates is all well and good, but maybe you want _more_ signing control. +certificate_authority+ supports the idea of signing profiles. These are hashes containing values that +sign!+ will use to merge in additional control options for setting extensions on the certificate.
83
+
84
+ Here's an example of a full signing profile for most of the common V3 extensions:
85
+
86
+ signing_profile = {
87
+ "extensions" => {
88
+ "basicConstraints" => {"ca" => false},
89
+ "crlDistributionPoints" => {"uri" => "http://notme.com/other.crl" },
90
+ "subjectKeyIdentifier" => {},
91
+ "authorityKeyIdentifier" => {},
92
+ "authorityInfoAccess" => {"ocsp" => ["http://youFillThisOut/ocsp/"] },
93
+ "keyUsage" => {"usage" => ["digitalSignature","nonRepudiation"] },
94
+ "extendedKeyUsage" => {"usage" => [ "serverAuth","clientAuth"]},
95
+ "subjectAltName" => {"uris" => ["http://subdomains.youFillThisOut/"]},
96
+ "certificatePolicies" => {
97
+ "policy_identifier" => "1.3.5.8", "cps_uris" => ["http://my.host.name/", "http://my.your.name/"],
98
+ "user_notice" => {
99
+ "explicit_text" => "Explicit Text Here",
100
+ "organization" => "Organization name",
101
+ "notice_numbers" => "1,2,3,4"
102
+ }
103
+ }
104
+ }
105
+ }
106
+
107
+ Using a signing profile is done this way:
108
+
109
+ certificate.sign!(signing_profile)
110
+
111
+ At that point all the configuration options will be merged into the extensions.
112
+
113
+ == Basic Constraints
114
+
115
+ The basic constraints extension allows you to control whether or not a certificate can sign other certificates.
116
+
117
+ [CA] If this value is true then this certificate has the authority to sign additional certificates.
118
+
119
+ [pathlen] This is the maximum length of the chain-of-trust. For instance, if an intermediate certificate has a pathlen of 1 then it can sign additional certificates, but it cannot create another signing entity because the total chain-of-trust would have a length greater than 1.
120
+
121
+ == CRL Distribution Points
122
+
123
+ This extension controls where a conformant client can go to obtain a list of certificate revocation information. At this point +certificate_authority+ only supports a list of URIs. The formal RFC however provides for the ability to provide a URI and an issuer identifier that allows a different signing entity to generate/sign the CRL.
124
+
125
+ [uri] The URI in subject alternative name format of the URI endpoint. Example: "http://ca.chrischandler.name/some_identifier.crl"
126
+
127
+ == Subject Key Identifier
128
+
129
+ This extension is required to be present, but doesn't offer any configurable parameters. Directly from the RFC:
130
+
131
+ The subject key identifier extension provides a means of identifying
132
+ certificates that contain a particular public key.
133
+
134
+ To facilitate certification path construction, this extension MUST
135
+ appear in all conforming CA certificates, that is, all certificates
136
+ including the basic constraints extension (section 4.2.1.10) where
137
+ the value of cA is TRUE. The value of the subject key identifier
138
+ MUST be the value placed in the key identifier field of the Authority
139
+ Key Identifier extension (section 4.2.1.1) of certificates issued by
140
+ the subject of this certificate.
141
+
142
+ == Authority Key Identifier
143
+
144
+ Just like the subject key identifier, this is required under most circumstances and doesn't contain any meaningful configuration options. From the RFC:
145
+
146
+ The keyIdentifier field of the authorityKeyIdentifier extension MUST
147
+ be included in all certificates generated by conforming CAs to
148
+ facilitate certification path construction. There is one exception;
149
+ where a CA distributes its public key in the form of a "self-signed"
150
+ certificate, the authority key identifier MAY be omitted. The
151
+ signature on a self-signed certificate is generated with the private
152
+ key associated with the certificate's subject public key. (This
153
+ proves that the issuer possesses both the public and private keys.)
154
+ In this case, the subject and authority key identifiers would be
155
+ identical, but only the subject key identifier is needed for
156
+ certification path building.
157
+
158
+ == Authority Info Access
159
+
160
+ The authority info access extension allows a CA to sign a certificate with information a client can use to get up-to-the-minute status information on a signed certificate. This takes the form of an OCSP[link:http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol] (Online Certificate Status Protocol) endpoints.
161
+
162
+ [ocsp] This is an array of URIs specifying possible endpoints that will be able to provide a signed response. +certificate_authority+ has an OCSP message handler for parsing OCSP requests and generating OCSP signed responses.
163
+
164
+ == Key Usage
165
+
166
+ This extension contains a list of the functions this certificate is allowed to participate in.
167
+
168
+ [usage] An array of OIDs in string format. The acceptable values are specified by OpenSSL and are: +digitalSignature+, +nonRepudiation+, +keyEncipherment+, +dataEncipherment+, +keyAgreement+, +keyCertSign+, +cRLSign+, +encipherOnly+ and +decipherOnly+.
169
+
170
+ == Extended Key Usage
171
+
172
+ This one is like key usage, but allows for certain application specific purposes. It's generally only present in end-user certificates.
173
+
174
+ [usage] An array of OIDs in string format. The only ones with practical significance at this point are: +serverAuth+, +clientAuth+, and +codeSigning+.
175
+
176
+ == Subject Alternative Name
177
+
178
+ If the certificate needs to work for multiple domains then you can specify the others for which it is valid in the subject alternative name field.
179
+
180
+ [uris] An array of full URIs for other common names this certificate should be valid for. For instance, if you want http://ca.chrischandler.name and http://www.ca.chrischandler.name to share the same cert you would place both in the +uris+ attribute of the subject alternative name.
181
+
182
+ == Certificate Policies
183
+
184
+ This is one of the most esoteric of the extensions. This allows a conformant certificate authority to embed signing policy information into the certificate body. Public certificate authorities are required to maintain a Certificate Practice Statement in accordance with {RFC 2527}[link:http://www.ietf.org/rfc/rfc2527.txt].
185
+
186
+ These CPSs define what vetting criteria and maintenance practices are required to issue, maintain, and revoke a certificate. While it might be overkill for private certificates, if you wanted to make an actual public CA you would need to put together a practice statement and embed it in certificates you issue.
187
+
188
+ [policy_identifier] This is an arbitrary OID (that you make up!) that uniquely represents the policy you are enforcing for whatever kind of certificate this is meant to be.
189
+
190
+ [cps_uris] This is an array of URIs where a client or human can go to get information related to your certification practice.
191
+
192
+ [user_notice] This is a nested field containing explicit human readable text if you want to embed a notice in the certificate body related to certification practices. It contains nested attributes of +explicit_text+ for the notice, +organization+ and +notice_numbers+. Refer to the RFC for specific implications of how these are set, but whether or not browsers implement the correct specified behavior for their presence is another issue.
193
+
194
+ = PKCS#11 Support
195
+
196
+ If you happen to have a PKCS#11 compliant hardware token you can use +certificate_authority+ to maintain private key materials in hardware security modules. At this point the scope of operating that hardware is out of scope of this README but it's there and it is supported.
197
+
198
+ To configure a certificate to utilize PKCS#11 instead of in memory keys all you need to do is:
199
+
200
+ root = CertificateAuthority::Certificate.new
201
+ root.subject.common_name= "http://mydomain.com"
202
+ root.serial_number.number=1
203
+ root.signing_entity = true
204
+
205
+ key_material_in_hardware = CertificateAuthority::Pkcs11KeyMaterial.new
206
+ key_material_in_hardware.token_id = "46"
207
+ key_material_in_hardware.pkcs11_lib = "/usr/lib/libeTPkcs11.so"
208
+ key_material_in_hardware.openssl_pkcs11_engine_lib = "/usr/lib/engines/engine_pkcs11.so"
209
+ key_material_in_hardware.pin = "11111111"
210
+
211
+ root.key_material = key_material_in_hardware
212
+ root.sign!
213
+
214
+ You're current version of OpenSSL _must_ include dynamic engine support and you will need to have OpenSSL PKCS#11 engine support. You will also require the actual PKCS#11 driver from the hardware manufacturer. As of today the only tokens I've gotten to work are:
215
+
216
+ [eTokenPro] Released by Aladdin (now SafeNet Inc.). I have only had success with the version 4 and 5 (32 bit only) copy of the driver. The newer authentication client released by SafeNet appears to be completely broken for interacting with the tokens outside of SafeNet's own tools. If anyone has a different experience I'd like to hear from you.
217
+
218
+ [ACS CryptoMate] Also a 32-bit only driver. You'll have to jump through some hoops to get the Linux PKCS#11 driver but it works surprisingly well. It also appears to support symmetric key operations in hardware.
219
+
220
+ [Your company] Do you make a PKCS#11 device? I'd love to get it working but I probably can't afford your device. Get in touch with me and if you're willing to loan me one for a week I can get it listed.
49
221
 
50
- ...
51
- certificate.sign!
52
- certificate.to_pem # <= Returns a PEM formatted string of your certificate
53
- certificate.key_material.private_key.to_pem # <= If you need the private key (and it's in memory)
222
+ Also of note, I have gotten these to work with 32-bit copies of Ubuntu 10.10 and pre-Snow Leopard versions of OS X. If you are running Snow Leopard you're out of luck since none of the companies I've contacted make a 64 bit driver.
54
223
 
55
224
  = Coming Soon
56
225
 
data/Rakefile CHANGED
@@ -27,7 +27,7 @@ Jeweler::Tasks.new do |gem|
27
27
  gem.email = "chris@flatterline.com"
28
28
  gem.authors = ["Chris Chandler"]
29
29
 
30
- gem.add_dependency('activemodel', '3.0.6')
30
+ # gem.add_dependency('activemodel', '3.0.6')
31
31
  end
32
32
  Jeweler::RubygemsDotOrgTasks.new
33
33
 
data/VERSION.yml CHANGED
@@ -1,5 +1,5 @@
1
1
  ---
2
2
  :major: 0
3
3
  :minor: 1
4
+ :patch: 2
4
5
  :build:
5
- :patch: 1
@@ -5,11 +5,11 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = %q{certificate_authority}
8
- s.version = "0.1.1"
8
+ s.version = "0.1.2"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Chris Chandler"]
12
- s.date = %q{2011-04-20}
12
+ s.date = %q{2011-04-21}
13
13
  s.email = %q{chris@flatterline.com}
14
14
  s.extra_rdoc_files = [
15
15
  "README.rdoc"
@@ -67,24 +67,21 @@ Gem::Specification.new do |s|
67
67
  s.specification_version = 3
68
68
 
69
69
  if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
70
- s.add_runtime_dependency(%q<activemodel>, [">= 0"])
71
- s.add_runtime_dependency(%q<rspec>, [">= 0"])
72
- s.add_runtime_dependency(%q<jeweler>, ["~> 1.5.2"])
73
- s.add_runtime_dependency(%q<rcov>, [">= 0"])
74
- s.add_runtime_dependency(%q<activemodel>, ["= 3.0.6"])
70
+ s.add_runtime_dependency(%q<activemodel>, ["~> 3.0.6"])
71
+ s.add_development_dependency(%q<rspec>, [">= 0"])
72
+ s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
73
+ s.add_development_dependency(%q<rcov>, [">= 0"])
75
74
  else
76
- s.add_dependency(%q<activemodel>, [">= 0"])
75
+ s.add_dependency(%q<activemodel>, ["~> 3.0.6"])
77
76
  s.add_dependency(%q<rspec>, [">= 0"])
78
77
  s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
79
78
  s.add_dependency(%q<rcov>, [">= 0"])
80
- s.add_dependency(%q<activemodel>, ["= 3.0.6"])
81
79
  end
82
80
  else
83
- s.add_dependency(%q<activemodel>, [">= 0"])
81
+ s.add_dependency(%q<activemodel>, ["~> 3.0.6"])
84
82
  s.add_dependency(%q<rspec>, [">= 0"])
85
83
  s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
86
84
  s.add_dependency(%q<rcov>, [">= 0"])
87
- s.add_dependency(%q<activemodel>, ["= 3.0.6"])
88
85
  end
89
86
  end
90
87
 
@@ -40,7 +40,7 @@ module CertificateAuthority
40
40
  end
41
41
 
42
42
  def sign!(signing_profile={})
43
- raise "Invalid certificate" unless valid?
43
+ raise "Invalid certificate #{self.errors.full_messages}" unless valid?
44
44
  merge_profile_with_extensions(signing_profile)
45
45
 
46
46
  openssl_cert = OpenSSL::X509::Certificate.new
metadata CHANGED
@@ -2,7 +2,7 @@
2
2
  name: certificate_authority
3
3
  version: !ruby/object:Gem::Version
4
4
  prerelease:
5
- version: 0.1.1
5
+ version: 0.1.2
6
6
  platform: ruby
7
7
  authors:
8
8
  - Chris Chandler
@@ -10,16 +10,16 @@ autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
12
 
13
- date: 2011-04-20 00:00:00 Z
13
+ date: 2011-04-21 00:00:00 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: activemodel
17
17
  requirement: &id001 !ruby/object:Gem::Requirement
18
18
  none: false
19
19
  requirements:
20
- - - ">="
20
+ - - ~>
21
21
  - !ruby/object:Gem::Version
22
- version: "0"
22
+ version: 3.0.6
23
23
  type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: *id001
@@ -31,7 +31,7 @@ dependencies:
31
31
  - - ">="
32
32
  - !ruby/object:Gem::Version
33
33
  version: "0"
34
- type: :runtime
34
+ type: :development
35
35
  prerelease: false
36
36
  version_requirements: *id002
37
37
  - !ruby/object:Gem::Dependency
@@ -42,7 +42,7 @@ dependencies:
42
42
  - - ~>
43
43
  - !ruby/object:Gem::Version
44
44
  version: 1.5.2
45
- type: :runtime
45
+ type: :development
46
46
  prerelease: false
47
47
  version_requirements: *id003
48
48
  - !ruby/object:Gem::Dependency
@@ -53,20 +53,9 @@ dependencies:
53
53
  - - ">="
54
54
  - !ruby/object:Gem::Version
55
55
  version: "0"
56
- type: :runtime
56
+ type: :development
57
57
  prerelease: false
58
58
  version_requirements: *id004
59
- - !ruby/object:Gem::Dependency
60
- name: activemodel
61
- requirement: &id005 !ruby/object:Gem::Requirement
62
- none: false
63
- requirements:
64
- - - "="
65
- - !ruby/object:Gem::Version
66
- version: 3.0.6
67
- type: :runtime
68
- prerelease: false
69
- version_requirements: *id005
70
59
  description:
71
60
  email: chris@flatterline.com
72
61
  executables: []
@@ -117,7 +106,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
117
106
  requirements:
118
107
  - - ">="
119
108
  - !ruby/object:Gem::Version
120
- hash: -1515713382704752763
109
+ hash: -4291817206657186993
121
110
  segments:
122
111
  - 0
123
112
  version: "0"