certificate_authority 0.1.6 → 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e413d44d788e07a95a90b5849298f41796dbd57dce8fe08a0713191ae812798c
+  data.tar.gz: '059b6bee928fdcc1cebd04c6dff6890f7179d66094d6af17c549db7ef1811e56'
+SHA512:
+  metadata.gz: 718978b7b52352cee16da1e555a0b0e71d0c68543bc627ef94869b45ff43dd259ce49a19b194105f96700848535a5397e039e86fd8733de899e5b61865eac2a8
+  data.tar.gz: b5998a5cfe29679198f4d57995e3f3e03f0694cc238e5fbc6f75a3a65b2ab80bfe3f86caac09616cb27f64832c0b83cddd87f3aaaa8e642e817429e3ecad0b7d

data/.gitignore

@@ -0,0 +1,6 @@
+pkg
+development
+.bundle
+.rvmrc
+coverage
+doc

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/.travis.yml

@@ -0,0 +1,11 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.5
+  - 2.6
+  - 2.7
+before_install: gem install bundler
+script:
+  - bundle exec rake

data/Gemfile

@@ -1,9 +1,3 @@
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
-gem 'activemodel', ">= 3.0.6"
-
-group :development do
-	gem 'rspec'
-  gem "jeweler", ">= 1.5.2"
-  #gem "rcov", ">= 0"
-end
+gemspec

data/Gemfile.lock

@@ -1,39 +1,79 @@
+PATH
+  remote: .
+  specs:
+    certificate_authority (1.0.0)
+
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    activemodel (3.2.8)
-      activesupport (= 3.2.8)
-      builder (~> 3.0.0)
-    activesupport (3.2.8)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    builder (3.0.0)
-    diff-lcs (1.1.3)
-    git (1.2.5)
-    i18n (0.6.0)
-    jeweler (1.8.4)
-      bundler (~> 1.0)
-      git (>= 1.2.5)
-      rake
-      rdoc
-    json (1.7.4)
-    multi_json (1.3.6)
-    rake (0.9.2.2)
-    rdoc (3.12)
-      json (~> 1.4)
-    rspec (2.11.0)
-      rspec-core (~> 2.11.0)
-      rspec-expectations (~> 2.11.0)
-      rspec-mocks (~> 2.11.0)
-    rspec-core (2.11.1)
-    rspec-expectations (2.11.2)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.11.2)
+    ast (2.4.0)
+    coderay (1.1.2)
+    coveralls (0.8.23)
+      json (>= 1.8, < 3)
+      simplecov (~> 0.16.1)
+      term-ansicolor (~> 1.3)
+      thor (>= 0.19.4, < 2.0)
+      tins (~> 1.6)
+    diff-lcs (1.3)
+    docile (1.3.2)
+    json (2.3.0)
+    method_source (1.0.0)
+    parallel (1.19.1)
+    parser (2.7.1.3)
+      ast (~> 2.4.0)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    rubocop (0.84.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      rubocop-ast (>= 0.0.3)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.0.3)
+      parser (>= 2.7.0.1)
+    ruby-progressbar (1.10.1)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    sync (0.5.0)
+    term-ansicolor (1.7.1)
+      tins (~> 1.0)
+    thor (1.0.1)
+    tins (1.25.0)
+      sync
+    unicode-display_width (1.7.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  activemodel (>= 3.0.6)
-  jeweler (>= 1.5.2)
+  certificate_authority!
+  coveralls
+  pry
+  rake
   rspec
+  rubocop
+
+BUNDLED WITH
+   2.1.4

data/README.rdoc

@@ -1,5 +1,9 @@
 = CertificateAuthority - Because it shouldn't be this damned complicated
 
+{<img src="https://travis-ci.org/cchandler/certificate_authority.png?branch=master" alt="Build Status" />}[https://travis-ci.org/cchandler/certificate_authority]
+{<img src="https://codeclimate.com/github/cchandler/certificate_authority.png" alt="Code Climate" />}[https://codeclimate.com/github/cchandler/certificate_authority]
+{<img src="https://coveralls.io/repos/cchandler/certificate_authority/badge.png?branch=master" alt="Code Coverage" />}[https://coveralls.io/r/cchandler/certificate_authority]
+
 This is meant to provide a (more) programmer-friendly implementation of all the basic functionality contained in RFC-3280 to implement your own certificate authority.
 
 You can generate root certificates, intermediate certificates, and terminal certificates.  You can also generate/manage Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) messages.
@@ -60,7 +64,7 @@ Maybe you don't want to actually sign certificates with your super-secret root c
   signing_profile = {"extensions" => {"keyUsage" => {"usage" => ["critical", "keyCertSign"] }} }
   intermediate.sign!(signing_profile)
 
-All we have to do is create another certificate like we did with the root. In this example we gave it the next available serial number which for us, was 2.  We then generate (and save!) key material for this new entity.  Even the +signing_entity+ is set to true so this certificate can sign other certificates.  The difference here is that the +parent+ field is set to the root. Going forward, whatever entity you want to sign a certificate, you set that entity to be the parent. In this case, our root will be responsible for signing this intermediate when we call +sign!+.
+All we have to do is create another certificate like we did with the root. In this example we gave it the next available serial number, which for us, was 2.  We then generate (and save!) key material for this new entity.  Even the +signing_entity+ is set to true so this certificate can sign other certificates.  The difference here is that the +parent+ field is set to the root. Going forward, whatever entity you want to sign a certificate, you set that entity to be the parent. In this case, our root will be responsible for signing this intermediate when we call +sign!+.
 
 = Creating new certificates (in general)
 
@@ -193,6 +197,78 @@ These CPSs define what vetting criteria and maintenance practices are required t
 
 [user_notice] This is a nested field containing explicit human readable text if you want to embed a notice in the certificate body related to certification practices. It contains nested attributes of +explicit_text+ for the notice, +organization+ and +notice_numbers+. Refer to the RFC for specific implications of how these are set, but whether or not browsers implement the correct specified behavior for their presence is another issue.
 
+= Certificate Signing Requests (CSRs)
+
+If you want certificate requestors to be able to request certificates without moving the private key you'll need to generate a CSR and submit it to the certificate authority.
+
+Here's an example of using +certificate_authority+ to generate a CSR.
+
+  csr = CertificateAuthority::SigningRequest.new
+  dn = CertificateAuthority::DistinguishedName.new
+  dn.common_name = "localhost"
+  csr.distinguished_name = dn
+  k = CertificateAuthority::MemoryKeyMaterial.new
+  k.generate_key(2048)
+  csr.key_material = k
+  csr.digest = "SHA256"
+  csr.to_x509_csr.to_pem
+
+Similarly, reading a CSR in is as simple as providing the PEM formatted version to +SigningRequest.from_x509_csr+.
+
+  csr = CertificateAuthority::SigningRequest.from_x509_csr(@pem_csr)
+
+Once you have the CSR in the form of a +SigningRequest+ you can transform it to a +Certificate+ with +to_cert+. At this point it works just like any other certificate. You'll have to provide a serial number to actually sign it.
+
+= Certificate Revocation Lists (CRLs)
+
+Revocation lists let clients know when a certificate in the wild should no longer be trusted.
+
+Like end-user certificates, CRLs have to be signed by a signing authority to be valid. Additionally, you will need to furnish a +nextUpdate+ value that indicates to the client when it should look for updates to the CRL and how long it should consider a cached value valid.
+
+Ideally you would place the result CRL somewhere generally accessible on the Internet and reference the URI in the +crlDistributionPoints+ extension on issued certificates.
+
+  crl = CertificateAuthority::CertificateRevocationList.new
+  crl << certificate # Some CertificateAuthority::Certificate
+  crl << serial_number # Also works with plain CertificateAuthority::SerialNumber
+  crl.parent = root_certificate # A valid root
+  crl.next_update = (60 * 60 * 10) # 10 Hours
+  crl.sign!
+  crl.to_pem
+
+= OCSP Support
+
+OCSP is the Online Certificate Status Protocol. It provides a mechanism to query an authority to see if a certificate is still valid without downloading an entire CRL. To use this mechanism you provide a URI in the Authority Information Access extension.
+If a client wishes to check the validity of a certificate they can query this endpoint.
+This request will only contain serial numbers, so you'll need to uniquely identify your authority in the AIA path.
+
+If a client sends you a DER encoded OCSP request you can read it out via +OCSPRequestReader+
+
+  ocsp_request_reader = CertificateAuthority::OCSPRequestReader.from_der(@ocsp_request.to_der)
+  ocsp_request_reader.serial_numbers
+
+Then, you can construct a response like this
+
+  response_builder = CertificateAuthority::OCSPResponseBuilder.from_request_reader(ocsp_request_reader)
+  response_builder.parent = root
+  response = response_builder.build_response # Returns OpenSSL::OCSP::Response
+  response.to_der
+
+The response builder will copy a (possible) nonce from the request. By default, the +OCSPResponseBuilder+ will say that every certificate is GOOD.
+You should definitely override this if you plan on revoking certificates.
+If you want to override this you'll need to supply a proc/lambda that takes a serial number and returns an array of status and reason.
+
+  response_builder = CertificateAuthority::OCSPResponseBuilder.from_request_reader(ocsp_request_reader)
+  response_builder.verification_mechanism = lambda {|certid|
+    [CertificateAuthority::OCSPResponseBuilder::REVOKED,CertificateAuthority::OCSPResponseBuilder::UNSPECIFIED]
+  }
+  response_builder.parent = root
+  response = response_builder.build_response # Response will say everything is revoked for unspecified reasons
+
+Lastly, you can configure a nextUpdate time in the response. This is the length of time for which a client may consider this response valid.
+The default is 15 minutes.
+
+  response_builder.next_update = 30 * 60 # 30 minutes
+
 = PKCS#11 Support
 
 If you happen to have a PKCS#11 compliant hardware token you can use +certificate_authority+ to maintain private key materials in hardware security modules. At this point the scope of operating that hardware is out of scope of this README but it's there and it is supported.
@@ -223,15 +299,28 @@ Your current version of OpenSSL _must_ include dynamic engine support and you wi
 
 Also of note, I have gotten these to work with 32-bit copies of Ubuntu 10.10 and pre-Snow Leopard versions of OS X. If you are running Snow Leopard you're out of luck since none of the companies I've contacted make a 64 bit driver.
 
-= Coming Soon
+= Hopefully in the future
 
 * More PKCS#11 hardware (I need driver support from the manufacturers)
+
+= Todone
+
 * Support for working with CSRs to request & issue certificates
+* OCSP support
 
 = Misc notes
 
 * Firefox will complain about root/intermediate certificates unless both digitalSignature and keyEncipherment are specified as keyUsage attributes. Thanks diogomonica
 
+= Special thanks and Contributions
+
+* Diogo Monica @diogo
+* Justin Cummins @sul3n3t
+* @databus23
+* Colin Jones @trptcolin
+* Eric Monti @emonti
+* TJ Vanderpoel @bougyman
+
 == Meta
 
 Written by Chris Chandler(http://chrischandler.name)

data/Rakefile

@@ -1,35 +1,9 @@
-require 'rubygems'
-require 'bundler'
-require 'rspec'
-require 'rspec/core/rake_task'
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
 
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-
-require 'rake'
-
-desc 'Default: run specs.'
-task :default => :spec
-
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "certificate_authority"
-  gem.homepage = "http://github.com/cchandler/certificate_authority"
-  gem.license = "MIT"
-  gem.summary = 'Ruby gem for managing the core functions outlined in RFC-3280 for PKI'
-  # gem.description = ''
-  gem.email = "chris@flatterline.com"
-  gem.authors = ["Chris Chandler"]
-  
-  # gem.add_dependency('activemodel', '3.0.6')
-end
-Jeweler::RubygemsDotOrgTasks.new
+desc "Default: run specs."
+task default: %i[spec]
 
 task :spec do
   Rake::Task["spec:units"].invoke
@@ -38,15 +12,6 @@ end
 namespace :spec do
   desc "Run unit specs."
   RSpec::Core::RakeTask.new(:units) do |t|
-    t.rspec_opts = ['--colour --format progress --tag ~pkcs11']
+    t.rspec_opts = ["--colour --format progress --tag ~pkcs11"]
   end
-
-  desc "Run integration specs."
-  RSpec::Core::RakeTask.new(:integrations) do |t|
-    t.rspec_opts   = ['--colour --format progress']
-  end
-end
-
-RSpec::Core::RakeTask.new(:doc) do |t|
-  t.rspec_opts   = ['--format specdoc ']
 end

data/certificate_authority.gemspec

@@ -1,72 +1,28 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
+require File.expand_path("lib/certificate_authority/version", __dir__)
 
-Gem::Specification.new do |s|
-  s.name = "certificate_authority"
-  s.version = "0.1.6"
+Gem::Specification.new do |spec|
+  spec.name = "certificate_authority"
+  spec.version = CertificateAuthority::VERSION
+  spec.authors = ["Chris Chandler"]
+  spec.email = ["squanderingtime@gmail.com"]
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Chris Chandler"]
-  s.date = "2012-08-12"
-  s.email = "chris@flatterline.com"
-  s.extra_rdoc_files = [
-    "README.rdoc"
-  ]
-  s.files = [
-    "Gemfile",
-    "Gemfile.lock",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION.yml",
-    "certificate_authority.gemspec",
-    "lib/certificate_authority.rb",
-    "lib/certificate_authority/certificate.rb",
-    "lib/certificate_authority/certificate_revocation_list.rb",
-    "lib/certificate_authority/distinguished_name.rb",
-    "lib/certificate_authority/extensions.rb",
-    "lib/certificate_authority/key_material.rb",
-    "lib/certificate_authority/ocsp_handler.rb",
-    "lib/certificate_authority/pkcs11_key_material.rb",
-    "lib/certificate_authority/serial_number.rb",
-    "lib/certificate_authority/signing_entity.rb",
-    "lib/tasks/certificate_authority.rake",
-    "spec/spec_helper.rb",
-    "spec/units/certificate_authority_spec.rb",
-    "spec/units/certificate_revocation_list_spec.rb",
-    "spec/units/certificate_spec.rb",
-    "spec/units/distinguished_name_spec.rb",
-    "spec/units/extensions_spec.rb",
-    "spec/units/key_material_spec.rb",
-    "spec/units/ocsp_handler_spec.rb",
-    "spec/units/pkcs11_key_material_spec.rb",
-    "spec/units/serial_number_spec.rb",
-    "spec/units/signing_entity_spec.rb",
-    "spec/units/units_helper.rb"
-  ]
-  s.homepage = "http://github.com/cchandler/certificate_authority"
-  s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.15"
-  s.summary = "Ruby gem for managing the core functions outlined in RFC-3280 for PKI"
+  spec.summary  = "Ruby gem for managing the core functions outlined in RFC-3280 for PKI"
+  spec.homepage = "https://github.com/cchandler/certificate_authority"
+  spec.license  = "MIT"
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
+  spec.metadata["homepage_uri"] = "https://github.com/cchandler/certificate_authority"
+  spec.metadata["source_code_uri"] = "https://github.com/cchandler/certificate_authority"
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<activemodel>, [">= 3.0.6"])
-      s.add_development_dependency(%q<rspec>, [">= 0"])
-      s.add_development_dependency(%q<jeweler>, [">= 1.5.2"])
-    else
-      s.add_dependency(%q<activemodel>, [">= 3.0.6"])
-      s.add_dependency(%q<rspec>, [">= 0"])
-      s.add_dependency(%q<jeweler>, [">= 1.5.2"])
-    end
-  else
-    s.add_dependency(%q<activemodel>, [">= 3.0.6"])
-    s.add_dependency(%q<rspec>, [">= 0"])
-    s.add_dependency(%q<jeweler>, [">= 1.5.2"])
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec/)}) }
   end
-end
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 2.4"
 
+  spec.add_development_dependency "coveralls"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rubocop"
+end

data/lib/certificate_authority.rb

@@ -1,11 +1,11 @@
-$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
-
-#Exterior requirements
+# Exterior requirements
 require 'openssl'
-require 'active_model'
 
-#Internal modules
+# Internal modules
+require 'certificate_authority/core_extensions'
 require 'certificate_authority/signing_entity'
+require 'certificate_authority/revocable'
+require 'certificate_authority/validations'
 require 'certificate_authority/distinguished_name'
 require 'certificate_authority/serial_number'
 require 'certificate_authority/key_material'
@@ -14,6 +14,7 @@ require 'certificate_authority/extensions'
 require 'certificate_authority/certificate'
 require 'certificate_authority/certificate_revocation_list'
 require 'certificate_authority/ocsp_handler'
+require 'certificate_authority/signing_request'
 
 module CertificateAuthority
 end