certificate_authority_sonian 0.1.7

data/lib/certificate_authority/certificate.rb

@@ -0,0 +1,215 @@
+module CertificateAuthority
+  class Certificate
+    # include SigningEntity
+    include ActiveModel::Validations
+
+    attr_accessor :distinguished_name
+    attr_accessor :serial_number
+    attr_accessor :key_material
+    attr_accessor :not_before
+    attr_accessor :not_after
+    attr_accessor :revoked_at
+    attr_accessor :extensions
+    attr_accessor :openssl_body
+
+    alias :subject :distinguished_name #Same thing as the DN
+
+    attr_accessor :parent
+
+    validate do |certificate|
+      errors.add :base, "Distinguished name must be valid" unless distinguished_name.valid?
+      errors.add :base, "Key material must be valid" unless key_material.valid?
+      errors.add :base, "Serial number must be valid" unless serial_number.valid?
+      errors.add :base, "Extensions must be valid" unless extensions.each do |item|
+        unless item.respond_to?(:valid?)
+          true
+        else
+          item.valid?
+        end
+      end
+    end
+
+    def initialize
+      self.distinguished_name = DistinguishedName.new
+      self.serial_number = SerialNumber.new
+      self.key_material = MemoryKeyMaterial.new
+      self.not_before = Time.now
+      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.parent = self
+      self.extensions = load_extensions()
+
+      self.signing_entity = false
+
+    end
+
+    def sign!(signing_profile={})
+      raise "Invalid certificate #{self.errors.full_messages}" unless valid?
+      merge_profile_with_extensions(signing_profile)
+
+      openssl_cert = OpenSSL::X509::Certificate.new
+      openssl_cert.version    = 2
+      openssl_cert.not_before = self.not_before
+      openssl_cert.not_after = self.not_after
+      openssl_cert.public_key = self.key_material.public_key
+
+      openssl_cert.serial = self.serial_number.number
+
+      openssl_cert.subject = self.distinguished_name.to_x509_name
+      openssl_cert.issuer = parent.distinguished_name.to_x509_name
+
+      require 'tempfile'
+      t = Tempfile.new("bullshit_conf")
+      # t = File.new("/tmp/openssl.cnf")
+      ## The config requires a file even though we won't use it
+      openssl_config = OpenSSL::Config.new(t.path)
+
+      factory = OpenSSL::X509::ExtensionFactory.new
+      factory.subject_certificate = openssl_cert
+
+      #NB: If the parent doesn't have an SSL body we're making this a self-signed cert
+      if parent.openssl_body.nil?
+        factory.issuer_certificate = openssl_cert
+      else
+        factory.issuer_certificate = parent.openssl_body
+      end
+
+      self.extensions.keys.each do |k|
+        config_extensions = extensions[k].config_extensions
+        openssl_config = merge_options(openssl_config,config_extensions)
+      end
+
+      # p openssl_config.sections
+
+      factory.config = openssl_config
+
+      # Order matters: e.g. for self-signed, subjectKeyIdentifier must come before authorityKeyIdentifier
+      self.extensions.keys.sort{|a,b| b<=>a}.each do |k|
+        e = extensions[k]
+        next if e.to_s.nil? or e.to_s == "" ## If the extension returns an empty string we won't include it
+        ext = factory.create_ext(e.openssl_identifier, e.to_s)
+        openssl_cert.add_extension(ext)
+      end
+
+      if signing_profile["digest"].nil?
+        digest = OpenSSL::Digest::Digest.new("SHA512")
+      else
+        digest = OpenSSL::Digest::Digest.new(signing_profile["digest"])
+      end
+      self.openssl_body = openssl_cert.sign(parent.key_material.private_key,digest)
+      t.close! if t.is_a?(Tempfile)# We can get rid of the ridiculous temp file
+      self.openssl_body
+    end
+
+    def is_signing_entity?
+      self.extensions["basicConstraints"].ca
+    end
+
+    def signing_entity=(signing)
+      self.extensions["basicConstraints"].ca = signing
+    end
+
+    def revoked?
+      !self.revoked_at.nil?
+    end
+
+    def to_pem
+      raise "Certificate has no signed body" if self.openssl_body.nil?
+      self.openssl_body.to_pem
+    end
+
+    def is_root_entity?
+      self.parent == self && is_signing_entity?
+    end
+
+    def is_intermediate_entity?
+      (self.parent != self) && is_signing_entity?
+    end
+
+    private
+
+    def merge_profile_with_extensions(signing_profile={})
+      return self.extensions if signing_profile["extensions"].nil?
+      signing_config = signing_profile["extensions"]
+      signing_config.keys.each do |k|
+        extension = self.extensions[k]
+        items = signing_config[k]
+        items.keys.each do |profile_item_key|
+          if extension.respond_to?("#{profile_item_key}=".to_sym)
+            extension.send("#{profile_item_key}=".to_sym, items[profile_item_key] )
+          else
+            p "Tried applying '#{profile_item_key}' to #{extension.class} but it doesn't respond!"
+          end
+        end
+      end
+    end
+
+    def load_extensions
+      extension_hash = {}
+
+      temp_extensions = []
+      basic_constraints = CertificateAuthority::Extensions::BasicContraints.new
+      temp_extensions << basic_constraints
+      crl_distribution_points = CertificateAuthority::Extensions::CrlDistributionPoints.new
+      temp_extensions << crl_distribution_points
+      subject_key_identifier = CertificateAuthority::Extensions::SubjectKeyIdentifier.new
+      temp_extensions << subject_key_identifier
+      authority_key_identifier = CertificateAuthority::Extensions::AuthorityKeyIdentifier.new
+      temp_extensions << authority_key_identifier
+      authority_info_access = CertificateAuthority::Extensions::AuthorityInfoAccess.new
+      temp_extensions << authority_info_access
+      key_usage = CertificateAuthority::Extensions::KeyUsage.new
+      temp_extensions << key_usage
+      extended_key_usage = CertificateAuthority::Extensions::ExtendedKeyUsage.new
+      temp_extensions << extended_key_usage
+      subject_alternative_name = CertificateAuthority::Extensions::SubjectAlternativeName.new
+      temp_extensions << subject_alternative_name
+      certificate_policies = CertificateAuthority::Extensions::CertificatePolicies.new
+      temp_extensions << certificate_policies
+
+      temp_extensions.each do |extension|
+        extension_hash[extension.openssl_identifier] = extension
+      end
+
+      extension_hash
+    end
+
+    def merge_options(config,hash)
+      hash.keys.each do |k|
+        config[k] = hash[k]
+      end
+      config
+    end
+
+    def self.from_pkcs12_file pkcs12_file, passphrase = nil
+      raise "#{pksc12_file} does not exist" unless File.exists?(pkcs12_file)
+      from_pkcs12 OpenSSL::PKCS12.new(File.read(pkcs12_file), passphrase)
+    end
+
+    def self.from_pkcs12 openssl_pkcs12
+      unless openssl_pkcs12.is_a? OpenSSL::PKCS12
+        raise "Can only construct from an OpenSSL::PKCS12"
+      end
+      certificate = from_openssl openssl_pkcs12.certificate
+      certificate.key_material.private_key = openssl_pkcs12.key
+      certificate
+    end
+
+    def self.from_openssl openssl_cert
+      unless openssl_cert.is_a? OpenSSL::X509::Certificate
+        raise "Can only construct from an OpenSSL::X509::Certificate"
+      end
+
+      certificate = Certificate.new
+      # Only subject, key_material, and body are used for signing
+      certificate.distinguished_name = DistinguishedName.from_openssl openssl_cert.subject
+      certificate.key_material.public_key = openssl_cert.public_key
+      certificate.openssl_body = openssl_cert
+      certificate.serial_number.number = openssl_cert.serial.to_i
+      certificate.not_before = openssl_cert.not_before
+      certificate.not_after = openssl_cert.not_after
+      # TODO extensions
+      certificate
+    end
+
+  end
+end

data/lib/certificate_authority/certificate_revocation_list.rb

@@ -0,0 +1,59 @@
+module CertificateAuthority
+  class CertificateRevocationList
+    include ActiveModel::Validations
+
+    attr_accessor :certificates
+    attr_accessor :parent
+    attr_accessor :crl_body
+    attr_accessor :next_update
+
+    validate do |crl|
+      errors.add :next_update, "Next update must be a positive value" if crl.next_update < 0
+      errors.add :parent, "A parent entity must be set" if crl.parent.nil?
+    end
+
+    def initialize
+      self.certificates = []
+      self.next_update = 60 * 60 * 4 # 4 hour default
+    end
+
+    def <<(cert)
+      raise "Only revoked certificates can be added to a CRL" unless cert.revoked?
+      self.certificates << cert
+    end
+
+    def sign!
+      raise "No parent entity has been set!" if self.parent.nil?
+      raise "Invalid CRL" unless self.valid?
+
+      revocations = self.certificates.collect do |certificate|
+        revocation = OpenSSL::X509::Revoked.new
+        x509_cert = OpenSSL::X509::Certificate.new(certificate.to_pem)
+        revocation.serial = x509_cert.serial
+        revocation.time = certificate.revoked_at
+        revocation
+      end
+
+      crl = OpenSSL::X509::CRL.new
+      revocations.each do |revocation|
+        crl.add_revoked(revocation)
+      end
+
+      crl.version = 1
+      crl.last_update = Time.now
+      crl.next_update = Time.now + self.next_update
+
+      signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
+      digest = OpenSSL::Digest::Digest.new("SHA512")
+      crl.issuer = signing_cert.subject
+      self.crl_body = crl.sign(self.parent.key_material.private_key, digest)
+
+      self.crl_body
+    end
+
+    def to_pem
+      raise "No signed CRL body" if self.crl_body.nil?
+      self.crl_body.to_pem
+    end
+  end#CertificateRevocationList
+end

data/lib/certificate_authority/distinguished_name.rb

@@ -0,0 +1,58 @@
+module CertificateAuthority
+  class DistinguishedName
+    include ActiveModel::Validations
+
+    validates_presence_of :common_name
+
+    attr_accessor :common_name
+    alias :cn :common_name
+
+    attr_accessor :locality
+    alias :l :locality
+
+    attr_accessor :state
+    alias :s :state
+
+    attr_accessor :country
+    alias :c :country
+
+    attr_accessor :organization
+    alias :o :organization
+
+    attr_accessor :organizational_unit
+    alias :ou :organizational_unit
+
+    def to_x509_name
+      raise "Invalid Distinguished Name" unless valid?
+
+      # NB: the capitalization in the strings counts
+      name = OpenSSL::X509::Name.new
+      name.add_entry("CN", common_name)
+      name.add_entry("O", organization) unless organization.blank?
+      name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
+      name.add_entry("ST", state) unless state.blank?
+      name.add_entry("L", locality) unless locality.blank?
+      name.add_entry("C", country) unless country.blank?
+      name
+    end
+
+    def self.from_openssl openssl_name
+      unless openssl_name.is_a? OpenSSL::X509::Name
+        raise "Argument must be a OpenSSL::X509::Name"
+      end
+
+      name = DistinguishedName.new
+      openssl_name.to_a.each do |k,v|
+        case k
+        when "CN" then name.common_name = v
+        when "L" then name.locality = v
+        when "ST" then name.state = v
+        when "C" then name.country = v
+        when "O" then name.organization = v
+        when "OU" then name.organizational_unit = v
+        end
+      end
+      name
+    end
+  end
+end

data/lib/certificate_authority/extensions.rb

@@ -0,0 +1,266 @@
+module CertificateAuthority
+  module Extensions
+    module ExtensionAPI
+      def to_s
+        raise "Implementation required"
+      end
+
+      def config_extensions
+        {}
+      end
+
+      def openssl_identifier
+        raise "Implementation required"
+      end
+    end
+
+    class BasicContraints
+      include ExtensionAPI
+      include ActiveModel::Validations
+      attr_accessor :ca
+      attr_accessor :path_len
+      validates :ca, :inclusion => [true,false]
+
+      def initialize
+        self.ca = false
+      end
+
+      def is_ca?
+        self.ca
+      end
+
+      def path_len=(value)
+        raise "path_len must be a non-negative integer" if value < 0 or !value.is_a?(Fixnum)
+        @path_len = value
+      end
+
+      def openssl_identifier
+        "basicConstraints"
+      end
+
+      def to_s
+        result = ""
+        result += "CA:#{self.ca}"
+        result += ",pathlen:#{self.path_len}" unless self.path_len.nil?
+        result
+      end
+    end
+
+    class CrlDistributionPoints
+      include ExtensionAPI
+
+      attr_accessor :uri
+
+      def initialize
+        # self.uri = "http://moo.crlendPoint.example.com/something.crl"
+      end
+
+      def openssl_identifier
+        "crlDistributionPoints"
+      end
+
+      ## NB: At this time it seems OpenSSL's extension handlers don't support
+      ## any of the config options the docs claim to support... everything comes back
+      ## "missing value" on GENERAL NAME. Even if copied verbatim
+      def config_extensions
+        {
+          # "custom_crl_fields" => {"fullname" => "URI:#{fullname}"},
+          # "issuer_sect" => {"CN" => "crlissuer.com", "C" => "US", "O" => "shudder"}
+        }
+      end
+
+      def to_s
+        return "" if self.uri.nil?
+        "URI:#{self.uri}"
+      end
+    end
+
+    class SubjectKeyIdentifier
+      include ExtensionAPI
+      def openssl_identifier
+        "subjectKeyIdentifier"
+      end
+
+      def to_s
+        "hash"
+      end
+    end
+
+    class AuthorityKeyIdentifier
+      include ExtensionAPI
+
+      def openssl_identifier
+        "authorityKeyIdentifier"
+      end
+
+      def to_s
+        "keyid,issuer"
+      end
+    end
+
+    class AuthorityInfoAccess
+      include ExtensionAPI
+
+      attr_accessor :ocsp
+
+      def initialize
+        self.ocsp = []
+      end
+
+      def openssl_identifier
+        "authorityInfoAccess"
+      end
+
+      def to_s
+        return "" if self.ocsp.empty?
+        "OCSP;URI:#{self.ocsp}"
+      end
+    end
+
+    class KeyUsage
+      include ExtensionAPI
+
+      attr_accessor :usage
+
+      def initialize
+        self.usage = ["digitalSignature", "nonRepudiation"]
+      end
+
+      def openssl_identifier
+        "keyUsage"
+      end
+
+      def to_s
+        "#{self.usage.join(',')}"
+      end
+    end
+
+    class ExtendedKeyUsage
+      include ExtensionAPI
+
+      attr_accessor :usage
+
+      def initialize
+        self.usage = ["serverAuth","clientAuth"]
+      end
+
+      def openssl_identifier
+        "extendedKeyUsage"
+      end
+
+      def to_s
+        "#{self.usage.join(',')}"
+      end
+    end
+
+    class SubjectAlternativeName
+      include ExtensionAPI
+
+      attr_accessor :uris, :dns_names, :ips
+
+      def initialize
+        self.uris = []
+        self.dns_names = []
+        self.ips = []
+      end
+
+      def uris=(value)
+        raise "URIs must be an array" unless value.is_a?(Array)
+        @uris = value
+      end
+
+      def dns_names=(value)
+        raise "DNS names must be an array" unless value.is_a?(Array)
+        @dns_names = value
+      end
+
+      def ips=(value)
+        raise "IPs must be an array" unless value.is_a?(Array)
+        @ips = value
+      end
+
+      def openssl_identifier
+        "subjectAltName"
+      end
+
+      def to_s
+        res =  self.uris.map {|u| "URI:#{u}" }
+        res += self.dns_names.map {|d| "DNS:#{d}" }
+        res += self.ips.map {|i| "IP:#{i}" }
+
+        return res.join(',')
+      end
+    end
+
+    class CertificatePolicies
+      include ExtensionAPI
+
+      attr_accessor :policy_identifier
+      attr_accessor :cps_uris
+      ##User notice
+      attr_accessor :explicit_text
+      attr_accessor :organization
+      attr_accessor :notice_numbers
+
+      def initialize
+        @contains_data = false
+      end
+
+
+      def openssl_identifier
+        "certificatePolicies"
+      end
+
+      def user_notice=(value={})
+        value.keys.each do |key|
+          self.send("#{key}=".to_sym, value[key])
+        end
+      end
+
+      def config_extensions
+        config_extension = {}
+        custom_policies = {}
+        notice = {}
+        unless self.policy_identifier.nil?
+          custom_policies["policyIdentifier"] = self.policy_identifier
+        end
+
+        if !self.cps_uris.nil? and self.cps_uris.is_a?(Array)
+          self.cps_uris.each_with_index do |cps_uri,i|
+            custom_policies["CPS.#{i}"] = cps_uri
+          end
+        end
+
+        unless self.explicit_text.nil?
+          notice["explicitText"] = self.explicit_text
+        end
+
+        unless self.organization.nil?
+          notice["organization"] = self.organization
+        end
+
+        unless self.notice_numbers.nil?
+          notice["noticeNumbers"] = self.notice_numbers
+        end
+
+        if notice.keys.size > 0
+          custom_policies["userNotice.1"] = "@notice"
+          config_extension["notice"] = notice
+        end
+
+        if custom_policies.keys.size > 0
+          config_extension["custom_policies"] = custom_policies
+          @contains_data = true
+        end
+
+        config_extension
+      end
+
+      def to_s
+        return "" unless @contains_data
+        "ia5org,@custom_policies"
+      end
+    end
+
+  end
+end