certmeister 0.0.1

data/lib/certmeister/in_memory_store.rb

@@ -0,0 +1,43 @@
+require 'certmeister/store_error'
+
+module Certmeister
+
+  class InMemoryStore
+
+    def initialize(certs = {})
+      @certs = certs
+      @healthy = true
+    end
+
+    def store(cn, cert)
+      fail_if_unhealthy
+      @certs[cn] = cert
+    end
+
+    def fetch(cn)
+      fail_if_unhealthy
+      @certs[cn]
+    end
+
+    def remove(cn)
+      fail_if_unhealthy
+      !!@certs.delete(cn)
+    end
+
+    def health_check
+      @healthy
+    end
+
+    private
+
+    def break!
+      @healthy = false
+    end
+
+    def fail_if_unhealthy
+      raise Certmeister::StoreError.new("in-memory store is broken") if !@healthy
+    end
+
+  end
+
+end

data/lib/certmeister/policy.rb

@@ -0,0 +1,21 @@
+module Certmeister
+
+  module Policy
+
+    def self.validate_authenticate_signature(policy)
+      policy and policy.respond_to?(:authenticate) and policy.method(:authenticate).arity == 1
+    end
+
+    def self.validate_authenticate_returns_response(policy)
+      response = policy.authenticate({})
+      response.respond_to?(:authenticated?) and response.respond_to?(:error)
+    end
+
+  end
+
+end
+
+Dir.glob(File.join(File.dirname(__FILE__), "policy", "*.rb")) do |path|
+  require path
+end
+

data/lib/certmeister/policy/blackhole.rb

@@ -0,0 +1,15 @@
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Blackhole
+      def authenticate(request)
+        Certmeister::Policy::Response.new(false, "blackholed")
+      end
+    end
+
+  end
+
+end

data/lib/certmeister/policy/chain_all.rb

@@ -0,0 +1,36 @@
+require 'certmeister/policy'
+
+module Certmeister
+
+  module Policy
+
+    class ChainAll
+
+      def initialize(policys)
+        validate_policys(policys)
+        @policys = policys
+      end
+
+      def authenticate(request)
+        success = Certmeister::Policy::Response.new(true, nil)
+        @policys.inject(success) do |continue, policy|
+          response = policy.authenticate(request)
+          break response unless response.authenticated?
+          continue
+        end
+      end
+
+      private
+
+      def validate_policys(policys)
+        unless policys.is_a?(Enumerable) and policys.respond_to?(:size) and policys.size > 0 and
+               policys.all? { |policy| Certmeister::Policy.validate_authenticate_signature(policy) }
+          raise ArgumentError.new("enumerable collection of policys required")
+        end
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/policy/domain.rb

@@ -0,0 +1,37 @@
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Domain
+
+      def initialize(domains)
+        validate_domains(domains)
+        @domains = domains.map { |domain| ".#{domain}" }
+      end
+
+      def authenticate(request)
+        if not request[:cn]
+          Certmeister::Policy::Response.new(false, "missing cn")
+        elsif not @domains.any? { |domain| request[:cn].end_with?(domain) }
+          Certmeister::Policy::Response.new(false, "cn in unknown domain")
+        else
+          Certmeister::Policy::Response.new(true, nil)
+        end
+      end
+
+      private
+
+      def validate_domains(domains)
+        unless domains.is_a?(Enumerable) and domains.respond_to?(:size) and domains.size > 0 and
+               domains.all? { |psk| psk.respond_to?(:to_s) }
+          raise ArgumentError.new("enumerable collection of domains required")
+        end
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/policy/existing.rb

@@ -0,0 +1,32 @@
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Existing
+
+      def initialize(store)
+        is_a_store?(store) or raise ArgumentError.new("expected a fetchable store but received a #{store.class}")
+        @store = store
+      end
+
+      def authenticate(request)
+        if @store.fetch(request[:cn]).nil?
+          Certmeister::Policy::Response.new(true, nil)
+        else
+          Certmeister::Policy::Response.new(false, "certificate for cn already exists")
+        end
+      end
+
+      private
+
+      def is_a_store?(store)
+        store.respond_to?(:fetch)
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/policy/fcrdns.rb

@@ -0,0 +1,40 @@
+require 'resolv'
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Fcrdns
+
+      def authenticate(request)
+        begin
+          if not request[:cn]
+            Certmeister::Policy::Response.new(false, "missing cn")
+          elsif not request[:ip]
+            Certmeister::Policy::Response.new(false, "missing ip")
+          elsif not fcrdns_names(request[:ip]).include?(request[:cn])
+            Certmeister::Policy::Response.new(false, "cn in unknown domain")
+          else
+            Certmeister::Policy::Response.new(true, nil)
+          end
+        rescue Resolv::ResolvError => e
+          Certmeister::Policy::Response.new(false, "DNS error (#{e.message})")
+        end
+      end
+
+      private
+
+      def fcrdns_names(ip)
+        resolv = Resolv::DNS.new
+        names = resolv.getnames(ip)
+        addresses = names.inject([]) { |m, name| m.concat(resolv.getaddresses(name)) }
+        reverse_names = addresses.inject([]) { |m, address| m.concat(resolv.getnames(address.to_s)) }
+        (names & reverse_names).map(&:to_s)
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/policy/noop.rb

@@ -0,0 +1,15 @@
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Noop
+      def authenticate(request)
+        Certmeister::Policy::Response.new(true, nil)
+      end
+    end
+
+  end
+
+end

data/lib/certmeister/policy/psk.rb

@@ -0,0 +1,37 @@
+require 'certmeister/policy/response'
+
+module Certmeister
+
+  module Policy
+
+    class Psk
+
+      def initialize(psks)
+        validate_psks(psks)
+        @psks = psks.map(&:to_s)
+      end
+
+      def authenticate(request)
+        if not request[:psk]
+          Certmeister::Policy::Response.new(false, "missing psk")
+        elsif not @psks.include?(request[:psk])
+          Certmeister::Policy::Response.new(false, "unknown psk")
+        else
+          Certmeister::Policy::Response.new(true, nil)
+        end
+      end
+
+      private
+
+      def validate_psks(psks)
+        unless psks.is_a?(Enumerable) and psks.respond_to?(:size) and psks.size > 0 and
+               psks.all? { |psk| psk.respond_to?(:to_s) }
+          raise ArgumentError.new("enumerable collection of psks required")
+        end
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/policy/response.rb

@@ -0,0 +1,24 @@
+module Certmeister
+
+  module Policy
+
+    class Response
+
+      def initialize(authenticated, error)
+        @authenticated = authenticated
+        @error = error
+      end
+
+      def authenticated?
+        !@error
+      end
+
+      def error
+        @error
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/response.rb

@@ -0,0 +1,47 @@
+module Certmeister
+
+  class Response
+
+    def initialize(pem, error)
+      @pem = pem
+      @error = error
+      if @pem and @error
+        raise ArgumentError.new("pem and error are mutually exclusive")
+      end
+    end
+
+    def pem
+      @pem
+    end
+
+    def error
+      @error
+    end
+
+    def hit?
+      !!@pem
+    end
+
+    def miss?
+      !(hit? or error?)
+    end
+
+    def error?
+      !!@error
+    end
+
+    def self.hit(pem)
+      self.new(pem, nil)
+    end
+
+    def self.miss
+      self.new(nil, nil)
+    end
+
+    def self.error(message)
+      self.new(nil, message)
+    end
+
+  end
+
+end

data/lib/certmeister/store_error.rb

@@ -0,0 +1,6 @@
+module Certmeister
+
+  class StoreError < StandardError
+  end
+
+end

data/lib/certmeister/test/memory_store_interface.rb

@@ -0,0 +1,54 @@
+module Certmeister
+
+  module Test
+    
+    module MemoryStoreInterface
+
+      def it_behaves_like_a_certmeister_store
+        
+        it "stores certificates by CN (common name)" do
+          pem = File.read('fixtures/client.crt')
+          subject.store('axl.hetzner.africa', pem)
+          expect(subject.fetch('axl.hetzner.africa')).to eql pem
+        end
+
+        it "returns nil when fetching non-existent CN" do
+          expect(subject.fetch('axl.hetzner.africa')).to be_nil
+        end
+
+        it "is not concerned with validating certificates" do
+          expect { subject.store('axl.hetzner.africa', "nonsense") }.to_not raise_error
+        end
+
+        it "overwrites an existing certificate if one exists" do
+          subject.store('axl.hetzner.africa', "first")
+          subject.store('axl.hetzner.africa', "second")
+          expect(subject.fetch('axl.hetzner.africa')).to eql "second"
+        end
+
+        it "deletes certificates by CN (common name)" do
+          subject.store('axl.hetzner.africa', "cert")
+          expect(subject.remove('axl.hetzner.africa')).to be_true
+          expect(subject.fetch('axl.hetzner.africa')).to be_nil
+        end
+
+        it "returns false when removing a non-existent CN" do
+          expect(subject.remove('axl.hetzner.africa')).to be_false
+        end
+
+        it "returns true from health_check when healthy" do
+          expect(subject.health_check).to be_true
+        end
+
+        it "returns false from health_check when not healthy" do
+          subject.send(:break!)
+          expect(subject.health_check).to be_false
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/version.rb

@@ -0,0 +1,5 @@
+module Certmeister
+
+  VERSION = '0.0.1' unless defined?(VERSION)
+  
+end

data/signit.rb

@@ -0,0 +1,39 @@
+# Inspired by https://gist.github.com/mitfik/1922961
+
+require 'openssl'
+require 'time'
+
+if OpenSSL::Digest.const_defined?('SHA256')
+  @digest = OpenSSL::Digest::SHA256
+elsif OpenSSL::Digest.const_defined?('SHA1')
+  @digest = OpenSSL::Digest::SHA1
+else
+  raise "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
+end
+
+ca_cert_data = File.read('fixtures/ca.crt')
+ca_key_data = File.read('fixtures/ca.key')
+
+ca_cert = OpenSSL::X509::Certificate.new(ca_cert_data)
+ca_key = OpenSSL::PKey.read(ca_key_data)
+puts "# CA cert"
+puts ca_cert.to_pem
+
+csr_data = File.read('fixtures/client.csr')
+csr = OpenSSL::X509::Request.new(csr_data)
+puts "# client certificate signing request"
+puts csr.to_pem
+
+now = DateTime.now
+cert = OpenSSL::X509::Certificate.new
+cert.serial = 0
+cert.version = 2
+cert.not_before = now.to_time
+cert.not_after = (now + (5 * 365)).to_time
+cert.subject = csr.subject
+cert.public_key = csr.public_key
+cert.issuer = ca_cert.subject
+cert.sign ca_key, @digest.new
+
+puts "# client certificate"
+puts cert.to_pem