certmeister 2.1.0 → 2.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Rakefile +2 -0
- data/fixtures/kbits_1024.csr +12 -0
- data/fixtures/kbits_4096.csr +28 -0
- data/lib/certmeister/policy/key_bits.rb +46 -0
- data/lib/certmeister/version.rb +1 -1
- data/spec/certmeister/policy/key_bits_spec.rb +48 -0
- metadata +8 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 799bbad30dae1a1c0f05c7e3ba59dc4b3cc47467
|
|
4
|
+
data.tar.gz: 447321524cd2661a7f439d5c19fa056efbc699b5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c98b95cad7ff3960438ac4e8f1a4c73d5458f6774a3743a77694f85fbae21ba39be424176961276b243f7c51d703d4bf5c5cb646f3a515881eb5d7c631db1036
|
|
7
|
+
data.tar.gz: bd53076b8e6b89f3ea3bcc493a5565698aa399e36cac58aa534e7d777f0f3a7071d99b5ff7e4c5dd2a490348ea973390a524928df420abc9a245da0af1044bf6
|
data/Rakefile
CHANGED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
|
|
5
|
+
jQAwgYkCgYEAq14FktEw9Zilzj5DUKTI2Mix66A0Za5lTAeRmP1Ms9Hmjc+RnnCm
|
|
6
|
+
u5L6zPoHY8s6/8tbxewtu86L7v2SfKkJjLSKxZQLFxBEzMHOgzziHTyZ1zU5SPWv
|
|
7
|
+
Co8AQdlbZI8Wmai7dkxwdaA2xaWR4elHlgT78xDdYZXwRL75wfmkF/kCAwEAAaAA
|
|
8
|
+
MA0GCSqGSIb3DQEBBQUAA4GBAKHHpelQzMYFBXYa0VOWFiqRd1HXJfnUbo8D5xup
|
|
9
|
+
RzveAVlGTj83slgKvGigUupWdfk1S4KiUG1HsAyLcwl8lgOCO77CrdNPZC0qjB4+
|
|
10
|
+
pK3Xp2FMsK4+lp24FNR0tM31FA03DU8uhL8v5cvExHBn4idBEwO2W4OWPKVYKrtm
|
|
11
|
+
w9ne
|
|
12
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
|
|
5
|
+
ggIPADCCAgoCggIBALVi/dpNu31zZ+Wvxf4DXEaxLwsUbzsaLCxt770RkzEo8OdU
|
|
6
|
+
DElf1WM7X+rdOJC3BDZ499Bigw5efpEhg2m2BmDl8DG1XmTvVKxIY6fvx9NWqTEt
|
|
7
|
+
KcvOni7g/OFzmUXHoesoc6gz2flwD4lmdSR+S1N2RwwlOG2ZpBKy35mtmDdq/MJG
|
|
8
|
+
Xj4rUafT4n9Pnmwzo9PPn54hjg7c7yQwUFWk0lOrsl7uhK1LMtQORME23oG0gK3N
|
|
9
|
+
zhtY9f0+6YJAbzJ3EI2/i7Oso4XiW9eHpujKhaMYO8ezm3KuYgdEoOTaH4mruSjE
|
|
10
|
+
34kmsTNonktiUdGMn/HqARgQKyVTyHmP+ocVcY8POzlJDcxMRVTYxQ4I9U1bz/eG
|
|
11
|
+
ugHiCw0YnxrXpClXT3RVfydV/B7+srw+Tw8ff+m7WSzYeDjDLVotlnGrXLKLHm6d
|
|
12
|
+
IA7n+fwBhliSSDNTu3ZVA5Vp72AEDqmfbRIcO4twIfkyu3TB3f2lf3g4LLebLDj3
|
|
13
|
+
b3NwNwu0p/uq47eEYOKdILxXsZQRVKr8OZfhjPHIEw7d/6EpCCxG9I9Zj6KFAdga
|
|
14
|
+
s8rquCKvb/8aXnL2Zz+QOhUGX9aAIpZJ7lNM95C1yjmRW/HcNonXcxBHqdi9+swO
|
|
15
|
+
quagOBimj5BkUMRDWtMmr5bXDBGfxMeh6t1BrfcgtQgZy/FLkhjioObqD+WHAgMB
|
|
16
|
+
AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAR1ogHg6V59JwM0+EN4LhN8m7eDiCkYM+
|
|
17
|
+
hmko5gTdzOe3Z+n/eVMoyqJ9qnzQEkO0n4aWTiaO2gLKEtXFo3Qu1wjWEJqxD8/b
|
|
18
|
+
YdH64Gp8sFKlrM8o8mACG6jPo8ueFxI0o9Brl2Q6pUkOlepXUaLzMw0txm1Nm/9c
|
|
19
|
+
O29p1XGAPVEdi9OMqbT+eAnxgSTy/AWR33+1BrZF42zBIaM62yquEPyJ1O1igTio
|
|
20
|
+
MV3ZxhX061z02+5B/6cit41pUClZabII6f/tHAPxxxn3zNHkmYn6eQ3DsZT3Stuf
|
|
21
|
+
lXw8j0e2sFXpvOSk1otYEOVYUiTp4SpmCjdUV1qUPlbQ94qGP75dv5uYn5pN/hJ5
|
|
22
|
+
UO/lGETzK1/ycUcoedDCzr7sQhfXB1Z47/NQ+RL4NVem941ujIfn8MKHyx99zKnT
|
|
23
|
+
OI73Pn6Y7n1hZxoV6krRl7C3gzkI7Eo0bFQEwiZbRC7U30WaiFurfKi0puMlU1K3
|
|
24
|
+
vdOPTy0rq6zGp3r1J6oITHiD/h+CxRxJTrGu9GbCUQlaoQfPqwXAdI7GQcwsSPto
|
|
25
|
+
l1643eqDR3lST821TPE0Ln+Lvs8aQzYNVFaV79nhgncJHyPpP7j9/2k6CtsGAtVv
|
|
26
|
+
qPOTJbxnOfwRDfbyDLWBoqHNxmfhq3KtE6ktVxyP9hUyGnAf8yAn3zaDx4V980N6
|
|
27
|
+
9FNkBniZB+Y=
|
|
28
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
require 'certmeister/policy/response'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
|
|
4
|
+
module Certmeister
|
|
5
|
+
|
|
6
|
+
module Policy
|
|
7
|
+
|
|
8
|
+
class KeyBits
|
|
9
|
+
|
|
10
|
+
DEFAULT_MIN_KEY_BITS = 4096
|
|
11
|
+
|
|
12
|
+
attr_reader :min_key_bits
|
|
13
|
+
|
|
14
|
+
def initialize(min_key_bits = DEFAULT_MIN_KEY_BITS)
|
|
15
|
+
validate_min_key_bits(min_key_bits)
|
|
16
|
+
@min_key_bits = min_key_bits
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def authenticate(request)
|
|
20
|
+
if not request[:pem]
|
|
21
|
+
Certmeister::Policy::Response.new(false, "missing pem")
|
|
22
|
+
else
|
|
23
|
+
cert = OpenSSL::X509::Request.new(request[:pem])
|
|
24
|
+
pkey = cert.public_key
|
|
25
|
+
kbits = pkey.n.num_bytes * 8
|
|
26
|
+
if kbits < @min_key_bits
|
|
27
|
+
Certmeister::Policy::Response.new(false, "weak key")
|
|
28
|
+
else
|
|
29
|
+
Certmeister::Policy::Response.new(true, nil)
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def validate_min_key_bits(min_key_bits)
|
|
37
|
+
unless min_key_bits.is_a?(Integer)
|
|
38
|
+
raise ArgumentError.new("invalid minimum key size")
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
end
|
data/lib/certmeister/version.rb
CHANGED
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
require 'certmeister/policy/key_bits'
|
|
4
|
+
|
|
5
|
+
describe Certmeister::Policy::KeyBits do
|
|
6
|
+
|
|
7
|
+
subject { Certmeister::Policy::KeyBits.new(4096) }
|
|
8
|
+
|
|
9
|
+
it "may be configured with a minimum key size in bits" do
|
|
10
|
+
expect { Certmeister::Policy::KeyBits.new("hamster") }.to raise_error(ArgumentError, "invalid minimum key size")
|
|
11
|
+
expect { Certmeister::Policy::KeyBits.new(4096) }.to_not raise_error
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it "defaults to #{Certmeister::Policy::KeyBits::DEFAULT_MIN_KEY_BITS} bits minimum key size" do
|
|
15
|
+
expect(described_class.new.min_key_bits).to eql Certmeister::Policy::KeyBits::DEFAULT_MIN_KEY_BITS
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
it "demands a request" do
|
|
19
|
+
expect { subject.authenticate }.to raise_error(ArgumentError)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
it "refuses to authenticate a request with a missing pem" do
|
|
23
|
+
response = subject.authenticate({anything: 'something'})
|
|
24
|
+
expect(response).to_not be_authenticated
|
|
25
|
+
expect(response.error).to eql "missing pem"
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it "refuses to authenticate an invalid request" do
|
|
29
|
+
pem = File.read('fixtures/kbits_1024.csr')
|
|
30
|
+
response = subject.authenticate({pem: pem})
|
|
31
|
+
expect(response).to_not be_authenticated
|
|
32
|
+
expect(response.error).to eql "weak key"
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "refuses to authenticate a request for a key with too few bits" do
|
|
36
|
+
pem = File.read('fixtures/kbits_1024.csr')
|
|
37
|
+
response = subject.authenticate({pem: pem})
|
|
38
|
+
expect(response).to_not be_authenticated
|
|
39
|
+
expect(response.error).to eql "weak key"
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it "authenticates a request for a key with sufficient bits" do
|
|
43
|
+
pem = File.read('fixtures/kbits_4096.csr')
|
|
44
|
+
response = subject.authenticate({pem: pem})
|
|
45
|
+
expect(response).to be_authenticated
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: certmeister
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sheldon Hearn
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-01-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -78,6 +78,8 @@ files:
|
|
|
78
78
|
- fixtures/client.crt
|
|
79
79
|
- fixtures/client.csr
|
|
80
80
|
- fixtures/client.key
|
|
81
|
+
- fixtures/kbits_1024.csr
|
|
82
|
+
- fixtures/kbits_4096.csr
|
|
81
83
|
- lib/certmeister.rb
|
|
82
84
|
- lib/certmeister/base.rb
|
|
83
85
|
- lib/certmeister/config.rb
|
|
@@ -90,6 +92,7 @@ files:
|
|
|
90
92
|
- lib/certmeister/policy/existing.rb
|
|
91
93
|
- lib/certmeister/policy/fcrdns.rb
|
|
92
94
|
- lib/certmeister/policy/ip.rb
|
|
95
|
+
- lib/certmeister/policy/key_bits.rb
|
|
93
96
|
- lib/certmeister/policy/noop.rb
|
|
94
97
|
- lib/certmeister/policy/psk.rb
|
|
95
98
|
- lib/certmeister/policy/response.rb
|
|
@@ -108,6 +111,7 @@ files:
|
|
|
108
111
|
- spec/certmeister/policy/existing_spec.rb
|
|
109
112
|
- spec/certmeister/policy/fcrdns_spec.rb
|
|
110
113
|
- spec/certmeister/policy/ip_spec.rb
|
|
114
|
+
- spec/certmeister/policy/key_bits_spec.rb
|
|
111
115
|
- spec/certmeister/policy/noop_spec.rb
|
|
112
116
|
- spec/certmeister/policy/psk_spec.rb
|
|
113
117
|
- spec/certmeister/policy/response_spec.rb
|
|
@@ -139,7 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
139
143
|
version: '0'
|
|
140
144
|
requirements: []
|
|
141
145
|
rubyforge_project:
|
|
142
|
-
rubygems_version: 2.
|
|
146
|
+
rubygems_version: 2.5.1
|
|
143
147
|
signing_key:
|
|
144
148
|
specification_version: 4
|
|
145
149
|
summary: Conditionally autosigning certificate authority.
|
|
@@ -154,6 +158,7 @@ test_files:
|
|
|
154
158
|
- spec/certmeister/policy/existing_spec.rb
|
|
155
159
|
- spec/certmeister/policy/fcrdns_spec.rb
|
|
156
160
|
- spec/certmeister/policy/ip_spec.rb
|
|
161
|
+
- spec/certmeister/policy/key_bits_spec.rb
|
|
157
162
|
- spec/certmeister/policy/noop_spec.rb
|
|
158
163
|
- spec/certmeister/policy/psk_spec.rb
|
|
159
164
|
- spec/certmeister/policy/response_spec.rb
|