certmeister 2.2.0 → 2.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 799bbad30dae1a1c0f05c7e3ba59dc4b3cc47467
4
- data.tar.gz: 447321524cd2661a7f439d5c19fa056efbc699b5
3
+ metadata.gz: 91d17da8b132ec96406859d320cf1054d92e5023
4
+ data.tar.gz: b7e3ca7db11270296498eb364c9ed4c5a9d201ad
5
5
  SHA512:
6
- metadata.gz: c98b95cad7ff3960438ac4e8f1a4c73d5458f6774a3743a77694f85fbae21ba39be424176961276b243f7c51d703d4bf5c5cb646f3a515881eb5d7c631db1036
7
- data.tar.gz: bd53076b8e6b89f3ea3bcc493a5565698aa399e36cac58aa534e7d777f0f3a7071d99b5ff7e4c5dd2a490348ea973390a524928df420abc9a245da0af1044bf6
6
+ metadata.gz: d5f5509b6e7792ebebf8eec73ea1b5b8da307c4aa8b1c384287dceff34e5b0794a148e93007d378efa1d2369c4caffebe009bdc1aaac4c0b0e756ff5c2cc598d
7
+ data.tar.gz: f14101564b1038b63f3509ea14487d4bc157f8c1df35c03cf941f125fdf93f4fcd9e7edaebbaa4d678ee4c268ab5d44455578e6fc8c66fbd8633640c04a09d76
data/.gitignore CHANGED
@@ -13,7 +13,7 @@ spec/reports
13
13
  test/tmp
14
14
  test/version_tmp
15
15
  tmp
16
- contrib/Gemfile.lock
16
+ Gemfile.lock
17
17
 
18
18
  # YARD artifacts
19
19
  .yardoc
@@ -0,0 +1,28 @@
1
+ Feature: Signature algorithm policy
2
+
3
+ As the operator of a conditionally autosigning certification authority
4
+ When deciding whether to sign a certificate
5
+ I want to reject certificate signing requests with weak signature algorithms
6
+ In order to enforce the use of strong cryptography across our network.
7
+
8
+ Desired rspec output:
9
+
10
+ Certmeister::Policy::SignatureAlgorithm
11
+ may be configured with a set of strong signature algorithms
12
+ defaults to ["sha256"] as the set of strong signature algorithms
13
+ demands a request
14
+ refuses to authenticate a request with a missing pem
15
+ refuses to authenticate an invalid pem
16
+ refuses to authenticate a request with a weak signature algorithm
17
+ authenticates a request with a strong signature algorithm
18
+
19
+ Use spec/certmeister/policy/key_bits_spec.rb as a guide to specifying the behaviour.
20
+
21
+ Use lib/certmeister/policy/key_bits.rb as a guide to implementing the behaviour.
22
+
23
+ You may find these fixtures useful:
24
+
25
+ fixtures/sha1_4096bit.csr
26
+ fixtures/sha256_4096bit.csr
27
+
28
+ The signature algorithm of a CSR is provided by the OpenSSL::X509::Request#signature_algorithm method.
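Review bot: Line 12 of this brief says the policy defaults to ["sha256"] as the set of strong signature algorithms, which does not match DEFAULT_SIGNATURE_ALGORITHMS = ["sha256", "sha384", "sha512"] in the implementation added in this same release. Update the desired rspec output to the real default, and add the "unknown/unsupported signature algorithm" case that the shipped spec covers, so the brief and the behaviour agree.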
data/certmeister.gemspec CHANGED
@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
23
23
  spec.require_paths = ["lib"]
24
24
 
25
25
  spec.add_development_dependency "bundler", "~> 1.5"
26
- spec.add_development_dependency "rake", "~> 10.4.2"
26
+ spec.add_development_dependency "rake", "~> 10.4"
27
27
  spec.add_development_dependency "rspec", "~> 3.1"
28
28
  end
@@ -0,0 +1,10 @@
1
+ -----BEGIN CERTIFICATE REQUEST-----
2
+ MIIBZzCB7gIBADBvMQswCQYDVQQGEwJaQTEVMBMGA1UECAwMV2VzdGVybiBDYXBl
3
+ MRIwEAYDVQQHDAlDYXBlIFRvd24xGDAWBgNVBAoMD0hldHpuZXIgUFRZIEx0ZDEb
4
+ MBkGA1UEAwwSYXhsLmhldHpuZXIuYWZyaWNhMHYwEAYHKoZIzj0CAQYFK4EEACID
5
+ YgAEKxZhR5/G3bds3LOkA1dL88O0zyyk6zMlQ2KTf6Cl/rE6cCLAq3vI53cM4FDc
6
+ DHCq8ZQwt+e6GUC/CXizCEx9sNg2Sdx1YvpPhMhNyAYd0WjTenAkUmpG+Mdx1q+m
7
+ 5OMfoAAwCgYIKoZIzj0EAwMDaAAwZQIxAPxLD6+F1Eu2onDYfyguJ1DOz600NBJ5
8
+ IoY0PgsMYDtu+sJn+7XmjBsw4WYhJHwb+QIwWxt2M0uJP/+BexmH4eOufc9Iw/bk
9
+ PArUpgT3hwfJS8lUB/D9PN0K95BU6AvzG/iG
10
+ -----END CERTIFICATE REQUEST-----
@@ -0,0 +1,12 @@
1
+ -----BEGIN CERTIFICATE REQUEST-----
2
+ MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
+ ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
+ GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
5
+ jQAwgYkCgYEA0SMKeQYOacF+wQ4GfsyEf8r5PdBW51MHf9kJS0TU0jfHxP4y6epA
6
+ HPxsZUSNLsGuHCKar4oXiEjKePsMpRBcuIF8MQyernrFwFFuT5PigHlwiqvcAGZj
7
+ pOsR2zg0sOHRDyaYwnOtA1PtMHpcy0V4g7p06t1bRrP3KfeAUD/+VPMCAwEAAaAA
8
+ MA0GCSqGSIb3DQEBBQUAA4GBAMyBS386mKoS9DkyK2x37sxmFTqrzZrW1HOAbUz3
9
+ mAWIF6w29ddtjiPijjPO/uM9C3L3/AuxttYRwNqQ8K7js1O6y1ZO8eWOPgGLUo77
10
+ AIznjobOrZGRn4rvLgY1pE+xuQx6S5YeC3SMcIXogL+58Pzwg7SQtFQwB45ErDWW
11
+ eNnz
12
+ -----END CERTIFICATE REQUEST-----
@@ -0,0 +1,28 @@
1
+ -----BEGIN CERTIFICATE REQUEST-----
2
+ MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
+ ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
+ GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
5
+ ggIPADCCAgoCggIBAPAQvQSgOxZuxZV++QDINS2i0L7KDW84WZOPHGzdtGbUaQl4
6
+ 3LpltYOFR3eSySq0iCaE9dIp7c+H4MtLSiKH82Nfbk9qdiwSKfAk6J9I/iTudRO8
7
+ M2HQUNO2M9cyg3E8Ivu/GC1AXbTV9wBgdBwZwLyS1JMYofuizeEaB/yz1pDdko2e
8
+ shgXDbDz0rjA32m0LvY9mNERn7s5Ad/p46WC1UvWWYBAHClCk1dC2R+mA8fO7z++
9
+ oRiTlgMkW+bwVI8NsNXqSULJAd6rL65pn5FHGAnodr4BWPNl8fh/kKl3O02M08Th
10
+ ATRwnU3n1nKaEAgHxYRKq8IbwtosUBkJlzSu8NLII/T6G8KQWad2xmqf5SZCGoOt
11
+ /sCUiPSlaPoN2jCfgsZyidZy/LGlrwMFIVUjvEjCtCsxVIpFcfNbFB1oOSH2uhcj
12
+ bbitrUwbcuv4e0495j30d7ajgfcwMyzRZoCMCzxpEsnPI5Ld7rUyAh6uBprnDP30
13
+ ZjIxp7vumTWhaYSxCdOBRCPDKvUR3xNugD/HBC202bbvkNIHq0RVCRud9Hi6qxJs
14
+ JLseE696ee3gKzYAU3z96rN16/DAxYjq9dy1upEa3sGM3UwYVHR9kjSHF2yrY17A
15
+ gqh13rOLmB3QKdBjAjf6PGA+AnMIlSbFHIra7QjKfbRwCv5ZfoFU/kMjhQg7AgMB
16
+ AAGgADANBgkqhkiG9w0BAQUFAAOCAgEA4GeMExrX4kNhzqgXR1+q9Wp/izDHHC6a
17
+ xTkVEHPfT8+jsd9bfwF3HPZB3VhGzsic6dUiQAcRxUC6Yv6CI/Z67lyJNyxiaeKf
18
+ 9RH3NNm6paNPtRK0TW33nTpTuYDtHqgCInvZt1JfXXoP6t0uqqj6WgM/o57D16JN
19
+ BWFf2E6MZGt0WJs+aUff+R7y5ZJA9XHs2ZWvU/TYR+YjJ8kTzbw2+QKdbTJzQjcw
20
+ 4YBWtj9nBwvWwIOQkzIWokRS8h5PgR4EIevkkFjbq6zU+ue1IzTEAD8G6a2YTzrW
21
+ qqwDlB4YtaQsGhEn600lrl33IGqpEABB32l8oKQtlJVxlZ8TcIVRkXLVXps1skIU
22
+ f7HeVN8OlgD85rhCoikTXGvBQXiFww1y/2CT8sfX7w3Z8F/0kPHavdo/goe5316f
23
+ l0jwJbpO5dNpL/kPxLxjJjXx6s0Ky8ZCKrk7vYpBhlLgCTCl9cLCfac4xD6kcANn
24
+ 68PNJ03jn0nVzds7gs3ad8v8T85l7lypQf77fd2Zci7MXtJ3NA59/51a+1jXEf/0
25
+ vJAB1ktx31CKWip8c7iBErI+oV8T8Y8kGBsmGl2Ey/iqFz0xo7CqV7Lt/glzNg+w
26
+ Rir40w7f5XAZIIEtONHnrqJEfNGa+KesQe776YlwzUQ30/kar1peD5vsMgwS14V1
27
+ kr0+IF2eEro=
28
+ -----END CERTIFICATE REQUEST-----
@@ -0,0 +1,12 @@
1
+ -----BEGIN CERTIFICATE REQUEST-----
2
+ MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
+ ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
+ GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
5
+ jQAwgYkCgYEA0SMKeQYOacF+wQ4GfsyEf8r5PdBW51MHf9kJS0TU0jfHxP4y6epA
6
+ HPxsZUSNLsGuHCKar4oXiEjKePsMpRBcuIF8MQyernrFwFFuT5PigHlwiqvcAGZj
7
+ pOsR2zg0sOHRDyaYwnOtA1PtMHpcy0V4g7p06t1bRrP3KfeAUD/+VPMCAwEAAaAA
8
+ MA0GCSqGSIb3DQEBCwUAA4GBAIHXr0IMku2vkQtgqYCdkfpba0SG2lDLrXX47Oec
9
+ bVy2s97y7ujJdAQgH7jExvYMsIa1sVOTG1kCczmLuMb8A8PowmJ4QQi35aE9O36f
10
+ 1WaaG89HOepP4WkkiPYX8W62f43vYY2psmOtsJ3XrkZUMPE69QgzILqNC+hU6rnG
11
+ uToc
12
+ -----END CERTIFICATE REQUEST-----
@@ -0,0 +1,28 @@
1
+ -----BEGIN CERTIFICATE REQUEST-----
2
+ MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
+ ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
+ GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
5
+ ggIPADCCAgoCggIBAPAQvQSgOxZuxZV++QDINS2i0L7KDW84WZOPHGzdtGbUaQl4
6
+ 3LpltYOFR3eSySq0iCaE9dIp7c+H4MtLSiKH82Nfbk9qdiwSKfAk6J9I/iTudRO8
7
+ M2HQUNO2M9cyg3E8Ivu/GC1AXbTV9wBgdBwZwLyS1JMYofuizeEaB/yz1pDdko2e
8
+ shgXDbDz0rjA32m0LvY9mNERn7s5Ad/p46WC1UvWWYBAHClCk1dC2R+mA8fO7z++
9
+ oRiTlgMkW+bwVI8NsNXqSULJAd6rL65pn5FHGAnodr4BWPNl8fh/kKl3O02M08Th
10
+ ATRwnU3n1nKaEAgHxYRKq8IbwtosUBkJlzSu8NLII/T6G8KQWad2xmqf5SZCGoOt
11
+ /sCUiPSlaPoN2jCfgsZyidZy/LGlrwMFIVUjvEjCtCsxVIpFcfNbFB1oOSH2uhcj
12
+ bbitrUwbcuv4e0495j30d7ajgfcwMyzRZoCMCzxpEsnPI5Ld7rUyAh6uBprnDP30
13
+ ZjIxp7vumTWhaYSxCdOBRCPDKvUR3xNugD/HBC202bbvkNIHq0RVCRud9Hi6qxJs
14
+ JLseE696ee3gKzYAU3z96rN16/DAxYjq9dy1upEa3sGM3UwYVHR9kjSHF2yrY17A
15
+ gqh13rOLmB3QKdBjAjf6PGA+AnMIlSbFHIra7QjKfbRwCv5ZfoFU/kMjhQg7AgMB
16
+ AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAXJO7tsgW4CJ+cwRFJ3slEEaLYl0jsHiZ
17
+ 91dCtAmqs6BWAfrpNeLJIvmRqhugnL97nWnxhSLQP0/ssRdqOv1U91Mw9KsLQAMe
18
+ MkXQ14TraKwRV2UlL56deDBzl4HBTLtCf1Arlj4FucUysqndzFfWMhsDF2/QONyl
19
+ YGz4pKX1OQ4eb+UeZ7k7gmiJT0Xq1PQr7YP/hgr+euIZtwzgdMujqgQo/y8XoHXk
20
+ ISvfXgotowP3WrOqbrjo4k/+PSOxMGG497SG8q2crSXIQrThd/EpsIOpcyeqh5rb
21
+ wCpGqb0i33Bbk63grHE3J+BH5lNr2txBtxFaYYywHhz/RsI9m+o9DNPfR7ABvFtt
22
+ wzDYKNLGj8hsK/GbVNfY+25FnLZetnuKZHWGVQaltzLrn+qRWt1zEkUcQz1ir89g
23
+ Dn75kK2mpxJTK/tI/65eQRfpWGviepTItmof8SmnXE22qguU2hzAf+GMGBmvUU8b
24
+ 1jctN8wOwt+EK47YCC9PtbgVAPlzGV+RTlO5K0nUPcRUjL5FXCJB5FLhAJ3hYR4H
25
+ dqMEYhoHdgTT65wrF3Mfw7z26qhDmN8eIp0T3qKE/A0hGUWBdyHtnF96Z2ymzTHQ
26
+ MA8TdHUoLmEW6DN9BgOATi0BzUAL2e6VTIqNFx6deRrm0kSGPQ0haR2shWfDHjMS
27
+ +DgHYI3c0do=
28
+ -----END CERTIFICATE REQUEST-----
@@ -29,6 +29,8 @@ module Certmeister
29
29
  Certmeister::Policy::Response.new(true, nil)
30
30
  end
31
31
  end
32
+ rescue OpenSSL::X509::RequestError => e
33
+ Certmeister::Policy::Response.new(false, "invalid pem (#{e.message})")
32
34
  end
33
35
 
34
36
  private
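Review bot: The rescue added on lines 32 and 33 interpolates e.message into the policy response, so the error string is whatever text the linked OpenSSL build produces and can change between OpenSSL versions. Return a fixed "invalid pem" in the response and log e.message separately, so that callers and specs do not depend on OpenSSL's wording.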
@@ -0,0 +1,67 @@
1
+ require 'certmeister/policy/response'
2
+ require 'openssl'
3
+
4
+ module Certmeister
5
+
6
+ module Policy
7
+
8
+ class SignatureAlgorithm
9
+
10
+ DEFAULT_SIGNATURE_ALGORITHMS = ["sha256", "sha384", "sha512"]
11
+
12
+ attr_reader :signature_algorithms
13
+
14
+ def initialize(signature_algorithms = DEFAULT_SIGNATURE_ALGORITHMS)
15
+ validate_signature_algorithms(signature_algorithms)
16
+ @signature_algorithms = signature_algorithms
17
+ end
18
+
19
+ def authenticate(request)
20
+ if not request[:pem]
21
+ return Certmeister::Policy::Response.new(false, "missing pem")
22
+ else
23
+ cert = OpenSSL::X509::Request.new(request[:pem])
24
+ signature_algorithm = cert.signature_algorithm
25
+ if signature_algorithm = check_for_supported_signature_algorithm(signature_algorithm)
26
+ check_signature_algorithm_strength(signature_algorithm)
27
+ else
28
+ return Certmeister::Policy::Response.new(false, "unknown/unsupported signature algorithm (#{cert.signature_algorithm})")
29
+ end
30
+ end
31
+ rescue OpenSSL::X509::RequestError => e
32
+ return Certmeister::Policy::Response.new(false, "invalid pem (#{e.message})")
33
+ end
34
+
35
+ private
36
+
37
+ def validate_signature_algorithms(signature_algorithms)
38
+ unless signature_algorithms.kind_of?(Array)
39
+ raise ArgumentError.new("invalid set of signature algorithms")
40
+ end
41
+ signature_algorithms.each do |element|
42
+ unless element.kind_of?(String)
43
+ raise ArgumentError.new("invalid set of signature algorithms")
44
+ end
45
+ end
46
+ end
47
+
48
+ def check_for_supported_signature_algorithm(signature_algorithm)
49
+ if signature_algorithm.include? "WithRSAEncryption"
50
+ return signature_algorithm = signature_algorithm.sub("WithRSAEncryption", "")
51
+ end
52
+
53
+ end
54
+
55
+ def check_signature_algorithm_strength(signature_algorithm)
56
+ if @signature_algorithms.include? signature_algorithm
57
+ return Certmeister::Policy::Response.new(true, nil)
58
+ else
59
+ return Certmeister::Policy::Response.new(false, "weak signature algorithm")
60
+ end
61
+ end
62
+
63
+ end
64
+
65
+ end
66
+
67
+ end
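Review bot: check_for_supported_signature_algorithm (lines 48 to 53) treats only names containing "WithRSAEncryption" as supported, so a CSR signed with ecdsa-with-SHA384 is refused as "unknown/unsupported" even though sha384 is in DEFAULT_SIGNATURE_ALGORITHMS, and the match is an unanchored, case-sensitive include? followed by sub rather than an exact mapping. Consider an explicit table from OpenSSL signature algorithm names to digest names, covering the ECDSA variants you intend to allow, with an explicit nil return for everything else. On line 16, @signature_algorithms = signature_algorithms stores the caller's array as is; for the default that is the unfrozen constant, exposed through attr_reader, so policy.signature_algorithms << "sha1" would weaken every default-configured instance. Store signature_algorithms.dup.freeze and freeze the constant. The assignment inside the condition on line 25 and the name cert for a CSR are also worth tidying.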
@@ -1,5 +1,5 @@
1
1
  module Certmeister
2
2
 
3
- VERSION = '2.2.0' unless defined?(VERSION)
3
+ VERSION = '2.3.0' unless defined?(VERSION)
4
4
 
5
5
  end
@@ -25,22 +25,22 @@ describe Certmeister::Policy::KeyBits do
25
25
  expect(response.error).to eql "missing pem"
26
26
  end
27
27
 
28
- it "refuses to authenticate an invalid request" do
29
- pem = File.read('fixtures/kbits_1024.csr')
28
+ it "refuses to authenticate an invalid pem" do
29
+ pem = "bad input"
30
30
  response = subject.authenticate({pem: pem})
31
31
  expect(response).to_not be_authenticated
32
- expect(response.error).to eql "weak key"
32
+ expect(response.error).to eql "invalid pem (not enough data)"
33
33
  end
34
34
 
35
35
  it "refuses to authenticate a request for a key with too few bits" do
36
- pem = File.read('fixtures/kbits_1024.csr')
36
+ pem = File.read('fixtures/sha256_1024bit.csr')
37
37
  response = subject.authenticate({pem: pem})
38
38
  expect(response).to_not be_authenticated
39
39
  expect(response.error).to eql "weak key"
40
40
  end
41
41
 
42
42
  it "authenticates a request for a key with sufficient bits" do
43
- pem = File.read('fixtures/kbits_4096.csr')
43
+ pem = File.read('fixtures/sha256_4096bit.csr')
44
44
  response = subject.authenticate({pem: pem})
45
45
  expect(response).to be_authenticated
46
46
  end
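Review bot: The expectation on line 32, eql "invalid pem (not enough data)", pins the spec to the exact wording of an OpenSSL error message, which this project does not control. Match on the "invalid pem" prefix instead, for example with start_with or a regular expression, so the spec keeps passing when the underlying message text changes.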
@@ -0,0 +1,55 @@
1
+ require 'spec_helper'
2
+
3
+ require 'certmeister/policy/signature_algorithm'
4
+
5
+ describe Certmeister::Policy::SignatureAlgorithm do
6
+
7
+ subject { Certmeister::Policy::SignatureAlgorithm.new(["sha256", "sha384", "sha512"]) }
8
+
9
+ it "may be configured with a set of strong signature algorithms" do
10
+ expect { Certmeister::Policy::SignatureAlgorithm.new([1,2])}.to raise_error(ArgumentError, "invalid set of signature algorithms")
11
+ expect { Certmeister::Policy::SignatureAlgorithm.new(["one", "two", "three"]) }.to_not raise_error
12
+ end
13
+
14
+ it "defaults to #{Certmeister::Policy::SignatureAlgorithm::DEFAULT_SIGNATURE_ALGORITHMS} as the set of strong signature algorithms" do
15
+ expect(described_class.new.signature_algorithms).to eql Certmeister::Policy::SignatureAlgorithm::DEFAULT_SIGNATURE_ALGORITHMS
16
+ end
17
+
18
+ it "demands a request" do
19
+ expect { subject.authenticate }.to raise_error(ArgumentError)
20
+ end
21
+
22
+ it "refuses to authenticate a request with a missing pem" do
23
+ response = subject.authenticate({anything: 'something'})
24
+ expect(response).to_not be_authenticated
25
+ expect(response.error).to eql "missing pem"
26
+ end
27
+
28
+ it "refuses to authenticate an invalid pem" do
29
+ pem = "bad input"
30
+ response = subject.authenticate({pem: pem})
31
+ expect(response).to_not be_authenticated
32
+ expect(response.error).to eql "invalid pem (not enough data)"
33
+ end
34
+
35
+ it "refuses to authenticate a request with a weak signature algorithm" do
36
+ pem = File.read('fixtures/sha1_4096bit.csr')
37
+ response = subject.authenticate({pem: pem})
38
+ expect(response).to_not be_authenticated
39
+ expect(response.error).to eql "weak signature algorithm"
40
+ end
41
+
42
+ it "authenticates a request with a strong signature algorithm" do
43
+ pem = File.read('fixtures/sha256_4096bit.csr')
44
+ response = subject.authenticate({pem: pem})
45
+ expect(response).to be_authenticated
46
+ end
47
+
48
+ it "refuses to authenticate a request with an unknown/unsupported signature algorithm" do
49
+ pem = File.read('fixtures/ecdsa.csr')
50
+ response = subject.authenticate({pem: pem})
51
+ expect(response).to_not be_authenticated
52
+ expect(response.error).to eql "unknown/unsupported signature algorithm (ecdsa-with-SHA384)"
53
+ end
54
+
55
+ end
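Review bot: The configuration example on lines 10 and 11 exercises only an array of non-strings, so the kind_of?(Array) guard in the constructor is never hit; add a case such as new("sha256") expecting ArgumentError. The only accepting case uses fixtures/sha256_4096bit.csr, which leaves the sha384 and sha512 entries of the default set without a test, and line 32 repeats the dependency on OpenSSL's exact "not enough data" wording.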
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: certmeister
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.0
4
+ version: 2.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sheldon Hearn
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-01-05 00:00:00.000000000 Z
11
+ date: 2016-01-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -30,14 +30,14 @@ dependencies:
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 10.4.2
33
+ version: '10.4'
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 10.4.2
40
+ version: '10.4'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: rspec
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -67,10 +67,10 @@ files:
67
67
  - ".ruby-gemset"
68
68
  - ".ruby-version"
69
69
  - Gemfile
70
- - Gemfile.lock
71
70
  - LICENSE
72
71
  - README.md
73
72
  - Rakefile
73
+ - SignatureAlgorithm.txt
74
74
  - certmeister.gemspec
75
75
  - fixtures/ca.crt
76
76
  - fixtures/ca.csr
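Review bot: SignatureAlgorithm.txt is added to the packaged files on line 73. If this is the feature brief added earlier in this diff, it is a working note for implementers rather than something consumers of the gem need; exclude it from the gemspec's file list or move it to a path that is not packaged, unless shipping it is intended.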
@@ -78,8 +78,11 @@ files:
78
78
  - fixtures/client.crt
79
79
  - fixtures/client.csr
80
80
  - fixtures/client.key
81
- - fixtures/kbits_1024.csr
82
- - fixtures/kbits_4096.csr
81
+ - fixtures/ecdsa.csr
82
+ - fixtures/sha1_1024bit.csr
83
+ - fixtures/sha1_4096bit.csr
84
+ - fixtures/sha256_1024bit.csr
85
+ - fixtures/sha256_4096bit.csr
83
86
  - lib/certmeister.rb
84
87
  - lib/certmeister/base.rb
85
88
  - lib/certmeister/config.rb
@@ -96,6 +99,7 @@ files:
96
99
  - lib/certmeister/policy/noop.rb
97
100
  - lib/certmeister/policy/psk.rb
98
101
  - lib/certmeister/policy/response.rb
102
+ - lib/certmeister/policy/signature_algorithm.rb
99
103
  - lib/certmeister/response.rb
100
104
  - lib/certmeister/self_test.rb
101
105
  - lib/certmeister/store_error.rb
@@ -115,6 +119,7 @@ files:
115
119
  - spec/certmeister/policy/noop_spec.rb
116
120
  - spec/certmeister/policy/psk_spec.rb
117
121
  - spec/certmeister/policy/response_spec.rb
122
+ - spec/certmeister/policy/signature_algorithm_spec.rb
118
123
  - spec/certmeister/response_spec.rb
119
124
  - spec/certmeister/self_test_spec.rb
120
125
  - spec/helpers/certmeister_config_helper.rb
@@ -143,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
143
148
  version: '0'
144
149
  requirements: []
145
150
  rubyforge_project:
146
- rubygems_version: 2.5.1
151
+ rubygems_version: 2.4.5.1
147
152
  signing_key:
148
153
  specification_version: 4
149
154
  summary: Conditionally autosigning certificate authority.
@@ -162,6 +167,7 @@ test_files:
162
167
  - spec/certmeister/policy/noop_spec.rb
163
168
  - spec/certmeister/policy/psk_spec.rb
164
169
  - spec/certmeister/policy/response_spec.rb
170
+ - spec/certmeister/policy/signature_algorithm_spec.rb
165
171
  - spec/certmeister/response_spec.rb
166
172
  - spec/certmeister/self_test_spec.rb
167
173
  - spec/helpers/certmeister_config_helper.rb
data/Gemfile.lock DELETED
@@ -1,31 +0,0 @@
1
- PATH
2
- remote: .
3
- specs:
4
- certmeister (2.1.0)
5
-
6
- GEM
7
- remote: http://rubygems.org/
8
- specs:
9
- diff-lcs (1.2.5)
10
- rake (10.4.2)
11
- rspec (3.1.0)
12
- rspec-core (~> 3.1.0)
13
- rspec-expectations (~> 3.1.0)
14
- rspec-mocks (~> 3.1.0)
15
- rspec-core (3.1.7)
16
- rspec-support (~> 3.1.0)
17
- rspec-expectations (3.1.2)
18
- diff-lcs (>= 1.2.0, < 2.0)
19
- rspec-support (~> 3.1.0)
20
- rspec-mocks (3.1.3)
21
- rspec-support (~> 3.1.0)
22
- rspec-support (3.1.2)
23
-
24
- PLATFORMS
25
- ruby
26
-
27
- DEPENDENCIES
28
- bundler (~> 1.5)
29
- certmeister!
30
- rake (~> 10.4.2)
31
- rspec (~> 3.1)
@@ -1,12 +0,0 @@
1
- -----BEGIN CERTIFICATE REQUEST-----
2
- MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
- ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
- GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
5
- jQAwgYkCgYEAq14FktEw9Zilzj5DUKTI2Mix66A0Za5lTAeRmP1Ms9Hmjc+RnnCm
6
- u5L6zPoHY8s6/8tbxewtu86L7v2SfKkJjLSKxZQLFxBEzMHOgzziHTyZ1zU5SPWv
7
- Co8AQdlbZI8Wmai7dkxwdaA2xaWR4elHlgT78xDdYZXwRL75wfmkF/kCAwEAAaAA
8
- MA0GCSqGSIb3DQEBBQUAA4GBAKHHpelQzMYFBXYa0VOWFiqRd1HXJfnUbo8D5xup
9
- RzveAVlGTj83slgKvGigUupWdfk1S4KiUG1HsAyLcwl8lgOCO77CrdNPZC0qjB4+
10
- pK3Xp2FMsK4+lp24FNR0tM31FA03DU8uhL8v5cvExHBn4idBEwO2W4OWPKVYKrtm
11
- w9ne
12
- -----END CERTIFICATE REQUEST-----
@@ -1,28 +0,0 @@
1
- -----BEGIN CERTIFICATE REQUEST-----
2
- MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
3
- ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
4
- GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
5
- ggIPADCCAgoCggIBALVi/dpNu31zZ+Wvxf4DXEaxLwsUbzsaLCxt770RkzEo8OdU
6
- DElf1WM7X+rdOJC3BDZ499Bigw5efpEhg2m2BmDl8DG1XmTvVKxIY6fvx9NWqTEt
7
- KcvOni7g/OFzmUXHoesoc6gz2flwD4lmdSR+S1N2RwwlOG2ZpBKy35mtmDdq/MJG
8
- Xj4rUafT4n9Pnmwzo9PPn54hjg7c7yQwUFWk0lOrsl7uhK1LMtQORME23oG0gK3N
9
- zhtY9f0+6YJAbzJ3EI2/i7Oso4XiW9eHpujKhaMYO8ezm3KuYgdEoOTaH4mruSjE
10
- 34kmsTNonktiUdGMn/HqARgQKyVTyHmP+ocVcY8POzlJDcxMRVTYxQ4I9U1bz/eG
11
- ugHiCw0YnxrXpClXT3RVfydV/B7+srw+Tw8ff+m7WSzYeDjDLVotlnGrXLKLHm6d
12
- IA7n+fwBhliSSDNTu3ZVA5Vp72AEDqmfbRIcO4twIfkyu3TB3f2lf3g4LLebLDj3
13
- b3NwNwu0p/uq47eEYOKdILxXsZQRVKr8OZfhjPHIEw7d/6EpCCxG9I9Zj6KFAdga
14
- s8rquCKvb/8aXnL2Zz+QOhUGX9aAIpZJ7lNM95C1yjmRW/HcNonXcxBHqdi9+swO
15
- quagOBimj5BkUMRDWtMmr5bXDBGfxMeh6t1BrfcgtQgZy/FLkhjioObqD+WHAgMB
16
- AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAR1ogHg6V59JwM0+EN4LhN8m7eDiCkYM+
17
- hmko5gTdzOe3Z+n/eVMoyqJ9qnzQEkO0n4aWTiaO2gLKEtXFo3Qu1wjWEJqxD8/b
18
- YdH64Gp8sFKlrM8o8mACG6jPo8ueFxI0o9Brl2Q6pUkOlepXUaLzMw0txm1Nm/9c
19
- O29p1XGAPVEdi9OMqbT+eAnxgSTy/AWR33+1BrZF42zBIaM62yquEPyJ1O1igTio
20
- MV3ZxhX061z02+5B/6cit41pUClZabII6f/tHAPxxxn3zNHkmYn6eQ3DsZT3Stuf
21
- lXw8j0e2sFXpvOSk1otYEOVYUiTp4SpmCjdUV1qUPlbQ94qGP75dv5uYn5pN/hJ5
22
- UO/lGETzK1/ycUcoedDCzr7sQhfXB1Z47/NQ+RL4NVem941ujIfn8MKHyx99zKnT
23
- OI73Pn6Y7n1hZxoV6krRl7C3gzkI7Eo0bFQEwiZbRC7U30WaiFurfKi0puMlU1K3
24
- vdOPTy0rq6zGp3r1J6oITHiD/h+CxRxJTrGu9GbCUQlaoQfPqwXAdI7GQcwsSPto
25
- l1643eqDR3lST821TPE0Ln+Lvs8aQzYNVFaV79nhgncJHyPpP7j9/2k6CtsGAtVv
26
- qPOTJbxnOfwRDfbyDLWBoqHNxmfhq3KtE6ktVxyP9hUyGnAf8yAn3zaDx4V980N6
27
- 9FNkBniZB+Y=
28
- -----END CERTIFICATE REQUEST-----