certmeister 2.2.0 → 2.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -1
- data/SignatureAlgorithm.txt +28 -0
- data/certmeister.gemspec +1 -1
- data/fixtures/ecdsa.csr +10 -0
- data/fixtures/sha1_1024bit.csr +12 -0
- data/fixtures/sha1_4096bit.csr +28 -0
- data/fixtures/sha256_1024bit.csr +12 -0
- data/fixtures/sha256_4096bit.csr +28 -0
- data/lib/certmeister/policy/key_bits.rb +2 -0
- data/lib/certmeister/policy/signature_algorithm.rb +67 -0
- data/lib/certmeister/version.rb +1 -1
- data/spec/certmeister/policy/key_bits_spec.rb +5 -5
- data/spec/certmeister/policy/signature_algorithm_spec.rb +55 -0
- metadata +14 -8
- data/Gemfile.lock +0 -31
- data/fixtures/kbits_1024.csr +0 -12
- data/fixtures/kbits_4096.csr +0 -28
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 91d17da8b132ec96406859d320cf1054d92e5023
|
|
4
|
+
data.tar.gz: b7e3ca7db11270296498eb364c9ed4c5a9d201ad
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d5f5509b6e7792ebebf8eec73ea1b5b8da307c4aa8b1c384287dceff34e5b0794a148e93007d378efa1d2369c4caffebe009bdc1aaac4c0b0e756ff5c2cc598d
|
|
7
|
+
data.tar.gz: f14101564b1038b63f3509ea14487d4bc157f8c1df35c03cf941f125fdf93f4fcd9e7edaebbaa4d678ee4c268ab5d44455578e6fc8c66fbd8633640c04a09d76
|
data/.gitignore
CHANGED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
Feature: Signature algorithm policy
|
|
2
|
+
|
|
3
|
+
As the operator of a conditionally autosigning certification authority
|
|
4
|
+
When deciding whether to sign a certificate
|
|
5
|
+
I want to reject certificate signing requests with weak signature algorithms
|
|
6
|
+
In order to enforce the use of strong cryptography across our network.
|
|
7
|
+
|
|
8
|
+
Desired rspec output:
|
|
9
|
+
|
|
10
|
+
Certmeister::Policy::SignatureAlgorithm
|
|
11
|
+
may be configured with a set of strong signature algorithms
|
|
12
|
+
defaults to ["sha256"] as the set of strong signature algorithms
|
|
13
|
+
demands a request
|
|
14
|
+
refuses to authenticate a request with a missing pem
|
|
15
|
+
refuses to authenticate an invalid pem
|
|
16
|
+
refuses to authenticate a request with a weak signature algorithm
|
|
17
|
+
authenticates a request with a strong signature algorithm
|
|
18
|
+
|
|
19
|
+
Use spec/certmeister/policy/key_bits_spec.rb as a guide to specifying the behaviour.
|
|
20
|
+
|
|
21
|
+
Use lib/certmeister/policy/key_bits.rb as a guide to implementing the behaviour.
|
|
22
|
+
|
|
23
|
+
You may find these fixtures useful:
|
|
24
|
+
|
|
25
|
+
fixtures/sha1_4096bit.csr
|
|
26
|
+
fixtures/sha256_4096bit.csr
|
|
27
|
+
|
|
28
|
+
The signature algorithm of a CSR is provided by the OpenSSL::X509::Request#signature_algorithm method.
|
data/certmeister.gemspec
CHANGED
|
@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
|
|
|
23
23
|
spec.require_paths = ["lib"]
|
|
24
24
|
|
|
25
25
|
spec.add_development_dependency "bundler", "~> 1.5"
|
|
26
|
-
spec.add_development_dependency "rake", "~> 10.4
|
|
26
|
+
spec.add_development_dependency "rake", "~> 10.4"
|
|
27
27
|
spec.add_development_dependency "rspec", "~> 3.1"
|
|
28
28
|
end
|
data/fixtures/ecdsa.csr
ADDED
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIBZzCB7gIBADBvMQswCQYDVQQGEwJaQTEVMBMGA1UECAwMV2VzdGVybiBDYXBl
|
|
3
|
+
MRIwEAYDVQQHDAlDYXBlIFRvd24xGDAWBgNVBAoMD0hldHpuZXIgUFRZIEx0ZDEb
|
|
4
|
+
MBkGA1UEAwwSYXhsLmhldHpuZXIuYWZyaWNhMHYwEAYHKoZIzj0CAQYFK4EEACID
|
|
5
|
+
YgAEKxZhR5/G3bds3LOkA1dL88O0zyyk6zMlQ2KTf6Cl/rE6cCLAq3vI53cM4FDc
|
|
6
|
+
DHCq8ZQwt+e6GUC/CXizCEx9sNg2Sdx1YvpPhMhNyAYd0WjTenAkUmpG+Mdx1q+m
|
|
7
|
+
5OMfoAAwCgYIKoZIzj0EAwMDaAAwZQIxAPxLD6+F1Eu2onDYfyguJ1DOz600NBJ5
|
|
8
|
+
IoY0PgsMYDtu+sJn+7XmjBsw4WYhJHwb+QIwWxt2M0uJP/+BexmH4eOufc9Iw/bk
|
|
9
|
+
PArUpgT3hwfJS8lUB/D9PN0K95BU6AvzG/iG
|
|
10
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
|
|
5
|
+
jQAwgYkCgYEA0SMKeQYOacF+wQ4GfsyEf8r5PdBW51MHf9kJS0TU0jfHxP4y6epA
|
|
6
|
+
HPxsZUSNLsGuHCKar4oXiEjKePsMpRBcuIF8MQyernrFwFFuT5PigHlwiqvcAGZj
|
|
7
|
+
pOsR2zg0sOHRDyaYwnOtA1PtMHpcy0V4g7p06t1bRrP3KfeAUD/+VPMCAwEAAaAA
|
|
8
|
+
MA0GCSqGSIb3DQEBBQUAA4GBAMyBS386mKoS9DkyK2x37sxmFTqrzZrW1HOAbUz3
|
|
9
|
+
mAWIF6w29ddtjiPijjPO/uM9C3L3/AuxttYRwNqQ8K7js1O6y1ZO8eWOPgGLUo77
|
|
10
|
+
AIznjobOrZGRn4rvLgY1pE+xuQx6S5YeC3SMcIXogL+58Pzwg7SQtFQwB45ErDWW
|
|
11
|
+
eNnz
|
|
12
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
|
|
5
|
+
ggIPADCCAgoCggIBAPAQvQSgOxZuxZV++QDINS2i0L7KDW84WZOPHGzdtGbUaQl4
|
|
6
|
+
3LpltYOFR3eSySq0iCaE9dIp7c+H4MtLSiKH82Nfbk9qdiwSKfAk6J9I/iTudRO8
|
|
7
|
+
M2HQUNO2M9cyg3E8Ivu/GC1AXbTV9wBgdBwZwLyS1JMYofuizeEaB/yz1pDdko2e
|
|
8
|
+
shgXDbDz0rjA32m0LvY9mNERn7s5Ad/p46WC1UvWWYBAHClCk1dC2R+mA8fO7z++
|
|
9
|
+
oRiTlgMkW+bwVI8NsNXqSULJAd6rL65pn5FHGAnodr4BWPNl8fh/kKl3O02M08Th
|
|
10
|
+
ATRwnU3n1nKaEAgHxYRKq8IbwtosUBkJlzSu8NLII/T6G8KQWad2xmqf5SZCGoOt
|
|
11
|
+
/sCUiPSlaPoN2jCfgsZyidZy/LGlrwMFIVUjvEjCtCsxVIpFcfNbFB1oOSH2uhcj
|
|
12
|
+
bbitrUwbcuv4e0495j30d7ajgfcwMyzRZoCMCzxpEsnPI5Ld7rUyAh6uBprnDP30
|
|
13
|
+
ZjIxp7vumTWhaYSxCdOBRCPDKvUR3xNugD/HBC202bbvkNIHq0RVCRud9Hi6qxJs
|
|
14
|
+
JLseE696ee3gKzYAU3z96rN16/DAxYjq9dy1upEa3sGM3UwYVHR9kjSHF2yrY17A
|
|
15
|
+
gqh13rOLmB3QKdBjAjf6PGA+AnMIlSbFHIra7QjKfbRwCv5ZfoFU/kMjhQg7AgMB
|
|
16
|
+
AAGgADANBgkqhkiG9w0BAQUFAAOCAgEA4GeMExrX4kNhzqgXR1+q9Wp/izDHHC6a
|
|
17
|
+
xTkVEHPfT8+jsd9bfwF3HPZB3VhGzsic6dUiQAcRxUC6Yv6CI/Z67lyJNyxiaeKf
|
|
18
|
+
9RH3NNm6paNPtRK0TW33nTpTuYDtHqgCInvZt1JfXXoP6t0uqqj6WgM/o57D16JN
|
|
19
|
+
BWFf2E6MZGt0WJs+aUff+R7y5ZJA9XHs2ZWvU/TYR+YjJ8kTzbw2+QKdbTJzQjcw
|
|
20
|
+
4YBWtj9nBwvWwIOQkzIWokRS8h5PgR4EIevkkFjbq6zU+ue1IzTEAD8G6a2YTzrW
|
|
21
|
+
qqwDlB4YtaQsGhEn600lrl33IGqpEABB32l8oKQtlJVxlZ8TcIVRkXLVXps1skIU
|
|
22
|
+
f7HeVN8OlgD85rhCoikTXGvBQXiFww1y/2CT8sfX7w3Z8F/0kPHavdo/goe5316f
|
|
23
|
+
l0jwJbpO5dNpL/kPxLxjJjXx6s0Ky8ZCKrk7vYpBhlLgCTCl9cLCfac4xD6kcANn
|
|
24
|
+
68PNJ03jn0nVzds7gs3ad8v8T85l7lypQf77fd2Zci7MXtJ3NA59/51a+1jXEf/0
|
|
25
|
+
vJAB1ktx31CKWip8c7iBErI+oV8T8Y8kGBsmGl2Ey/iqFz0xo7CqV7Lt/glzNg+w
|
|
26
|
+
Rir40w7f5XAZIIEtONHnrqJEfNGa+KesQe776YlwzUQ30/kar1peD5vsMgwS14V1
|
|
27
|
+
kr0+IF2eEro=
|
|
28
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
|
|
5
|
+
jQAwgYkCgYEA0SMKeQYOacF+wQ4GfsyEf8r5PdBW51MHf9kJS0TU0jfHxP4y6epA
|
|
6
|
+
HPxsZUSNLsGuHCKar4oXiEjKePsMpRBcuIF8MQyernrFwFFuT5PigHlwiqvcAGZj
|
|
7
|
+
pOsR2zg0sOHRDyaYwnOtA1PtMHpcy0V4g7p06t1bRrP3KfeAUD/+VPMCAwEAAaAA
|
|
8
|
+
MA0GCSqGSIb3DQEBCwUAA4GBAIHXr0IMku2vkQtgqYCdkfpba0SG2lDLrXX47Oec
|
|
9
|
+
bVy2s97y7ujJdAQgH7jExvYMsIa1sVOTG1kCczmLuMb8A8PowmJ4QQi35aE9O36f
|
|
10
|
+
1WaaG89HOepP4WkkiPYX8W62f43vYY2psmOtsJ3XrkZUMPE69QgzILqNC+hU6rnG
|
|
11
|
+
uToc
|
|
12
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
|
|
5
|
+
ggIPADCCAgoCggIBAPAQvQSgOxZuxZV++QDINS2i0L7KDW84WZOPHGzdtGbUaQl4
|
|
6
|
+
3LpltYOFR3eSySq0iCaE9dIp7c+H4MtLSiKH82Nfbk9qdiwSKfAk6J9I/iTudRO8
|
|
7
|
+
M2HQUNO2M9cyg3E8Ivu/GC1AXbTV9wBgdBwZwLyS1JMYofuizeEaB/yz1pDdko2e
|
|
8
|
+
shgXDbDz0rjA32m0LvY9mNERn7s5Ad/p46WC1UvWWYBAHClCk1dC2R+mA8fO7z++
|
|
9
|
+
oRiTlgMkW+bwVI8NsNXqSULJAd6rL65pn5FHGAnodr4BWPNl8fh/kKl3O02M08Th
|
|
10
|
+
ATRwnU3n1nKaEAgHxYRKq8IbwtosUBkJlzSu8NLII/T6G8KQWad2xmqf5SZCGoOt
|
|
11
|
+
/sCUiPSlaPoN2jCfgsZyidZy/LGlrwMFIVUjvEjCtCsxVIpFcfNbFB1oOSH2uhcj
|
|
12
|
+
bbitrUwbcuv4e0495j30d7ajgfcwMyzRZoCMCzxpEsnPI5Ld7rUyAh6uBprnDP30
|
|
13
|
+
ZjIxp7vumTWhaYSxCdOBRCPDKvUR3xNugD/HBC202bbvkNIHq0RVCRud9Hi6qxJs
|
|
14
|
+
JLseE696ee3gKzYAU3z96rN16/DAxYjq9dy1upEa3sGM3UwYVHR9kjSHF2yrY17A
|
|
15
|
+
gqh13rOLmB3QKdBjAjf6PGA+AnMIlSbFHIra7QjKfbRwCv5ZfoFU/kMjhQg7AgMB
|
|
16
|
+
AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAXJO7tsgW4CJ+cwRFJ3slEEaLYl0jsHiZ
|
|
17
|
+
91dCtAmqs6BWAfrpNeLJIvmRqhugnL97nWnxhSLQP0/ssRdqOv1U91Mw9KsLQAMe
|
|
18
|
+
MkXQ14TraKwRV2UlL56deDBzl4HBTLtCf1Arlj4FucUysqndzFfWMhsDF2/QONyl
|
|
19
|
+
YGz4pKX1OQ4eb+UeZ7k7gmiJT0Xq1PQr7YP/hgr+euIZtwzgdMujqgQo/y8XoHXk
|
|
20
|
+
ISvfXgotowP3WrOqbrjo4k/+PSOxMGG497SG8q2crSXIQrThd/EpsIOpcyeqh5rb
|
|
21
|
+
wCpGqb0i33Bbk63grHE3J+BH5lNr2txBtxFaYYywHhz/RsI9m+o9DNPfR7ABvFtt
|
|
22
|
+
wzDYKNLGj8hsK/GbVNfY+25FnLZetnuKZHWGVQaltzLrn+qRWt1zEkUcQz1ir89g
|
|
23
|
+
Dn75kK2mpxJTK/tI/65eQRfpWGviepTItmof8SmnXE22qguU2hzAf+GMGBmvUU8b
|
|
24
|
+
1jctN8wOwt+EK47YCC9PtbgVAPlzGV+RTlO5K0nUPcRUjL5FXCJB5FLhAJ3hYR4H
|
|
25
|
+
dqMEYhoHdgTT65wrF3Mfw7z26qhDmN8eIp0T3qKE/A0hGUWBdyHtnF96Z2ymzTHQ
|
|
26
|
+
MA8TdHUoLmEW6DN9BgOATi0BzUAL2e6VTIqNFx6deRrm0kSGPQ0haR2shWfDHjMS
|
|
27
|
+
+DgHYI3c0do=
|
|
28
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
require 'certmeister/policy/response'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
|
|
4
|
+
module Certmeister
|
|
5
|
+
|
|
6
|
+
module Policy
|
|
7
|
+
|
|
8
|
+
class SignatureAlgorithm
|
|
9
|
+
|
|
10
|
+
DEFAULT_SIGNATURE_ALGORITHMS = ["sha256", "sha384", "sha512"]
|
|
11
|
+
|
|
12
|
+
attr_reader :signature_algorithms
|
|
13
|
+
|
|
14
|
+
def initialize(signature_algorithms = DEFAULT_SIGNATURE_ALGORITHMS)
|
|
15
|
+
validate_signature_algorithms(signature_algorithms)
|
|
16
|
+
@signature_algorithms = signature_algorithms
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def authenticate(request)
|
|
20
|
+
if not request[:pem]
|
|
21
|
+
return Certmeister::Policy::Response.new(false, "missing pem")
|
|
22
|
+
else
|
|
23
|
+
cert = OpenSSL::X509::Request.new(request[:pem])
|
|
24
|
+
signature_algorithm = cert.signature_algorithm
|
|
25
|
+
if signature_algorithm = check_for_supported_signature_algorithm(signature_algorithm)
|
|
26
|
+
check_signature_algorithm_strength(signature_algorithm)
|
|
27
|
+
else
|
|
28
|
+
return Certmeister::Policy::Response.new(false, "unknown/unsupported signature algorithm (#{cert.signature_algorithm})")
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
rescue OpenSSL::X509::RequestError => e
|
|
32
|
+
return Certmeister::Policy::Response.new(false, "invalid pem (#{e.message})")
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
private
|
|
36
|
+
|
|
37
|
+
def validate_signature_algorithms(signature_algorithms)
|
|
38
|
+
unless signature_algorithms.kind_of?(Array)
|
|
39
|
+
raise ArgumentError.new("invalid set of signature algorithms")
|
|
40
|
+
end
|
|
41
|
+
signature_algorithms.each do |element|
|
|
42
|
+
unless element.kind_of?(String)
|
|
43
|
+
raise ArgumentError.new("invalid set of signature algorithms")
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def check_for_supported_signature_algorithm(signature_algorithm)
|
|
49
|
+
if signature_algorithm.include? "WithRSAEncryption"
|
|
50
|
+
return signature_algorithm = signature_algorithm.sub("WithRSAEncryption", "")
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
def check_signature_algorithm_strength(signature_algorithm)
|
|
56
|
+
if @signature_algorithms.include? signature_algorithm
|
|
57
|
+
return Certmeister::Policy::Response.new(true, nil)
|
|
58
|
+
else
|
|
59
|
+
return Certmeister::Policy::Response.new(false, "weak signature algorithm")
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
end
|
data/lib/certmeister/version.rb
CHANGED
|
@@ -25,22 +25,22 @@ describe Certmeister::Policy::KeyBits do
|
|
|
25
25
|
expect(response.error).to eql "missing pem"
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
-
it "refuses to authenticate an invalid
|
|
29
|
-
pem =
|
|
28
|
+
it "refuses to authenticate an invalid pem" do
|
|
29
|
+
pem = "bad input"
|
|
30
30
|
response = subject.authenticate({pem: pem})
|
|
31
31
|
expect(response).to_not be_authenticated
|
|
32
|
-
expect(response.error).to eql "
|
|
32
|
+
expect(response.error).to eql "invalid pem (not enough data)"
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
it "refuses to authenticate a request for a key with too few bits" do
|
|
36
|
-
pem = File.read('fixtures/
|
|
36
|
+
pem = File.read('fixtures/sha256_1024bit.csr')
|
|
37
37
|
response = subject.authenticate({pem: pem})
|
|
38
38
|
expect(response).to_not be_authenticated
|
|
39
39
|
expect(response.error).to eql "weak key"
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
it "authenticates a request for a key with sufficient bits" do
|
|
43
|
-
pem = File.read('fixtures/
|
|
43
|
+
pem = File.read('fixtures/sha256_4096bit.csr')
|
|
44
44
|
response = subject.authenticate({pem: pem})
|
|
45
45
|
expect(response).to be_authenticated
|
|
46
46
|
end
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
require 'certmeister/policy/signature_algorithm'
|
|
4
|
+
|
|
5
|
+
describe Certmeister::Policy::SignatureAlgorithm do
|
|
6
|
+
|
|
7
|
+
subject { Certmeister::Policy::SignatureAlgorithm.new(["sha256", "sha384", "sha512"]) }
|
|
8
|
+
|
|
9
|
+
it "may be configured with a set of strong signature algorithms" do
|
|
10
|
+
expect { Certmeister::Policy::SignatureAlgorithm.new([1,2])}.to raise_error(ArgumentError, "invalid set of signature algorithms")
|
|
11
|
+
expect { Certmeister::Policy::SignatureAlgorithm.new(["one", "two", "three"]) }.to_not raise_error
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it "defaults to #{Certmeister::Policy::SignatureAlgorithm::DEFAULT_SIGNATURE_ALGORITHMS} as the set of strong signature algorithms" do
|
|
15
|
+
expect(described_class.new.signature_algorithms).to eql Certmeister::Policy::SignatureAlgorithm::DEFAULT_SIGNATURE_ALGORITHMS
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
it "demands a request" do
|
|
19
|
+
expect { subject.authenticate }.to raise_error(ArgumentError)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
it "refuses to authenticate a request with a missing pem" do
|
|
23
|
+
response = subject.authenticate({anything: 'something'})
|
|
24
|
+
expect(response).to_not be_authenticated
|
|
25
|
+
expect(response.error).to eql "missing pem"
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it "refuses to authenticate an invalid pem" do
|
|
29
|
+
pem = "bad input"
|
|
30
|
+
response = subject.authenticate({pem: pem})
|
|
31
|
+
expect(response).to_not be_authenticated
|
|
32
|
+
expect(response.error).to eql "invalid pem (not enough data)"
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "refuses to authenticate a request with a weak signature algorithm" do
|
|
36
|
+
pem = File.read('fixtures/sha1_4096bit.csr')
|
|
37
|
+
response = subject.authenticate({pem: pem})
|
|
38
|
+
expect(response).to_not be_authenticated
|
|
39
|
+
expect(response.error).to eql "weak signature algorithm"
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it "authenticates a request with a strong signature algorithm" do
|
|
43
|
+
pem = File.read('fixtures/sha256_4096bit.csr')
|
|
44
|
+
response = subject.authenticate({pem: pem})
|
|
45
|
+
expect(response).to be_authenticated
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it "refuses to authenticate a request with an unknown/unsupported signature algorithm" do
|
|
49
|
+
pem = File.read('fixtures/ecdsa.csr')
|
|
50
|
+
response = subject.authenticate({pem: pem})
|
|
51
|
+
expect(response).to_not be_authenticated
|
|
52
|
+
expect(response.error).to eql "unknown/unsupported signature algorithm (ecdsa-with-SHA384)"
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: certmeister
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sheldon Hearn
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-01-
|
|
11
|
+
date: 2016-01-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 10.4
|
|
33
|
+
version: '10.4'
|
|
34
34
|
type: :development
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 10.4
|
|
40
|
+
version: '10.4'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: rspec
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -67,10 +67,10 @@ files:
|
|
|
67
67
|
- ".ruby-gemset"
|
|
68
68
|
- ".ruby-version"
|
|
69
69
|
- Gemfile
|
|
70
|
-
- Gemfile.lock
|
|
71
70
|
- LICENSE
|
|
72
71
|
- README.md
|
|
73
72
|
- Rakefile
|
|
73
|
+
- SignatureAlgorithm.txt
|
|
74
74
|
- certmeister.gemspec
|
|
75
75
|
- fixtures/ca.crt
|
|
76
76
|
- fixtures/ca.csr
|
|
@@ -78,8 +78,11 @@ files:
|
|
|
78
78
|
- fixtures/client.crt
|
|
79
79
|
- fixtures/client.csr
|
|
80
80
|
- fixtures/client.key
|
|
81
|
-
- fixtures/
|
|
82
|
-
- fixtures/
|
|
81
|
+
- fixtures/ecdsa.csr
|
|
82
|
+
- fixtures/sha1_1024bit.csr
|
|
83
|
+
- fixtures/sha1_4096bit.csr
|
|
84
|
+
- fixtures/sha256_1024bit.csr
|
|
85
|
+
- fixtures/sha256_4096bit.csr
|
|
83
86
|
- lib/certmeister.rb
|
|
84
87
|
- lib/certmeister/base.rb
|
|
85
88
|
- lib/certmeister/config.rb
|
|
@@ -96,6 +99,7 @@ files:
|
|
|
96
99
|
- lib/certmeister/policy/noop.rb
|
|
97
100
|
- lib/certmeister/policy/psk.rb
|
|
98
101
|
- lib/certmeister/policy/response.rb
|
|
102
|
+
- lib/certmeister/policy/signature_algorithm.rb
|
|
99
103
|
- lib/certmeister/response.rb
|
|
100
104
|
- lib/certmeister/self_test.rb
|
|
101
105
|
- lib/certmeister/store_error.rb
|
|
@@ -115,6 +119,7 @@ files:
|
|
|
115
119
|
- spec/certmeister/policy/noop_spec.rb
|
|
116
120
|
- spec/certmeister/policy/psk_spec.rb
|
|
117
121
|
- spec/certmeister/policy/response_spec.rb
|
|
122
|
+
- spec/certmeister/policy/signature_algorithm_spec.rb
|
|
118
123
|
- spec/certmeister/response_spec.rb
|
|
119
124
|
- spec/certmeister/self_test_spec.rb
|
|
120
125
|
- spec/helpers/certmeister_config_helper.rb
|
|
@@ -143,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
143
148
|
version: '0'
|
|
144
149
|
requirements: []
|
|
145
150
|
rubyforge_project:
|
|
146
|
-
rubygems_version: 2.5.1
|
|
151
|
+
rubygems_version: 2.4.5.1
|
|
147
152
|
signing_key:
|
|
148
153
|
specification_version: 4
|
|
149
154
|
summary: Conditionally autosigning certificate authority.
|
|
@@ -162,6 +167,7 @@ test_files:
|
|
|
162
167
|
- spec/certmeister/policy/noop_spec.rb
|
|
163
168
|
- spec/certmeister/policy/psk_spec.rb
|
|
164
169
|
- spec/certmeister/policy/response_spec.rb
|
|
170
|
+
- spec/certmeister/policy/signature_algorithm_spec.rb
|
|
165
171
|
- spec/certmeister/response_spec.rb
|
|
166
172
|
- spec/certmeister/self_test_spec.rb
|
|
167
173
|
- spec/helpers/certmeister_config_helper.rb
|
data/Gemfile.lock
DELETED
|
@@ -1,31 +0,0 @@
|
|
|
1
|
-
PATH
|
|
2
|
-
remote: .
|
|
3
|
-
specs:
|
|
4
|
-
certmeister (2.1.0)
|
|
5
|
-
|
|
6
|
-
GEM
|
|
7
|
-
remote: http://rubygems.org/
|
|
8
|
-
specs:
|
|
9
|
-
diff-lcs (1.2.5)
|
|
10
|
-
rake (10.4.2)
|
|
11
|
-
rspec (3.1.0)
|
|
12
|
-
rspec-core (~> 3.1.0)
|
|
13
|
-
rspec-expectations (~> 3.1.0)
|
|
14
|
-
rspec-mocks (~> 3.1.0)
|
|
15
|
-
rspec-core (3.1.7)
|
|
16
|
-
rspec-support (~> 3.1.0)
|
|
17
|
-
rspec-expectations (3.1.2)
|
|
18
|
-
diff-lcs (>= 1.2.0, < 2.0)
|
|
19
|
-
rspec-support (~> 3.1.0)
|
|
20
|
-
rspec-mocks (3.1.3)
|
|
21
|
-
rspec-support (~> 3.1.0)
|
|
22
|
-
rspec-support (3.1.2)
|
|
23
|
-
|
|
24
|
-
PLATFORMS
|
|
25
|
-
ruby
|
|
26
|
-
|
|
27
|
-
DEPENDENCIES
|
|
28
|
-
bundler (~> 1.5)
|
|
29
|
-
certmeister!
|
|
30
|
-
rake (~> 10.4.2)
|
|
31
|
-
rspec (~> 3.1)
|
data/fixtures/kbits_1024.csr
DELETED
|
@@ -1,12 +0,0 @@
|
|
|
1
|
-
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
-
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
-
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
-
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
|
|
5
|
-
jQAwgYkCgYEAq14FktEw9Zilzj5DUKTI2Mix66A0Za5lTAeRmP1Ms9Hmjc+RnnCm
|
|
6
|
-
u5L6zPoHY8s6/8tbxewtu86L7v2SfKkJjLSKxZQLFxBEzMHOgzziHTyZ1zU5SPWv
|
|
7
|
-
Co8AQdlbZI8Wmai7dkxwdaA2xaWR4elHlgT78xDdYZXwRL75wfmkF/kCAwEAAaAA
|
|
8
|
-
MA0GCSqGSIb3DQEBBQUAA4GBAKHHpelQzMYFBXYa0VOWFiqRd1HXJfnUbo8D5xup
|
|
9
|
-
RzveAVlGTj83slgKvGigUupWdfk1S4KiUG1HsAyLcwl8lgOCO77CrdNPZC0qjB4+
|
|
10
|
-
pK3Xp2FMsK4+lp24FNR0tM31FA03DU8uhL8v5cvExHBn4idBEwO2W4OWPKVYKrtm
|
|
11
|
-
w9ne
|
|
12
|
-
-----END CERTIFICATE REQUEST-----
|
data/fixtures/kbits_4096.csr
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
-
MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
-
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
-
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
|
|
5
|
-
ggIPADCCAgoCggIBALVi/dpNu31zZ+Wvxf4DXEaxLwsUbzsaLCxt770RkzEo8OdU
|
|
6
|
-
DElf1WM7X+rdOJC3BDZ499Bigw5efpEhg2m2BmDl8DG1XmTvVKxIY6fvx9NWqTEt
|
|
7
|
-
KcvOni7g/OFzmUXHoesoc6gz2flwD4lmdSR+S1N2RwwlOG2ZpBKy35mtmDdq/MJG
|
|
8
|
-
Xj4rUafT4n9Pnmwzo9PPn54hjg7c7yQwUFWk0lOrsl7uhK1LMtQORME23oG0gK3N
|
|
9
|
-
zhtY9f0+6YJAbzJ3EI2/i7Oso4XiW9eHpujKhaMYO8ezm3KuYgdEoOTaH4mruSjE
|
|
10
|
-
34kmsTNonktiUdGMn/HqARgQKyVTyHmP+ocVcY8POzlJDcxMRVTYxQ4I9U1bz/eG
|
|
11
|
-
ugHiCw0YnxrXpClXT3RVfydV/B7+srw+Tw8ff+m7WSzYeDjDLVotlnGrXLKLHm6d
|
|
12
|
-
IA7n+fwBhliSSDNTu3ZVA5Vp72AEDqmfbRIcO4twIfkyu3TB3f2lf3g4LLebLDj3
|
|
13
|
-
b3NwNwu0p/uq47eEYOKdILxXsZQRVKr8OZfhjPHIEw7d/6EpCCxG9I9Zj6KFAdga
|
|
14
|
-
s8rquCKvb/8aXnL2Zz+QOhUGX9aAIpZJ7lNM95C1yjmRW/HcNonXcxBHqdi9+swO
|
|
15
|
-
quagOBimj5BkUMRDWtMmr5bXDBGfxMeh6t1BrfcgtQgZy/FLkhjioObqD+WHAgMB
|
|
16
|
-
AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAR1ogHg6V59JwM0+EN4LhN8m7eDiCkYM+
|
|
17
|
-
hmko5gTdzOe3Z+n/eVMoyqJ9qnzQEkO0n4aWTiaO2gLKEtXFo3Qu1wjWEJqxD8/b
|
|
18
|
-
YdH64Gp8sFKlrM8o8mACG6jPo8ueFxI0o9Brl2Q6pUkOlepXUaLzMw0txm1Nm/9c
|
|
19
|
-
O29p1XGAPVEdi9OMqbT+eAnxgSTy/AWR33+1BrZF42zBIaM62yquEPyJ1O1igTio
|
|
20
|
-
MV3ZxhX061z02+5B/6cit41pUClZabII6f/tHAPxxxn3zNHkmYn6eQ3DsZT3Stuf
|
|
21
|
-
lXw8j0e2sFXpvOSk1otYEOVYUiTp4SpmCjdUV1qUPlbQ94qGP75dv5uYn5pN/hJ5
|
|
22
|
-
UO/lGETzK1/ycUcoedDCzr7sQhfXB1Z47/NQ+RL4NVem941ujIfn8MKHyx99zKnT
|
|
23
|
-
OI73Pn6Y7n1hZxoV6krRl7C3gzkI7Eo0bFQEwiZbRC7U30WaiFurfKi0puMlU1K3
|
|
24
|
-
vdOPTy0rq6zGp3r1J6oITHiD/h+CxRxJTrGu9GbCUQlaoQfPqwXAdI7GQcwsSPto
|
|
25
|
-
l1643eqDR3lST821TPE0Ln+Lvs8aQzYNVFaV79nhgncJHyPpP7j9/2k6CtsGAtVv
|
|
26
|
-
qPOTJbxnOfwRDfbyDLWBoqHNxmfhq3KtE6ktVxyP9hUyGnAf8yAn3zaDx4V980N6
|
|
27
|
-
9FNkBniZB+Y=
|
|
28
|
-
-----END CERTIFICATE REQUEST-----
|