certmeister 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Rakefile +2 -0
- data/fixtures/kbits_1024.csr +12 -0
- data/fixtures/kbits_4096.csr +28 -0
- data/lib/certmeister/policy/key_bits.rb +46 -0
- data/lib/certmeister/version.rb +1 -1
- data/spec/certmeister/policy/key_bits_spec.rb +48 -0
- metadata +8 -3
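--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 799bbad30dae1a1c0f05c7e3ba59dc4b3cc47467
+data.tar.gz: 447321524cd2661a7f439d5c19fa056efbc699b5
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c98b95cad7ff3960438ac4e8f1a4c73d5458f6774a3743a77694f85fbae21ba39be424176961276b243f7c51d703d4bf5c5cb646f3a515881eb5d7c631db1036
+data.tar.gz: bd53076b8e6b89f3ea3bcc493a5565698aa399e36cac58aa534e7d777f0f3a7071d99b5ff7e4c5dd2a490348ea973390a524928df420abc9a245da0af1044bf6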
data/Rakefile
CHANGED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
|
|
5
|
+
jQAwgYkCgYEAq14FktEw9Zilzj5DUKTI2Mix66A0Za5lTAeRmP1Ms9Hmjc+RnnCm
|
|
6
|
+
u5L6zPoHY8s6/8tbxewtu86L7v2SfKkJjLSKxZQLFxBEzMHOgzziHTyZ1zU5SPWv
|
|
7
|
+
Co8AQdlbZI8Wmai7dkxwdaA2xaWR4elHlgT78xDdYZXwRL75wfmkF/kCAwEAAaAA
|
|
8
|
+
MA0GCSqGSIb3DQEBBQUAA4GBAKHHpelQzMYFBXYa0VOWFiqRd1HXJfnUbo8D5xup
|
|
9
|
+
RzveAVlGTj83slgKvGigUupWdfk1S4KiUG1HsAyLcwl8lgOCO77CrdNPZC0qjB4+
|
|
10
|
+
pK3Xp2FMsK4+lp24FNR0tM31FA03DU8uhL8v5cvExHBn4idBEwO2W4OWPKVYKrtm
|
|
11
|
+
w9ne
|
|
12
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE REQUEST-----
|
|
2
|
+
MIIEtDCCApwCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
|
|
3
|
+
ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
|
|
4
|
+
GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCCAiIwDQYJKoZIhvcNAQEBBQAD
|
|
5
|
+
ggIPADCCAgoCggIBALVi/dpNu31zZ+Wvxf4DXEaxLwsUbzsaLCxt770RkzEo8OdU
|
|
6
|
+
DElf1WM7X+rdOJC3BDZ499Bigw5efpEhg2m2BmDl8DG1XmTvVKxIY6fvx9NWqTEt
|
|
7
|
+
KcvOni7g/OFzmUXHoesoc6gz2flwD4lmdSR+S1N2RwwlOG2ZpBKy35mtmDdq/MJG
|
|
8
|
+
Xj4rUafT4n9Pnmwzo9PPn54hjg7c7yQwUFWk0lOrsl7uhK1LMtQORME23oG0gK3N
|
|
9
|
+
zhtY9f0+6YJAbzJ3EI2/i7Oso4XiW9eHpujKhaMYO8ezm3KuYgdEoOTaH4mruSjE
|
|
10
|
+
34kmsTNonktiUdGMn/HqARgQKyVTyHmP+ocVcY8POzlJDcxMRVTYxQ4I9U1bz/eG
|
|
11
|
+
ugHiCw0YnxrXpClXT3RVfydV/B7+srw+Tw8ff+m7WSzYeDjDLVotlnGrXLKLHm6d
|
|
12
|
+
IA7n+fwBhliSSDNTu3ZVA5Vp72AEDqmfbRIcO4twIfkyu3TB3f2lf3g4LLebLDj3
|
|
13
|
+
b3NwNwu0p/uq47eEYOKdILxXsZQRVKr8OZfhjPHIEw7d/6EpCCxG9I9Zj6KFAdga
|
|
14
|
+
s8rquCKvb/8aXnL2Zz+QOhUGX9aAIpZJ7lNM95C1yjmRW/HcNonXcxBHqdi9+swO
|
|
15
|
+
quagOBimj5BkUMRDWtMmr5bXDBGfxMeh6t1BrfcgtQgZy/FLkhjioObqD+WHAgMB
|
|
16
|
+
AAGgADANBgkqhkiG9w0BAQsFAAOCAgEAR1ogHg6V59JwM0+EN4LhN8m7eDiCkYM+
|
|
17
|
+
hmko5gTdzOe3Z+n/eVMoyqJ9qnzQEkO0n4aWTiaO2gLKEtXFo3Qu1wjWEJqxD8/b
|
|
18
|
+
YdH64Gp8sFKlrM8o8mACG6jPo8ueFxI0o9Brl2Q6pUkOlepXUaLzMw0txm1Nm/9c
|
|
19
|
+
O29p1XGAPVEdi9OMqbT+eAnxgSTy/AWR33+1BrZF42zBIaM62yquEPyJ1O1igTio
|
|
20
|
+
MV3ZxhX061z02+5B/6cit41pUClZabII6f/tHAPxxxn3zNHkmYn6eQ3DsZT3Stuf
|
|
21
|
+
lXw8j0e2sFXpvOSk1otYEOVYUiTp4SpmCjdUV1qUPlbQ94qGP75dv5uYn5pN/hJ5
|
|
22
|
+
UO/lGETzK1/ycUcoedDCzr7sQhfXB1Z47/NQ+RL4NVem941ujIfn8MKHyx99zKnT
|
|
23
|
+
OI73Pn6Y7n1hZxoV6krRl7C3gzkI7Eo0bFQEwiZbRC7U30WaiFurfKi0puMlU1K3
|
|
24
|
+
vdOPTy0rq6zGp3r1J6oITHiD/h+CxRxJTrGu9GbCUQlaoQfPqwXAdI7GQcwsSPto
|
|
25
|
+
l1643eqDR3lST821TPE0Ln+Lvs8aQzYNVFaV79nhgncJHyPpP7j9/2k6CtsGAtVv
|
|
26
|
+
qPOTJbxnOfwRDfbyDLWBoqHNxmfhq3KtE6ktVxyP9hUyGnAf8yAn3zaDx4V980N6
|
|
27
|
+
9FNkBniZB+Y=
|
|
28
|
+
-----END CERTIFICATE REQUEST-----
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
require 'certmeister/policy/response'
|
|
2
|
+
require 'openssl'
|
|
3
|
+
|
|
4
|
+
module Certmeister
|
|
5
|
+
|
|
6
|
+
module Policy
|
|
7
|
+
|
|
8
|
+
class KeyBits
|
|
9
|
+
|
|
10
|
+
DEFAULT_MIN_KEY_BITS = 4096
|
|
11
|
+
|
|
12
|
+
attr_reader :min_key_bits
|
|
13
|
+
|
|
14
|
+
def initialize(min_key_bits = DEFAULT_MIN_KEY_BITS)
|
|
15
|
+
validate_min_key_bits(min_key_bits)
|
|
16
|
+
@min_key_bits = min_key_bits
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def authenticate(request)
|
|
20
|
+
if not request[:pem]
|
|
21
|
+
Certmeister::Policy::Response.new(false, "missing pem")
|
|
22
|
+
else
|
|
23
|
+
cert = OpenSSL::X509::Request.new(request[:pem])
|
|
24
|
+
pkey = cert.public_key
|
|
25
|
+
kbits = pkey.n.num_bytes * 8
|
|
26
|
+
if kbits < @min_key_bits
|
|
27
|
+
Certmeister::Policy::Response.new(false, "weak key")
|
|
28
|
+
else
|
|
29
|
+
Certmeister::Policy::Response.new(true, nil)
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def validate_min_key_bits(min_key_bits)
|
|
37
|
+
unless min_key_bits.is_a?(Integer)
|
|
38
|
+
raise ArgumentError.new("invalid minimum key size")
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
end
|
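Review bot: `kbits = pkey.n.num_bytes * 8` in `authenticate` (line 25 of key_bits.rb) assumes the CSR carries an RSA key; `OpenSSL::X509::Request#public_key` returns whatever key type the requester used, and an EC or DSA key has no `n` method, so a non-RSA CSR escapes as a NoMethodError instead of being refused. `num_bytes * 8` also rounds the modulus up to a whole byte, so a modulus a few bits short of `@min_key_bits` still passes, whereas `OpenSSL::BN#num_bits` gives the exact size. In the same method `OpenSSL::X509::Request.new` raises `OpenSSL::X509::RequestError` on an unparsable PEM and nothing rescues it; unless the other policies in this gem deliberately let parse errors propagate (not visible here), the policy should answer with a failed Response. Style: `if not request[:pem]` reads better as `unless request[:pem]`, and `raise ArgumentError.new("invalid minimum key size")` in `validate_min_key_bits` is conventionally `raise ArgumentError, "invalid minimum key size"`.
```ruby
def authenticate(request)
  return Certmeister::Policy::Response.new(false, "missing pem") unless request[:pem]

  csr = OpenSSL::X509::Request.new(request[:pem])
  pkey = csr.public_key
  # Only RSA keys expose a modulus; any other key type cannot be measured here.
  return Certmeister::Policy::Response.new(false, "unsupported key type") unless pkey.is_a?(OpenSSL::PKey::RSA)

  # Exact modulus size; num_bytes * 8 would round a short modulus up to the next byte.
  kbits = pkey.n.num_bits
  return Certmeister::Policy::Response.new(false, "weak key") if kbits < @min_key_bits

  Certmeister::Policy::Response.new(true, nil)
rescue OpenSSL::X509::RequestError
  Certmeister::Policy::Response.new(false, "invalid pem")
end
# … unchanged: validate_min_key_bits …
```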
data/lib/certmeister/version.rb
CHANGED
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
require 'certmeister/policy/key_bits'
|
|
4
|
+
|
|
5
|
+
describe Certmeister::Policy::KeyBits do
|
|
6
|
+
|
|
7
|
+
subject { Certmeister::Policy::KeyBits.new(4096) }
|
|
8
|
+
|
|
9
|
+
it "may be configured with a minimum key size in bits" do
|
|
10
|
+
expect { Certmeister::Policy::KeyBits.new("hamster") }.to raise_error(ArgumentError, "invalid minimum key size")
|
|
11
|
+
expect { Certmeister::Policy::KeyBits.new(4096) }.to_not raise_error
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it "defaults to #{Certmeister::Policy::KeyBits::DEFAULT_MIN_KEY_BITS} bits minimum key size" do
|
|
15
|
+
expect(described_class.new.min_key_bits).to eql Certmeister::Policy::KeyBits::DEFAULT_MIN_KEY_BITS
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
it "demands a request" do
|
|
19
|
+
expect { subject.authenticate }.to raise_error(ArgumentError)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
it "refuses to authenticate a request with a missing pem" do
|
|
23
|
+
response = subject.authenticate({anything: 'something'})
|
|
24
|
+
expect(response).to_not be_authenticated
|
|
25
|
+
expect(response.error).to eql "missing pem"
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it "refuses to authenticate an invalid request" do
|
|
29
|
+
pem = File.read('fixtures/kbits_1024.csr')
|
|
30
|
+
response = subject.authenticate({pem: pem})
|
|
31
|
+
expect(response).to_not be_authenticated
|
|
32
|
+
expect(response.error).to eql "weak key"
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "refuses to authenticate a request for a key with too few bits" do
|
|
36
|
+
pem = File.read('fixtures/kbits_1024.csr')
|
|
37
|
+
response = subject.authenticate({pem: pem})
|
|
38
|
+
expect(response).to_not be_authenticated
|
|
39
|
+
expect(response.error).to eql "weak key"
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it "authenticates a request for a key with sufficient bits" do
|
|
43
|
+
pem = File.read('fixtures/kbits_4096.csr')
|
|
44
|
+
response = subject.authenticate({pem: pem})
|
|
45
|
+
expect(response).to be_authenticated
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
end
|
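Review bot: The example "refuses to authenticate an invalid request" (lines 28–33 of key_bits_spec.rb) is a duplicate of the "too few bits" example below it — both read fixtures/kbits_1024.csr and expect "weak key" — so no malformed PEM ever reaches `OpenSSL::X509::Request.new` and the parse-failure path of `authenticate` is untested. Replace the fixture in that example with a non-CSR string, e.g. `response = subject.authenticate({pem: "not a certificate request"})`, and assert whichever outcome the policy is meant to produce for it (a refused Response, or a raised `OpenSSL::X509::RequestError` if propagating is the intended contract). A CSR carrying a non-RSA key is also not covered, though that needs an additional fixture. `File.read('fixtures/...')` is resolved against the working directory; presumably spec_helper or the Rakefile sets it, which is not visible here.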
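--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.2.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2016-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -78,6 +78,8 @@ files:
 - fixtures/client.crt
 - fixtures/client.csr
 - fixtures/client.key
+- fixtures/kbits_1024.csr
+- fixtures/kbits_4096.csr
 - lib/certmeister.rb
 - lib/certmeister/base.rb
 - lib/certmeister/config.rb
@@ -90,6 +92,7 @@ files:
 - lib/certmeister/policy/existing.rb
 - lib/certmeister/policy/fcrdns.rb
 - lib/certmeister/policy/ip.rb
+- lib/certmeister/policy/key_bits.rb
 - lib/certmeister/policy/noop.rb
 - lib/certmeister/policy/psk.rb
 - lib/certmeister/policy/response.rb
@@ -108,6 +111,7 @@ files:
 - spec/certmeister/policy/existing_spec.rb
 - spec/certmeister/policy/fcrdns_spec.rb
 - spec/certmeister/policy/ip_spec.rb
+- spec/certmeister/policy/key_bits_spec.rb
 - spec/certmeister/policy/noop_spec.rb
 - spec/certmeister/policy/psk_spec.rb
 - spec/certmeister/policy/response_spec.rb
@@ -139,7 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: Conditionally autosigning certificate authority.
@@ -154,6 +158,7 @@ test_files:
 - spec/certmeister/policy/existing_spec.rb
 - spec/certmeister/policy/fcrdns_spec.rb
 - spec/certmeister/policy/ip_spec.rb
+- spec/certmeister/policy/key_bits_spec.rb
 - spec/certmeister/policy/noop_spec.rb
 - spec/certmeister/policy/psk_spec.rb
 - spec/certmeister/policy/response_spec.rb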