devpki 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6955eee6a2a6194ffed37756e37a08addf819630
-  data.tar.gz: c034539b017c45656535e837435115a32b9a535d
+  metadata.gz: fbc7720cc112b9758de034e6fa6f28f9ae19c364
+  data.tar.gz: feebcd561f7f8b042b008ddb16ec3e304a2e273d
 SHA512:
-  metadata.gz: 53625e5fc5e30459f56872633c8d32a4adcd542a3f85ce145bd2d6ea3a27485510f00593ea245c98ee3facff55d02211e8769e9319bdfbbe831fbd700e42f0e1
-  data.tar.gz: afcecd2f7a8702c57cc7d94f477b0b73259aaf290e1444fa0eab6a876c86058d75932aac132ee8efe61d0713d93d8a172bbdc9370a8e934694d8e16b6dc655e3
+  metadata.gz: 813fc219225e95e0639863df5ce58c90ded9139f663664788ec2b4c948adafb11c02d97735380d08d4c098f6115357279138225061790411363d7a5f29f7b193
+  data.tar.gz: 7a2e93ee9961430d3642c43dfe34cc31383e75e3a7fd5740ab43d74def64ee667cee22acf275ae02e16e926633071e789505e59c7e4e212038a722ba627c2c81

data/devpki.gemspec

@@ -22,5 +22,6 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "sqlite3"
   spec.add_runtime_dependency "xdg"
   spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "pry"
   spec.add_development_dependency "rake"
 end

data/lib/devpki/cli/ocsp.rb

@@ -1,10 +1,11 @@
 require 'devpki'
 require 'thor'
 require 'net/http'
+require 'pry'
 
 module DevPKI
   class CLI < Thor
-    desc "ocsp [--method=get|post] --uri=<ocsp uri> ISSUER_CER_FILE:SUBJ_A.CER[,SUBJ_B.CER...]...", "Performs an OCSP query"
+    desc "ocsp [--method=get|post] --uri=<ocsp uri> [--chain-certs=ca1.cer,ca2.cer...] ISSUER_CER_FILE:SUBJ_A.CER[,SUBJ_B.CER...]...", "Performs an OCSP query"
     long_desc <<-LONGDESC
         This command performs an OCSP query against the given OCSP URI, over HTTP. To perform
         a query, at least 2 certificates are needed - the CA certificate and the subject certificate
@@ -22,13 +23,20 @@ module DevPKI
     LONGDESC
     option :method, :default => "post", :banner => "get|post", :desc => "Method to use. GET as per RFC5019, or POST as per RFC2560. Defaults to POST."
     option :uri, :banner => "<ocsp uri>", :required => true, :desc => "OCSP responder URI."
+    option :"chain-certs", :banner => "ca1.cer,ca2.cer...", :desc => "Trusted certificates that can be used, when verifying OCSP response signature."
 
     def ocsp(*cer_files)
 
       raise InvalidOption.new("Please specify at least one CA and subject certificate file.") if cer_files.empty?
 
+      chain_cert_files = []
+      if options[:"chain-certs"] != nil
+        chain_cert_files=options[:"chain-certs"].split(",")
+      end
+
       ca_subj_map = {}
       cer_files.each do |ca_subj_pair|
+
         raise InvalidOption.new("\"#{ca_subj_pair}\" is an invalid CA and subject pair. Please pass a pair with format similar to \"ca.cer:a.cer[,b.cer...]\"") if not ca_subj_pair.include?(":")
 
         ca_subjlist_split = ca_subj_pair.split(":")
@@ -55,6 +63,12 @@ module DevPKI
 
       cert_ids = []
       store = OpenSSL::X509::Store.new
+      chain_cert_files.each do |chain_cert_file|
+        puts "Adding #{chain_cert_file} to store"
+        store.add_file(chain_cert_file)
+      end
+      #store.set_default_paths
+      #store.add_file("root.crt")
 
       ca_subj_map.each_pair do |ca_file, subj_file_list|
         ca_cert = OpenSSL::X509::Certificate.new File.read(ca_file)
@@ -73,6 +87,7 @@ module DevPKI
       end
 
       request_uri = URI(options[:uri])
+      request_uri.path = "/" if request_uri.path.to_s.empty?
 
       http_req = Net::HTTP::Post.new(request_uri.path)
       http_req.content_type = "application/ocsp-request"
@@ -92,26 +107,61 @@ module DevPKI
       puts "Status: #{response.status}"
       puts "Status string: #{response.status_string}"
 
+      # Statuses from http://tools.ietf.org/html/rfc2560 section 4.2.1
+      #
+      # successful            (0),  --Response has valid confirmations
+      # malformedRequest      (1),  --Illegal confirmation request
+      # internalError         (2),  --Internal error in issuer
+      # tryLater              (3),  --Try again later
+      #                             --(4) is not used
+      # sigRequired           (5),  --Must sign the request
+      # unauthorized          (6)   --Request unauthorized
       if response.status != 0
         raise StandardError, "Not a successful status"
       end
-      if response.basic[0][0].serial != cert.serial
-        raise StandardError, "Not the same serial"
-      end
-      if response.basic[0][1] != 0 # 0 is good, 1 is revoked, 2 is unknown.
-        raise StandardError, "Not a good status"
-      end
-      current_time = Time.now
-      if response.basic[0][4] > current_time or response.basic[0][5] < current_time
-        raise StandardError, "The response is not within its validity window"
-      end
 
-      # we also need to verify that the OCSP response is signed by
-      # a certificate that is allowed and chains up to a trusted root.
-      # To do this you'll need to build an OpenSSL::X509::Store object
-      # that contains the certificate you're checking + intermediates + root.
+      # response.basic.status will be populated, if response.status == 0
+      cert_ids.each_with_index do |cert_id,ix|
+
+        # SingleResponse structure from http://tools.ietf.org/html/rfc2560 section 4.2.1
+        #
+        # SingleResponse ::= SEQUENCE {
+        # certID                       CertID,
+        # certStatus                   CertStatus,
+        # thisUpdate                   GeneralizedTime,
+        # nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
+        # singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }
+        # single_response = response.basic.status[ix]
+
+        # Find the single response that matches current cert_id
+        single_response = nil
+        response.basic.status.each do |single_response_candidate|
+          if single_response_candidate[0].serial.to_s == cert_id.serial.to_s
+            single_response = single_response_candidate
+            break
+          end
+        end
+
+        raise StandardError.new("SingleResponse for certificate s/n ##{cert_id.serial.to_s} not found.") if single_response == nil
+
+        # CertStatus from from http://tools.ietf.org/html/rfc2560 section 4.2.1
+        #
+        # CertStatus ::= CHOICE {
+        # good        [0]     IMPLICIT NULL,
+        # revoked     [1]     IMPLICIT RevokedInfo,
+        # unknown     [2]     IMPLICIT UnknownInfo }
+        if single_response[1] != 0
+          raise StandardError, "CertStatus for cert s/n #{cert_id.serial.to_s} is #{single_response[1]}"
+        end
+
+        current_time = Time.now
+        if single_response[4] > current_time or single_response[5] < current_time
+          raise StandardError, "The response for cert_id s/n #{cert_id.serial.to_s} is not within its validity window"
+        end
+      end
 
       if response.basic.verify([],store) != true
+        binding.pry
         raise StandardError, "Response not signed by a trusted certificate"
       end
 

data/lib/devpki/version.rb

@@ -1,3 +1,3 @@
 module DevPKI
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devpki
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Jānis Kiršteins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-24 00:00:00.000000000 Z
+date: 2013-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -66,6 +66,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement