jruby-openssl 0.5.2 → 0.6
- data/History.txt +27 -0
- data/Manifest.txt +100 -0
- data/Rakefile +71 -0
- data/lib/jopenssl.jar +0 -0
- data/lib/jopenssl/version.rb +1 -1
- data/lib/openssl/bn.rb +1 -3
- data/lib/openssl/cipher.rb +15 -17
- data/lib/openssl/digest.rb +1 -3
- data/test/cert_with_ec_pk.cer +27 -0
- data/test/fixture/ca_path/72fa7371.0 +19 -0
- data/test/fixture/ca_path/verisign.pem +19 -0
- data/test/fixture/common.pem +48 -0
- data/test/fixture/max.pem +29 -0
- data/test/fixture/purpose/b70a5bc1.0 +24 -0
- data/test/fixture/purpose/ca/PASSWD_OF_CA_KEY_IS_1234 +0 -0
- data/test/fixture/purpose/ca/ca_config.rb +37 -0
- data/test/fixture/purpose/ca/cacert.pem +24 -0
- data/test/fixture/purpose/ca/newcerts/2_cert.pem +19 -0
- data/test/fixture/purpose/ca/newcerts/3_cert.pem +19 -0
- data/test/fixture/purpose/ca/private/cakeypair.pem +30 -0
- data/test/fixture/purpose/ca/serial +1 -0
- data/test/fixture/purpose/cacert.pem +24 -0
- data/test/fixture/purpose/scripts/gen_cert.rb +127 -0
- data/test/fixture/purpose/scripts/gen_csr.rb +50 -0
- data/test/fixture/purpose/scripts/init_ca.rb +66 -0
- data/test/fixture/purpose/sslclient.pem +19 -0
- data/test/fixture/purpose/sslclient/csr.pem +10 -0
- data/test/fixture/purpose/sslclient/keypair.pem +15 -0
- data/test/fixture/purpose/sslclient/sslclient.pem +19 -0
- data/test/fixture/purpose/sslserver.pem +19 -0
- data/test/fixture/purpose/sslserver/csr.pem +10 -0
- data/test/fixture/purpose/sslserver/keypair.pem +15 -0
- data/test/fixture/purpose/sslserver/sslserver.pem +19 -0
- data/test/fixture/verisign.pem +19 -0
- data/test/fixture/verisign_c3.pem +14 -0
- data/test/openssl/test_cipher.rb +22 -0
- data/test/openssl/test_pkcs7.rb +1 -0
- data/test/openssl/test_ssl.rb +2 -0
- data/test/openssl/test_x509ext.rb +21 -0
- data/test/openssl/test_x509name.rb +16 -0
- data/test/test_cipher.rb +20 -6
- data/test/test_integration.rb +43 -4
- data/test/test_parse_certificate.rb +20 -0
- data/test/test_x509store.rb +155 -0
- metadata +37 -3
File without changes
|
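--- a/data/test/fixture/purpose/ca/ca_config.rb
+++ b/data/test/fixture/purpose/ca/ca_config.rb
@@ -0,0 +1,37 @@
+class CAConfig
+BASE_DIR = File.dirname(__FILE__)
+KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem"
+CERT_FILE = "#{BASE_DIR}/cacert.pem"
+SERIAL_FILE = "#{BASE_DIR}/serial"
+NEW_CERTS_DIR = "#{BASE_DIR}/newcerts"
+NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup"
+CRL_DIR = "#{BASE_DIR}/crl"
+
+NAME = [['C', 'JP'], ['O', 'www.ruby-lang.org'], ['OU', 'development']]
+CA_CERT_DAYS = 20 * 365
+CA_RSA_KEY_LENGTH = 2048
+
+CERT_DAYS = 19 * 365
+CERT_KEY_LENGTH_MIN = 1024
+CERT_KEY_LENGTH_MAX = 2048
+CDP_LOCATION = nil
+OCSP_LOCATION = nil
+
+CRL_FILE = "#{CRL_DIR}/jruby.crl"
+CRL_PEM_FILE = "#{CRL_DIR}/jruby.pem"
+CRL_DAYS = 14
+
+PASSWD_CB = Proc.new { |flag|
+print "Enter password: "
+pass = $stdin.gets.chop!
+# when the flag is true, this passphrase
+# will be used to perform encryption; otherwise it will
+# be used to perform decryption.
+if flag
+print "Verify password: "
+pass2 = $stdin.gets.chop!
+raise "verify failed." if pass != pass2
+end
+pass
+}
+end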
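Review bot: `PASSWD_CB` (lines 24–36) calls `$stdin.gets.chop!` twice; `gets` returns nil at EOF, which turns a missing passphrase into a NoMethodError instead of a clear message, and `chop!` itself returns nil when there is nothing to remove, so `pass` can silently become nil. A guarded read, `line = $stdin.gets or raise "no passphrase given"` followed by `pass = line.chomp`, avoids both and also copes with a `\r\n` line ending, where `chop` removes only one character. The floor on line 15, `CERT_KEY_LENGTH_MIN = 1024`, is below current RSA guidance, so a comment such as `# test fixture only: 1024-bit keys are accepted to exercise legacy paths` would tell a reader the value is deliberate.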
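--- a/data/test/fixture/purpose/ca/cacert.pem
+++ b/data/test/fixture/purpose/ca/cacert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDI5MjBaFw0yOTExMTQxMDI5MjBaMEwx
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzEUMBIGA1UE
+CwwLZGV2ZWxvcG1lbnQxCzAJBgNVBAMMAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2nXhXZxXUs1Sfxqi8sReyzPHRcAHQM9RqDAGG9Nt1zYrLXwg
+MmUhOr4yBeW2KAxJGxdRQSzI38jyT6mrDRBpTl/OeU9zBG4p6AtFGkoMnRvUonB3
+CvgYJXhmrFjnHn34JNaRSORjaZDBmI9/fMGvaYndEM3wJ2b3jEOeizDIG60kZxA6
+XQ+X7ral+aABsjomubvjEQ9dlcDhQlssKjbjaN3NZ/kL/i/75jc6rzT05XYYkj+Z
+9rPRfT+HH3c5EYLtxcRTEHVWXMC8/of7oOFgZwwI3Cx9/v1s2Z6gdJ8J0kIkEoUL
+ziYsLIOmVB2tx0rKkmeivJB4PTM5QyHb7d1xUwIDAQABo4HsMIHpMA8GA1UdEwEB
+/wQFMAMBAf8wMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBOZGvHkAfn+0Ct33rQ6tW2UmF5TMA4GA1Ud
+DwEB/wQEAwIBBjB0BgNVHSMEbTBrgBQTmRrx5AH5/tArd960OrVtlJheU6FQpE4w
+TDELMAkGA1UEBhMCSlAxGjAYBgNVBAoMEXd3dy5ydWJ5LWxhbmcub3JnMRQwEgYD
+VQQLDAtkZXZlbG9wbWVudDELMAkGA1UEAwwCQ0GCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBACfgSl3pA+e3JyjgS/zscaJHHNDwXIIoH0KY6pcrZnl7Zh8CW+Gdba621Lek
+aAy0YhAAM9bF87QZG1+sL7B2H1oSTt7F67SwQfq079oNWjhEdV5dxBKk6XaU0R31
+KXSsmLR4pMxcFdPzGM0FTiSj9FNKk2pydVySsa5jJeG0qvXVFMqsRUUwklQHl9Kx
+9GZiknt4PEGj/ThUwarhRbRjV5z7ZxXKexkangBlRWPX7TjvlpZPgLzAODG4fiRW
+ZUo8Ng7QolTJuPAhlVxhdi9n5hItm6mt21RTpQcP49KoGe8x+T4EzPO0PPdCMliD
+fH3udDO+bq2F8H4ts6ZJAYWFo8U=
+-----END CERTIFICATE-----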
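--- a/data/test/fixture/purpose/ca/newcerts/2_cert.pem
+++ b/data/test/fixture/purpose/ca/newcerts/2_cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAe6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMTdaFw0yODExMTQxMDMwMTdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3Nsc2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgYsazavfR
+a72yK4qfnIjOrDT9Uv2ToL4swbE86PXY5N+YvUig3fVmNJo72rT5JlAODs+MtJJU
+aJ8HsczlGdrhjTWyT/0fyoY/rC4mi5UFASBCbaoaviDPgbhI6ehBY6d5vEYQOW79
+fL95KIa+OyGzUNYy+EkSxJmvt/8EJYtqIwIDAQABo4GFMIGCMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFJsUyGU/R4muSKVIeckJElcBNbipMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAAc49qdDC
+TzFoWy794TYEx/uSAFQPMxp/dktYuMvtMSqhOfkDAaX7YFAD40R9tQljm6Vb7uEB
+afAecveSyBN2EPZas8NdohJJcTT/pu39E9iMuvAoxz+R8RV7S/RikFOtoet79owa
+6lnD3893tz5RR5BloRX7yRii87U5LUdxd3CvEmA7ycNTO8ZEaAuLDitsTMxhPiIJ
+DeGW5L8DCyiWuDt9K6S13XdnDxTvYUmafVPU59BncdSoY/3BebappMzDM8QM0yCZ
+GWh7ItY4sncMur1fc9ZuSsyplT3d3jysmVXolz2khxboMPVBoRSTtgBOn1PSsVma
+FWULbrbYBK5Cqg==
+-----END CERTIFICATE-----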
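--- a/data/test/fixture/purpose/ca/newcerts/3_cert.pem
+++ b/data/test/fixture/purpose/ca/newcerts/3_cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMjdaFw0yODExMTQxMDMwMjdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3NsY2xpZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgemBPByEo
+KbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5loBzOkZ05rkuapZ7O5flSMjtH
+5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2qE01P0NIuCrkvKjJgsrXdy3sG
+2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQABo4GPMIGMMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFOFnq0r6adftxM/7aApl0DDrLTNWMAsGA1UdDwQEAwIF
+4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQEFBQAD
+ggEBACiRGC9KvUP2PaU7JmcIzJHMJtz0mUsO8KJeFWmBCSkfQErF3egOzE47WcRM
+0lGy0e4fjJB3at/O2V4RgwkFpsBpGXv9LJ5ZVXkEu9PwzwLTGZ4VfSPNIXgse1lK
+9EYOXgL8XhL7c9XPJLRFOWt6Odwp1VjQ2RqkpYLYnsHZam+5gsRd5K2yS0VO8A1Q
+otxH1D4evwpoSAaRHSff71Qh7046g2jGvCvdEVqBXuAoOuY8IRvf6YpTKEcPuOOo
+t7h5kLIVKuG4/AikVZ62Xh7DjdRFxy/Pxg3uIhrvkHkG8QtEFgBBMHoQR6iSGf6N
+1SNrs9tpu1oqTSzoKFG72BsEA6M=
+-----END CERTIFICATE-----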
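--- a/data/test/fixture/purpose/ca/private/cakeypair.pem
+++ b/data/test/fixture/purpose/ca/private/cakeypair.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1381BA5304F6971E
+
+NmDiHjP3Kn3gG7q0oG8n5nyCM8wp5PYeEpuwrZmnNzpdsTTxpPV2Px8wy9EBrR4k
+SeZufUHA7T+zOLc1mSGMm+LOSSV2CMcUnby+yVRuV7CTtw7AwD+et7asff/HU1v6
+GE4SbX0tnZskiAR00zZTN/C17w27HIG7qNHrEjCng/S4fKFVNe6riQbmQqvykYQS
+8bZsQzzlB8e8kxNV5EDvYag3oevgY7RpIWUXEwTHd46o+8GsExuhs+8WpiO1az1D
+vu0u0MpO5t6PKyafp5vdiLTiwoY8VUdCF627FbyCWFkSuRbYxXNiRZzIvgwtZS7d
+wHOr5aVA2ROli2S7W5Mmx00tww05mPdzQbk5q6ZMxD+lK9bIuHEGwBY0IaWjkJtt
+a0RyBilLatVE9866D40dmNKA4mzAqtADdq6vwzoEqd7kVdwjdk7EMvaZgACrBypH
+NfadJ+HG2TW+4gnZLG60y6YaMPXAbObCUHCUYVhJe/E4mGdSkKOGgiQks9hT448T
++/YBt2TqCq3UQU2rfxLVV6AlD/tywTwPTb0Leu40oTNEQyJ9aaQXmcZHZlDWI+Sl
+xdvGule84RenlV+GnC5UlBxUopTKbVSI7tw10grJtz5/TWx7ubOQ4pCNHzxksQH7
+YqygX5F6jlR6GbZFYUozNf57Frh9zUmhc6YWGFeTz1uc6rRqTCrKcyqvRD9QCYPY
+P+8MhvztbbYOr+XRStVeuDXzMwS6/HUrlPTt0IvO3Hq9dFDaTg1bW4mzgdKuYotV
+VF5DRenkF8lalTFpMppNsfpldazrZ8VvW5qRwbKF4mu7AWsBh9IpZMW15LtI7fUA
+L+JQO8aBUq6gyXTzaJxx8kxpdcIRtubOIultptj2m/XPXNNFSsI5DMv7V5jh58sC
+ju2RwxwivcWh1XtQxc4RNzvP3/Ek85at+cO9Q74Tu4f8alJZiWT51PZRwaucdQ8y
+rYT32rsqoWw1MvkDDENHbEt1QZ7AFmO3zFeGYXbPNHoi2gKzCo7xQtCm+QXQAh7B
+87KoKqwS9BO9QA/F+htVW9mbA+Yc5a2vcykxYbGlGqyMleI8cU5AeIbGoZdyYaun
+cDX/NtyV3HGPD5aHUPcz/sP7KAbdLzwh72CzRqQQo8yxOmQEWdd7W8jtxt0on2cs
+AXj59c9jKRJl5XlXMQO+VWnWO04bWxs8PAgop5Y4ePY766/mL1bAr02kdI6DJ9mx
+Opmpqk4gPZpnksnCQWJelPPYad0S49QxbOIWf5bI9FMi+6cgVh76iC5nMGVGI+gw
+lS64zEHhSRXuAC9Nsw5d+owc3aCG15DzUjpEBhDJ8EYKP9kgiJU0rnqPqGrriyrb
+f6kNOisGvAbI3RldVDLvvZbZEffPu60yA1rP7XaBRPn4K3g+3KTiEcn00wwJaoc3
+rddzmUCbx6fOluN+34BiPdJzHBZsROEvCcT4KGw1/nZIp/GgX3f3nPW40go2RLFP
+THQ5L0tuEvyhtJWaiLzjoZ3kCiwWZUzUwYCSfP9raVVXAxLoS4wU+qqKPl6/AaLI
+NDgIDJtZ0hrnptZuCkBUzVGQzxpMr8IVK/zQDq8uSXI53heZhLQoww==
+-----END RSA PRIVATE KEY-----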
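--- a/data/test/fixture/purpose/ca/serial
+++ b/data/test/fixture/purpose/ca/serial
@@ -0,0 +1 @@
+0004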
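--- a/data/test/fixture/purpose/cacert.pem
+++ b/data/test/fixture/purpose/cacert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDI5MjBaFw0yOTExMTQxMDI5MjBaMEwx
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzEUMBIGA1UE
+CwwLZGV2ZWxvcG1lbnQxCzAJBgNVBAMMAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2nXhXZxXUs1Sfxqi8sReyzPHRcAHQM9RqDAGG9Nt1zYrLXwg
+MmUhOr4yBeW2KAxJGxdRQSzI38jyT6mrDRBpTl/OeU9zBG4p6AtFGkoMnRvUonB3
+CvgYJXhmrFjnHn34JNaRSORjaZDBmI9/fMGvaYndEM3wJ2b3jEOeizDIG60kZxA6
+XQ+X7ral+aABsjomubvjEQ9dlcDhQlssKjbjaN3NZ/kL/i/75jc6rzT05XYYkj+Z
+9rPRfT+HH3c5EYLtxcRTEHVWXMC8/of7oOFgZwwI3Cx9/v1s2Z6gdJ8J0kIkEoUL
+ziYsLIOmVB2tx0rKkmeivJB4PTM5QyHb7d1xUwIDAQABo4HsMIHpMA8GA1UdEwEB
+/wQFMAMBAf8wMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBOZGvHkAfn+0Ct33rQ6tW2UmF5TMA4GA1Ud
+DwEB/wQEAwIBBjB0BgNVHSMEbTBrgBQTmRrx5AH5/tArd960OrVtlJheU6FQpE4w
+TDELMAkGA1UEBhMCSlAxGjAYBgNVBAoMEXd3dy5ydWJ5LWxhbmcub3JnMRQwEgYD
+VQQLDAtkZXZlbG9wbWVudDELMAkGA1UEAwwCQ0GCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBACfgSl3pA+e3JyjgS/zscaJHHNDwXIIoH0KY6pcrZnl7Zh8CW+Gdba621Lek
+aAy0YhAAM9bF87QZG1+sL7B2H1oSTt7F67SwQfq079oNWjhEdV5dxBKk6XaU0R31
+KXSsmLR4pMxcFdPzGM0FTiSj9FNKk2pydVySsa5jJeG0qvXVFMqsRUUwklQHl9Kx
+9GZiknt4PEGj/ThUwarhRbRjV5z7ZxXKexkangBlRWPX7TjvlpZPgLzAODG4fiRW
+ZUo8Ng7QolTJuPAhlVxhdi9n5hItm6mt21RTpQcP49KoGe8x+T4EzPO0PPdCMliD
+fH3udDO+bq2F8H4ts6ZJAYWFo8U=
+-----END CERTIFICATE-----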
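--- a/data/test/fixture/purpose/scripts/gen_cert.rb
+++ b/data/test/fixture/purpose/scripts/gen_cert.rb
@@ -0,0 +1,127 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'fileutils'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+myname = File::basename($0)
+$stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] [--out certfile] csr_file"
+exit
+end
+
+getopts nil, 'type:client', 'out:', 'force'
+
+cert_type = $OPT_type
+out_file = $OPT_out || 'cert.pem'
+csr_file = ARGV.shift or usage
+ARGV.empty? or usage
+
+csr = X509::Request.new(File.open(csr_file).read)
+unless csr.verify(csr.public_key)
+raise "CSR sign verification failed."
+end
+p csr.public_key
+if csr.public_key.n.num_bits < CAConfig::CERT_KEY_LENGTH_MIN
+raise "Key length too short"
+end
+if csr.public_key.n.num_bits > CAConfig::CERT_KEY_LENGTH_MAX
+raise "Key length too long"
+end
+if csr.subject.to_a[0, CAConfig::NAME.size] != CAConfig::NAME
+unless $OPT_force
+p csr.subject.to_a
+p CAConfig::NAME
+raise "DN does not match"
+end
+end
+
+# Only checks signature here. You must verify CSR according to your CP/CPS.
+
+$stdout.sync = true
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
+File.open(CAConfig::SERIAL_FILE, "w") do |f|
+f << sprintf("%04X", serial + 1)
+end
+
+# Generate new cert
+
+cert = X509::Certificate.new
+from = Time.now # + 30 * 60 # Wait 30 minutes.
+cert.subject = csr.subject
+cert.issuer = ca.subject
+cert.not_before = from
+cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
+cert.public_key = csr.public_key
+cert.serial = serial
+cert.version = 2 # X509v3
+
+basic_constraint = nil
+key_usage = []
+ext_key_usage = []
+case cert_type
+when "ca"
+basic_constraint = "CA:TRUE"
+key_usage << "cRLSign" << "keyCertSign"
+when "terminalsubca"
+basic_constraint = "CA:TRUE,pathlen:0"
+key_usage << "cRLSign" << "keyCertSign"
+when "server"
+basic_constraint = "CA:FALSE"
+key_usage << "digitalSignature" << "keyEncipherment"
+ext_key_usage << "serverAuth"
+when "ocsp"
+basic_constraint = "CA:FALSE"
+key_usage << "nonRepudiation" << "digitalSignature"
+ext_key_usage << "serverAuth" << "OCSPSigning"
+when "client"
+basic_constraint = "CA:FALSE"
+key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ext_key_usage << "clientAuth" << "emailProtection"
+else
+raise "unknonw cert type \"#{cert_type}\" is specified."
+end
+
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = ca
+ex = []
+ex << ef.create_extension("basicConstraints", basic_constraint, true)
+ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ex << ef.create_extension("subjectKeyIdentifier", "hash")
+#ex << ef.create_extension("nsCertType", "client,email")
+ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
+ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
+
+ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
+ex << ef.create_extension("authorityInfoAccess", "OCSP;" << CAConfig::OCSP_LOCATION) if CAConfig::OCSP_LOCATION
+cert.extensions = ex
+cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
+
+# For backup
+
+cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
+File.open(cert_file, "w", 0644) do |f|
+f << cert.to_pem
+end
+
+puts "Writing cert.pem..."
+FileUtils.copy(cert_file, out_file)
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"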
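Review bot: Line 23 reads the CSR with `File.open(csr_file).read`, which never closes the handle, while lines 50 and 54 of the same script use `File.read(...)`; `csr = X509::Request.new(File.read(csr_file))` makes the three reads consistent. The key-length check on lines 28 and 31 calls `.n` on the public key, so a CSR carrying a non-RSA key (this commit also adds `cert_with_ec_pk.cer` to the fixtures) fails with a NoMethodError rather than a clear rejection; a guard before line 28, `raise "only RSA keys are supported" unless csr.public_key.respond_to?(:n)`, names the reason. The DN comparison on line 34 appears to compare `subject.to_a` entries, which in Ruby's OpenSSL binding carry a third type element, against the two-element pairs of `CAConfig::NAME`, so it may never match without `--force`; worth confirming on the platform this runs on. The message on line 96 spells `unknonw`, and the `terminalsubca` branch on line 80 is missing from the usage string on line 12.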
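--- a/data/test/fixture/purpose/scripts/gen_csr.rb
+++ b/data/test/fixture/purpose/scripts/gen_csr.rb
@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+
+require 'getopts'
+require 'openssl'
+
+include OpenSSL
+
+def usage
+myname = File::basename($0)
+$stderr.puts <<EOS
+Usage: #{myname} [--key keypair_file] name
+name ... ex. /C=JP/O=RRR/OU=CA/CN=NaHi/emailAddress=nahi@example.org
+EOS
+exit
+end
+
+getopts nil, "key:", "csrout:", "keyout:"
+keypair_file = $OPT_key
+csrout = $OPT_csrout || "csr.pem"
+keyout = $OPT_keyout || "keypair.pem"
+
+$stdout.sync = true
+name_str = ARGV.shift or usage()
+p name_str
+name = X509::Name.parse(name_str)
+
+keypair = nil
+if keypair_file
+keypair = PKey::RSA.new(File.open(keypair_file).read)
+else
+keypair = PKey::RSA.new(1024) { putc "." }
+puts
+puts "Writing #{keyout}..."
+File.open(keyout, "w", 0400) do |f|
+f << keypair.to_pem
+end
+end
+
+puts "Generating CSR for #{name_str}"
+
+req = X509::Request.new
+req.version = 0
+req.subject = name
+req.public_key = keypair.public_key
+req.sign(keypair, OpenSSL::Digest::MD5.new)
+
+puts "Writing #{csrout}..."
+File.open(csrout, "w") do |f|
+f << req.to_pem
+end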
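Review bot: Line 45 signs the request with `OpenSSL::Digest::MD5.new`, whereas `gen_cert.rb` and `init_ca.rb` in the same commit sign with `OpenSSL::Digest::SHA1.new`; since the CSR self-signature is the one thing `gen_cert.rb` verifies before issuing, `req.sign(keypair, OpenSSL::Digest::SHA1.new)` keeps the generators consistent and drops the weakest digest from the set. Line 29 reads the key with `File.open(keypair_file).read` and leaks the handle; `File.read(keypair_file)` is the block-free form already used elsewhere in these scripts. The default key size on line 31 is a literal `1024`, the same value as `CERT_KEY_LENGTH_MIN` in `ca_config.rb`, which this script does not load, so the two will drift silently if that floor is raised; a comment such as `# must stay within CAConfig::CERT_KEY_LENGTH_MIN..MAX` would at least record the coupling.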
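--- a/data/test/fixture/purpose/scripts/init_ca.rb
+++ b/data/test/fixture/purpose/scripts/init_ca.rb
@@ -0,0 +1,66 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+
+include OpenSSL
+
+$stdout.sync = true
+
+cn = ARGV.shift || 'CA'
+
+unless FileTest.exist?('private')
+Dir.mkdir('private', 0700)
+end
+unless FileTest.exist?('newcerts')
+Dir.mkdir('newcerts')
+end
+unless FileTest.exist?('crl')
+Dir.mkdir('crl')
+end
+unless FileTest.exist?('serial')
+File.open('serial', 'w') do |f|
+f << '2'
+end
+end
+
+print "Generating CA keypair: "
+keypair = PKey::RSA.new(CAConfig::CA_RSA_KEY_LENGTH) { putc "." }
+putc "\n"
+
+now = Time.now
+cert = X509::Certificate.new
+name = CAConfig::NAME.dup << ['CN', cn]
+cert.subject = cert.issuer = X509::Name.new(name)
+cert.not_before = now
+cert.not_after = now + CAConfig::CA_CERT_DAYS * 24 * 60 * 60
+cert.public_key = keypair.public_key
+cert.serial = 0x1
+cert.version = 2 # X509v3
+
+key_usage = ["cRLSign", "keyCertSign"]
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = cert # we needed subjectKeyInfo inside, now we have it
+ext1 = ef.create_extension("basicConstraints","CA:TRUE", true)
+ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
+ext4 = ef.create_extension("keyUsage", key_usage.join(","), true)
+cert.extensions = [ext1, ext2, ext3, ext4]
+ext0 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+cert.add_extension(ext0)
+cert.sign(keypair, OpenSSL::Digest::SHA1.new)
+
+keypair_file = CAConfig::KEYPAIR_FILE
+puts "Writing keypair."
+File.open(keypair_file, "w", 0400) do |f|
+f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
+end
+
+cert_file = CAConfig::CERT_FILE
+puts "Writing #{cert_file}."
+File.open(cert_file, "w", 0644) do |f|
+f << cert.to_pem
+end
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"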
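Review bot: Lines 12–25 create `private`, `newcerts`, `crl` and `serial` relative to the current working directory, but lines 54–64 write the key and certificate to `CAConfig::KEYPAIR_FILE` and `CAConfig::CERT_FILE`, which `ca_config.rb` builds from its own `File.dirname(__FILE__)`; unless the script is run from that directory, the 0700 `private` directory created here is not the one the key is written into, and the write on line 56 would fail on a missing path. Deriving the directories from the config, e.g. `Dir.mkdir(File.dirname(CAConfig::KEYPAIR_FILE), 0700)` and `Dir.mkdir(CAConfig::NEW_CERTS_DIR)`, keeps the two in step. Line 57 wraps the CA key with `Cipher::DES.new(:EDE3, :CBC)` and line 52 signs with SHA1; a comment saying these legacy choices are deliberate for the test fixture (the checked-in `cakeypair.pem` is DES-EDE3-CBC) would stop a later reader from "modernising" them and invalidating the fixtures.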
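--- a/data/test/fixture/purpose/sslclient.pem
+++ b/data/test/fixture/purpose/sslclient.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDMwMjdaFw0yODExMTQxMDMwMjdaMD0x
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzESMBAGA1UE
+AwwJc3NsY2xpZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgemBPByEo
+KbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5loBzOkZ05rkuapZ7O5flSMjtH
+5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2qE01P0NIuCrkvKjJgsrXdy3sG
+2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQABo4GPMIGMMAwGA1UdEwEB/wQC
+MAAwMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFOFnq0r6adftxM/7aApl0DDrLTNWMAsGA1UdDwQEAwIF
+4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQEFBQAD
+ggEBACiRGC9KvUP2PaU7JmcIzJHMJtz0mUsO8KJeFWmBCSkfQErF3egOzE47WcRM
+0lGy0e4fjJB3at/O2V4RgwkFpsBpGXv9LJ5ZVXkEu9PwzwLTGZ4VfSPNIXgse1lK
+9EYOXgL8XhL7c9XPJLRFOWt6Odwp1VjQ2RqkpYLYnsHZam+5gsRd5K2yS0VO8A1Q
+otxH1D4evwpoSAaRHSff71Qh7046g2jGvCvdEVqBXuAoOuY8IRvf6YpTKEcPuOOo
+t7h5kLIVKuG4/AikVZ62Xh7DjdRFxy/Pxg3uIhrvkHkG8QtEFgBBMHoQR6iSGf6N
+1SNrs9tpu1oqTSzoKFG72BsEA6M=
+-----END CERTIFICATE-----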
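--- a/data/test/fixture/purpose/sslclient/csr.pem
+++ b/data/test/fixture/purpose/sslclient/csr.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBfDCB5gIBADA9MQswCQYDVQQGEwJKUDEaMBgGA1UECgwRd3d3LnJ1YnktbGFu
+Zy5vcmcxEjAQBgNVBAMMCXNzbGNsaWVudDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA4HpgTwchKCm8WmJx1ycbJcmLHVlgin+o9plSKMcwtG+1uE0uZaAczpGd
+Oa5LmqWezuX5UjI7R+TTCdoe/87ICuVwZDUQjxSvvBzF1RXUrPnrimPtqhNNT9DS
+Lgq5LyoyYLK13ct7BtlFVBKGBLeTBw0emgS9Cpvp1SnOk+zvirUCAwEAAaAAMA0G
+CSqGSIb3DQEBBAUAA4GBAAg7mWW/hU/fBNLxYVoBRGjpgYKTipRieZ9UDxsxu5O5
+DpLbM/DWydzD0nWDt3zSxG4tCwgEL7gOK6rQz3D+b3BkFGSeQ5AQXjxaDurQoLdR
+OQccN93zAeDb0vBADN/90thJ7osiX8VKG6vUHHcWhA26hzaARSHcLPRR8TeTFFb6
+-----END CERTIFICATE REQUEST-----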
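--- a/data/test/fixture/purpose/sslclient/keypair.pem
+++ b/data/test/fixture/purpose/sslclient/keypair.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDgemBPByEoKbxaYnHXJxslyYsdWWCKf6j2mVIoxzC0b7W4TS5l
+oBzOkZ05rkuapZ7O5flSMjtH5NMJ2h7/zsgK5XBkNRCPFK+8HMXVFdSs+euKY+2q
+E01P0NIuCrkvKjJgsrXdy3sG2UVUEoYEt5MHDR6aBL0Km+nVKc6T7O+KtQIDAQAB
+AoGABfvdI14qSRrLtZEYPccCF0DHH5IpW6fJhkFSClo89yJfMrmD+huJiQwip834
+n/e4QwWoXsOOBv2XjpSs7N7DQFJNfZ3ivRHyEOlHYgiH2m3hOpe/47sbgvB4z7li
+SPGV6oV2BBafc+yDof3vWLX2BMmxvQKB6aJ7DUjSsc7SR2ECQQD+0m+Q03AynhST
+9ZSOnHt9mUMykeNuPXfX2oeQ1LXtpIQ9Zco/Bl9fWr94ghygAy8tsc4gtGQj+74G
+GcGGcBydAkEA4YQHyGGdZAb6bH0esNpE3hyTiqzjEshTpvF3jkKAlRU+4DS9cBhB
+fcqPrsYetIrl1fgySLdNK3vTdS8WduWu+QJBAN5u5JIf7uVQVhgdm3KtJ6KoQR8I
+d+VH5K/YAtQqyS/KluBdVSCUuHWs6kwQD1qhzPHvLkYgEPXUDriWjPaEMIUCQFf1
+wXtc56DOP/r0ynW8jMP9bWbXjDIVRNuGr1Ujhzee88lLiOAh9dl0mppW2D8fNgpB
+JovKQyVExPOeDCsP5zECQBoXPjAvdLm1BrRhQkvtX7Fkk2l54CxoKz7yBHwNWD7e
+hKa0riKKq3z+tzzfOkgFdNf3aTZyL7cfBALZJdfiLhA=
+-----END RSA PRIVATE KEY-----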