mini_ca 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ba8cda5d5c7a9ebbd7baa7803916e988ffc7520c
+  data.tar.gz: fdee1aafd4a2e43fb1bb4b98dd271cb4a7ef0654
+SHA512:
+  metadata.gz: cd647947568fd6e7081284b3b34a4935c10326b95c0dbeddcc439845d76435d14c17b498e773dffb5eeee3fea9481b82ed5d62a08dab6dc932c1516e12f3f98f
+  data.tar.gz: 7ed91bff6a7617c18415eb5f9e652511f403d1fa2cb897932d26ec94375534d16bebeb78092dca0364cc2c5070b288cee58078ff37b131fc42b5575b98c79ee2

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.travis.yml

@@ -0,0 +1,12 @@
+sudo: false
+
+cache: bundler
+
+before_install:
+  gem update bundler
+
+rvm:
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in mini_ca.gemspec
+gemspec

data/LICENSE.md

@@ -0,0 +1,22 @@
+Copyright (c) 2017 Aptible, Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,52 @@
+# ![](https://raw.github.com/aptible/straptible/master/lib/straptible/rails/templates/public.api/icon-60px.png) MiniCa
+
+[![Gem Version](https://badge.fury.io/rb/mini_ca.png)](https://rubygems.org/gems/mini_ca)
+[![Build Status](https://travis-ci.org/aptible/mini_ca.png?branch=master)](https://travis-ci.org/aptible/mini_ca)
+[![Dependency Status](https://gemnasium.com/aptible/mini_ca.png)](https://gemnasium.com/aptible/mini_ca)
+
+A Gem to generate custom X509 certificates in specs.
+
+## Installation
+
+Add the following line to your application's Gemfile.
+
+    gem 'mini_ca'
+
+And then run `bundle install`.
+
+## Usage
+
+```
+# Instantiate a CA
+ca = MiniCa::Certificate.new('My Test CA', ca: true)
+
+# Create an intermediate
+intermediate = ca.issue('My Intermediate', ca: true)
+
+# Create a certificate
+certificate = intermediate.issue('My Certificate')
+
+# Get the certificate chain as PEM
+certificate.chain_pem
+
+# Get the certificate bundle (i.e. including the leaf certificate) as PEM
+certificate.bundle_pem
+
+# Verify a certificate
+ca.store.verify(certificate.x509, [intermediate.x509])
+```
+
+See the specs for more examples.
+
+## Contributing
+
+1. Fork the project.
+1. Commit your changes, with specs.
+1. Ensure that your code passes specs (`rake spec`) and meets Aptible's Ruby style guide (`rake rubocop`).
+1. Create a new pull request on GitHub.
+
+## Copyright and License
+
+MIT License, see [LICENSE](LICENSE.md) for details.
+
+Copyright (c) 2017 [Aptible](https://www.aptible.com), Thomas Orozco, and contributors.

data/Rakefile

@@ -0,0 +1,4 @@
+require 'bundler/gem_tasks'
+
+require 'aptible/tasks'
+Aptible::Tasks.load_tasks

data/lib/mini_ca/certificate.rb

@@ -0,0 +1,129 @@
+module MiniCa
+  class Certificate
+    DIGEST = OpenSSL::Digest::SHA256
+
+    attr_reader :key, :x509, :issuer, :ca
+
+    # rubocop:disable ParameterLists
+    def initialize(
+      cn,
+      sans: nil,
+      issuer: nil,
+      ca: false,
+      serial: nil,
+      not_before: nil,
+      not_after: nil,
+      country: nil,
+      state: nil,
+      location: nil,
+      organization: nil
+    )
+      @key = OpenSSL::PKey::RSA.new(2048)
+      @x509 = OpenSSL::X509::Certificate.new
+      @issuer = issuer
+      @ca = ca
+      @counter = 0
+
+      x509.version = 0x2
+      x509.serial = serial || 0
+
+      x509.public_key = key.public_key
+
+      x509.subject = OpenSSL::X509::Name.new
+
+      [
+        ['CN', cn],
+        ['C', country],
+        ['ST', state],
+        ['L', location],
+        ['O', organization]
+      ].each do |prop, value|
+        next if value.nil?
+        x509.subject = x509.subject.add_entry(prop, value)
+      end
+
+      x509.issuer = issuer ? issuer.x509.subject : x509.subject
+
+      if issuer
+        not_before ||= issuer.x509.not_before
+        not_after ||= issuer.x509.not_after
+
+        if issuer.x509.not_before > not_before
+          raise Error, 'Certificate cannot become valid before issuer'
+        end
+
+        if issuer.x509.not_after < not_after
+          raise Error, 'Certificate cannot expire after issuer'
+        end
+      else
+        not_before ||= Time.now - 3600 * 24
+        not_after ||= Time.now + 3600 + 24
+      end
+
+      x509.not_before = not_before
+      x509.not_after = not_after
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = x509
+
+      sans = (sans || []) + ["DNS:#{cn}"]
+
+      exts = if ca
+               [
+                 ef.create_extension('basicConstraints', 'CA:TRUE', true)
+               ]
+             else
+               [
+                 ef.create_extension('basicConstraints', 'CA:FALSE', true),
+                 ef.create_extension('subjectAltName', sans.join(','), false)
+               ]
+             end
+
+      exts.each { |e| x509.add_extension(e) }
+
+      signing_key = issuer ? issuer.key : key
+      x509.sign signing_key, DIGEST.new
+    end
+    # rubocop:enable ParameterLists
+
+    def issue(cn, **opts)
+      raise 'CA must be set to use #issue' unless ca
+      @counter += 1
+      Certificate.new(cn, issuer: self, serial: @counter, **opts)
+    end
+
+    def store
+      raise 'CA must be set to use #store' unless ca
+      OpenSSL::X509::Store.new.tap { |store| store.add_cert(x509) }
+    end
+
+    def chain
+      bits = []
+      this_cert = self
+      until (this_cert = this_cert.issuer).nil?
+        bits << this_cert
+      end
+      bits[0...-1]
+    end
+
+    def bundle
+      [self] + chain
+    end
+
+    def x509_pem
+      x509.to_s
+    end
+
+    def chain_pem
+      chain.map(&:x509).map(&:to_s).join('')
+    end
+
+    def bundle_pem
+      bundle.map(&:x509).map(&:to_s).join('')
+    end
+
+    def key_pem
+      key.to_s
+    end
+  end
+end

data/lib/mini_ca/error.rb

@@ -0,0 +1,4 @@
+module MiniCa
+  class Error < StandardError
+  end
+end

data/lib/mini_ca/version.rb

@@ -0,0 +1,3 @@
+module MiniCa
+  VERSION = '0.1.0'.freeze
+end

data/lib/mini_ca.rb

@@ -0,0 +1,8 @@
+require 'openssl'
+
+require 'mini_ca/version'
+require 'mini_ca/error'
+require 'mini_ca/certificate'
+
+module MiniCa
+end

data/mini_ca.gemspec

@@ -0,0 +1,26 @@
+# encoding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'English'
+require 'mini_ca/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'mini_ca'
+  spec.version       = MiniCa::VERSION
+  spec.authors       = ['Thomas Orozco']
+  spec.email         = ['thomas@orozco.fr']
+  spec.description   = 'A minimal Certification Authority, for use in specs'
+  spec.summary       = spec.description
+  spec.homepage      = 'https://github.com/aptible/mini_ca'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($RS)
+  spec.test_files    = spec.files.grep(%r{^spec/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'aptible-tasks'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+end

data/spec/mini_ca/certificate_spec.rb

@@ -0,0 +1,133 @@
+require 'spec_helper'
+
+describe MiniCa::Certificate do
+  describe '#initialize' do
+    it 'initializes a self-signed certificate' do
+      c = described_class.new('name')
+      expect(c.x509.subject.to_s).to eq('/CN=name')
+      expect(c.x509.issuer.to_s).to eq('/CN=name')
+    end
+
+    it 'initializes a CA certificate' do
+      c1 = described_class.new('foo', ca: true)
+      c2 = c1.issue('bar')
+      expect(c1.store.verify(c2.x509)).to be_truthy
+    end
+
+    it 'initializes a certificate with a serial' do
+      c1 = described_class.new('foo', serial: 10)
+      expect(c1.x509.serial).to eq(10)
+    end
+
+    it 'initializes a certificate with not_before' do
+      t = Time.at((Time.now - 100).to_i)
+      c1 = described_class.new('foo', not_before: t)
+      expect(c1.x509.not_before).to eq(t)
+    end
+
+    it 'initializes a certificate with not_after' do
+      t = Time.at((Time.now + 100).to_i)
+      c1 = described_class.new('foo', not_after: t)
+      expect(c1.x509.not_after).to eq(t)
+    end
+
+    context 'subject fields' do
+      it 'sets country' do
+        expect(described_class.new('x', country: 'bar').x509.subject.to_s)
+          .to eq('/CN=x/C=bar')
+      end
+
+      it 'sets state' do
+        expect(described_class.new('x', state: 'bar').x509.subject.to_s)
+          .to eq('/CN=x/ST=bar')
+      end
+
+      it 'sets location' do
+        expect(described_class.new('x', location: 'bar').x509.subject.to_s)
+          .to eq('/CN=x/L=bar')
+      end
+
+      it 'sets organization' do
+        expect(described_class.new('x', organization: 'bar').x509.subject.to_s)
+          .to eq('/CN=x/O=bar')
+      end
+    end
+  end
+
+  context 'CA' do
+    subject { described_class.new('MyCA', ca: true) }
+
+    describe '#issue' do
+      it 'issues signed certificates with a valid serial' do
+        c1 = subject.issue('c1')
+        c2 = subject.issue('c2')
+        expect(c1.x509.serial).not_to eq(c2.x509.serial)
+      end
+
+      it 'fails if the CA becomes valid after the certificate' do
+        t = subject.x509.not_before - 100
+        expect { subject.issue('c', not_before: t) }
+          .to raise_error(/cannot become valid before issuer/i)
+      end
+
+      it 'fails if the CA expires before the certificate' do
+        t = subject.x509.not_after + 100
+        expect { subject.issue('c', not_after: t) }
+          .to raise_error(/cannot expire after issuer/i)
+      end
+    end
+
+    describe '#store' do
+      it 'returns a store trusting the CA' do
+        alt = described_class.new('OtherCA', ca: true)
+        cert = subject.issue('Client')
+
+        expect(subject.store.verify(cert.x509)).to be_truthy
+        expect(alt.store.verify(cert.x509)).to be_falsey
+      end
+    end
+  end
+
+  describe '#chain / #bundle' do
+    it 'returns nothing for a self-signed certificate' do
+      c = described_class.new('c')
+      expect(c.chain).to be_empty
+    end
+
+    it 'returns nothing for a certificate issued by a CA' do
+      ca = described_class.new('ca', ca: true)
+      c = ca.issue('c')
+      expect(c.chain).to be_empty
+      expect(c.bundle).to eq([c])
+    end
+
+    it 'returns 1 leaf certificate for 1 intermediate' do
+      ca = described_class.new('ca', ca: true)
+      i1 = ca.issue('i1', ca: true)
+      c = i1.issue('c')
+      expect(c.chain).to eq([i1])
+      expect(c.bundle).to eq([c, i1])
+    end
+
+    it 'returns 2 leaf certificates for 2 intermediates' do
+      ca = described_class.new('ca', ca: true)
+      i1 = ca.issue('i1', ca: true)
+      i2 = i1.issue('i2', ca: true)
+      c = i2.issue('c')
+      expect(c.chain).to eq([i2, i1])
+      expect(c.bundle).to eq([c, i2, i1])
+    end
+  end
+
+  describe '#chain_pem / #bundle_pem' do
+    it 'returns the certificate chain' do
+      ca = described_class.new('ca', ca: true)
+      i1 = ca.issue('i1', ca: true)
+      c = i1.issue('c')
+      expect(c.chain_pem.split("\n").grep(/BEGIN CERTIFICATE/).size).to eq(1)
+      expect(c.bundle_pem.split("\n").grep(/BEGIN CERTIFICATE/).size).to eq(2)
+      expect(c.bundle_pem).to start_with(c.x509_pem)
+      expect(c.bundle_pem).to end_with(i1.x509_pem)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+# Load shared spec files
+Dir["#{File.dirname(__FILE__)}/shared/**/*.rb"].each do |file|
+  require file
+end
+
+# Require library up front
+require 'mini_ca'

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: mini_ca
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Thomas Orozco
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-11-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aptible-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A minimal Certification Authority, for use in specs
+email:
+- thomas@orozco.fr
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- lib/mini_ca.rb
+- lib/mini_ca/certificate.rb
+- lib/mini_ca/error.rb
+- lib/mini_ca/version.rb
+- mini_ca.gemspec
+- spec/mini_ca/certificate_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/aptible/mini_ca
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: A minimal Certification Authority, for use in specs
+test_files:
+- spec/mini_ca/certificate_spec.rb
+- spec/spec_helper.rb