mkchain 1.0.3 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8fdbd7f7b809a418c581c5cb91e446acf5fcbe56488001a95c1294af836b4772
-  data.tar.gz: d7f434b17fae4f78f3203378210deae947740c451b7df43cfbe79dfbe58df234
+  metadata.gz: dd1dfa10f2fce6363800bd991a591ec457816dec9da5fb0953c2552d3bd43cb5
+  data.tar.gz: b2d96f3d347f7e2e43b033f7664504c24c29154aab522accda414f19d7880d8b
 SHA512:
-  metadata.gz: 990ff4e9ab0d6e0152efc8f064231ad95002ca4bde7f8749209a7747f9c416694b3dcfa951fda702daf31602eebfe41f0f62bc5ca432c92b00d248c548fd13e2
-  data.tar.gz: a5904ad244ca7c99262aa25ca1f86ab0c1b4db4cadb57cdef506eecda69ff2fb8d71ee160aa5c4e014c3599e09f3666e67fa7dcc364c1b1108d7d3fd5142b2ab
+  metadata.gz: 6707656fc9eeab78477b4078a8bdf048a4d74bc86ff6c5ea57899a64d32599ae62d9bb491f234aa67cc61779caaf84091f3ad66852dc5c51bee593843a4efb55
+  data.tar.gz: 9a2a060b92db1061bf25ada2ec174457ac93dcf9a1313be8b792d8d55754c65dc583079c7a9a21b26c44d6b5c691d5937d10629694fbf8596a755d3c58c3dece

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Instructure, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -5,23 +5,22 @@ intermediate certificate chain, and print it to stdout. This replaces the
 need to copy/edit cert-vendor provided chain files and deal with certificate
 order.
 
-
 ## Installation
 
     $ rake install
 
-
 ## Command-line Usage
 
     $ mkchain site.example.com.crt > site.example.com.chain
-
+    $ mkchain -c 2025-05-30 site.example.com.crt > site.example.com.chain
+    $ mkchain -lr site.example.com.crt > site.example.com.fullchain
 
 ## Ruby Library
 
 You can also invoke `mkchain` from Ruby code:
 
     require 'mkchain'
-    chain_str = MkChain.chain(File.read(cert_filename))
+    chain_str = MkChain.new(include_root: true).chain(File.read(cert_filename))
 
 This method returns a string containing the contents of the intermediate
 chain in PEM format. If no chain can be built from the certificate, a
@@ -29,14 +28,12 @@ chain in PEM format. If no chain can be built from the certificate, a
 (ie, if the certificate was signed directly by the root CA), then an empty
 string will be returned.
 
-
 ## No guarantee
 
 This method of building an intermediate chain depends on the signing
 certificate being in the `authorityInfoAccess` X.509 extension field under
 `CA Issuers`. That's a common but not universal pattern.
 
-
 ## Similar Tools
 
 * https://whatsmychaincert.com/

data/bin/mkchain

@@ -1,11 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'mkchain'
 
-abort 'Usage: mkchain <cert-filename>' unless ARGV.count == 1
-
-filename = ARGV[0]
-abort "No such file '#{filename}'" unless File.exist?(filename)
-abort "Cannot read file '#{filename}'" unless File.readable?(filename)
-
-puts MkChain.chain(File.read(filename))
+MkChain::CLI.start

data/lib/mkchain/cli.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'optparse'
+
+module MkChain
+  class CLI
+    def self.start(argv = ARGV)
+      new.run(argv)
+    end
+
+    def run(argv)
+      options = parse_options(argv)
+
+      filename = argv.shift&.strip
+      abort 'No certificate file specified.' if filename.nil? || filename.empty?
+      abort "No such file '#{filename}'" unless File.exist?(filename)
+      abort "Cannot read file '#{filename}'" unless File.readable?(filename)
+
+      puts MkChain::Core.new(options).chain(File.read(filename))
+    rescue ArgumentError, MkChain::NoChainFoundException, MkChain::UnknownFormat => e
+      puts "Error: #{e.message}"
+      exit 1
+    rescue StandardError => e
+      puts "Unexpected error: #{e.message}"
+      exit 1
+    end
+
+    private
+
+    def parse_options(argv) # rubocop:disable Metrics/MethodLength
+      options = {
+        include_leaf: false,
+        include_root: false,
+        cacert_date: nil
+      }
+      opt_parser = OptionParser.new do |opts|
+        opts.banner = 'Usage: mkchain [options] <cert-filename>'
+        opts.on('-h', '--help', 'Display this help message') do
+          puts opts
+          exit
+        end
+        opts.on('-l', '--include-leaf', 'Include the leaf certificate') do
+          options[:include_leaf] = true
+        end
+        opts.on('-r', '--include-root', 'Include the root certificate') do
+          options[:include_root] = true
+        end
+        opts.on('-c', '--cacert-date DATE',
+                'Build chain against a specific CA bundle revision for better legacy client ' \
+                'compatibility. See https://curl.se/docs/caextract.html') do |date|
+          options[:cacert_date] = Date.parse(date)
+          require 'net/http'
+          require 'uri'
+          uri = URI("https://curl.se/ca/cacert-#{date}.pem")
+          response = Net::HTTP.get_response(uri)
+          if response.code.to_i != 200
+            raise "No CA bundle found for date #{date}. Please check the date format or availability. " \
+                  'For a subset of available revisions, visit https://curl.se/docs/caextract.html'
+          end
+
+          options[:cacert_date] = date
+        rescue Date::Error
+          puts 'Invalid date format. Use YYYY-MM-DD.'
+          exit 1
+        rescue StandardError => e
+          puts "Error fetching CA bundle: #{e.message}"
+          exit 1
+        end
+        opts.on('-v', '--version', 'Display version information') do
+          puts "mkchain #{MkChain::VERSION}"
+          exit
+        end
+      end
+
+      opt_parser.parse!(argv)
+      options
+    end
+  end
+end

data/lib/mkchain/core.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'open-uri'
+
+module MkChain
+  class NoChainFoundException < StandardError; end
+  class UnknownFormat < StandardError; end
+
+  class Core
+    def self.parse_pem(data)
+      # First try to parse as PEM-encoded X.509 certificates
+      begin
+        pem_blocks = data.scan(/-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m).flatten
+        certs = pem_blocks.map do |block|
+          OpenSSL::X509::Certificate.new([
+            '-----BEGIN CERTIFICATE-----',
+            block.strip,
+            '-----END CERTIFICATE-----'
+          ].join("\n"))
+        end
+
+        return certs unless certs.empty?
+      rescue OpenSSL::X509::CertificateError
+        # fall through to try PKCS#7
+      end
+
+      # Otherwise attempt PEM-encoded PKCS#7
+      begin
+        pkcs7 = OpenSSL::PKCS7.new(data)
+        return pkcs7.certificates if pkcs7.certificates.any?
+      rescue OpenSSL::PKCS7::PKCS7Error, ArgumentError
+        # fall through
+      end
+
+      raise UnknownFormat, 'Invalid PEM/PKCS#7 format'
+    end
+
+    def self.parse_der(data)
+      # Try to parse as PKCS#7 format first since it can wrap X.509 certs
+      begin
+        pkcs7 = OpenSSL::PKCS7.new(data)
+        return pkcs7.certificates if pkcs7.certificates.any?
+      rescue OpenSSL::PKCS7::PKCS7Error, ArgumentError
+        # fall through to try X.509 parsing
+      end
+
+      # If it fails, try to parse as a single X.509 certificate
+      begin
+        cert = OpenSSL::X509::Certificate.new(data)
+        return [cert]
+      rescue OpenSSL::X509::CertificateError
+        # fall through
+      end
+
+      raise UnknownFormat, 'Invalid DER format - could not parse as PKCS#7 or X.509'
+    end
+
+    def initialize(options = {})
+      @options = { include_leaf: false, include_root: false, cacert_date: nil }.merge(options)
+    end
+
+    def fetch_certificates(url)
+      @certificate_cache ||= {}
+      return @certificate_cache[url] if @certificate_cache.key?(url)
+
+      result = begin
+        data = URI.parse(url).read
+        if data.start_with?('-----BEGIN ')
+          self.class.parse_pem(data)
+        elsif data.getbyte(0) == 0x30
+          self.class.parse_der(data)
+        else
+          raise UnknownFormat, "Unknown certificate format - found leading bytes: #{data.byteslice(0, 4).unpack('H*')}"
+        end
+      rescue OpenURI::HTTPError => e
+        raise "Failed to fetch certificates from #{url}: #{e.message}"
+      end
+
+      @certificate_cache[url] = result
+      result
+    end
+
+    def chain(cert_str) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
+      # Ensure we have a valid certificate string
+      raise ArgumentError, 'Certificate string cannot be nil or empty' if cert_str.nil? || cert_str.strip.empty?
+
+      # If cacert_date is provided, attempt to load a CA bundle at the specified revision
+      cacert_date = @options.fetch(:cacert_date, nil)
+      cacert_url = "https://curl.se/ca/cacert#{"-#{cacert_date}" if cacert_date}.pem"
+      begin
+        # Download the CA bundle from the specified date to a temporary file
+        require 'tempfile'
+        tempfile = Tempfile.new("cacert-#{cacert_date || 'latest'}.pem")
+        tempfile.binmode
+        tempfile.write(URI.parse(cacert_url).read)
+        tempfile.rewind
+
+        # Load the CA bundle into an OpenSSL::X509::Store
+        ca_store = OpenSSL::X509::Store.new
+        ca_store.add_file(tempfile.path)
+        tempfile.close
+        tempfile.unlink
+      rescue OpenSSL::X509::StoreError => e
+        raise "Failed to load CA bundle (#{cacert_date || 'latest'}): #{e.message}"
+      end
+
+      # Parse the certificate and initialize the chain
+      leaf = OpenSSL::X509::Certificate.new(cert_str)
+      untrusted = []
+
+      # Walk through the certificate chain to find intermediates based on AIA extensions
+      queue = [leaf]
+      while (current = queue.shift)
+        # rubocop:disable Style/SafeNavigationChainLength
+        uri = current.extensions.find { |ext| ext.oid == 'authorityInfoAccess' }
+                     &.value
+                     &.scan(%r{CA Issuers - URI:(https?://\S+)})
+                     &.flatten&.first
+        # rubocop:enable Style/SafeNavigationChainLength
+        next unless uri
+
+        fetch_certificates(uri).each do |c|
+          next if c.subject == c.issuer # Skip self-signed/root certs
+
+          key = [c.subject.to_s, c.issuer.to_s, c.serial]
+          unless untrusted.any? { |u| key == [u.subject.to_s, u.issuer.to_s, u.serial] }
+            untrusted << c
+            queue << c
+          end
+        end
+      end
+      raise NoChainFoundException, 'No intermediate certificates found' if untrusted.empty?
+
+      # Attempt to build the chain from the untrusted certificates using the CA store
+      ctx = OpenSSL::X509::StoreContext.new(ca_store, leaf, untrusted)
+      raise "Failed to verify and build chain: #{ctx.error_string}" unless ctx.verify
+
+      # Collect the chain from the context
+      chain = ctx.chain
+      raise NoChainFoundException, 'No valid certificate chain found' if chain.empty?
+
+      # Remove the root and/or leaf if not requested
+      chain = chain[..-2] if @options[:include_root] == false
+      chain = chain[1..] if @options[:include_leaf] == false
+
+      # Return the chain as an array of PEM-encoded strings
+      chain.join
+    end
+  end
+end

data/lib/mkchain/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module MkChain
+  VERSION = '2.0.2'
+end

data/lib/mkchain.rb

@@ -1,24 +1,5 @@
-require 'openssl'
-require 'open-uri'
+# frozen_string_literal: true
 
-class MkChain
-  class NoChainFoundException < Exception; end
-
-  def self.chain(cert_str)
-    chain = []
-    cert = OpenSSL::X509::Certificate.new(cert_str)
-
-    loop do
-      url = cert.extensions.select { |ext| ext.oid == 'authorityInfoAccess' }
-        .first.value.match(%r{^CA Issuers - URI:(https?://.+)$})[1] rescue break
-
-      cert = OpenSSL::X509::Certificate.new(URI.open(url).read) rescue break
-      chain << cert.to_pem
-    end
-
-    raise NoChainFoundException, 'No intermediate chain found' if chain.empty?
-
-    # the last cert will be the root cert, which doesn't belong in the chain
-    chain[0..-1].join
-  end
-end
+require_relative 'mkchain/cli'
+require_relative 'mkchain/core'
+require_relative 'mkchain/version'

data/mkchain.gemspec

@@ -1,23 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'lib/mkchain'
+
 Gem::Specification.new do |s|
   s.name = 'mkchain'
-  s.version = '1.0.3'
-  s.authors = ['David Adams']
-  s.email = 'dadams@instructure.com'
-  s.date = Time.now.strftime('%Y-%m-%d')
+  s.version = MkChain::VERSION
+  s.authors = ['David Adams', 'David Warkentin']
+  s.email = ['dadams@instructure.com', 'dwarkentin@instructure.com']
   s.license = 'MIT'
   s.homepage = 'https://github.com/instructure/mkchain'
-  s.required_ruby_version = '>=2.0.0'
+  s.required_ruby_version = '>=3.0.0'
 
   s.summary = 'Create a chain file from SSL cert'
   s.description =
     'Creates an intermediate chain file from the given SSL certificate'
 
+  s.metadata = {
+    'rubygems_mfa_required' => 'true',
+    'source_code_uri' => s.homepage,
+  }
+
   s.require_paths = ['lib']
-  s.files = [
-    'lib/mkchain.rb',
-    'README.md',
-    'mkchain.gemspec'
-  ]
+  s.files = Dir.chdir(File.expand_path(__dir__)) do
+    Dir.glob('lib/**/*.rb') +
+      Dir.glob('bin/*') +
+      %w[README.md LICENSE mkchain.gemspec]
+  end
   s.bindir = 'bin'
   s.executables = ['mkchain']
 end

metadata

@@ -1,31 +1,38 @@
 --- !ruby/object:Gem::Specification
 name: mkchain
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 2.0.2
 platform: ruby
 authors:
 - David Adams
-autorequire:
+- David Warkentin
 bindir: bin
 cert_chain: []
-date: 2021-02-25 00:00:00.000000000 Z
+date: 2025-07-31 00:00:00.000000000 Z
 dependencies: []
 description: Creates an intermediate chain file from the given SSL certificate
-email: dadams@instructure.com
+email:
+- dadams@instructure.com
+- dwarkentin@instructure.com
 executables:
 - mkchain
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
 - README.md
 - bin/mkchain
 - lib/mkchain.rb
+- lib/mkchain/cli.rb
+- lib/mkchain/core.rb
+- lib/mkchain/version.rb
 - mkchain.gemspec
 homepage: https://github.com/instructure/mkchain
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
+  source_code_uri: https://github.com/instructure/mkchain
 rdoc_options: []
 require_paths:
 - lib
@@ -33,15 +40,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Create a chain file from SSL cert
 test_files: []