omf_common 6.0.7.1 → 6.0.8.pre.1

checksums.yaml

@@ -1,7 +1,15 @@
 ---
-SHA1:
-  metadata.gz: 65fd04c1481079b28cd3b353559c88893704fa25
-  data.tar.gz: 98e1f8789175aaf85869f463b3add3201959a18e
-SHA512:
-  metadata.gz: 477b8b778f5ddf8284d55cefff962dd3a3efec8cdfe705444ef69790d4e56cde08b6d8e7087339c7c2574c8056291520ee47e3e970b37bc756669f94435c0712
-  data.tar.gz: 54d3f6a16aeff8e32a5eed85d6400af3ef9811a2db70bc562b3f4a7729376b1aabfe0c5481264629e920b331cc16b08d98fe7c4e3f7aeafeb5f1e76c7a91cdc9
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MWJjMTBiYThjZmUxMWJjZDIyMmFiOTU2NDViZjQyMTM0MmQ4OTIwZA==
+  data.tar.gz: !binary |-
+    NTBjNDYwYzk3NzRlNjFhMTBlYjEzYTZmYjljZjUzZTM0NDVlOTc2ZA==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    MjJkNzIxN2NjZDMzOTcwZTVlNTg3YWZhY2I0NWEyYmI4MzEwMTRmNzg1ZDRh
+    M2RhY2RlZGZiNDkwZWI5MDAyMGExY2RiNTA3ZWUwMjg5ZmE2ODExYmIwOWVl
+    N2I2MDIzOTE0ZGE5NzBlODJjZTU0Yzc5YmFkMGI2MTY4NzM5NjE=
+  data.tar.gz: !binary |-
+    MzliNDQ5MTU3ZWJkZjg0Mzg5N2FiMmFhN2Y1ODlkZjFiYzY1YzQ3YzZiNGVi
+    MjlmNmZmNjEzNjc0M2RhYzZiZGU1NWM4NjY4YzQ3ZTMzMjg1MjE5OTYyNmQ4
+    YmNiYTU1NTI2ZTgzZTEwYzhjM2FkNjA2ZmU1NzRkMzM4OTYyZjY=

data/bin/omf_cert.rb

@@ -0,0 +1,175 @@
+#!/usr/bin/env ruby
+BIN_DIR = File.dirname(File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__)
+TOP_DIR = File.join(BIN_DIR, '..')
+$: << File.join(TOP_DIR, 'lib')
+
+require 'json/jwt' # to get around dependencies with activesupport
+
+DESCR = %{
+Program to create, read, and manipulate X509 certificates used in OMF.
+    create_root ...... Create a root certificate
+    create_user ...... Create user certificate (requires: --email, --user)
+    create_resource .. Create a certificate for a resource (requires: --resource_type)
+    describe ......... Print out some of the key properties found in the cert
+}
+
+
+require 'omf_common'
+include OmfCommon::Auth
+
+DEF_SUBJECT_PREFIX = Certificate.default_domain('US', 'CA', 'ACME', 'Roadrunner')
+
+OPTS = {
+  duration: Certificate::DEF_DURATION
+}
+
+op = OP = OptionParser.new
+op.banner = "\nUsage: #{op.program_name} [options] cmd \n#{DESCR}\n"
+op.on '-o', '--out FILE', "Write result into FILE [STDOUT]" do |file|
+  OPTS[:out] = file
+end
+op.on '-i', '--in FILE', "Read certificate from FILE [STDIN]" do |file|
+  OPTS[:in] = file
+end
+op.on '--email EMAIL', "Email to add to cert" do |email|
+  OPTS[:email] = email
+end
+op.on '--cn CN', "Common name to use. Will be appended to '#{DEF_SUBJECT_PREFIX}'" do |cn|
+  OPTS[:cn] = cn
+end
+op.on '--subj SUBJECT', "Subject to use in cert [#{DEF_SUBJECT_PREFIX}/CN=dummy]" do |subject|
+  OPTS[:subject] = subject
+end
+op.on '--user USER_NAME', "User name for user certs" do |user|
+  OPTS[:user] = user
+end
+op.on '--resource-type TYPE', "Type of resource to create cert for" do |type|
+  OPTS[:resource_type] = type
+end
+op.on '--resource-id ID', "ID for resource" do |id|
+  OPTS[:resource_id] = id
+end
+op.on '--duration SEC', "Duration the cert will be valid for [#{OPTS[:duration]}]" do |secs|
+  OPTS[:duration] = secs
+end
+op.on '--domain C:ST:O:OU', "Domain to us (components are ':' separated) [#{DEF_SUBJECT_PREFIX}]" do |domain|
+  unless (p = domain.split(':')).length == 4
+    $stderr.puts "ERROR: Domain needs to contain 4 parts separated by ':'\n"
+    exit(-1)
+  end
+  c, st, o, ou = p
+  Certificate.default_domain(c, st, o, ou)
+end
+
+op.on_tail('-v', "--verbose", "Print summary of created cert (Surpressed when writing cert to stdout)") do
+  OPTS[:verbose] = true
+end
+op.on_tail('-h', "--help", "Show this message") { $stderr.puts op; exit }
+rest = op.parse(ARGV) || []
+OPTS[:verbose] = false unless OPTS[:out]
+
+if rest.length != 1
+  $stderr.puts "ERROR: Can't figure out what is being requested\n"
+  $stderr.puts op; exit
+end
+
+CertificateStore.init()
+
+def write(content)
+  if (fname = OPTS[:out]) && fname != '-'
+    File.open(fname, 'w') {|f| f.puts content}
+  else
+    puts content
+  end
+end
+
+def write_cert(cert)
+  write cert.to_pem_with_key
+  describe_cert(cert) if OPTS[:verbose]
+end
+
+def require_opts(*names)
+  fails = false
+  names.each do |n|
+    unless OPTS[n]
+      $stderr.puts "ERROR: Missing option '--#{n}'\n"
+      fails = true
+    end
+  end
+  exit if fails
+end
+
+def describe_cert(cert = nil)
+  unless cert
+    if cert_file = OPTS[:in]
+      if File.readable?(cert_file)
+        pem = File.read(cert_file)
+      else
+        $stderr.puts "ERROR: Can't open file '#{cert_file}' for reading\n"
+        exit
+      end
+    else
+      pem = $stdin.read
+    end
+    cert = Certificate.create_from_pem(pem)
+  end
+  cert.describe.each do |k, v|
+    puts "#{k}:#{' ' * (15 - k.length)} #{v.inspect}"
+  end
+end
+
+case cmd = rest[0]
+when /^cre.*_root/
+  require_opts(:email)
+  cert = Certificate.create_root(OPTS)
+  write_cert cert
+
+when /^cre.*_user/
+  root = Certificate.create_root()
+  require_opts(:user, :email)
+  cert = root.create_for_user(OPTS[:user], OPTS)
+  write_cert cert
+
+when /^cre.*_resource/
+  root = Certificate.create_root()
+  require_opts(:resource_type)
+  r_id = OPTS.delete(:resource_id)
+  r_type = OPTS.delete(:resource_type)
+  cert = root.create_for_resource(r_id, r_type, OPTS)
+  write_cert cert
+
+when /^des.*/ # describe
+  describe_cert
+else
+  $stderr.puts "ERROR: Unknown cmd '#{cmd}'\n"
+  $stderr.puts op; exit
+end
+
+exit
+
+# unless resource_url || resource_type
+  # $stderr.puts 'Missing --resource-url --type or'
+  # $stderr.puts op
+  # exit(-1)
+# end
+
+adam = root.create_for_user('adam')
+projectA = root.create_for_resource('projectA', :project)
+#puts projectA.to_pem
+
+# require 'json/jwt'
+# msg = {cnt: "shit", iss: projectA}
+# p = JSON::JWT.new(msg).sign(projectA.key , :RS256).to_s
+
+require 'omf_common/auth/jwt_authenticator'
+
+#puts projectA.addresses_raw
+
+
+p = OmfCommon::Auth::JWTAuthenticator.sign('shit', projectA)
+pn = (p.length / 80 + 1).times.map {|i| p[i * 80, 80]}.join("\n")
+puts pn
+
+puts pn.split.join == p
+
+puts OmfCommon::Auth::JWTAuthenticator.parse(pn).inspect

data/example/auth_test.rb

@@ -0,0 +1,76 @@
+#!/usr/bin/env ruby
+#
+# This stand alone program is exercising a few authorization scenarios.
+#
+# Usage: ruby -I .
+
+EX_DIR = File.dirname(File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__)
+TOP_DIR = File.join(EX_DIR, '..')
+$: << File.join(TOP_DIR, 'lib')
+
+begin; require 'json/jwt'; rescue Exception; end
+require 'omf_common'
+require 'pry'
+
+OP_MODE = :development
+
+opts = {
+  communication: {
+    url: 'xmpp://srv.mytestbed.net',
+    auth: {
+      authenticate: true,
+      pdp: {
+        constructor: 'TestPDP',
+        trust: ['adam']
+      }
+    }
+  }
+}
+
+# Implements a simple PDP which accepts any message from a set of trusted issuers.
+#
+class TestPDP
+
+  def initialize(opts = {})
+    @trust = opts[:trust] || []
+    puts "AUTH INIT>>> #{opts}"
+  end
+
+  def authorize(msg, &block)
+    info msg.to_s
+    iss = msg.issuer.resource_id
+    if @trust.include? iss
+      puts "AUTH(#{iss}) >>> PASS"
+      msg
+    else
+      puts "AUTH(#{iss}) >>> FAILED"
+    end
+  end
+end
+
+def doit(comm, el)
+  init_auth_store(comm)
+  comm.subscribe(:test) do |topic|
+    topic.on_message do |msg|
+      puts "MSG>> #{msg}"
+    end
+
+    topic.configure({foo: 1}, {issuer: 'adam'})
+    el.after(1) { topic.configure({foo: 2}, {issuer: 'eve'}) }
+  end
+end
+
+def init_auth_store(comm)
+  root_ca = OmfCommon::Auth::Certificate.create_root
+
+  root_ca.create_for_resource 'adam', :requester
+  root_ca.create_for_resource 'eve', :requester
+  OmfCommon::Auth::CertificateStore.instance.pry
+end
+
+OmfCommon.init(:development, opts) do |el|
+  OmfCommon.comm.on_connected do |comm|
+    doit(comm, el)
+  end
+  el.after(3) do puts "AFTER" end
+end

data/lib/omf_common.rb

@@ -142,6 +142,8 @@ module OmfCommon
   # @param [Hash] opts
   #
   def self.init(op_mode, opts = {}, &block)
+    opts = _rec_sym_keys(opts)
+
     if op_mode && defs = DEFAULTS[op_mode.to_sym]
       opts = _rec_merge(defs, opts)
     end
@@ -157,6 +159,7 @@ module OmfCommon
     if lopts = opts[:logging]
       _init_logging(lopts) unless lopts.empty?
     end
+
     unless copts = opts[:communication]
       raise "Missing :communication description"
     end
@@ -294,7 +297,7 @@ module OmfCommon
     end
   end
 
-  # Recusively Symbolize keys of hash
+  # Recursively Symbolize keys of hash
   #
   def self._rec_sym_keys(hash)
     h = {}
@@ -325,4 +328,12 @@ module OmfCommon
       end
     end
   end
+
+  def self.load_credentials(opts)
+    unless opts.nil?
+      OmfCommon::Auth::CertificateStore.instance.register_default_certs(File.expand_path(opts[:root_cert_dir]))
+      cert_and_priv_key = File.read(File.expand_path(opts[:entity_cert])) << "\n" << File.read(File.expand_path(opts[:entity_key]))
+      OmfCommon::Auth::Certificate.create_from_pem(cert_and_priv_key)
+    end
+  end
 end

data/lib/omf_common/auth/certificate.rb

@@ -6,50 +6,141 @@
 require 'openssl'
 require 'omf_common/auth'
 require 'omf_common/auth/ssh_pub_key_convert'
+require 'uuidtools'
 
 module OmfCommon::Auth
 
+  class CertificateNoLongerValidException < AuthException; end
+
   class Certificate
     DEF_DOMAIN_NAME = 'acme'
     DEF_DURATION = 3600
 
     BEGIN_CERT = "-----BEGIN CERTIFICATE-----\n"
     END_CERT = "\n-----END CERTIFICATE-----\n"
-    @@serial = 0
+    BEGIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n"
+    END_KEY = "\n-----END RSA PRIVATE KEY-----\n"
 
-    # @param [String] name unique name of the entity (resource name)
-    # @param [String] type type of the entity (resource type)
-    # @param [String] domain of the resource
+    @@def_x509_name_prefix = [['C', 'US'], ['ST', 'CA'], ['O', 'ACME'], ['OU', 'Roadrunner']]
+    @@def_email_domain = 'acme.org'
     #
-    def self.create(address, name, type, domain = DEF_DOMAIN_NAME, issuer = nil, not_before = Time.now, duration = 3600, key = nil)
-      subject = _create_name(name, type, domain)
-      if key.nil?
-        key, digest = _create_key()
-      else
+    def self.default_domain(country, state, organisation, org_unit)
+      @@def_x509_name_prefix = [
+        ['C', c = country.upcase],
+        ['ST', st = state.upcase],
+        ['O', o = organisation],
+        ['OU', ou = org_unit]
+      ]
+      "/C=#{c}/ST=#{st}/O=#{o}/OU=#{ou}"
+    end
+
+    def self.default_email_domain(email_domain)
+      @@def_email_domain = email_domain
+    end
+
+    # @param [String] resource_id unique id of the resource entity
+    # @param [String] resource_type type of the resource entity
+    # @param [Certificate] Issuer
+    # @param [Hash] options
+    # @option [Time] :not_before Time the cert will be valid from [now]
+    # @option [int] :duration Time in seconds this cert is valid for [3600]
+    # @option [OpenSSL::PKey::RSA] :key Key to encode in cert. If not given, will create a new one
+    # @option [String] :user_id ID (should be UUID) for user [UUID(email)]
+    # @option [String] :email Email to identify user. If not give, user 'name' and @@def_email_domain
+    # @option [String] :geni_uri
+    # @option [String] :frcp_uri
+    # @option [String] :frcp_domain
+    # @option [String] :http_uri
+    # @option [String] :http_prefix
+    #
+    def self.create_for_resource(resource_id, resource_type, issuer, opts = {})
+      xname = @@def_x509_name_prefix.dup
+      xname << ['CN', opts[:cn] || resource_id]
+      subject = OpenSSL::X509::Name.new(xname)
+
+      if key = opts[:key]
         digest = _create_digest
+      else
+        key, digest = _create_key()
       end
 
-      c = _create_x509_cert(address, subject, key, digest, issuer, not_before, duration)
-      c[:address] = address if address
+      addresses = opts[:addresses] || []
+      addresses << "URI:uuid:#{opts[:resource_uuid]}" if opts[:resource_uuid]
+      email_domain = opts[:email] ? opts[:email].split('@')[1] : @@def_email_domain
+      addresses << (opts[:geni_uri] || "URI:urn:publicid:IDN+#{email_domain}+#{resource_type}+#{resource_id}")
+      if frcp_uri = opts[:frcp_uri]
+        unless frcp_uri.to_s.start_with? 'URI'
+          frcp_uri = "URI:frcp:#{frcp_uri}"
+        end
+        addresses << frcp_uri
+      end
+          # opts[:frcp_uri] || "URI:frcp:#{user_id}@#{opts[:frcp_domain] || @@def_email_domain}",
+          # opts[:http_uri] || "URI:http://#{opts[:http_prefix] || @@def_email_domain}/users/#{user_id}"
+      not_before = opts[:not_before] || Time.now
+      duration = opts[:duration] = 3600
+      c = _create_x509_cert(subject, key, digest, issuer, not_before, duration, addresses)
+      c[:addresses] = addresses
+      c[:resource_id] = resource_id
+      c[:subject] = subject
       self.new c
     end
 
-    # @param [String] pem is the content of existing x509 cert
-    # @param [OpenSSL::PKey::RSA|String] key is the private key which can be attached to the instance for signing.
-    def self.create_from_x509(pem, key = nil)
+    def self.create_root(opts = {})
+      email = opts[:email] ||= "sa@#{@@def_email_domain}"
+      opts = {
+        addresses: [
+          "email:#{email}"
+        ]
+      }.merge(opts)
+      cert = create_for_resource('sa', :authority, nil, opts)
+      CertificateStore.instance.register_trusted(cert)
+      cert
+    end
+
+    # Return  a newly create certificate with properties token from
+    # 'pem' encoded string.
+    #
+    # @param [String] pem is the PEM encoded content of existing x509 cert
+    # @return [Certificate] Certificate object
+    #
+    def self.create_from_pem(pem_s)
+      state = :seeking
+      cert_pem = []
+      key_pem = []
+      end_regexp = /^-*END/
+      pem_s.each_line do |line|
+        state = :seeking if line.match(end_regexp)
+        case state
+        when :seeking
+          case line
+          when /^-*BEGIN CERTIFICATE/
+            state = :cert
+          when /^-*BEGIN RSA PRIVATE KEY/
+            state = :key
+          end
+        when :cert
+          cert_pem << line
+        when :key
+          key_pem << line
+        else
+          raise "BUG: Unknown state '#{state}'"
+        end
+      end
       # Some command list generated cert can use \r\n as newline char
-      unless pem =~ /^-----BEGIN CERTIFICATE-----/
-        pem = "#{BEGIN_CERT}#{pem}#{END_CERT}"
+      cert_pem = cert_pem.join()
+      unless cert_pem =~ /^-----BEGIN CERTIFICATE-----/
+        cert_pem = "#{BEGIN_CERT}#{cert_pem.chomp}#{END_CERT}"
       end
-
-      cert = OpenSSL::X509::Certificate.new(pem)
-
-      key = OpenSSL::PKey::RSA.new(key) if key && key.is_a?(String)
-
-      if key && !cert.check_private_key(key)
-        raise ArgumentError, "Private key provided could not match the public key of given certificate"
+      opts = {}
+      opts[:cert] = OpenSSL::X509::Certificate.new(cert_pem)
+      if key_pem.size > 0
+        key_pem = key_pem.join()
+        unless key_pem =~ /^-----BEGIN RSA PRIVATE KEY-----/
+          key_pem = "#{BEGIN_KEY}#{key_pem.chomp}#{END_KEY}"
+        end
+        opts[:key] = OpenSSL::PKey::RSA.new(key_pem)
       end
-      self.new({ cert: cert, key: key })
+      self.new(opts)
     end
 
     # Returns an array with a new RSA key and a SHA1 digest
@@ -62,13 +153,6 @@ module OmfCommon::Auth
       OpenSSL::Digest::SHA1.new
     end
 
-    # @param [String] name unique name of the entity (resource name)
-    # @param [String] type type of the entity (resource type)
-    #
-    def self._create_name(name, type, domain = DEF_DOMAIN_NAME)
-      OpenSSL::X509::Name.new [['CN', "frcp//#{domain}//frcp.#{type}.#{name}"]], {}
-    end
-
     # Create a X509 certificate
     #
     # @param [String] address
@@ -76,96 +160,154 @@ module OmfCommon::Auth
     # @param [OpenSSL::PKey::RSA] key
     # @return {cert, key}
     #
-    def self._create_x509_cert(address, subject, key, digest = nil,
-                              issuer = nil, not_before = Time.now, duration = DEF_DURATION, extensions = [])
-      extensions << ["subjectAltName", "URI:#{address}", false] if address
+    def self._create_x509_cert(subject, key, digest = nil,
+                              issuer = nil, not_before = Time.now, duration = DEF_DURATION, addresses = [])
+
+      if key.nil?
+        key, digest = _create_key()
+      else
+        digest = _create_digest
+      end
 
       cert = OpenSSL::X509::Certificate.new
       cert.version = 2
       # TODO change serial to non-sequential secure random numbers for production use
-      cert.serial = (@@serial += 1)
+      cert.serial = UUIDTools::UUID.random_create.to_i
       cert.subject = subject
       cert.public_key = key.public_key
       cert.not_before = not_before
       cert.not_after = not_before + duration
-      unless extensions.empty?
-        issuer_cert = issuer ? issuer.to_x509 : cert
-        ef = OpenSSL::X509::ExtensionFactory.new
-        ef.subject_certificate = cert
-        ef.issuer_certificate = issuer_cert
-        extensions.each{|oid, value, critical|
-          cert.add_extension(ef.create_extension(oid, value, critical))
-        }
+      #extensions << ["subjectAltName", "URI:http://foo.com/users/dc766130, URI:frcp:dc766130-c822-11e0-901e-000c29f89f7b@foo.com", false]
+
+      issuer_cert = issuer ? issuer.to_x509 : cert
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = issuer_cert
+      unless addresses.empty?
+        cert.add_extension(ef.create_extension("subjectAltName", addresses.join(','), false))
       end
+
       if issuer
         cert.issuer = issuer.subject
         cert.sign(issuer.key, issuer.digest)
       else
         # self signed
         cert.issuer = subject
+
+        # Not exactly sure if that's the right extensions to add. Copied from
+        # http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
+        cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
+        cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
+        cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
+        cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
+
+        # Signing the cert should be ABSOLUTELY the last step
         cert.sign(key, digest)
       end
       { cert: cert, key: key }
     end
 
-    attr_reader :address, :subject, :key, :digest
+    attr_reader :addresses, :resource_id # :addresses_raw, :addresses_string
+    attr_reader :subject, :key, :digest
+    attr_writer :resource_id
 
     def initialize(opts)
       if @cert = opts[:cert]
         @subject = @cert.subject
       end
-      unless @address = opts[:address]
-        # try to see it it is in cert
-        if @cert
-          @cert.extensions.each do |ext|
-            if ext.oid == 'subjectAltName'
-              @address = ext.value[4 .. -1] # strip off 'URI:'
-            end
-          end
-        end
-      end
-      if @key = opts[:key]
-        @digest = opts[:digest] || OpenSSL::Digest::SHA1.new
-      end
+      @resource_id = opts[:resource_id]
+      _extract_addresses(@cert)
       unless @subject ||= opts[:subject]
         name = opts[:name]
         type = opts[:type]
         domain = opts[:domain]
         @subject = _create_name(name, type, domain)
       end
-      @cert ||= _create_x509_cert(@address, @subject, @key, @digest)[:cert]
+      if key = opts[:key]
+        @digest = opts[:digest] || self.class._create_digest
+      end
+      if @cert
+        self.key = key if key # this verifies that key is the right one for this cert
+      else
+        #@cert ||= _create_x509_cert(@address, @subject, @key, @digest)[:cert]
+        @cert = self.class._create_x509_cert(@subject, key, @digest)[:cert]
+        @key = key
+      end
     end
 
-    # @param [OpenSSL::PKey::RSA|String] key is most likely the public key of the resource.
-    #
-    def create_for(address, name, type, domain = DEF_DOMAIN_NAME, duration = 3600, key = nil)
-      raise ArgumentError, "Address required" unless address
+    def valid?
+      now = Time.new
+      (@cert.not_before <= now && now <= @cert.not_after)
+    end
+
+    def cert_expired?
+      debug "Certificate expired!" unless valid?
+      !valid?
+    end
 
-      begin
-        key = OpenSSL::PKey::RSA.new(key) if key && key.is_a?(String)
-      rescue OpenSSL::PKey::RSAError
-        # It might be a SSH pub key, try that
-        key = OmfCommon::Auth::SSHPubKeyConvert.convert(key)
+    def key=(key)
+      if @cert && !@cert.check_private_key(key)
+        raise ArgumentError, "Private key provided could not match the public key of given certificate"
       end
+      @key = key
+    end
 
-      cert = self.class.create(address, name, type, domain, self, Time.now, duration, key)
-      CertificateStore.instance.register(cert, address)
+    def create_for_resource(resource_id, resource_type, opts = {})
+      unless valid?
+        raise CertificateNoLongerValidException.new
+      end
+      resource_id ||= UUIDTools::UUID.random_create()
+      unless opts[:resource_uuid]
+        if resource_id.is_a? UUIDTools::UUID
+          opts[:resource_uuid] = resource_id
+        else
+          opts[:resource_uuid] = UUIDTools::UUID.random_create()
+        end
+      end
+      unless opts[:cn]
+        opts[:cn] = "#{resource_id}/type=#{resource_type}"
+        (opts[:cn] += "/uuid=#{opts[:resource_uuid]}") unless resource_id.is_a? UUIDTools::UUID
+      end
+      cert = self.class.create_for_resource(resource_id, resource_type, self, opts)
+      CertificateStore.instance.register(cert)
       cert
     end
 
+    # See #create_for_resource for documentation on 'opts'
+    def create_for_user(name, opts = {})
+      unless valid?
+        raise CertificateNoLongerValidException.new
+      end
+      email = opts[:email] || "#{name}@#{@@def_email_domain}"
+      user_id = opts[:user_id] || UUIDTools::UUID.sha1_create(UUIDTools::UUID_URL_NAMESPACE, email)
+      opts[:cn] = "#{user_id}/emailAddress=#{email}"
+      opts[:addresses] = [
+        "email:#{email}",
+      ]
+      create_for_resource(user_id, :user, opts)
+    end
+
     # Return the X509 certificate. If it hasn't been passed in, return a self-signed one
     def to_x509()
       @cert
     end
 
     def can_sign?
-      !@key.nil? && @key.private?
+      !cert_expired? && !@key.nil? && @key.private?
+    end
+
+    def root_ca?
+      subject == @cert.issuer
     end
 
     def to_pem
       to_x509.to_pem
     end
 
+    def to_pem_with_key
+      to_x509.to_pem + @key.to_pem
+    end
+
     def to_pem_compact
       to_pem.lines.to_a[1 ... -1].join.strip
     end
@@ -178,16 +320,57 @@ module OmfCommon::Auth
       end
     end
 
+    # Return a hash of some of the key properties of this cert.
+    # To get the full monty, use 'openssl x509 -in xxx.pem -text'
+    #
+    def describe
+      {
+        subject: subject,
+        issuer: @cert.issuer,
+        addresses: addresses,
+        can_sign: can_sign?,
+        root_ca: root_ca?,
+        valid: valid?,
+        valid_period: [@cert.not_before, @cert.not_after]
+      }
+      #(@cert.methods - Object.new.methods).sort
+    end
+
     # Will return one of the following
     #
     # :HS256, :HS384, :HS512, :RS256, :RS384, :RS512, :ES256, :ES384, :ES512
     #
     # def key_algorithm
-#
+    #
     # end
 
     def to_s
-      "#<#{self.class} addr=#{@address} subj=#{@subject} can-sign=#{@key != nil}>"
+      "#<#{self.class} subj=#{@subject} can-sign=#{@key != nil}>"
+    end
+
+    def _extract_addresses(cert)
+      addr = @addresses = {}
+      return unless cert
+      ext = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
+      return unless ext
+      @address_string = ext.value
+      @addresses_raw = ext.value.split(',').compact
+      @addresses_raw.each do |addr_s|
+        parts = addr_s.split(':')
+        #puts ">>>>>> #{parts}"
+        case parts[0].strip
+        when 'email'
+          addr[:email] = parts[1]
+        when 'URI'
+          if parts[1] == 'urn'
+            addr[:geni] = parts[3][4 .. -1]
+          else
+            addr[parts[1].to_sym] = parts[2]
+          end
+        else
+          warn "Unknown address type '#{parts[0]}'"
+        end
+      end
     end
   end # class
 end # module