r509-ca-http 0.1

data/doc/top-level-namespace.html

@@ -0,0 +1,112 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title>
+  Top Level Namespace
+  
+    &mdash; Documentation by YARD 0.8.3
+  
+</title>
+
+  <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" charset="utf-8" />
+
+  <link rel="stylesheet" href="css/common.css" type="text/css" media="screen" charset="utf-8" />
+
+<script type="text/javascript" charset="utf-8">
+  hasFrames = window.top.frames.main ? true : false;
+  relpath = '';
+  framesUrl = "frames.html#!" + escape(window.location.href);
+</script>
+
+
+  <script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
+
+  <script type="text/javascript" charset="utf-8" src="js/app.js"></script>
+
+
+  </head>
+  <body>
+    <div id="header">
+      <div id="menu">
+  
+    <a href="_index.html">Index</a> &raquo;
+    
+    
+    <span class="title">Top Level Namespace</span>
+  
+
+  <div class="noframes"><span class="title">(</span><a href="." target="_top">no frames</a><span class="title">)</span></div>
+</div>
+
+      <div id="search">
+  
+    <a class="full_list_link" id="class_list_link"
+        href="class_list.html">
+      Class List
+    </a>
+  
+    <a class="full_list_link" id="method_list_link"
+        href="method_list.html">
+      Method List
+    </a>
+  
+    <a class="full_list_link" id="file_list_link"
+        href="file_list.html">
+      File List
+    </a>
+  
+</div>
+      <div class="clear"></div>
+    </div>
+
+    <iframe id="search_frame"></iframe>
+
+    <div id="content"><h1>Top Level Namespace
+  
+  
+  
+</h1>
+
+<dl class="box">
+  
+  
+    
+  
+    
+  
+  
+  
+</dl>
+<div class="clear"></div>
+
+<h2>Defined Under Namespace</h2>
+<p class="children">
+  
+    
+      <strong class="modules">Modules:</strong> <span class='object_link'><a href="R509.html" title="R509 (module)">R509</a></span>
+    
+  
+    
+  
+</p>
+
+
+
+
+
+
+
+
+
+</div>
+
+    <div id="footer">
+  Generated on Thu Nov  8 14:58:26 2012 by
+  <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
+  0.8.3 (ruby-1.9.3).
+</div>
+
+  </body>
+</html>

data/lib/r509/certificateauthority/http/factory.rb

@@ -0,0 +1,15 @@
+module R509::CertificateAuthority::Http
+    module Factory
+        class CsrFactory
+            def build(options)
+                R509::Csr.new(options)
+            end
+        end
+
+        class SpkiFactory
+            def build(options)
+                R509::Spki.new(options)
+            end
+        end
+    end
+end

data/lib/r509/certificateauthority/http/server.rb

@@ -0,0 +1,237 @@
+require 'rubygems' if RUBY_VERSION < "1.9"
+require 'sinatra/base'
+require 'r509'
+require "#{File.dirname(__FILE__)}/subjectparser"
+require "#{File.dirname(__FILE__)}/validityperiodconverter"
+require "#{File.dirname(__FILE__)}/factory"
+require 'base64'
+require 'yaml'
+require 'logger'
+require 'dependo'
+
+module R509
+    module CertificateAuthority
+        module Http
+            class Server < Sinatra::Base
+                extend Dependo::Mixin
+                include Dependo::Mixin
+
+                configure do
+                    disable :protection #disable Rack::Protection (for speed)
+                    disable :logging
+                    set :environment, :production
+
+                    crls = {}
+                    certificate_authorities = {}
+                    config_pool.names.each do |name|
+                        crls[name] = R509::Crl::Administrator.new(config_pool[name])
+                        certificate_authorities[name] = R509::CertificateAuthority::Signer.new(config_pool[name])
+                    end
+
+                    set :crls, crls
+                    set :certificate_authorities, certificate_authorities
+                    set :subject_parser, R509::CertificateAuthority::Http::SubjectParser.new
+                    set :validity_period_converter, R509::CertificateAuthority::Http::ValidityPeriodConverter.new
+                    set :csr_factory, R509::CertificateAuthority::Http::Factory::CsrFactory.new
+                    set :spki_factory, R509::CertificateAuthority::Http::Factory::SpkiFactory.new
+                end
+
+                before do
+                    content_type :text
+                end
+
+                helpers do
+                    def crl(name)
+                        settings.crls[name]
+                    end
+                    def ca(name)
+                        settings.certificate_authorities[name]
+                    end
+                    def subject_parser
+                        settings.subject_parser
+                    end
+                    def validity_period_converter
+                        settings.validity_period_converter
+                    end
+                    def csr_factory
+                        settings.csr_factory
+                    end
+                    def spki_factory
+                        settings.spki_factory
+                    end
+                end
+
+                error do
+                    log.error env["sinatra.error"].inspect
+                    log.error env["sinatra.error"].backtrace.join("\n")
+                    "Something is amiss with our CA. You should ... wait?"
+                end
+
+                error StandardError do
+                    log.error env["sinatra.error"].inspect
+                    log.error env["sinatra.error"].backtrace.join("\n")
+                    env["sinatra.error"].inspect
+                end
+
+                get '/favicon.ico' do
+                    log.debug "go away. no children."
+                    "go away. no children"
+                end
+
+                get '/1/crl/:ca/get/?' do
+                    log.info "Get CRL for #{params[:ca]}"
+
+                    if not crl(params[:ca])
+                        raise ArgumentError, "CA not found"
+                    end
+
+                    crl(params[:ca]).to_pem
+                end
+
+                get '/1/crl/:ca/generate/?' do
+                    log.info "Generate CRL for #{params[:ca]}"
+
+                    if not crl(params[:ca])
+                        raise ArgumentError, "CA not found"
+                    end
+
+                    crl(params[:ca]).generate_crl
+                end
+
+                post '/1/certificate/issue/?' do
+                    log.info "Issue Certificate"
+                    raw = request.env["rack.input"].read
+                    env["rack.input"].rewind
+                    log.info raw
+
+                    log.info params.inspect
+
+                    if not params.has_key?("ca")
+                        raise ArgumentError, "Must provide a CA"
+                    end
+                    if not ca(params["ca"])
+                        raise ArgumentError, "CA not found"
+                    end
+                    if not params.has_key?("profile")
+                        raise ArgumentError, "Must provide a CA profile"
+                    end
+                    if not params.has_key?("validityPeriod")
+                        raise ArgumentError, "Must provide a validity period"
+                    end
+                    if not params.has_key?("csr") and not params.has_key?("spki")
+                        raise ArgumentError, "Must provide a CSR or SPKI"
+                    end
+
+                    subject = subject_parser.parse(raw, "subject")
+                    log.info subject.inspect
+                    log.info subject.to_s
+                    if subject.empty?
+                        raise ArgumentError, "Must provide a subject"
+                    end
+
+                    if params.has_key?("extensions") and params["extensions"].has_key?("subjectAlternativeName")
+                        san_names = params["extensions"]["subjectAlternativeName"].select { |name| not name.empty? }
+                    else
+                        san_names = []
+                    end
+
+                    data_hash = {
+                        :subject => subject,
+                        :san_names => san_names
+                    }
+
+                    validity_period = validity_period_converter.convert(params["validityPeriod"])
+
+                    if params.has_key?("csr")
+                        csr = csr_factory.build(:csr => params["csr"])
+                        cert = ca(params["ca"]).sign(
+                            :csr => csr,
+                            :profile_name => params["profile"],
+                            :data_hash => data_hash,
+                            :not_before => validity_period[:not_before],
+                            :not_after => validity_period[:not_after]
+                        )
+                    elsif params.has_key?("spki")
+                        spki = spki_factory.build(:spki => params["spki"], :subject => subject)
+                        cert = ca(params["ca"]).sign(
+                            :spki => spki,
+                            :profile_name => params["profile"],
+                            :data_hash => data_hash,
+                            :not_before => validity_period[:not_before],
+                            :not_after => validity_period[:not_after]
+                        )
+                    else
+                        raise ArgumentError, "Must provide a CSR or SPKI"
+                    end
+
+                    pem = cert.to_pem
+                    log.info pem
+
+                    pem
+                end
+
+                post '/1/certificate/revoke/?' do
+                    ca = params[:ca]
+                    serial = params[:serial]
+                    reason = params[:reason]
+                    log.info "Revoke for serial #{serial} on CA #{ca}"
+
+                    if not ca
+                        raise ArgumentError, "CA must be provided"
+                    end
+                    if not crl(ca)
+                        raise ArgumentError, "CA not found"
+                    end
+                    if not serial
+                        raise ArgumentError, "Serial must be provided"
+                    end
+                    if not reason
+                        reason = 0
+                    end
+
+                    crl(ca).revoke_cert(serial.to_i, reason.to_i)
+
+                    crl(ca).to_pem
+                end
+
+                post '/1/certificate/unrevoke/?' do
+                    ca = params[:ca]
+                    serial = params[:serial]
+                    log.info "Unrevoke for serial #{serial} on CA #{ca}"
+
+                    if not ca
+                        raise ArgumentError, "CA must be provided"
+                    end
+                    if not crl(ca)
+                        raise ArgumentError, "CA not found"
+                    end
+                    if not serial
+                        raise ArgumentError, "Serial must be provided"
+                    end
+
+                    crl(ca).unrevoke_cert(serial.to_i)
+
+                    crl(ca).to_pem
+                end
+
+                get '/test/certificate/issue/?' do
+                    log.info "Loaded test issuance interface"
+                    content_type :html
+                    erb :test_issue
+                end
+
+                get '/test/certificate/revoke/?' do
+                    log.info "Loaded test revoke interface"
+                    content_type :html
+                    erb :test_revoke
+                end
+
+                get '/test/certificate/unrevoke/?' do
+                    log.info "Loaded test unrevoke interface"
+                    content_type :html
+                    erb :test_unrevoke
+                end
+            end
+        end
+    end
+end

data/lib/r509/certificateauthority/http/subjectparser.rb

@@ -0,0 +1,33 @@
+module R509
+    module CertificateAuthority
+        module Http
+            class SubjectParser
+                def parse(raw, name="subject")
+                    if raw.nil?
+                        raise ArgumentError, "Must provide a query string"
+                    end
+
+                    subject = R509::Subject.new
+                    raw.split(/[&;] */n).each { |pair|
+                        key, value = pair.split('=', 2).map { |data| unescape(data) }
+                        match = key.match(/#{name}\[(.*)\]/)
+                        if not match.nil? and not value.empty?
+                            subject[match[1]] = value
+                        end
+                    }
+                    subject
+                end
+
+                if defined?(::Encoding)
+                    def unescape(s, encoding = Encoding::UTF_8)
+                        URI.decode_www_form_component(s, encoding)
+                    end
+                else
+                    def unescape(s, encoding = nil)
+                        URI.decode_www_form_component(s, encoding)
+                    end
+                end
+            end
+        end
+    end
+end

data/lib/r509/certificateauthority/http/validityperiodconverter.rb

@@ -0,0 +1,16 @@
+module R509::CertificateAuthority::Http
+    class ValidityPeriodConverter
+        def convert(validity_period)
+            if validity_period.nil?
+                raise ArgumentError, "Must provide validity period"
+            end
+            if validity_period.to_i <= 0
+                raise ArgumentError, "Validity period must be positive"
+            end
+            {
+                :not_before => Time.now - 6 * 60 * 60,
+                :not_after => Time.now + validity_period.to_i,
+            }
+        end
+    end
+end

data/lib/r509/certificateauthority/http/version.rb

@@ -0,0 +1,7 @@
+module R509
+    module CertificateAuthority
+        module Http
+            VERSION="0.1"
+        end
+    end
+end

data/lib/r509/certificateauthority/http/views/test_issue.erb

@@ -0,0 +1,85 @@
+<html>
+<head>
+    <title>Issue</title>
+</head>
+<body>
+
+<h1>Issue a certificate</h1>
+
+<form method="post" action="/1/certificate/issue/">
+    <p>
+        CA:
+        <br />
+        <input type="text" name="ca" />
+    </p>
+    <p>
+        Profile:
+        <br />
+        <input type="text" name="profile" />
+    </p>
+    <p>
+        Validity Period (in seconds):
+        <br />
+        <input type="text" name="validityPeriod" />
+    </p>
+    <p>
+        C:
+        <br />
+        <input type="text" name="subject[C]" />
+    </p>
+    <p>
+        ST:
+        <br />
+        <input type="text" name="subject[ST]" />
+    </p>
+    <p>
+        L:
+        <br />
+        <input type="text" name="subject[L]" />
+    </p>
+    <p>
+        O:
+        <br />
+        <input type="text" name="subject[O]" />
+    </p>
+    <p>
+        OU:
+        <br />
+        <input type="text" name="subject[OU]" />
+    </p>
+    <p>
+        CN:
+        <br />
+        <input type="text" name="subject[CN]" />
+    </p>
+    <p>
+        emailAddress:
+        <br />
+        <input type="text" name="subject[emailAddress]" />
+    </p>
+    <p>
+        SAN:
+        <br />
+        <input type="text" name="extensions[subjectAlternativeName][]" />
+        <br />
+        <input type="text" name="extensions[subjectAlternativeName][]" />
+        <br />
+        <input type="text" name="extensions[subjectAlternativeName][]" />
+        <br />
+        <input type="text" name="extensions[subjectAlternativeName][]" />
+        <br />
+        <input type="text" name="extensions[subjectAlternativeName][]" />
+        <br />
+    </p>
+    <p>
+        CSR:
+        <br />
+        <textarea name="csr" rows="6" cols="80"></textarea>
+    </p>
+    <p>
+        <input type="submit" value="Gimme" />
+    </p>
+</form>
+
+</body>
+</html>