r509 0.10.0 → 1.0

data/lib/r509/cert/extensions/crl_distribution_points.rb

@@ -36,7 +36,7 @@ module R509
         #     :value => [name]
         #   )
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
 
@@ -60,7 +60,7 @@ module R509
         private
 
         def parse_extension
-          @general_names= R509::ASN1::GeneralNames.new
+          @general_names = R509::ASN1::GeneralNames.new
           data = R509::ASN1.get_extension_payload(self)
           data.entries.each do |distribution_point|
             #   DistributionPoint ::= SEQUENCE {
@@ -79,18 +79,16 @@ module R509
 
         def build_extension(arg)
           validate_crl_distribution_points(arg)
-          validate_location('crl_distribution_points',arg[:value])
+          validate_location('crl_distribution_points', arg[:value])
           serialize = R509::ASN1::GeneralNames.new(arg[:value]).serialize_names
           ef = OpenSSL::X509::ExtensionFactory.new
           ef.config = OpenSSL::Config.parse(serialize[:conf])
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          return ef.create_extension("crlDistributionPoints", serialize[:extension_string],critical)
+          ef.create_extension("crlDistributionPoints", serialize[:extension_string], critical)
         end
 
         def validate_crl_distribution_points(arg)
-          if not arg.kind_of?(Hash)
-            raise ArgumentError, "You must pass a hash with a :value key"
-          end
+          raise ArgumentError, "You must pass a hash with a :value key" unless arg.is_a?(Hash)
         end
       end
     end

data/lib/r509/cert/extensions/extended_key_usage.rb

@@ -61,10 +61,10 @@ module R509
         # @example
         #   R509::Cert::Extensions::ExtendedKeyUsage.new(
         #     :critical => false,
-        #     :value => ['clientAuth,'serverAuth']
+        #     :value => ['clientAuth','serverAuth']
         #   )
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
 
@@ -74,8 +74,8 @@ module R509
 
         # Returns true if the given use is allowed by this extension.
         # @param [string] friendly_use_name One of the AU_* constants in this class.
-        def allows?( friendly_use_name )
-          @allowed_uses.include?( friendly_use_name )
+        def allows?(friendly_use_name)
+          @allowed_uses.include?(friendly_use_name)
         end
 
         def web_server_authentication?
@@ -181,7 +181,7 @@ module R509
           validate_usage(arg)
           ef = OpenSSL::X509::ExtensionFactory.new
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          return ef.create_extension("extendedKeyUsage", arg[:value].join(","),critical)
+          ef.create_extension("extendedKeyUsage", arg[:value].join(","), critical)
         end
       end
     end

data/lib/r509/cert/extensions/inhibit_any_policy.rb

@@ -31,7 +31,7 @@ module R509
         # @option arg :value [Integer]
         # @option arg :critical [Boolean] (true)
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
 
@@ -50,6 +50,7 @@ module R509
         end
 
         private
+
         def parse_extension
           #   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }
           #   InhibitAnyPolicy ::= SkipCerts
@@ -58,11 +59,11 @@ module R509
         end
 
         def build_extension(arg)
-          validate_non_negative_integer("Inhibit any policy",arg[:value])
+          validate_non_negative_integer("Inhibit any policy", arg[:value])
           ef = OpenSSL::X509::ExtensionFactory.new
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], true)
           # must be set critical per RFC 5280
-          return ef.create_extension("inhibitAnyPolicy",arg[:value].to_s,critical)
+          ef.create_extension("inhibitAnyPolicy", arg[:value].to_s, critical)
         end
       end
     end

data/lib/r509/cert/extensions/key_usage.rb

@@ -69,7 +69,7 @@ module R509
         #     :value => ['digitalSignature,'keyEncipherment']
         #   )
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
 
@@ -81,8 +81,8 @@ module R509
         # @param [String] friendly_use_name key usage short name (e.g. digitalSignature, cRLSign, etc)
         #   or one of the AU_* constants in this class
         # @return [Boolean]
-        def allows?( friendly_use_name )
-          @allowed_uses.include?( friendly_use_name )
+        def allows?(friendly_use_name)
+          @allowed_uses.include?(friendly_use_name)
         end
 
         def digital_signature?
@@ -140,7 +140,7 @@ module R509
           validate_usage(arg)
           ef = OpenSSL::X509::ExtensionFactory.new
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          return ef.create_extension("keyUsage", arg[:value].join(","),critical)
+          ef.create_extension("keyUsage", arg[:value].join(","), critical)
         end
 
         def parse_extension
@@ -152,7 +152,7 @@ module R509
           # the second byte is not encoded. let's add it back so we can
           # have the full bitmask for comparison
           if data.size == 1
-            data = data + "\0"
+            data += "\0"
           end
           bit_mask = data.unpack('n')[0] # treat it as a 16-bit unsigned big endian
           #      KeyUsage ::= BIT STRING {

data/lib/r509/cert/extensions/name_constraints.rb

@@ -31,7 +31,6 @@ module R509
       # You can use this extension to parse an existing extension for easy access
       # to the contents or create a new one.
       class NameConstraints < OpenSSL::X509::Extension
-
         # friendly name for CP OID
         OID = "nameConstraints"
         Extensions.register_class(self)
@@ -63,7 +62,7 @@ module R509
         # @note When supplying dirName the value is an R509::Subject or the hash used to build an R509::Subject
         #
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
           super(arg)
@@ -85,6 +84,7 @@ module R509
         end
 
         private
+
         def parse_extension
           @permitted = R509::ASN1::GeneralNames.new
           @excluded = R509::ASN1::GeneralNames.new
@@ -96,7 +96,7 @@ module R509
                 gn = R509::ASN1::GeneralName.new(obj)
                 if gs.tag == 0 # permittedSubtrees
                   @permitted.add_item(gn)
-                elsif gs.tag == 1 #excludedSubtrees
+                elsif gs.tag == 1 # excludedSubtrees
                   @excluded.add_item(gn)
                 end
               end
@@ -125,15 +125,15 @@ module R509
           validate_name_constraints(arg)
           nc_data = []
           nc_conf = []
-          [:permitted,:excluded].each do |permit_exclude|
-            if not arg[permit_exclude].nil?
+          [:permitted, :excluded].each do |permit_exclude|
+            unless arg[permit_exclude].nil?
               gns = R509::ASN1::GeneralNames.new
               arg[permit_exclude].each do |p|
                 gns.create_item(p)
               end
               gns.names.each do |name|
                 serialize = name.serialize_name
-                nc_data.push "#{permit_exclude.to_s};#{serialize[:extension_string]}"
+                nc_data.push "#{permit_exclude};#{serialize[:extension_string]}"
                 nc_conf.push serialize[:conf]
               end
             end
@@ -143,32 +143,32 @@ module R509
           ef.config = OpenSSL::Config.parse nc_conf.join("\n")
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], true)
           # must be set critical per RFC 5280
-          return ef.create_extension("nameConstraints",nc_data.join(","),critical)
+          ef.create_extension("nameConstraints", nc_data.join(","), critical)
         end
 
         def validate_name_constraints(nc)
-          if not nc.kind_of?(Hash)
+          unless nc.is_a?(Hash)
             raise ArgumentError, "name_constraints must be provided as a hash"
           end
-          [:permitted,:excluded].each do |key|
-            if not nc[key].nil?
-              validate_name_constraints_elements(key,nc[key])
+          [:permitted, :excluded].each do |key|
+            unless nc[key].nil?
+              validate_name_constraints_elements(key, nc[key])
             end
           end
-          if (nc[:permitted].nil? or nc[:permitted].empty?) and (nc[:excluded].nil? or nc[:excluded].empty?)
+          if (nc[:permitted].nil? || nc[:permitted].empty?) && (nc[:excluded].nil? || nc[:excluded].empty?)
             raise ArgumentError, "If name_constraints are supplied you must have at least one valid :permitted or :excluded element"
           end
         end
 
-        def validate_name_constraints_elements(type,arr)
-          if not arr.kind_of?(Array)
+        def validate_name_constraints_elements(type, arr)
+          unless arr.is_a?(Array)
             raise ArgumentError, "#{type} must be an array"
           end
           arr.each do |el|
-            if not el.kind_of?(Hash) or not el.has_key?(:type) or not el.has_key?(:value)
+            if !el.is_a?(Hash) || !el.key?(:type) || !el.key?(:value)
               raise ArgumentError, "Elements within the #{type} array must be hashes with both type and value"
             end
-            if R509::ASN1::GeneralName.map_type_to_tag(el[:type]) == nil
+            if R509::ASN1::GeneralName.map_type_to_tag(el[:type]).nil?
               raise ArgumentError, "#{el[:type]} is not an allowed type. Check R509::ASN1::GeneralName.map_type_to_tag to see a list of types"
             end
           end

data/lib/r509/cert/extensions/ocsp_no_check.rb

@@ -18,7 +18,6 @@ module R509
       # You can use this extension to parse an existing extension for easy access
       # to the contents or create a new one.
       class OCSPNoCheck < OpenSSL::X509::Extension
-
         # friendly name for OCSP No Check
         OID = "noCheck"
         Extensions.register_class(self)
@@ -28,7 +27,7 @@ module R509
         # @option arg :ocsp_no_check [Any] Pass any value. It's irrelevant.
         # @option arg :critical [Boolean] (false)
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
           super(arg)
@@ -45,10 +44,11 @@ module R509
         end
 
         private
+
         def build_extension(arg)
           ef = OpenSSL::X509::ExtensionFactory.new
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          return ef.create_extension("noCheck","yes",critical)
+          ef.create_extension("noCheck", "yes", critical)
         end
       end
     end

data/lib/r509/cert/extensions/policy_constraints.rb

@@ -49,7 +49,7 @@ module R509
         # @option arg :inhibit_policy_mapping [Integer]
         # @option arg :critical [Boolean] (true)
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
 
@@ -99,20 +99,20 @@ module R509
           ef = OpenSSL::X509::ExtensionFactory.new
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], true)
           # must be set critical per RFC 5280
-          return ef.create_extension("policyConstraints",constraints.join(","),critical)
+          ef.create_extension("policyConstraints", constraints.join(","), critical)
         end
 
         def validate_policy_constraints(pc)
-          if not pc.kind_of?(Hash)
+          unless pc.is_a?(Hash)
             raise ArgumentError, 'Policy constraints must be provided as a hash with at least one of the two allowed keys: :inhibit_policy_mapping and :require_explicit_policy'
           end
-          if not pc[:inhibit_policy_mapping].nil?
-            ipm = validate_non_negative_integer("inhibit_policy_mapping",pc[:inhibit_policy_mapping])
+          unless pc[:inhibit_policy_mapping].nil?
+            ipm = validate_non_negative_integer("inhibit_policy_mapping", pc[:inhibit_policy_mapping])
           end
-          if not pc[:require_explicit_policy].nil?
-            rep = validate_non_negative_integer("require_explicit_policy",pc[:require_explicit_policy])
+          unless pc[:require_explicit_policy].nil?
+            rep = validate_non_negative_integer("require_explicit_policy", pc[:require_explicit_policy])
           end
-          if not ipm and not rep
+          if !ipm && !rep
             raise ArgumentError, 'Policy constraints must have at least one of two keys: :inhibit_policy_mapping and :require_explicit_policy and the value must be non-negative'
           end
         end

data/lib/r509/cert/extensions/subject_alternative_name.rb

@@ -41,7 +41,7 @@ module R509
         #   You can also pass a pre-existing GeneralNames object
         # @option arg :critical [Boolean] (false)
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
           super(arg)
@@ -50,7 +50,7 @@ module R509
 
         # @return [Hash]
         def to_h
-          {:critical => self.critical?, :value => @general_names.to_h }
+          { :critical => self.critical?, :value => @general_names.to_h }
         end
 
         # @return [YAML]
@@ -59,6 +59,7 @@ module R509
         end
 
         private
+
         def parse_extension
           data = R509::ASN1.get_extension_payload(self)
           @general_names = R509::ASN1::GeneralNames.new
@@ -73,11 +74,11 @@ module R509
           ef = OpenSSL::X509::ExtensionFactory.new
           ef.config = OpenSSL::Config.parse(serialize[:conf])
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          return ef.create_extension("subjectAltName", serialize[:extension_string],critical)
+          ef.create_extension("subjectAltName", serialize[:extension_string], critical)
         end
 
         def validate_subject_alternative_name(san)
-          if not san.kind_of?(Hash) or not (san[:value].kind_of?(R509::ASN1::GeneralNames) or san[:value].kind_of?(Array))
+          if !san.is_a?(Hash) || !(san[:value].is_a?(R509::ASN1::GeneralNames) || san[:value].is_a?(Array))
             raise ArgumentError, "You must supply a hash with a :value"
           end
           validate_general_name_hash_array(san[:value])

data/lib/r509/cert/extensions/subject_key_identifier.rb

@@ -11,7 +11,6 @@ module R509
       # You can use this extension to parse an existing extension for easy access
       # to the contents or create a new one.
       class SubjectKeyIdentifier < OpenSSL::X509::Extension
-
         # friendly name for Subject Key Identifier OID
         OID = "subjectKeyIdentifier"
         # default extension behavior when generating
@@ -22,7 +21,7 @@ module R509
         # @option arg :public_key [OpenSSL::PKey] (Cert/CSR/PrivateKey return this type from #public_key)
         # @option arg :critical [Boolean] (false)
         def initialize(arg)
-          if not R509::Cert::Extensions.is_extension?(arg)
+          unless R509::Cert::Extensions.is_extension?(arg)
             arg = build_extension(arg)
           end
           super(arg)
@@ -30,10 +29,11 @@ module R509
 
         # @return value of key
         def key
-          return self.value
+          self.value
         end
 
         private
+
         def build_extension(arg)
           validate_subject_key_identifier(arg)
           ef = OpenSSL::X509::ExtensionFactory.new
@@ -41,11 +41,11 @@ module R509
           cert.public_key = arg[:public_key]
           ef.subject_certificate = cert
           critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
-          arg = ef.create_extension("subjectKeyIdentifier", SKI_EXTENSION_DEFAULT, critical)
+          ef.create_extension("subjectKeyIdentifier", SKI_EXTENSION_DEFAULT, critical)
         end
 
         def validate_subject_key_identifier(ski)
-          if not ski.kind_of?(Hash) or ski[:public_key].nil?
+          if !ski.is_a?(Hash) || ski[:public_key].nil?
             raise ArgumentError, "You must supply a hash with a :public_key"
           end
           ski

data/lib/r509/cert/extensions/validation_mixin.rb

@@ -5,24 +5,25 @@ module R509
       # Validation methods shared by multiple extensions
       module ValidationMixin
         private
+
         # used by iap and pc validation methods
-        def validate_non_negative_integer(source,value)
-            if not value.kind_of?(Integer) or value < 0
-              raise ArgumentError, "#{source} must be a non-negative integer"
-            end
-            value
+        def validate_non_negative_integer(source, value)
+          if !value.is_a?(Integer) || value < 0
+            raise ArgumentError, "#{source} must be a non-negative integer"
+          end
+          value
         end
 
         # validates key usage array
         def validate_usage(ku)
-          if ku.nil? or not ku.kind_of?(Hash) or not ku[:value].kind_of?(Array)
+          if ku.nil? || !ku.is_a?(Hash) || !ku[:value].is_a?(Array)
             raise ArgumentError, 'You must pass a hash with a key :value that contains an array of strings (see README)'
           end
           ku
         end
 
-        def validate_location(type,location)
-          if not location.nil? and not (location.kind_of?(Array) or location.kind_of?(R509::ASN1::GeneralNames))
+        def validate_location(type, location)
+          if location && !(location.is_a?(Array) || location.is_a?(R509::ASN1::GeneralNames))
             raise ArgumentError, "#{type} must contain an array or R509::ASN1::GeneralNames object if provided"
           end
           validate_general_name_hash_array(location) unless location.nil?
@@ -31,10 +32,10 @@ module R509
 
         def validate_general_name_hash_array(arr)
           arr.each do |l|
-            if not l.kind_of?(Hash) or l[:type].nil? or l[:value].nil?
+            if !l.is_a?(Hash) || l[:type].nil? || l[:value].nil?
               raise ArgumentError, "All elements of the array must be hashes with a :type and :value"
             end
-          end unless arr.kind_of?(R509::ASN1::GeneralNames)
+          end unless arr.is_a?(R509::ASN1::GeneralNames)
         end
       end
     end

data/lib/r509/certificate_authority/options_builder.rb

@@ -2,7 +2,7 @@ module R509::CertificateAuthority
   # A class to build hashes to send to the R509::CertificateAuthority::Signer. These are built from R509::Config::CertProfile objects and additional data supplied to the #build_and_enforce method.
   class OptionsBuilder
     def initialize(config)
-      if not config.kind_of?(R509::Config::CAConfig)
+      unless config.is_a?(R509::Config::CAConfig)
         raise ArgumentError, "You must supply a R509::Config::CAConfig object to this class at instantiation"
       end
       @config = config
@@ -22,15 +22,15 @@ module R509::CertificateAuthority
 
       R509::CertificateAuthority::Signer.check_options(options)
 
-      if (options.has_key?(:csr) and not options[:csr].verify_signature) or
-         (options.has_key?(:spki) and not options[:spki].verify_signature)
+      if (options.key?(:csr) && !options[:csr].verify_signature) ||
+         (options.key?(:spki) && !options[:spki].verify_signature)
         raise R509::R509Error, "Request signature is invalid."
       end
 
       raw_subject, public_key = R509::CertificateAuthority::Signer.extract_public_key_subject(options)
 
-      message_digest = enforce_md(options[:message_digest],profile)
-      subject = enforce_subject_item_policy(raw_subject,profile)
+      message_digest = enforce_md(options[:message_digest], profile)
+      subject = enforce_subject_item_policy(raw_subject, profile)
       enforce_not_after(options[:not_after])
 
       extensions = build_and_merge_extensions(options, profile, public_key)
@@ -44,7 +44,7 @@ module R509::CertificateAuthority
       return_hash = {
         :subject => subject,
         :extensions => extensions,
-        :message_digest => message_digest,
+        :message_digest => message_digest
       }
       return_hash[:csr] = options[:csr] unless options[:csr].nil?
       return_hash[:spki] = options[:spki] unless options[:spki].nil?
@@ -54,18 +54,18 @@ module R509::CertificateAuthority
     end
 
     def enforce_not_after(not_after)
-      if not not_after.nil? and @config.ca_cert.not_after < not_after
+      if not_after && @config.ca_cert.not_after < not_after
         raise R509::R509Error, 'The requested certificate lifetime would exceed the issuing CA.'
       end
     end
 
-    def enforce_md(requested_md,profile)
+    def enforce_md(requested_md, profile)
       # prior to OpenSSL 1.0 DSA could only use DSS1 (aka SHA1) signatures. post-1.0 anything
       # goes but at the moment we don't enforce this restriction so an OpenSSL error could
       # bubble up if they do it wrong.
       #
       # First let's check to see if the config restricts the allowed mds
-      if not profile.allowed_mds.nil? and not requested_md.nil?
+      if profile.allowed_mds && requested_md
         if profile.allowed_mds.include?(requested_md.upcase)
           message_digest = R509::MessageDigest.new(requested_md)
         else
@@ -73,14 +73,14 @@ module R509::CertificateAuthority
         end
       else
         # it doesn't, so either use their md (if valid) or the default one
-      message_digest = (not requested_md.nil?)? R509::MessageDigest.new(requested_md) : R509::MessageDigest.new(profile.default_md)
+        message_digest = (requested_md) ? R509::MessageDigest.new(requested_md) : R509::MessageDigest.new(profile.default_md)
       end
       message_digest.name
     end
 
     # @return [R509::Subject]
-    def enforce_subject_item_policy(subject,profile)
-      if profile.subject_item_policy.nil? then
+    def enforce_subject_item_policy(subject, profile)
+      if profile.subject_item_policy.nil?
         subject
       else
         profile.subject_item_policy.validate_subject(subject)
@@ -88,16 +88,15 @@ module R509::CertificateAuthority
     end
 
     def build_and_merge_extensions(options, profile, public_key)
-      extensions = build_extensions(options,profile,public_key)
+      extensions = build_extensions(profile, public_key)
 
-      if not options[:extensions].nil?
-        extensions = merge_extensions(options,extensions)
+      unless options[:extensions].nil?
+        extensions = merge_extensions(options, extensions)
       end
       extensions
     end
 
-
-    def merge_extensions(options,extensions)
+    def merge_extensions(options, extensions)
       ext_hash = {}
       extensions.each do |e|
         ext_hash[e.class] = e
@@ -106,13 +105,13 @@ module R509::CertificateAuthority
         ext_hash[e.class] = e
       end
       merged_ext = []
-      ext_hash.each do |k,v|
+      ext_hash.each do |_k, v|
         merged_ext.push(v)
       end
-      return merged_ext
+      merged_ext
     end
 
-    def build_extensions(options,profile,public_key)
+    def build_extensions(profile, public_key)
       extensions = []
 
       extensions << profile.basic_constraints unless profile.basic_constraints.nil?
@@ -137,6 +136,5 @@ module R509::CertificateAuthority
       extensions << profile.ocsp_no_check
       extensions.compact
     end
-
   end
 end