r509 0.10.0 → 1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.mdown +2 -2
- data/Rakefile +2 -3
- data/bin/r509 +77 -80
- data/bin/r509-parse +4 -4
- data/doc/R509.html +60 -60
- data/doc/R509/ASN1.html +158 -48
- data/doc/R509/ASN1/GeneralName.html +157 -154
- data/doc/R509/ASN1/GeneralNames.html +246 -237
- data/doc/R509/CRL.html +41 -39
- data/doc/R509/CRL/Administrator.html +105 -100
- data/doc/R509/CRL/FileReaderWriter.html +146 -98
- data/doc/R509/CRL/ReaderWriter.html +57 -54
- data/doc/R509/CRL/SQLiteReaderWriter.html +727 -0
- data/doc/R509/CRL/SignedList.html +83 -80
- data/doc/R509/CSR.html +184 -162
- data/doc/R509/Cert.html +271 -269
- data/doc/R509/Cert/Extensions.html +62 -63
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +138 -108
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +100 -84
- data/doc/R509/Cert/Extensions/BasicConstraints.html +89 -88
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +87 -83
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +78 -76
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +128 -125
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +83 -78
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +69 -67
- data/doc/R509/Cert/Extensions/KeyUsage.html +138 -135
- data/doc/R509/Cert/Extensions/NameConstraints.html +82 -81
- data/doc/R509/Cert/Extensions/NoticeReference.html +59 -56
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +70 -69
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +71 -69
- data/doc/R509/Cert/Extensions/PolicyInformation.html +63 -60
- data/doc/R509/Cert/Extensions/PolicyQualifiers.html +60 -57
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +91 -87
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +72 -71
- data/doc/R509/Cert/Extensions/UserNotice.html +60 -57
- data/doc/R509/Cert/Extensions/ValidationMixin.html +43 -40
- data/doc/R509/CertificateAuthority.html +39 -37
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +58 -55
- data/doc/R509/CertificateAuthority/Signer.html +277 -60
- data/doc/R509/Config.html +40 -38
- data/doc/R509/Config/CAConfig.html +255 -188
- data/doc/R509/Config/CAConfigPool.html +64 -61
- data/doc/R509/Config/CertProfile.html +119 -116
- data/doc/R509/Config/SubjectItemPolicy.html +94 -93
- data/doc/R509/Engine.html +60 -56
- data/doc/R509/Helpers.html +99 -96
- data/doc/R509/MessageDigest.html +69 -68
- data/doc/R509/NameSanitizer.html +51 -48
- data/doc/R509/OCSP.html +39 -37
- data/doc/R509/OCSP/Request.html +39 -37
- data/doc/R509/OCSP/Request/Nonce.html +67 -67
- data/doc/R509/OCSP/Response.html +93 -90
- data/doc/R509/OIDMapper.html +48 -46
- data/doc/R509/PrivateKey.html +170 -169
- data/doc/R509/R509Error.html +45 -42
- data/doc/R509/SPKI.html +99 -89
- data/doc/R509/Subject.html +86 -83
- data/doc/R509/Validity.html +57 -57
- data/doc/R509/Validity/Checker.html +63 -93
- data/doc/R509/Validity/DefaultChecker.html +58 -55
- data/doc/R509/Validity/DefaultWriter.html +62 -59
- data/doc/R509/Validity/Status.html +77 -74
- data/doc/R509/Validity/Writer.html +75 -123
- data/doc/_index.html +37 -31
- data/doc/class_list.html +25 -27
- data/doc/css/full_list.css +32 -31
- data/doc/css/style.css +221 -78
- data/doc/file.CONTRIBUTING.html +29 -30
- data/doc/file.LICENSE.html +29 -30
- data/doc/file.README.html +31 -32
- data/doc/file.YAML.html +33 -34
- data/doc/file.r509.html +39 -48
- data/doc/file_list.html +39 -30
- data/doc/frames.html +10 -21
- data/doc/index.html +31 -32
- data/doc/js/app.js +100 -71
- data/doc/js/full_list.js +168 -130
- data/doc/method_list.html +1788 -1119
- data/doc/top-level-namespace.html +45 -49
- data/lib/r509.rb +21 -7
- data/lib/r509/asn1.rb +45 -32
- data/lib/r509/cert.rb +45 -51
- data/lib/r509/cert/extensions/authority_info_access.rb +49 -23
- data/lib/r509/cert/extensions/authority_key_identifier.rb +16 -11
- data/lib/r509/cert/extensions/base.rb +22 -23
- data/lib/r509/cert/extensions/basic_constraints.rb +11 -12
- data/lib/r509/cert/extensions/certificate_policies.rb +26 -26
- data/lib/r509/cert/extensions/crl_distribution_points.rb +5 -7
- data/lib/r509/cert/extensions/extended_key_usage.rb +5 -5
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +4 -3
- data/lib/r509/cert/extensions/key_usage.rb +5 -5
- data/lib/r509/cert/extensions/name_constraints.rb +16 -16
- data/lib/r509/cert/extensions/ocsp_no_check.rb +3 -3
- data/lib/r509/cert/extensions/policy_constraints.rb +8 -8
- data/lib/r509/cert/extensions/subject_alternative_name.rb +5 -4
- data/lib/r509/cert/extensions/subject_key_identifier.rb +5 -5
- data/lib/r509/cert/extensions/validation_mixin.rb +11 -10
- data/lib/r509/certificate_authority/options_builder.rb +19 -21
- data/lib/r509/certificate_authority/signer.rb +26 -27
- data/lib/r509/config.rb +1 -0
- data/lib/r509/config/ca_config.rb +70 -75
- data/lib/r509/config/cert_profile.rb +9 -8
- data/lib/r509/config/subject_item_policy.rb +25 -28
- data/lib/r509/crl/administrator.rb +19 -20
- data/lib/r509/crl/reader_writer.rb +10 -8
- data/lib/r509/crl/signed_list.rb +4 -4
- data/lib/r509/crl/sqlite_reader_writer.rb +75 -0
- data/lib/r509/csr.rb +54 -60
- data/lib/r509/ec-hack.rb +3 -2
- data/lib/r509/engine.rb +5 -6
- data/lib/r509/exceptions.rb +1 -1
- data/lib/r509/helpers.rb +11 -14
- data/lib/r509/io_helpers.rb +7 -7
- data/lib/r509/message_digest.rb +5 -6
- data/lib/r509/ocsp.rb +11 -13
- data/lib/r509/oid_mapper.rb +2 -2
- data/lib/r509/private_key.rb +28 -32
- data/lib/r509/spki.rb +17 -20
- data/lib/r509/subject.rb +26 -27
- data/lib/r509/trollop.rb +1 -0
- data/lib/r509/validity.rb +30 -21
- data/lib/r509/version.rb +4 -2
- data/r509.yaml +9 -17
- data/spec/asn1_spec.rb +145 -146
- data/spec/cert/extensions/authority_info_access_spec.rb +41 -41
- data/spec/cert/extensions/authority_key_identifier_spec.rb +29 -23
- data/spec/cert/extensions/base_spec.rb +38 -34
- data/spec/cert/extensions/basic_constraints_spec.rb +21 -21
- data/spec/cert/extensions/certificate_policies_spec.rb +99 -87
- data/spec/cert/extensions/crl_distribution_points_spec.rb +24 -25
- data/spec/cert/extensions/extended_key_usage_spec.rb +40 -36
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +12 -12
- data/spec/cert/extensions/key_usage_spec.rb +44 -39
- data/spec/cert/extensions/name_constraints_spec.rb +83 -83
- data/spec/cert/extensions/ocsp_no_check_spec.rb +10 -10
- data/spec/cert/extensions/policy_constraints_spec.rb +19 -19
- data/spec/cert/extensions/subject_alternative_name_spec.rb +46 -47
- data/spec/cert/extensions/subject_key_identifier_spec.rb +10 -10
- data/spec/cert_spec.rb +105 -101
- data/spec/certificate_authority/options_builder_spec.rb +90 -90
- data/spec/certificate_authority/signer_spec.rb +41 -41
- data/spec/config/ca_config_spec.rb +169 -119
- data/spec/config/cert_profile_spec.rb +33 -33
- data/spec/config/subject_item_policy_spec.rb +22 -22
- data/spec/crl/administrator_spec.rb +65 -65
- data/spec/crl/reader_writer_spec.rb +20 -19
- data/spec/crl/signed_list_spec.rb +26 -26
- data/spec/crl/sqlite_reader_writer_spec.rb +42 -0
- data/spec/csr_spec.rb +149 -145
- data/spec/engine_spec.rb +14 -14
- data/spec/fixtures.rb +56 -39
- data/spec/fixtures/crl_list.sql +13 -0
- data/spec/fixtures/csr1.der +0 -0
- data/spec/fixtures/csr1.pem +6 -6
- data/spec/message_digest_spec.rb +43 -43
- data/spec/ocsp_spec.rb +25 -25
- data/spec/oid_mapper_spec.rb +18 -19
- data/spec/private_key_spec.rb +79 -81
- data/spec/r509_spec.rb +16 -16
- data/spec/spec_helper.rb +3 -3
- data/spec/spki_spec.rb +94 -94
- data/spec/subject_spec.rb +107 -107
- data/spec/validity_spec.rb +25 -25
- metadata +113 -111
- metadata.gz.sig +0 -0
data/lib/r509/spki.rb
CHANGED
|
@@ -12,20 +12,20 @@ module R509
|
|
|
12
12
|
attr_reader :spki, :key
|
|
13
13
|
# @option opts [String,OpenSSL::Netscape::SPKI] :spki the spki you want to parse
|
|
14
14
|
# @option opts [R509::PrivateKey,String] :key optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support). if supplied you do not need to pass an spki.
|
|
15
|
-
# @option opts [String] :message_digest Optional digest. sha1, sha224, sha256, sha384, sha512, md5. Defaults to
|
|
16
|
-
def initialize(opts={})
|
|
17
|
-
if
|
|
15
|
+
# @option opts [String] :message_digest Optional digest. sha1, sha224, sha256, sha384, sha512, md5. Defaults to sha256. Only used if you supply a :key and no :spki
|
|
16
|
+
def initialize(opts = {})
|
|
17
|
+
if !opts.is_a?(Hash)
|
|
18
18
|
raise ArgumentError, 'Must provide a hash of options'
|
|
19
|
-
elsif
|
|
19
|
+
elsif !opts.key?(:spki) && !opts.key?(:key)
|
|
20
20
|
raise ArgumentError, 'Must provide either :spki or :key'
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
@key = load_private_key(opts)
|
|
24
24
|
|
|
25
|
-
if opts.
|
|
25
|
+
if opts.key?(:spki)
|
|
26
26
|
@spki = parse_spki(opts[:spki])
|
|
27
27
|
else
|
|
28
|
-
|
|
28
|
+
# create the SPKI from the private key if it wasn't passed in
|
|
29
29
|
@spki = build_spki(opts[:message_digest])
|
|
30
30
|
end
|
|
31
31
|
end
|
|
@@ -41,14 +41,14 @@ module R509
|
|
|
41
41
|
@spki.verify(public_key)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
|
|
44
|
+
alias_method :to_s, :to_pem
|
|
45
45
|
|
|
46
46
|
# Returns the signature algorithm (e.g., RSA-SHA1, ecdsa-with-SHA256)
|
|
47
47
|
#
|
|
48
48
|
# @return [String] signature algorithm string
|
|
49
49
|
def signature_algorithm
|
|
50
50
|
data = OpenSSL::ASN1.decode(self.to_der)
|
|
51
|
-
|
|
51
|
+
data.entries[1].value.entries[0].value
|
|
52
52
|
end
|
|
53
53
|
|
|
54
54
|
private
|
|
@@ -59,7 +59,7 @@ module R509
|
|
|
59
59
|
def parse_spki(spki)
|
|
60
60
|
# first let's try cleaning up the input a bit so OpenSSL is happy with it
|
|
61
61
|
# OpenSSL hates SPKAC=
|
|
62
|
-
spki.sub!("SPKAC=","")
|
|
62
|
+
spki.sub!("SPKAC=", "")
|
|
63
63
|
# it really hates newlines (Firefox loves 'em)
|
|
64
64
|
# so let's normalize line endings
|
|
65
65
|
spki.gsub!(/\r\n?/, "\n")
|
|
@@ -68,10 +68,10 @@ module R509
|
|
|
68
68
|
# ...and leading/trailing whitespace
|
|
69
69
|
spki.strip!
|
|
70
70
|
spki = OpenSSL::Netscape::SPKI.new(spki)
|
|
71
|
-
if
|
|
71
|
+
if @key && !spki.verify(@key.public_key)
|
|
72
72
|
raise R509Error, 'Key does not match SPKI.'
|
|
73
73
|
end
|
|
74
|
-
|
|
74
|
+
spki
|
|
75
75
|
end
|
|
76
76
|
|
|
77
77
|
# Tries to build an SPKI using an existing private key
|
|
@@ -81,21 +81,18 @@ module R509
|
|
|
81
81
|
spki = OpenSSL::Netscape::SPKI.new
|
|
82
82
|
spki.public_key = @key.public_key
|
|
83
83
|
if @key.dsa?
|
|
84
|
-
#only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
|
|
85
|
-
#post-1.0 you can sign with anything, but let's be conservative
|
|
86
|
-
#see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
|
|
84
|
+
# only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
|
|
85
|
+
# post-1.0 you can sign with anything, but let's be conservative
|
|
86
|
+
# see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
|
|
87
87
|
message_digest = R509::MessageDigest.new('dss1')
|
|
88
88
|
else
|
|
89
89
|
message_digest = R509::MessageDigest.new(md)
|
|
90
90
|
end
|
|
91
|
-
spki.sign(@key.key,message_digest.digest)
|
|
92
|
-
|
|
91
|
+
spki.sign(@key.key, message_digest.digest)
|
|
92
|
+
spki
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
# Returns the proper instance variable
|
|
96
|
-
|
|
97
|
-
@spki
|
|
98
|
-
end
|
|
99
|
-
|
|
96
|
+
alias_method :internal_obj, :spki
|
|
100
97
|
end
|
|
101
98
|
end
|
data/lib/r509/subject.rb
CHANGED
|
@@ -21,19 +21,19 @@ module R509
|
|
|
21
21
|
# subject.custom_oid="test"
|
|
22
22
|
class Subject
|
|
23
23
|
# @param [Array, OpenSSL::X509::Name, R509::Subject, DER, Hash, nil] arg
|
|
24
|
-
def initialize(arg=nil)
|
|
25
|
-
if arg.
|
|
24
|
+
def initialize(arg = nil)
|
|
25
|
+
if arg.is_a?(Array)
|
|
26
26
|
@array = arg
|
|
27
|
-
elsif arg.
|
|
28
|
-
@array = arg.map { |k,v| [k.to_s.upcase,v] }
|
|
29
|
-
elsif arg.
|
|
27
|
+
elsif arg.is_a?(Hash)
|
|
28
|
+
@array = arg.map { |k, v| [k.to_s.upcase, v] }
|
|
29
|
+
elsif arg.is_a?(OpenSSL::X509::Name)
|
|
30
30
|
sanitizer = R509::NameSanitizer.new
|
|
31
31
|
@array = sanitizer.sanitize(arg)
|
|
32
|
-
elsif arg.
|
|
32
|
+
elsif arg.is_a?(R509::Subject)
|
|
33
33
|
@array = arg.to_a
|
|
34
34
|
else
|
|
35
35
|
@array = []
|
|
36
|
-
|
|
36
|
+
unless (begin OpenSSL::ASN1.decode(arg) rescue nil end).nil?
|
|
37
37
|
parse_asn1(arg)
|
|
38
38
|
end
|
|
39
39
|
end
|
|
@@ -59,22 +59,22 @@ module R509
|
|
|
59
59
|
return item[1]
|
|
60
60
|
end
|
|
61
61
|
end
|
|
62
|
-
|
|
62
|
+
nil
|
|
63
63
|
end
|
|
64
64
|
|
|
65
65
|
# set key and value
|
|
66
66
|
def []=(key, value)
|
|
67
67
|
added = false
|
|
68
|
-
@array = @array.map
|
|
68
|
+
@array = @array.map do |item|
|
|
69
69
|
if key == item[0]
|
|
70
70
|
added = true
|
|
71
71
|
[key, value]
|
|
72
72
|
else
|
|
73
73
|
item
|
|
74
74
|
end
|
|
75
|
-
|
|
75
|
+
end
|
|
76
76
|
|
|
77
|
-
|
|
77
|
+
unless added
|
|
78
78
|
@array << [key, value]
|
|
79
79
|
end
|
|
80
80
|
|
|
@@ -118,8 +118,8 @@ module R509
|
|
|
118
118
|
# @private
|
|
119
119
|
def respond_to?(method_sym, include_private = false)
|
|
120
120
|
method_sym.to_s =~ /([^=]*)/
|
|
121
|
-
oid = oid_check(
|
|
122
|
-
if
|
|
121
|
+
oid = oid_check(Regexp.last_match[1])
|
|
122
|
+
if oid
|
|
123
123
|
true
|
|
124
124
|
else
|
|
125
125
|
super(method_sym, include_private)
|
|
@@ -139,17 +139,17 @@ module R509
|
|
|
139
139
|
#
|
|
140
140
|
def method_missing(method_sym, *args, &block)
|
|
141
141
|
if method_sym.to_s =~ /(.*)=$/
|
|
142
|
-
sn = oid_check(
|
|
143
|
-
if
|
|
144
|
-
define_dynamic_setter(method_sym,sn)
|
|
142
|
+
sn = oid_check(Regexp.last_match[1])
|
|
143
|
+
if sn
|
|
144
|
+
define_dynamic_setter(method_sym, sn)
|
|
145
145
|
send(method_sym, args.first)
|
|
146
146
|
else
|
|
147
147
|
return super(method_sym, *args, &block)
|
|
148
148
|
end
|
|
149
149
|
else
|
|
150
150
|
sn = oid_check(method_sym)
|
|
151
|
-
if
|
|
152
|
-
define_dynamic_getter(method_sym,sn)
|
|
151
|
+
if sn
|
|
152
|
+
define_dynamic_getter(method_sym, sn)
|
|
153
153
|
send(method_sym)
|
|
154
154
|
else
|
|
155
155
|
return super(method_sym, *args, &block)
|
|
@@ -157,29 +157,29 @@ module R509
|
|
|
157
157
|
end
|
|
158
158
|
end
|
|
159
159
|
|
|
160
|
-
def define_dynamic_setter(name,sn)
|
|
160
|
+
def define_dynamic_setter(name, sn)
|
|
161
161
|
instance_eval <<-RUBY
|
|
162
|
-
def #{name
|
|
162
|
+
def #{name}(value)
|
|
163
163
|
self["#{sn}"]= value
|
|
164
164
|
end
|
|
165
165
|
RUBY
|
|
166
166
|
end
|
|
167
167
|
|
|
168
|
-
def define_dynamic_getter(name,sn)
|
|
168
|
+
def define_dynamic_getter(name, sn)
|
|
169
169
|
instance_eval <<-RUBY
|
|
170
|
-
def #{name
|
|
170
|
+
def #{name}
|
|
171
171
|
self["#{sn}"]
|
|
172
172
|
end
|
|
173
173
|
RUBY
|
|
174
174
|
end
|
|
175
175
|
|
|
176
176
|
def oid_check(name)
|
|
177
|
-
|
|
178
|
-
|
|
177
|
+
oid = OpenSSL::ASN1::ObjectId.new(camelize(name))
|
|
178
|
+
oid.short_name
|
|
179
179
|
end
|
|
180
180
|
|
|
181
181
|
def camelize(sym)
|
|
182
|
-
sym.to_s.split('_').
|
|
182
|
+
sym.to_s.split('_').reduce([]) { |a, e| a.push(a.empty? ? e : e.capitalize) }.join
|
|
183
183
|
end
|
|
184
184
|
|
|
185
185
|
def parse_asn1(asn)
|
|
@@ -213,7 +213,7 @@ module R509
|
|
|
213
213
|
if oids.size == 1
|
|
214
214
|
oid = oids.first
|
|
215
215
|
else
|
|
216
|
-
oid = oids.select{ |match|
|
|
216
|
+
oid = oids.select { |match| !used_oids.include?(match) }.first
|
|
217
217
|
end
|
|
218
218
|
# replace the "UNDEF" OID name in the array at the index the UNDEF was found
|
|
219
219
|
array[component[:index]][0] = oid
|
|
@@ -244,5 +244,4 @@ module R509
|
|
|
244
244
|
components
|
|
245
245
|
end
|
|
246
246
|
end
|
|
247
|
-
|
|
248
247
|
end
|
data/lib/r509/trollop.rb
CHANGED
data/lib/r509/validity.rb
CHANGED
|
@@ -1,29 +1,31 @@
|
|
|
1
1
|
require 'openssl'
|
|
2
2
|
|
|
3
|
-
#Module for holding classes for writing and reading certificate validity
|
|
3
|
+
# Module for holding classes for writing and reading certificate validity
|
|
4
|
+
# information (used for serving OCSP responses)
|
|
4
5
|
module R509::Validity
|
|
5
|
-
#mapping from OpenSSL
|
|
6
|
+
# mapping from OpenSSL
|
|
6
7
|
VALID = OpenSSL::OCSP::V_CERTSTATUS_GOOD
|
|
7
|
-
#mapping from OpenSSL
|
|
8
|
+
# mapping from OpenSSL
|
|
8
9
|
REVOKED = OpenSSL::OCSP::V_CERTSTATUS_REVOKED
|
|
9
|
-
#mapping from OpenSSL
|
|
10
|
+
# mapping from OpenSSL
|
|
10
11
|
UNKNOWN = OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
|
|
11
12
|
|
|
12
|
-
#data about the status of a certificate
|
|
13
|
+
# data about the status of a certificate
|
|
13
14
|
class Status
|
|
14
15
|
attr_reader :status, :revocation_time, :revocation_reason
|
|
15
16
|
|
|
16
|
-
def initialize(options={})
|
|
17
|
+
def initialize(options = {})
|
|
17
18
|
@status = options[:status]
|
|
18
19
|
@revocation_time = options[:revocation_time] || nil
|
|
19
20
|
@revocation_reason = options[:revocation_reason] || 0
|
|
20
21
|
|
|
21
|
-
if
|
|
22
|
+
if @status == R509::Validity::REVOKED && @revocation_time.nil?
|
|
22
23
|
@revocation_time = Time.now.to_i
|
|
23
24
|
end
|
|
24
25
|
end
|
|
25
26
|
|
|
26
|
-
# @return [OpenSSL::OCSP::STATUS] OpenSSL status constants when passing
|
|
27
|
+
# @return [OpenSSL::OCSP::STATUS] OpenSSL status constants when passing
|
|
28
|
+
# R509 constants
|
|
27
29
|
def ocsp_status
|
|
28
30
|
case @status
|
|
29
31
|
when R509::Validity::VALID
|
|
@@ -38,37 +40,44 @@ module R509::Validity
|
|
|
38
40
|
end
|
|
39
41
|
end
|
|
40
42
|
|
|
41
|
-
#abstract base class for a Writer
|
|
43
|
+
# abstract base class for a Writer
|
|
42
44
|
class Writer
|
|
43
45
|
def issue(issuer, serial)
|
|
44
|
-
|
|
46
|
+
fail NotImplementedError,
|
|
47
|
+
"You must call #issue on a subclass of Writer"
|
|
45
48
|
end
|
|
46
49
|
|
|
47
50
|
def revoke(issuer, serial, reason)
|
|
48
|
-
|
|
51
|
+
fail NotImplementedError,
|
|
52
|
+
"You must call #revoke on a subclass of Writer"
|
|
49
53
|
end
|
|
50
54
|
|
|
51
|
-
# is_available? is meant to be implemented to check if the backend store
|
|
52
|
-
#
|
|
55
|
+
# is_available? is meant to be implemented to check if the backend store
|
|
56
|
+
# you choose to implement is currently working. see r509-ocsp-responder
|
|
57
|
+
# and r509-validity-redis for an example of use
|
|
53
58
|
def is_available?
|
|
54
|
-
|
|
59
|
+
fail NotImplementedError,
|
|
60
|
+
"You must call #is_available? on a subclass of Writer"
|
|
55
61
|
end
|
|
56
62
|
end
|
|
57
63
|
|
|
58
|
-
#abstract base class for a Checker
|
|
64
|
+
# abstract base class for a Checker
|
|
59
65
|
class Checker
|
|
60
66
|
def check(issuer, serial)
|
|
61
|
-
|
|
67
|
+
fail NotImplementedError, "You must call #check on a subclass of Checker"
|
|
62
68
|
end
|
|
63
69
|
|
|
64
|
-
# is_available? is meant to be implemented to check if the backend store
|
|
65
|
-
#
|
|
70
|
+
# is_available? is meant to be implemented to check if the backend store
|
|
71
|
+
# you choose to implement is currently working. see r509-ocsp-responder
|
|
72
|
+
# and r509-validity-redis for an example of use
|
|
66
73
|
def is_available?
|
|
67
|
-
|
|
74
|
+
fail NotImplementedError,
|
|
75
|
+
"You must call #is_available? on a subclass of Checker"
|
|
68
76
|
end
|
|
69
77
|
end
|
|
70
78
|
|
|
71
|
-
#default implementaton of the Checker class. Used for tests.
|
|
79
|
+
# default implementaton of the Checker class. Used for tests.
|
|
80
|
+
# DO NOT USE OTHERWISE
|
|
72
81
|
class DefaultChecker < R509::Validity::Checker
|
|
73
82
|
def check(issuer, serial)
|
|
74
83
|
R509::Validity::Status.new(:status => R509::Validity::VALID)
|
|
@@ -79,7 +88,7 @@ module R509::Validity
|
|
|
79
88
|
end
|
|
80
89
|
end
|
|
81
90
|
|
|
82
|
-
#default implementaton of the Writer class. Does nothing (obviously)
|
|
91
|
+
# default implementaton of the Writer class. Does nothing (obviously)
|
|
83
92
|
class DefaultWriter < R509::Validity::Writer
|
|
84
93
|
def issue(issuer, serial)
|
|
85
94
|
end
|
data/lib/r509/version.rb
CHANGED
data/r509.yaml
CHANGED
|
@@ -23,7 +23,7 @@ certificate_authorities:
|
|
|
23
23
|
crl_list_file: spec/fixtures/test_ca_crl_list.txt
|
|
24
24
|
crl_number_file: spec/fixtures/test_ca_crl_number.txt
|
|
25
25
|
crl_validity_hours: 168
|
|
26
|
-
crl_md:
|
|
26
|
+
crl_md: SHA256
|
|
27
27
|
profiles:
|
|
28
28
|
server:
|
|
29
29
|
basic_constraints:
|
|
@@ -64,11 +64,10 @@ certificate_authorities:
|
|
|
64
64
|
:value:
|
|
65
65
|
- :type: URI
|
|
66
66
|
:value: http://crl.domain.com/test_ca.crl
|
|
67
|
-
default_md:
|
|
67
|
+
default_md: SHA256
|
|
68
68
|
allowed_mds:
|
|
69
69
|
- SHA256
|
|
70
70
|
- SHA512
|
|
71
|
-
- SHA1
|
|
72
71
|
client:
|
|
73
72
|
basic_constraints:
|
|
74
73
|
:ca: false
|
|
@@ -91,11 +90,10 @@ certificate_authorities:
|
|
|
91
90
|
:value:
|
|
92
91
|
- :type: URI
|
|
93
92
|
:value: http://crl.domain.com/test_ca.crl
|
|
94
|
-
default_md:
|
|
93
|
+
default_md: SHA256
|
|
95
94
|
allowed_mds:
|
|
96
95
|
- SHA256
|
|
97
96
|
- SHA512
|
|
98
|
-
- SHA1
|
|
99
97
|
email:
|
|
100
98
|
basic_constraints:
|
|
101
99
|
:ca: false
|
|
@@ -118,11 +116,10 @@ certificate_authorities:
|
|
|
118
116
|
:value:
|
|
119
117
|
- :type: URI
|
|
120
118
|
:value: http://crl.domain.com/test_ca.crl
|
|
121
|
-
default_md:
|
|
119
|
+
default_md: SHA256
|
|
122
120
|
allowed_mds:
|
|
123
121
|
- SHA256
|
|
124
122
|
- SHA512
|
|
125
|
-
- SHA1
|
|
126
123
|
clientserver:
|
|
127
124
|
basic_constraints:
|
|
128
125
|
:ca: false
|
|
@@ -146,11 +143,10 @@ certificate_authorities:
|
|
|
146
143
|
:value:
|
|
147
144
|
- :type: URI
|
|
148
145
|
:value: http://crl.domain.com/test_ca.crl
|
|
149
|
-
default_md:
|
|
146
|
+
default_md: SHA256
|
|
150
147
|
allowed_mds:
|
|
151
148
|
- SHA256
|
|
152
149
|
- SHA512
|
|
153
|
-
- SHA1
|
|
154
150
|
codesigning:
|
|
155
151
|
basic_constraints:
|
|
156
152
|
:ca: false
|
|
@@ -172,11 +168,10 @@ certificate_authorities:
|
|
|
172
168
|
:value:
|
|
173
169
|
- :type: URI
|
|
174
170
|
:value: http://crl.domain.com/test_ca.crl
|
|
175
|
-
default_md:
|
|
171
|
+
default_md: SHA256
|
|
176
172
|
allowed_mds:
|
|
177
173
|
- SHA256
|
|
178
174
|
- SHA512
|
|
179
|
-
- SHA1
|
|
180
175
|
timestamping:
|
|
181
176
|
basic_constraints:
|
|
182
177
|
:ca: false
|
|
@@ -198,11 +193,10 @@ certificate_authorities:
|
|
|
198
193
|
:value:
|
|
199
194
|
- :type: URI
|
|
200
195
|
:value: http://crl.domain.com/test_ca.crl
|
|
201
|
-
default_md:
|
|
196
|
+
default_md: SHA256
|
|
202
197
|
allowed_mds:
|
|
203
198
|
- SHA256
|
|
204
199
|
- SHA512
|
|
205
|
-
- SHA1
|
|
206
200
|
subroot:
|
|
207
201
|
basic_constraints:
|
|
208
202
|
:ca: true
|
|
@@ -261,11 +255,10 @@ certificate_authorities:
|
|
|
261
255
|
:value:
|
|
262
256
|
- :type: URI
|
|
263
257
|
:value: http://crl.domain.com/test_ca.crl
|
|
264
|
-
default_md:
|
|
258
|
+
default_md: SHA256
|
|
265
259
|
allowed_mds:
|
|
266
260
|
- SHA256
|
|
267
261
|
- SHA512
|
|
268
|
-
- SHA1
|
|
269
262
|
ocsp_delegate:
|
|
270
263
|
basic_constraints:
|
|
271
264
|
:ca: false
|
|
@@ -282,8 +275,7 @@ certificate_authorities:
|
|
|
282
275
|
ocsp_no_check:
|
|
283
276
|
:critical: false
|
|
284
277
|
:value: true
|
|
285
|
-
default_md:
|
|
278
|
+
default_md: SHA256
|
|
286
279
|
allowed_mds:
|
|
287
280
|
- SHA256
|
|
288
281
|
- SHA512
|
|
289
|
-
- SHA1
|