r509 0.8.1 → 0.9

data/lib/r509/ec-hack.rb

@@ -0,0 +1,37 @@
+# this hack exists to work around a major issue with the OpenSSL::PKey::EC interface
+# as it is currently configured in ruby <= 2.0.0-p0
+# the signing methods on OpenSSL::X509::Request and OpenSSL::X509::Certificate look for
+# a method named #private? on the PKey object. OpenSSL::PKey::RSA and OpenSSL::PKey::DSA
+# both define this method, but OpenSSL::PKey::EC defines #private_key? instead. This
+# will open up the class and add #private? as an alias to allow successful signing
+if defined?(OpenSSL::PKey::EC) and not OpenSSL::PKey::EC.method_defined?('private?')
+  # marked as @private so it won't appear in the yard doc
+  # @private
+  module OpenSSL::PKey
+    # marked as @private so it won't appear in the yard doc
+    # @private
+    class EC
+      def private?
+        private_key?
+      end
+    end
+  end
+elsif not defined?(OpenSSL::PKey::EC)
+  # this is a stub implementation for when EC is unavailable. Any method called against
+  # it will raise an R509Error
+  # marked as @private so it won't appear in the yard doc
+  # @private
+  module OpenSSL::PKey
+    # marked as @private so it won't appear in the yard doc
+    # @private
+    class EC
+      UNSUPPORTED = true
+      def initialize(*args)
+        raise R509::R509Error, "EC is unavailable. You may need to recompile Ruby with an OpenSSL that has elliptic curve support."
+      end
+      def method_missing(method, *args, &block)
+        raise R509::R509Error, "EC is unavailable. You may need to recompile Ruby with an OpenSSL that has elliptic curve support."
+      end
+    end
+  end
+end

data/lib/r509/exceptions.rb

@@ -1,5 +1,5 @@
 module R509
-    #An error r509 sometimes raises. You know, when it feels like it.
-    class R509Error < StandardError
-    end
+  #An error r509 sometimes raises. You know, when it feels like it.
+  class R509Error < StandardError
+  end
 end

data/lib/r509/io_helpers.rb

@@ -1,52 +1,52 @@
 module R509
-    # helper methods for I/O
-    module IOHelpers
-        # Writes data into an IO or file
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        # @param [String] data The data that we want to write
-        def self.write_data(filename_or_io, data)
-            if filename_or_io.respond_to?(:write)
-                filename_or_io.write(data)
-            else
-                begin
-                    file = File.open(filename_or_io, 'wb:ascii-8bit')
-                    return file.write(data)
-                ensure
-                    file.close()
-                end
-            end
+  # helper methods for I/O
+  module IOHelpers
+    # Writes data into an IO or file
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    # @param [String] data The data that we want to write
+    def self.write_data(filename_or_io, data)
+      if filename_or_io.respond_to?(:write)
+        filename_or_io.write(data)
+      else
+        begin
+          file = File.open(filename_or_io, 'wb:ascii-8bit')
+          return file.write(data)
+        ensure
+          file.close()
         end
+      end
+    end
 
-        # Reads data from an IO or file
-        # @param [String, #read] filename_or_io Either a string of the path for
-        #  the file that you'd like to read, or an IO-like object.
-        def self.read_data(filename_or_io)
-            if filename_or_io.respond_to?(:read)
-                filename_or_io.read()
-            else
-                begin
-                    file = File.open(filename_or_io, 'rb:ascii-8bit')
-                    return file.read()
-                ensure
-                    file.close() unless file.nil?
-                end
-            end
+    # Reads data from an IO or file
+    # @param [String, #read] filename_or_io Either a string of the path for
+    #  the file that you'd like to read, or an IO-like object.
+    def self.read_data(filename_or_io)
+      if filename_or_io.respond_to?(:read)
+        filename_or_io.read()
+      else
+        begin
+          file = File.open(filename_or_io, 'rb:ascii-8bit')
+          return file.read()
+        ensure
+          file.close() unless file.nil?
         end
+      end
+    end
 
-        # Writes data into an IO or file
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        # @param [String] data The data that we want to write
-        def write_data(filename_or_io, data)
-          IOHelpers.write_data(filename_or_io, data)
-        end
+    # Writes data into an IO or file
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    # @param [String] data The data that we want to write
+    def write_data(filename_or_io, data)
+      IOHelpers.write_data(filename_or_io, data)
+    end
 
-        # Reads data from an IO or file
-        # @param [String, #read] filename_or_io Either a string of the path for
-        #  the file that you'd like to read, or an IO-like object.
-        def read_data(filename_or_io)
-          IOHelpers.read_data(filename_or_io)
-        end
+    # Reads data from an IO or file
+    # @param [String, #read] filename_or_io Either a string of the path for
+    #  the file that you'd like to read, or an IO-like object.
+    def read_data(filename_or_io)
+      IOHelpers.read_data(filename_or_io)
     end
+  end
 end

data/lib/r509/message_digest.rb

@@ -0,0 +1,53 @@
+require 'openssl'
+
+module R509
+  #MessageDigest allows you to specify MDs in a more friendly fashion
+  class MessageDigest
+    attr_reader :name, :digest
+
+    # @param [String,OpenSSL::Digest] arg
+    def initialize(arg)
+      if arg.kind_of?(String)
+        @name = arg.downcase
+        @digest = translate_name_to_digest
+      else
+        @digest = arg
+        @name = translate_digest_to_name
+      end
+    end
+
+    private
+
+    # @return [OpenSSL::Digest]
+    def translate_name_to_digest
+      case @name
+      when 'sha1' then OpenSSL::Digest::SHA1.new
+      when 'sha224' then OpenSSL::Digest::SHA224.new
+      when 'sha256' then OpenSSL::Digest::SHA256.new
+      when 'sha384' then OpenSSL::Digest::SHA384.new
+      when 'sha512' then OpenSSL::Digest::SHA512.new
+      when 'md5' then OpenSSL::Digest::MD5.new
+      when 'dss1' then OpenSSL::Digest::DSS1.new
+      else
+        @name = "sha1"
+        OpenSSL::Digest::SHA1.new
+      end
+    end
+
+    # @return [String]
+    def translate_digest_to_name
+      case @digest
+      when OpenSSL::Digest::SHA1 then 'sha1'
+      when OpenSSL::Digest::SHA224 then 'sha224'
+      when OpenSSL::Digest::SHA256 then 'sha256'
+      when OpenSSL::Digest::SHA384 then 'sha384'
+      when OpenSSL::Digest::SHA512 then 'sha512'
+      when OpenSSL::Digest::MD5 then 'md5'
+      when OpenSSL::Digest::DSS1 then 'dss1'
+      else
+        raise ArgumentError, "Unknown digest"
+      end
+    end
+  end
+end
+

data/lib/r509/ocsp.rb

@@ -2,84 +2,94 @@ require 'openssl'
 require 'r509/exceptions'
 require 'r509/config'
 
-#Ocsp module
-module R509::Ocsp
+#OCSP module
+module R509::OCSP
 
-    #builds OCSP responses
-    class Response
-        # @param ocsp_response [OpenSSL::OCSP::Response]
-        def initialize(ocsp_response)
-            if not ocsp_response.kind_of?(OpenSSL::OCSP::Response)
-                raise R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::Ocsp::Response.parse if you are trying to parse'
-            end
-            @ocsp_response = ocsp_response
-        end
-        # @param [String,OpenSSL::OCSP::Response] ocsp_string parses an existing response
-        # @return [R509::Ocsp::Response]
-        def self.parse(ocsp_string)
-            if ocsp_string.nil?
-                raise R509::R509Error, 'You must pass a DER encoded OCSP response to this method'
-            end
-            R509::Ocsp::Response.new(OpenSSL::OCSP::Response.new(ocsp_string))
-        end
-
-        # @return [OpenSSL::OCSP] response status of this response
-        def status
-            @ocsp_response.status
-        end
+  #builds OCSP responses
+  class Response
+    # @param ocsp_response [OpenSSL::OCSP::Response]
+    def initialize(ocsp_response)
+      if not ocsp_response.kind_of?(OpenSSL::OCSP::Response)
+        raise R509::R509Error, 'You must pass an OpenSSL::OCSP::Response object to the constructor. See R509::OCSP::Response.parse if you are trying to parse'
+      end
+      @ocsp_response = ocsp_response
+    end
+    # @param [String,OpenSSL::OCSP::Response] ocsp_string parses an existing response
+    # @return [R509::OCSP::Response]
+    def self.parse(ocsp_string)
+      if ocsp_string.nil?
+        raise R509::R509Error, 'You must pass a DER encoded OCSP response to this method'
+      end
+      R509::OCSP::Response.new(OpenSSL::OCSP::Response.new(ocsp_string))
+    end
 
-        # @return [String] der encoded string
-        def to_der
-            @ocsp_response.to_der
-        end
+    # @return [OpenSSL::OCSP] response status of this response
+    def status
+      @ocsp_response.status
+    end
 
-        # @return [OpenSSL::OCSP::BasicResponse]
-        def basic
-            @ocsp_response.basic
-        end
+    # @return [String] der encoded string
+    def to_der
+      @ocsp_response.to_der
+    end
 
-        # @param [Array<OpenSSL::X509::Certificate>,OpenSSL::X509::Certificate] certs A cert or array of certs to verify against
-        # @return [Boolean] true if the response is valid according to the given root
-        def verify(certs)
-            store = OpenSSL::X509::Store.new
-            if certs.kind_of?(Array)
-                stack = certs
-                certs.each do |cert|
-                    store.add_cert(cert)
-                end
-            else
-                stack = [certs]
-                store.add_cert(certs)
-            end
+    # @return [OpenSSL::OCSP::BasicResponse]
+    def basic
+      @ocsp_response.basic
+    end
 
-            #suppress verbosity since #verify will output a warning if it does not match
-            #as well as returning false. we just want the boolean
-            original_verbosity = $VERBOSE
-            $VERBOSE = nil
-            #still a bit unclear on why we add to store and pass in array to verify
-            result = @ocsp_response.basic.verify(stack, store)
-            $VERBOSE = original_verbosity
-            return result
+    # @param [Array<OpenSSL::X509::Certificate>,OpenSSL::X509::Certificate] certs A cert or array of certs to verify against
+    # @return [Boolean] true if the response is valid according to the given root
+    def verify(certs)
+      store = OpenSSL::X509::Store.new
+      if certs.kind_of?(Array)
+        stack = certs
+        certs.each do |cert|
+          store.add_cert(cert)
         end
+      else
+        stack = [certs]
+        store.add_cert(certs)
+      end
 
-        # @param [OpenSSL::OCSP::Request] ocsp_request the OCSP request whose nonce to check
-        # @return [R509::Ocsp::Request::Nonce::CONSTANT] the status code of the nonce check
-        def check_nonce(ocsp_request)
-            ocsp_request.check_nonce(@ocsp_response.basic)
-        end
+      #suppress verbosity since #verify will output a warning if it does not match
+      #as well as returning false. we just want the boolean
+      original_verbosity = $VERBOSE
+      $VERBOSE = nil
+      #still a bit unclear on why we add to store and pass in array to verify
+      result = @ocsp_response.basic.verify(stack, store)
+      $VERBOSE = original_verbosity
+      return result
     end
 
-    #holds OCSP request related items
-    module Request
-        # contains constants r509 uses for OCSP responses
-        module Nonce
-            #these values are defined at
-            #http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/OCSP/Request.html
-            PRESENT_AND_EQUAL = 1
-            BOTH_ABSENT = 2
-            RESPONSE_ONLY = 3
-            NOT_EQUAL = 0
-            REQUEST_ONLY = -1
-        end
+    # @param [OpenSSL::OCSP::Request] ocsp_request the OCSP request whose nonce to check
+    # @return [R509::OCSP::Request::Nonce::CONSTANT] the status code of the nonce check
+    def check_nonce(ocsp_request)
+      ocsp_request.check_nonce(@ocsp_response.basic)
+    end
+  end
+
+  #holds OCSP request related items
+  module Request
+    # contains constants r509 uses for OCSP responses
+    module Nonce
+      #these values are defined at
+      #http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/OCSP/Request.html
+      # nonce is present and matches
+      PRESENT_AND_EQUAL = 1
+
+      # nonce is missing in request and response
+      BOTH_ABSENT = 2
+
+      # nonce is present in response only
+      RESPONSE_ONLY = 3
+
+      # nonce is in both request and response, but does not match
+      NOT_EQUAL = 0
+
+      # nonce is present in request only
+      REQUEST_ONLY = -1
+
     end
+  end
 end

data/lib/r509/oid_mapper.rb

@@ -0,0 +1,32 @@
+require 'openssl'
+
+module R509
+  # Helps map raw OIDs to friendlier short names
+  module OIDMapper
+    # Register an OID so we have a friendly short name
+    # @param [String] oid A string representation of the OID you want to map (e.g. "1.6.2.3.55")
+    # @param [String] short_name The short name (e.g. CN, O, OU, emailAddress)
+    # @param [String] long_name Optional long name. Defaults to the same as short_name
+    # @return [Boolean] success/failure
+    def self.register(oid,short_name,long_name=nil)
+      if long_name.nil?
+        long_name = short_name
+      end
+      OpenSSL::ASN1::ObjectId.register(oid, short_name, long_name)
+    end
+
+    # Register a batch of OIDs so we have friendly short names
+    # @param [Array] oids An array of hashes
+    # @example
+    #  R509::OIDMapper.batch_register([
+    #   {:oid => "1.2.3.4.5", :short_name => "sName", :long_name => "lName"},
+    #   {:oid => "1.2.3.4.6", :short_name => "oName"}
+    # ]
+    def self.batch_register(oids)
+      oids.each do |oid_hash|
+        self.register(oid_hash[:oid],oid_hash[:short_name],oid_hash[:long_name])
+      end
+      nil
+    end
+  end
+end

data/lib/r509/private_key.rb

@@ -0,0 +1,228 @@
+require 'openssl'
+require 'r509/io_helpers'
+require 'r509/exceptions'
+
+module R509
+  #private key management
+  class PrivateKey
+    include R509::IOHelpers
+
+    # @option opts [Symbol] :type :rsa/:dsa/:ec
+    # @option opts [String] :curve_name ("secp384r1") Only used if :type is :ec
+    # @option opts [Integer] :bit_strength (2048) Only used if :type is :rsa or :dsa.
+    # @option opts [String] :password
+    # @option opts [String,OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::PKey::EC] :key
+    # @option opts [OpenSSL::Engine] :engine
+    # @option opts [string] :key_name (used with engine)
+    def initialize(opts={})
+      if not opts.kind_of?(Hash)
+        raise ArgumentError, 'Must provide a hash of options'
+      end
+
+      if opts.has_key?(:engine) and opts.has_key?(:key)
+        raise ArgumentError, 'You can\'t pass both :key and :engine'
+      elsif opts.has_key?(:key_name) and not opts.has_key?(:engine)
+        raise ArgumentError, 'When providing a :key_name you MUST provide an :engine'
+      elsif opts.has_key?(:engine) and not opts.has_key?(:key_name)
+        raise ArgumentError, 'When providing an :engine you MUST provide a :key_name'
+      elsif opts.has_key?(:engine) and opts.has_key?(:key_name)
+        if not opts[:engine].kind_of?(OpenSSL::Engine)
+          raise ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine'
+        end
+        @engine = opts[:engine]
+        @key_name = opts[:key_name]
+      end
+
+      if opts.has_key?(:key)
+        password = opts[:password] || nil
+        #OpenSSL::PKey.read solves this begin/rescue garbage but is only
+        #available to Ruby 1.9.3+ and may not solve the EC portion
+        begin
+          @key = OpenSSL::PKey::RSA.new(opts[:key],password)
+        rescue OpenSSL::PKey::RSAError
+          begin
+            @key = OpenSSL::PKey::DSA.new(opts[:key],password)
+          rescue
+            begin
+              @key = OpenSSL::PKey::EC.new(opts[:key],password)
+            rescue
+              raise R509::R509Error, "Failed to load private key. Invalid key or incorrect password."
+            end
+          end
+        end
+      else
+        bit_strength = opts[:bit_strength] || 2048
+        type = opts[:type] || :rsa
+        case type
+        when :rsa
+          @key = OpenSSL::PKey::RSA.new(bit_strength)
+        when :dsa
+          @key = OpenSSL::PKey::DSA.new(bit_strength)
+        when :ec
+          curve_name = opts[:curve_name] || "secp384r1"
+          @key = OpenSSL::PKey::EC.new(curve_name)
+          @key.generate_key
+        else
+          raise ArgumentError, 'Must provide :rsa, :dsa , or :ec as type when key or engine is nil'
+        end
+      end
+    end
+
+    # Helper method to quickly load a private key from the filesystem
+    #
+    # @param [String] filename Path to file you want to load
+    # @return [R509::PrivateKey] PrivateKey object
+    def self.load_from_file( filename, password = nil )
+      return R509::PrivateKey.new(:key => IOHelpers.read_data(filename), :password => password )
+    end
+
+
+    # Returns the bit strength of the key
+    #
+    # @return [Integer]
+    def bit_strength
+      if self.rsa?
+        return self.public_key.n.num_bits
+      elsif self.dsa?
+        return self.public_key.p.num_bits
+      elsif self.ec?
+        raise R509::R509Error, 'Bit strength is not available for EC at this time.'
+      end
+    end
+
+    # Returns the short name of the elliptic curve used to generate the private key
+    # if the key is EC. If not, raises an error.
+    #
+    # @return [String] elliptic curve name
+    def curve_name
+      if self.ec?
+        self.key.group.curve_name
+      else
+        raise R509::R509Error, 'Curve name is only available with EC private keys'
+      end
+    end
+
+    # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::Engine pkey] this method may return the PKey object itself or a handle to the private key in the HSM (which will not show the private key, just public)
+    def key
+      if in_hardware?
+        @engine.load_private_key(@key_name)
+      else
+        @key
+      end
+    end
+
+    # @return [Boolean] whether the key is resident in hardware or not
+    def in_hardware?
+      if not @engine.nil?
+        true
+      else
+        false
+      end
+    end
+
+    # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::PKey::EC] public key
+    def public_key
+      if self.ec?
+        # OpenSSL::PKey::EC.public_key returns an OpenSSL::PKey::EC::Point, which isn't consistent
+        # with the way OpenSSL::PKey::RSA/DSA do it. We could return the original PKey::EC object
+        # but if we do that then it has the private_key as well. Here's a ghetto workaround.
+        # We have to supply the curve name to the temporary key object or else #public_key= fails
+        curve_name = self.key.group.curve_name
+        temp_key = OpenSSL::PKey::EC.new(curve_name)
+        temp_key.public_key=self.key.public_key
+        temp_key
+      else
+        self.key.public_key
+      end
+    end
+
+    alias :to_s :public_key
+
+    # Converts the key into the PEM format
+    #
+    # @return [String] the key converted into PEM format.
+    def to_pem
+      if in_hardware?
+        raise R509::R509Error, "This method cannot be called when using keys in hardware"
+      end
+      self.key.to_pem
+    end
+
+    # Converts the key into encrypted PEM format
+    #
+    # @param [String,OpenSSL::Cipher] cipher to use for encryption
+    # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
+    # (common ones are des3, aes256, aes128)
+    # @param [String] password password
+    # @return [String] the key converted into encrypted PEM format.
+    def to_encrypted_pem(cipher,password)
+      if in_hardware?
+        raise R509::R509Error, "This method cannot be called when using keys in hardware"
+      end
+      cipher = OpenSSL::Cipher::Cipher.new(cipher)
+      self.key.to_pem(cipher,password)
+    end
+
+
+    # Converts the key into the DER format
+    #
+    # @return [String] the key converted into DER format.
+    def to_der
+      if in_hardware?
+        raise R509::R509Error, "This method cannot be called when using keys in hardware"
+      end
+      self.key.to_der
+    end
+
+    # Writes the key into the PEM format
+    #
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    def write_pem(filename_or_io)
+      write_data(filename_or_io, self.to_pem)
+    end
+
+
+    # Writes the key into encrypted PEM format with specified cipher
+    #
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    # @param [String,OpenSSL::Cipher] cipher to use for encryption
+    # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
+    # (common ones are des3, aes256, aes128)
+    # @param [String] password password
+    def write_encrypted_pem(filename_or_io,cipher,password)
+      write_data(filename_or_io, to_encrypted_pem(cipher,password))
+    end
+
+    # Writes the key into the DER format
+    #
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    def write_der(filename_or_io)
+      write_data(filename_or_io, self.to_der)
+    end
+
+
+    # Returns whether the key is RSA
+    #
+    # @return [Boolean] true if the key is RSA, false otherwise
+    def rsa?
+      self.key.kind_of?(OpenSSL::PKey::RSA)
+    end
+
+    # Returns whether the key is DSA
+    #
+    # @return [Boolean] true if the key is DSA, false otherwise
+    def dsa?
+      self.key.kind_of?(OpenSSL::PKey::DSA)
+    end
+
+    # Returns whether the key is EC
+    #
+    # @return [Boolean] true if the key is EC, false otherwise
+    def ec?
+      self.key.kind_of?(OpenSSL::PKey::EC)
+    end
+  end
+end