r509 0.8.1 → 0.9

data/lib/r509/spki.rb

@@ -3,110 +3,162 @@ require 'r509/exceptions'
 require 'r509/io_helpers'
 
 module R509
-    # class for handling SPKAC/SPKI requests (typically generated by the <keygen> tag
-    class Spki
-        include R509::IOHelpers
-
-        attr_reader :subject, :spki, :san_names
-        # @option opts [String,OpenSSL::Netscape::SPKI] :spki the spki you want to parse
-        # @option opts [R509::Subject,Array,OpenSSL::X509::Name] :subject array of subject items
-        # @example [['CN','langui.sh'],['ST','Illinois'],['L','Chicago'],['C','US'],['emailAddress','ca@langui.sh']]
-        # you can also pass OIDs (see tests)
-        # @option opts [Array] :san_names array of SAN names
-        def initialize(opts={})
-            if not opts.kind_of?(Hash)
-                raise ArgumentError, 'Must provide a hash of options'
-            end
-            if opts.has_key?(:spki) and not opts.has_key?(:subject)
-                raise ArgumentError, "Must provide both spki and subject"
-            end
-            if opts.has_key?(:san_names) and not opts[:san_names].kind_of?(Array)
-                raise ArgumentError, "if san_names are provided they must be in an Array"
-            end
-            @spki = OpenSSL::Netscape::SPKI.new(opts[:spki].sub("SPKAC=",""))
-            @subject = R509::Subject.new(opts[:subject])
-            @san_names = opts[:san_names] || []
-        end
+  # class for loading/generating SPKAC/SPKI requests (typically generated by the <keygen> tag
+  class SPKI
+    include R509::IOHelpers
 
-        # @return [OpenSSL::PKey::RSA] public key
-        def public_key
-            @spki.public_key
-        end
+    attr_reader :spki, :key
+    # @option opts [String,OpenSSL::Netscape::SPKI] :spki the spki you want to parse
+    # @option opts [R509::PrivateKey,String] :key optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support). if supplied you do not need to pass an spki.
+    # @option opts [String] :message_digest Optional digest. sha1, sha224, sha256, sha384, sha512, md5. Defaults to sha1. Only used if you supply a :key and no :spki
+    def initialize(opts={})
+      if not opts.kind_of?(Hash)
+        raise ArgumentError, 'Must provide a hash of options'
+      elsif not opts.has_key?(:spki) and not opts.has_key?(:key)
+        raise ArgumentError, 'Must provide either :spki or :key'
+      end
 
-        # Converts the SPKI into the PEM format
-        #
-        # @return [String] the SPKI converted into PEM format.
-        def to_pem
-            @spki.to_pem
+      if opts.has_key?(:key)
+        if opts[:key].kind_of?(R509::PrivateKey)
+          @key = opts[:key]
+        else
+          @key = R509::PrivateKey.new(:key => opts[:key])
+        end
+      end
+      if opts.has_key?(:spki)
+        spki = opts[:spki]
+        # first let's try cleaning up the input a bit so OpenSSL is happy with it
+        # OpenSSL hates SPKAC=
+        spki.sub!("SPKAC=","")
+        # it really hates newlines (Firefox loves 'em)
+        # so let's normalize line endings
+        spki.gsub!(/\r\n?/, "\n")
+        # and nuke 'em
+        spki.gsub!("\n", "")
+        # ...and leading/trailing whitespace
+        spki.strip!
+        @spki = OpenSSL::Netscape::SPKI.new(spki)
+        if not @key.nil? and not @spki.verify(@key.public_key) then
+          raise R509Error, 'Key does not match SPKI.'
+        end
+      end
+      # create the SPKI from the private key if it wasn't passed in
+      if @spki.nil?
+        @spki = OpenSSL::Netscape::SPKI.new
+        @spki.public_key = @key.public_key
+        if @key.dsa?
+          #only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
+          #post-1.0 you can sign with anything, but let's be conservative
+          #see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
+          message_digest = R509::MessageDigest.new('dss1')
+        elsif opts.has_key?(:message_digest)
+          message_digest = R509::MessageDigest.new(opts[:message_digest])
+        else
+          message_digest = R509::MessageDigest.new('sha1')
         end
+        @spki.sign(@key.key,message_digest.digest)
+      end
+    end
 
-        alias :to_s :to_pem
+    # @return [OpenSSL::PKey::RSA] public key
+    def public_key
+      @spki.public_key
+    end
 
-        # Converts the SPKI into the DER format
-        #
-        # @return [String] the SPKI converted into DER format.
-        def to_der
-            @spki.to_der
-        end
+    # Verifies the integrity of the signature on the SPKI
+    # @return [Boolean]
+    def verify_signature
+      @spki.verify(public_key)
+    end
 
-        # Writes the SPKI into the PEM format
-        #
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        def write_pem(filename_or_io)
-            write_data(filename_or_io, @spki.to_pem)
-        end
+    # Converts the SPKI into the PEM format
+    #
+    # @return [String] the SPKI converted into PEM format.
+    def to_pem
+      @spki.to_pem
+    end
 
-        # Writes the SPKI into the DER format
-        #
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        def write_der(filename_or_io)
-            write_data(filename_or_io, @spki.to_der)
-        end
+    alias :to_s :to_pem
 
-        # Returns whether the public key is RSA
-        #
-        # @return [Boolean] true if the public key is RSA, false otherwise
-        def rsa?
-            @spki.public_key.kind_of?(OpenSSL::PKey::RSA)
-        end
+    # Converts the SPKI into the DER format
+    #
+    # @return [String] the SPKI converted into DER format.
+    def to_der
+      @spki.to_der
+    end
 
-        # Returns whether the public key is DSA
-        #
-        # @return [Boolean] true if the public key is DSA, false otherwise
-        def dsa?
-            @spki.public_key.kind_of?(OpenSSL::PKey::DSA)
-        end
+    # Writes the SPKI into the PEM format
+    #
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    def write_pem(filename_or_io)
+      write_data(filename_or_io, @spki.to_pem)
+    end
 
-        # Returns the bit strength of the key used to create the SPKI
-        # @return [Integer] the integer bit strength.
-        def bit_strength
-            if self.rsa?
-                return @spki.public_key.n.num_bits
-            elsif self.dsa?
-                return @spki.public_key.p.num_bits
-            end
-        end
+    # Writes the SPKI into the DER format
+    #
+    # @param [String, #write] filename_or_io Either a string of the path for
+    #  the file that you'd like to write, or an IO-like object.
+    def write_der(filename_or_io)
+      write_data(filename_or_io, @spki.to_der)
+    end
 
-        # Returns key algorithm (RSA/DSA)
-        #
-        # @return [String] value of the key algorithm. RSA or DSA
-        def key_algorithm
-            if @spki.public_key.kind_of? OpenSSL::PKey::RSA then
-                'RSA'
-            elsif @spki.public_key.kind_of? OpenSSL::PKey::DSA then
-                'DSA'
-            end
-        end
+    # Returns whether the public key is RSA
+    #
+    # @return [Boolean] true if the public key is RSA, false otherwise
+    def rsa?
+      @spki.public_key.kind_of?(OpenSSL::PKey::RSA)
+    end
 
-        # Returns a hash structure you can pass to the Ca
-        # You will want to call this method if you intend to alter the values
-        # and then pass them to the Ca class.
-        #
-        # @return [Hash] :subject and :san_names you can pass to Ca
-        def to_hash
-            { :subject => @subject.dup , :san_names => @san_names.dup }
-        end
+    # Returns whether the public key is DSA
+    #
+    # @return [Boolean] true if the public key is DSA, false otherwise
+    def dsa?
+      @spki.public_key.kind_of?(OpenSSL::PKey::DSA)
+    end
+
+    # Returns whether the public key is EC
+    #
+    # @return [Boolean] true if the public key is EC, false otherwise
+    def ec?
+      @spki.public_key.kind_of?(OpenSSL::PKey::EC)
+    end
+
+    # Returns the bit strength of the key used to create the SPKI
+    # @return [Integer] the integer bit strength.
+    def bit_strength
+      if self.rsa?
+        return @spki.public_key.n.num_bits
+      elsif self.dsa?
+        return @spki.public_key.p.num_bits
+      elsif self.ec?
+        raise R509::R509Error, 'Bit strength is not available for EC at this time.'
+      end
+    end
+
+    # Returns the short name of the elliptic curve used to generate the public key
+    # if the key is EC. If not, raises an error.
+    #
+    # @return [String] elliptic curve name
+    def curve_name
+      if self.ec?
+        @spki.public_key.group.curve_name
+      else
+        raise R509::R509Error, 'Curve name is only available with EC SPKIs'
+      end
+    end
+
+    # Returns key algorithm (RSA/DSA)
+    #
+    # @return [String] value of the key algorithm. RSA or DSA
+    def key_algorithm
+      if self.rsa?
+        :rsa
+      elsif self.dsa?
+        :dsa
+      elsif self.ec?
+        :ec
+      end
     end
+  end
 end

data/lib/r509/subject.rb

@@ -1,133 +1,226 @@
 require "openssl"
 
 module R509
-    #subject class. Used for building OpenSSL::X509::Name objects in a sane fashion
-    class Subject
-        # @param [Array, OpenSSL::X509::Name, R509::Subject] arg
-        def initialize(arg=nil)
-            case arg
-            when Array
-                @array = arg
-            when OpenSSL::X509::Name
-                sanitizer = R509::NameSanitizer.new
-                @array = sanitizer.sanitize(arg)
-            when R509::Subject
-                @array = arg.to_a
-            else
-                @array = []
-            end
-
-            # see if X509 thinks this is okay
-            name
+  # subject class. Used for building OpenSSL::X509::Name objects in a sane fashion
+  # @example
+  #   subject = R509::Subject.new
+  #   subject.CN= "test.test"
+  #   subject.organization= "r509 LLC"
+  # @example
+  #   subject = R509::Subject.new([['CN','test.test'],['O','r509 LLC']])
+  # @example
+  #   # you can also use the friendly getter/setters with custom OIDs
+  #   R509::OIDMapper.register("1.2.3.4.5.6.7.8","COI","customOID")
+  #   subject = R509::Subject.new
+  #   subject.COI="test"
+  #   # or
+  #   subject.customOID="test"
+  #   # or
+  #   subject.custom_oid="test"
+  class Subject
+    # @param [Array, OpenSSL::X509::Name, R509::Subject, DER, nil] arg
+    def initialize(arg=nil)
+      if arg.kind_of?(Array)
+        @array = arg
+      elsif arg.kind_of?(OpenSSL::X509::Name)
+        sanitizer = R509::NameSanitizer.new
+        @array = sanitizer.sanitize(arg)
+      elsif arg.kind_of?(R509::Subject)
+        @array = arg.to_a
+      else
+        @array = []
+        if not (begin OpenSSL::ASN1.decode(arg) rescue nil end).nil?
+          parse_asn1(arg)
         end
+      end
 
-        # @return [OpenSSL::X509::Name]
-        def name
-            OpenSSL::X509::Name.new(@array)
-        end
+      # see if X509 thinks this is okay
+      name
+    end
 
-        # @return [Boolean]
-        def empty?
-            @array.empty?
-        end
+    # @return [OpenSSL::X509::Name]
+    def name
+      OpenSSL::X509::Name.new(@array)
+    end
 
-        # get value for key
-        def [](key)
-            @array.each do |item|
-                if key == item[0]
-                    return item[1]
-                end
-            end
-            return nil
-        end
+    # @return [Boolean]
+    def empty?
+      @array.empty?
+    end
 
-        # set key and value
-        def []=(key, value)
-            added = false
-            @array = @array.map{ |item|
-                if key == item[0]
-                    added = true
-                    [key, value]
-                else
-                    item
-                end
-            }
-
-            if not added
-                @array << [key, value]
-            end
-
-            # see if X509 thinks this is okay
-            name
-
-            @array
+    # get value for key
+    def [](key)
+      @array.each do |item|
+        if key == item[0]
+          return item[1]
         end
+      end
+      return nil
+    end
 
-        # @param [String] key item you want deleted
-        def delete(key)
-            @array = @array.select do |item|
-                item[0] != key
-            end
+    # set key and value
+    def []=(key, value)
+      added = false
+      @array = @array.map{ |item|
+        if key == item[0]
+          added = true
+          [key, value]
+        else
+          item
         end
+      }
+
+      if not added
+        @array << [key, value]
+      end
+
+      # see if X509 thinks this is okay
+      name
+
+      @array
+    end
+
+    # @param [String] key item you want deleted
+    def delete(key)
+      @array = @array.select do |item|
+        item[0] != key
+      end
+    end
+
+    # @return [String] string of form /CN=something.com/O=whatever/L=Locality
+    def to_s
+      name.to_s
+    end
 
-        # @return [String] string of form /CN=something.com/O=whatever/L=Locality
-        def to_s
-            name.to_s
+    # @return [Array] Array of form [['CN','langui.sh']]
+    def to_a
+      @array
+    end
+
+    # @private
+    def respond_to?(method_sym, include_private = false)
+      method_sym.to_s =~ /([^=]*)/
+      oid = oid_check($1)
+      if not oid.nil?
+        true
+      else
+        super(method_sym, include_private)
+      end
+    end
+
+    private
+
+    # Try to build methods for getting/setting various subject attributes
+    # dynamically. this will also cache methods that get built via instance_eval.
+    # This code will also allow you to set subject items for custom oids
+    # defined via R509::OIDMapper
+    #
+    def method_missing(method_sym, *args, &block)
+      if method_sym.to_s =~ /(.*)=$/
+        sn = oid_check($1)
+        if not sn.nil?
+          define_dynamic_setter(method_sym,sn)
+          send(method_sym, args.first)
+        else
+          return super(method_sym, *args, &block)
         end
+      else
+        sn = oid_check(method_sym)
+        if not sn.nil?
+          define_dynamic_getter(method_sym,sn)
+          send(method_sym)
+        else
+          return super(method_sym, *args, &block)
+        end
+      end
+    end
 
-        # @return [Array] Array of form [['CN','langui.sh'],['O','Org']]
-        def to_a
-            @array
+    def define_dynamic_setter(name,sn)
+      instance_eval <<-RUBY
+        def #{name.to_s}(value)
+          self["#{sn}"]= value
         end
+      RUBY
     end
 
-    # Sanitize an X509::Name. The #to_a method replaces unknown OIDs with "UNDEF", but the #to_s
-    # method doesn't. What we want to do is build the array that would have been produced by #to_a
-    # if it didn't throw away the OID.
-    class NameSanitizer
-        # @option name [OpenSSL::X509::Name]
-        # @return [Array] array of the form [["OID", "VALUE], ["OID", "VALUE"]] with "UNDEF" replaced by the actual OID
-        def sanitize(name)
-            line = name.to_s
-            array = name.to_a.dup
-            used_oids = []
-            undefined_components(array).each do |component|
-                begin
-                    # get the OID from the subject line that has this value
-                    oids = line.scan(/\/([\d\.]+)=#{component[:value]}/).flatten
-                    if oids.size == 1
-                        oid = oids.first
-                    else
-                        oid = oids.select{ |match| not used_oids.include?(match) }.first
-                    end
-                    # replace the "UNDEF" OID name in the array at the index the UNDEF was found
-                    array[component[:index]][0] = oid
-                    # remove the first occurrence of this in the subject line (so we can handle the same oid/value pair multiple times)
-                    line = line.sub("/#{oid}=#{component[:value]}", "")
-                    # we record which OIDs we've used in case two different unknown OIDs have the same value
-                    used_oids << oid
-                rescue
-                    # I don't expect this to happen, but if it does we'll just not replace UNDEF and continue
-                end
-            end
-            array
+    def define_dynamic_getter(name,sn)
+      instance_eval <<-RUBY
+        def #{name.to_s}
+          self["#{sn}"]
         end
+      RUBY
+    end
 
-        private
-
-        # get the components from #to_a that are UNDEF
-        # @option array [Array<OpenSSL::X509::Name>]
-        # @return [Hash]
-        # @example
-        #   Return value looks like
-        #   { :index => the index in the original array where we found an UNDEF, :value => the subject component value }
-        def undefined_components(array)
-            components = []
-            array.each_index do |index|
-                components << { :index => index, :value => array[index][1] } if array[index][0] == "UNDEF"
-            end
-            components
+    def oid_check(name)
+        oid = OpenSSL::ASN1::ObjectId.new(camelize(name))
+        oid.short_name
+    end
+
+    def camelize(sym)
+      sym.to_s.split('_').inject([]){ |buffer,e| buffer.push(buffer.empty? ? e : e.capitalize) }.join
+    end
+
+    def parse_asn1(asn)
+      asn = OpenSSL::ASN1.decode asn
+      # parsing a subject DN
+      # We have to iterate a sequence, which holds sets. Each set has one value: a sequence, which has 2 values
+      # So it's effectively an array of arrays which each have only one element, which is an array of 2 values.
+      asn.value.each do |set|
+        sn = set.value.first.value.first.value
+        val = set.value.first.value.last.value
+        self[sn] = val
+      end
+    end
+  end
+
+  # Sanitize an X509::Name. The #to_a method replaces unknown OIDs with "UNDEF", but the #to_s
+  # method doesn't. What we want to do is build the array that would have been produced by #to_a
+  # if it didn't throw away the OID.
+  # This method is not required as of ruby-1.9.3p125 and up.
+  class NameSanitizer
+    # @option name [OpenSSL::X509::Name]
+    # @return [Array] array of the form [["OID", "VALUE], ["OID", "VALUE"]] with "UNDEF" replaced by the actual OID
+    def sanitize(name)
+      line = name.to_s
+      array = name.to_a.dup
+      used_oids = []
+      undefined_components(array).each do |component|
+        begin
+          # get the OID from the subject line that has this value
+          oids = line.scan(/\/([\d\.]+)=#{component[:value]}/).flatten
+          if oids.size == 1
+            oid = oids.first
+          else
+            oid = oids.select{ |match| not used_oids.include?(match) }.first
+          end
+          # replace the "UNDEF" OID name in the array at the index the UNDEF was found
+          array[component[:index]][0] = oid
+          # remove the first occurrence of this in the subject line (so we can handle the same oid/value pair multiple times)
+          line = line.sub("/#{oid}=#{component[:value]}", "")
+          # we record which OIDs we've used in case two different unknown OIDs have the same value
+          used_oids << oid
+        rescue
+          # I don't expect this to happen, but if it does we'll just not replace UNDEF and continue
         end
+      end
+      array
+    end
+
+    private
+
+    # get the components from #to_a that are UNDEF
+    # @option array [Array<OpenSSL::X509::Name>]
+    # @return [Hash]
+    # @example
+    #  Return value looks like
+    #  { :index => the index in the original array where we found an UNDEF, :value => the subject component value }
+    def undefined_components(array)
+      components = []
+      array.each_index do |index|
+        components << { :index => index, :value => array[index][1] } if array[index][0] == "UNDEF"
+      end
+      components
     end
+  end
 
 end