r509 0.8.1 → 0.9

data/lib/r509/certificateauthority.rb

@@ -1,290 +0,0 @@
-require 'openssl'
-require 'r509/config'
-require 'r509/cert'
-require 'r509/exceptions'
-
-# CertificateAuthority related classes
-module R509::CertificateAuthority
-    # Contains the certification authority signing operation methods
-    class Signer
-        # @param [R509::Config] config
-        def initialize(config=nil)
-            @config = config
-
-            if not @config.nil? and not @config.kind_of?(R509::Config::CaConfig)
-                raise R509::R509Error, "config must be a kind of R509::Config::CaConfig or nil (for self-sign only)"
-            end
-            if not @config.nil? and not @config.ca_cert.has_private_key?
-                raise R509::R509Error, "You must have a private key associated with your CA certificate to issue"
-            end
-        end
-
-        # Signs a CSR
-        # @option options :csr [R509::Csr]
-        # @option options :spki [R509::Spki]
-        # @option options :profile_name [String] The CA profile you want to use (eg "server in your config)
-        # @option options :data_hash [Hash] a hash containing the subject and SAN names you want encoded for this cert. Generate by calling Csr#to_hash or Spki#to_hash
-        # @option options :message_digest [String] the message digest to use for this certificate instead of the config's default
-        # @option options :serial [String] the serial number you want to issue the certificate with
-        # @option options :not_before [Time] the notBefore for the certificate
-        # @option options :not_after [Time] the notAfter for the certificate
-        # @return [R509::Cert] the signed cert object
-        def sign(options)
-            if @config.nil?
-                raise R509::R509Error, "When instantiating the signer without a config you can only call #selfsign"
-            elsif @config.num_profiles == 0
-                raise R509::R509Error, "You must have at least one CaProfile on your CaConfig to issue"
-            end
-
-            if options.has_key?(:csr) and options.has_key?(:spki)
-                raise ArgumentError, "You can't pass both :csr and :spki"
-            elsif not options.has_key?(:csr) and not options.has_key?(:spki)
-                raise ArgumentError, "You must supply either :csr or :spki"
-            elsif options.has_key?(:csr)
-                if not options[:csr].kind_of?(R509::Csr)
-                    raise ArgumentError, "You must pass an R509::Csr object for :csr"
-                else
-                    signable_object = options[:csr]
-                end
-            elsif not options.has_key?(:csr) and options.has_key?(:spki)
-                if not options[:spki].kind_of?(R509::Spki)
-                    raise ArgumentError, "You must pass an R509::Spki object for :spki"
-                else
-                    signable_object = options[:spki]
-                end
-            end
-
-            if options.has_key?(:data_hash)
-                san_names = options[:data_hash][:san_names]
-                subject = options[:data_hash][:subject]
-            else
-                san_names = signable_object.to_hash[:san_names]
-                subject = signable_object.to_hash[:subject]
-            end
-
-
-
-            if options.has_key?(:csr) and not options[:csr].verify_signature
-                raise R509::R509Error, "Certificate request signature is invalid."
-            end
-
-            #handle DSA here
-            if options.has_key?(:message_digest)
-                message_digest = R509::MessageDigest.new(options[:message_digest])
-            else
-                message_digest = R509::MessageDigest.new(@config.message_digest)
-            end
-
-            profile = @config.profile(options[:profile_name])
-
-            validated_subject = validate_subject(subject,profile)
-
-            cert = build_cert(
-                :subject => validated_subject.name,
-                :issuer => @config.ca_cert.subject,
-                :not_before => options[:not_before],
-                :not_after => options[:not_after],
-                :public_key => signable_object.public_key,
-                :serial => options[:serial]
-            )
-
-            basic_constraints = profile.basic_constraints
-            key_usage = profile.key_usage
-            extended_key_usage = profile.extended_key_usage
-            certificate_policies = profile.certificate_policies
-
-            build_extensions(
-                :subject_certificate => cert,
-                :issuer_certificate => @config.ca_cert.cert,
-                :basic_constraints => basic_constraints,
-                :key_usage => key_usage,
-                :extended_key_usage => extended_key_usage,
-                :certificate_policies => certificate_policies,
-                :san_names => san_names
-            )
-
-
-            #@config.ca_cert.key.key ... ugly. ca_cert returns R509::Cert
-            # #key returns R509::PrivateKey and #key on that returns OpenSSL object we need
-            cert.sign( @config.ca_cert.key.key, message_digest.digest )
-            R509::Cert.new(:cert => cert)
-        end
-
-        # Self-signs a CSR
-        # @option options :csr [R509::Csr]
-        # @option options :message_digest [String] the message digest to use for this certificate (defaults to sha1)
-        # @option options :serial [String] the serial number you want to issue the certificate with (defaults to random)
-        # @option options :not_before [Time] the notBefore for the certificate (defaults to now)
-        # @option options :not_after [Time] the notAfter for the certificate (defaults to 1 year)
-        # @option options :san_names [Array] Optional array of subject alternative names
-        # @return [R509::Cert] the signed cert object
-        def selfsign(options)
-            if not options.kind_of?(Hash)
-                raise ArgumentError, "You must pass a hash of options consisting of at minimum :csr"
-            end
-            csr = options[:csr]
-            if csr.key.nil?
-                raise ArgumentError, 'CSR must also have a private key to self sign'
-            end
-            cert = build_cert(
-                :subject => csr.subject.name,
-                :issuer => csr.subject.name,
-                :not_before => options[:not_before],
-                :not_after => options[:not_after],
-                :public_key => csr.public_key,
-                :serial => options[:serial]
-            )
-
-            if options.has_key?(:san_names)
-                san_names = options[:san_names]
-            else
-                san_names = csr.san_names
-            end
-
-            build_extensions(
-                :subject_certificate => cert,
-                :issuer_certificate => cert,
-                :basic_constraints => "CA:TRUE",
-                :san_names => san_names
-            )
-
-
-            if options.has_key?(:message_digest)
-                message_digest = R509::MessageDigest.new(options[:message_digest])
-            else
-                message_digest = R509::MessageDigest.new('sha1')
-            end
-
-            # Csr#key returns R509::PrivateKey and #key on that returns OpenSSL object we need
-            cert.sign( csr.key.key, message_digest.digest )
-            R509::Cert.new(:cert => cert)
-        end
-
-        private
-
-        def process_san_names(domains)
-            domains.map { |domain| 'DNS: '+domain }.join(",")
-        end
-
-        def build_conf(section,data)
-            conf = ["[#{section}]"]
-            conf.concat data
-            conf.join "\n"
-        end
-
-        def validate_subject(subject,profile)
-            if profile.subject_item_policy.nil? then
-                subject
-            else
-                profile.subject_item_policy.validate_subject(subject)
-            end
-        end
-
-        def build_cert(options)
-
-            cert = OpenSSL::X509::Certificate.new
-
-            cert.subject = options[:subject]
-            cert.issuer = options[:issuer]
-            cert.not_before = calculate_not_before(options[:not_before])
-            cert.not_after = calculate_not_after(options[:not_after],cert.not_before)
-            cert.public_key = options[:public_key]
-            cert.serial = create_serial(options[:serial])
-            cert.version = 2 #2 means v3
-            cert
-        end
-
-        def create_serial(serial)
-            if not serial.nil?
-                serial = OpenSSL::BN.new(serial.to_s)
-            else
-                # generate random serial in accordance with best practices
-                # guidelines state 20-bits of entropy, but we can cram more in
-                # per rfc5280 conforming CAs can make the serial field up to 20 octets
-                # to prevent even the incredibly remote possibility of collision we'll
-                # concatenate current time (to the microsecond) with a random num
-                rand = OpenSSL::BN.rand(96,0) # 96 bits is 12 bytes (octets).
-                serial = OpenSSL::BN.new((Time.now.to_f*1000000).to_i.to_s + rand.to_s)
-                # since second param is 0 the most significant bit must always be 1
-                # this theoretically gives us 95 bits of entropy + microtime, which
-                # adds a non-zero quantity of entropy. depending upon how predictable
-                # your issuance is, this could range from a reasonably large quantity
-                # of entropy to very little
-            end
-            serial
-        end
-
-        def build_extensions(options)
-            ef = OpenSSL::X509::ExtensionFactory.new
-
-            ef.subject_certificate = options[:subject_certificate]
-
-            ef.issuer_certificate = options[:issuer_certificate]
-
-            ext = []
-            if not options[:basic_constraints].nil?
-                ext << ef.create_extension("basicConstraints", options[:basic_constraints], true)
-            end
-            if options.has_key?(:key_usage) and not options[:key_usage].empty?
-                ext << ef.create_extension("keyUsage", options[:key_usage].join(","))
-            end
-            if options.has_key?(:extended_key_usage) and not options[:extended_key_usage].empty?
-                ext << ef.create_extension("extendedKeyUsage", options[:extended_key_usage].join(","))
-            end
-            ext << ef.create_extension("subjectKeyIdentifier", "hash")
-
-            #attach the key identifier if it's not a self-sign
-            if not ef.subject_certificate == ef.issuer_certificate and R509::Cert.new(:cert=>options[:issuer_certificate]).extensions['subjectKeyIdentifier']
-                ext << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-            end
-
-            if not options[:certificate_policies].nil? and not options[:certificate_policies].empty?
-                conf = []
-                conf_names = []
-                i = 0
-                options[:certificate_policies].each do |policy|
-                    conf << build_conf("certPolicies#{i}",policy)
-                    conf_names << "@certPolicies#{i}"
-                    i+=1
-                end
-                ef.config = OpenSSL::Config.parse(conf.join("\n"))
-                ext << ef.create_extension("certificatePolicies", conf_names.join(","))
-            end
-            #ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
-            #[certPolicies]
-            #CPS.1 = http://www.example.com/cps
-            #_end_of_cnf_
-
-            if options.has_key?(:san_names) and not options[:san_names].empty?
-                ext << ef.create_extension("subjectAltName", process_san_names(options[:san_names]))
-            end
-
-            if not @config.nil? and not @config.cdp_location.nil?
-                ext << ef.create_extension("crlDistributionPoints", @config.cdp_location)
-            end
-
-            if not @config.nil? and not @config.ocsp_location.nil? then
-            ext << ef.create_extension("authorityInfoAccess",
-                        "OCSP;" << @config.ocsp_location)
-            end
-            options[:subject_certificate].extensions = ext
-            nil
-        end
-
-        def calculate_not_before(not_before)
-            if not_before.nil?
-                #not_before will be set to 6 hours before now to prevent issues with bad system clocks (clients don't sync)
-                not_before = Time.now - 6 * 60 * 60
-            end
-            not_before
-        end
-
-        def calculate_not_after(not_after,not_before)
-            if not_after.nil?
-                not_after = not_before + 365 * 24 * 60 * 60
-            end
-            not_after
-        end
-
-    end
-end

data/lib/r509/messagedigest.rb

@@ -1,49 +0,0 @@
-require 'openssl'
-
-module R509
-    #MessageDigest allows you to specify MDs in a more friendly fashion
-    class MessageDigest
-        attr_reader :name, :digest
-
-        # @param [String,OpenSSL::Digest] arg
-        def initialize(arg)
-            if arg.kind_of?(String)
-                @name = arg.downcase
-                @digest = translate_name_to_digest
-            else
-                @digest = arg
-                @name = translate_digest_to_name
-            end
-        end
-
-        private
-
-        # @return [OpenSSL::Digest]
-        def translate_name_to_digest
-            case @name
-            when 'sha1' then OpenSSL::Digest::SHA1.new
-            when 'sha256' then OpenSSL::Digest::SHA256.new
-            when 'sha512' then OpenSSL::Digest::SHA512.new
-            when 'md5' then OpenSSL::Digest::MD5.new
-            when 'dss1' then OpenSSL::Digest::DSS1.new
-            else
-                @name = "sha1"
-                OpenSSL::Digest::SHA1.new
-            end
-        end
-
-        # @return [String]
-        def translate_digest_to_name
-            case @digest
-            when OpenSSL::Digest::SHA1 then 'sha1'
-            when OpenSSL::Digest::SHA256 then 'sha256'
-            when OpenSSL::Digest::SHA512 then 'sha512'
-            when OpenSSL::Digest::MD5 then 'md5'
-            when OpenSSL::Digest::DSS1 then 'dss1'
-            else
-                raise ArgumentError, "Unknown digest"
-            end
-        end
-    end
-end
-

data/lib/r509/oidmapper.rb

@@ -1,32 +0,0 @@
-require 'openssl'
-
-module R509
-    # Helps map raw OIDs to friendlier short names
-    class OidMapper
-        # Register an OID so we have a friendly short name
-        # @param [String] oid A string representation of the OID you want to map (e.g. "1.6.2.3.55")
-        # @param [String] short_name The short name (e.g. CN, O, OU, emailAddress)
-        # @param [String] long_name Optional long name. Defaults to the same as short_name
-        # @return [Boolean] success/failure
-        def self.register(oid,short_name,long_name=nil)
-            if long_name.nil?
-                long_name = short_name
-            end
-            OpenSSL::ASN1::ObjectId.register(oid, short_name, long_name)
-        end
-
-        # Register a batch of OIDs so we have friendly short names
-        # @param [Array] oids An array of hashes
-        # @example
-        #   R509::OidMapper.batch_register([
-        #       {:oid => "1.2.3.4.5", :short_name => "sName", :long_name => "lName"},
-        #       {:oid => "1.2.3.4.6", :short_name => "oName"}
-        #   ]
-        def self.batch_register(oids)
-            oids.each do |oid_hash|
-                self.register(oid_hash[:oid],oid_hash[:short_name],oid_hash[:long_name])
-            end
-            nil
-        end
-    end
-end

data/lib/r509/privatekey.rb

@@ -1,185 +0,0 @@
-require 'openssl'
-require 'r509/io_helpers'
-require 'r509/exceptions'
-
-module R509
-    #private key management
-    class PrivateKey
-        include R509::IOHelpers
-
-        # @option opts [Symbol] :type :rsa/:dsa
-        # @option opts [Integer] :bit_strength
-        # @option opts [String] :password
-        # @option opts [String,OpenSSL::PKey::RSA,OpenSSL::PKey::DSA] :key
-        # @option opts [OpenSSL::Engine] :engine
-        # @option opts [string] :key_name (used with engine)
-        def initialize(opts)
-            if not opts.kind_of?(Hash)
-                raise ArgumentError, 'Must provide a hash of options'
-            end
-
-            if opts.has_key?(:engine) and opts.has_key?(:key)
-                raise ArgumentError, 'You can\'t pass both :key and :engine'
-            elsif opts.has_key?(:key_name) and not opts.has_key?(:engine)
-                raise ArgumentError, 'When providing a :key_name you MUST provide an :engine'
-            elsif opts.has_key?(:engine) and not opts.has_key?(:key_name)
-                raise ArgumentError, 'When providing an :engine you MUST provide a :key_name'
-            elsif opts.has_key?(:engine) and opts.has_key?(:key_name)
-                if not opts[:engine].kind_of?(OpenSSL::Engine)
-                    raise ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine'
-                end
-                @engine = opts[:engine]
-                @key_name = opts[:key_name]
-            end
-
-            if opts.has_key?(:key)
-                password = opts[:password] || nil
-                #OpenSSL::PKey.read solves this begin/rescue garbage but is only
-                #available to Ruby 1.9.3+
-                begin
-                    @key = OpenSSL::PKey::RSA.new(opts[:key],password)
-                rescue OpenSSL::PKey::RSAError
-                    begin
-                        @key = OpenSSL::PKey::DSA.new(opts[:key],password)
-                    rescue
-                        raise R509::R509Error, "Failed to load private key. Invalid key or incorrect password."
-                    end
-                end
-            else
-                bit_strength = opts[:bit_strength] || 2048
-                type = opts[:type] || :rsa
-                case type
-                when :rsa
-                    @key = OpenSSL::PKey::RSA.new(bit_strength)
-                when :dsa
-                    @key = OpenSSL::PKey::DSA.new(bit_strength)
-                else
-                    raise ArgumentError, 'Must provide :rsa or :dsa as type when key or engine is nil'
-                end
-            end
-        end
-
-        # Helper method to quickly load a private key from the filesystem
-        #
-        # @param [String] filename Path to file you want to load
-        # @return [R509::PrivateKey] PrivateKey object
-        def self.load_from_file( filename, password = nil )
-          return R509::PrivateKey.new(:key => IOHelpers.read_data(filename), :password => password )
-        end
-
-
-        # @return [Integer]
-        def bit_strength
-            if self.rsa?
-                return self.public_key.n.num_bits
-            elsif self.dsa?
-                return self.public_key.p.num_bits
-            end
-        end
-
-        # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::Engine pkey] this method may return the PKey object itself or a handle to the private key in the HSM (which will not show the private key, just public)
-        def key
-            if in_hardware?
-                @engine.load_private_key(@key_name)
-            else
-                @key
-            end
-        end
-
-        # @return [Boolean] whether the key is resident in hardware or not
-        def in_hardware?
-            if not @engine.nil?
-                true
-            else
-                false
-            end
-        end
-
-        # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA] public key
-        def public_key
-            self.key.public_key
-        end
-
-        alias :to_s :public_key
-
-        # Converts the key into the PEM format
-        #
-        # @return [String] the key converted into PEM format.
-        def to_pem
-            if in_hardware?
-                raise R509::R509Error, "This method cannot be called when using keys in hardware"
-            end
-            self.key.to_pem
-        end
-
-        # Converts the key into encrypted PEM format
-        #
-        # @param [String,OpenSSL::Cipher] cipher to use for encryption
-        # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
-        # (common ones are des3, aes256, aes128)
-        # @param [String] password password
-        # @return [String] the key converted into encrypted PEM format.
-        def to_encrypted_pem(cipher,password)
-            if in_hardware?
-                raise R509::R509Error, "This method cannot be called when using keys in hardware"
-            end
-            cipher = OpenSSL::Cipher::Cipher.new(cipher)
-            self.key.to_pem(cipher,password)
-        end
-
-
-        # Converts the key into the DER format
-        #
-        # @return [String] the key converted into DER format.
-        def to_der
-            if in_hardware?
-                raise R509::R509Error, "This method cannot be called when using keys in hardware"
-            end
-            self.key.to_der
-        end
-
-        # Writes the key into the PEM format
-        #
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        def write_pem(filename_or_io)
-            write_data(filename_or_io, self.to_pem)
-        end
-
-
-        # Writes the key into encrypted PEM format with specified cipher
-        #
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        # @param [String,OpenSSL::Cipher] cipher to use for encryption
-        # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
-        # (common ones are des3, aes256, aes128)
-        # @param [String] password password
-        def write_encrypted_pem(filename_or_io,cipher,password)
-            write_data(filename_or_io, to_encrypted_pem(cipher,password))
-        end
-
-        # Writes the key into the DER format
-        #
-        # @param [String, #write] filename_or_io Either a string of the path for
-        #  the file that you'd like to write, or an IO-like object.
-        def write_der(filename_or_io)
-            write_data(filename_or_io, self.to_der)
-        end
-
-
-        # Returns whether the public key is RSA
-        #
-        # @return [Boolean] true if the public key is RSA, false otherwise
-        def rsa?
-            self.key.kind_of?(OpenSSL::PKey::RSA)
-        end
-
-        # Returns whether the public key is DSA
-        #
-        # @return [Boolean] true if the public key is DSA, false otherwise
-        def dsa?
-            self.key.kind_of?(OpenSSL::PKey::DSA)
-        end
-    end
-end