r509 0.8

data/lib/r509/cert/extensions.rb

@@ -0,0 +1,309 @@
+require 'openssl'
+require 'set'
+
+module R509
+  class Cert
+    module Extensions
+
+      private
+      # Regexes for OpenSSL's parsed values
+      DNS_REGEX = /DNS:([^,\n]+)/
+      IP_ADDRESS_REGEX = /IP:([^,\n]+)/
+      URI_REGEX = /URI:([^,\n]+)/
+
+      R509_EXTENSION_CLASSES = Set.new
+
+      # Registers a class as being an R509 certificate extension class. Registered
+      # classes are used by #wrap_openssl_extensions to wrap OpenSSL extensions
+      # in R509 extensions, based on the OID.
+      def self.register_class( r509_ext_class )
+        raise ArgumentError.new("R509 certificate extensions must have an OID") if r509_ext_class::OID.nil?
+        R509_EXTENSION_CLASSES << r509_ext_class
+      end
+
+      public
+      # Implements the BasicConstraints certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class BasicConstraints < OpenSSL::X509::Extension
+        OID = "basicConstraints"
+        Extensions.register_class(self)
+
+        attr_reader :path_length
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @is_ca = ! ( self.value =~ /CA:TRUE/ ).nil?
+          pathlen_match = self.value.match( /pathlen:(\d+)/ )
+          @path_length = pathlen_match[1].to_i unless pathlen_match.nil?
+        end
+
+        def is_ca?()
+          return @is_ca == true
+        end
+
+        # Returns true if the path length allows this certificate to be used to
+        # sign CA certificates.
+        def allows_sub_ca?()
+          return false if @path_length.nil?
+          return @path_length > 0
+        end
+      end
+
+      # Implements the KeyUsage certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class KeyUsage < OpenSSL::X509::Extension
+        OID = "keyUsage"
+        Extensions.register_class(self)
+
+        # The OpenSSL friendly name for the "digitalSignature" key use.
+        AU_DIGITAL_SIGNATURE = "Digital Signature"
+        # The OpenSSL friendly name for the "nonRepudiation" key use.
+        AU_NON_REPUDIATION = "Non Repudiation"
+        # The OpenSSL friendly name for the "keyEncipherment" key use.
+        AU_KEY_ENCIPHERMENT = "Key Encipherment"
+        # The OpenSSL friendly name for the "dataEncipherment" key use.
+        AU_DATA_ENCIPHERMENT = "Data Encipherment"
+        # The OpenSSL friendly name for the "keyAgreement" key use.
+        AU_KEY_AGREEMENT = "Key Agreement"
+        # The OpenSSL friendly name for the "keyCertSign" key use.
+        AU_CERTIFICATE_SIGN = "Certificate Sign"
+        # The OpenSSL friendly name for the "cRLSign" key use.
+        AU_CRL_SIGN = "CRL Sign"
+        # The OpenSSL friendly name for the "encipherOnly" key use.
+        AU_ENCIPHER_ONLY = "Encipher Only"
+        # The OpenSSL friendly name for the "decipherOnly" key use.
+        AU_DECIPHER_ONLY = "Decipher Only"
+
+        # An array of the key uses allowed. See the AU_* constants in this class.
+        attr_reader :allowed_uses
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @allowed_uses = self.value.split(",").map {|use| use.strip}
+        end
+
+        # Returns true if the given use is allowed by this extension.
+        # @param [string] friendly_use_name One of the AU_* constants in this class.
+        def allows?( friendly_use_name )
+          @allowed_uses.include?( friendly_use_name )
+        end
+
+        def digital_signature?
+          allows?( AU_DIGITAL_SIGNATURE )
+        end
+
+        def non_repudiation?
+          allows?( AU_NON_REPUDIATION )
+        end
+
+        def key_encipherment?
+          allows?( AU_KEY_ENCIPHERMENT )
+        end
+
+        def data_encipherment?
+          allows?( AU_DATA_ENCIPHERMENT )
+        end
+
+        def key_agreement?
+          allows?( AU_KEY_AGREEMENT )
+        end
+
+        def certificate_sign?
+          allows?( AU_CERTIFICATE_SIGN )
+        end
+
+        def crl_sign?
+          allows?( AU_CRL_SIGN )
+        end
+
+        def encipher_only?
+          allows?( AU_ENCIPHER_ONLY )
+        end
+
+        def decipher_only?
+          allows?( AU_DECIPHER_ONLY )
+        end
+      end
+
+      # Implements the ExtendedKeyUsage certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class ExtendedKeyUsage < OpenSSL::X509::Extension
+        OID = "extendedKeyUsage"
+        Extensions.register_class(self)
+
+        # The OpenSSL friendly name for the "serverAuth" extended key use.
+        AU_WEB_SERVER_AUTH = "TLS Web Server Authentication"
+        # The OpenSSL friendly name for the "clientAuth" extended key use.
+        AU_WEB_CLIENT_AUTH = "TLS Web Client Authentication"
+        # The OpenSSL friendly name for the "codeSigning" extended key use.
+        AU_CODE_SIGNING = "Code Signing"
+        # The OpenSSL friendly name for the "emailProtection" extended key use.
+        AU_EMAIL_PROTECTION = "E-mail Protection"
+
+        # An array of the key uses allowed. See the AU_* constants in this class.
+        attr_reader :allowed_uses
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @allowed_uses = self.value.split(",").map {|use| use.strip}
+        end
+
+        # Returns true if the given use is allowed by this extension.
+        # @param [string] friendly_use_name One of the AU_* constants in this class.
+        def allows?( friendly_use_name )
+          @allowed_uses.include?( friendly_use_name )
+        end
+
+        def web_server_authentication?
+          allows?( AU_WEB_SERVER_AUTH )
+        end
+
+        def web_client_authentication?
+          allows?( AU_WEB_CLIENT_AUTH )
+        end
+
+        def code_signing?
+          allows?( AU_CODE_SIGNING )
+        end
+
+        def email_protection?
+          allows?( AU_EMAIL_PROTECTION )
+        end
+
+        # ...
+      end
+
+      # Implements the SubjectKeyIdentifier certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class SubjectKeyIdentifier < OpenSSL::X509::Extension
+        OID = "subjectKeyIdentifier"
+        Extensions.register_class(self)
+
+        def key()
+          return self.value
+        end
+      end
+
+      # Implements the AuthorityKeyIdentifier certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class AuthorityKeyIdentifier < OpenSSL::X509::Extension
+        OID = "authorityKeyIdentifier"
+        Extensions.register_class(self)
+
+      end
+
+      # Implements the SubjectAlternativeName certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class SubjectAlternativeName < OpenSSL::X509::Extension
+        OID = "subjectAltName"
+        Extensions.register_class(self)
+
+        # An array of the DNS alternative names, if any
+        attr_reader :dns_names
+        # An array of the IP-address alternative names, if any
+        attr_reader :ip_addresses
+        # An array of the URI alternative names, if any
+        attr_reader :uris
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @dns_names = self.value.scan( DNS_REGEX ).map { |match| match[0] }
+          @ip_addresses = self.value.scan( IP_ADDRESS_REGEX ).map { |match| match[0] }
+          @uris = self.value.scan( URI_REGEX ).map { |match| match[0] }
+        end
+      end
+
+      # Implements the AuthorityInfoAccess certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class AuthorityInfoAccess < OpenSSL::X509::Extension
+        OID = "authorityInfoAccess"
+        Extensions.register_class(self)
+
+        # An array of the OCSP URIs, if any
+        attr_reader :ocsp_uris
+        # An array of the CA issuers URIs, if any
+        attr_reader :ca_issuers_uris
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @ocsp_uris = self.value.scan( /OCSP - #{URI_REGEX}/ ).map { |match| match[0] }
+          @ca_issuers_uris = self.value.scan( /CA Issuers - #{URI_REGEX}/ ).map { |match| match[0] }
+        end
+      end
+
+      # Implements the CrlDistributionPoints certificate extension, with methods to
+      # provide access to the components and meaning of the extension's contents.
+      class CrlDistributionPoints < OpenSSL::X509::Extension
+        OID = "crlDistributionPoints"
+        Extensions.register_class(self)
+
+        # An array of the CRL URIs, if any
+        attr_reader :crl_uris
+
+        # See OpenSSL::X509::Extension#initialize
+        def initialize(*args)
+          super(*args)
+
+          @crl_uris = self.value.scan( URI_REGEX ).map { |match| match[0] }
+        end
+      end
+
+
+      #
+      # Helper class methods
+      #
+
+      # Takes OpenSSL::X509::Extension objects and wraps each in the appropriate
+      # R509::Cert::Extensions object, and returns them in a hash. The hash is
+      # keyed with the R509 extension class. Extensions without an R509
+      # implementation are ignored (see #get_unknown_extensions).
+      def self.wrap_openssl_extensions( extensions )
+        r509_extensions = {}
+        extensions.each do |openssl_extension|
+          R509_EXTENSION_CLASSES.each do |r509_class|
+            if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
+              if r509_extensions.has_key?(r509_class)
+                raise ArgumentError.new("Only one extension object allowed per OID")
+              end
+              
+              r509_extensions[r509_class] = r509_class.new( openssl_extension )
+              break
+            end
+          end
+        end
+
+        return r509_extensions
+      end
+
+      # Given a list of OpenSSL::X509::Extension objects, returns those without
+      # an R509 implementation.
+      def self.get_unknown_extensions( extensions )
+        unknown_extensions = []
+        extensions.each do |openssl_extension|
+          match_found = false
+          R509_EXTENSION_CLASSES.each do |r509_class|
+            if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
+              match_found = true
+              break
+            end
+          end
+          # if we make it this far (without breaking), we didn't match
+          unknown_extensions << openssl_extension unless match_found
+        end
+
+        return unknown_extensions
+      end
+    end
+  end
+end
+

data/lib/r509/certificateauthority.rb

@@ -0,0 +1,290 @@
+require 'openssl'
+require 'r509/config'
+require 'r509/cert'
+require 'r509/exceptions'
+
+# CertificateAuthority related classes
+module R509::CertificateAuthority
+    # Contains the certification authority signing operation methods
+    class Signer
+        # @param [R509::Config] config
+        def initialize(config=nil)
+            @config = config
+
+            if not @config.nil? and not @config.kind_of?(R509::Config::CaConfig)
+                raise R509::R509Error, "config must be a kind of R509::Config::CaConfig or nil (for self-sign only)"
+            end
+            if not @config.nil? and not @config.ca_cert.has_private_key?
+                raise R509::R509Error, "You must have a private key associated with your CA certificate to issue"
+            end
+        end
+
+        # Signs a CSR
+        # @option options :csr [R509::Csr]
+        # @option options :spki [R509::Spki]
+        # @option options :profile_name [String] The CA profile you want to use (eg "server in your config)
+        # @option options :data_hash [Hash] a hash containing the subject and SAN names you want encoded for this cert. Generate by calling Csr#to_hash or Spki#to_hash
+        # @option options :message_digest [String] the message digest to use for this certificate instead of the config's default
+        # @option options :serial [String] the serial number you want to issue the certificate with
+        # @option options :not_before [Time] the notBefore for the certificate
+        # @option options :not_after [Time] the notAfter for the certificate
+        # @return [R509::Cert] the signed cert object
+        def sign(options)
+            if @config.nil?
+                raise R509::R509Error, "When instantiating the signer without a config you can only call #selfsign"
+            elsif @config.num_profiles == 0
+                raise R509::R509Error, "You must have at least one CaProfile on your CaConfig to issue"
+            end
+
+            if options.has_key?(:csr) and options.has_key?(:spki)
+                raise ArgumentError, "You can't pass both :csr and :spki"
+            elsif not options.has_key?(:csr) and not options.has_key?(:spki)
+                raise ArgumentError, "You must supply either :csr or :spki"
+            elsif options.has_key?(:csr)
+                if not options[:csr].kind_of?(R509::Csr)
+                    raise ArgumentError, "You must pass an R509::Csr object for :csr"
+                else
+                    signable_object = options[:csr]
+                end
+            elsif not options.has_key?(:csr) and options.has_key?(:spki)
+                if not options[:spki].kind_of?(R509::Spki)
+                    raise ArgumentError, "You must pass an R509::Spki object for :spki"
+                else
+                    signable_object = options[:spki]
+                end
+            end
+
+            if options.has_key?(:data_hash)
+                san_names = options[:data_hash][:san_names]
+                subject = options[:data_hash][:subject]
+            else
+                san_names = signable_object.to_hash[:san_names]
+                subject = signable_object.to_hash[:subject]
+            end
+
+
+
+            if options.has_key?(:csr) and not options[:csr].verify_signature
+                raise R509::R509Error, "Certificate request signature is invalid."
+            end
+
+            #handle DSA here
+            if options.has_key?(:message_digest)
+                message_digest = R509::MessageDigest.new(options[:message_digest])
+            else
+                message_digest = R509::MessageDigest.new(@config.message_digest)
+            end
+
+            profile = @config.profile(options[:profile_name])
+
+            validated_subject = validate_subject(subject,profile)
+
+            cert = build_cert(
+                :subject => validated_subject.name,
+                :issuer => @config.ca_cert.subject,
+                :not_before => options[:not_before],
+                :not_after => options[:not_after],
+                :public_key => signable_object.public_key,
+                :serial => options[:serial]
+            )
+
+            basic_constraints = profile.basic_constraints
+            key_usage = profile.key_usage
+            extended_key_usage = profile.extended_key_usage
+            certificate_policies = profile.certificate_policies
+
+            build_extensions(
+                :subject_certificate => cert,
+                :issuer_certificate => @config.ca_cert.cert,
+                :basic_constraints => basic_constraints,
+                :key_usage => key_usage,
+                :extended_key_usage => extended_key_usage,
+                :certificate_policies => certificate_policies,
+                :san_names => san_names
+            )
+
+
+            #@config.ca_cert.key.key ... ugly. ca_cert returns R509::Cert
+            # #key returns R509::PrivateKey and #key on that returns OpenSSL object we need
+            cert.sign( @config.ca_cert.key.key, message_digest.digest )
+            R509::Cert.new(:cert => cert)
+        end
+
+        # Self-signs a CSR
+        # @option options :csr [R509::Csr]
+        # @option options :message_digest [String] the message digest to use for this certificate (defaults to sha1)
+        # @option options :serial [String] the serial number you want to issue the certificate with (defaults to random)
+        # @option options :not_before [Time] the notBefore for the certificate (defaults to now)
+        # @option options :not_after [Time] the notAfter for the certificate (defaults to 1 year)
+        # @option options :san_names [Array] Optional array of subject alternative names
+        # @return [R509::Cert] the signed cert object
+        def selfsign(options)
+            if not options.kind_of?(Hash)
+                raise ArgumentError, "You must pass a hash of options consisting of at minimum :csr"
+            end
+            csr = options[:csr]
+            if csr.key.nil?
+                raise ArgumentError, 'CSR must also have a private key to self sign'
+            end
+            cert = build_cert(
+                :subject => csr.subject.name,
+                :issuer => csr.subject.name,
+                :not_before => options[:not_before],
+                :not_after => options[:not_after],
+                :public_key => csr.public_key,
+                :serial => options[:serial]
+            )
+
+            if options.has_key?(:san_names)
+                san_names = options[:san_names]
+            else
+                san_names = csr.san_names
+            end
+
+            build_extensions(
+                :subject_certificate => cert,
+                :issuer_certificate => cert,
+                :basic_constraints => "CA:TRUE",
+                :san_names => san_names
+            )
+
+
+            if options.has_key?(:message_digest)
+                message_digest = R509::MessageDigest.new(options[:message_digest])
+            else
+                message_digest = R509::MessageDigest.new('sha1')
+            end
+
+            # Csr#key returns R509::PrivateKey and #key on that returns OpenSSL object we need
+            cert.sign( csr.key.key, message_digest.digest )
+            R509::Cert.new(:cert => cert)
+        end
+
+        private
+
+        def process_san_names(domains)
+            domains.map { |domain| 'DNS: '+domain }.join(",")
+        end
+
+        def build_conf(section,data)
+            conf = ["[#{section}]"]
+            conf.concat data
+            conf.join "\n"
+        end
+
+        def validate_subject(subject,profile)
+            if profile.subject_item_policy.nil? then
+                subject
+            else
+                profile.subject_item_policy.validate_subject(subject)
+            end
+        end
+
+        def build_cert(options)
+
+            cert = OpenSSL::X509::Certificate.new
+
+            cert.subject = options[:subject]
+            cert.issuer = options[:issuer]
+            cert.not_before = calculate_not_before(options[:not_before])
+            cert.not_after = calculate_not_after(options[:not_after],cert.not_before)
+            cert.public_key = options[:public_key]
+            cert.serial = create_serial(options[:serial])
+            cert.version = 2 #2 means v3
+            cert
+        end
+
+        def create_serial(serial)
+            if not serial.nil?
+                serial = OpenSSL::BN.new(serial.to_s)
+            else
+                # generate random serial in accordance with best practices
+                # guidelines state 20-bits of entropy, but we can cram more in
+                # per rfc5280 conforming CAs can make the serial field up to 20 octets
+                # to prevent even the incredibly remote possibility of collision we'll
+                # concatenate current time (to the microsecond) with a random num
+                rand = OpenSSL::BN.rand(96,0) # 96 bits is 12 bytes (octets).
+                serial = OpenSSL::BN.new((Time.now.to_f*1000000).to_i.to_s + rand.to_s)
+                # since second param is 0 the most significant bit must always be 1
+                # this theoretically gives us 95 bits of entropy + microtime, which
+                # adds a non-zero quantity of entropy. depending upon how predictable
+                # your issuance is, this could range from a reasonably large quantity
+                # of entropy to very little
+            end
+            serial
+        end
+
+        def build_extensions(options)
+            ef = OpenSSL::X509::ExtensionFactory.new
+
+            ef.subject_certificate = options[:subject_certificate]
+
+            ef.issuer_certificate = options[:issuer_certificate]
+
+            ext = []
+            if not options[:basic_constraints].nil?
+                ext << ef.create_extension("basicConstraints", options[:basic_constraints], true)
+            end
+            if options.has_key?(:key_usage) and not options[:key_usage].empty?
+                ext << ef.create_extension("keyUsage", options[:key_usage].join(","))
+            end
+            if options.has_key?(:extended_key_usage) and not options[:extended_key_usage].empty?
+                ext << ef.create_extension("extendedKeyUsage", options[:extended_key_usage].join(","))
+            end
+            ext << ef.create_extension("subjectKeyIdentifier", "hash")
+
+            #attach the key identifier if it's not a self-sign
+            if not ef.subject_certificate == ef.issuer_certificate and R509::Cert.new(:cert=>options[:issuer_certificate]).extensions['subjectKeyIdentifier']
+                ext << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+            end
+
+            if not options[:certificate_policies].nil? and not options[:certificate_policies].empty?
+                conf = []
+                conf_names = []
+                i = 0
+                options[:certificate_policies].each do |policy|
+                    conf << build_conf("certPolicies#{i}",policy)
+                    conf_names << "@certPolicies#{i}"
+                    i+=1
+                end
+                ef.config = OpenSSL::Config.parse(conf.join("\n"))
+                ext << ef.create_extension("certificatePolicies", conf_names.join(","))
+            end
+            #ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
+            #[certPolicies]
+            #CPS.1 = http://www.example.com/cps
+            #_end_of_cnf_
+
+            if options.has_key?(:san_names) and not options[:san_names].empty?
+                ext << ef.create_extension("subjectAltName", process_san_names(options[:san_names]))
+            end
+
+            if not @config.nil? and not @config.cdp_location.nil?
+                ext << ef.create_extension("crlDistributionPoints", @config.cdp_location)
+            end
+
+            if not @config.nil? and not @config.ocsp_location.nil? then
+            ext << ef.create_extension("authorityInfoAccess",
+                        "OCSP;" << @config.ocsp_location)
+            end
+            options[:subject_certificate].extensions = ext
+            nil
+        end
+
+        def calculate_not_before(not_before)
+            if not_before.nil?
+                #not_before will be set to 6 hours before now to prevent issues with bad system clocks (clients don't sync)
+                not_before = Time.now - 6 * 60 * 60
+            end
+            not_before
+        end
+
+        def calculate_not_after(not_after,not_before)
+            if not_after.nil?
+                not_after = not_before + 365 * 24 * 60 * 60
+            end
+            not_after
+        end
+
+    end
+end