r509 0.8

data/lib/r509/oidmapper.rb

@@ -0,0 +1,32 @@
+require 'openssl'
+
+module R509
+    # Helps map raw OIDs to friendlier short names
+    class OidMapper
+        # Register an OID so we have a friendly short name
+        # @param [String] oid A string representation of the OID you want to map (e.g. "1.6.2.3.55")
+        # @param [String] short_name The short name (e.g. CN, O, OU, emailAddress)
+        # @param [String] long_name Optional long name. Defaults to the same as short_name
+        # @return [Boolean] success/failure
+        def self.register(oid,short_name,long_name=nil)
+            if long_name.nil?
+                long_name = short_name
+            end
+            OpenSSL::ASN1::ObjectId.register(oid, short_name, long_name)
+        end
+
+        # Register a batch of OIDs so we have friendly short names
+        # @param [Array] oids An array of hashes
+        # @example
+        #   R509::OidMapper.batch_register([
+        #       {:oid => "1.2.3.4.5", :short_name => "sName", :long_name => "lName"},
+        #       {:oid => "1.2.3.4.6", :short_name => "oName"}
+        #   ]
+        def self.batch_register(oids)
+            oids.each do |oid_hash|
+                self.register(oid_hash[:oid],oid_hash[:short_name],oid_hash[:long_name])
+            end
+            nil
+        end
+    end
+end

data/lib/r509/privatekey.rb

@@ -0,0 +1,185 @@
+require 'openssl'
+require 'r509/io_helpers'
+require 'r509/exceptions'
+
+module R509
+    #private key management
+    class PrivateKey
+        include R509::IOHelpers
+
+        # @option opts [Symbol] :type :rsa/:dsa
+        # @option opts [Integer] :bit_strength
+        # @option opts [String] :password
+        # @option opts [String,OpenSSL::PKey::RSA,OpenSSL::PKey::DSA] :key
+        # @option opts [OpenSSL::Engine] :engine
+        # @option opts [string] :key_name (used with engine)
+        def initialize(opts)
+            if not opts.kind_of?(Hash)
+                raise ArgumentError, 'Must provide a hash of options'
+            end
+
+            if opts.has_key?(:engine) and opts.has_key?(:key)
+                raise ArgumentError, 'You can\'t pass both :key and :engine'
+            elsif opts.has_key?(:key_name) and not opts.has_key?(:engine)
+                raise ArgumentError, 'When providing a :key_name you MUST provide an :engine'
+            elsif opts.has_key?(:engine) and not opts.has_key?(:key_name)
+                raise ArgumentError, 'When providing an :engine you MUST provide a :key_name'
+            elsif opts.has_key?(:engine) and opts.has_key?(:key_name)
+                if not opts[:engine].kind_of?(OpenSSL::Engine)
+                    raise ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine'
+                end
+                @engine = opts[:engine]
+                @key_name = opts[:key_name]
+            end
+
+            if opts.has_key?(:key)
+                password = opts[:password] || nil
+                #OpenSSL::PKey.read solves this begin/rescue garbage but is only
+                #available to Ruby 1.9.3+
+                begin
+                    @key = OpenSSL::PKey::RSA.new(opts[:key],password)
+                rescue OpenSSL::PKey::RSAError
+                    begin
+                        @key = OpenSSL::PKey::DSA.new(opts[:key],password)
+                    rescue
+                        raise R509::R509Error, "Failed to load private key. Invalid key or incorrect password."
+                    end
+                end
+            else
+                bit_strength = opts[:bit_strength] || 2048
+                type = opts[:type] || :rsa
+                case type
+                when :rsa
+                    @key = OpenSSL::PKey::RSA.new(bit_strength)
+                when :dsa
+                    @key = OpenSSL::PKey::DSA.new(bit_strength)
+                else
+                    raise ArgumentError, 'Must provide :rsa or :dsa as type when key or engine is nil'
+                end
+            end
+        end
+
+        # Helper method to quickly load a private key from the filesystem
+        #
+        # @param [String] filename Path to file you want to load
+        # @return [R509::PrivateKey] PrivateKey object
+        def self.load_from_file( filename, password = nil )
+          return R509::PrivateKey.new(:key => IOHelpers.read_data(filename), :password => password )
+        end
+
+
+        # @return [Integer]
+        def bit_strength
+            if self.rsa?
+                return self.public_key.n.num_bits
+            elsif self.dsa?
+                return self.public_key.p.num_bits
+            end
+        end
+
+        # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::Engine pkey] this method may return the PKey object itself or a handle to the private key in the HSM (which will not show the private key, just public)
+        def key
+            if in_hardware?
+                @engine.load_private_key(@key_name)
+            else
+                @key
+            end
+        end
+
+        # @return [Boolean] whether the key is resident in hardware or not
+        def in_hardware?
+            if not @engine.nil?
+                true
+            else
+                false
+            end
+        end
+
+        # @return [OpenSSL::PKey::RSA,OpenSSL::PKey::DSA] public key
+        def public_key
+            self.key.public_key
+        end
+
+        alias :to_s :public_key
+
+        # Converts the key into the PEM format
+        #
+        # @return [String] the key converted into PEM format.
+        def to_pem
+            if in_hardware?
+                raise R509::R509Error, "This method cannot be called when using keys in hardware"
+            end
+            self.key.to_pem
+        end
+
+        # Converts the key into encrypted PEM format
+        #
+        # @param [String,OpenSSL::Cipher] cipher to use for encryption
+        # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
+        # (common ones are des3, aes256, aes128)
+        # @param [String] password password
+        # @return [String] the key converted into encrypted PEM format.
+        def to_encrypted_pem(cipher,password)
+            if in_hardware?
+                raise R509::R509Error, "This method cannot be called when using keys in hardware"
+            end
+            cipher = OpenSSL::Cipher::Cipher.new(cipher)
+            self.key.to_pem(cipher,password)
+        end
+
+
+        # Converts the key into the DER format
+        #
+        # @return [String] the key converted into DER format.
+        def to_der
+            if in_hardware?
+                raise R509::R509Error, "This method cannot be called when using keys in hardware"
+            end
+            self.key.to_der
+        end
+
+        # Writes the key into the PEM format
+        #
+        # @param [String, #write] filename_or_io Either a string of the path for
+        #  the file that you'd like to write, or an IO-like object.
+        def write_pem(filename_or_io)
+            write_data(filename_or_io, self.to_pem)
+        end
+
+
+        # Writes the key into encrypted PEM format with specified cipher
+        #
+        # @param [String, #write] filename_or_io Either a string of the path for
+        #  the file that you'd like to write, or an IO-like object.
+        # @param [String,OpenSSL::Cipher] cipher to use for encryption
+        # full list of available ciphers can be obtained with OpenSSL::Cipher.ciphers
+        # (common ones are des3, aes256, aes128)
+        # @param [String] password password
+        def write_encrypted_pem(filename_or_io,cipher,password)
+            write_data(filename_or_io, to_encrypted_pem(cipher,password))
+        end
+
+        # Writes the key into the DER format
+        #
+        # @param [String, #write] filename_or_io Either a string of the path for
+        #  the file that you'd like to write, or an IO-like object.
+        def write_der(filename_or_io)
+            write_data(filename_or_io, self.to_der)
+        end
+
+
+        # Returns whether the public key is RSA
+        #
+        # @return [Boolean] true if the public key is RSA, false otherwise
+        def rsa?
+            self.key.kind_of?(OpenSSL::PKey::RSA)
+        end
+
+        # Returns whether the public key is DSA
+        #
+        # @return [Boolean] true if the public key is DSA, false otherwise
+        def dsa?
+            self.key.kind_of?(OpenSSL::PKey::DSA)
+        end
+    end
+end

data/lib/r509/spki.rb

@@ -0,0 +1,112 @@
+require 'openssl'
+require 'r509/exceptions'
+require 'r509/io_helpers'
+
+module R509
+    # class for handling SPKAC/SPKI requests (typically generated by the <keygen> tag
+    class Spki
+        include R509::IOHelpers
+
+        attr_reader :subject, :spki, :san_names
+        # @option opts [String,OpenSSL::Netscape::SPKI] :spki the spki you want to parse
+        # @option opts [R509::Subject,Array,OpenSSL::X509::Name] :subject array of subject items
+        # @example [['CN','langui.sh'],['ST','Illinois'],['L','Chicago'],['C','US'],['emailAddress','ca@langui.sh']]
+        # you can also pass OIDs (see tests)
+        # @option opts [Array] :san_names array of SAN names
+        def initialize(opts={})
+            if not opts.kind_of?(Hash)
+                raise ArgumentError, 'Must provide a hash of options'
+            end
+            if opts.has_key?(:spki) and not opts.has_key?(:subject)
+                raise ArgumentError, "Must provide both spki and subject"
+            end
+            if opts.has_key?(:san_names) and not opts[:san_names].kind_of?(Array)
+                raise ArgumentError, "if san_names are provided they must be in an Array"
+            end
+            @spki = OpenSSL::Netscape::SPKI.new(opts[:spki].sub("SPKAC=",""))
+            @subject = R509::Subject.new(opts[:subject])
+            @san_names = opts[:san_names] || []
+        end
+
+        # @return [OpenSSL::PKey::RSA] public key
+        def public_key
+            @spki.public_key
+        end
+
+        # Converts the SPKI into the PEM format
+        #
+        # @return [String] the SPKI converted into PEM format.
+        def to_pem
+            @spki.to_pem
+        end
+
+        alias :to_s :to_pem
+
+        # Converts the SPKI into the DER format
+        #
+        # @return [String] the SPKI converted into DER format.
+        def to_der
+            @spki.to_der
+        end
+
+        # Writes the SPKI into the PEM format
+        #
+        # @param [String, #write] filename_or_io Either a string of the path for
+        #  the file that you'd like to write, or an IO-like object.
+        def write_pem(filename_or_io)
+            write_data(filename_or_io, @spki.to_pem)
+        end
+
+        # Writes the SPKI into the DER format
+        #
+        # @param [String, #write] filename_or_io Either a string of the path for
+        #  the file that you'd like to write, or an IO-like object.
+        def write_der(filename_or_io)
+            write_data(filename_or_io, @spki.to_der)
+        end
+
+        # Returns whether the public key is RSA
+        #
+        # @return [Boolean] true if the public key is RSA, false otherwise
+        def rsa?
+            @spki.public_key.kind_of?(OpenSSL::PKey::RSA)
+        end
+
+        # Returns whether the public key is DSA
+        #
+        # @return [Boolean] true if the public key is DSA, false otherwise
+        def dsa?
+            @spki.public_key.kind_of?(OpenSSL::PKey::DSA)
+        end
+
+        # Returns the bit strength of the key used to create the SPKI
+        # @return [Integer] the integer bit strength.
+        def bit_strength
+            if self.rsa?
+                return @spki.public_key.n.num_bits
+            elsif self.dsa?
+                return @spki.public_key.p.num_bits
+            end
+        end
+
+        # Returns key algorithm (RSA/DSA)
+        #
+        # @return [String] value of the key algorithm. RSA or DSA
+        def key_algorithm
+            if @spki.public_key.kind_of? OpenSSL::PKey::RSA then
+                'RSA'
+            elsif @spki.public_key.kind_of? OpenSSL::PKey::DSA then
+                'DSA'
+            end
+        end
+
+        # Returns a hash structure you can pass to the Ca
+        # You will want to call this method if you intend to alter the values
+        # and then pass them to the Ca class.
+        #
+        # @return [Hash] :subject and :san_names you can pass to Ca
+        def to_hash
+            { :subject => @subject.dup , :san_names => @san_names.dup }
+        end
+    end
+end

data/lib/r509/subject.rb

@@ -0,0 +1,133 @@
+require "openssl"
+
+module R509
+    #subject class. Used for building OpenSSL::X509::Name objects in a sane fashion
+    class Subject
+        # @param [Array, OpenSSL::X509::Name, R509::Subject] arg
+        def initialize(arg=nil)
+            case arg
+            when Array
+                @array = arg
+            when OpenSSL::X509::Name
+                sanitizer = R509::NameSanitizer.new
+                @array = sanitizer.sanitize(arg)
+            when R509::Subject
+                @array = arg.to_a
+            else
+                @array = []
+            end
+
+            # see if X509 thinks this is okay
+            name
+        end
+
+        # @return [OpenSSL::X509::Name]
+        def name
+            OpenSSL::X509::Name.new(@array)
+        end
+
+        # @return [Boolean]
+        def empty?
+            @array.empty?
+        end
+
+        # get value for key
+        def [](key)
+            @array.each do |item|
+                if key == item[0]
+                    return item[1]
+                end
+            end
+            return nil
+        end
+
+        # set key and value
+        def []=(key, value)
+            added = false
+            @array = @array.map{ |item|
+                if key == item[0]
+                    added = true
+                    [key, value]
+                else
+                    item
+                end
+            }
+
+            if not added
+                @array << [key, value]
+            end
+
+            # see if X509 thinks this is okay
+            name
+
+            @array
+        end
+
+        # @param [String] key item you want deleted
+        def delete(key)
+            @array = @array.select do |item|
+                item[0] != key
+            end
+        end
+
+        # @return [String] string of form /CN=something.com/O=whatever/L=Locality
+        def to_s
+            name.to_s
+        end
+
+        # @return [Array] Array of form [['CN','langui.sh'],['O','Org']]
+        def to_a
+            @array
+        end
+    end
+
+    # Sanitize an X509::Name. The #to_a method replaces unknown OIDs with "UNDEF", but the #to_s
+    # method doesn't. What we want to do is build the array that would have been produced by #to_a
+    # if it didn't throw away the OID.
+    class NameSanitizer
+        # @option name [OpenSSL::X509::Name]
+        # @return [Array] array of the form [["OID", "VALUE], ["OID", "VALUE"]] with "UNDEF" replaced by the actual OID
+        def sanitize(name)
+            line = name.to_s
+            array = name.to_a.dup
+            used_oids = []
+            undefined_components(array).each do |component|
+                begin
+                    # get the OID from the subject line that has this value
+                    oids = line.scan(/\/([\d\.]+)=#{component[:value]}/).flatten
+                    if oids.size == 1
+                        oid = oids.first
+                    else
+                        oid = oids.select{ |match| not used_oids.include?(match) }.first
+                    end
+                    # replace the "UNDEF" OID name in the array at the index the UNDEF was found
+                    array[component[:index]][0] = oid
+                    # remove the first occurrence of this in the subject line (so we can handle the same oid/value pair multiple times)
+                    line = line.sub("/#{oid}=#{component[:value]}", "")
+                    # we record which OIDs we've used in case two different unknown OIDs have the same value
+                    used_oids << oid
+                rescue
+                    # I don't expect this to happen, but if it does we'll just not replace UNDEF and continue
+                end
+            end
+            array
+        end
+
+        private
+
+        # get the components from #to_a that are UNDEF
+        # @option array [Array<OpenSSL::X509::Name>]
+        # @return [Hash]
+        # @example
+        #   Return value looks like
+        #   { :index => the index in the original array where we found an UNDEF, :value => the subject component value }
+        def undefined_components(array)
+            components = []
+            array.each_index do |index|
+                components << { :index => index, :value => array[index][1] } if array[index][0] == "UNDEF"
+            end
+            components
+        end
+    end
+
+end