r509 0.9.2 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
data/lib/r509/cert.rb
CHANGED
@@ -1,12 +1,14 @@
|
|
1
1
|
require 'openssl'
|
2
2
|
require 'r509/exceptions'
|
3
3
|
require 'r509/io_helpers'
|
4
|
+
require 'r509/helpers'
|
4
5
|
require 'r509/cert/extensions'
|
5
6
|
|
6
7
|
module R509
|
7
8
|
# The primary certificate object.
|
8
9
|
class Cert
|
9
10
|
include R509::IOHelpers
|
11
|
+
include R509::Helpers
|
10
12
|
|
11
13
|
attr_reader :cert, :key, :subject, :issuer
|
12
14
|
|
@@ -23,7 +25,7 @@ module R509
|
|
23
25
|
elsif opts.has_key?(:pkcs12)
|
24
26
|
pkcs12 = OpenSSL::PKCS12.new( opts[:pkcs12], opts[:password] )
|
25
27
|
parse_certificate(pkcs12.certificate)
|
26
|
-
|
28
|
+
parse_private_key(pkcs12.key)
|
27
29
|
elsif not opts.has_key?(:cert)
|
28
30
|
raise ArgumentError, 'Must provide :cert or :pkcs12'
|
29
31
|
else
|
@@ -32,13 +34,8 @@ module R509
|
|
32
34
|
end
|
33
35
|
|
34
36
|
if opts.has_key?(:key)
|
35
|
-
|
36
|
-
key = opts[:key]
|
37
|
-
else
|
38
|
-
key = R509::PrivateKey.new( :key => opts[:key], :password => opts[:password] )
|
39
|
-
end
|
37
|
+
parse_private_key(opts[:key], opts[:password])
|
40
38
|
end
|
41
|
-
associate_private_key(key)
|
42
39
|
end
|
43
40
|
|
44
41
|
# Helper method to quickly load a cert from the filesystem
|
@@ -49,27 +46,8 @@ module R509
|
|
49
46
|
return R509::Cert.new(:cert => IOHelpers.read_data(filename) )
|
50
47
|
end
|
51
48
|
|
52
|
-
|
53
|
-
# Converts the Cert into the PEM format
|
54
|
-
#
|
55
|
-
# @return [String] the Cert converted into PEM format.
|
56
|
-
def to_pem
|
57
|
-
if @cert.kind_of?(OpenSSL::X509::Certificate)
|
58
|
-
return @cert.to_pem.chomp
|
59
|
-
end
|
60
|
-
end
|
61
|
-
|
62
49
|
alias :to_s :to_pem
|
63
50
|
|
64
|
-
# Converts the Cert into the DER format
|
65
|
-
#
|
66
|
-
# @return [String] the Cert converted into DER format.
|
67
|
-
def to_der
|
68
|
-
if @cert.kind_of?(OpenSSL::X509::Certificate)
|
69
|
-
return @cert.to_der
|
70
|
-
end
|
71
|
-
end
|
72
|
-
|
73
51
|
# Returns beginning (notBefore) of certificate validity period
|
74
52
|
#
|
75
53
|
# @return [Time] time object
|
@@ -161,52 +139,6 @@ module R509
|
|
161
139
|
return ret.sort.uniq
|
162
140
|
end
|
163
141
|
|
164
|
-
# Returns whether the public key is RSA
|
165
|
-
#
|
166
|
-
# @return [Boolean] true if the public key is RSA, false otherwise
|
167
|
-
def rsa?
|
168
|
-
@cert.public_key.kind_of?(OpenSSL::PKey::RSA)
|
169
|
-
end
|
170
|
-
|
171
|
-
# Returns whether the public key is DSA
|
172
|
-
#
|
173
|
-
# @return [Boolean] true if the public key is DSA, false otherwise
|
174
|
-
def dsa?
|
175
|
-
@cert.public_key.kind_of?(OpenSSL::PKey::DSA)
|
176
|
-
end
|
177
|
-
|
178
|
-
# Returns whether the public key is EC
|
179
|
-
#
|
180
|
-
# @return [Boolean] true if the public key is EC, false otherwise
|
181
|
-
def ec?
|
182
|
-
@cert.public_key.kind_of?(OpenSSL::PKey::EC)
|
183
|
-
end
|
184
|
-
|
185
|
-
# Returns the bit strength of the key used to create the certificate
|
186
|
-
#
|
187
|
-
# @return [Integer] integer value of bit strength
|
188
|
-
def bit_strength
|
189
|
-
if self.rsa?
|
190
|
-
return @cert.public_key.n.num_bits
|
191
|
-
elsif self.dsa?
|
192
|
-
return @cert.public_key.p.num_bits
|
193
|
-
elsif self.ec?
|
194
|
-
raise R509::R509Error, 'Bit strength is not available for EC at this time.'
|
195
|
-
end
|
196
|
-
end
|
197
|
-
|
198
|
-
# Returns the short name of the elliptic curve used to generate the public key
|
199
|
-
# if the key is EC. If not, raises an error.
|
200
|
-
#
|
201
|
-
# @return [String] elliptic curve name
|
202
|
-
def curve_name
|
203
|
-
if self.ec?
|
204
|
-
@cert.public_key.group.curve_name
|
205
|
-
else
|
206
|
-
raise R509::R509Error, 'Curve name is only available with EC certs'
|
207
|
-
end
|
208
|
-
end
|
209
|
-
|
210
142
|
# Returns signature algorithm
|
211
143
|
#
|
212
144
|
# @return [String] value of the signature algorithm. E.g. sha1WithRSAEncryption, sha256WithRSAEncryption, md5WithRSAEncryption, et cetera
|
@@ -214,33 +146,6 @@ module R509
|
|
214
146
|
@cert.signature_algorithm
|
215
147
|
end
|
216
148
|
|
217
|
-
# Returns key algorithm (RSA, DSA, EC)
|
218
|
-
#
|
219
|
-
# @return [Symbol] value of the key algorithm. :rsa, :dsa, :ec
|
220
|
-
def key_algorithm
|
221
|
-
if self.rsa?
|
222
|
-
:rsa
|
223
|
-
elsif self.dsa?
|
224
|
-
:dsa
|
225
|
-
elsif self.ec?
|
226
|
-
:ec
|
227
|
-
end
|
228
|
-
end
|
229
|
-
|
230
|
-
# Writes the Cert into the PEM format
|
231
|
-
# @param [String, #write] filename_or_io Either a string of the path for
|
232
|
-
# the file that you'd like to write, or an IO-like object.
|
233
|
-
def write_pem(filename_or_io)
|
234
|
-
write_data(filename_or_io, @cert.to_pem)
|
235
|
-
end
|
236
|
-
|
237
|
-
# Writes the Cert into the DER format
|
238
|
-
# @param [String, #write] filename_or_io Either a string of the path for
|
239
|
-
# the file that you'd like to write, or an IO-like object.
|
240
|
-
def write_der(filename_or_io)
|
241
|
-
write_data(filename_or_io, @cert.to_der)
|
242
|
-
end
|
243
|
-
|
244
149
|
# Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3)
|
245
150
|
# @param [String, #write] filename_or_io Either a string of the path for
|
246
151
|
# the file that you'd like to write, or an IO-like object.
|
@@ -405,7 +310,7 @@ module R509
|
|
405
310
|
# parse a CSR as a certificate. All for Sean
|
406
311
|
def csr_check(cert)
|
407
312
|
begin
|
408
|
-
|
313
|
+
OpenSSL::X509::Request.new cert
|
409
314
|
raise ArgumentError, 'Cert provided is actually a certificate signing request.'
|
410
315
|
rescue OpenSSL::X509::RequestError
|
411
316
|
# do nothing, it shouldn't be a CSR anyway!
|
@@ -418,13 +323,19 @@ module R509
|
|
418
323
|
@issuer = R509::Subject.new(@cert.issuer)
|
419
324
|
end
|
420
325
|
|
421
|
-
def
|
422
|
-
if not key.
|
423
|
-
|
424
|
-
|
425
|
-
|
426
|
-
|
326
|
+
def parse_private_key(key, password=nil)
|
327
|
+
if not key.kind_of?(R509::PrivateKey)
|
328
|
+
key = R509::PrivateKey.new( :key => key, :password => password )
|
329
|
+
end
|
330
|
+
if not @cert.public_key.to_der == key.public_key.to_der
|
331
|
+
raise R509Error, 'Key does not match cert.'
|
427
332
|
end
|
333
|
+
@key = key
|
334
|
+
end
|
335
|
+
|
336
|
+
# Returns the proper instance variable
|
337
|
+
def internal_obj
|
338
|
+
@cert
|
428
339
|
end
|
429
340
|
|
430
341
|
end
|
data/lib/r509/cert/extensions.rb
CHANGED
@@ -1,676 +1,13 @@
|
|
1
|
-
require '
|
2
|
-
require 'r509/
|
3
|
-
require '
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
# classes are used by #wrap_openssl_extensions to wrap OpenSSL extensions
|
15
|
-
# in R509 extensions, based on the OID.
|
16
|
-
def self.register_class( r509_ext_class )
|
17
|
-
raise ArgumentError.new("R509 certificate extensions must have an OID") if r509_ext_class::OID.nil?
|
18
|
-
R509_EXTENSION_CLASSES << r509_ext_class
|
19
|
-
end
|
20
|
-
|
21
|
-
|
22
|
-
public
|
23
|
-
# Implements the BasicConstraints certificate extension, with methods to
|
24
|
-
# provide access to the components and meaning of the extension's contents.
|
25
|
-
class BasicConstraints < OpenSSL::X509::Extension
|
26
|
-
# friendly name for BasicConstraints OID
|
27
|
-
OID = "basicConstraints"
|
28
|
-
Extensions.register_class(self)
|
29
|
-
|
30
|
-
attr_reader :path_length
|
31
|
-
|
32
|
-
# See OpenSSL::X509::Extension#initialize
|
33
|
-
def initialize(*args)
|
34
|
-
super(*args)
|
35
|
-
|
36
|
-
data = R509::ASN1.get_extension_payload(self)
|
37
|
-
@is_ca = false
|
38
|
-
# BasicConstraints ::= SEQUENCE {
|
39
|
-
# cA BOOLEAN DEFAULT FALSE,
|
40
|
-
# pathLenConstraint INTEGER (0..MAX) OPTIONAL }
|
41
|
-
data.entries.each do |entry|
|
42
|
-
if entry.kind_of?(OpenSSL::ASN1::Boolean)
|
43
|
-
# since the boolean is optional it may not be present
|
44
|
-
@is_ca = entry.value
|
45
|
-
else
|
46
|
-
# There are only two kinds of entries permitted so anything
|
47
|
-
# else is an integer pathlength
|
48
|
-
@path_length = entry.value
|
49
|
-
end
|
50
|
-
end
|
51
|
-
end
|
52
|
-
|
53
|
-
def is_ca?()
|
54
|
-
return @is_ca == true
|
55
|
-
end
|
56
|
-
|
57
|
-
# Returns true if the path length allows this certificate to be used to
|
58
|
-
# create subordinate signing certificates beneath it. Does not check if
|
59
|
-
# there is a pathlen restriction in the cert chain above the current cert
|
60
|
-
def allows_sub_ca?()
|
61
|
-
return false if @path_length.nil?
|
62
|
-
return @path_length > 0
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
|
-
# Implements the KeyUsage certificate extension, with methods to
|
67
|
-
# provide access to the components and meaning of the extension's contents.
|
68
|
-
class KeyUsage < OpenSSL::X509::Extension
|
69
|
-
# friendly name for KeyUsage OID
|
70
|
-
OID = "keyUsage"
|
71
|
-
Extensions.register_class(self)
|
72
|
-
|
73
|
-
# An array of the key uses allowed.
|
74
|
-
attr_reader :allowed_uses
|
75
|
-
|
76
|
-
# OpenSSL short name for Digital Signature
|
77
|
-
AU_DIGITAL_SIGNATURE = "digitalSignature"
|
78
|
-
# OpenSSL short name for Non Repudiation (also known as content commitment)
|
79
|
-
AU_NON_REPUDIATION = "nonRepudiation"
|
80
|
-
# OpenSSL short name for Key Encipherment
|
81
|
-
AU_KEY_ENCIPHERMENT = "keyEncipherment"
|
82
|
-
# OpenSSL short name for Data Encipherment
|
83
|
-
AU_DATA_ENCIPHERMENT = "dataEncipherment"
|
84
|
-
# OpenSSL short name for Key Agreement
|
85
|
-
AU_KEY_AGREEMENT = "keyAgreement"
|
86
|
-
# OpenSSL short name for Certificate Sign
|
87
|
-
AU_KEY_CERT_SIGN = "keyCertSign"
|
88
|
-
# OpenSSL short name for CRL Sign
|
89
|
-
AU_CRL_SIGN = "cRLSign"
|
90
|
-
# OpenSSL short name for Encipher Only
|
91
|
-
AU_ENCIPHER_ONLY = "encipherOnly"
|
92
|
-
# OpenSSL short name for Decipher Only
|
93
|
-
AU_DECIPHER_ONLY = "decipherOnly"
|
94
|
-
|
95
|
-
# See OpenSSL::X509::Extension#initialize
|
96
|
-
def initialize(*args)
|
97
|
-
super(*args)
|
98
|
-
|
99
|
-
data = R509::ASN1.get_extension_payload(self)
|
100
|
-
|
101
|
-
# There are 9 possible bits, which means we need 2 bytes
|
102
|
-
# to represent them all. When the last bit is not set
|
103
|
-
# the second byte is not encoded. let's add it back so we can
|
104
|
-
# have the full bitmask for comparison
|
105
|
-
if data.size == 1
|
106
|
-
data = data + "\0"
|
107
|
-
end
|
108
|
-
bit_mask = data.unpack('n')[0] # treat it as a 16-bit unsigned big endian
|
109
|
-
# KeyUsage ::= BIT STRING {
|
110
|
-
# digitalSignature (0),
|
111
|
-
# nonRepudiation (1), -- recent editions of X.509 have
|
112
|
-
# -- renamed this bit to contentCommitment
|
113
|
-
# keyEncipherment (2),
|
114
|
-
# dataEncipherment (3),
|
115
|
-
# keyAgreement (4),
|
116
|
-
# keyCertSign (5),
|
117
|
-
# cRLSign (6),
|
118
|
-
# encipherOnly (7),
|
119
|
-
# decipherOnly (8) }
|
120
|
-
@allowed_uses = []
|
121
|
-
if bit_mask & 0b1000000000000000 > 0
|
122
|
-
@digital_signature = true
|
123
|
-
@allowed_uses << AU_DIGITAL_SIGNATURE
|
124
|
-
end
|
125
|
-
if bit_mask & 0b0100000000000000 > 0
|
126
|
-
@non_repudiation = true
|
127
|
-
@allowed_uses << AU_NON_REPUDIATION
|
128
|
-
end
|
129
|
-
if bit_mask & 0b0010000000000000 > 0
|
130
|
-
@key_encipherment = true
|
131
|
-
@allowed_uses << AU_KEY_ENCIPHERMENT
|
132
|
-
end
|
133
|
-
if bit_mask & 0b0001000000000000 > 0
|
134
|
-
@data_encipherment = true
|
135
|
-
@allowed_uses << AU_DATA_ENCIPHERMENT
|
136
|
-
end
|
137
|
-
if bit_mask & 0b0000100000000000 > 0
|
138
|
-
@key_agreement = true
|
139
|
-
@allowed_uses << AU_KEY_AGREEMENT
|
140
|
-
end
|
141
|
-
if bit_mask & 0b0000010000000000 > 0
|
142
|
-
@key_cert_sign = true
|
143
|
-
@allowed_uses << AU_KEY_CERT_SIGN
|
144
|
-
end
|
145
|
-
if bit_mask & 0b0000001000000000 > 0
|
146
|
-
@crl_sign = true
|
147
|
-
@allowed_uses << AU_CRL_SIGN
|
148
|
-
end
|
149
|
-
if bit_mask & 0b0000000100000000 > 0
|
150
|
-
@encipher_only = true
|
151
|
-
@allowed_uses << AU_ENCIPHER_ONLY
|
152
|
-
end
|
153
|
-
if bit_mask & 0b0000000010000000 > 0
|
154
|
-
@decipher_only = true
|
155
|
-
@allowed_uses << AU_DECIPHER_ONLY
|
156
|
-
end
|
157
|
-
end
|
158
|
-
|
159
|
-
# Returns true if the given use is allowed by this extension.
|
160
|
-
# @param [String] friendly_use_name key usage short name (e.g. digitalSignature, cRLSign, etc)
|
161
|
-
# or one of the AU_* constants in this class
|
162
|
-
# @return [Boolean]
|
163
|
-
def allows?( friendly_use_name )
|
164
|
-
@allowed_uses.include?( friendly_use_name )
|
165
|
-
end
|
166
|
-
|
167
|
-
def digital_signature?
|
168
|
-
(@digital_signature == true)
|
169
|
-
end
|
170
|
-
|
171
|
-
def non_repudiation?
|
172
|
-
(@non_repudiation == true)
|
173
|
-
end
|
174
|
-
|
175
|
-
def key_encipherment?
|
176
|
-
(@key_encipherment == true)
|
177
|
-
end
|
178
|
-
|
179
|
-
def data_encipherment?
|
180
|
-
(@data_encipherment == true)
|
181
|
-
end
|
182
|
-
|
183
|
-
def key_agreement?
|
184
|
-
(@key_agreement == true)
|
185
|
-
end
|
186
|
-
|
187
|
-
def key_cert_sign?
|
188
|
-
(@key_cert_sign == true)
|
189
|
-
end
|
190
|
-
|
191
|
-
def crl_sign?
|
192
|
-
(@crl_sign == true)
|
193
|
-
end
|
194
|
-
|
195
|
-
def encipher_only?
|
196
|
-
(@encipher_only == true)
|
197
|
-
end
|
198
|
-
|
199
|
-
def decipher_only?
|
200
|
-
(@decipher_only == true)
|
201
|
-
end
|
202
|
-
end
|
203
|
-
|
204
|
-
# Implements the ExtendedKeyUsage certificate extension, with methods to
|
205
|
-
# provide access to the components and meaning of the extension's contents.
|
206
|
-
class ExtendedKeyUsage < OpenSSL::X509::Extension
|
207
|
-
# friendly name for EKU OID
|
208
|
-
OID = "extendedKeyUsage"
|
209
|
-
Extensions.register_class(self)
|
210
|
-
|
211
|
-
# The OpenSSL short name for TLS Web Server Authentication
|
212
|
-
AU_WEB_SERVER_AUTH = "serverAuth"
|
213
|
-
# The OpenSSL short name for TLS Web Client Authentication
|
214
|
-
AU_WEB_CLIENT_AUTH = "clientAuth"
|
215
|
-
# The OpenSSL short name for Code Signing
|
216
|
-
AU_CODE_SIGNING = "codeSigning"
|
217
|
-
# The OpenSSL short name for E-mail Protection
|
218
|
-
AU_EMAIL_PROTECTION = "emailProtection"
|
219
|
-
# The OpenSSL short name for OCSP Signing
|
220
|
-
AU_OCSP_SIGNING = "OCSPSigning"
|
221
|
-
# The OpenSSL short name for Time Stamping
|
222
|
-
AU_TIME_STAMPING = "timeStamping"
|
223
|
-
# The OpenSSL short name for Any Extended Key Usage
|
224
|
-
AU_ANY_EXTENDED_KEY_USAGE = "anyExtendedKeyUsage"
|
225
|
-
|
226
|
-
attr_reader :allowed_uses
|
227
|
-
|
228
|
-
# See OpenSSL::X509::Extension#initialize
|
229
|
-
def initialize(*args)
|
230
|
-
super(*args)
|
231
|
-
|
232
|
-
@allowed_uses = []
|
233
|
-
data = R509::ASN1.get_extension_payload(self)
|
234
|
-
|
235
|
-
data.entries.each do |eku|
|
236
|
-
# The following key usage purposes are defined:
|
237
|
-
#
|
238
|
-
# anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
|
239
|
-
#
|
240
|
-
# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
|
241
|
-
# id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
|
242
|
-
# -- TLS WWW server authentication
|
243
|
-
# -- Key usage bits that may be consistent: digitalSignature,
|
244
|
-
# -- keyEncipherment or keyAgreement
|
245
|
-
#
|
246
|
-
# id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
|
247
|
-
# -- TLS WWW client authentication
|
248
|
-
# -- Key usage bits that may be consistent: digitalSignature
|
249
|
-
# -- and/or keyAgreement
|
250
|
-
#
|
251
|
-
# id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
|
252
|
-
# -- Signing of downloadable executable code
|
253
|
-
# -- Key usage bits that may be consistent: digitalSignature
|
254
|
-
#
|
255
|
-
# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
|
256
|
-
# -- Email protection
|
257
|
-
# -- Key usage bits that may be consistent: digitalSignature,
|
258
|
-
# -- nonRepudiation, and/or (keyEncipherment or keyAgreement)
|
259
|
-
#
|
260
|
-
# id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
|
261
|
-
# -- Binding the hash of an object to a time
|
262
|
-
# -- Key usage bits that may be consistent: digitalSignature
|
263
|
-
# -- and/or nonRepudiation
|
264
|
-
#
|
265
|
-
# id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
|
266
|
-
# -- Signing OCSP responses
|
267
|
-
# -- Key usage bits that may be consistent: digitalSignature
|
268
|
-
# -- and/or nonRepudiation
|
269
|
-
|
270
|
-
case eku.value
|
271
|
-
when AU_WEB_SERVER_AUTH
|
272
|
-
@web_server_authentication = true
|
273
|
-
when AU_WEB_CLIENT_AUTH
|
274
|
-
@web_client_authentication = true
|
275
|
-
when AU_CODE_SIGNING
|
276
|
-
@code_signing = true
|
277
|
-
when AU_EMAIL_PROTECTION
|
278
|
-
@email_protection = true
|
279
|
-
when AU_OCSP_SIGNING
|
280
|
-
@ocsp_signing = true
|
281
|
-
when AU_TIME_STAMPING
|
282
|
-
@time_stamping = true
|
283
|
-
when AU_ANY_EXTENDED_KEY_USAGE
|
284
|
-
@any_extended_key_usage = true
|
285
|
-
end
|
286
|
-
@allowed_uses << eku.value
|
287
|
-
end
|
288
|
-
end
|
289
|
-
|
290
|
-
# Returns true if the given use is allowed by this extension.
|
291
|
-
# @param [string] friendly_use_name One of the AU_* constants in this class.
|
292
|
-
def allows?( friendly_use_name )
|
293
|
-
@allowed_uses.include?( friendly_use_name )
|
294
|
-
end
|
295
|
-
|
296
|
-
def web_server_authentication?
|
297
|
-
(@web_server_authentication == true)
|
298
|
-
end
|
299
|
-
|
300
|
-
def web_client_authentication?
|
301
|
-
(@web_client_authentication == true)
|
302
|
-
end
|
303
|
-
|
304
|
-
def code_signing?
|
305
|
-
(@code_signing == true)
|
306
|
-
end
|
307
|
-
|
308
|
-
def email_protection?
|
309
|
-
(@email_protection == true)
|
310
|
-
end
|
311
|
-
|
312
|
-
def ocsp_signing?
|
313
|
-
(@ocsp_signing == true)
|
314
|
-
end
|
315
|
-
|
316
|
-
def time_stamping?
|
317
|
-
(@time_stamping == true)
|
318
|
-
end
|
319
|
-
|
320
|
-
def any_extended_key_usage?
|
321
|
-
(@any_extended_key_usage == true)
|
322
|
-
end
|
323
|
-
end
|
324
|
-
|
325
|
-
# Implements the SubjectKeyIdentifier certificate extension, with methods to
|
326
|
-
# provide access to the components and meaning of the extension's contents.
|
327
|
-
class SubjectKeyIdentifier < OpenSSL::X509::Extension
|
328
|
-
# friendly name for Subject Key Identifier OID
|
329
|
-
OID = "subjectKeyIdentifier"
|
330
|
-
Extensions.register_class(self)
|
331
|
-
|
332
|
-
# @return value of key
|
333
|
-
def key()
|
334
|
-
return self.value
|
335
|
-
end
|
336
|
-
end
|
337
|
-
|
338
|
-
# Implements the AuthorityKeyIdentifier certificate extension, with methods to
|
339
|
-
# provide access to the components and meaning of the extension's contents.
|
340
|
-
class AuthorityKeyIdentifier < OpenSSL::X509::Extension
|
341
|
-
# friendly name for Authority Key Identifier OID
|
342
|
-
OID = "authorityKeyIdentifier"
|
343
|
-
Extensions.register_class(self)
|
344
|
-
|
345
|
-
# key_identifier, if present, will be a hex string delimited by colons
|
346
|
-
# authority_cert_issuer, if present, will be a GeneralName object
|
347
|
-
# authority_cert_serial_number, if present, will be a hex string delimited by colons
|
348
|
-
attr_reader :key_identifier, :authority_cert_issuer, :authority_cert_serial_number
|
349
|
-
|
350
|
-
def initialize(*args)
|
351
|
-
super(*args)
|
352
|
-
|
353
|
-
data = R509::ASN1.get_extension_payload(self)
|
354
|
-
# AuthorityKeyIdentifier ::= SEQUENCE {
|
355
|
-
# keyIdentifier [0] KeyIdentifier OPTIONAL,
|
356
|
-
# authorityCertIssuer [1] GeneralNames OPTIONAL,
|
357
|
-
# authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
|
358
|
-
data.entries.each do |el|
|
359
|
-
case el.tag
|
360
|
-
when 0
|
361
|
-
@key_identifier = el.value.unpack("H*")[0].upcase.scan(/../).join(":")
|
362
|
-
when 1
|
363
|
-
@authority_cert_issuer = R509::ASN1::GeneralName.new(el.value.first)
|
364
|
-
when 2
|
365
|
-
arr = el.value.unpack("H*")[0].upcase.scan(/../)
|
366
|
-
# OpenSSL's convention is to drop leading 00s, so let's strip that off if
|
367
|
-
# present
|
368
|
-
if arr[0] == "00"
|
369
|
-
arr.delete_at(0)
|
370
|
-
end
|
371
|
-
@authority_cert_serial_number = arr.join(":")
|
372
|
-
end
|
373
|
-
end
|
374
|
-
|
375
|
-
end
|
376
|
-
|
377
|
-
end
|
378
|
-
|
379
|
-
# Implements the SubjectAlternativeName certificate extension, with methods to
|
380
|
-
# provide access to the components and meaning of the extension's contents.
|
381
|
-
class SubjectAlternativeName < OpenSSL::X509::Extension
|
382
|
-
# friendly name for SAN OID
|
383
|
-
OID = "subjectAltName"
|
384
|
-
Extensions.register_class(self)
|
385
|
-
|
386
|
-
attr_reader :general_names
|
387
|
-
|
388
|
-
# See OpenSSL::X509::Extension#initialize
|
389
|
-
def initialize(*args)
|
390
|
-
super(*args)
|
391
|
-
|
392
|
-
data = R509::ASN1.get_extension_payload(self)
|
393
|
-
@general_names = R509::ASN1::GeneralNames.new
|
394
|
-
data.entries.each do |gn|
|
395
|
-
@general_names.add_item(gn)
|
396
|
-
end
|
397
|
-
end
|
398
|
-
|
399
|
-
# @return [Array<String>] DNS names
|
400
|
-
def dns_names
|
401
|
-
@general_names.dns_names
|
402
|
-
end
|
403
|
-
|
404
|
-
# @return [Array<String>] IP addresses formatted as dotted quad
|
405
|
-
def ip_addresses
|
406
|
-
@general_names.ip_addresses
|
407
|
-
end
|
408
|
-
|
409
|
-
# @return [Array<String>] email addresses
|
410
|
-
def rfc_822_names
|
411
|
-
@general_names.rfc_822_names
|
412
|
-
end
|
413
|
-
|
414
|
-
# @return [Array<String>] URIs (not typically found in SAN extensions)
|
415
|
-
def uris
|
416
|
-
@general_names.uris
|
417
|
-
end
|
418
|
-
|
419
|
-
# @return [Array<R509::Subject>] directory names
|
420
|
-
def directory_names
|
421
|
-
@general_names.directory_names
|
422
|
-
end
|
423
|
-
|
424
|
-
# @return [Array] array of GeneralName objects preserving order found in the extension
|
425
|
-
def names
|
426
|
-
@general_names.names
|
427
|
-
end
|
428
|
-
end
|
429
|
-
|
430
|
-
# Implements the AuthorityInfoAccess certificate extension, with methods to
|
431
|
-
# provide access to the components and meaning of the extension's contents.
|
432
|
-
class AuthorityInfoAccess < OpenSSL::X509::Extension
|
433
|
-
# friendly name for AIA OID
|
434
|
-
OID = "authorityInfoAccess"
|
435
|
-
Extensions.register_class(self)
|
436
|
-
|
437
|
-
# An array of the OCSP data, if any
|
438
|
-
attr_reader :ocsp
|
439
|
-
# An array of the CA issuers data, if any
|
440
|
-
attr_reader :ca_issuers
|
441
|
-
|
442
|
-
# See OpenSSL::X509::Extension#initialize
|
443
|
-
def initialize(*args)
|
444
|
-
super(*args)
|
445
|
-
|
446
|
-
data = R509::ASN1.get_extension_payload(self)
|
447
|
-
@ocsp= R509::ASN1::GeneralNames.new
|
448
|
-
@ca_issuers= R509::ASN1::GeneralNames.new
|
449
|
-
data.entries.each do |access_description|
|
450
|
-
# AccessDescription ::= SEQUENCE {
|
451
|
-
# accessMethod OBJECT IDENTIFIER,
|
452
|
-
# accessLocation GeneralName }
|
453
|
-
case access_description.entries[0].value
|
454
|
-
when "OCSP"
|
455
|
-
@ocsp.add_item(access_description.entries[1])
|
456
|
-
when "caIssuers"
|
457
|
-
@ca_issuers.add_item(access_description.entries[1])
|
458
|
-
end
|
459
|
-
end
|
460
|
-
end
|
461
|
-
end
|
462
|
-
|
463
|
-
# Implements the CRLDistributionPoints certificate extension, with methods to
|
464
|
-
# provide access to the components and meaning of the extension's contents.
|
465
|
-
class CRLDistributionPoints < OpenSSL::X509::Extension
|
466
|
-
# friendly name for CDP OID
|
467
|
-
OID = "crlDistributionPoints"
|
468
|
-
Extensions.register_class(self)
|
469
|
-
|
470
|
-
# An array of the CRL URIs, if any
|
471
|
-
attr_reader :crl
|
472
|
-
|
473
|
-
# See OpenSSL::X509::Extension#initialize
|
474
|
-
def initialize(*args)
|
475
|
-
super(*args)
|
476
|
-
|
477
|
-
@crl= R509::ASN1::GeneralNames.new
|
478
|
-
data = R509::ASN1.get_extension_payload(self)
|
479
|
-
data.entries.each do |distribution_point|
|
480
|
-
# DistributionPoint ::= SEQUENCE {
|
481
|
-
# distributionPoint [0] DistributionPointName OPTIONAL,
|
482
|
-
# reasons [1] ReasonFlags OPTIONAL,
|
483
|
-
# cRLIssuer [2] GeneralNames OPTIONAL }
|
484
|
-
# DistributionPointName ::= CHOICE {
|
485
|
-
# fullName [0] GeneralNames,
|
486
|
-
# nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
|
487
|
-
# We're only going to handle DistributionPointName [0] for now
|
488
|
-
# so grab entries[0] and then get the fullName with value[0]
|
489
|
-
# and the value of that ASN1Data with value[0] again
|
490
|
-
@crl.add_item(distribution_point.entries[0].value[0].value[0])
|
491
|
-
end
|
492
|
-
end
|
493
|
-
end
|
494
|
-
|
495
|
-
# Implements the OCSP noCheck certificate extension
|
496
|
-
class OCSPNoCheck < OpenSSL::X509::Extension
|
497
|
-
# friendly name for OCSP No Check
|
498
|
-
OID = "noCheck"
|
499
|
-
Extensions.register_class(self)
|
500
|
-
|
501
|
-
# See OpenSSL::X509::Extension#initialize
|
502
|
-
def initialize(*args)
|
503
|
-
super(*args)
|
504
|
-
end
|
505
|
-
end
|
506
|
-
|
507
|
-
|
508
|
-
# Implements the CertificatePolicies certificate extension, with methods to
|
509
|
-
# provide access to the components and meaning of the extension's contents.
|
510
|
-
class CertificatePolicies < OpenSSL::X509::Extension
|
511
|
-
# friendly name for CP OID
|
512
|
-
OID = "certificatePolicies"
|
513
|
-
Extensions.register_class(self)
|
514
|
-
attr_reader :policies
|
515
|
-
|
516
|
-
def initialize(*args)
|
517
|
-
@policies = []
|
518
|
-
super(*args)
|
519
|
-
|
520
|
-
data = R509::ASN1.get_extension_payload(self)
|
521
|
-
|
522
|
-
# each element of this sequence should be part of a policy + qualifiers
|
523
|
-
# certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
|
524
|
-
data.each do |cp|
|
525
|
-
@policies << R509::ASN1::PolicyInformation.new(cp)
|
526
|
-
end if data.respond_to?(:each)
|
527
|
-
end
|
528
|
-
end
|
529
|
-
|
530
|
-
# Implements the InhibitAnyPolicy certificate extension, with methods to
|
531
|
-
# provide access to the component and meaning of the extension's contents.
|
532
|
-
class InhibitAnyPolicy < OpenSSL::X509::Extension
|
533
|
-
# friendly name for CP OID
|
534
|
-
OID = "inhibitAnyPolicy"
|
535
|
-
Extensions.register_class(self)
|
536
|
-
|
537
|
-
attr_reader :skip_certs
|
538
|
-
|
539
|
-
def initialize(*args)
|
540
|
-
super(*args)
|
541
|
-
|
542
|
-
# id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
|
543
|
-
# InhibitAnyPolicy ::= SkipCerts
|
544
|
-
# SkipCerts ::= INTEGER (0..MAX)
|
545
|
-
@skip_certs = R509::ASN1.get_extension_payload(self) # returns a non-negative integer
|
546
|
-
end
|
547
|
-
end
|
548
|
-
|
549
|
-
# Implements the PolicyConstraints certificate extension, with methods to
|
550
|
-
# provide access to the components and meaning of the extension's contents.
|
551
|
-
class PolicyConstraints < OpenSSL::X509::Extension
|
552
|
-
# friendly name for CP OID
|
553
|
-
OID = "policyConstraints"
|
554
|
-
Extensions.register_class(self)
|
555
|
-
|
556
|
-
attr_reader :require_explicit_policy
|
557
|
-
attr_reader :inhibit_policy_mapping
|
558
|
-
|
559
|
-
def initialize(*args)
|
560
|
-
super(*args)
|
561
|
-
|
562
|
-
# id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
|
563
|
-
# PolicyConstraints ::= SEQUENCE {
|
564
|
-
# requireExplicitPolicy [0] SkipCerts OPTIONAL,
|
565
|
-
# inhibitPolicyMapping [1] SkipCerts OPTIONAL }
|
566
|
-
#
|
567
|
-
# SkipCerts ::= INTEGER (0..MAX)
|
568
|
-
data = R509::ASN1.get_extension_payload(self)
|
569
|
-
data.each do |pc|
|
570
|
-
if pc.tag == 0
|
571
|
-
@require_explicit_policy = pc.value.bytes.to_a[0]
|
572
|
-
elsif pc.tag == 1
|
573
|
-
@inhibit_policy_mapping = pc.value.bytes.to_a[0]
|
574
|
-
end
|
575
|
-
end
|
576
|
-
end
|
577
|
-
end
|
578
|
-
|
579
|
-
# Implements the NameConstraints certificate extension, with methods to
|
580
|
-
# provide access to the components and meaning of the extension's contents.
|
581
|
-
class NameConstraints < OpenSSL::X509::Extension
|
582
|
-
# friendly name for CP OID
|
583
|
-
OID = "nameConstraints"
|
584
|
-
Extensions.register_class(self)
|
585
|
-
|
586
|
-
attr_reader :permitted_names, :excluded_names
|
587
|
-
|
588
|
-
# id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
|
589
|
-
# NameConstraints ::= SEQUENCE {
|
590
|
-
# permittedSubtrees [0] GeneralSubtrees OPTIONAL,
|
591
|
-
# excludedSubtrees [1] GeneralSubtrees OPTIONAL }
|
592
|
-
#
|
593
|
-
# GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
|
594
|
-
#
|
595
|
-
# per RFC 5280
|
596
|
-
# Within this profile, the minimum and maximum fields are not used with
|
597
|
-
# any name forms, thus, the minimum MUST be zero, and maximum MUST be
|
598
|
-
# absent
|
599
|
-
# GeneralSubtree ::= SEQUENCE {
|
600
|
-
# base GeneralName,
|
601
|
-
# minimum [0] BaseDistance DEFAULT 0,
|
602
|
-
# maximum [1] BaseDistance OPTIONAL }
|
603
|
-
#
|
604
|
-
# BaseDistance ::= INTEGER (0..MAX)
|
605
|
-
def initialize(*args)
|
606
|
-
super(*args)
|
607
|
-
|
608
|
-
@permitted_names = []
|
609
|
-
@excluded_names = []
|
610
|
-
|
611
|
-
data = R509::ASN1.get_extension_payload(self)
|
612
|
-
data.each do |gs|
|
613
|
-
gs.value.each do |asn_data|
|
614
|
-
asn_data.value.each do |obj|
|
615
|
-
gn = R509::ASN1::GeneralName.new(obj)
|
616
|
-
if gs.tag == 0 # permittedSubtrees
|
617
|
-
@permitted_names << gn
|
618
|
-
elsif gs.tag == 1 #excludedSubtrees
|
619
|
-
@excluded_names << gn
|
620
|
-
end
|
621
|
-
end
|
622
|
-
end
|
623
|
-
end
|
624
|
-
end
|
625
|
-
end
|
626
|
-
|
627
|
-
|
628
|
-
|
629
|
-
#
|
630
|
-
# Helper class methods
|
631
|
-
#
|
632
|
-
|
633
|
-
# Takes OpenSSL::X509::Extension objects and wraps each in the appropriate
|
634
|
-
# R509::Cert::Extensions object, and returns them in a hash. The hash is
|
635
|
-
# keyed with the R509 extension class. Extensions without an R509
|
636
|
-
# implementation are ignored (see #get_unknown_extensions).
|
637
|
-
def self.wrap_openssl_extensions( extensions )
|
638
|
-
r509_extensions = {}
|
639
|
-
extensions.each do |openssl_extension|
|
640
|
-
R509_EXTENSION_CLASSES.each do |r509_class|
|
641
|
-
if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
|
642
|
-
if r509_extensions.has_key?(r509_class)
|
643
|
-
raise ArgumentError.new("Only one extension object allowed per OID")
|
644
|
-
end
|
645
|
-
|
646
|
-
r509_extensions[r509_class] = r509_class.new( openssl_extension )
|
647
|
-
break
|
648
|
-
end
|
649
|
-
end
|
650
|
-
end
|
651
|
-
|
652
|
-
return r509_extensions
|
653
|
-
end
|
654
|
-
|
655
|
-
# Given a list of OpenSSL::X509::Extension objects, returns those without
|
656
|
-
# an R509 implementation.
|
657
|
-
def self.get_unknown_extensions( extensions )
|
658
|
-
unknown_extensions = []
|
659
|
-
extensions.each do |openssl_extension|
|
660
|
-
match_found = false
|
661
|
-
R509_EXTENSION_CLASSES.each do |r509_class|
|
662
|
-
if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
|
663
|
-
match_found = true
|
664
|
-
break
|
665
|
-
end
|
666
|
-
end
|
667
|
-
# if we make it this far (without breaking), we didn't match
|
668
|
-
unknown_extensions << openssl_extension unless match_found
|
669
|
-
end
|
670
|
-
|
671
|
-
return unknown_extensions
|
672
|
-
end
|
673
|
-
end
|
674
|
-
end
|
675
|
-
end
|
676
|
-
|
1
|
+
require 'r509/cert/extensions/authority_info_access'
|
2
|
+
require 'r509/cert/extensions/authority_key_identifier'
|
3
|
+
require 'r509/cert/extensions/basic_constraints'
|
4
|
+
require 'r509/cert/extensions/certificate_policies'
|
5
|
+
require 'r509/cert/extensions/crl_distribution_points'
|
6
|
+
require 'r509/cert/extensions/extended_key_usage'
|
7
|
+
require 'r509/cert/extensions/inhibit_any_policy'
|
8
|
+
require 'r509/cert/extensions/key_usage'
|
9
|
+
require 'r509/cert/extensions/name_constraints'
|
10
|
+
require 'r509/cert/extensions/ocsp_no_check'
|
11
|
+
require 'r509/cert/extensions/policy_constraints'
|
12
|
+
require 'r509/cert/extensions/subject_alternative_name'
|
13
|
+
require 'r509/cert/extensions/subject_key_identifier'
|