r509 0.9.2 → 0.10.0

data/lib/r509/cert/extensions/authority_info_access.rb

@@ -0,0 +1,128 @@
+require 'r509/cert/extensions/base'
+require 'r509/cert/extensions/validation_mixin'
+
+module R509
+  class Cert
+    module Extensions
+      # RFC 5280 Description (see: http://www.ietf.org/rfc/rfc5280.txt)
+      #
+      # The authority information access extension indicates how to access
+      # information and services for the issuer of the certificate in which
+      # the extension appears.  Information and services may include on-line
+      # validation services and CA policy data.  (The location of CRLs is not
+      # specified in this extension; that information is provided by the
+      # cRLDistributionPoints extension.)  This extension may be included in
+      # end entity or CA certificates.  Conforming CAs MUST mark this
+      # extension as non-critical.
+      # You can use this extension to parse an existing extension for easy access
+      # to the contents or create a new one.
+      class AuthorityInfoAccess < OpenSSL::X509::Extension
+        include R509::Cert::Extensions::ValidationMixin
+
+        # friendly name for AIA OID
+        OID = "authorityInfoAccess"
+        Extensions.register_class(self)
+
+        # An R509::ASN1::GeneralNames object of OCSP endpoints (or nil if not present)
+        # @return [R509::ASN1::GeneralNames,nil]
+        attr_reader :ocsp
+        # An R509::ASN1::GeneralNames object of CA Issuers (or nil if not present)
+        # @return [R509::ASN1::GeneralNames,nil]
+        attr_reader :ca_issuers
+
+        # This method takes a hash or an existing Extension object to parse. If passing
+        # a hash you must supply :ocsp_location and/or :ca_issuers_location. These values
+        # must be in the form seen in the examples below.
+        #
+        # @option arg :ocsp_location [Array,R509::ASN1::GeneralNames] Array of hashes (see examples) or GeneralNames object
+        # @option arg :ca_issuers_location [Array] Array of hashes (see examples) or GeneralNames object
+        # @option arg :critical [Boolean] (false)
+        # @example
+        #   R509::Cert::Extensions::AuthorityInfoAccess.new(
+        #     :ocsp_location => [ { :type => "URI", :value => "http://ocsp.domain.com" } ],
+        #     :ca_issuers_location => [ { :type => "dirName", :value => { :CN => 'myCN', :O => 'some Org' } ]
+        #   )
+        # @example
+        #   name = R509::ASN1::GeneralName.new(:type => "IP", :value => "127.0.0.1")
+        #   R509::Cert::Extensions::AuthorityInfoAccess.new(
+        #     :ca_issuers_location => [name]
+        #   )
+        def initialize(arg)
+          if not R509::Cert::Extensions.is_extension?(arg)
+            arg = build_extension(arg)
+          end
+
+          super(arg)
+          parse_extension
+        end
+
+        # @return [Hash]
+        def to_h
+          hash = { :critical => self.critical? }
+          hash[:ocsp_location] = R509::Cert::Extensions.names_to_h(@ocsp.names) unless @ocsp.names.empty?
+          hash[:ca_issuers_location] = R509::Cert::Extensions.names_to_h(@ca_issuers.names) unless @ca_issuers.names.empty?
+          hash
+        end
+
+        # @return [YAML]
+        def to_yaml
+          self.to_h.to_yaml
+        end
+
+        private
+
+        def parse_extension
+          data = R509::ASN1.get_extension_payload(self)
+          @ocsp= R509::ASN1::GeneralNames.new
+          @ca_issuers= R509::ASN1::GeneralNames.new
+          data.entries.each do |access_description|
+            #   AccessDescription  ::=  SEQUENCE {
+            #           accessMethod          OBJECT IDENTIFIER,
+            #           accessLocation        GeneralName  }
+            case access_description.entries[0].value
+            when "OCSP"
+              @ocsp.add_item(access_description.entries[1])
+            when "caIssuers"
+              @ca_issuers.add_item(access_description.entries[1])
+            end
+          end
+        end
+
+        def build_extension(arg)
+          validate_authority_info_access(arg)
+          aia = []
+          aia_conf = []
+
+          locations = [
+            { :key => :ocsp_location, :short_name => 'OCSP' },
+            { :key => :ca_issuers_location, :short_name => 'caIssuers' }
+          ]
+
+          locations.each do |pair|
+            validate_location(pair[:key].to_s,arg[pair[:key]])
+            data = arg[pair[:key]]
+            if not data.nil?
+              elements = R509::ASN1::GeneralNames.new(data)
+              elements.names.each do |name|
+                serialize = name.serialize_name
+                aia.push "#{pair[:short_name]};#{serialize[:extension_string]}"
+                aia_conf.push serialize[:conf]
+              end
+            end
+          end
+
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.config = OpenSSL::Config.parse(aia_conf.join("\n"))
+          critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
+          return ef.create_extension("authorityInfoAccess",aia.join(","),critical)
+        end
+
+        def validate_authority_info_access(aia)
+          if not aia.kind_of?(Hash) or (aia[:ocsp_location].nil? and aia[:ca_issuers_location].nil?)
+            raise ArgumentError, "You must pass a hash with at least one of the following two keys (:ocsp_location, :ca_issuers_location)"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/r509/cert/extensions/authority_key_identifier.rb

@@ -0,0 +1,100 @@
+require 'r509/cert/extensions/base'
+
+module R509
+  class Cert
+    module Extensions
+      # RFC 5280 Description (see: http://www.ietf.org/rfc/rfc5280.txt)
+      #
+      # The authority key identifier extension provides a means of
+      # identifying the public key corresponding to the private key used to
+      # sign a certificate.  This extension is used where an issuer has
+      # multiple signing keys (either due to multiple concurrent key pairs or
+      # due to changeover).  The identification MAY be based on either the
+      # key identifier (the subject key identifier in the issuer's
+      # certificate) or the issuer name and serial number.
+      #
+      # You can use this extension to parse an existing extension for easy access
+      # to the contents or create a new one.
+      class AuthorityKeyIdentifier < OpenSSL::X509::Extension
+
+        # friendly name for Authority Key Identifier OID
+        OID = "authorityKeyIdentifier"
+        # default extension behavior when generating
+        AKI_EXTENSION_DEFAULT = "keyid"
+        Extensions.register_class(self)
+
+        # key_identifier, if present, will be a hex string delimited by colons
+        # @return [String,nil]
+        attr_reader :key_identifier
+        # authority_cert_issuer, if present, will be a GeneralName object
+        # @return [R509::ASN1::GeneralName,nil]
+        attr_reader :authority_cert_issuer
+        # authority_cert_serial_number, if present, will be a hex string delimited by colons
+        # @return [String,nil]
+        attr_reader :authority_cert_serial_number
+
+
+        # @option arg :public_key [OpenSSL::PKey] Required if embedding keyid
+        # @option arg :issuer_subject [R509::Subject] Required if embedding issuer
+        # @option arg :value [String] (keyid) For the rules of :value see: http://www.openssl.org/docs/apps/x509v3_config.html#Authority_Key_Identifier_. If you want to embed issuer you MUST supply :issuer_certificate and not :public_key
+        # @option arg :critical [Boolean] (false)
+        def initialize(arg)
+          if not R509::Cert::Extensions.is_extension?(arg)
+            arg = build_extension(arg)
+          end
+
+          super(arg)
+          parse_extension
+        end
+
+        private
+
+        def parse_extension
+          data = R509::ASN1.get_extension_payload(self)
+          #   AuthorityKeyIdentifier ::= SEQUENCE {
+          #      keyIdentifier             [0] KeyIdentifier           OPTIONAL,
+          #      authorityCertIssuer       [1] GeneralNames            OPTIONAL,
+          #      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
+          data.entries.each do |el|
+            case el.tag
+            when 0
+              @key_identifier = el.value.unpack("H*")[0].upcase.scan(/../).join(":")
+            when 1
+              @authority_cert_issuer = R509::ASN1::GeneralName.new(el.value.first)
+            when 2
+              arr = el.value.unpack("H*")[0].upcase.scan(/../)
+              # OpenSSL's convention is to drop leading 00s, so let's strip that off if
+              # present
+              if arr[0] == "00"
+                arr.delete_at(0)
+              end
+              @authority_cert_serial_number = arr.join(":")
+            end
+          end
+        end
+
+        def build_extension(arg)
+          arg[:value] = AKI_EXTENSION_DEFAULT unless not arg[:value].nil?
+          validate_authority_key_identifier(arg)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          fake_cert = OpenSSL::X509::Certificate.new
+          fake_cert.extensions = [R509::Cert::Extensions::SubjectKeyIdentifier.new(:public_key => arg[:public_key])] unless arg[:public_key].nil?
+          fake_cert.subject = arg[:issuer_subject].name unless arg[:issuer_subject].nil?
+          ef.issuer_certificate = fake_cert
+          critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
+          return ef.create_extension("authorityKeyIdentifier", arg[:value], critical) # this could also be keyid:always,issuer:always
+        end
+
+        def validate_authority_key_identifier(aki)
+          if aki[:value].downcase.include?("keyid") and aki[:public_key].nil?
+            raise ArgumentError, "You must supply an OpenSSL::PKey object to :public_key if aki value contains keyid (present by default)"
+          end
+          if aki[:value].downcase.include?("issuer") and not aki[:issuer_subject].kind_of?(R509::Subject)
+            raise ArgumentError, "You must supply an R509::Subject object to :issuer_subject if aki value contains issuer"
+          end
+          aki
+        end
+      end
+    end
+  end
+end

data/lib/r509/cert/extensions/base.rb

@@ -0,0 +1,142 @@
+require 'openssl'
+require 'r509/asn1'
+require 'set'
+
+module R509
+  class Cert
+    # module to contain extension classes for R509::Cert
+    module Extensions
+      #
+      # Helper class methods
+      #
+
+      # Takes OpenSSL::X509::Extension objects and wraps each in the appropriate
+      # R509::Cert::Extensions object, and returns them in a hash. The hash is
+      # keyed with the R509 extension class. Extensions without an R509
+      # implementation are ignored (see #get_unknown_extensions).
+      def self.wrap_openssl_extensions( extensions )
+        r509_extensions = {}
+        extensions.each do |openssl_extension|
+          R509_EXTENSION_CLASSES.each do |r509_class|
+            if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
+              if r509_extensions.has_key?(r509_class)
+                raise ArgumentError.new("Only one extension object allowed per OID")
+              end
+
+              r509_extensions[r509_class] = r509_class.new( openssl_extension )
+              break
+            end
+          end
+        end
+
+        return r509_extensions
+      end
+
+      # Given a list of OpenSSL::X509::Extension objects, returns those without
+      # an R509 implementation.
+      def self.get_unknown_extensions( extensions )
+        unknown_extensions = []
+        extensions.each do |openssl_extension|
+          match_found = false
+          R509_EXTENSION_CLASSES.each do |r509_class|
+            if ( r509_class::OID.downcase == openssl_extension.oid.downcase )
+              match_found = true
+              break
+            end
+          end
+          # if we make it this far (without breaking), we didn't match
+          unknown_extensions << openssl_extension unless match_found
+        end
+
+        return unknown_extensions
+      end
+
+
+      # Takes an array of R509::ASN1::GeneralName objects and returns a hash that can be
+      # encoded to YAML (used by #to_yaml methods)
+      def self.names_to_h(array)
+        data = []
+        array.each do |name|
+          value = (name.value.kind_of?(R509::Subject))? name.value.to_h : name.value
+          data.push(
+            {
+              :type => name.short_type,
+              :value => value
+            }
+          )
+        end
+        data
+      end
+
+      # Mixed into extensions that have a single generalnames object to
+      # simplify getting data out of them
+      module GeneralNamesMixin
+        # @return [Array<String>] DNS names
+        def dns_names
+          @general_names.dns_names
+        end
+
+        # @return [Array<String>] IP addresses. They will be formatted as strings (dotted quad with optional netmask for IPv4 and colon-hexadecimal with optional netmask for IPv6
+        def ip_addresses
+          @general_names.ip_addresses
+        end
+        alias :ips :ip_addresses
+
+        # @return [Array<String>] email addresses
+        def rfc_822_names
+          @general_names.rfc_822_names
+        end
+        alias :email_names :rfc_822_names
+
+        # @return [Array<String>] URIs (not typically found in SAN extensions)
+        def uris
+          @general_names.uris
+        end
+
+        # @return [Array<R509::Subject>] directory names
+        def directory_names
+          @general_names.directory_names
+        end
+        alias :dir_names :directory_names
+
+        # @return [Array] array of GeneralName objects preserving order found in the extension
+        def names
+          @general_names.names
+        end
+      end
+
+      private
+      R509_EXTENSION_CLASSES = Set.new
+
+      # Registers a class as being an R509 certificate extension class. Registered
+      # classes are used by #wrap_openssl_extensions to wrap OpenSSL extensions
+      # in R509 extensions, based on the OID.
+      def self.register_class( r509_ext_class )
+        raise ArgumentError.new("R509 certificate extensions must have an OID") if r509_ext_class::OID.nil?
+        R509_EXTENSION_CLASSES << r509_ext_class
+      end
+
+      def self.calculate_critical(critical,default)
+        if critical.kind_of?(TrueClass) or critical.kind_of?(FalseClass)
+          critical
+        else
+          default
+        end
+      end
+
+      # Method attempts to determine if data being passed to an extension is already
+      # an extension/asn.1 data or not.
+      def self.is_extension?(data)
+        return true if data.kind_of?(OpenSSL::X509::Extension)
+        return false if not data.kind_of?(String)
+        begin
+          OpenSSL::X509::Extension.new(data)
+          return true
+        rescue
+          return false
+        end
+      end
+
+    end
+  end
+end

data/lib/r509/cert/extensions/basic_constraints.rb

@@ -0,0 +1,119 @@
+require 'r509/cert/extensions/base'
+
+module R509
+  class Cert
+    module Extensions
+      # RFC 5280 Description (see: http://www.ietf.org/rfc/rfc5280.txt)
+      #
+      # The basic constraints extension identifies whether the subject of the
+      # certificate is a CA and the maximum depth of valid certification
+      # paths that include this certificate.
+      #
+      # You can use this extension to parse an existing extension for easy access
+      # to the contents or create a new one.
+      class BasicConstraints < OpenSSL::X509::Extension
+
+        # friendly name for BasicConstraints OID
+        OID = "basicConstraints"
+        Extensions.register_class(self)
+
+        # returns the path length (if present)
+        # @return [Integer,nil]
+        attr_reader :path_length
+
+        # This method takes a hash or an existing Extension object to parse
+        # @option arg :ca [Boolean] The ca key is required and must be set to true (for an issuing CA) or false (everything else).
+        # @option arg :path_length optional [Integer] This option is only allowed if ca is set to TRUE. path_length allows you to define the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. For example, if you set this value to 0 then the certificate issued can only issue end entity certificates, not additional subroots. This must be a non-negative integer (>=0).
+        # @option arg :critical [Boolean] (true)
+        def initialize(arg)
+          if not R509::Cert::Extensions.is_extension?(arg)
+            arg = build_extension(arg)
+          end
+
+          super(arg)
+          parse_extension
+        end
+
+        # Check whether the extension value would make the parent certificate a CA
+        # @return [Boolean]
+        def is_ca?
+          return @is_ca == true
+        end
+
+        # Returns true if the path length allows this certificate to be used to
+        # create subordinate signing certificates beneath it. Does not check if
+        # there is a pathlen restriction in the cert chain above the current cert
+        # @return [Boolean]
+        def allows_sub_ca?
+          return false unless is_ca?
+          return true if @path_length.nil?
+          return @path_length > 0
+        end
+
+        # @return [Hash]
+        def to_h
+          hash = { :ca => @is_ca, :critical => self.critical? }
+          hash[:path_length] = @path_length unless @path_length.nil? or not is_ca?
+          hash
+        end
+
+        # @return [YAML]
+        def to_yaml
+          self.to_h.to_yaml
+        end
+
+        private
+
+        def parse_extension
+          data = R509::ASN1.get_extension_payload(self)
+          @is_ca = false
+          #   BasicConstraints ::= SEQUENCE {
+          #        cA                      BOOLEAN DEFAULT FALSE,
+          #        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+          data.entries.each do |entry|
+            if entry.kind_of?(OpenSSL::ASN1::Boolean)
+              @is_ca = entry.value
+            else
+              # There are only two kinds of entries permitted so anything
+              # else is an integer pathlength. it is in OpenSSL::BN form by default
+              # but that's annoying so let's cast it.
+              @path_length = entry.value.to_i
+            end
+          end
+        end
+
+        def build_extension(arg)
+          validate_basic_constraints(arg)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          if arg[:ca] == true
+            bc_value = "CA:TRUE"
+            if not arg[:path_length].nil?
+              bc_value += ",pathlen:#{arg[:path_length]}"
+            end
+          else
+            bc_value = "CA:FALSE"
+          end
+          critical = R509::Cert::Extensions.calculate_critical(arg[:critical], true)
+          return ef.create_extension("basicConstraints", bc_value, critical)
+        end
+
+        # validates the structure of the certificate policies array
+        def validate_basic_constraints(constraints)
+          if constraints.nil? or not constraints.respond_to?(:has_key?) or not constraints.has_key?(:ca)
+            raise ArgumentError, "You must supply a hash with a key named :ca with a boolean value"
+          end
+          if constraints[:ca].nil? or (not constraints[:ca].kind_of?(TrueClass) and not constraints[:ca].kind_of?(FalseClass))
+            raise ArgumentError, "You must supply true/false for the :ca key when specifying basic constraints"
+          end
+          if constraints[:ca] == false and not constraints[:path_length].nil?
+            raise ArgumentError, ":path_length is not allowed when :ca is false"
+          end
+          if constraints[:ca] == true and not constraints[:path_length].nil? and (constraints[:path_length] < 0 or not constraints[:path_length].kind_of?(Integer))
+            raise ArgumentError, "Path length must be a positive integer (>= 0)"
+          end
+          constraints
+        end
+      end
+    end
+  end
+end