r509 0.9.2 → 0.10.0

data/lib/r509/config/subject_item_policy.rb

@@ -0,0 +1,118 @@
+require 'yaml'
+require 'openssl'
+require 'r509/exceptions'
+require 'r509/io_helpers'
+require 'r509/subject'
+require 'r509/private_key'
+require 'r509/engine'
+require 'fileutils'
+require 'pathname'
+
+module R509
+  # Module to contain all configuration related classes (e.g. CAConfig, CertProfile, SubjectItemPolicy)
+  module Config
+    # The Subject Item Policy allows you to define what subject fields are allowed in a
+    # certificate. Required means that field *must* be supplied, optional means it will
+    # be encoded if provided, and match means the field must be present and must match
+    # the value specified.
+    #
+    # Using R509::OIDMapper you can create new shortnames that will be usable inside this class.
+    class SubjectItemPolicy
+      # @return [Array]
+      attr_reader :required, :optional, :match, :match_values
+
+      # @param [Hash] hash of required/optional/matching subject items. These must be in OpenSSL shortname format.
+      # @example sample hash
+      #  {"CN" => { :policy => "required" },
+      #  "O" => { :policy => "required" },
+      #  "OU" => { :policy => "optional" },
+      #  "ST" => { :policy => "required" },
+      #  "C" => { :policy => "required" },
+      #  "L" => { :policy => "match", :value => "Chicago" },
+      #  "emailAddress" => { :policy => "optional" }
+      def initialize(hash={})
+        if not hash.kind_of?(Hash)
+          raise ArgumentError, "Must supply a hash in form 'shortname'=>hash_with_policy_info"
+        end
+        @required = []
+        @optional = []
+        @match_values = {}
+        @match = []
+        if not hash.empty?
+          hash.each_pair do |key,value|
+            if not value.kind_of?(Hash)
+              raise ArgumentError, "Each value must be a hash with a :policy key"
+            end
+            case value[:policy]
+            when 'required' then @required.push(key)
+            when 'optional' then @optional.push(key)
+            when 'match' then
+              @match_values[key] = value[:value]
+              @match.push(key)
+            else
+              raise ArgumentError, "Unknown subject item policy value. Allowed values are required, optional, or match"
+            end
+          end
+        end
+      end
+
+      # @param [R509::Subject] subject
+      # @return [R509::Subject] validated version of the subject or error
+      def validate_subject(subject)
+        # check if match components are present and match
+        validate_match(subject)
+        validate_required_match(subject)
+
+        # the validated subject contains only those subject components that are either
+        # required, optional, or match
+        R509::Subject.new(subject.to_a.select do |item|
+          @required.include?(item[0]) or @optional.include?(item[0]) or @match.include?(item[0])
+        end)
+      end
+
+    # @return [Hash]
+      def to_h
+        hash = {}
+        @required.each { |r| hash[r] = {:policy => "required" } }
+        @optional.each { |o| hash[o] = {:policy => "optional" } }
+        @match.each { |m| hash[m] = {:policy => "match", :value => @match_values[m]} }
+        hash
+      end
+
+    # @return [YAML]
+      def to_yaml
+        self.to_h.to_yaml
+      end
+
+      private
+      # validates that the provided subject has the expected values for the
+      # match policy
+      def validate_match(subject)
+        subject.to_a.each do |item|
+          if @match.include?(item[0])
+            if @match_values[item[0]] != item[1]
+              raise R509::R509Error, "This profile requires that #{item[0]} have value: #{@match_values[item[0]]}"
+            end
+          end
+        end unless @match.empty?
+      end
+
+      # validates that all the subject elements that are required or match in the
+      # subject item policy are present in the supplied subject
+      def validate_required_match(subject)
+        # convert the subject components into an array of component names that match
+        # those that are on the required list
+        supplied = subject.to_a.each do |item|
+          @required.include?(item[0]) or @match.include?(item[0])
+        end.map do |item|
+          item[0]
+        end
+        # so we can make sure they gave us everything that's required
+        diff = @required + @match - supplied
+        if not diff.empty?
+          raise R509::R509Error, "This profile requires you supply "+(@required+@match).join(", ")
+        end
+      end
+    end
+  end
+end

data/lib/r509/crl/administrator.rb

@@ -0,0 +1,169 @@
+require 'openssl'
+require 'r509/config'
+require 'r509/exceptions'
+require 'r509/io_helpers'
+
+module R509
+  # contains CRL related classes (generator and a pre-existing list loader)
+  module CRL
+    # Used to manage revocations and generate CRLs
+    class Administrator
+      include R509::IOHelpers
+
+      attr_reader :crl_number, :config
+
+      # @param config [R509::Config::CAConfig]
+      # @param reader_writer [R509::CRL::ReaderWriter] A subclass off the R509::CRL::ReaderWriter. Defaults to an instance of R509::CRL::FileReaderWriter.
+      def initialize(config,reader_writer=R509::CRL::FileReaderWriter.new)
+        @config = config
+        unless @config.kind_of?(R509::Config::CAConfig)
+          raise R509Error, "config must be a kind of R509::Config::CAConfig"
+        end
+
+        if not reader_writer.kind_of?(R509::CRL::ReaderWriter)
+          raise ArgumentError, "argument reader_writer must be a subclass of R509::CRL::ReaderWriter"
+        end
+        @rw = reader_writer
+        @rw.crl_list_file = @config.crl_list_file unless not @rw.respond_to?(:crl_list_file=)
+        @rw.crl_number_file = @config.crl_number_file unless not @rw.respond_to?(:crl_number_file=)
+        @crl_number = @rw.read_number
+        @revoked_certs = {}
+        @rw.read_list(self)
+
+        @crl_md = R509::MessageDigest.new(@config.crl_md)
+        @crl = nil
+      end
+
+      # Indicates whether the serial number has been revoked, or not.
+      #
+      # @param [Integer] serial The serial number we want to check
+      # @return [Boolean] True if the serial number was revoked. False, otherwise.
+      def revoked?(serial)
+        @revoked_certs.has_key?(serial.to_i)
+      end
+
+      # @return [Array] serial, reason, revoke_time tuple
+      def revoked_cert(serial)
+        @revoked_certs[serial]
+      end
+
+      # Adds a certificate to the revocation list. After calling you must call generate_crl to sign a new CRL
+      #
+      # @param serial [Integer] serial number of the certificate to revoke
+      # @param reason [Integer,nil] reason for revocation
+      # @param revoke_time [Integer]
+      # @param write [Boolean] whether or not to write the revocation event. Should only be false if you're doing an initial load
+      #
+      # reason codes defined by rfc 5280
+      #
+      # CRLReason ::= ENUMERATED {
+      #     unspecified       (0),
+      #     keyCompromise       (1),
+      #     cACompromise        (2),
+      #     affiliationChanged    (3),
+      #     superseded        (4),
+      #     cessationOfOperation    (5),
+      #     certificateHold     (6),
+      #     removeFromCRL       (8),
+      #     privilegeWithdrawn    (9),
+      #     aACompromise       (10) }
+      def revoke_cert(serial,reason=nil, revoke_time=Time.now.to_i, write=true)
+        if not reason.nil?
+          if not reason.kind_of?(Integer) or not reason.between?(0,10) or reason == 7
+            raise ArgumentError, "Revocation reason must be integer 0-10 (excluding 7) or nil"
+          end
+        end
+
+        serial = serial.to_i
+        revoke_time = revoke_time.to_i
+        if revoked?(serial)
+          raise R509::R509Error, "Cannot revoke a previously revoked certificate"
+        end
+        @revoked_certs[serial] = {:reason => reason, :revoke_time => revoke_time}
+        if write == true
+          @rw.write_list_entry(serial, revoke_time, reason)
+        end
+        nil
+      end
+
+      # Remove serial from revocation list. After unrevoking you must call generate_crl to sign a new CRL
+      #
+      # @param serial [Integer] serial number of the certificate to remove from revocation
+      def unrevoke_cert(serial)
+        @revoked_certs.delete(serial)
+        @rw.remove_list_entry(serial)
+        nil
+      end
+
+      # Generate the CRL
+      # @param last_update [Time] the lastUpdate for the CRL
+      # @param next_update [Time] the nextUpdate for the CRL
+      #
+      # @return [R509::CRL::SignedList] signed CRL
+      def generate_crl(last_update=Time.at(Time.now.to_i)-@config.crl_start_skew_seconds,next_update=Time.at(Time.now)+@config.crl_validity_hours*3600)
+        # Time.at(Time.now.to_i) removes sub-second precision. Subsecond precision is irrelevant
+        # for CRL update times and makes testing harder.
+        crl = create_crl_object(last_update,next_update)
+
+        self.revoked_certs.each do |serial, reason, revoke_time|
+          revoked = OpenSSL::X509::Revoked.new
+          revoked.serial = OpenSSL::BN.new serial.to_s
+          revoked.time = Time.at(revoke_time)
+          if not reason.nil?
+            enum = OpenSSL::ASN1::Enumerated(reason)
+            ext = OpenSSL::X509::Extension.new("CRLReason", enum)
+            revoked.add_extension(ext)
+          end
+          # now add it to the crl
+          crl.add_revoked(revoked)
+        end
+
+        crl.sign(@config.crl_cert.key.key, @crl_md.digest)
+        R509::CRL::SignedList.new(crl)
+      end
+
+      # @return [Array<Array>] Returns an array of serial, reason, revoke_time
+      #  tuples.
+      def revoked_certs
+        ret = []
+        @revoked_certs.keys.sort.each do |serial|
+          ret << [serial, @revoked_certs[serial][:reason], @revoked_certs[serial][:revoke_time]]
+        end
+        ret
+      end
+
+      private
+
+      def create_crl_object(last_update,next_update)
+        crl = OpenSSL::X509::CRL.new
+        crl.version = 1
+        crl.last_update = last_update
+        crl.next_update = next_update
+        crl.issuer = @config.crl_cert.subject.name
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.issuer_certificate = @config.crl_cert.cert
+        ef.crl = crl
+        crl_number = increment_crl_number
+        crlnum = OpenSSL::ASN1::Integer(crl_number)
+        crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum))
+        extensions = []
+        extensions << ["authorityKeyIdentifier", "keyid", false]
+        extensions.each{|oid, value, critical|
+          crl.add_extension(ef.create_extension(oid, value, critical))
+        }
+        crl
+      end
+
+      # Increments the crl_number.
+      # @return [Integer] the new CRL number
+      #
+      def increment_crl_number
+        @crl_number += 1
+        @rw.write_number(@crl_number)
+        @crl_number
+      end
+
+    end
+  end
+end
+

data/lib/r509/crl/reader_writer.rb

@@ -0,0 +1,109 @@
+require 'openssl'
+require 'r509/config'
+require 'r509/exceptions'
+require 'r509/io_helpers'
+
+module R509
+  # contains CRL related classes (generator and a pre-existing list loader)
+  module CRL
+    # Abstract base class for a CRL writer. Use this to construct a subclass that can then be passed to
+    # R509::CRL::Administrator to read/write CRL data with whatever backend you want.
+    class ReaderWriter
+      def write_list_entry
+        raise NotImplementedError, "You must call #write_list_entry on a subclass of ReaderWriter"
+      end
+
+      def remove_list_entry
+        raise NotImplementedError, "You must call #remove_list_entry on a subclass of ReaderWriter"
+      end
+
+      def write_number
+        raise NotImplementedError, "You must call #write_number on a subclass of ReaderWriter"
+      end
+
+      def read_list
+        raise NotImplementedError, "You must call #read_list on a subclass of ReaderWriter"
+      end
+
+      def read_number
+        raise NotImplementedError, "You must call #read_number on a subclass of ReaderWriter"
+      end
+    end
+
+    # File-based implementation of the CRL reader/writer. Uses the crl_number_file and crl_list_file attributes in CAConfig
+    class FileReaderWriter < R509::CRL::ReaderWriter
+      include R509::IOHelpers
+
+      attr_accessor :crl_number_file, :crl_list_file
+
+      def initialize
+        @crl_number_file = nil
+        @crl_list_file = nil
+      end
+
+      # Reads a CRL list file from a file or StringIO
+      # @param admin [R509::CRL::Administrator] the parent CRL Administrator object
+      def read_list(admin)
+        return nil if @crl_list_file.nil?
+
+        data = read_data(@crl_list_file)
+
+        data.each_line do |line|
+          line.chomp!
+          serial,  revoke_time, reason = line.split(',', 3)
+          serial = serial.to_i
+          reason = (reason == '') ? nil : reason.to_i
+          revoke_time = (revoke_time == '') ? nil : revoke_time.to_i
+          admin.revoke_cert(serial, reason, revoke_time, false)
+        end
+        nil
+      end
+
+      # Appends a CRL list entry to a file or StringIO
+      # @param serial [Integer] serial number of the certificate to revoke
+      # @param reason [Integer,nil] reason for revocation
+      # @param revoke_time [Integer]
+      def write_list_entry(serial, revoke_time, reason)
+        return nil if @crl_list_file.nil?
+
+        entry = [serial,revoke_time,reason].join(",")
+        write_data(@crl_list_file, entry+"\n" ,'a:ascii-8bit')
+      end
+
+      # Remove a CRL list entry
+      # @param serial [Integer] serial number of the certificate to remove from the list
+      def remove_list_entry(serial)
+        return nil if @crl_list_file.nil?
+
+        data = read_data(@crl_list_file)
+
+        updated_list = []
+
+        data.each_line do |line|
+          line.chomp!
+          revoke_info = line.split(',', 3)
+          if revoke_info[0].to_i != serial
+            updated_list.push(line)
+          end
+        end
+        write_data(@crl_list_file, updated_list.join("\n")+"\n")
+        nil
+      end
+
+      # read the CRL number from a file or StringIO
+      def read_number
+        return 0 if @crl_number_file.nil?
+
+        read_data(@crl_number_file).to_i
+      end
+
+      # write the CRL number to a file or StringIO
+      def write_number(crl_number)
+        return nil if @crl_number_file.nil?
+
+        write_data(@crl_number_file,crl_number.to_s)
+      end
+    end
+  end
+end
+

data/lib/r509/crl/signed_list.rb

@@ -0,0 +1,135 @@
+require 'openssl'
+require 'r509/config'
+require 'r509/exceptions'
+require 'r509/io_helpers'
+
+module R509
+  # contains CRL related classes (generator and a pre-existing list loader)
+  module CRL
+    # Parses CRLs
+    class SignedList
+      include R509::IOHelpers
+
+      attr_reader :crl, :issuer
+
+      # @param [String,OpenSSL::X509::CRL] crl
+      def initialize(crl)
+        @crl = OpenSSL::X509::CRL.new(crl)
+        @issuer = R509::Subject.new(@crl.issuer)
+      end
+
+      # Helper method to quickly load a CRL from the filesystem
+      #
+      # @param [String] filename Path to file you want to load
+      # @return [R509::CRL::SignedList] CRL object
+      def self.load_from_file( filename )
+        return R509::CRL::SignedList.new( IOHelpers.read_data(filename) )
+      end
+
+      # @return [String]
+      def signature_algorithm
+        @crl.signature_algorithm
+      end
+
+      # Writes the CRL into the PEM format
+      #
+      # @param [String, #write] filename_or_io Either a string of the path for
+      #  the file that you'd like to write, or an IO-like object.
+      def write_pem(filename_or_io)
+        write_data(filename_or_io, @crl.to_pem)
+      end
+
+      # Writes the CRL into the PEM format
+      #
+      # @param [String, #write] filename_or_io Either a string of the path for
+      #  the file that you'd like to write, or an IO-like object.
+      def write_der(filename_or_io)
+        write_data(filename_or_io, @crl.to_der)
+      end
+
+      # Returns the signing time of the CRL
+      #
+      # @return [Time] when the CRL was signed
+      def last_update
+        @crl.last_update
+      end
+
+      # Returns the next update time for the CRL
+      #
+      # @return [Time] when it will be updated next
+      def next_update
+        @crl.next_update
+      end
+
+      # Pass a public key to verify that the CRL is signed by a specific certificate (call cert.public_key on that object)
+      #
+      # @param [OpenSSL::PKey::PKey] public_key
+      # @return [Boolean]
+      def verify(public_key)
+        @crl.verify(public_key)
+      end
+
+      # @param [Integer] serial number
+      # @return [Boolean]
+      def revoked?(serial)
+        if @crl.revoked.find { |revoked| revoked.serial == serial.to_i }
+          true
+        else
+          false
+        end
+      end
+
+      # Returns the CRL in PEM format
+      #
+      # @return [String] the CRL in PEM format
+      def to_pem
+        @crl.to_pem
+      end
+
+      alias :to_s :to_pem
+
+      # Returns the CRL in DER format
+      #
+      # @return [String] the CRL in DER format
+      def to_der
+        @crl.to_der
+      end
+
+      # @return [Hash] hash of serial => { :time, :reason } hashes
+      def revoked
+        revoked_list = {}
+        @crl.revoked.each do |revoked|
+          reason = get_reason(revoked)
+          revoked_list[revoked.serial.to_i] = { :time => revoked.time, :reason => reason }
+        end
+
+        revoked_list
+      end
+
+      # @param [Integer] serial number
+      # @return [Hash] hash with :time and :reason
+      def revoked_cert(serial)
+        revoked = @crl.revoked.find { |r| r.serial == serial }
+        if revoked
+          reason = get_reason(revoked)
+          { :time => revoked.time, :reason => reason }
+        else
+          nil
+        end
+      end
+
+      private
+      def get_reason(revocation_object)
+        reason = nil
+        revocation_object.extensions.each do |extension|
+          if extension.oid == "CRLReason"
+            reason = extension.value
+          end
+        end
+
+        reason
+      end
+    end
+  end
+end
+