r509 0.9.2 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
@@ -0,0 +1,118 @@
|
|
1
|
+
require 'yaml'
|
2
|
+
require 'openssl'
|
3
|
+
require 'r509/exceptions'
|
4
|
+
require 'r509/io_helpers'
|
5
|
+
require 'r509/subject'
|
6
|
+
require 'r509/private_key'
|
7
|
+
require 'r509/engine'
|
8
|
+
require 'fileutils'
|
9
|
+
require 'pathname'
|
10
|
+
|
11
|
+
module R509
|
12
|
+
# Module to contain all configuration related classes (e.g. CAConfig, CertProfile, SubjectItemPolicy)
|
13
|
+
module Config
|
14
|
+
# The Subject Item Policy allows you to define what subject fields are allowed in a
|
15
|
+
# certificate. Required means that field *must* be supplied, optional means it will
|
16
|
+
# be encoded if provided, and match means the field must be present and must match
|
17
|
+
# the value specified.
|
18
|
+
#
|
19
|
+
# Using R509::OIDMapper you can create new shortnames that will be usable inside this class.
|
20
|
+
class SubjectItemPolicy
|
21
|
+
# @return [Array]
|
22
|
+
attr_reader :required, :optional, :match, :match_values
|
23
|
+
|
24
|
+
# @param [Hash] hash of required/optional/matching subject items. These must be in OpenSSL shortname format.
|
25
|
+
# @example sample hash
|
26
|
+
# {"CN" => { :policy => "required" },
|
27
|
+
# "O" => { :policy => "required" },
|
28
|
+
# "OU" => { :policy => "optional" },
|
29
|
+
# "ST" => { :policy => "required" },
|
30
|
+
# "C" => { :policy => "required" },
|
31
|
+
# "L" => { :policy => "match", :value => "Chicago" },
|
32
|
+
# "emailAddress" => { :policy => "optional" }
|
33
|
+
def initialize(hash={})
|
34
|
+
if not hash.kind_of?(Hash)
|
35
|
+
raise ArgumentError, "Must supply a hash in form 'shortname'=>hash_with_policy_info"
|
36
|
+
end
|
37
|
+
@required = []
|
38
|
+
@optional = []
|
39
|
+
@match_values = {}
|
40
|
+
@match = []
|
41
|
+
if not hash.empty?
|
42
|
+
hash.each_pair do |key,value|
|
43
|
+
if not value.kind_of?(Hash)
|
44
|
+
raise ArgumentError, "Each value must be a hash with a :policy key"
|
45
|
+
end
|
46
|
+
case value[:policy]
|
47
|
+
when 'required' then @required.push(key)
|
48
|
+
when 'optional' then @optional.push(key)
|
49
|
+
when 'match' then
|
50
|
+
@match_values[key] = value[:value]
|
51
|
+
@match.push(key)
|
52
|
+
else
|
53
|
+
raise ArgumentError, "Unknown subject item policy value. Allowed values are required, optional, or match"
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
# @param [R509::Subject] subject
|
60
|
+
# @return [R509::Subject] validated version of the subject or error
|
61
|
+
def validate_subject(subject)
|
62
|
+
# check if match components are present and match
|
63
|
+
validate_match(subject)
|
64
|
+
validate_required_match(subject)
|
65
|
+
|
66
|
+
# the validated subject contains only those subject components that are either
|
67
|
+
# required, optional, or match
|
68
|
+
R509::Subject.new(subject.to_a.select do |item|
|
69
|
+
@required.include?(item[0]) or @optional.include?(item[0]) or @match.include?(item[0])
|
70
|
+
end)
|
71
|
+
end
|
72
|
+
|
73
|
+
# @return [Hash]
|
74
|
+
def to_h
|
75
|
+
hash = {}
|
76
|
+
@required.each { |r| hash[r] = {:policy => "required" } }
|
77
|
+
@optional.each { |o| hash[o] = {:policy => "optional" } }
|
78
|
+
@match.each { |m| hash[m] = {:policy => "match", :value => @match_values[m]} }
|
79
|
+
hash
|
80
|
+
end
|
81
|
+
|
82
|
+
# @return [YAML]
|
83
|
+
def to_yaml
|
84
|
+
self.to_h.to_yaml
|
85
|
+
end
|
86
|
+
|
87
|
+
private
|
88
|
+
# validates that the provided subject has the expected values for the
|
89
|
+
# match policy
|
90
|
+
def validate_match(subject)
|
91
|
+
subject.to_a.each do |item|
|
92
|
+
if @match.include?(item[0])
|
93
|
+
if @match_values[item[0]] != item[1]
|
94
|
+
raise R509::R509Error, "This profile requires that #{item[0]} have value: #{@match_values[item[0]]}"
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end unless @match.empty?
|
98
|
+
end
|
99
|
+
|
100
|
+
# validates that all the subject elements that are required or match in the
|
101
|
+
# subject item policy are present in the supplied subject
|
102
|
+
def validate_required_match(subject)
|
103
|
+
# convert the subject components into an array of component names that match
|
104
|
+
# those that are on the required list
|
105
|
+
supplied = subject.to_a.each do |item|
|
106
|
+
@required.include?(item[0]) or @match.include?(item[0])
|
107
|
+
end.map do |item|
|
108
|
+
item[0]
|
109
|
+
end
|
110
|
+
# so we can make sure they gave us everything that's required
|
111
|
+
diff = @required + @match - supplied
|
112
|
+
if not diff.empty?
|
113
|
+
raise R509::R509Error, "This profile requires you supply "+(@required+@match).join(", ")
|
114
|
+
end
|
115
|
+
end
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
@@ -0,0 +1,169 @@
|
|
1
|
+
require 'openssl'
|
2
|
+
require 'r509/config'
|
3
|
+
require 'r509/exceptions'
|
4
|
+
require 'r509/io_helpers'
|
5
|
+
|
6
|
+
module R509
|
7
|
+
# contains CRL related classes (generator and a pre-existing list loader)
|
8
|
+
module CRL
|
9
|
+
# Used to manage revocations and generate CRLs
|
10
|
+
class Administrator
|
11
|
+
include R509::IOHelpers
|
12
|
+
|
13
|
+
attr_reader :crl_number, :config
|
14
|
+
|
15
|
+
# @param config [R509::Config::CAConfig]
|
16
|
+
# @param reader_writer [R509::CRL::ReaderWriter] A subclass off the R509::CRL::ReaderWriter. Defaults to an instance of R509::CRL::FileReaderWriter.
|
17
|
+
def initialize(config,reader_writer=R509::CRL::FileReaderWriter.new)
|
18
|
+
@config = config
|
19
|
+
unless @config.kind_of?(R509::Config::CAConfig)
|
20
|
+
raise R509Error, "config must be a kind of R509::Config::CAConfig"
|
21
|
+
end
|
22
|
+
|
23
|
+
if not reader_writer.kind_of?(R509::CRL::ReaderWriter)
|
24
|
+
raise ArgumentError, "argument reader_writer must be a subclass of R509::CRL::ReaderWriter"
|
25
|
+
end
|
26
|
+
@rw = reader_writer
|
27
|
+
@rw.crl_list_file = @config.crl_list_file unless not @rw.respond_to?(:crl_list_file=)
|
28
|
+
@rw.crl_number_file = @config.crl_number_file unless not @rw.respond_to?(:crl_number_file=)
|
29
|
+
@crl_number = @rw.read_number
|
30
|
+
@revoked_certs = {}
|
31
|
+
@rw.read_list(self)
|
32
|
+
|
33
|
+
@crl_md = R509::MessageDigest.new(@config.crl_md)
|
34
|
+
@crl = nil
|
35
|
+
end
|
36
|
+
|
37
|
+
# Indicates whether the serial number has been revoked, or not.
|
38
|
+
#
|
39
|
+
# @param [Integer] serial The serial number we want to check
|
40
|
+
# @return [Boolean] True if the serial number was revoked. False, otherwise.
|
41
|
+
def revoked?(serial)
|
42
|
+
@revoked_certs.has_key?(serial.to_i)
|
43
|
+
end
|
44
|
+
|
45
|
+
# @return [Array] serial, reason, revoke_time tuple
|
46
|
+
def revoked_cert(serial)
|
47
|
+
@revoked_certs[serial]
|
48
|
+
end
|
49
|
+
|
50
|
+
# Adds a certificate to the revocation list. After calling you must call generate_crl to sign a new CRL
|
51
|
+
#
|
52
|
+
# @param serial [Integer] serial number of the certificate to revoke
|
53
|
+
# @param reason [Integer,nil] reason for revocation
|
54
|
+
# @param revoke_time [Integer]
|
55
|
+
# @param write [Boolean] whether or not to write the revocation event. Should only be false if you're doing an initial load
|
56
|
+
#
|
57
|
+
# reason codes defined by rfc 5280
|
58
|
+
#
|
59
|
+
# CRLReason ::= ENUMERATED {
|
60
|
+
# unspecified (0),
|
61
|
+
# keyCompromise (1),
|
62
|
+
# cACompromise (2),
|
63
|
+
# affiliationChanged (3),
|
64
|
+
# superseded (4),
|
65
|
+
# cessationOfOperation (5),
|
66
|
+
# certificateHold (6),
|
67
|
+
# removeFromCRL (8),
|
68
|
+
# privilegeWithdrawn (9),
|
69
|
+
# aACompromise (10) }
|
70
|
+
def revoke_cert(serial,reason=nil, revoke_time=Time.now.to_i, write=true)
|
71
|
+
if not reason.nil?
|
72
|
+
if not reason.kind_of?(Integer) or not reason.between?(0,10) or reason == 7
|
73
|
+
raise ArgumentError, "Revocation reason must be integer 0-10 (excluding 7) or nil"
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
serial = serial.to_i
|
78
|
+
revoke_time = revoke_time.to_i
|
79
|
+
if revoked?(serial)
|
80
|
+
raise R509::R509Error, "Cannot revoke a previously revoked certificate"
|
81
|
+
end
|
82
|
+
@revoked_certs[serial] = {:reason => reason, :revoke_time => revoke_time}
|
83
|
+
if write == true
|
84
|
+
@rw.write_list_entry(serial, revoke_time, reason)
|
85
|
+
end
|
86
|
+
nil
|
87
|
+
end
|
88
|
+
|
89
|
+
# Remove serial from revocation list. After unrevoking you must call generate_crl to sign a new CRL
|
90
|
+
#
|
91
|
+
# @param serial [Integer] serial number of the certificate to remove from revocation
|
92
|
+
def unrevoke_cert(serial)
|
93
|
+
@revoked_certs.delete(serial)
|
94
|
+
@rw.remove_list_entry(serial)
|
95
|
+
nil
|
96
|
+
end
|
97
|
+
|
98
|
+
# Generate the CRL
|
99
|
+
# @param last_update [Time] the lastUpdate for the CRL
|
100
|
+
# @param next_update [Time] the nextUpdate for the CRL
|
101
|
+
#
|
102
|
+
# @return [R509::CRL::SignedList] signed CRL
|
103
|
+
def generate_crl(last_update=Time.at(Time.now.to_i)-@config.crl_start_skew_seconds,next_update=Time.at(Time.now)+@config.crl_validity_hours*3600)
|
104
|
+
# Time.at(Time.now.to_i) removes sub-second precision. Subsecond precision is irrelevant
|
105
|
+
# for CRL update times and makes testing harder.
|
106
|
+
crl = create_crl_object(last_update,next_update)
|
107
|
+
|
108
|
+
self.revoked_certs.each do |serial, reason, revoke_time|
|
109
|
+
revoked = OpenSSL::X509::Revoked.new
|
110
|
+
revoked.serial = OpenSSL::BN.new serial.to_s
|
111
|
+
revoked.time = Time.at(revoke_time)
|
112
|
+
if not reason.nil?
|
113
|
+
enum = OpenSSL::ASN1::Enumerated(reason)
|
114
|
+
ext = OpenSSL::X509::Extension.new("CRLReason", enum)
|
115
|
+
revoked.add_extension(ext)
|
116
|
+
end
|
117
|
+
# now add it to the crl
|
118
|
+
crl.add_revoked(revoked)
|
119
|
+
end
|
120
|
+
|
121
|
+
crl.sign(@config.crl_cert.key.key, @crl_md.digest)
|
122
|
+
R509::CRL::SignedList.new(crl)
|
123
|
+
end
|
124
|
+
|
125
|
+
# @return [Array<Array>] Returns an array of serial, reason, revoke_time
|
126
|
+
# tuples.
|
127
|
+
def revoked_certs
|
128
|
+
ret = []
|
129
|
+
@revoked_certs.keys.sort.each do |serial|
|
130
|
+
ret << [serial, @revoked_certs[serial][:reason], @revoked_certs[serial][:revoke_time]]
|
131
|
+
end
|
132
|
+
ret
|
133
|
+
end
|
134
|
+
|
135
|
+
private
|
136
|
+
|
137
|
+
def create_crl_object(last_update,next_update)
|
138
|
+
crl = OpenSSL::X509::CRL.new
|
139
|
+
crl.version = 1
|
140
|
+
crl.last_update = last_update
|
141
|
+
crl.next_update = next_update
|
142
|
+
crl.issuer = @config.crl_cert.subject.name
|
143
|
+
ef = OpenSSL::X509::ExtensionFactory.new
|
144
|
+
ef.issuer_certificate = @config.crl_cert.cert
|
145
|
+
ef.crl = crl
|
146
|
+
crl_number = increment_crl_number
|
147
|
+
crlnum = OpenSSL::ASN1::Integer(crl_number)
|
148
|
+
crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum))
|
149
|
+
extensions = []
|
150
|
+
extensions << ["authorityKeyIdentifier", "keyid", false]
|
151
|
+
extensions.each{|oid, value, critical|
|
152
|
+
crl.add_extension(ef.create_extension(oid, value, critical))
|
153
|
+
}
|
154
|
+
crl
|
155
|
+
end
|
156
|
+
|
157
|
+
# Increments the crl_number.
|
158
|
+
# @return [Integer] the new CRL number
|
159
|
+
#
|
160
|
+
def increment_crl_number
|
161
|
+
@crl_number += 1
|
162
|
+
@rw.write_number(@crl_number)
|
163
|
+
@crl_number
|
164
|
+
end
|
165
|
+
|
166
|
+
end
|
167
|
+
end
|
168
|
+
end
|
169
|
+
|
@@ -0,0 +1,109 @@
|
|
1
|
+
require 'openssl'
|
2
|
+
require 'r509/config'
|
3
|
+
require 'r509/exceptions'
|
4
|
+
require 'r509/io_helpers'
|
5
|
+
|
6
|
+
module R509
|
7
|
+
# contains CRL related classes (generator and a pre-existing list loader)
|
8
|
+
module CRL
|
9
|
+
# Abstract base class for a CRL writer. Use this to construct a subclass that can then be passed to
|
10
|
+
# R509::CRL::Administrator to read/write CRL data with whatever backend you want.
|
11
|
+
class ReaderWriter
|
12
|
+
def write_list_entry
|
13
|
+
raise NotImplementedError, "You must call #write_list_entry on a subclass of ReaderWriter"
|
14
|
+
end
|
15
|
+
|
16
|
+
def remove_list_entry
|
17
|
+
raise NotImplementedError, "You must call #remove_list_entry on a subclass of ReaderWriter"
|
18
|
+
end
|
19
|
+
|
20
|
+
def write_number
|
21
|
+
raise NotImplementedError, "You must call #write_number on a subclass of ReaderWriter"
|
22
|
+
end
|
23
|
+
|
24
|
+
def read_list
|
25
|
+
raise NotImplementedError, "You must call #read_list on a subclass of ReaderWriter"
|
26
|
+
end
|
27
|
+
|
28
|
+
def read_number
|
29
|
+
raise NotImplementedError, "You must call #read_number on a subclass of ReaderWriter"
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
# File-based implementation of the CRL reader/writer. Uses the crl_number_file and crl_list_file attributes in CAConfig
|
34
|
+
class FileReaderWriter < R509::CRL::ReaderWriter
|
35
|
+
include R509::IOHelpers
|
36
|
+
|
37
|
+
attr_accessor :crl_number_file, :crl_list_file
|
38
|
+
|
39
|
+
def initialize
|
40
|
+
@crl_number_file = nil
|
41
|
+
@crl_list_file = nil
|
42
|
+
end
|
43
|
+
|
44
|
+
# Reads a CRL list file from a file or StringIO
|
45
|
+
# @param admin [R509::CRL::Administrator] the parent CRL Administrator object
|
46
|
+
def read_list(admin)
|
47
|
+
return nil if @crl_list_file.nil?
|
48
|
+
|
49
|
+
data = read_data(@crl_list_file)
|
50
|
+
|
51
|
+
data.each_line do |line|
|
52
|
+
line.chomp!
|
53
|
+
serial, revoke_time, reason = line.split(',', 3)
|
54
|
+
serial = serial.to_i
|
55
|
+
reason = (reason == '') ? nil : reason.to_i
|
56
|
+
revoke_time = (revoke_time == '') ? nil : revoke_time.to_i
|
57
|
+
admin.revoke_cert(serial, reason, revoke_time, false)
|
58
|
+
end
|
59
|
+
nil
|
60
|
+
end
|
61
|
+
|
62
|
+
# Appends a CRL list entry to a file or StringIO
|
63
|
+
# @param serial [Integer] serial number of the certificate to revoke
|
64
|
+
# @param reason [Integer,nil] reason for revocation
|
65
|
+
# @param revoke_time [Integer]
|
66
|
+
def write_list_entry(serial, revoke_time, reason)
|
67
|
+
return nil if @crl_list_file.nil?
|
68
|
+
|
69
|
+
entry = [serial,revoke_time,reason].join(",")
|
70
|
+
write_data(@crl_list_file, entry+"\n" ,'a:ascii-8bit')
|
71
|
+
end
|
72
|
+
|
73
|
+
# Remove a CRL list entry
|
74
|
+
# @param serial [Integer] serial number of the certificate to remove from the list
|
75
|
+
def remove_list_entry(serial)
|
76
|
+
return nil if @crl_list_file.nil?
|
77
|
+
|
78
|
+
data = read_data(@crl_list_file)
|
79
|
+
|
80
|
+
updated_list = []
|
81
|
+
|
82
|
+
data.each_line do |line|
|
83
|
+
line.chomp!
|
84
|
+
revoke_info = line.split(',', 3)
|
85
|
+
if revoke_info[0].to_i != serial
|
86
|
+
updated_list.push(line)
|
87
|
+
end
|
88
|
+
end
|
89
|
+
write_data(@crl_list_file, updated_list.join("\n")+"\n")
|
90
|
+
nil
|
91
|
+
end
|
92
|
+
|
93
|
+
# read the CRL number from a file or StringIO
|
94
|
+
def read_number
|
95
|
+
return 0 if @crl_number_file.nil?
|
96
|
+
|
97
|
+
read_data(@crl_number_file).to_i
|
98
|
+
end
|
99
|
+
|
100
|
+
# write the CRL number to a file or StringIO
|
101
|
+
def write_number(crl_number)
|
102
|
+
return nil if @crl_number_file.nil?
|
103
|
+
|
104
|
+
write_data(@crl_number_file,crl_number.to_s)
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
@@ -0,0 +1,135 @@
|
|
1
|
+
require 'openssl'
|
2
|
+
require 'r509/config'
|
3
|
+
require 'r509/exceptions'
|
4
|
+
require 'r509/io_helpers'
|
5
|
+
|
6
|
+
module R509
|
7
|
+
# contains CRL related classes (generator and a pre-existing list loader)
|
8
|
+
module CRL
|
9
|
+
# Parses CRLs
|
10
|
+
class SignedList
|
11
|
+
include R509::IOHelpers
|
12
|
+
|
13
|
+
attr_reader :crl, :issuer
|
14
|
+
|
15
|
+
# @param [String,OpenSSL::X509::CRL] crl
|
16
|
+
def initialize(crl)
|
17
|
+
@crl = OpenSSL::X509::CRL.new(crl)
|
18
|
+
@issuer = R509::Subject.new(@crl.issuer)
|
19
|
+
end
|
20
|
+
|
21
|
+
# Helper method to quickly load a CRL from the filesystem
|
22
|
+
#
|
23
|
+
# @param [String] filename Path to file you want to load
|
24
|
+
# @return [R509::CRL::SignedList] CRL object
|
25
|
+
def self.load_from_file( filename )
|
26
|
+
return R509::CRL::SignedList.new( IOHelpers.read_data(filename) )
|
27
|
+
end
|
28
|
+
|
29
|
+
# @return [String]
|
30
|
+
def signature_algorithm
|
31
|
+
@crl.signature_algorithm
|
32
|
+
end
|
33
|
+
|
34
|
+
# Writes the CRL into the PEM format
|
35
|
+
#
|
36
|
+
# @param [String, #write] filename_or_io Either a string of the path for
|
37
|
+
# the file that you'd like to write, or an IO-like object.
|
38
|
+
def write_pem(filename_or_io)
|
39
|
+
write_data(filename_or_io, @crl.to_pem)
|
40
|
+
end
|
41
|
+
|
42
|
+
# Writes the CRL into the PEM format
|
43
|
+
#
|
44
|
+
# @param [String, #write] filename_or_io Either a string of the path for
|
45
|
+
# the file that you'd like to write, or an IO-like object.
|
46
|
+
def write_der(filename_or_io)
|
47
|
+
write_data(filename_or_io, @crl.to_der)
|
48
|
+
end
|
49
|
+
|
50
|
+
# Returns the signing time of the CRL
|
51
|
+
#
|
52
|
+
# @return [Time] when the CRL was signed
|
53
|
+
def last_update
|
54
|
+
@crl.last_update
|
55
|
+
end
|
56
|
+
|
57
|
+
# Returns the next update time for the CRL
|
58
|
+
#
|
59
|
+
# @return [Time] when it will be updated next
|
60
|
+
def next_update
|
61
|
+
@crl.next_update
|
62
|
+
end
|
63
|
+
|
64
|
+
# Pass a public key to verify that the CRL is signed by a specific certificate (call cert.public_key on that object)
|
65
|
+
#
|
66
|
+
# @param [OpenSSL::PKey::PKey] public_key
|
67
|
+
# @return [Boolean]
|
68
|
+
def verify(public_key)
|
69
|
+
@crl.verify(public_key)
|
70
|
+
end
|
71
|
+
|
72
|
+
# @param [Integer] serial number
|
73
|
+
# @return [Boolean]
|
74
|
+
def revoked?(serial)
|
75
|
+
if @crl.revoked.find { |revoked| revoked.serial == serial.to_i }
|
76
|
+
true
|
77
|
+
else
|
78
|
+
false
|
79
|
+
end
|
80
|
+
end
|
81
|
+
|
82
|
+
# Returns the CRL in PEM format
|
83
|
+
#
|
84
|
+
# @return [String] the CRL in PEM format
|
85
|
+
def to_pem
|
86
|
+
@crl.to_pem
|
87
|
+
end
|
88
|
+
|
89
|
+
alias :to_s :to_pem
|
90
|
+
|
91
|
+
# Returns the CRL in DER format
|
92
|
+
#
|
93
|
+
# @return [String] the CRL in DER format
|
94
|
+
def to_der
|
95
|
+
@crl.to_der
|
96
|
+
end
|
97
|
+
|
98
|
+
# @return [Hash] hash of serial => { :time, :reason } hashes
|
99
|
+
def revoked
|
100
|
+
revoked_list = {}
|
101
|
+
@crl.revoked.each do |revoked|
|
102
|
+
reason = get_reason(revoked)
|
103
|
+
revoked_list[revoked.serial.to_i] = { :time => revoked.time, :reason => reason }
|
104
|
+
end
|
105
|
+
|
106
|
+
revoked_list
|
107
|
+
end
|
108
|
+
|
109
|
+
# @param [Integer] serial number
|
110
|
+
# @return [Hash] hash with :time and :reason
|
111
|
+
def revoked_cert(serial)
|
112
|
+
revoked = @crl.revoked.find { |r| r.serial == serial }
|
113
|
+
if revoked
|
114
|
+
reason = get_reason(revoked)
|
115
|
+
{ :time => revoked.time, :reason => reason }
|
116
|
+
else
|
117
|
+
nil
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
121
|
+
private
|
122
|
+
def get_reason(revocation_object)
|
123
|
+
reason = nil
|
124
|
+
revocation_object.extensions.each do |extension|
|
125
|
+
if extension.oid == "CRLReason"
|
126
|
+
reason = extension.value
|
127
|
+
end
|
128
|
+
end
|
129
|
+
|
130
|
+
reason
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|