r509 0.9.2 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +2 -0
- data/CONTRIBUTING.mdown +21 -0
- data/LICENSE +13 -0
- data/README.mdown +548 -0
- data/Rakefile +5 -0
- data/bin/r509 +16 -17
- data/doc/R509.html +42 -26
- data/doc/R509/ASN1.html +22 -16
- data/doc/R509/ASN1/GeneralName.html +180 -173
- data/doc/R509/ASN1/GeneralNames.html +390 -62
- data/doc/R509/CRL.html +9 -7
- data/doc/R509/CRL/Administrator.html +208 -623
- data/doc/R509/CRL/FileReaderWriter.html +856 -0
- data/doc/R509/CRL/ReaderWriter.html +524 -0
- data/doc/R509/CRL/SignedList.html +29 -42
- data/doc/R509/CSR.html +248 -333
- data/doc/R509/Cert.html +364 -491
- data/doc/R509/Cert/Extensions.html +134 -43
- data/doc/R509/Cert/Extensions/AuthorityInfoAccess.html +335 -65
- data/doc/R509/Cert/Extensions/AuthorityKeyIdentifier.html +201 -102
- data/doc/R509/Cert/Extensions/BasicConstraints.html +297 -68
- data/doc/R509/Cert/Extensions/CRLDistributionPoints.html +690 -77
- data/doc/R509/Cert/Extensions/CertificatePolicies.html +293 -43
- data/doc/R509/Cert/Extensions/ExtendedKeyUsage.html +321 -173
- data/doc/R509/Cert/Extensions/GeneralNamesMixin.html +656 -0
- data/doc/R509/Cert/Extensions/InhibitAnyPolicy.html +270 -42
- data/doc/R509/Cert/Extensions/KeyUsage.html +334 -184
- data/doc/R509/Cert/Extensions/NameConstraints.html +363 -93
- data/doc/R509/{ASN1 → Cert/Extensions}/NoticeReference.html +209 -48
- data/doc/R509/Cert/Extensions/OCSPNoCheck.html +244 -17
- data/doc/R509/Cert/Extensions/PolicyConstraints.html +322 -71
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyInformation.html +204 -43
- data/doc/R509/{ASN1 → Cert/Extensions}/PolicyQualifiers.html +205 -48
- data/doc/R509/Cert/Extensions/SubjectAlternativeName.html +348 -143
- data/doc/R509/Cert/Extensions/SubjectKeyIdentifier.html +165 -13
- data/doc/R509/{ASN1 → Cert/Extensions}/UserNotice.html +204 -43
- data/doc/R509/Cert/Extensions/ValidationMixin.html +120 -0
- data/doc/R509/CertificateAuthority.html +9 -7
- data/doc/R509/CertificateAuthority/OptionsBuilder.html +475 -0
- data/doc/R509/CertificateAuthority/Signer.html +149 -198
- data/doc/R509/Config.html +10 -8
- data/doc/R509/Config/CAConfig.html +708 -625
- data/doc/R509/Config/CAConfigPool.html +179 -31
- data/doc/R509/Config/CertProfile.html +1544 -0
- data/doc/R509/Config/SubjectItemPolicy.html +437 -99
- data/doc/R509/Engine.html +14 -28
- data/doc/R509/Helpers.html +1014 -0
- data/doc/R509/MessageDigest.html +73 -25
- data/doc/R509/NameSanitizer.html +39 -39
- data/doc/R509/OCSP.html +5 -5
- data/doc/R509/OCSP/Request.html +5 -5
- data/doc/R509/OCSP/Request/Nonce.html +5 -5
- data/doc/R509/OCSP/Response.html +7 -7
- data/doc/R509/OIDMapper.html +121 -6
- data/doc/R509/PrivateKey.html +226 -227
- data/doc/R509/R509Error.html +5 -5
- data/doc/R509/SPKI.html +244 -342
- data/doc/R509/Subject.html +241 -70
- data/doc/R509/Validity.html +5 -5
- data/doc/R509/Validity/Checker.html +5 -5
- data/doc/R509/Validity/DefaultChecker.html +5 -9
- data/doc/R509/Validity/DefaultWriter.html +5 -9
- data/doc/R509/Validity/Status.html +5 -5
- data/doc/R509/Validity/Writer.html +5 -5
- data/doc/_index.html +92 -30
- data/doc/class_list.html +2 -2
- data/doc/file.CONTRIBUTING.html +96 -0
- data/doc/file.LICENSE.html +87 -0
- data/doc/file.README.html +279 -389
- data/doc/file.YAML.html +243 -0
- data/doc/file.r509.html +298 -105
- data/doc/file_list.html +11 -2
- data/doc/frames.html +1 -1
- data/doc/index.html +279 -389
- data/doc/js/full_list.js +6 -1
- data/doc/method_list.html +869 -1139
- data/doc/top-level-namespace.html +103 -5
- data/lib/r509.rb +7 -2
- data/lib/r509/asn1.rb +97 -135
- data/lib/r509/cert.rb +17 -106
- data/lib/r509/cert/extensions.rb +13 -676
- data/lib/r509/cert/extensions/authority_info_access.rb +128 -0
- data/lib/r509/cert/extensions/authority_key_identifier.rb +100 -0
- data/lib/r509/cert/extensions/base.rb +142 -0
- data/lib/r509/cert/extensions/basic_constraints.rb +119 -0
- data/lib/r509/cert/extensions/certificate_policies.rb +262 -0
- data/lib/r509/cert/extensions/crl_distribution_points.rb +98 -0
- data/lib/r509/cert/extensions/extended_key_usage.rb +189 -0
- data/lib/r509/cert/extensions/inhibit_any_policy.rb +70 -0
- data/lib/r509/cert/extensions/key_usage.rb +209 -0
- data/lib/r509/cert/extensions/name_constraints.rb +179 -0
- data/lib/r509/cert/extensions/ocsp_no_check.rb +56 -0
- data/lib/r509/cert/extensions/policy_constraints.rb +122 -0
- data/lib/r509/cert/extensions/subject_alternative_name.rb +88 -0
- data/lib/r509/cert/extensions/subject_key_identifier.rb +56 -0
- data/lib/r509/cert/extensions/validation_mixin.rb +42 -0
- data/lib/r509/certificate_authority/options_builder.rb +142 -0
- data/lib/r509/certificate_authority/signer.rb +189 -0
- data/lib/r509/config.rb +3 -600
- data/lib/r509/config/ca_config.rb +414 -0
- data/lib/r509/config/cert_profile.rb +110 -0
- data/lib/r509/config/subject_item_policy.rb +118 -0
- data/lib/r509/crl/administrator.rb +169 -0
- data/lib/r509/crl/reader_writer.rb +109 -0
- data/lib/r509/crl/signed_list.rb +135 -0
- data/lib/r509/csr.rb +35 -116
- data/lib/r509/engine.rb +21 -11
- data/lib/r509/helpers.rb +110 -0
- data/lib/r509/io_helpers.rb +18 -13
- data/lib/r509/message_digest.rb +13 -3
- data/lib/r509/oid_mapper.rb +14 -0
- data/lib/r509/private_key.rb +74 -50
- data/lib/r509/spki.rb +50 -113
- data/lib/r509/subject.rb +24 -2
- data/lib/r509/trollop.rb +788 -0
- data/lib/r509/version.rb +1 -1
- data/r509.yaml +289 -96
- data/spec/asn1_spec.rb +171 -98
- data/spec/cert/extensions/authority_info_access_spec.rb +247 -0
- data/spec/cert/extensions/authority_key_identifier_spec.rb +85 -0
- data/spec/cert/extensions/base_spec.rb +172 -0
- data/spec/cert/extensions/basic_constraints_spec.rb +185 -0
- data/spec/cert/extensions/certificate_policies_spec.rb +288 -0
- data/spec/cert/extensions/crl_distribution_points_spec.rb +149 -0
- data/spec/cert/extensions/extended_key_usage_spec.rb +174 -0
- data/spec/cert/extensions/inhibit_any_policy_spec.rb +92 -0
- data/spec/cert/extensions/key_usage_spec.rb +172 -0
- data/spec/cert/extensions/name_constraints_spec.rb +335 -0
- data/spec/cert/extensions/ocsp_no_check_spec.rb +76 -0
- data/spec/cert/extensions/policy_constraints_spec.rb +155 -0
- data/spec/cert/extensions/subject_alternative_name_spec.rb +354 -0
- data/spec/cert/extensions/subject_key_identifier_spec.rb +64 -0
- data/spec/cert_spec.rb +11 -9
- data/spec/certificate_authority/options_builder_spec.rb +307 -0
- data/spec/certificate_authority/signer_spec.rb +278 -0
- data/spec/config/ca_config_spec.rb +405 -0
- data/spec/config/cert_profile_spec.rb +88 -0
- data/spec/config/subject_item_policy_spec.rb +81 -0
- data/spec/crl/administrator_spec.rb +199 -0
- data/spec/crl/reader_writer_spec.rb +97 -0
- data/spec/crl/signed_list_spec.rb +84 -0
- data/spec/csr_spec.rb +43 -36
- data/spec/engine_spec.rb +51 -0
- data/spec/fixtures.rb +40 -40
- data/spec/fixtures/cert1.pem +1 -1
- data/spec/fixtures/config_pool_test_minimal.yaml +11 -15
- data/spec/fixtures/config_test.yaml +96 -59
- data/spec/fixtures/config_test_dsa.yaml +29 -35
- data/spec/fixtures/config_test_ec.yaml +29 -35
- data/spec/fixtures/config_test_engine_key.yaml +7 -7
- data/spec/fixtures/config_test_engine_no_key_name.yaml +6 -6
- data/spec/fixtures/config_test_minimal.yaml +3 -5
- data/spec/fixtures/config_test_password.yaml +4 -6
- data/spec/fixtures/config_test_various.yaml +147 -137
- data/spec/fixtures/crl_list_file.txt +1 -1
- data/spec/fixtures/test_ca_crl.cer +20 -0
- data/spec/fixtures/test_ca_crl.key +28 -0
- data/spec/fixtures/test_ca_crl.p12 +0 -0
- data/spec/message_digest_spec.rb +6 -0
- data/spec/oid_mapper_spec.rb +11 -0
- data/spec/private_key_spec.rb +19 -18
- data/spec/spec_helper.rb +10 -6
- data/spec/spki_spec.rb +38 -19
- data/spec/subject_spec.rb +16 -0
- metadata +108 -59
- metadata.gz.sig +0 -0
- data/README.md +0 -638
- data/doc/R509/Config/CAProfile.html +0 -1015
- data/doc/R509/IOHelpers.html +0 -564
- data/lib/r509/certificate_authority.rb +0 -407
- data/lib/r509/crl.rb +0 -351
- data/spec/cert/extensions_spec.rb +0 -1095
- data/spec/certificate_authority_spec.rb +0 -681
- data/spec/config_spec.rb +0 -562
- data/spec/crl_spec.rb +0 -226
data/lib/r509/message_digest.rb
CHANGED
|
@@ -3,13 +3,23 @@ require 'openssl'
|
|
|
3
3
|
module R509
|
|
4
4
|
#MessageDigest allows you to specify MDs in a more friendly fashion
|
|
5
5
|
class MessageDigest
|
|
6
|
+
# a list of message digests that this class understands
|
|
7
|
+
KNOWN_MDS = ['SHA1','SHA224','SHA256','SHA384','SHA512','DSS1','MD5']
|
|
8
|
+
|
|
9
|
+
# this constant defines the default message digest if it is not supplied
|
|
10
|
+
# or an invalid digest is passed
|
|
11
|
+
DEFAULT_MD = 'SHA1'
|
|
12
|
+
|
|
6
13
|
attr_reader :name, :digest
|
|
7
14
|
|
|
8
15
|
# @param [String,OpenSSL::Digest] arg
|
|
9
|
-
def initialize(arg)
|
|
16
|
+
def initialize(arg=nil)
|
|
10
17
|
if arg.kind_of?(String)
|
|
11
18
|
@name = arg.downcase
|
|
12
19
|
@digest = translate_name_to_digest
|
|
20
|
+
elsif arg.nil?
|
|
21
|
+
@name = DEFAULT_MD
|
|
22
|
+
@digest = translate_name_to_digest
|
|
13
23
|
else
|
|
14
24
|
@digest = arg
|
|
15
25
|
@name = translate_digest_to_name
|
|
@@ -29,8 +39,8 @@ module R509
|
|
|
29
39
|
when 'md5' then OpenSSL::Digest::MD5.new
|
|
30
40
|
when 'dss1' then OpenSSL::Digest::DSS1.new
|
|
31
41
|
else
|
|
32
|
-
@name =
|
|
33
|
-
|
|
42
|
+
@name = DEFAULT_MD.downcase
|
|
43
|
+
translate_name_to_digest
|
|
34
44
|
end
|
|
35
45
|
end
|
|
36
46
|
|
data/lib/r509/oid_mapper.rb
CHANGED
|
@@ -28,5 +28,19 @@ module R509
|
|
|
28
28
|
end
|
|
29
29
|
nil
|
|
30
30
|
end
|
|
31
|
+
|
|
32
|
+
# Load YAML and register OIDs
|
|
33
|
+
# @param [String] name Name of the config within the file
|
|
34
|
+
# @param [String] yaml_data YAML data to load
|
|
35
|
+
# @example
|
|
36
|
+
# custom_oids:
|
|
37
|
+
# - :oid: 1.4.3.2.1.2.3.4.4.4.5
|
|
38
|
+
# :short_name: testOIDName
|
|
39
|
+
# - :oid: 1.4.3.2.1.2.5.4.4.4.5
|
|
40
|
+
# :short_name: anotherOIDName
|
|
41
|
+
def self.register_from_yaml(name, yaml_data)
|
|
42
|
+
conf = YAML.load(yaml_data)
|
|
43
|
+
self.batch_register(conf[name])
|
|
44
|
+
end
|
|
31
45
|
end
|
|
32
46
|
end
|
data/lib/r509/private_key.rb
CHANGED
|
@@ -7,9 +7,19 @@ module R509
|
|
|
7
7
|
class PrivateKey
|
|
8
8
|
include R509::IOHelpers
|
|
9
9
|
|
|
10
|
-
#
|
|
11
|
-
|
|
12
|
-
#
|
|
10
|
+
# a list of key types
|
|
11
|
+
KNOWN_TYPES = ["RSA","DSA","EC"]
|
|
12
|
+
# the default type
|
|
13
|
+
DEFAULT_TYPE = "RSA"
|
|
14
|
+
# default bit length for DSA/RSA
|
|
15
|
+
DEFAULT_STRENGTH = 2048
|
|
16
|
+
# default curve name for EC
|
|
17
|
+
DEFAULT_CURVE = "secp384r1"
|
|
18
|
+
|
|
19
|
+
# @option opts [Symbol] :type Defaults to R509::PrivateKey::DEFAULT_TYPE. Allows R509::PrivateKey::KNOWN_TYPES.
|
|
20
|
+
# @option opts [String] :curve_name ("secp384r1") Only used if :type is EC
|
|
21
|
+
# @option opts [Integer] :bit_length (2048) Only used if :type is RSA or DSA
|
|
22
|
+
# @option opts [Integer] :bit_strength (2048) Deprecated, identical to bit_length.
|
|
13
23
|
# @option opts [String] :password
|
|
14
24
|
# @option opts [String,OpenSSL::PKey::RSA,OpenSSL::PKey::DSA,OpenSSL::PKey::EC] :key
|
|
15
25
|
# @option opts [OpenSSL::Engine] :engine
|
|
@@ -18,53 +28,12 @@ module R509
|
|
|
18
28
|
if not opts.kind_of?(Hash)
|
|
19
29
|
raise ArgumentError, 'Must provide a hash of options'
|
|
20
30
|
end
|
|
21
|
-
|
|
22
|
-
if opts.has_key?(:engine) and opts.has_key?(:key)
|
|
23
|
-
raise ArgumentError, 'You can\'t pass both :key and :engine'
|
|
24
|
-
elsif opts.has_key?(:key_name) and not opts.has_key?(:engine)
|
|
25
|
-
raise ArgumentError, 'When providing a :key_name you MUST provide an :engine'
|
|
26
|
-
elsif opts.has_key?(:engine) and not opts.has_key?(:key_name)
|
|
27
|
-
raise ArgumentError, 'When providing an :engine you MUST provide a :key_name'
|
|
28
|
-
elsif opts.has_key?(:engine) and opts.has_key?(:key_name)
|
|
29
|
-
if not opts[:engine].kind_of?(OpenSSL::Engine)
|
|
30
|
-
raise ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine'
|
|
31
|
-
end
|
|
32
|
-
@engine = opts[:engine]
|
|
33
|
-
@key_name = opts[:key_name]
|
|
34
|
-
end
|
|
31
|
+
validate_engine(opts)
|
|
35
32
|
|
|
36
33
|
if opts.has_key?(:key)
|
|
37
|
-
|
|
38
|
-
#OpenSSL::PKey.read solves this begin/rescue garbage but is only
|
|
39
|
-
#available to Ruby 1.9.3+ and may not solve the EC portion
|
|
40
|
-
begin
|
|
41
|
-
@key = OpenSSL::PKey::RSA.new(opts[:key],password)
|
|
42
|
-
rescue OpenSSL::PKey::RSAError
|
|
43
|
-
begin
|
|
44
|
-
@key = OpenSSL::PKey::DSA.new(opts[:key],password)
|
|
45
|
-
rescue
|
|
46
|
-
begin
|
|
47
|
-
@key = OpenSSL::PKey::EC.new(opts[:key],password)
|
|
48
|
-
rescue
|
|
49
|
-
raise R509::R509Error, "Failed to load private key. Invalid key or incorrect password."
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
end
|
|
34
|
+
validate_key(opts)
|
|
53
35
|
else
|
|
54
|
-
|
|
55
|
-
type = opts[:type] || :rsa
|
|
56
|
-
case type
|
|
57
|
-
when :rsa
|
|
58
|
-
@key = OpenSSL::PKey::RSA.new(bit_strength)
|
|
59
|
-
when :dsa
|
|
60
|
-
@key = OpenSSL::PKey::DSA.new(bit_strength)
|
|
61
|
-
when :ec
|
|
62
|
-
curve_name = opts[:curve_name] || "secp384r1"
|
|
63
|
-
@key = OpenSSL::PKey::EC.new(curve_name)
|
|
64
|
-
@key.generate_key
|
|
65
|
-
else
|
|
66
|
-
raise ArgumentError, 'Must provide :rsa, :dsa , or :ec as type when key or engine is nil'
|
|
67
|
-
end
|
|
36
|
+
generate_key(opts)
|
|
68
37
|
end
|
|
69
38
|
end
|
|
70
39
|
|
|
@@ -77,18 +46,19 @@ module R509
|
|
|
77
46
|
end
|
|
78
47
|
|
|
79
48
|
|
|
80
|
-
# Returns the bit
|
|
49
|
+
# Returns the bit length of the key
|
|
81
50
|
#
|
|
82
51
|
# @return [Integer]
|
|
83
|
-
def
|
|
52
|
+
def bit_length
|
|
84
53
|
if self.rsa?
|
|
85
54
|
return self.public_key.n.num_bits
|
|
86
55
|
elsif self.dsa?
|
|
87
56
|
return self.public_key.p.num_bits
|
|
88
57
|
elsif self.ec?
|
|
89
|
-
raise R509::R509Error, 'Bit
|
|
58
|
+
raise R509::R509Error, 'Bit length is not available for EC at this time.'
|
|
90
59
|
end
|
|
91
60
|
end
|
|
61
|
+
alias :bit_strength :bit_length
|
|
92
62
|
|
|
93
63
|
# Returns the short name of the elliptic curve used to generate the private key
|
|
94
64
|
# if the key is EC. If not, raises an error.
|
|
@@ -224,5 +194,59 @@ module R509
|
|
|
224
194
|
def ec?
|
|
225
195
|
self.key.kind_of?(OpenSSL::PKey::EC)
|
|
226
196
|
end
|
|
197
|
+
|
|
198
|
+
private
|
|
199
|
+
|
|
200
|
+
def validate_engine(opts)
|
|
201
|
+
if opts.has_key?(:engine) and opts.has_key?(:key)
|
|
202
|
+
raise ArgumentError, 'You can\'t pass both :key and :engine'
|
|
203
|
+
elsif opts.has_key?(:key_name) and not opts.has_key?(:engine)
|
|
204
|
+
raise ArgumentError, 'When providing a :key_name you MUST provide an :engine'
|
|
205
|
+
elsif opts.has_key?(:engine) and not opts.has_key?(:key_name)
|
|
206
|
+
raise ArgumentError, 'When providing an :engine you MUST provide a :key_name'
|
|
207
|
+
elsif opts.has_key?(:engine) and opts.has_key?(:key_name)
|
|
208
|
+
if not opts[:engine].kind_of?(OpenSSL::Engine)
|
|
209
|
+
raise ArgumentError, 'When providing an engine, it must be of type OpenSSL::Engine'
|
|
210
|
+
end
|
|
211
|
+
@engine = opts[:engine]
|
|
212
|
+
@key_name = opts[:key_name]
|
|
213
|
+
end
|
|
214
|
+
end
|
|
215
|
+
|
|
216
|
+
def validate_key(opts)
|
|
217
|
+
password = opts[:password] || nil
|
|
218
|
+
#OpenSSL::PKey.read solves this begin/rescue garbage but is only
|
|
219
|
+
#available to Ruby 1.9.3+ and may not solve the EC portion
|
|
220
|
+
begin
|
|
221
|
+
@key = OpenSSL::PKey::RSA.new(opts[:key],password)
|
|
222
|
+
rescue OpenSSL::PKey::RSAError
|
|
223
|
+
begin
|
|
224
|
+
@key = OpenSSL::PKey::DSA.new(opts[:key],password)
|
|
225
|
+
rescue
|
|
226
|
+
begin
|
|
227
|
+
@key = OpenSSL::PKey::EC.new(opts[:key],password)
|
|
228
|
+
rescue
|
|
229
|
+
raise R509::R509Error, "Failed to load private key. Invalid key or incorrect password."
|
|
230
|
+
end
|
|
231
|
+
end
|
|
232
|
+
end
|
|
233
|
+
end
|
|
234
|
+
|
|
235
|
+
def generate_key(opts)
|
|
236
|
+
bit_length = opts[:bit_length] || opts[:bit_strength] || DEFAULT_STRENGTH
|
|
237
|
+
type = opts[:type] || DEFAULT_TYPE
|
|
238
|
+
case type.upcase
|
|
239
|
+
when "RSA"
|
|
240
|
+
@key = OpenSSL::PKey::RSA.new(bit_length)
|
|
241
|
+
when "DSA"
|
|
242
|
+
@key = OpenSSL::PKey::DSA.new(bit_length)
|
|
243
|
+
when "EC"
|
|
244
|
+
curve_name = opts[:curve_name] || DEFAULT_CURVE
|
|
245
|
+
@key = OpenSSL::PKey::EC.new(curve_name)
|
|
246
|
+
@key.generate_key
|
|
247
|
+
else
|
|
248
|
+
raise ArgumentError, "Must provide #{KNOWN_TYPES.join(", ")} as type when key or engine is nil"
|
|
249
|
+
end
|
|
250
|
+
end
|
|
227
251
|
end
|
|
228
252
|
end
|
data/lib/r509/spki.rb
CHANGED
|
@@ -1,11 +1,13 @@
|
|
|
1
1
|
require 'openssl'
|
|
2
2
|
require 'r509/exceptions'
|
|
3
3
|
require 'r509/io_helpers'
|
|
4
|
+
require 'r509/helpers'
|
|
4
5
|
|
|
5
6
|
module R509
|
|
6
7
|
# class for loading/generating SPKAC/SPKI requests (typically generated by the <keygen> tag
|
|
7
8
|
class SPKI
|
|
8
9
|
include R509::IOHelpers
|
|
10
|
+
include R509::Helpers
|
|
9
11
|
|
|
10
12
|
attr_reader :spki, :key
|
|
11
13
|
# @option opts [String,OpenSSL::Netscape::SPKI] :spki the spki you want to parse
|
|
@@ -18,45 +20,13 @@ module R509
|
|
|
18
20
|
raise ArgumentError, 'Must provide either :spki or :key'
|
|
19
21
|
end
|
|
20
22
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
@key = opts[:key]
|
|
24
|
-
else
|
|
25
|
-
@key = R509::PrivateKey.new(:key => opts[:key])
|
|
26
|
-
end
|
|
27
|
-
end
|
|
23
|
+
@key = load_private_key(opts)
|
|
24
|
+
|
|
28
25
|
if opts.has_key?(:spki)
|
|
29
|
-
spki = opts[:spki]
|
|
30
|
-
|
|
31
|
-
# OpenSSL hates SPKAC=
|
|
32
|
-
spki.sub!("SPKAC=","")
|
|
33
|
-
# it really hates newlines (Firefox loves 'em)
|
|
34
|
-
# so let's normalize line endings
|
|
35
|
-
spki.gsub!(/\r\n?/, "\n")
|
|
36
|
-
# and nuke 'em
|
|
37
|
-
spki.gsub!("\n", "")
|
|
38
|
-
# ...and leading/trailing whitespace
|
|
39
|
-
spki.strip!
|
|
40
|
-
@spki = OpenSSL::Netscape::SPKI.new(spki)
|
|
41
|
-
if not @key.nil? and not @spki.verify(@key.public_key) then
|
|
42
|
-
raise R509Error, 'Key does not match SPKI.'
|
|
43
|
-
end
|
|
44
|
-
end
|
|
26
|
+
@spki = parse_spki(opts[:spki])
|
|
27
|
+
else
|
|
45
28
|
# create the SPKI from the private key if it wasn't passed in
|
|
46
|
-
|
|
47
|
-
@spki = OpenSSL::Netscape::SPKI.new
|
|
48
|
-
@spki.public_key = @key.public_key
|
|
49
|
-
if @key.dsa?
|
|
50
|
-
#only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
|
|
51
|
-
#post-1.0 you can sign with anything, but let's be conservative
|
|
52
|
-
#see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
|
|
53
|
-
message_digest = R509::MessageDigest.new('dss1')
|
|
54
|
-
elsif opts.has_key?(:message_digest)
|
|
55
|
-
message_digest = R509::MessageDigest.new(opts[:message_digest])
|
|
56
|
-
else
|
|
57
|
-
message_digest = R509::MessageDigest.new('sha1')
|
|
58
|
-
end
|
|
59
|
-
@spki.sign(@key.key,message_digest.digest)
|
|
29
|
+
@spki = build_spki(opts[:message_digest])
|
|
60
30
|
end
|
|
61
31
|
end
|
|
62
32
|
|
|
@@ -71,94 +41,61 @@ module R509
|
|
|
71
41
|
@spki.verify(public_key)
|
|
72
42
|
end
|
|
73
43
|
|
|
74
|
-
# Converts the SPKI into the PEM format
|
|
75
|
-
#
|
|
76
|
-
# @return [String] the SPKI converted into PEM format.
|
|
77
|
-
def to_pem
|
|
78
|
-
@spki.to_pem
|
|
79
|
-
end
|
|
80
|
-
|
|
81
44
|
alias :to_s :to_pem
|
|
82
45
|
|
|
83
|
-
#
|
|
84
|
-
#
|
|
85
|
-
# @return [String] the SPKI converted into DER format.
|
|
86
|
-
def to_der
|
|
87
|
-
@spki.to_der
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
# Writes the SPKI into the PEM format
|
|
91
|
-
#
|
|
92
|
-
# @param [String, #write] filename_or_io Either a string of the path for
|
|
93
|
-
# the file that you'd like to write, or an IO-like object.
|
|
94
|
-
def write_pem(filename_or_io)
|
|
95
|
-
write_data(filename_or_io, @spki.to_pem)
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
# Writes the SPKI into the DER format
|
|
46
|
+
# Returns the signature algorithm (e.g., RSA-SHA1, ecdsa-with-SHA256)
|
|
99
47
|
#
|
|
100
|
-
# @
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
48
|
+
# @return [String] signature algorithm string
|
|
49
|
+
def signature_algorithm
|
|
50
|
+
data = OpenSSL::ASN1.decode(self.to_der)
|
|
51
|
+
return data.entries[1].value.entries[0].value
|
|
104
52
|
end
|
|
105
53
|
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
#
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
end
|
|
126
|
-
|
|
127
|
-
# Returns the bit strength of the key used to create the SPKI
|
|
128
|
-
# @return [Integer] the integer bit strength.
|
|
129
|
-
def bit_strength
|
|
130
|
-
if self.rsa?
|
|
131
|
-
return @spki.public_key.n.num_bits
|
|
132
|
-
elsif self.dsa?
|
|
133
|
-
return @spki.public_key.p.num_bits
|
|
134
|
-
elsif self.ec?
|
|
135
|
-
raise R509::R509Error, 'Bit strength is not available for EC at this time.'
|
|
54
|
+
private
|
|
55
|
+
|
|
56
|
+
# Tries to clean and parse an inbound SPKI
|
|
57
|
+
# @param [String] spki string
|
|
58
|
+
# @return [OpenSSL::Netscape::SPKI] spki object
|
|
59
|
+
def parse_spki(spki)
|
|
60
|
+
# first let's try cleaning up the input a bit so OpenSSL is happy with it
|
|
61
|
+
# OpenSSL hates SPKAC=
|
|
62
|
+
spki.sub!("SPKAC=","")
|
|
63
|
+
# it really hates newlines (Firefox loves 'em)
|
|
64
|
+
# so let's normalize line endings
|
|
65
|
+
spki.gsub!(/\r\n?/, "\n")
|
|
66
|
+
# and nuke 'em
|
|
67
|
+
spki.gsub!("\n", "")
|
|
68
|
+
# ...and leading/trailing whitespace
|
|
69
|
+
spki.strip!
|
|
70
|
+
spki = OpenSSL::Netscape::SPKI.new(spki)
|
|
71
|
+
if not @key.nil? and not spki.verify(@key.public_key) then
|
|
72
|
+
raise R509Error, 'Key does not match SPKI.'
|
|
136
73
|
end
|
|
74
|
+
return spki
|
|
137
75
|
end
|
|
138
76
|
|
|
139
|
-
#
|
|
140
|
-
#
|
|
141
|
-
#
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
77
|
+
# Tries to build an SPKI using an existing private key
|
|
78
|
+
# @param [String] md optional message digest
|
|
79
|
+
# @return [OpenSSL::Netscape::SPKI] spki object
|
|
80
|
+
def build_spki(md)
|
|
81
|
+
spki = OpenSSL::Netscape::SPKI.new
|
|
82
|
+
spki.public_key = @key.public_key
|
|
83
|
+
if @key.dsa?
|
|
84
|
+
#only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
|
|
85
|
+
#post-1.0 you can sign with anything, but let's be conservative
|
|
86
|
+
#see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
|
|
87
|
+
message_digest = R509::MessageDigest.new('dss1')
|
|
146
88
|
else
|
|
147
|
-
|
|
89
|
+
message_digest = R509::MessageDigest.new(md)
|
|
148
90
|
end
|
|
91
|
+
spki.sign(@key.key,message_digest.digest)
|
|
92
|
+
return spki
|
|
149
93
|
end
|
|
150
94
|
|
|
151
|
-
# Returns
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
def key_algorithm
|
|
155
|
-
if self.rsa?
|
|
156
|
-
:rsa
|
|
157
|
-
elsif self.dsa?
|
|
158
|
-
:dsa
|
|
159
|
-
elsif self.ec?
|
|
160
|
-
:ec
|
|
161
|
-
end
|
|
95
|
+
# Returns the proper instance variable
|
|
96
|
+
def internal_obj
|
|
97
|
+
@spki
|
|
162
98
|
end
|
|
99
|
+
|
|
163
100
|
end
|
|
164
101
|
end
|
data/lib/r509/subject.rb
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require "openssl"
|
|
2
2
|
|
|
3
3
|
module R509
|
|
4
|
-
# subject class. Used for building
|
|
4
|
+
# The primary subject class. Used for building subject DNs in a sane fashion.
|
|
5
5
|
# @example
|
|
6
6
|
# subject = R509::Subject.new
|
|
7
7
|
# subject.CN= "test.test"
|
|
@@ -9,6 +9,8 @@ module R509
|
|
|
9
9
|
# @example
|
|
10
10
|
# subject = R509::Subject.new([['CN','test.test'],['O','r509 LLC']])
|
|
11
11
|
# @example
|
|
12
|
+
# subject = R509::Subject.new(:CN => 'test.test', :O => 'r509 LLC')
|
|
13
|
+
# @example
|
|
12
14
|
# # you can also use the friendly getter/setters with custom OIDs
|
|
13
15
|
# R509::OIDMapper.register("1.2.3.4.5.6.7.8","COI","customOID")
|
|
14
16
|
# subject = R509::Subject.new
|
|
@@ -18,10 +20,12 @@ module R509
|
|
|
18
20
|
# # or
|
|
19
21
|
# subject.custom_oid="test"
|
|
20
22
|
class Subject
|
|
21
|
-
# @param [Array, OpenSSL::X509::Name, R509::Subject, DER, nil] arg
|
|
23
|
+
# @param [Array, OpenSSL::X509::Name, R509::Subject, DER, Hash, nil] arg
|
|
22
24
|
def initialize(arg=nil)
|
|
23
25
|
if arg.kind_of?(Array)
|
|
24
26
|
@array = arg
|
|
27
|
+
elsif arg.kind_of?(Hash)
|
|
28
|
+
@array = arg.map { |k,v| [k.to_s.upcase,v] }
|
|
25
29
|
elsif arg.kind_of?(OpenSSL::X509::Name)
|
|
26
30
|
sanitizer = R509::NameSanitizer.new
|
|
27
31
|
@array = sanitizer.sanitize(arg)
|
|
@@ -97,6 +101,20 @@ module R509
|
|
|
97
101
|
@array
|
|
98
102
|
end
|
|
99
103
|
|
|
104
|
+
# @return [Hash]
|
|
105
|
+
def to_h
|
|
106
|
+
hash = {}
|
|
107
|
+
@array.each do |el|
|
|
108
|
+
hash[el[0].to_sym] = el[1]
|
|
109
|
+
end
|
|
110
|
+
hash
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
# @return [YAML]
|
|
114
|
+
def to_yaml
|
|
115
|
+
self.to_h.to_yaml
|
|
116
|
+
end
|
|
117
|
+
|
|
100
118
|
# @private
|
|
101
119
|
def respond_to?(method_sym, include_private = false)
|
|
102
120
|
method_sym.to_s =~ /([^=]*)/
|
|
@@ -115,6 +133,10 @@ module R509
|
|
|
115
133
|
# This code will also allow you to set subject items for custom oids
|
|
116
134
|
# defined via R509::OIDMapper
|
|
117
135
|
#
|
|
136
|
+
# @example
|
|
137
|
+
# subject = R509::Subject.new
|
|
138
|
+
# subject.CN = 'test' # method built via method missing.
|
|
139
|
+
#
|
|
118
140
|
def method_missing(method_sym, *args, &block)
|
|
119
141
|
if method_sym.to_s =~ /(.*)=$/
|
|
120
142
|
sn = oid_check($1)
|