ruby_scep 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 21d583fad0aab1365951300aaa682ada282a3e89
+  data.tar.gz: b67e773f8d760d5edeef761007f6eac24ceb2bec
+SHA512:
+  metadata.gz: 40ab20bc9faf28782f58e726fb3cd9836afd431714aa1de335b95849506f168cb76e235ca1bd5391f95b8278fc7382d2cb57c869186bd516444a55330ff44728
+  data.tar.gz: 768b1540be23d55cc95bd2c7dbd44e896a44e1642254b9068343b3e4b2944ec26bc55a57e3ae2a264c2573b45310260b8759bc85a52c5d6610c52ab0c1a601cf

data/.circleci/config.yml

@@ -0,0 +1,30 @@
+version: 2.0
+jobs:
+  "ruby-2.3":
+    docker:
+      - image: circleci/ruby:2.3-node
+    working_directory: ~/ruby_scep
+    steps:
+      - checkout
+      - run: bundle install --path vendor/bundle
+      - run:
+          name: Run tests
+          command: bundle exec rspec spec --format progress
+
+  "ruby-2.4":
+    docker:
+      - image: circleci/ruby:2.4-node
+    working_directory: ~/ruby_scep
+    steps:
+      - checkout
+      - run: bundle install --path vendor/bundle
+      - run:
+          name: Run tests
+          command: bundle exec rspec spec --format progress
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - "ruby-2.3"
+      - "ruby-2.4"

data/Gemfile.lock

@@ -0,0 +1,40 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    coderay (1.1.1)
+    diff-lcs (1.3)
+    method_source (0.8.2)
+    pry (0.10.4)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-support (3.6.0)
+    slop (3.6.0)
+    timecop (0.9.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  pry
+  rspec
+  rspec-its
+  timecop
+
+BUNDLED WITH
+   1.15.3

data/License

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Appaloosa.io
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+Ruby SCEP [![CircleCI](https://circleci.com/gh/appaloosa-store/ruby_scep.svg?style=svg)](https://circleci.com/gh/appaloosa-store/ruby_scep)
+---
+A Ruby gem to handle SCEP.
+
+Installation
+---
+To install *Ruby Scep*:
+
+```
+$ gem install ruby_scep
+```
+
+Or you can include this in your project's `Gemfile`:
+
+```
+gem 'ruby_scep'
+```
+
+Then execute:
+
+```
+$ bundle
+```
+Usage
+---
+
+You must use a webserver (Webrick or related will do the trick) and declare two endpoints:
+- `GET /scep`
+- `POST /scep`
+An example server is [included](https://github.com/appaloosa-store/ruby_scep/tree/master/example_server) in this gem.
+
+Acknowledgements
+---
+This gem would not exist without the following repos:
+- Nolan Browns's IosCertEnrollment. Non-working SCEP but the profiles generation part worked alright https://github.com/nolanbrown/ios-cert-enrollment
+- MicroMDM's SCEP Go server. It worked perfectly, so we could use it as a reference https://github.com/micromdm/scep/
+- OneLogin SCEP gem. The first instance of OpenSSL::ASN1 that led me to the AppBlade repo https://github.com/onelogin/scep-gem/blob/master/lib/scep/asn1.rb
+- AppBlade's SCEP controller. The final pieces of the puzzle: the PKIMessage building using a ASN1 structure. I could'nt have done it without them. https://github.com/AppBlade/TestHub/blob/master/app/controllers/scep_controller.rb
+
+We decided to open-source our solution to give back to the community that helped us greatly. Do the same with your projects!
+
+Documentation
+---
+- CISCO's description of the SCEP protocol. Information about PKIMessage structure are also available here. https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html
+- SCEP RFC https://tools.ietf.org/html/draft-nourse-scep-23
+- OID correspondance. A lifesaver to understand the ASN1 OIDs http://oid-info.com/
+
+Contributing
+---
+1. Fork it ( https://github.com/appaloosa-store/ruby_scep )
+2. Create your feature branch (git checkout -b my-new-feature)
+3. Commit your changes (git commit -am 'Add some feature')
+4. Push to the branch (git push origin my-new-feature)
+5. Create a new Pull Request.

data/example_server/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+ruby '2.4.1'
+gem 'sinatra'
+gem 'ruby_scep', path: '../'

data/example_server/Gemfile.lock

@@ -0,0 +1,31 @@
+PATH
+  remote: ..
+  specs:
+    ruby_scep (0.1.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    mustermann (1.0.1)
+    rack (2.0.3)
+    rack-protection (2.0.0)
+      rack
+    sinatra (2.0.0)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.0)
+      tilt (~> 2.0)
+    tilt (2.0.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  ruby_scep!
+  sinatra
+
+RUBY VERSION
+   ruby 2.4.1p111
+
+BUNDLED WITH
+   1.15.3

data/example_server/Procfile

@@ -0,0 +1 @@
+web: bundle exec rackup config.ru -p $PORT

data/example_server/application.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+require 'sinatra'
+require 'yaml'
+require 'sinatra/base'
+require 'webrick'
+require 'webrick/https'
+require 'openssl'
+require 'ruby_scep'
+
+RubyScep.configure do |config|
+  config.ca_cert_path = 'certs/ca.pem'
+  config.ca_key_path = 'certs/passwordless.key'
+end
+
+get '/scep' do
+  p 'get scep'
+  case params['operation']
+  when 'GetCACert'
+    p 'operation: GetCACert'
+    # todo, verify signer
+    content_type 'application/x-x509-ca-cert'
+    RubyScep.configuration.ca.to_der
+  when 'GetCACaps'
+    p 'operation: GetCACaps'
+    content_type 'text/plain'
+    "SHA-1\nSHA-256\nAES\nDES3\nSCEPStandard\nPOSTPKIOperation"
+    # see complete list of capabilities https://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.2
+  else
+    'Invalid Action'
+  end
+end
+
+post '/scep' do
+  p 'post scep'
+  if params['operation'] == 'PKIOperation'
+    content_type 'application/x-pki-message'
+    RubyScep::PkiOperation.build_response(request.body.read)
+  else
+    'Invalid Action'
+  end
+end

data/example_server/certs/ca.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFHzCCAwegAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHc2NlcC1jYTEQMA4GA1UECxMHU0NFUCBDQTAeFw0xNzA3MjUxMzIx
+MzJaFw0yNzA3MjUxMzIxMzJaMDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdzY2Vw
+LWNhMRAwDgYDVQQLEwdTQ0VQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEApMk9/OV2JFxvGHeG4KjqrJ2hua/rUHeXfsEvV2Kf7g7qtcY0+w24FSq1
+wbTcnW7XG39eL5XNEtu2RF/0RdZp8jZ7VGuCUTX7X0tpKEzQqiy0+hSsarHoXEKA
+k4lQMnJcM7tbiopz/vgtIjaREjAhmFcNv3OGkBAvNd7lk+4mVbiMpnh8IdZZBhf+
+o0bVxGcTxxF39UIA6PqKp+SPvsVO1qZmEQJ1gpsu0nt0YTcl9PImIW+GYHD/r7UP
+8AV+jfRJLZB5rzk46vAKMjV91jMhjASYJc+NUHcl4LDrha3O0pw5I9qLDmzcHel+
+SFzpaTf9vBDo5ufQfKYlau6feNyq6O+L40V645jPmphU2lPOqr2UDqAaXELbNosP
+xz6eFPY+EiU4XKMLumJrYgOK0ToE9KNoPwvRWUWjnEOnnJZrfKIMBClc0h6TG96T
+oPavNbu+5nGS97dxs9pBYaRP1EuzCzXnmip5d/o0bTr2+l3nfZ1bNEAL/70YNZBx
+2OIP1zGptBRqSV+2bLHJ1unRQSz8K/1xMnywJBAe9AS1HgaU0YTN59b8ptkQzDYE
+UUuN85odKWiqp5QSaLDuZKA9GCnAFmg3FAGF7wMpkwXMdPXxo1SaQPzH0IC+rWIl
+HD68kf3dmwMSrQKq63DxtuXx3kyOnA28Z6vZf4f/i4OZ66U3a0sCAwEAAaNCMEAw
+DgYDVR0PAQH/BAQDAgIEMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFO2b2cg9
+xw7Cx8MFKadgIsMJMl10MA0GCSqGSIb3DQEBCwUAA4ICAQAi8hKgoJYyl8mzBoJ1
+G4UKWXdrsbWBkrmzy2OpA6BeLGk+EboJ6gsfFmxJ1T7MsqscsNx0VgXrxh/fz73+
+uWI9FNZ29IQEjN8e24FO2uaYRVCCtC2T+DHtwOilCE0RbdZtbjH7pdceAJ+lnHBB
+3zNnNm86lrjMG6dXF6NG68m7h8hV0sJnw5tGvccdg3b8nhxewXZSDfXgAew/nOQN
+tdyZbIXOb6CKy+t4H3oKISC2DrSgreWqACLoIyAvFH6mC25QA/EIJBfoqbuHTinb
+Mj8F13SpqgjeRsz4l0bhKzHDhmTgmcO0vXMmBbTFyzKtfa82eaL52rZ/YQrHOyef
+ez1TmeHDtrfUZkbXxTEMEs01i6suiKfeb7rR2MzV6eIzX0yw/rSYgmbN+Ay7M6Vu
+sVI3kTwEAFhlj2Gk2X1QjIXfB+rnmNe02TARLxNTAPZtuBrvhuLK7egLHofVRQcE
+v6qWLZ2HmHn8rFs0wTsG73LFvvCo+zKboDDya+rHwbVGBFbk7cRw2cNTCoh58tSI
+dzOqKwhKosE/uPNkFFu4wHoK7USjMSJL922B6DZKtZpzB02X5Q7M0pR507oFsBo/
+6jp2/pUKk1XCiFe7aE/Xz71B3a4HwIDPvY/9re9LmTaHM2+V1jC3RzSbAHpElv7N
+fEgf4g2JSNreyvurE0jM672I7Q==
+-----END CERTIFICATE-----

data/example_server/certs/passwordless.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEApMk9/OV2JFxvGHeG4KjqrJ2hua/rUHeXfsEvV2Kf7g7qtcY0
++w24FSq1wbTcnW7XG39eL5XNEtu2RF/0RdZp8jZ7VGuCUTX7X0tpKEzQqiy0+hSs
+arHoXEKAk4lQMnJcM7tbiopz/vgtIjaREjAhmFcNv3OGkBAvNd7lk+4mVbiMpnh8
+IdZZBhf+o0bVxGcTxxF39UIA6PqKp+SPvsVO1qZmEQJ1gpsu0nt0YTcl9PImIW+G
+YHD/r7UP8AV+jfRJLZB5rzk46vAKMjV91jMhjASYJc+NUHcl4LDrha3O0pw5I9qL
+DmzcHel+SFzpaTf9vBDo5ufQfKYlau6feNyq6O+L40V645jPmphU2lPOqr2UDqAa
+XELbNosPxz6eFPY+EiU4XKMLumJrYgOK0ToE9KNoPwvRWUWjnEOnnJZrfKIMBClc
+0h6TG96ToPavNbu+5nGS97dxs9pBYaRP1EuzCzXnmip5d/o0bTr2+l3nfZ1bNEAL
+/70YNZBx2OIP1zGptBRqSV+2bLHJ1unRQSz8K/1xMnywJBAe9AS1HgaU0YTN59b8
+ptkQzDYEUUuN85odKWiqp5QSaLDuZKA9GCnAFmg3FAGF7wMpkwXMdPXxo1SaQPzH
+0IC+rWIlHD68kf3dmwMSrQKq63DxtuXx3kyOnA28Z6vZf4f/i4OZ66U3a0sCAwEA
+AQKCAgA5kdUGNWRA78ogUiHc+yaBh9Cofr1HL4DN19AiR2J4WN3HA6gezXwyaOl2
+8yjgF4kvIiBVn5A1tmzHFn7Qp0f8RuxvYd/1X1aixEXIvo1n5paTiAV0gRMcqF8j
+LCXIegucRyiEDjrYKPwbp9Sm9gnGnyM+b63jRsQ3nde3Bsx9xivdPNqhN7GCX3+m
+q2ijZR+TvJacKKMIwf8PCNrvWx9f/mJKLwG+z1hcUKUoEYxBNxf7NmtL5i5txGP9
+Bu5fyaiHMqJQhT1NVu84+1crLlHaCQDetNQ5+GZTSXv/B+npyopr7D4InB+Kk7h6
+r3scN2N+AKpdgT9lTOZlpVgxcWaDyun2isQLLA5pIXBHL3p9toLHa6qtMKCJ+PCI
+u243Il3lM3yC1N6ODHMs9hbckyoIC9seIVW+XI8GRlSihYF3eT9UpfiwBN2OTn2r
+QKXyVzLk7ZrxAvK8/DK2LY7R6+1p+YdBG9sUYxbPs5FK4df0XYHdXY1SNRRCD/+K
+EYlTB9SLmnj5cp9af+Rfq1XzzSbz+OxSDABk3gtQAZ9dV1hW2boiRJGJEna1bsyA
+p1G3dyx4k4anoEG3qfWa45qXWg/psy54IxgASm+uU6Qgi0Zs2kOwAa6HdgWJ68a8
+ocwMdhT/z4EbDp1aMSmiWI0SyS3Ftx0WIi7ePSVXQ1vGfdAdAQKCAQEA2dKMNPnL
+UKhOFHJclBb2gga8Y/7oiT3ZrEVRLdxjuTcbSBsyDwftveNekngqbCR3LKHuDQzv
+45hprS7f0oxhrRPMZBh8AGDyagoaM1p4z1BSy2zyzloe4+3DpCAFF1nMzBwJKQOb
+EomyWqcpk0T2mBleVpaJ7f1+TYC0ehRFCzk5f1jvxnZ3jrmZVX9P1cuc5m78WxZ3
+LkviMbHRyDf4pBr2RD9r57z2rW16Lnhp1ZOGHVMy0Af1KpTJ0BEeF+xkWOuDdKMY
++4yHIN9VFa7lOyUooFRMCRz0Q6B+BKnpT/ASTKmZVKAXL/oI5HyOYU1C9GGUWWhK
+z1qy3dp9yfrkQwKCAQEAwasDHAOfWNzR+SKeT4f4YXjzQiqPJg0N3wf7kSBMsUDX
+ip+wjkZQ5xEfESRVHZcyQwnTzseimpqj8qjwtd9/MpzTWcfCBP+thkr7mdBSVWKi
+UBnepoA8mXupzgo/QIVddql1ECwntDLWqv1cpy6Ikcy3U8hKqxLxiLGFiNySIyJx
+HJ6iR5MtI8qnqvodUHNGR9gMWv+i4aTB5F9w15zpfe/97nhht+eDiaQVrzcvJaJU
+CyBpD24vxYficoxHesHxWrKpOHIYA9tiFbzGnRjKQbPzoKB/OnuecvMU6xUu09Zj
+/RBnw5g8vt4O8V02n+8RfG6I6NZ0z4Co9sDt1rCwWQKCAQEArScLH52mesKf9u8G
+Gw65/JjgL1lWfqq1G5Wqt5snhveAb2x2+a3i1n0lE6gEiRzfw5IhyywKklD5SJsn
+f5bqmoxPgQ5ZnG90pMjNFR+JQ7vlZSKBTXokbin2yMRPZ8WR4Hs06O6d2jmtlxSl
+HxXGNRiNfqWClbZaLb/vN9BfJlHiHBKV4J0R41o0wttGmnyWiDOX1czhBuN5tulV
+CyU7OTDZrV0BKSF0sl6Bruk3sHjqNuuJTAfXY3cNiqHg20Gmb20gfZqdZHHMhVwj
+pe32+XJLflAkdWYX4p51Lr3m4w3Dbj+vzK7KX/ASG5fMExs4602agQw/09+Uqnli
+XypbQwKCAQEAl3sosnfO4pXOEt1WEIUc7TjKpN1fHHcne2TmC2zFL/u02/PuCErN
+qv7EWwcdIEkMAk2kg1+5Os5sIDiuFsPa3P63fcj2ZCyMULdDttqwG6NLq/WgJoG1
+ZKPKfKOdN91Y7qC7NMwkvhjpudL07rtCDTCf0IOgi9EEZVPdS+Ci2aJt8OHPssZW
+j2FK5jw+Q5f2x+kgOOktQOs60WMpgyxzoZLe/vDgFhWa2EUkxOkYEoq2zAEsy+n2
+qb2QjOJWYpliK/wEymbLi/DD9payj1w9j0iu7du7yEW6+NRTb1EhUIanrOBxGRdx
+pCVScM3lFRHMjpRyuBROR6OuBVuAbOXE+QKCAQEAsWtxW3onxdmdgnqBt/iduCMO
+GpO/GBohk4Sqvx1tHQ0MaarFGjV3ZwixrXD9/vwE/iQEXK8GXqs8Duv7U1Ip4PN2
+/T2JFayPLzZR3yAMKdPuZjJUP2oVETsog6dXDwDqziNm4sLmq9tNLWDDPQP1EUrA
+TLl60soFUb7x9OpwtyMoF7CstmnGVH0MWGRiq6TvFbwsW3qCq+vgAnFNAFAjcacm
+flGUlaLcV0M2jOYk2rKCcQwO/Nbgx/XVArJrxNz5TPdMMQ4OkVdbJ9h6kXrE6veI
+D87UYifdesmfkUJ4Wj5l5NwHzt2Npu1kH8eRAFCHR3M2pp8ZJtv0AIpxhUIx6Q==
+-----END RSA PRIVATE KEY-----

data/example_server/config.ru

@@ -0,0 +1,2 @@
+require './application'
+run Sinatra::Application

data/example_server/configuration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Server
+  class Configuration
+    attr_accessor :ca_cert_path, :ca_key_path,
+                  :ca, :ca_key,
+                  :certificates_store
+
+    def ca
+      @ca ||= OpenSSL::X509::Certificate.new(File.read(@ca_cert_path))
+    end
+
+    def ca_key
+      @ca_key ||= OpenSSL::PKey::RSA.new(File.read(@ca_key_path))
+    end
+
+    def certificates_store
+      return @certificates_store if defined?(@certificates_store)
+      @certificates_store = OpenSSL::X509::Store.new
+      @certificates_store.add_cert(ca)
+    end
+  end
+end

data/lib/ruby_scep/certificate_builder.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module RubyScep
+  class CertificateBuilder
+    class << self
+      ONE_YEAR_IN_NUMBER_OF_SECONDS = 31536000
+      def build(csr)
+        certificate = OpenSSL::X509::Certificate.new
+        certificate.serial = Random.rand(730750818665451459101842416358141509827966271488) # will need to improve that
+        certificate.version = 1
+        certificate.public_key = csr.public_key
+        certificate.issuer = RubyScep.configuration.ca.subject
+        certificate.subject = csr.subject
+        certificate.not_before = Time.now
+        certificate.not_after = Time.now + ONE_YEAR_IN_NUMBER_OF_SECONDS
+        extension_factory = OpenSSL::X509::ExtensionFactory.new
+        extension_factory.subject_certificate = certificate
+        extension_factory.subject_request = csr
+        extension_factory.issuer_certificate = RubyScep.configuration.ca
+        certificate.add_extension(
+          extension_factory.create_extension(
+            'keyUsage', 'digitalSignature,keyEncipherment'
+          )
+        )
+        certificate
+      end
+    end
+  end
+end

data/lib/ruby_scep/configuration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module RubyScep
+  class Configuration
+    attr_accessor :ca_cert_path, :ca_key_path,
+                  :ca, :ca_key,
+                  :certificates_store
+
+    def ca
+      @ca ||= OpenSSL::X509::Certificate.new(File.read(@ca_cert_path))
+    end
+
+    def ca_key
+      @ca_key ||= OpenSSL::PKey::RSA.new(File.read(@ca_key_path))
+    end
+
+    def certificates_store
+      return @certificates_store if defined?(@certificates_store)
+      @certificates_store = OpenSSL::X509::Store.new
+      @certificates_store.add_cert(ca)
+    end
+  end
+end

data/lib/ruby_scep/pki_message/degenerate.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module RubyScep
+  class PkiMessage
+    class Degenerate
+
+      def initialize(certificate)
+        @certificate = certificate
+      end
+
+      def to_der
+        OpenSSL::ASN1::Sequence.new(
+          [
+            OpenSSL::ASN1::ObjectId.new(OID_SIGNED_DATA),
+            OpenSSL::ASN1::ASN1Data.new(
+              [
+                OpenSSL::ASN1::Sequence.new(
+                  [
+                    OpenSSL::ASN1::Integer.new(1),
+                    OpenSSL::ASN1::Set.new([]),
+                    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(OID_DATA)]),
+                    OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::decode(@certificate.to_der)], 0, :CONTEXT_SPECIFIC),
+                    OpenSSL::ASN1::ASN1Data.new([], 1, :CONTEXT_SPECIFIC),
+                    OpenSSL::ASN1::Set.new([])
+                  ]
+                )
+              ],
+              0,
+              :CONTEXT_SPECIFIC)
+          ]
+        ).to_der
+      end
+    end
+  end
+end

data/lib/ruby_scep/pki_message/enveloped_data.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+module RubyScep
+  class PkiMessage
+    class EnvelopedData
+
+      def initialize(p7, encryption_key, encryption_iv, encrypted_payload)
+        @p7 = p7
+        @encryption_key = encryption_key
+        @encryption_iv = encryption_iv
+        @encrypted_payload = encrypted_payload
+      end
+
+      def to_der
+        OpenSSL::ASN1::Sequence.new(
+          [
+            OpenSSL::ASN1::ObjectId.new(OID_ENVELOPED_DATA),
+            OpenSSL::ASN1::ASN1Data.new(
+              [
+                OpenSSL::ASN1::Sequence.new(
+                  [
+                    OpenSSL::ASN1::Integer.new(0),
+                    OpenSSL::ASN1::Set.new(
+                      [
+                        OpenSSL::ASN1::Sequence.new(
+                          [
+                            OpenSSL::ASN1::Integer.new(0),
+                            OpenSSL::ASN1::Sequence.new(
+                              [
+                                OpenSSL::ASN1::decode(@p7.certificates.first.subject.to_der),
+                                OpenSSL::ASN1::Integer.new(@p7.certificates.first.serial.to_i)
+                              ]
+                            ),
+                            OpenSSL::ASN1::Sequence.new(
+                              [
+                                OpenSSL::ASN1::ObjectId.new(OID_RSA_ENCRYPTION),
+                                OpenSSL::ASN1::Null.new(nil)
+                              ]
+                            ),
+                            OpenSSL::ASN1::OctetString.new(@p7.certificates.first.public_key.public_encrypt(@encryption_key))
+                          ]
+                        )
+                      ]
+                    ),
+                    OpenSSL::ASN1::Sequence.new(
+                      [
+                        OpenSSL::ASN1::ObjectId.new(OID_DATA),
+                        OpenSSL::ASN1::Sequence.new(
+                          [
+                            OpenSSL::ASN1::ObjectId.new(OID_DES_ALGO),
+                            OpenSSL::ASN1::OctetString.new(@encryption_iv)
+                          ]
+                        ),
+                        OpenSSL::ASN1::ASN1Data.new(@encrypted_payload, 0, :CONTEXT_SPECIFIC)
+                      ]
+                    )
+                  ]
+                )
+              ],
+              0,
+              :CONTEXT_SPECIFIC
+            )
+          ]
+        ).to_der
+      end
+    end
+  end
+end

data/lib/ruby_scep/pki_message/signed_data.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+module RubyScep
+  class PkiMessage
+    class SignedData
+
+      def initialize(envelop_sequence, ca, ca_key, sender_nonce, transaction_id)
+        @envelop_sequence = envelop_sequence
+        @ca = ca
+        @ca_key = ca_key
+        @sender_nonce = sender_nonce
+        @transaction_id = transaction_id
+        @sha1 = OpenSSL::Digest::SHA1.new
+      end
+
+      def to_der
+        signed_attributes = signed_attributes_sequence
+        signed_attributes_digest = @ca_key.private_encrypt(
+          algo_identifier_sequence(signed_attributes, @sha1).to_der
+        )
+        OpenSSL::ASN1::Sequence.new(
+          [
+            OpenSSL::ASN1::ObjectId.new(OID_SIGNED_DATA),
+            OpenSSL::ASN1::ASN1Data.new(
+              [
+                OpenSSL::ASN1::Sequence.new(
+                  [
+                    OpenSSL::ASN1::Integer.new(1),
+                    OpenSSL::ASN1::Set.new(
+                      [
+                        OpenSSL::ASN1::Sequence.new(
+                          [
+                            OpenSSL::ASN1::ObjectId.new(OID_HASH_ALGO_IDENTIFIER),
+                            OpenSSL::ASN1::Null.new(nil)
+                          ]
+                        )
+                      ]
+                    ),
+                    OpenSSL::ASN1::Sequence.new(
+                      [
+                        OpenSSL::ASN1::ObjectId.new(OID_DATA),
+                        OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::OctetString.new(@envelop_sequence)], 0, :CONTEXT_SPECIFIC)]
+                    ),
+                    OpenSSL::ASN1::Set.new(
+                      [
+                        OpenSSL::ASN1::Sequence.new(
+                          [
+                            OpenSSL::ASN1::Integer.new(1),
+                            OpenSSL::ASN1::Sequence.new(
+                              [
+                                OpenSSL::ASN1::decode(@ca.subject.to_der),
+                                OpenSSL::ASN1::Integer.new(@ca.serial)
+                              ]
+                            ),
+                            OpenSSL::ASN1::Sequence.new(
+                              [
+                                OpenSSL::ASN1::ObjectId.new(OID_HASH_ALGO_IDENTIFIER),
+                                OpenSSL::ASN1::Null.new(nil)
+                              ]
+                            ),
+                            signed_attributes,
+                            OpenSSL::ASN1::Sequence.new(
+                              [
+                                OpenSSL::ASN1::ObjectId.new(OID_RSA_ENCRYPTION),
+                                OpenSSL::ASN1::Null.new(nil)
+                              ]
+                            ),
+                            OpenSSL::ASN1::OctetString.new(signed_attributes_digest)
+                          ]
+                        ),
+                      ]
+                    )
+                  ]
+                )],
+              0,
+              :CONTEXT_SPECIFIC
+            )
+          ]
+        ).to_der
+      end
+
+      def signed_attributes_sequence
+        OpenSSL::ASN1::ASN1Data.new(
+          [
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_CONTENT_TYPE),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::ObjectId.new(OID_DATA)])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_SIGNING_TIME),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTCTime.new(Time.now)])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_MESSAGE_DIGEST),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::OctetString.new(@sha1.digest(@envelop_sequence))])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_MESSAGE_TYPE),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(SCEP_MESSAGE_TYPES['CertRep'].to_s)])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_PKI_STATUS),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(SCEP_PKI_STATUSES['SUCCESS'].to_s)])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_RECIPIENT_NOUNCE),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::OctetString.new([@sender_nonce].pack('H*'))])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_SENDER_NONCE),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::OctetString.new([@sender_nonce].pack('H*'))])
+              ]
+            ),
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_TRANSACTION_ID),
+                OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(@transaction_id)])
+              ]
+            )
+          ],
+          0,
+          :CONTEXT_SPECIFIC
+        )
+      end
+
+      def algo_identifier_sequence(signed_attributes, sha1)
+        OpenSSL::ASN1::Sequence.new(
+          [
+            OpenSSL::ASN1::Sequence.new(
+              [
+                OpenSSL::ASN1::ObjectId.new(OID_HASH_ALGO_IDENTIFIER),
+                OpenSSL::ASN1::Null.new(nil)
+              ]
+            ),
+            OpenSSL::ASN1::OctetString.new(sha1.digest(OpenSSL::ASN1::Set.new(signed_attributes.value[0..-1]).to_der))
+          ]
+        )
+      end
+    end
+  end
+end

data/lib/ruby_scep/pki_message.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+require 'openssl'
+
+module RubyScep
+  class PkiMessage
+    include OpenSSL::ASN1
+
+    # get OID corresponding name http://oid-info.com/get/<the oid>
+    # get possible balues for a given OID in the CMS RFC https://www.ietf.org/rfc/rfc3369.txt
+    OID_MESSAGE_TYPE = '2.16.840.1.113733.1.9.2'
+    OID_PKI_STATUS = '2.16.840.1.113733.1.9.3'
+    OID_FAIL_INFO = '2.16.840.1.113733.1.9.4'
+    OID_SENDER_NONCE = '2.16.840.1.113733.1.9.5'
+    OID_RECIPIENT_NOUNCE = '2.16.840.1.113733.1.9.6'
+    OID_TRANSACTION_ID = '2.16.840.1.113733.1.9.7'
+    OID_EXTENSION_REQUEST = '2.16.840.1.113733.1.9.8'
+    OID_SIGNED_DATA = '1.2.840.113549.1.7.2'
+    OID_DATA = '1.2.840.113549.1.7.1'
+    OID_ENVELOPED_DATA = '1.2.840.113549.1.7.3'
+    OID_RSA_ENCRYPTION = '1.2.840.113549.1.1.1'
+    OID_DES_ALGO = '1.2.840.113549.3.7'
+    OID_CONTENT_TYPE = '1.2.840.113549.1.9.3'
+    OID_SIGNING_TIME = '1.2.840.113549.1.9.5'
+    OID_MESSAGE_DIGEST = '1.2.840.113549.1.9.4'
+    OID_HASH_ALGO_IDENTIFIER = '1.3.14.3.2.26'
+
+    # complete list of possible SCEP values can be found in CISCO's documentation
+    # https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html
+    SCEP_MESSAGE_TYPES = { 'PKCSReq' => 19, 'CertRep' => 3, 'GetCertInitial' => 20, 'GetCert' => 21, 'GetCRL' => 22 }
+    SCEP_PKI_STATUSES = { 'SUCCESS' => 0, 'FAILURE' => 2, 'PENDING' => 3 }
+    SCEP_FAIL_INFOS = { 'badAlg' => 0, 'badMessageCheck' => 1, 'badRequest' => 2, 'badTime' => 3, 'badCertId' => 4 }
+
+    attr_accessor :p7
+
+    def initialize(asn1, p7)
+      signed_attributes = retrieve_signed_attributes(asn1)
+      @message_type = SCEP_MESSAGE_TYPES.key(signed_attributes[OID_MESSAGE_TYPE].to_i)
+      @transaction_id = signed_attributes[OID_TRANSACTION_ID]
+      @sender_nonce = signed_attributes[OID_SENDER_NONCE]
+      @p7 = p7
+    end
+
+    # We are building a SCEP Secure Message Object with a valid PKCS7 structure, as referenced
+    #   in https://tools.ietf.org/html/draft-nourse-scep-23#section-3
+    # To see a graphical representation of the final PKCS7 structure, go to
+    #   https://www.cisco.com/c/dam/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00-01.jpeg
+    # Structure:
+    #   1. degenerate
+    #     a. version
+    #     b. x509
+    #   2. enveloped data
+    #     a. version
+    #     b. list of recepients
+    #     c. encrypted data (aka 1. degenerate)
+    #   3. signed data
+    #     a. version
+    #     b. hashing algo
+    #     c. signed (unencrypted) data (aka 2. enveloped data)
+    #     d. ca certificate
+    #     e. digital signature
+    def build_enrollment_response(csr)
+      degenerate_sequence = build_degenerate_sequence(csr)
+      enveloped_data_sequence = build_enveloped_data_sequence(degenerate_sequence)
+      build_signed_data_sequence(enveloped_data_sequence)
+    end
+
+    private
+
+    def retrieve_signed_attributes(asn1)
+      # cheers AppBlade! https://github.com/AppBlade/TestHub/blob/master/app/controllers/scep_controller.rb#L92-L112
+      raw_signed_attributes = asn1.value[1].value.first.value[4].first.value[3].value
+      raw_signed_attributes.inject({}) do |hash, raw_signed_attribute|
+        hash.merge(raw_signed_attribute.value.first.value => raw_signed_attribute.value.last.value.first.value)
+      end
+    end
+
+    def build_degenerate_sequence(csr)
+      certificate = CertificateBuilder.build(csr)
+      certificate.sign(RubyScep.configuration.ca_key, OpenSSL::Digest::SHA1.new)
+      PkiMessage::Degenerate.new(certificate).to_der
+    end
+
+    def build_enveloped_data_sequence(degenerate_sequence)
+      encrypted_payload, encryption_key, encryption_iv = encrypt_payload(degenerate_sequence)
+      PkiMessage::EnvelopedData.new(@p7, encryption_key, encryption_iv, encrypted_payload).to_der
+    end
+
+    def encrypt_payload(der)
+      des = OpenSSL::Cipher::Cipher.new('des-ede3-cbc')
+      des.encrypt
+      encryption_key = des.random_key
+      encryption_iv = des.random_iv
+      des.key = encryption_key
+      des.iv = encryption_iv
+      [des.update(der) + des.final, encryption_key, encryption_iv]
+    end
+
+    def build_signed_data_sequence(enveloped_data_sequence)
+      PkiMessage::SignedData.new(
+        enveloped_data_sequence,
+        RubyScep.configuration.ca,
+        RubyScep.configuration.ca_key,
+        @sender_nonce,
+        @transaction_id
+      ).to_der
+    end
+  end
+end

data/lib/ruby_scep/pki_operation.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+module RubyScep
+  class PkiOperation
+    class << self
+      # @param raw_csr [String] The binary encoded CSR
+      # @return DER-encoded [String], PkiMessage represented in an OpenSSL::ASN1 structure containing the
+      #   device's MDM certificate to be installed
+      def build_response(raw_csr)
+        pki_message = parse_pki_message(raw_csr)
+        csr = decrypt_pki_envelope(pki_message)
+        pki_message.build_enrollment_response(csr)
+      end
+
+      private
+
+      # @param raw_csr [String] The binary encoded CSR
+      # @return [RubyScep::PkiMessage], containing the CSR info
+      def parse_pki_message(raw_csr)
+        p7 = OpenSSL::PKCS7.new(raw_csr)
+        flags = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOVERIFY
+        # OpenSSL::PKCS7::NOVERIFY is necessary otherwise the verify step fails
+        p7.verify(nil, RubyScep.configuration.certificates_store, nil, flags) # necessary to populate the p7 data field
+        asn1 = OpenSSL::ASN1.decode(p7.to_der)
+        PkiMessage.new(asn1, p7)
+      end
+
+      # @param pki_message [RubyScep::PkiMessage] The PkiMessage containing the CSR info sent by the iOS device
+      # @return [OpenSSL::X509::Request], the decrypted CSR
+      def decrypt_pki_envelope(pki_message)
+        encrypted_p7 = OpenSSL::PKCS7.new(pki_message.p7.data)
+        raw_csr = encrypted_p7.decrypt(RubyScep.configuration.ca_key, RubyScep.configuration.ca, OpenSSL::PKCS7::BINARY)
+        # this is the moment when we could extract the device info from the CSR (device id and challenge password)
+        # see https://github.com/AppBlade/TestHub/blob/master/app/controllers/scep_controller.rb#L57
+        OpenSSL::X509::Request.new(raw_csr)
+      end
+    end
+  end
+end

data/lib/ruby_scep/version.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
+module RubyScep
+  module Version
+    STRING = '0.1.0'
+
+    module_function
+
+    def version(*_args)
+      STRING
+    end
+  end
+end

data/lib/ruby_scep.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require 'ruby_scep/version'
+require 'ruby_scep/configuration'
+require 'ruby_scep/certificate_builder'
+require 'ruby_scep/pki_message'
+require 'ruby_scep/pki_message/degenerate'
+require 'ruby_scep/pki_message/enveloped_data'
+require 'ruby_scep/pki_message/signed_data'
+require 'ruby_scep/pki_operation'
+
+module RubyScep
+  attr_accessor :configuration
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configure
+    yield(configuration)
+  end
+end

data/ruby_scep.gemspec

@@ -0,0 +1,34 @@
+# encoding: utf-8
+# frozen_string_literal: true
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'ruby_scep/version'
+
+Gem::Specification.new do |s|
+  s.name = 'ruby_scep'
+  s.version = RubyScep::Version::STRING
+  s.platform = Gem::Platform::RUBY
+  s.required_ruby_version = '>= 2.3.0'
+  s.authors = ['Christophe Valentin']
+  s.description = <<-EOF
+   Ruby implementation of SCEP
+  EOF
+  s.email = 'dev@appaloosa-store.com'
+  s.files = `git ls-files`.split($RS).reject do |file|
+    file =~ %r{^(?:
+   spec/.*
+   |Gemfile
+   |\.rspec
+   |\.gitignore
+   )$}x
+  end
+  s.extra_rdoc_files = %w(README.md)
+  s.homepage = 'https://github.com/appaloosa-store/ruby_scep'
+  s.licenses = ['MIT']
+  s.require_paths = ['lib']
+
+  s.summary = 'Ruby implementation of SCEP'
+
+  s.add_development_dependency('rspec', '~> 3.6')
+  s.add_development_dependency('rspec-its', '~> 1.2.0')
+  s.add_development_dependency('timecop', '~> 0.9.1')
+end

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: ruby_scep
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Christophe Valentin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-09-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+description: "   Ruby implementation of SCEP\n"
+email: dev@appaloosa-store.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.md
+files:
+- ".circleci/config.yml"
+- Gemfile.lock
+- License
+- README.md
+- example_server/Gemfile
+- example_server/Gemfile.lock
+- example_server/Procfile
+- example_server/application.rb
+- example_server/certs/ca.pem
+- example_server/certs/passwordless.key
+- example_server/config.ru
+- example_server/configuration.rb
+- lib/ruby_scep.rb
+- lib/ruby_scep/certificate_builder.rb
+- lib/ruby_scep/configuration.rb
+- lib/ruby_scep/pki_message.rb
+- lib/ruby_scep/pki_message/degenerate.rb
+- lib/ruby_scep/pki_message/enveloped_data.rb
+- lib/ruby_scep/pki_message/signed_data.rb
+- lib/ruby_scep/pki_operation.rb
+- lib/ruby_scep/version.rb
+- ruby_scep.gemspec
+homepage: https://github.com/appaloosa-store/ruby_scep
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Ruby implementation of SCEP
+test_files: []