RubyGems - scep - Versions diffs - 0.0.1 → 0.0.2 - Mend

scep 0.0.1 → 0.0.2

Files changed (39) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/.travis.yml +5 -1
data/.yardopts +3 -0
data/README.md +19 -1
data/lib/scep.rb +2 -4
data/lib/scep/asn1.rb +38 -0
data/lib/scep/endpoint.rb +2 -0
data/lib/scep/jscep_cli.rb +26 -0
data/lib/scep/keypair.rb +4 -0
data/lib/scep/pki_operation/base.rb +25 -0
data/lib/scep/pki_operation/request.rb +122 -1
data/lib/scep/version.rb +1 -1
data/scep.gemspec +4 -1
data/spec/console +2 -0
data/spec/fixtures/ejbca/ca.crt +20 -0
data/spec/fixtures/ejbca/ca.key +27 -0
data/spec/fixtures/ejbca/ca/README +14 -0
data/spec/fixtures/ejbca/ca/management_ca/data.xml +511 -0
data/spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64 +75 -0
data/spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64 +75 -0
data/spec/fixtures/ejbca/management_ca.crt +20 -0
data/spec/fixtures/ejbca/management_ca.full.crt +22 -0
data/spec/fixtures/ejbca/management_ca.key +27 -0
data/spec/fixtures/ejbca/management_ca.new.key +27 -0
data/spec/fixtures/ejbca/sample-request.csr +8 -0
data/spec/fixtures/ejbca/sample-request.key +9 -0
data/spec/fixtures/ejbca/sample-scep-request.pkcs7 +0 -0
data/spec/fixtures/ejbca/subca.crt +20 -0
data/spec/fixtures/ejbca/subca.key +27 -0
data/spec/fixtures/ejbca/subca.p12.base64 +75 -0
data/spec/fixtures/ejbca/superadmin.key +27 -0
data/spec/fixtures/foo.b64 +30 -0
data/spec/integration/ejbca_spec.rb +79 -0
data/spec/integration/jscep_cli_spec.rb +21 -0
data/spec/lib/scep/pki_operation/base_spec.rb +32 -0
data/spec/lib/scep/pki_operation/request_spec.rb +64 -8
data/spec/spec_helper.rb +10 -2
metadata +74 -3

data/spec/integration/ejbca_spec.rb ADDED

@@ -0,0 +1,79 @@
+require 'spec_helper'
+describe 'SCEP and EJBCA' do
+  before do
+    WebMock.allow_net_connect!
+  end
+  let(:ejbca_scep_url) { 'http://172.16.2.134:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
+  let(:endpoint)       { SCEP::Endpoint.new(ejbca_scep_url) }
+  describe 'GetCACaps' do
+    it 'supports the POSTPKIOperation' do
+      expect(endpoint.capabilities).to include('POSTPKIOperation')
+    end
+  end
+  describe 'GetCACert' do
+    context 'CA certificate' do
+      it 'successfully downloads the CA certificate' do
+        expect(endpoint.ca_certificate).to be_a(OpenSSL::X509::Certificate)
+      end
+    end
+    context 'RA certificate' do
+      it 'successfully downloads the RA certificate' do
+        expect(endpoint.ra_certificate).to be_a(OpenSSL::X509::Certificate)
+      end
+    end
+  end
+  describe 'PostPKIOperation' do
+    let(:ra_cert)     { endpoint.ra_certificate }
+    let(:our_keypair) { generate_keypair }
+    let(:csr)         { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
+    let(:request) do
+      req = SCEP::PKIOperation::Request.new(our_keypair)
+      req.csr = csr
+      req.challenge_password = 'foo123'
+      req
+    end
+    it 'signs a CSR' do
+      binding.pry
+      puts request.challenge_password
+      puts csr.subject
+      encrypted = request.encrypt(ra_cert)
+      asn1 = OpenSSL::ASN1.decode(encrypted.to_der)
+      pkcs_cert_resp_signed = asn1.value[1].value[0]
+      signer_info = pkcs_cert_resp_signed.value[4].value[0]
+      authenticated_attributes = signer_info.value[3]
+      #digest =
+      puts request.challenge_password
+      # binding.pry
+      puts csr.subject
+      endpoint.pki_operation(encrypted.to_der)
+    end
+  end
+  describe 'unpacking sample request' do
+    let(:ca_keypair) { SCEP::Keypair.read fixture_path('ejbca/management_ca.crt'), fixture_path('ejbca/superadmin.key') }
+    let(:request)    { SCEP::PKIOperation::Request.new(ca_keypair) }
+    let(:enc_req)    { read_fixture('ejbca/sample-scep-request.pkcs7') }
+    before { request.decrypt(enc_req, false) }
+    it 'foos' do
+      puts :foo
+    end
+  end
+end

data/spec/integration/jscep_cli_spec.rb ADDED

@@ -0,0 +1,21 @@
+require 'spec_helper'
+describe SCEP::JSCEPCli do
+  let(:cli) { SCEP::JSCEPCli.new }
+  let(:private_key) { OpenSSL::PKey::RSA.new read_fixture('ejbca/sample-request.key') }
+  let(:csr) { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
+  let(:challenge) { 'foo123' }
+  let(:dn) { 'CN=user'}
+  let(:url) { 'http://172.16.2.132:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
+  let(:ca_identifier) { 'ManagementCA' }
+  let(:request) { SCEP::JSCEPCli::Request.new(csr, private_key, ca_identifier, dn, challenge, url) }
+  describe 'certificate generation' do
+    it 'generates a valid cert' do
+      cli.forward(request)
+    end
+  end
+end

data/spec/lib/scep/pki_operation/base_spec.rb CHANGED

@@ -53,4 +53,36 @@ describe SCEP::PKIOperation::Base do
       end
     end
   end
+  describe '#check_if_recipient_matches_ra_certificate_name' do
+    let(:misc_keypair) { generate_keypair(nil, nil, '/C=Asdf/O=Fake')  }
+    let(:p7enc)        { OpenSSL::PKCS7.encrypt([target_cert], 'foo', base.class.create_default_cipher)}
+    context 'with matching recipients' do
+      let(:target_cert)  { ra_keypair.certificate }
+      it 'returns true' do
+        matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
+        expect(matches).to eql(true)
+      end
+    end
+    context 'with non-matching recepients' do
+      let(:target_cert) { misc_keypair.certificate }
+      it 'returns false' do
+        matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
+        expect(matches).to eql(false)
+      end
+    end
+    context 'with no recepients' do
+      let(:p7enc) { OpenSSL::PKCS7.new }
+      it 'returns false' do
+        matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
+        expect(matches).to eql(false)
+      end
+    end
+  end
 end

data/spec/lib/scep/pki_operation/request_spec.rb CHANGED

@@ -23,15 +23,35 @@ describe SCEP::PKIOperation::Request do
   end
   describe '#encrypt' do
-    it 'encrypts and signs the CSR' do
-      subject.csr = csr
-      encrypted = subject.encrypt(misc_keypair.certificate)
+    context 'without message type tampering' do
+      it 'encrypts and signs the CSR' do
+        subject.csr = csr
+        encrypted = subject.encrypt(misc_keypair.certificate)
-      # Might as well use our already tested decryption method above
-      request = SCEP::PKIOperation::Request.new(misc_keypair)
-      request.add_verification_certificate(ra_keypair.certificate)
-      request.decrypt(encrypted)
-      expect(request.csr.to_pem).to eql(csr.to_pem)
+        # Might as well use our already tested decryption method above
+        request = SCEP::PKIOperation::Request.new(misc_keypair)
+        request.add_verification_certificate(ra_keypair.certificate)
+        request.decrypt(encrypted)
+        expect(request.csr.to_pem).to eql(csr.to_pem)
+      end
+    end
+    context 'with message type tampering' do
+      it 'encrypts, but breaks verification' do
+        subject.csr = csr
+        subject.tamper_scep_message_type = true
+        signed_and_encrypted = subject.encrypt(misc_keypair.certificate)
+        p7sign = OpenSSL::PKCS7.new(signed_and_encrypted)
+        store = OpenSSL::X509::Store.new
+        store.add_cert(ra_keypair.certificate)
+        verified = p7sign.verify([], store, nil, OpenSSL::PKCS7::BINARY)
+        # Is this test failing?
+        # Is #add_scep_message_type method adding the correct digest? Then this test is invalid - delete it!
+        # Otherwise, you might be returning the pre-tampered message
+        expect(verified).to eql(false)
+      end
     end
   end
@@ -52,4 +72,40 @@ describe SCEP::PKIOperation::Request do
     end
   end
+  # The procedure of this test:
+  #
+  #  1 - Generate a PKCS7 request
+  #  2 - Get it's original authenticatedAttributes digest
+  #  3 - Re-calculate the authenticatedAttributes
+  #  4 - Ensure new digest is exactly the same as the original
+  #
+  # Currently stuck, so commented out for now
+  describe '#recalculate_authenticated_attributes_digest' do
+    def pluck_digest(signer_info)
+      encrypted_digest = signer_info.value.last.value
+      decrypted_asn1_digest = subject.ra_keypair.private_key.public_decrypt(encrypted_digest)
+      decrypted_asn1_digest = OpenSSL::ASN1.decode(decrypted_asn1_digest)
+      return decrypted_asn1_digest.value.last.value
+    end
+    it 'correctly generates a new digest' do
+      pending 'Need to figure out how to correctly generate a digest!'
+      subject.csr = csr
+      p7sign = subject.encrypt(misc_keypair.certificate)
+      asn1 =  OpenSSL::ASN1.decode(p7sign.to_der)
+      signer_info = asn1.value[1].value[0].value[4].value[0]
+      original_digest = pluck_digest(signer_info)
+      subject.send(:recalculate_authenticated_attributes_digest, signer_info)
+      new_digest = pluck_digest(signer_info)
+      expect(new_digest).to eql(original_digest)
+    end
+  end
 end

data/spec/spec_helper.rb CHANGED

@@ -3,7 +3,15 @@ require 'bundler'
 Bundler.require :default
+require 'pry'
 require 'webmock/rspec'
+require 'scep'
+if RUBY_VERSION > '1.8.7'
+  require 'codeclimate-test-reporter'
+  WebMock.disable_net_connect!(:allow => 'codeclimate.com')
+  CodeClimate::TestReporter.start
+end
 def read_fixture(path)
   File.open(fixture_path path).read
@@ -24,11 +32,11 @@ end
 # @param [SCEP::Keypair] signer
 # @return [SCEP::Keypair]
 # @see http://stackoverflow.com/questions/2381394/ruby-generate-self-signed-certificate
-def generate_keypair(signer = nil, serial = nil)
+def generate_keypair(signer = nil, serial = nil, subj = nil)
   serial ||= next_serial
   private_key = OpenSSL::PKey::RSA.new(1024)
-  subject = '/C=BE/O=Test/OU=Test/CN=Test'
+  subject = subj || '/C=BE/O=Test/OU=Test/CN=Test'
   signer_private_key = signer ? signer.private_key : private_key
   signer_name        = signer ? signer.certificate.subject : OpenSSL::X509::Name.parse(subject)

metadata CHANGED

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: scep
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Christopher Thornton
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-05-12 00:00:00.000000000 Z
+date: 2015-06-18 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: openssl-extensions
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: httparty
   requirement: !ruby/object:Gem::Requirement
@@ -24,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -105,11 +133,14 @@ files:
 - ".rspec"
 - ".ruby-version"
 - ".travis.yml"
+- ".yardopts"
 - Gemfile
 - README.md
 - Rakefile
 - lib/scep.rb
+- lib/scep/asn1.rb
 - lib/scep/endpoint.rb
+- lib/scep/jscep_cli.rb
 - lib/scep/keypair.rb
 - lib/scep/pkcs7_cert_only.rb
 - lib/scep/pki_operation.rb
@@ -120,9 +151,29 @@ files:
 - lib/scep/version.rb
 - scep.gemspec
 - spec/console
+- spec/fixtures/ejbca/ca.crt
+- spec/fixtures/ejbca/ca.key
+- spec/fixtures/ejbca/ca/README
+- spec/fixtures/ejbca/ca/management_ca/data.xml
+- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
+- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
+- spec/fixtures/ejbca/management_ca.crt
+- spec/fixtures/ejbca/management_ca.full.crt
+- spec/fixtures/ejbca/management_ca.key
+- spec/fixtures/ejbca/management_ca.new.key
+- spec/fixtures/ejbca/sample-request.csr
+- spec/fixtures/ejbca/sample-request.key
+- spec/fixtures/ejbca/sample-scep-request.pkcs7
+- spec/fixtures/ejbca/subca.crt
+- spec/fixtures/ejbca/subca.key
+- spec/fixtures/ejbca/subca.p12.base64
+- spec/fixtures/ejbca/superadmin.key
+- spec/fixtures/foo.b64
 - spec/fixtures/self-signed.crt
 - spec/fixtures/self-signed.csr
 - spec/fixtures/self-signed.key
+- spec/integration/ejbca_spec.rb
+- spec/integration/jscep_cli_spec.rb
 - spec/lib/scep/endpoint_spec.rb
 - spec/lib/scep/keypair_spec.rb
 - spec/lib/scep/pkcs7_cert_only_spec.rb
@@ -133,7 +184,7 @@ files:
 - spec/spec_helper.rb
 homepage: https://github.com/onelogin/scep-gem
 licenses:
-- Proprietary
+- MIT
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -157,9 +208,29 @@ specification_version: 4
 summary: SCEP libraries
 test_files:
 - spec/console
+- spec/fixtures/ejbca/ca.crt
+- spec/fixtures/ejbca/ca.key
+- spec/fixtures/ejbca/ca/README
+- spec/fixtures/ejbca/ca/management_ca/data.xml
+- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
+- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
+- spec/fixtures/ejbca/management_ca.crt
+- spec/fixtures/ejbca/management_ca.full.crt
+- spec/fixtures/ejbca/management_ca.key
+- spec/fixtures/ejbca/management_ca.new.key
+- spec/fixtures/ejbca/sample-request.csr
+- spec/fixtures/ejbca/sample-request.key
+- spec/fixtures/ejbca/sample-scep-request.pkcs7
+- spec/fixtures/ejbca/subca.crt
+- spec/fixtures/ejbca/subca.key
+- spec/fixtures/ejbca/subca.p12.base64
+- spec/fixtures/ejbca/superadmin.key
+- spec/fixtures/foo.b64
 - spec/fixtures/self-signed.crt
 - spec/fixtures/self-signed.csr
 - spec/fixtures/self-signed.key
+- spec/integration/ejbca_spec.rb
+- spec/integration/jscep_cli_spec.rb
 - spec/lib/scep/endpoint_spec.rb
 - spec/lib/scep/keypair_spec.rb
 - spec/lib/scep/pkcs7_cert_only_spec.rb