scep 0.0.1 → 0.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +5 -1
- data/.yardopts +3 -0
- data/README.md +19 -1
- data/lib/scep.rb +2 -4
- data/lib/scep/asn1.rb +38 -0
- data/lib/scep/endpoint.rb +2 -0
- data/lib/scep/jscep_cli.rb +26 -0
- data/lib/scep/keypair.rb +4 -0
- data/lib/scep/pki_operation/base.rb +25 -0
- data/lib/scep/pki_operation/request.rb +122 -1
- data/lib/scep/version.rb +1 -1
- data/scep.gemspec +4 -1
- data/spec/console +2 -0
- data/spec/fixtures/ejbca/ca.crt +20 -0
- data/spec/fixtures/ejbca/ca.key +27 -0
- data/spec/fixtures/ejbca/ca/README +14 -0
- data/spec/fixtures/ejbca/ca/management_ca/data.xml +511 -0
- data/spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64 +75 -0
- data/spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64 +75 -0
- data/spec/fixtures/ejbca/management_ca.crt +20 -0
- data/spec/fixtures/ejbca/management_ca.full.crt +22 -0
- data/spec/fixtures/ejbca/management_ca.key +27 -0
- data/spec/fixtures/ejbca/management_ca.new.key +27 -0
- data/spec/fixtures/ejbca/sample-request.csr +8 -0
- data/spec/fixtures/ejbca/sample-request.key +9 -0
- data/spec/fixtures/ejbca/sample-scep-request.pkcs7 +0 -0
- data/spec/fixtures/ejbca/subca.crt +20 -0
- data/spec/fixtures/ejbca/subca.key +27 -0
- data/spec/fixtures/ejbca/subca.p12.base64 +75 -0
- data/spec/fixtures/ejbca/superadmin.key +27 -0
- data/spec/fixtures/foo.b64 +30 -0
- data/spec/integration/ejbca_spec.rb +79 -0
- data/spec/integration/jscep_cli_spec.rb +21 -0
- data/spec/lib/scep/pki_operation/base_spec.rb +32 -0
- data/spec/lib/scep/pki_operation/request_spec.rb +64 -8
- data/spec/spec_helper.rb +10 -2
- metadata +74 -3
@@ -0,0 +1,79 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'SCEP and EJBCA' do
|
4
|
+
before do
|
5
|
+
WebMock.allow_net_connect!
|
6
|
+
end
|
7
|
+
|
8
|
+
let(:ejbca_scep_url) { 'http://172.16.2.134:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
|
9
|
+
let(:endpoint) { SCEP::Endpoint.new(ejbca_scep_url) }
|
10
|
+
|
11
|
+
describe 'GetCACaps' do
|
12
|
+
it 'supports the POSTPKIOperation' do
|
13
|
+
expect(endpoint.capabilities).to include('POSTPKIOperation')
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
describe 'GetCACert' do
|
18
|
+
context 'CA certificate' do
|
19
|
+
it 'successfully downloads the CA certificate' do
|
20
|
+
expect(endpoint.ca_certificate).to be_a(OpenSSL::X509::Certificate)
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
context 'RA certificate' do
|
25
|
+
it 'successfully downloads the RA certificate' do
|
26
|
+
expect(endpoint.ra_certificate).to be_a(OpenSSL::X509::Certificate)
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
describe 'PostPKIOperation' do
|
32
|
+
let(:ra_cert) { endpoint.ra_certificate }
|
33
|
+
let(:our_keypair) { generate_keypair }
|
34
|
+
let(:csr) { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
|
35
|
+
let(:request) do
|
36
|
+
req = SCEP::PKIOperation::Request.new(our_keypair)
|
37
|
+
req.csr = csr
|
38
|
+
req.challenge_password = 'foo123'
|
39
|
+
req
|
40
|
+
end
|
41
|
+
|
42
|
+
it 'signs a CSR' do
|
43
|
+
binding.pry
|
44
|
+
puts request.challenge_password
|
45
|
+
puts csr.subject
|
46
|
+
encrypted = request.encrypt(ra_cert)
|
47
|
+
|
48
|
+
asn1 = OpenSSL::ASN1.decode(encrypted.to_der)
|
49
|
+
|
50
|
+
pkcs_cert_resp_signed = asn1.value[1].value[0]
|
51
|
+
signer_info = pkcs_cert_resp_signed.value[4].value[0]
|
52
|
+
authenticated_attributes = signer_info.value[3]
|
53
|
+
|
54
|
+
#digest =
|
55
|
+
puts request.challenge_password
|
56
|
+
# binding.pry
|
57
|
+
|
58
|
+
puts csr.subject
|
59
|
+
|
60
|
+
endpoint.pki_operation(encrypted.to_der)
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
describe 'unpacking sample request' do
|
65
|
+
let(:ca_keypair) { SCEP::Keypair.read fixture_path('ejbca/management_ca.crt'), fixture_path('ejbca/superadmin.key') }
|
66
|
+
let(:request) { SCEP::PKIOperation::Request.new(ca_keypair) }
|
67
|
+
let(:enc_req) { read_fixture('ejbca/sample-scep-request.pkcs7') }
|
68
|
+
|
69
|
+
before { request.decrypt(enc_req, false) }
|
70
|
+
|
71
|
+
it 'foos' do
|
72
|
+
puts :foo
|
73
|
+
end
|
74
|
+
|
75
|
+
|
76
|
+
end
|
77
|
+
|
78
|
+
|
79
|
+
end
|
@@ -0,0 +1,21 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe SCEP::JSCEPCli do
|
4
|
+
let(:cli) { SCEP::JSCEPCli.new }
|
5
|
+
let(:private_key) { OpenSSL::PKey::RSA.new read_fixture('ejbca/sample-request.key') }
|
6
|
+
let(:csr) { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
|
7
|
+
let(:challenge) { 'foo123' }
|
8
|
+
let(:dn) { 'CN=user'}
|
9
|
+
let(:url) { 'http://172.16.2.132:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
|
10
|
+
let(:ca_identifier) { 'ManagementCA' }
|
11
|
+
|
12
|
+
let(:request) { SCEP::JSCEPCli::Request.new(csr, private_key, ca_identifier, dn, challenge, url) }
|
13
|
+
|
14
|
+
describe 'certificate generation' do
|
15
|
+
it 'generates a valid cert' do
|
16
|
+
cli.forward(request)
|
17
|
+
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
end
|
@@ -53,4 +53,36 @@ describe SCEP::PKIOperation::Base do
|
|
53
53
|
end
|
54
54
|
end
|
55
55
|
end
|
56
|
+
|
57
|
+
describe '#check_if_recipient_matches_ra_certificate_name' do
|
58
|
+
let(:misc_keypair) { generate_keypair(nil, nil, '/C=Asdf/O=Fake') }
|
59
|
+
let(:p7enc) { OpenSSL::PKCS7.encrypt([target_cert], 'foo', base.class.create_default_cipher)}
|
60
|
+
|
61
|
+
context 'with matching recipients' do
|
62
|
+
let(:target_cert) { ra_keypair.certificate }
|
63
|
+
|
64
|
+
it 'returns true' do
|
65
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
66
|
+
expect(matches).to eql(true)
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
context 'with non-matching recepients' do
|
71
|
+
let(:target_cert) { misc_keypair.certificate }
|
72
|
+
|
73
|
+
it 'returns false' do
|
74
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
75
|
+
expect(matches).to eql(false)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
context 'with no recepients' do
|
80
|
+
let(:p7enc) { OpenSSL::PKCS7.new }
|
81
|
+
|
82
|
+
it 'returns false' do
|
83
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
84
|
+
expect(matches).to eql(false)
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
56
88
|
end
|
@@ -23,15 +23,35 @@ describe SCEP::PKIOperation::Request do
|
|
23
23
|
end
|
24
24
|
|
25
25
|
describe '#encrypt' do
|
26
|
-
|
27
|
-
|
28
|
-
|
26
|
+
context 'without message type tampering' do
|
27
|
+
it 'encrypts and signs the CSR' do
|
28
|
+
subject.csr = csr
|
29
|
+
encrypted = subject.encrypt(misc_keypair.certificate)
|
29
30
|
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
31
|
+
# Might as well use our already tested decryption method above
|
32
|
+
request = SCEP::PKIOperation::Request.new(misc_keypair)
|
33
|
+
request.add_verification_certificate(ra_keypair.certificate)
|
34
|
+
request.decrypt(encrypted)
|
35
|
+
expect(request.csr.to_pem).to eql(csr.to_pem)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
context 'with message type tampering' do
|
40
|
+
it 'encrypts, but breaks verification' do
|
41
|
+
subject.csr = csr
|
42
|
+
subject.tamper_scep_message_type = true
|
43
|
+
signed_and_encrypted = subject.encrypt(misc_keypair.certificate)
|
44
|
+
|
45
|
+
p7sign = OpenSSL::PKCS7.new(signed_and_encrypted)
|
46
|
+
store = OpenSSL::X509::Store.new
|
47
|
+
store.add_cert(ra_keypair.certificate)
|
48
|
+
verified = p7sign.verify([], store, nil, OpenSSL::PKCS7::BINARY)
|
49
|
+
|
50
|
+
# Is this test failing?
|
51
|
+
# Is #add_scep_message_type method adding the correct digest? Then this test is invalid - delete it!
|
52
|
+
# Otherwise, you might be returning the pre-tampered message
|
53
|
+
expect(verified).to eql(false)
|
54
|
+
end
|
35
55
|
end
|
36
56
|
end
|
37
57
|
|
@@ -52,4 +72,40 @@ describe SCEP::PKIOperation::Request do
|
|
52
72
|
end
|
53
73
|
end
|
54
74
|
|
75
|
+
# The procedure of this test:
|
76
|
+
#
|
77
|
+
# 1 - Generate a PKCS7 request
|
78
|
+
# 2 - Get it's original authenticatedAttributes digest
|
79
|
+
# 3 - Re-calculate the authenticatedAttributes
|
80
|
+
# 4 - Ensure new digest is exactly the same as the original
|
81
|
+
#
|
82
|
+
# Currently stuck, so commented out for now
|
83
|
+
describe '#recalculate_authenticated_attributes_digest' do
|
84
|
+
def pluck_digest(signer_info)
|
85
|
+
encrypted_digest = signer_info.value.last.value
|
86
|
+
decrypted_asn1_digest = subject.ra_keypair.private_key.public_decrypt(encrypted_digest)
|
87
|
+
decrypted_asn1_digest = OpenSSL::ASN1.decode(decrypted_asn1_digest)
|
88
|
+
return decrypted_asn1_digest.value.last.value
|
89
|
+
end
|
90
|
+
|
91
|
+
it 'correctly generates a new digest' do
|
92
|
+
pending 'Need to figure out how to correctly generate a digest!'
|
93
|
+
|
94
|
+
subject.csr = csr
|
95
|
+
p7sign = subject.encrypt(misc_keypair.certificate)
|
96
|
+
asn1 = OpenSSL::ASN1.decode(p7sign.to_der)
|
97
|
+
|
98
|
+
signer_info = asn1.value[1].value[0].value[4].value[0]
|
99
|
+
original_digest = pluck_digest(signer_info)
|
100
|
+
|
101
|
+
subject.send(:recalculate_authenticated_attributes_digest, signer_info)
|
102
|
+
|
103
|
+
new_digest = pluck_digest(signer_info)
|
104
|
+
|
105
|
+
expect(new_digest).to eql(original_digest)
|
106
|
+
|
107
|
+
|
108
|
+
end
|
109
|
+
|
110
|
+
end
|
55
111
|
end
|
data/spec/spec_helper.rb
CHANGED
@@ -3,7 +3,15 @@ require 'bundler'
|
|
3
3
|
|
4
4
|
Bundler.require :default
|
5
5
|
|
6
|
+
require 'pry'
|
6
7
|
require 'webmock/rspec'
|
8
|
+
require 'scep'
|
9
|
+
|
10
|
+
if RUBY_VERSION > '1.8.7'
|
11
|
+
require 'codeclimate-test-reporter'
|
12
|
+
WebMock.disable_net_connect!(:allow => 'codeclimate.com')
|
13
|
+
CodeClimate::TestReporter.start
|
14
|
+
end
|
7
15
|
|
8
16
|
def read_fixture(path)
|
9
17
|
File.open(fixture_path path).read
|
@@ -24,11 +32,11 @@ end
|
|
24
32
|
# @param [SCEP::Keypair] signer
|
25
33
|
# @return [SCEP::Keypair]
|
26
34
|
# @see http://stackoverflow.com/questions/2381394/ruby-generate-self-signed-certificate
|
27
|
-
def generate_keypair(signer = nil, serial = nil)
|
35
|
+
def generate_keypair(signer = nil, serial = nil, subj = nil)
|
28
36
|
serial ||= next_serial
|
29
37
|
|
30
38
|
private_key = OpenSSL::PKey::RSA.new(1024)
|
31
|
-
subject = '/C=BE/O=Test/OU=Test/CN=Test'
|
39
|
+
subject = subj || '/C=BE/O=Test/OU=Test/CN=Test'
|
32
40
|
|
33
41
|
signer_private_key = signer ? signer.private_key : private_key
|
34
42
|
signer_name = signer ? signer.certificate.subject : OpenSSL::X509::Name.parse(subject)
|
metadata
CHANGED
@@ -1,15 +1,29 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: scep
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Christopher Thornton
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-
|
11
|
+
date: 2015-06-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: openssl-extensions
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '0'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '0'
|
13
27
|
- !ruby/object:Gem::Dependency
|
14
28
|
name: httparty
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -24,6 +38,20 @@ dependencies:
|
|
24
38
|
- - ">="
|
25
39
|
- !ruby/object:Gem::Version
|
26
40
|
version: '0'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: codeclimate-test-reporter
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - ">="
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - ">="
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '0'
|
27
55
|
- !ruby/object:Gem::Dependency
|
28
56
|
name: bundler
|
29
57
|
requirement: !ruby/object:Gem::Requirement
|
@@ -105,11 +133,14 @@ files:
|
|
105
133
|
- ".rspec"
|
106
134
|
- ".ruby-version"
|
107
135
|
- ".travis.yml"
|
136
|
+
- ".yardopts"
|
108
137
|
- Gemfile
|
109
138
|
- README.md
|
110
139
|
- Rakefile
|
111
140
|
- lib/scep.rb
|
141
|
+
- lib/scep/asn1.rb
|
112
142
|
- lib/scep/endpoint.rb
|
143
|
+
- lib/scep/jscep_cli.rb
|
113
144
|
- lib/scep/keypair.rb
|
114
145
|
- lib/scep/pkcs7_cert_only.rb
|
115
146
|
- lib/scep/pki_operation.rb
|
@@ -120,9 +151,29 @@ files:
|
|
120
151
|
- lib/scep/version.rb
|
121
152
|
- scep.gemspec
|
122
153
|
- spec/console
|
154
|
+
- spec/fixtures/ejbca/ca.crt
|
155
|
+
- spec/fixtures/ejbca/ca.key
|
156
|
+
- spec/fixtures/ejbca/ca/README
|
157
|
+
- spec/fixtures/ejbca/ca/management_ca/data.xml
|
158
|
+
- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
|
159
|
+
- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
|
160
|
+
- spec/fixtures/ejbca/management_ca.crt
|
161
|
+
- spec/fixtures/ejbca/management_ca.full.crt
|
162
|
+
- spec/fixtures/ejbca/management_ca.key
|
163
|
+
- spec/fixtures/ejbca/management_ca.new.key
|
164
|
+
- spec/fixtures/ejbca/sample-request.csr
|
165
|
+
- spec/fixtures/ejbca/sample-request.key
|
166
|
+
- spec/fixtures/ejbca/sample-scep-request.pkcs7
|
167
|
+
- spec/fixtures/ejbca/subca.crt
|
168
|
+
- spec/fixtures/ejbca/subca.key
|
169
|
+
- spec/fixtures/ejbca/subca.p12.base64
|
170
|
+
- spec/fixtures/ejbca/superadmin.key
|
171
|
+
- spec/fixtures/foo.b64
|
123
172
|
- spec/fixtures/self-signed.crt
|
124
173
|
- spec/fixtures/self-signed.csr
|
125
174
|
- spec/fixtures/self-signed.key
|
175
|
+
- spec/integration/ejbca_spec.rb
|
176
|
+
- spec/integration/jscep_cli_spec.rb
|
126
177
|
- spec/lib/scep/endpoint_spec.rb
|
127
178
|
- spec/lib/scep/keypair_spec.rb
|
128
179
|
- spec/lib/scep/pkcs7_cert_only_spec.rb
|
@@ -133,7 +184,7 @@ files:
|
|
133
184
|
- spec/spec_helper.rb
|
134
185
|
homepage: https://github.com/onelogin/scep-gem
|
135
186
|
licenses:
|
136
|
-
-
|
187
|
+
- MIT
|
137
188
|
metadata: {}
|
138
189
|
post_install_message:
|
139
190
|
rdoc_options: []
|
@@ -157,9 +208,29 @@ specification_version: 4
|
|
157
208
|
summary: SCEP libraries
|
158
209
|
test_files:
|
159
210
|
- spec/console
|
211
|
+
- spec/fixtures/ejbca/ca.crt
|
212
|
+
- spec/fixtures/ejbca/ca.key
|
213
|
+
- spec/fixtures/ejbca/ca/README
|
214
|
+
- spec/fixtures/ejbca/ca/management_ca/data.xml
|
215
|
+
- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
|
216
|
+
- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
|
217
|
+
- spec/fixtures/ejbca/management_ca.crt
|
218
|
+
- spec/fixtures/ejbca/management_ca.full.crt
|
219
|
+
- spec/fixtures/ejbca/management_ca.key
|
220
|
+
- spec/fixtures/ejbca/management_ca.new.key
|
221
|
+
- spec/fixtures/ejbca/sample-request.csr
|
222
|
+
- spec/fixtures/ejbca/sample-request.key
|
223
|
+
- spec/fixtures/ejbca/sample-scep-request.pkcs7
|
224
|
+
- spec/fixtures/ejbca/subca.crt
|
225
|
+
- spec/fixtures/ejbca/subca.key
|
226
|
+
- spec/fixtures/ejbca/subca.p12.base64
|
227
|
+
- spec/fixtures/ejbca/superadmin.key
|
228
|
+
- spec/fixtures/foo.b64
|
160
229
|
- spec/fixtures/self-signed.crt
|
161
230
|
- spec/fixtures/self-signed.csr
|
162
231
|
- spec/fixtures/self-signed.key
|
232
|
+
- spec/integration/ejbca_spec.rb
|
233
|
+
- spec/integration/jscep_cli_spec.rb
|
163
234
|
- spec/lib/scep/endpoint_spec.rb
|
164
235
|
- spec/lib/scep/keypair_spec.rb
|
165
236
|
- spec/lib/scep/pkcs7_cert_only_spec.rb
|