scep 0.0.1 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +5 -1
- data/.yardopts +3 -0
- data/README.md +19 -1
- data/lib/scep.rb +2 -4
- data/lib/scep/asn1.rb +38 -0
- data/lib/scep/endpoint.rb +2 -0
- data/lib/scep/jscep_cli.rb +26 -0
- data/lib/scep/keypair.rb +4 -0
- data/lib/scep/pki_operation/base.rb +25 -0
- data/lib/scep/pki_operation/request.rb +122 -1
- data/lib/scep/version.rb +1 -1
- data/scep.gemspec +4 -1
- data/spec/console +2 -0
- data/spec/fixtures/ejbca/ca.crt +20 -0
- data/spec/fixtures/ejbca/ca.key +27 -0
- data/spec/fixtures/ejbca/ca/README +14 -0
- data/spec/fixtures/ejbca/ca/management_ca/data.xml +511 -0
- data/spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64 +75 -0
- data/spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64 +75 -0
- data/spec/fixtures/ejbca/management_ca.crt +20 -0
- data/spec/fixtures/ejbca/management_ca.full.crt +22 -0
- data/spec/fixtures/ejbca/management_ca.key +27 -0
- data/spec/fixtures/ejbca/management_ca.new.key +27 -0
- data/spec/fixtures/ejbca/sample-request.csr +8 -0
- data/spec/fixtures/ejbca/sample-request.key +9 -0
- data/spec/fixtures/ejbca/sample-scep-request.pkcs7 +0 -0
- data/spec/fixtures/ejbca/subca.crt +20 -0
- data/spec/fixtures/ejbca/subca.key +27 -0
- data/spec/fixtures/ejbca/subca.p12.base64 +75 -0
- data/spec/fixtures/ejbca/superadmin.key +27 -0
- data/spec/fixtures/foo.b64 +30 -0
- data/spec/integration/ejbca_spec.rb +79 -0
- data/spec/integration/jscep_cli_spec.rb +21 -0
- data/spec/lib/scep/pki_operation/base_spec.rb +32 -0
- data/spec/lib/scep/pki_operation/request_spec.rb +64 -8
- data/spec/spec_helper.rb +10 -2
- metadata +74 -3
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'SCEP and EJBCA' do
|
|
4
|
+
before do
|
|
5
|
+
WebMock.allow_net_connect!
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
let(:ejbca_scep_url) { 'http://172.16.2.134:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
|
|
9
|
+
let(:endpoint) { SCEP::Endpoint.new(ejbca_scep_url) }
|
|
10
|
+
|
|
11
|
+
describe 'GetCACaps' do
|
|
12
|
+
it 'supports the POSTPKIOperation' do
|
|
13
|
+
expect(endpoint.capabilities).to include('POSTPKIOperation')
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
describe 'GetCACert' do
|
|
18
|
+
context 'CA certificate' do
|
|
19
|
+
it 'successfully downloads the CA certificate' do
|
|
20
|
+
expect(endpoint.ca_certificate).to be_a(OpenSSL::X509::Certificate)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
context 'RA certificate' do
|
|
25
|
+
it 'successfully downloads the RA certificate' do
|
|
26
|
+
expect(endpoint.ra_certificate).to be_a(OpenSSL::X509::Certificate)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
describe 'PostPKIOperation' do
|
|
32
|
+
let(:ra_cert) { endpoint.ra_certificate }
|
|
33
|
+
let(:our_keypair) { generate_keypair }
|
|
34
|
+
let(:csr) { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
|
|
35
|
+
let(:request) do
|
|
36
|
+
req = SCEP::PKIOperation::Request.new(our_keypair)
|
|
37
|
+
req.csr = csr
|
|
38
|
+
req.challenge_password = 'foo123'
|
|
39
|
+
req
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it 'signs a CSR' do
|
|
43
|
+
binding.pry
|
|
44
|
+
puts request.challenge_password
|
|
45
|
+
puts csr.subject
|
|
46
|
+
encrypted = request.encrypt(ra_cert)
|
|
47
|
+
|
|
48
|
+
asn1 = OpenSSL::ASN1.decode(encrypted.to_der)
|
|
49
|
+
|
|
50
|
+
pkcs_cert_resp_signed = asn1.value[1].value[0]
|
|
51
|
+
signer_info = pkcs_cert_resp_signed.value[4].value[0]
|
|
52
|
+
authenticated_attributes = signer_info.value[3]
|
|
53
|
+
|
|
54
|
+
#digest =
|
|
55
|
+
puts request.challenge_password
|
|
56
|
+
# binding.pry
|
|
57
|
+
|
|
58
|
+
puts csr.subject
|
|
59
|
+
|
|
60
|
+
endpoint.pki_operation(encrypted.to_der)
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
describe 'unpacking sample request' do
|
|
65
|
+
let(:ca_keypair) { SCEP::Keypair.read fixture_path('ejbca/management_ca.crt'), fixture_path('ejbca/superadmin.key') }
|
|
66
|
+
let(:request) { SCEP::PKIOperation::Request.new(ca_keypair) }
|
|
67
|
+
let(:enc_req) { read_fixture('ejbca/sample-scep-request.pkcs7') }
|
|
68
|
+
|
|
69
|
+
before { request.decrypt(enc_req, false) }
|
|
70
|
+
|
|
71
|
+
it 'foos' do
|
|
72
|
+
puts :foo
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
|
|
79
|
+
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe SCEP::JSCEPCli do
|
|
4
|
+
let(:cli) { SCEP::JSCEPCli.new }
|
|
5
|
+
let(:private_key) { OpenSSL::PKey::RSA.new read_fixture('ejbca/sample-request.key') }
|
|
6
|
+
let(:csr) { OpenSSL::X509::Request.new read_fixture('ejbca/sample-request.csr') }
|
|
7
|
+
let(:challenge) { 'foo123' }
|
|
8
|
+
let(:dn) { 'CN=user'}
|
|
9
|
+
let(:url) { 'http://172.16.2.132:8080/ejbca/publicweb/apply/scep/scep/pkiclient.exe' }
|
|
10
|
+
let(:ca_identifier) { 'ManagementCA' }
|
|
11
|
+
|
|
12
|
+
let(:request) { SCEP::JSCEPCli::Request.new(csr, private_key, ca_identifier, dn, challenge, url) }
|
|
13
|
+
|
|
14
|
+
describe 'certificate generation' do
|
|
15
|
+
it 'generates a valid cert' do
|
|
16
|
+
cli.forward(request)
|
|
17
|
+
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
end
|
|
@@ -53,4 +53,36 @@ describe SCEP::PKIOperation::Base do
|
|
|
53
53
|
end
|
|
54
54
|
end
|
|
55
55
|
end
|
|
56
|
+
|
|
57
|
+
describe '#check_if_recipient_matches_ra_certificate_name' do
|
|
58
|
+
let(:misc_keypair) { generate_keypair(nil, nil, '/C=Asdf/O=Fake') }
|
|
59
|
+
let(:p7enc) { OpenSSL::PKCS7.encrypt([target_cert], 'foo', base.class.create_default_cipher)}
|
|
60
|
+
|
|
61
|
+
context 'with matching recipients' do
|
|
62
|
+
let(:target_cert) { ra_keypair.certificate }
|
|
63
|
+
|
|
64
|
+
it 'returns true' do
|
|
65
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
|
66
|
+
expect(matches).to eql(true)
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
context 'with non-matching recepients' do
|
|
71
|
+
let(:target_cert) { misc_keypair.certificate }
|
|
72
|
+
|
|
73
|
+
it 'returns false' do
|
|
74
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
|
75
|
+
expect(matches).to eql(false)
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
context 'with no recepients' do
|
|
80
|
+
let(:p7enc) { OpenSSL::PKCS7.new }
|
|
81
|
+
|
|
82
|
+
it 'returns false' do
|
|
83
|
+
matches = base.send(:check_if_recipient_matches_ra_certificate_name, p7enc)
|
|
84
|
+
expect(matches).to eql(false)
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
end
|
|
56
88
|
end
|
|
@@ -23,15 +23,35 @@ describe SCEP::PKIOperation::Request do
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
describe '#encrypt' do
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
26
|
+
context 'without message type tampering' do
|
|
27
|
+
it 'encrypts and signs the CSR' do
|
|
28
|
+
subject.csr = csr
|
|
29
|
+
encrypted = subject.encrypt(misc_keypair.certificate)
|
|
29
30
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
31
|
+
# Might as well use our already tested decryption method above
|
|
32
|
+
request = SCEP::PKIOperation::Request.new(misc_keypair)
|
|
33
|
+
request.add_verification_certificate(ra_keypair.certificate)
|
|
34
|
+
request.decrypt(encrypted)
|
|
35
|
+
expect(request.csr.to_pem).to eql(csr.to_pem)
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
context 'with message type tampering' do
|
|
40
|
+
it 'encrypts, but breaks verification' do
|
|
41
|
+
subject.csr = csr
|
|
42
|
+
subject.tamper_scep_message_type = true
|
|
43
|
+
signed_and_encrypted = subject.encrypt(misc_keypair.certificate)
|
|
44
|
+
|
|
45
|
+
p7sign = OpenSSL::PKCS7.new(signed_and_encrypted)
|
|
46
|
+
store = OpenSSL::X509::Store.new
|
|
47
|
+
store.add_cert(ra_keypair.certificate)
|
|
48
|
+
verified = p7sign.verify([], store, nil, OpenSSL::PKCS7::BINARY)
|
|
49
|
+
|
|
50
|
+
# Is this test failing?
|
|
51
|
+
# Is #add_scep_message_type method adding the correct digest? Then this test is invalid - delete it!
|
|
52
|
+
# Otherwise, you might be returning the pre-tampered message
|
|
53
|
+
expect(verified).to eql(false)
|
|
54
|
+
end
|
|
35
55
|
end
|
|
36
56
|
end
|
|
37
57
|
|
|
@@ -52,4 +72,40 @@ describe SCEP::PKIOperation::Request do
|
|
|
52
72
|
end
|
|
53
73
|
end
|
|
54
74
|
|
|
75
|
+
# The procedure of this test:
|
|
76
|
+
#
|
|
77
|
+
# 1 - Generate a PKCS7 request
|
|
78
|
+
# 2 - Get it's original authenticatedAttributes digest
|
|
79
|
+
# 3 - Re-calculate the authenticatedAttributes
|
|
80
|
+
# 4 - Ensure new digest is exactly the same as the original
|
|
81
|
+
#
|
|
82
|
+
# Currently stuck, so commented out for now
|
|
83
|
+
describe '#recalculate_authenticated_attributes_digest' do
|
|
84
|
+
def pluck_digest(signer_info)
|
|
85
|
+
encrypted_digest = signer_info.value.last.value
|
|
86
|
+
decrypted_asn1_digest = subject.ra_keypair.private_key.public_decrypt(encrypted_digest)
|
|
87
|
+
decrypted_asn1_digest = OpenSSL::ASN1.decode(decrypted_asn1_digest)
|
|
88
|
+
return decrypted_asn1_digest.value.last.value
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
it 'correctly generates a new digest' do
|
|
92
|
+
pending 'Need to figure out how to correctly generate a digest!'
|
|
93
|
+
|
|
94
|
+
subject.csr = csr
|
|
95
|
+
p7sign = subject.encrypt(misc_keypair.certificate)
|
|
96
|
+
asn1 = OpenSSL::ASN1.decode(p7sign.to_der)
|
|
97
|
+
|
|
98
|
+
signer_info = asn1.value[1].value[0].value[4].value[0]
|
|
99
|
+
original_digest = pluck_digest(signer_info)
|
|
100
|
+
|
|
101
|
+
subject.send(:recalculate_authenticated_attributes_digest, signer_info)
|
|
102
|
+
|
|
103
|
+
new_digest = pluck_digest(signer_info)
|
|
104
|
+
|
|
105
|
+
expect(new_digest).to eql(original_digest)
|
|
106
|
+
|
|
107
|
+
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
end
|
|
55
111
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -3,7 +3,15 @@ require 'bundler'
|
|
|
3
3
|
|
|
4
4
|
Bundler.require :default
|
|
5
5
|
|
|
6
|
+
require 'pry'
|
|
6
7
|
require 'webmock/rspec'
|
|
8
|
+
require 'scep'
|
|
9
|
+
|
|
10
|
+
if RUBY_VERSION > '1.8.7'
|
|
11
|
+
require 'codeclimate-test-reporter'
|
|
12
|
+
WebMock.disable_net_connect!(:allow => 'codeclimate.com')
|
|
13
|
+
CodeClimate::TestReporter.start
|
|
14
|
+
end
|
|
7
15
|
|
|
8
16
|
def read_fixture(path)
|
|
9
17
|
File.open(fixture_path path).read
|
|
@@ -24,11 +32,11 @@ end
|
|
|
24
32
|
# @param [SCEP::Keypair] signer
|
|
25
33
|
# @return [SCEP::Keypair]
|
|
26
34
|
# @see http://stackoverflow.com/questions/2381394/ruby-generate-self-signed-certificate
|
|
27
|
-
def generate_keypair(signer = nil, serial = nil)
|
|
35
|
+
def generate_keypair(signer = nil, serial = nil, subj = nil)
|
|
28
36
|
serial ||= next_serial
|
|
29
37
|
|
|
30
38
|
private_key = OpenSSL::PKey::RSA.new(1024)
|
|
31
|
-
subject = '/C=BE/O=Test/OU=Test/CN=Test'
|
|
39
|
+
subject = subj || '/C=BE/O=Test/OU=Test/CN=Test'
|
|
32
40
|
|
|
33
41
|
signer_private_key = signer ? signer.private_key : private_key
|
|
34
42
|
signer_name = signer ? signer.certificate.subject : OpenSSL::X509::Name.parse(subject)
|
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: scep
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Christopher Thornton
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-06-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: openssl-extensions
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '0'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '0'
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: httparty
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -24,6 +38,20 @@ dependencies:
|
|
|
24
38
|
- - ">="
|
|
25
39
|
- !ruby/object:Gem::Version
|
|
26
40
|
version: '0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: codeclimate-test-reporter
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ">="
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ">="
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
27
55
|
- !ruby/object:Gem::Dependency
|
|
28
56
|
name: bundler
|
|
29
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -105,11 +133,14 @@ files:
|
|
|
105
133
|
- ".rspec"
|
|
106
134
|
- ".ruby-version"
|
|
107
135
|
- ".travis.yml"
|
|
136
|
+
- ".yardopts"
|
|
108
137
|
- Gemfile
|
|
109
138
|
- README.md
|
|
110
139
|
- Rakefile
|
|
111
140
|
- lib/scep.rb
|
|
141
|
+
- lib/scep/asn1.rb
|
|
112
142
|
- lib/scep/endpoint.rb
|
|
143
|
+
- lib/scep/jscep_cli.rb
|
|
113
144
|
- lib/scep/keypair.rb
|
|
114
145
|
- lib/scep/pkcs7_cert_only.rb
|
|
115
146
|
- lib/scep/pki_operation.rb
|
|
@@ -120,9 +151,29 @@ files:
|
|
|
120
151
|
- lib/scep/version.rb
|
|
121
152
|
- scep.gemspec
|
|
122
153
|
- spec/console
|
|
154
|
+
- spec/fixtures/ejbca/ca.crt
|
|
155
|
+
- spec/fixtures/ejbca/ca.key
|
|
156
|
+
- spec/fixtures/ejbca/ca/README
|
|
157
|
+
- spec/fixtures/ejbca/ca/management_ca/data.xml
|
|
158
|
+
- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
|
|
159
|
+
- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
|
|
160
|
+
- spec/fixtures/ejbca/management_ca.crt
|
|
161
|
+
- spec/fixtures/ejbca/management_ca.full.crt
|
|
162
|
+
- spec/fixtures/ejbca/management_ca.key
|
|
163
|
+
- spec/fixtures/ejbca/management_ca.new.key
|
|
164
|
+
- spec/fixtures/ejbca/sample-request.csr
|
|
165
|
+
- spec/fixtures/ejbca/sample-request.key
|
|
166
|
+
- spec/fixtures/ejbca/sample-scep-request.pkcs7
|
|
167
|
+
- spec/fixtures/ejbca/subca.crt
|
|
168
|
+
- spec/fixtures/ejbca/subca.key
|
|
169
|
+
- spec/fixtures/ejbca/subca.p12.base64
|
|
170
|
+
- spec/fixtures/ejbca/superadmin.key
|
|
171
|
+
- spec/fixtures/foo.b64
|
|
123
172
|
- spec/fixtures/self-signed.crt
|
|
124
173
|
- spec/fixtures/self-signed.csr
|
|
125
174
|
- spec/fixtures/self-signed.key
|
|
175
|
+
- spec/integration/ejbca_spec.rb
|
|
176
|
+
- spec/integration/jscep_cli_spec.rb
|
|
126
177
|
- spec/lib/scep/endpoint_spec.rb
|
|
127
178
|
- spec/lib/scep/keypair_spec.rb
|
|
128
179
|
- spec/lib/scep/pkcs7_cert_only_spec.rb
|
|
@@ -133,7 +184,7 @@ files:
|
|
|
133
184
|
- spec/spec_helper.rb
|
|
134
185
|
homepage: https://github.com/onelogin/scep-gem
|
|
135
186
|
licenses:
|
|
136
|
-
-
|
|
187
|
+
- MIT
|
|
137
188
|
metadata: {}
|
|
138
189
|
post_install_message:
|
|
139
190
|
rdoc_options: []
|
|
@@ -157,9 +208,29 @@ specification_version: 4
|
|
|
157
208
|
summary: SCEP libraries
|
|
158
209
|
test_files:
|
|
159
210
|
- spec/console
|
|
211
|
+
- spec/fixtures/ejbca/ca.crt
|
|
212
|
+
- spec/fixtures/ejbca/ca.key
|
|
213
|
+
- spec/fixtures/ejbca/ca/README
|
|
214
|
+
- spec/fixtures/ejbca/ca/management_ca/data.xml
|
|
215
|
+
- spec/fixtures/ejbca/ca/management_ca/keystore.p12.b64
|
|
216
|
+
- spec/fixtures/ejbca/ca/management_ca/xkmskeystore.p12.b64
|
|
217
|
+
- spec/fixtures/ejbca/management_ca.crt
|
|
218
|
+
- spec/fixtures/ejbca/management_ca.full.crt
|
|
219
|
+
- spec/fixtures/ejbca/management_ca.key
|
|
220
|
+
- spec/fixtures/ejbca/management_ca.new.key
|
|
221
|
+
- spec/fixtures/ejbca/sample-request.csr
|
|
222
|
+
- spec/fixtures/ejbca/sample-request.key
|
|
223
|
+
- spec/fixtures/ejbca/sample-scep-request.pkcs7
|
|
224
|
+
- spec/fixtures/ejbca/subca.crt
|
|
225
|
+
- spec/fixtures/ejbca/subca.key
|
|
226
|
+
- spec/fixtures/ejbca/subca.p12.base64
|
|
227
|
+
- spec/fixtures/ejbca/superadmin.key
|
|
228
|
+
- spec/fixtures/foo.b64
|
|
160
229
|
- spec/fixtures/self-signed.crt
|
|
161
230
|
- spec/fixtures/self-signed.csr
|
|
162
231
|
- spec/fixtures/self-signed.key
|
|
232
|
+
- spec/integration/ejbca_spec.rb
|
|
233
|
+
- spec/integration/jscep_cli_spec.rb
|
|
163
234
|
- spec/lib/scep/endpoint_spec.rb
|
|
164
235
|
- spec/lib/scep/keypair_spec.rb
|
|
165
236
|
- spec/lib/scep/pkcs7_cert_only_spec.rb
|