scep 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ceb79fd8756349928c7653f5c59191e3cc8cbfe7
+  data.tar.gz: 9f322dce3a3d7a45f7ae7c220d67b2908dc57380
+SHA512:
+  metadata.gz: 26c7b9378ffd100b39788cd61973e568b4413887bb6dac749ff68bb5d29419fb34028eade582235cd29970f9f27cdeeb39d73eb542ba011a0bddf4c5dc2f44fc
+  data.tar.gz: c864e7169c4ab8403d706b294cd48bfc535d010807d5e793b7347bd5463659095ea702db69cef2be1c2956afab5400c4e435b4d3a5d0809c220a972018b87d43

data/.gitignore

@@ -0,0 +1,15 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.idea

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format=documentation

data/.ruby-version

@@ -0,0 +1 @@
+2.2.0

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+cache: bundler
+rvm:
+  - 1.8.7
+  - 2.2.1
+script: bundle exec rspec

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in scep-gem.gemspec
+gemspec

data/README.md

@@ -0,0 +1,144 @@
+SCEP Gem
+========
+Libraries that allow you to be a SCEP server, be a SCEP proxy, etc.
+
+If you believe you have discovered a security vulnerability in this gem, please email security@onelogin.com with a description. You can also use the form based submission located here: https://www.onelogin.com/security. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+
+## Terminology
+
+* CSR - Certificate Signing Request. "I want you to sign my public key so you know who I am in the future"
+* CA - Certificate Authority. The ultimate authority who can sign certificates.
+* RA - Registration Authority. RA Certificates must be signed by CA. Accepts CSR on behalf of CA.
+  Forwards CSR to CA for signing. You can proxy through to multiple CA
+
+Note that a CA can be an RA.
+
+
+## SCEP Requests
+Contains a CSR that requires signing
+
+### Encrypt request
+When we want to forward a CSR to a RA. We may or may not be an RA ourselves.
+
+First,collect some certificates:
+
+```ruby
+their_ra_cert = OpenSSL::X509::Certificate.new File.read(their-ra.crt')
+our_keypair   = SCEP::Keypair.read 'our.crt', 'our.key'
+csr           = OpenSSL::X509::Request.new File.read('some.csr')
+```
+
+Now create a request object and get the encrypted result:
+
+```ruby
+request = SCEP::PKIOperation::Request.new(our_keypair)
+request.csr = csr
+encrypted = request.encrypt(their_ra_cert)
+```
+
+We can then send `encrypted` to an RA
+
+### Decrypt Request
+When we are an RA.
+
+First, collect some certificates:
+
+```ruby
+their_cert     = OpenSSL::X509::Certificate.new File.read('their.crt')
+our_ra_keypair = SCEP::Keypair.read 'our-ra.crt', 'our-ra.key'
+```
+
+Now we can make a request object and get the original CSR:
+
+```ruby
+request = SCEP::PKIOperation::Request.new(our_ra_keypair)
+request.verify_against(their_cert) # Make sure the response was signed by someone we trust
+
+# Fails decryption if not signed by `their_cert`
+request.decrypt(encrypted_request)
+
+# Will always decrypt and ignore signature verification
+request.decrypt(encrypted_request, false)
+
+# Now get the encoded CSR
+puts request.csr # => OpenSSL::X509::Request
+```
+
+### Proxying a Request
+If we are an RA, we can decrypt a request intended for us and re-encrypt it for another RA
+and grab the CSR in the process
+
+
+```ruby
+their_cert     = OpenSSL::X509::Certificate.new File.read('their.crt')
+their_ra_cert  = OpenSSL::X509::Certificate.new File.read('their-ra.crt')
+our_ra_keypair = SCEP::Keypair.read 'our-ra.crt', 'our-ra.key'
+
+request = SCEP::PKIOperation::Request.new(our_ra_keypair)
+request.verify_against(their_cert)
+newly_encrypted = request.proxy(original_encrypted_result, their_ra_cert)
+p request.csr # => OpenSSL::X509::Request
+```
+
+## SCEP Response
+Contains the signed X509 Certificate
+
+### Encrypting a Response
+When we are an RA
+
+```ruby
+their_cert     = OpenSSL::X509::Certificate.new File.read('their.crt')
+our_ra_keypair = SCEP::Keypair.read 'our-ra.crt', 'our-ra.key'
+
+signed_cert    = OpenSSL::X509::Certificate.new File.read('cert-signed-by-ca.crt')
+
+response = SCEP::PKIOperation::Response.new(our_ra_keypair)
+encrypted = response.encrypt(their_cert)
+```
+
+### Decrypting a Response
+When we are decrypting information from an RA
+
+```ruby
+their_ra_cert = OpenSSL::X509::Certificate.new File.read('their-ra.crt')
+our_keypair   = SCEP::Keypair.read 'our.crt', 'our.key'
+
+response = SCEP::PKIOperation::Response.new(our_keypair)
+response.verify_against(their_ra_cert)
+response.decrypt(encrypted_response)
+p response.signed_certificates  # => [OpenSSL::X509::Certificate]
+```
+
+## SCEP Proxy
+
+Easily be a SCEP proxy (psuedo sinatra syntax):
+
+```ruby
+require 'scep'
+
+ra_keypair = SCEP::Keypair.read('certs/ra.crt', 'certs/ra.key')
+scep_server = SCEP::Endpoint.new 'https://some-final-endpoint.com'
+
+post '/scep?operation=PKIOperation' do
+  proxy = SCEP::PKIOperation::Proxy.new(server, ra_keypair)
+
+  # Options to verify certificates:
+
+  # Verify request came from apple certificate
+  proxy.add_request_verification_certificate(@apple_cert) # OpenSSL::X509::Certificate
+
+  # Verify response came from CA certificate
+  proxy.add_response_verificaion_certificate(@ca_certificate) # OpenSSL::X509::Certificate
+
+  # Or don't verify anything
+  proxy.no_verify!
+
+  result = proxy.forward_pki_request(request.raw_post)
+
+  puts result.csr # The CSR they sent
+  puts result.signed_certificates # Returned signed certs from the SCEP server
+
+  headers['content-type'] = 'application/x-pki-message'
+  render results.p7enc_response.to_der
+end
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/lib/scep/endpoint.rb

@@ -0,0 +1,169 @@
+require 'httparty'
+require 'set'
+
+module SCEP
+  # Handles making requests to a SCEP server and storing the RA and CA certs. Currently uses
+  # the URL defined in the `config/endpoints.yml` file.
+  #
+  # @example
+  #   scep_endpoint = SCEP::Endpoint.new('https://scep-server-url.com')
+  #   # Downloads RA, CA certs
+  #   puts scep_endpoint.ca_certificate # => OpenSSL::X509::Certificate
+  #   puts scep_endpoint.ra_certificate
+  #
+  # @todo GetCACaps
+  class Endpoint
+    include HTTParty
+    include SCEP::Loggable
+
+    # An exception raised if the SCEP server does not properly support the SCEP protocol.
+    class ProtocolError < StandardError; end
+
+    default_timeout 2
+
+    attr_writer :ra_certificate
+
+    attr_writer :ca_certificate
+
+    attr_accessor :default_options
+
+    def initialize(base_uri, default_options = {})
+      @default_options = default_options.merge(:base_uri => base_uri)
+    end
+
+    # Gets the CA certificate. Will automatically download the CA certificate from
+    # the server if it has not yet been downloaded.
+    # @return [OpenSSL::X509::Certificate]
+    # @raise [ProtocolError] if the SCEP server does not return valid certs
+    def ca_certificate
+      download_certificates if @ca_certificate.nil?
+      return @ca_certificate
+    end
+
+    # Gets the RA certificate.
+    # @return [OpenSSL::X509::Certificate]
+    # @raise [ProtocolError] if the SCEP server does not return valid certs
+    # @note This will return the {#ca_certificate CA certificate} if the SCEP server does not
+    #   support RA certs.
+    def ra_certificate
+      # Force download of CA, possibly RA certificate
+      @ra_certificate || ca_certificate
+    end
+
+    # Checks to see if the SCEP server supports the RA certificate
+    # @return [Boolean]
+    def supports_ra_certificate?
+      ca_certificate != ra_certificate
+    end
+
+    # Downloads RA and CA certificates from the SCEP server using the `GetCACert` operation.
+    # Will give {#ra_certificate} and {#ca_certificate} values.
+    # @return [HTTParty::Response] the response from the SCEP server.
+    # @raise [ProtocolError] if the
+    def download_certificates
+      logger.debug 'Downloading CA, possibly RA certificate from SCEP server'
+      response = scep_request 'GetCACert'
+      if response.content_type == 'application/x-x509-ca-cert' # Only a CA cert
+        handle_ca_only_cert(response.body)
+      elsif response.content_type == 'application/x-x509-ca-ra-cert'
+        handle_ca_ra_cert(response.body)
+      else
+        fail ProtocolError, "SCEP server returned invalid content type of #{response.content_type}"
+      end
+      return response
+    end
+    alias_method :get_ca_cert, :download_certificates
+
+
+    # Gets server capabilities. Memoized version of {#fetch_capabilities}
+    # @return [Set<String>] a set of capabilities
+    def capabilities
+      @capabilities || fetch_capabilities
+    end
+
+    # Gets server capabilities. Always triggers a download of capabilities
+    # @return [Set<String>] a set of capabilities
+    def fetch_capabilities
+      logger.debug 'Getting SCEP endpoint capabilities'
+      response = scep_request 'GetCACaps'
+      caps = response.body.strip.split("\n")
+      @capabilities = Set.new(caps)
+      logger.debug "SCEP endpoint supports capabilities: #{@capabilities.inspect}"
+      return @capabilities
+    end
+
+    # Whether the SCEP endpoint supports the POSTPKIOperation
+    # @return [Boolean] TRUE if it is supported, FALSE otherwise
+    def post_pki_operation?
+      capabilities.include?('POSTPKIOperation')
+    end
+
+    # Executes a SCEP request.
+    # @param [String] operation the SCEP operation to perform
+    # @param [String] message an optional message to send
+    # @return [HTTParty::Response] the httparty response
+    def scep_request(operation, message = nil, is_post = false)
+      query = { :operation => operation }
+      query[:message] = message unless message.nil?
+      if is_post
+        logger.debug "Executing POST ?operation=#{operation}"
+        response = self.class.post '/', { :query => { :operation => operation}, :body => message }.merge(default_options)
+      else
+        logger.debug "Executing GET ?operation=#{operation}&message=#{message}"
+        response = self.class.get '/', { :query => query }.merge(default_options)
+      end
+
+      if response.code != 200
+        raise ProtocolError, "SCEP request returned non-200 code of #{response.code}"
+      end
+
+      return response
+    end
+
+
+    # @todo: handle GET PKIOperations
+    # @todo: verify actually signed by CA?
+    # @param [String] payload the raw payload to send
+    # @return [String] the response body
+    def pki_operation(payload)
+      response = scep_request('PKIOperation', payload, true)
+      if response.content_type != 'application/x-pki-message'
+        raise ProtocolError,
+          "SCEP PKIOperation didn't return content-type of application/x-pki-message (returned #{response.content_type})"
+      end
+      return response.body
+    end
+
+    protected
+
+    def handle_ca_only_cert(response_body)
+      logger.debug 'SCEP server does not support RA certificate - only using CA cert'
+      @ca_certificate = OpenSSL::X509::Certificate.new(response_body)
+    rescue StandardError
+      fail ProtocolError, 'SCEP server did not return parseable X509::Certificate'
+    end
+
+    def handle_ca_ra_cert(response_body)
+      logger.debug 'SCEP server has both RA and CA certificate'
+
+      begin
+        pcerts = PKCS7CertOnly.decode(response_body)
+      rescue StandardError
+        fail ProtocolError, 'SCEP server did not return a parseable PKCS#7'
+      end
+
+      fail ProtocolError,
+           'SCEP server did not return two certificates in PKCS#7 cert chain' unless
+        pcerts.certificates.length == 2
+
+
+      unless pcerts.certificates[1].verify(pcerts.certificates[0].public_key)
+        fail ProtocolError,
+          'RA certificate must be signed by CA certificate when using RA/CA cert combination'
+      end
+
+      @ca_certificate = pcerts.certificates[0]
+      @ra_certificate = pcerts.certificates[1]
+    end
+  end
+end

data/lib/scep/keypair.rb

@@ -0,0 +1,69 @@
+module SCEP
+  # A public / private keypair
+  class Keypair
+
+    # The various cryptosystems we support. Used mostly for ruby 1.8.7, which cannot
+    # automatically determine which cryptosystem is being used.
+    SUPPORTED_CRYPTOSYSTEMS = [
+      OpenSSL::PKey::RSA,
+      OpenSSL::PKey::DSA,
+      OpenSSL::PKey::EC,
+      OpenSSL::PKey::DH
+    ]
+
+    # @return [OpenSSL::X509::Certificate]
+    attr_accessor :certificate
+    alias_method :cert, :certificate
+
+    # @return [OpenSSL::PKey]
+    attr_accessor :private_key
+
+    def initialize(certificate, private_key)
+      raise ArgumentError, '`certificate` must be an OpenSSL::X509::Certificate' unless
+        certificate.is_a?(OpenSSL::X509::Certificate)
+
+      @certificate = certificate
+      @private_key = private_key
+    end
+
+    # Loads a keypair from a file
+    # @param [String] certificate_filepath
+    # @param [String] private_key_filepath
+    # @param [String] private_key_passphrase add this if you
+    # @return [Keypair]
+    def self.read(certificate_filepath, private_key_filepath, private_key_passphrase = nil)
+      x509_cert = OpenSSL::X509::Certificate.new File.read(certificate_filepath.to_s)
+      pkey      = read_private_key(File.open(private_key_filepath.to_s).read, private_key_passphrase)
+      new(x509_cert, pkey)
+    end
+
+    protected
+
+    # Reads a DER or PEM encoded private key that is one of the {SUPPORTED_CRYPTOSYSTEMS}. In
+    # ruby 1.9+ we can do this easily. In ruby 1.8.7 we have to keep on guessing until we get
+    # it right.
+    def self.read_private_key(encoded_key, passphrase = nil)
+      # Ruby 1.9.3+
+      if OpenSSL::PKey.respond_to?(:read)
+        OpenSSL::PKey.read encoded_key, passphrase
+
+      # Ruby 1.8.7 - keep on guessing which cryptosystem until we're correct
+      else
+        SUPPORTED_CRYPTOSYSTEMS.each do |system|
+          begin
+            return system.new(encoded_key, passphrase)
+          rescue
+          end
+        end
+
+        # If we're here, then the file is probably invalid
+        raise UnsupportedCryptosystem,
+          "Either private key is invalid, passphrase is invalid, or does not support one " \
+          "of cryptosystems: #{SUPPORTED_CRYPTOSYSTEMS.map(&:name).join(', ')}"
+      end
+    end
+
+
+    class UnsupportedCryptosystem < StandardError; end
+  end
+end

data/lib/scep/pkcs7_cert_only.rb

@@ -0,0 +1,86 @@
+module SCEP
+  # Workaround for issue generating PKCS#7 certificate only in ruby 2.x.
+  #
+  # Normally you could generate the certificate chain using the following code:
+  #
+  # ```ruby
+  # p7certs = OpenSSL::PKCS7.new
+  # p7certs.type = 'signed'
+  # p7certs.certificates = [x509_cert_1, x509_cert_2]
+  # ````
+  #
+  # But producing this in a der format is not valid:
+  #
+  # ```ruby
+  # der = p7certs.to_der
+  # p7decoded = OpenSSL::PKCS7.new(der) # exception!
+  # ```
+  #
+  # This class manually creates the ASN1 notation and creates a correctly formatted result:
+  #
+  # ```ruby
+  # p7certs = Pkcs7CertOnly.new([x509_cert_1, x509_cert_2])
+  # der = p7certs.to_der
+  # p7decoded = OpenSSL::PKCS7.new(der) # works!
+  # p7decoded.certificates # => [ array of the original x509 certificates ]
+  # ```
+  #
+  # @see https://groups.google.com/forum/#!topic/mailing.openssl.users/AIZndhJuG7I
+  # @see https://gist.github.com/cgthornt/fe1f9d68e18cc4d1ba20
+  class PKCS7CertOnly
+    include OpenSSL::ASN1
+
+    # @return [Array<OpenSSL::X509::Certificate>]
+    attr_accessor :certificates
+
+    def initialize(certificates = [])
+      @certificates = certificates
+    end
+
+    # Takes a binary encoded DER PKCS#7 certificates only payload and decodes it
+    # @param [String] der_encoded the encoded payload
+    # @return [Pkcs7CertOnly]
+    def self.decode(der_encoded)
+      p7certs = OpenSSL::PKCS7.new(der_encoded)
+      new(p7certs.certificates)
+    end
+
+    # Converts this into an ASN1 sequence
+    # @return [OpenSSL::ASN1::Sequence]
+    def to_asn1
+
+      # Converts to an array of ASN1 encoded certs
+      asn1_certs = certificates.map do |cert|
+        decode(cert.to_der)
+      end
+
+      Sequence.new([
+       OpenSSL::ASN1::ObjectId.new('1.2.840.113549.1.7.2'),
+       ASN1Data.new([
+        Sequence.new([
+         OpenSSL::ASN1::Integer.new(1),
+         OpenSSL::ASN1::Set.new([]),
+         Sequence.new([
+            OpenSSL::ASN1::ObjectId.new('1.2.840.113549.1.7.1')
+          ]),
+         ASN1Data.new(asn1_certs, 0, :CONTEXT_SPECIFIC),
+         ASN1Data.new([], 1, :CONTEXT_SPECIFIC),
+         OpenSSL::ASN1::Set.new([])
+       ])
+      ], 0, :CONTEXT_SPECIFIC)
+     ])
+    end
+
+    # Gets this in a der (binary) format
+    # @return [String] binary encoded format
+    def to_der
+      to_asn1.to_der
+    end
+
+    # Gets this as a PKCS7 object
+    # @return [OpenSSL::PKCS7]
+    def to_pkcs7
+      OpenSSL::PKCS7.new(to_der)
+    end
+  end
+end

data/lib/scep/pki_operation/base.rb

@@ -0,0 +1,121 @@
+module SCEP
+  module PKIOperation
+
+    # Base class that contains commonalities between both requests and repsonses:
+    #
+    # * {#ra_certificate RA Certificate}
+    # * {#ra_private_key RA Private Key}
+    #
+    class Base
+      DEFAULT_CIPHER_ALGORITHM = 'aes-256-cbc'
+
+      # Our keypair
+      # @return [Keypair]
+      attr_accessor :ra_keypair
+
+      # The last signed payload
+      # @return [OpenSSL::PKCS7]
+      attr_reader :p7sign
+
+      # The last encrypted payload
+      # @return [OpenSSL::PKCS7]
+      attr_reader :p7enc
+
+      # The store of trusted certs
+      # @return [OpenSSL::X509::Store]
+      attr_writer :x509_store
+
+      # Creates a new payload
+      # @param [Keypair] ra_keypair
+      def initialize(ra_keypair)
+        @ra_keypair = ra_keypair
+      end
+
+      # Gets an x509 store. Defaults to a store with system default paths. Used for
+      # {#unsign_and_unencrypt_raw decryption}.
+      # @return [OpenSSL::X509::Store]
+      def x509_store
+        @x509_store ||= OpenSSL::X509::Store.new
+      end
+
+      # Adds a certificate to verify against
+      # @param [OpenSSL::X509::Certificate] cert
+      def add_verification_certificate(cert)
+        x509_store.add_cert(cert)
+      end
+      alias_method :verify_against, :add_verification_certificate
+
+      protected
+
+      # Takes a raw binary string and returns the raw, unencrypted data
+      # @param [String] signed_and_encrypted_csr the signed and encrypted data
+      # @param [Boolean] verify if TRUE, verifies the signed PKCS7 payload against the {#x509_store}
+      # @raise [SCEP::PKIOperation::VerificationFailed] if `verify` is TRUE and the signed payload
+      #   was *not* verified against the {#x509_store}.
+      # @return [String] the decrypted and unsigned data (original format)
+      def unsign_and_unencrypt_raw(signed_and_encrypted_csr, verify = true)
+        # Remove signature
+        @p7sign = OpenSSL::PKCS7.new(signed_and_encrypted_csr)
+
+        flags = OpenSSL::PKCS7::BINARY
+        flags |= OpenSSL::PKCS7::NOVERIFY unless verify
+
+        # See http://openssl.6102.n7.nabble.com/pkcs7-verification-with-ruby-td28455.html
+        verified = @p7sign.verify([], x509_store, nil, flags)
+
+        if !verified
+          raise SCEP::PKIOperation::VerificationFailed,
+            'Unable to verify signature against certificate store - did you add the correct certificates?'
+        end
+
+
+        # Decrypt
+        @p7enc   = OpenSSL::PKCS7.new(@p7sign.data)
+        @p7enc.decrypt(ra_keypair.private_key, ra_keypair.certificate, OpenSSL::PKCS7::BINARY)
+      end
+
+      # Signs and encrypts the given raw data
+      # @param [String] raw_data the raw data to sign and encrypt
+      # @param [OpenSSL::X509::Certificate] target_encryption_certs the cert(s) to encrypt for
+      # @param [OpenSSL::Cipher::Cipher] cipher the cipher to use. Defaults to {.create_default_cipher}
+      # @return [OpenSSL::PKCS7] the signed and encrypted payload
+      def sign_and_encrypt_raw(raw_data, target_encryption_certs, cipher = nil)
+        cipher ||= self.class.create_default_cipher
+
+        encrypted = OpenSSL::PKCS7.encrypt(
+          wrap_array(target_encryption_certs),
+          raw_data,
+          cipher,
+          OpenSSL::PKCS7::BINARY)
+
+        OpenSSL::PKCS7.sign(
+          ra_keypair.certificate,
+          ra_keypair.private_key,
+          encrypted.to_der,
+          [ra_keypair.certificate],
+          OpenSSL::PKCS7::BINARY)
+      end
+
+      # Creates an {OpenSSL::Cipher} using the {DEFAULT_CIPHER_ALGORITHM}. It's best to create a new Cipher object
+      # for every new encryption call so that we don't re-use sensitive data (IV's) [citation needed].
+      # @return [OpenSSL::Cipher]
+      def self.create_default_cipher
+        OpenSSL::Cipher.new(DEFAULT_CIPHER_ALGORITHM)
+      end
+
+      protected
+
+      # Same as `Array.wrap`
+      # @see http://apidock.com/rails/Array/wrap/class
+      def wrap_array(object)
+        if object.nil?
+          []
+        elsif object.respond_to?(:to_ary)
+          object.to_ary || [object]
+        else
+          [object]
+        end
+      end
+    end
+  end
+end