scep 0.0.1

data/spec/lib/scep/pki_operation/base_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe SCEP::PKIOperation::Base do
+  let(:ca_keypair)      { generate_keypair}
+  let(:signed_keypair)  { generate_keypair(ca_keypair) }
+  let(:ra_keypair)      { generate_keypair }
+  let(:payload)         { 'Hello World!' }
+  let(:base)            { SCEP::PKIOperation::Base.new(ra_keypair) }
+
+  describe '#x509_store' do
+    it 'returns an OpenSSL::X509::Store object' do
+      expect(base.x509_store).to be_a(OpenSSL::X509::Store)
+    end
+  end
+
+  describe '#unsign_and_unencrypt_raw' do
+
+    let(:p7enc)  { OpenSSL::PKCS7.encrypt([ra_keypair.certificate], payload, SCEP::PKIOperation::Base.create_default_cipher, OpenSSL::PKCS7::BINARY) }
+    let(:p7sign) { OpenSSL::PKCS7.sign(signed_keypair.certificate, signed_keypair.private_key, p7enc.to_der, [signed_keypair.certificate], OpenSSL::PKCS7::BINARY) }
+
+    context 'without verification' do
+      it 'decrypts the paylaod without issue' do
+        decrypted = base.send(:unsign_and_unencrypt_raw, p7sign.to_der, false)
+        expect(decrypted).to eql(payload)
+      end
+    end
+
+    context 'with verification enabled' do
+
+      context 'when verification succeeds' do
+        it 'decrypts the payload' do
+          base.x509_store.add_cert signed_keypair.certificate
+          decrypted = base.send(:unsign_and_unencrypt_raw, p7sign.to_der, true)
+          expect(decrypted).to eql(payload)
+        end
+      end
+
+      context 'when verification fails' do
+        let(:unrelated_keypair) { generate_keypair }
+
+        it 'raises VerificationFailed if it is not verified against the correct certificate' do
+          base.x509_store.add_cert unrelated_keypair.certificate
+          expect {
+            base.send(:unsign_and_unencrypt_raw, p7sign.to_der, true)
+          }.to raise_error(SCEP::PKIOperation::VerificationFailed)
+        end
+
+        it 'raises VerificationFailed if no certs are added to the x509_store' do
+          expect {
+            base.send(:unsign_and_unencrypt_raw, p7sign.to_der, true)
+          }.to raise_error(SCEP::PKIOperation::VerificationFailed)
+        end
+      end
+    end
+  end
+end

data/spec/lib/scep/pki_operation/proxy_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe SCEP::PKIOperation::Proxy do
+
+  let(:endpoint)         { SCEP::Endpoint.new('https://scep.com') }
+  let(:our_ra_keypair)   { generate_keypair }
+  let(:their_ca_keypair) { generate_keypair }
+  let(:original_keypair) { generate_keypair }
+  let(:proxy)            { SCEP::PKIOperation::Proxy.new(endpoint, our_ra_keypair) }
+  let(:csr)              { OpenSSL::X509::Request.new read_fixture('self-signed.csr') }
+  let(:original_request) { SCEP::PKIOperation::Request.new(original_keypair)}
+
+  before do
+    proxy.add_response_verification_certificate(their_ca_keypair.cert)
+    proxy.add_request_verification_certificate(original_keypair.cert)
+    original_request.csr = csr
+  end
+
+  describe '#forward_pki_request' do
+    let(:signed_keypair) { generate_keypair(their_ca_keypair) }
+
+    let(:stubbed_response) do
+      response = SCEP::PKIOperation::Response.new(their_ca_keypair)
+      response.signed_certificates = signed_keypair.cert
+      response
+    end
+
+    let(:stubbed_response_der) { stubbed_response.encrypt(our_ra_keypair.cert) }
+
+    before do
+      allow(endpoint).to receive(:pki_operation).and_return(stubbed_response_der)
+
+      allow(endpoint).to receive(:ca_certificate).and_return(their_ca_keypair.cert)
+    end
+
+    it 'returns a correctly formatted response' do
+      der_original_request = original_request.encrypt(our_ra_keypair.cert)
+      result = proxy.forward_pki_request(der_original_request)
+
+      expect(result.csr.to_pem).to eql(csr.to_pem)
+      expect(result.signed_certificates.first.to_pem).to eql(signed_keypair.cert.to_pem)
+      expect(result.p7enc_response.to_der.length).to_not eql(0)
+    end
+  end
+end

data/spec/lib/scep/pki_operation/request_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe SCEP::PKIOperation::Request do
+
+  let(:ra_keypair)   { generate_keypair }
+  let(:misc_keypair) { generate_keypair}
+  let(:csr)     { OpenSSL::X509::Request.new read_fixture('self-signed.csr') }
+  let(:payload) { csr.to_der }
+  let(:p7enc)   { OpenSSL::PKCS7.encrypt([ra_keypair.certificate], payload, SCEP::PKIOperation::Base.create_default_cipher, OpenSSL::PKCS7::BINARY) }
+  let(:p7sign)  { OpenSSL::PKCS7.sign(misc_keypair.certificate, misc_keypair.private_key, p7enc.to_der, [misc_keypair.certificate], OpenSSL::PKCS7::BINARY) }
+
+  subject { SCEP::PKIOperation::Request.new(ra_keypair) }
+
+  before do
+    subject.x509_store.add_cert(misc_keypair.certificate)
+  end
+
+  describe '#decrypt' do
+    it 'decrypts the csr in its original format' do
+      subject.decrypt(p7sign.to_der)
+      expect(subject.csr.to_pem).to eql(csr.to_pem)
+    end
+  end
+
+  describe '#encrypt' do
+    it 'encrypts and signs the CSR' do
+      subject.csr = csr
+      encrypted = subject.encrypt(misc_keypair.certificate)
+
+      # Might as well use our already tested decryption method above
+      request = SCEP::PKIOperation::Request.new(misc_keypair)
+      request.add_verification_certificate(ra_keypair.certificate)
+      request.decrypt(encrypted)
+      expect(request.csr.to_pem).to eql(csr.to_pem)
+    end
+  end
+
+  describe '#proxy' do
+    let(:final_keypair) { generate_keypair }
+
+    it 'decrypts the csr and then re-encrypts it for another target cert' do
+      subject.verify_against(ra_keypair.certificate)
+      encrypted = subject.proxy(p7sign.to_der, final_keypair.certificate)
+      expect(subject.csr.to_pem).to eql(csr.to_pem)
+
+      # Now make sure our new keypair can access & decrypt it
+      request = SCEP::PKIOperation::Request.new(final_keypair)
+      request.verify_against(ra_keypair.certificate)
+      request.decrypt(encrypted)
+      expect(request.csr.to_pem).to eql(csr.to_pem)
+      # As you can imagine, we should be able to do *n* number of proxies
+    end
+  end
+
+end

data/spec/lib/scep/pki_operation/response_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+describe SCEP::PKIOperation::Response do
+
+  let(:ra_keypair)    { generate_keypair }
+  let(:our_keypair)   { generate_keypair}
+  let(:response_cert) { generate_keypair.cert }
+
+  let(:payload) { SCEP::PKCS7CertOnly.new([response_cert]).to_der }
+  let(:p7enc)   { OpenSSL::PKCS7.encrypt([our_keypair.certificate], payload, SCEP::PKIOperation::Base.create_default_cipher, OpenSSL::PKCS7::BINARY) }
+  let(:p7sign)  { OpenSSL::PKCS7.sign(ra_keypair.certificate, ra_keypair.private_key, p7enc.to_der, [ra_keypair.certificate], OpenSSL::PKCS7::BINARY) }
+
+
+  describe '#decrypt' do
+    it 'assigns #signed_certificates correctly' do
+      response = SCEP::PKIOperation::Response.new(our_keypair)
+      response.verify_against ra_keypair.certificate
+      response.decrypt(p7sign.to_der)
+      expect(response.signed_certificates.first.to_pem).to eql(response_cert.to_pem)
+    end
+  end
+
+  describe '#encrypt' do
+    it 'successfully encrypts a PKCS7 payload' do
+      first_response = SCEP::PKIOperation::Response.new(ra_keypair)
+      first_response.signed_certificates = [response_cert]
+      encrypted = first_response.encrypt(our_keypair.certificate)
+
+      final_response = SCEP::PKIOperation::Response.new(our_keypair)
+      final_response.verify_against ra_keypair.cert
+      final_response.decrypt(encrypted)
+      expect(final_response.signed_certificates.first.to_pem).to eql(response_cert.to_pem)
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,61 @@
+require 'rubygems'
+require 'bundler'
+
+Bundler.require :default
+
+require 'webmock/rspec'
+
+def read_fixture(path)
+  File.open(fixture_path path).read
+end
+
+def fixture_path(path)
+  "spec/fixtures/#{path}"
+end
+
+
+def next_serial
+  @serial ||= 0
+  @serial += 1
+  @serial
+end
+
+# Helper to generate a self-signed certificate
+# @param [SCEP::Keypair] signer
+# @return [SCEP::Keypair]
+# @see http://stackoverflow.com/questions/2381394/ruby-generate-self-signed-certificate
+def generate_keypair(signer = nil, serial = nil)
+  serial ||= next_serial
+
+  private_key = OpenSSL::PKey::RSA.new(1024)
+  subject = '/C=BE/O=Test/OU=Test/CN=Test'
+
+  signer_private_key = signer ? signer.private_key : private_key
+  signer_name        = signer ? signer.certificate.subject : OpenSSL::X509::Name.parse(subject)
+
+  cert = OpenSSL::X509::Certificate.new
+  cert.subject    = OpenSSL::X509::Name.parse(subject)
+  cert.issuer     = signer_name
+  cert.not_before = Time.now
+  cert.not_after  = Time.now + 365 * 24 * 360
+  cert.public_key = private_key.public_key
+  cert.serial     = serial
+  cert.version    = 3
+
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = cert
+  ef.issuer_certificate  = cert
+  cert.extensions = [
+    ef.create_extension('basicConstraints', 'CA:TRUE', true),
+    ef.create_extension('subjectKeyIdentifier', 'hash')
+  ]
+  cert.add_extension ef.create_extension(
+    'authorityKeyIdentifier',
+    'keyid:alyways,issuer:always')
+
+
+  cert.sign signer_private_key, OpenSSL::Digest::SHA1.new
+
+
+  return SCEP::Keypair.new(cert, private_key)
+end

metadata

@@ -0,0 +1,171 @@
+--- !ruby/object:Gem::Specification
+name: scep
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Christopher Thornton
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Makes development of SCEP services easier
+email:
+- christopher.thornton@onelogin.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- lib/scep.rb
+- lib/scep/endpoint.rb
+- lib/scep/keypair.rb
+- lib/scep/pkcs7_cert_only.rb
+- lib/scep/pki_operation.rb
+- lib/scep/pki_operation/base.rb
+- lib/scep/pki_operation/proxy.rb
+- lib/scep/pki_operation/request.rb
+- lib/scep/pki_operation/response.rb
+- lib/scep/version.rb
+- scep.gemspec
+- spec/console
+- spec/fixtures/self-signed.crt
+- spec/fixtures/self-signed.csr
+- spec/fixtures/self-signed.key
+- spec/lib/scep/endpoint_spec.rb
+- spec/lib/scep/keypair_spec.rb
+- spec/lib/scep/pkcs7_cert_only_spec.rb
+- spec/lib/scep/pki_operation/base_spec.rb
+- spec/lib/scep/pki_operation/proxy_spec.rb
+- spec/lib/scep/pki_operation/request_spec.rb
+- spec/lib/scep/pki_operation/response_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/onelogin/scep-gem
+licenses:
+- Proprietary
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: SCEP libraries
+test_files:
+- spec/console
+- spec/fixtures/self-signed.crt
+- spec/fixtures/self-signed.csr
+- spec/fixtures/self-signed.key
+- spec/lib/scep/endpoint_spec.rb
+- spec/lib/scep/keypair_spec.rb
+- spec/lib/scep/pkcs7_cert_only_spec.rb
+- spec/lib/scep/pki_operation/base_spec.rb
+- spec/lib/scep/pki_operation/proxy_spec.rb
+- spec/lib/scep/pki_operation/request_spec.rb
+- spec/lib/scep/pki_operation/response_spec.rb
+- spec/spec_helper.rb
+has_rdoc: