scep 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ceb79fd8756349928c7653f5c59191e3cc8cbfe7
-  data.tar.gz: 9f322dce3a3d7a45f7ae7c220d67b2908dc57380
+  metadata.gz: ad5f9fb037bd11d20202a13cccea4df7fae8bfc5
+  data.tar.gz: 3a65c1f2080b37093293cf42794127b9eeefac73
 SHA512:
-  metadata.gz: 26c7b9378ffd100b39788cd61973e568b4413887bb6dac749ff68bb5d29419fb34028eade582235cd29970f9f27cdeeb39d73eb542ba011a0bddf4c5dc2f44fc
-  data.tar.gz: c864e7169c4ab8403d706b294cd48bfc535d010807d5e793b7347bd5463659095ea702db69cef2be1c2956afab5400c4e435b4d3a5d0809c220a972018b87d43
+  metadata.gz: 0180abbc2c0b712c577c2cdd3542448666ebaf03db74bcceef19ebd3f7079592f66bf24945da2940faf33fd3db10f58252279043c080b4ffdc21d48fd2d60a80
+  data.tar.gz: 5cb798cd5f3267efd6d9ad78c33cbac8b30cb6ff0d03ea201787fcd12ea863dda74b36c1a84b3fb322b65b9e2b4a735f1ba8d03a81b48349fa8a06327e503dd0

data/.gitignore

@@ -13,3 +13,4 @@
 *.a
 mkmf.log
 .idea
+.DS_Store

data/.travis.yml

@@ -1,6 +1,10 @@
 language: ruby
 cache: bundler
+addons:
+  code_climate:
+    repo_token: 3feb9a3ab131bce3ab5393ca281d31ad367d7b87feaaa02dd60ec5e7f3c57d6d
 rvm:
   - 1.8.7
+  - 1.9.3
   - 2.2.1
-script: bundle exec rspec
+script: bundle exec rspec spec/lib

data/.yardopts

@@ -0,0 +1,3 @@
+--markup markdown
+--protected
+--private

data/README.md

@@ -1,5 +1,7 @@
 SCEP Gem
 ========
+[![Build Status](https://travis-ci.org/onelogin/scep-gem.svg?branch=master)](https://travis-ci.org/onelogin/scep-gem) [![Code Climate](https://codeclimate.com/github/onelogin/scep-gem/badges/gpa.svg)](https://codeclimate.com/github/onelogin/scep-gem)  [![Test Coverage](https://codeclimate.com/github/onelogin/scep-gem/badges/coverage.svg)](https://codeclimate.com/github/onelogin/scep-gem/coverage)
+
 Libraries that allow you to be a SCEP server, be a SCEP proxy, etc.
 
 If you believe you have discovered a security vulnerability in this gem, please email security@onelogin.com with a description. You can also use the form based submission located here: https://www.onelogin.com/security. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
@@ -23,7 +25,7 @@ When we want to forward a CSR to a RA. We may or may not be an RA ourselves.
 First,collect some certificates:
 
 ```ruby
-their_ra_cert = OpenSSL::X509::Certificate.new File.read(their-ra.crt')
+their_ra_cert = OpenSSL::X509::Certificate.new File.read('their-ra.crt')
 our_keypair   = SCEP::Keypair.read 'our.crt', 'our.key'
 csr           = OpenSSL::X509::Request.new File.read('some.csr')
 ```
@@ -142,3 +144,19 @@ post '/scep?operation=PKIOperation' do
   render results.p7enc_response.to_der
 end
 ```
+
+### EJBCA Support
+EJBCA supports the SCEP specification rigorously. This requires tampering with the ASN1 format of PKCS#7. To
+solve this, use the following code for SCEP requests:
+
+```ruby
+request = SCEP::PKIOperation::Request.new(@keypair)
+request.tamper_scep_message_type = true
+# send request
+```
+
+EJBCA should accept this message. However, this MAY break verifications for other SCEP endpoints. Until this issue
+is fixed, it is suggested you avoid using this unless you absolutely have to.
+
+## License
+This gem is released under the [MIT License](http://opensource.org/licenses/MIT)

data/lib/scep.rb

@@ -1,5 +1,6 @@
 require 'logger'
 require 'openssl'
+require 'openssl-extensions/all'
 
 require 'scep/version'
 
@@ -8,10 +9,7 @@ module SCEP
   autoload :PKIOperation,   'scep/pki_operation'
   autoload :PKCS7CertOnly,  'scep/pkcs7_cert_only'
   autoload :Keypair,        'scep/keypair'
-
-  # Allows backwards-compatibility between ruby 1.8.7 and newer versions
-  # @return [OpenSSL::PKCS7]
-  PKCS7 = defined?(OpenSSL::PKCS7::PKCS7) ? OpenSSL::PKCS7::PKCS7 : OpenSSL::PKCS7
+  autoload :ASN1,           'scep/asn1'
 
   class << self
 

data/lib/scep/asn1.rb

@@ -0,0 +1,38 @@
+# Add OpenSSL ASN1 objects here as needed
+
+OpenSSL::ASN1::ObjectId.register('2.16.840.1.113733.1.9.2', 'messageType', 'scep-messageType')
+
+
+module SCEP
+
+  # Re-usable ASN1 compnents for some of the finer points of SCEP
+  module ASN1
+
+    MESSAGE_TYPE_PKCS_REQ = 19
+
+    # Pre-made ASN1 value that identifies what type of message this is
+    def self.message_type(type = MESSAGE_TYPE_PKCS_REQ)
+      OpenSSL::ASN1::Sequence.new([
+        OpenSSL::ASN1::ObjectId.new('scep-messageType'),
+        OpenSSL::ASN1::Set.new([
+          OpenSSL::ASN1::PrintableString.new(type.to_s)
+        ])
+      ])
+    end
+
+    def self.pkcs7_signature_hash(hash, algorithm_name)
+      OpenSSL::ASN1::Sequence.new([
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ObjectId.new(algorithm_name),
+          OpenSSL::ASN1::Null.new(nil)
+        ]),
+        OpenSSL::ASN1::OctetString.new(hash)
+      ])
+    end
+
+    def self.calculate_and_generate_pkcs7_signature_hash(data, algorithm)
+      hash = OpenSSL::Digest.digest(algorithm, data)
+      pkcs7_signature_hash(hash, algorithm)
+    end
+  end
+end

data/lib/scep/endpoint.rb

@@ -114,6 +114,8 @@ module SCEP
       end
 
       if response.code != 200
+        logger.debug "Response body:"
+        logger.debug response.body
         raise ProtocolError, "SCEP request returned non-200 code of #{response.code}"
       end
 

data/lib/scep/jscep_cli.rb

@@ -0,0 +1,26 @@
+module SCEP
+  class JSCEPCli
+    include SCEP::Loggable
+    autoload :Request, 'scep/jscep_cli/request'
+
+    BUNDLED_JSCEP_CLI_JAR_PATH = File.join(File.dirname(__FILE__), '..', '..', 'bin', 'jscepcli-1.0.jar')
+
+    attr_accessor :jarfile
+
+    attr_accessor :java_executable
+
+    def initialize(java_executable = 'java', jarfile = BUNDLED_JSCEP_CLI_JAR_PATH)
+      @jarfile = jarfile
+      @java_executable = java_executable
+    end
+
+    # @param request [SCEP::JSCEPCli::Request] the request to forward
+    def forward(request)
+      logger.info "Making JSCEP CLI request to #{request.url}"
+      cmd = "#{java_executable} -jar #{jarfile} #{request.to_cli_arguments}"
+      logger.debug "Executing command: #{cmd}"
+      system cmd
+    end
+
+  end
+end

data/lib/scep/keypair.rb

@@ -22,6 +22,10 @@ module SCEP
       raise ArgumentError, '`certificate` must be an OpenSSL::X509::Certificate' unless
         certificate.is_a?(OpenSSL::X509::Certificate)
 
+      unless certificate.check_private_key(private_key)
+        raise ArgumentError, '`private_key` does not match `certificate`'
+      end
+
       @certificate = certificate
       @private_key = private_key
     end

data/lib/scep/pki_operation/base.rb

@@ -7,6 +7,8 @@ module SCEP
     # * {#ra_private_key RA Private Key}
     #
     class Base
+      include SCEP::Loggable
+
       DEFAULT_CIPHER_ALGORITHM = 'aes-256-cbc'
 
       # Our keypair
@@ -71,6 +73,7 @@ module SCEP
 
         # Decrypt
         @p7enc   = OpenSSL::PKCS7.new(@p7sign.data)
+        check_if_recipient_matches_ra_certificate_name(@p7enc)
         @p7enc.decrypt(ra_keypair.private_key, ra_keypair.certificate, OpenSSL::PKCS7::BINARY)
       end
 
@@ -105,6 +108,28 @@ module SCEP
 
       protected
 
+      def check_if_recipient_matches_ra_certificate_name(p7enc)
+        if p7enc.recipients.nil? || p7enc.recipients.empty?
+          logger.warn 'SCEP request does not have any recipient info - ' \
+            'cannot determine if SCEP request is intended for us'
+          return false
+        end
+
+        matched = false
+        names = p7enc.recipients.map(&:issuer).each do |name|
+          if name.cmp(ra_keypair.certificate.subject) == 0
+            matched = true
+            break
+          end
+        end
+
+        unless matched
+          logger.warn 'SCEP request does not appear to be addressed to us! ' \
+            "RA Cert: #{ra_keypair.certificate.subject.to_s}, Recipients: [#{names.map(&:to_s).join(', ')}]"
+        end
+        matched
+      end
+
       # Same as `Array.wrap`
       # @see http://apidock.com/rails/Array/wrap/class
       def wrap_array(object)

data/lib/scep/pki_operation/request.rb

@@ -4,6 +4,9 @@ module SCEP
 
     # Handles decoding or creation of a scep CSR request.
     #
+    # ## EJBCA Support
+    # This requires tampering of the SCEP request. Please see {#tamper_scep_message_type}
+    #
     # @example Get Certificates Ready
     #   ra_cert = SCEP::DEFAULT_RA_CERTIFICATE
     #   ra_key  = SCEP::DEFAULT_RA_PRIVATE_KEY
@@ -37,6 +40,64 @@ module SCEP
       # @return [OpenSSL::X509::Request]
       attr_accessor :csr
 
+      # Whether we should tamper with the SCEP message type. This is **required** to work with some SCEP
+      # implementations, but this may cause verification to fail. Only affects encryption.
+      # @example Without Tampering
+      #   request = SCEP::PKIOperation::Request.new(keypair)
+      #   encrypted = request.encrypt(another_keypair)
+      #
+      #   # Here, `encrypted` will not be accepted by EJBCA, but ruby will parse it just fine
+      #   p7sign = OpenSSL::PKCS7.new(encrypted)
+      #   verified = p7sign.verify([keypair.certificate], nil, nil)
+      #   p verified # => true
+      #
+      # @example With Tampering
+      #   request = SCEP::PKIOperation::Request.new(keypair)
+      #   request.tamper_scep_message_type = true
+      #   encrypted = request.encrypt(another_keypair)
+      #
+      #   # Here, `encrypted` will be accepted by EJBCA, but rejected by ruby
+      #   p7sign = OpenSSL::PKCS7.new(encrypted)
+      #   verified = p7sign.verify([keypair.certificate], nil, nil)
+      #   p verified # => false
+      #
+      # @todo Need to figure out how to re-calculate the SCEP extended attributes signature, which will make
+      #   this obsolete!
+      # @return [Boolean] whether to tamper with the SCEP message type
+      attr_accessor :tamper_scep_message_type
+      alias_method :tamper_scep_message_type?, :tamper_scep_message_type
+
+      def initialize(ra_keypair)
+        super
+        @tamper_scep_message_type = false
+      end
+
+      # @return [Boolean] TRUE if the request has a challenge password, FALSE otherwise
+      def challenge_password?
+        csr && csr.challenge_password?
+      end
+
+      # Get the challenge password from the request, if any
+      # @return [String,nil] a STRING representation of the challenge password, NIL if there is
+      #   no challenge password
+      def challenge_password
+        return nil unless challenge_password?
+        csr_challenge_password.value.value.first.value
+      end
+
+      # @todo: add code to set the challenge password
+      # def challenge_password=(password)
+      #   return false if csr.blank?
+      #   attribute = csr_challenge_password
+      #   if attribute.blank?
+      #     attribute = generate_challenge_password(password)
+      #     csr.add_attribute(attribute)
+      #   else
+      #     binding.pry
+      #     attribute.value.value.first.value = password
+      #   end
+      # end
+
       # Decrypts a signed and encrypted csr. Sets {#csr} to the decrypted value
       # @param [String] signed_and_encrypted_csr the raw and encrypted
       # @param [Boolean] verify if TRUE, verifies against {#x509_store}. If FALSE, skips verification
@@ -54,7 +115,12 @@ module SCEP
       def encrypt(target_encryption_certs)
         raise ArgumentError, '#csr must be an OpenSSL::X509::Request' unless
           csr.is_a?(OpenSSL::X509::Request)
-        sign_and_encrypt_raw(csr.to_der, target_encryption_certs)
+        p7enc = sign_and_encrypt_raw(csr.to_der, target_encryption_certs)
+        if tamper_scep_message_type?
+          logger.info 'Tampering SCEP message type - request may be rejected by RA'
+          p7enc = add_scep_message_type(p7enc)
+        end
+        p7enc
       end
 
       # Decrypts a signed and encrypted payload and then re-encrypts it. {#csr} will contain the CSR object
@@ -65,6 +131,61 @@ module SCEP
         decrypt(signed_and_encrypted_csr, verify)
         encrypt(target_encryption_certs)
       end
+
+      protected
+
+      # Gets the challenge password from the CSR
+      def csr_challenge_password
+        csr.send(:read_attributes_by_oid, 'challengePassword')
+      end
+
+      # Adds a required message type to the PKCS7 request. I can't believe I'm doing this...
+      #
+      # Take a look at https://tools.ietf.org/html/draft-nourse-scep-11. Here, we're adding the
+      # signerInfo/messageType of "PKCSReq" inside of the "Signed PKCSReq."
+      #
+      # @param [OpenSSL::PKCS7] pkcs7 a pkcs7 message
+      # @return [OpenSSL::PKCS7] a new pkcs7 message with the proper scep message type
+      # @note Don't tamper with the signer info once you've used this method!
+      def add_scep_message_type(pkcs7)
+        asn1 = OpenSSL::ASN1.decode(pkcs7.to_der)
+        pkcs_cert_resp_signed = asn1.value[1].value[0]
+        signer_info = pkcs_cert_resp_signed.value[4].value[0]
+        authenticated_attributes = signer_info.value[3]
+        authenticated_attributes.value << SCEP::ASN1.message_type(SCEP::ASN1::MESSAGE_TYPE_PKCS_REQ)
+        # todo: broken?? --
+        # recalculate_authenticated_attributes_digest(signer_info)
+        return OpenSSL::PKCS7.new(asn1.to_der)
+      end
+
+      # todo: this currently does not work! Kept here for future purposes
+      def recalculate_authenticated_attributes_digest(signer_info)
+        digest_algorithm = signer_info.value[2].value[0].sn # => "SHA256"
+
+        # This is where this is not working - we need to hash the "authenticatedAttributes",
+        # but this does not appear to be hashing the correct thing!
+        authenticated_attributes = signer_info.value[3]
+
+        new_digest = SCEP::ASN1.calculate_and_generate_pkcs7_signature_hash(
+          authenticated_attributes.to_der,
+          digest_algorithm)
+
+        encrypted_digest = ra_keypair.private_key.private_encrypt(new_digest.to_der)
+        signer_info.value.last.value = encrypted_digest
+      end
+
+      # Takes a password and generates an attribute
+      # @param password [String] what the challenge password should be
+      # @return [OpenSSL::X509::Attribute]
+      # @todo: This does not currently work!
+      # def self.generate_challenge_password(password)
+      #   attribute = OpenSSL::X509::Attribute.new('challengePassword')
+      #   attribute.value = OpenSSL::ASN1::Set.new([
+      #     OpenSSL::ASN1::PrintableString.new(password.to_s)
+      #   ])
+      #   attribute
+      # end
+
     end
   end
 end

data/lib/scep/version.rb

@@ -1,3 +1,3 @@
 module SCEP
-  VERSION = '0.0.1'
+  VERSION = '0.0.2'
 end

data/scep.gemspec

@@ -11,17 +11,20 @@ Gem::Specification.new do |spec|
   spec.summary       = %q{SCEP libraries}
   spec.description   = %q{Makes development of SCEP services easier}
   spec.homepage      = 'https://github.com/onelogin/scep-gem'
-  spec.license       = 'Proprietary'
+  spec.license       = 'MIT'
 
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'openssl-extensions'
+
   if RUBY_VERSION < '1.9'
     spec.add_dependency 'httparty', '<= 0.11'
   else
     spec.add_dependency 'httparty'
+    spec.add_development_dependency 'codeclimate-test-reporter'
   end
 
   spec.add_development_dependency 'bundler', '~> 1.7'

data/spec/console

@@ -1,7 +1,9 @@
 #!/usr/bin/env ruby
+require 'rubygems'
 require 'bundler'
 Bundler.require :default
 require 'scep'
 require 'pry'
+require './spec/spec_helper'
 
 pry

data/spec/fixtures/ejbca/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIIDUmm3traB2EwDQYJKoZIhvcNAQELBQAwOzEVMBMGA1UE
+AwwMTWFuYWdlbWVudENBMRUwEwYDVQQKDAxFSkJDQSBTYW1wbGUxCzAJBgNVBAYT
+AlNFMB4XDTE0MTAyMDIxMjYyMFoXDTE2MTAxOTIxMjYyMFowFTETMBEGA1UEAwwK
+U3VwZXJBZG1pbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIW5crVk
+NX759XMuPJKda3DbhP3/3uPHBwN05GHN1qw4/BvUoZthDW53/0Myskv1MY0lAUHs
+UCLdLUQBEzsX/wLfRNDAfmcnNbRvzm5LccZrrWrEgvvQD0lGeQazX75V5QM+fkUh
+rty9W7QVFEM5pQ773JD0uuo+JcO0TEqfIMg4YguZlF+FmUOc/j7Himm89Fo4HFtA
+ROBhZf2L+vroktl7/RK4AoFPdtTCszhQJnBy1x1WyWkmV9tt7lNS5XJrRCOdZ5aM
+JNN0A+/ySjGd3ASu2l0H8dIMkcjmHSgSPs8DQpq3xg75wIqDp3PZX4T+KBpBVl4Q
+lb2m8josfw5rdGUCAwEAAaN/MH0wHQYDVR0OBBYEFHBewXga2nNj/pGhkjNDC4sN
+AlerMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUPW27M+6uIGgi3cf1zgBipX/F
+I8swDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+BDANBgkqhkiG9w0BAQsFAAOCAQEAeb/8j8/rAMRO6I7XM3rX3wq5ZBBQIWi9Sy6/
+fJhQo+T7MXpgnN5bx5BS9ebeC3kvPDhfSF+bCr+MT/mvnkh4/aybuJweZtP4GZiU
+0GC2gIu6syccdF0TTMawjbX7s7Q3i/7ysKH6D2V1fSJC9Td6cIdKSNytDPdZlCLZ
+xbPQQYC0tj7AQ8Nj+kx3VI3bWEoD8C2AyecoKfANvRU7oiWGUT/j5UvnzU6dpVbE
+DwcZMHnmDGWAh1WpVOGjSrzg1nEiYvPwDfdPBYfF9HLkCOXMvZEOTdDuEHdSvYSq
+MXoCf9aY0dc8wbZbYUP5bdWR/1qb81rQfPoaZ5/4MSdh3GXyvg==
+-----END CERTIFICATE-----

data/spec/fixtures/ejbca/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAhblytWQ1fvn1cy48kp1rcNuE/f/e48cHA3TkYc3WrDj8G9Sh
+m2ENbnf/QzKyS/UxjSUBQexQIt0tRAETOxf/At9E0MB+Zyc1tG/ObktxxmutasSC
++9APSUZ5BrNfvlXlAz5+RSGu3L1btBUUQzmlDvvckPS66j4lw7RMSp8gyDhiC5mU
+X4WZQ5z+PseKabz0WjgcW0BE4GFl/Yv6+uiS2Xv9ErgCgU921MKzOFAmcHLXHVbJ
+aSZX223uU1LlcmtEI51nlowk03QD7/JKMZ3cBK7aXQfx0gyRyOYdKBI+zwNCmrfG
+DvnAioOnc9lfhP4oGkFWXhCVvabyOix/Dmt0ZQIDAQABAoIBACRp6ViHnyGigzoI
+Hyp1f2pN/JsF7/XqnnhMflw7pvdi1RPnBNLAzN2GA5aS2YZhkEq1BvCinve/brIT
+8N6onCJ2FdEaedExFii6QWY7WRIFBEYMmPZlI6R6cj5m3e2Aikol3FCK6Yjmb3BM
+RSZBLjc0Uk2Ots9OeQ4frJ6tUkny23W3GO8H7X4jqRtRiPgm+CkSMB7YbnL0P/8u
+4dv5+qzVi73nXL4pN+L0O/3N52pnxoFEbqzLvzvALKQNz6ISxOCGHbHRnjcoiRCA
+aoaq+MWBa3JJcYEM1inntIBwyILaf5Vf2LhyyVBoHpDtKx7PdH2BHLSX4FsAH1kP
+HzqKfokCgYEAyMNZQBkE2nyj7hh1auIWTtTZJl2qr3o+9+ZaxWIJ0GdkP5ndpRSJ
+N3IaJcDcCbX1trTNlwVvaDSFRRTY7WERdXp994xqbHFTSIrXkKUEopZmB8Q5atHo
+Kf6De6GCwic3mEkkvNdjeyJTQRmOt2R5CgioNfgUV0GibXjuZt9/rM8CgYEAqoRD
+N7LLgOu8n9COtkzAYH4UJjQWU0cNpRjmqHWOIa86TZ44WAJkjsvrgFN6WV/edVgc
+opP+X6LJNhuyotTskjidjio3hiozUeMlhrH1wd+FUOThLcSTu8ixx9MWM3kEPEtx
+YaKbfv/LbRRvfnDfRWrjB1s34HR+eW8gFKjFYIsCgYEAu1FpiODPInyBB7pSc/OX
+FN6L7bwfcbMB5ZNMxjX/KjAN3TnXEBvlG5KeyvLzWywnot13pZ0woW2/mwEklfen
+rpEnzz14Xs4uAtVo5FDTzk+9yylO2VgY4nXSgBvmQPkOakx0tq3Q6CbSvz71Zi+c
+r7v8Fr7tW6ylvLbE2b9XBQkCgYEAgoLDM/FsY1uLPsMRSCTMpc46O9doMwtSPUgm
+209Gny+QL3Jna61BLC6WLN036wo+qY/sMt+VNbvRx9FBU/Ims/ATX4mef9jy+L0j
+rsms8VvUnUrhsvcfn/4HXIuLFZCNllykBnfADl9YYz/d6mgX6/jYlXvS88AWQXm1
+kzpt/+sCgYEAtcZXruPcTc+IYvTIhn7hEL+/Osw+ZFRlSOTAnkGtgWl+fbI/EI7H
+NtgvbZWFS+x5HeMFFlv7W/jTZW67HDlg4d+q7A4EoiS3rWJwAeYS2MKUn6B2vPEd
+SolJW17YVSB0l4iAHUf6Ew32/rr/VeX48gKvS+CiuQNB7Tp5SnnKuBw=
+-----END RSA PRIVATE KEY-----