cchandler / certificate_authority Goto Github PK

View Code? Open in Web Editor NEW

193.0 193.0 46.0 255 KB

Ruby gem for managing the core functions outlined in RFC-3280 for PKI

Home Page: https://github.com/cchandler/certificate_authority

Ruby 100.00%

certificate_authority's People

Contributors

Stargazers

Watchers

certificate_authority's Issues

Ability to configure the signing algorithm

Hi,

Is there way to configure the certificate signing algorithms's when creating certificates?

Best Regards,

Carl

Failing specs

With a fresh_clone of certificate_authority, I run the specs and get:

OpenSSL::Engine::EngineError in 'CertificateAuthority::MemoryKeyMaterial in hardware should return a Pkey ref if the private key is requested'
dso not found
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in ctrl_cmd' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:ininitialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in by_id' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:ininitialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:32:in `private_key'
/private/tmp/certificate_authority/spec/units/key_material_spec.rb:59:

OpenSSL::Engine::EngineError in 'CertificateAuthority::MemoryKeyMaterial in hardware should return a Pkey ref if the private key is requested'
dso not found
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in ctrl_cmd' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:ininitialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in by_id' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:ininitialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:37:in `public_key'
/private/tmp/certificate_authority/spec/units/key_material_spec.rb:63:

Ability to convert a PEM to a SSH key pair and use with PKCS#11

It'd be helpful if I could use this gem to create a certificat authority, convert it to a SSH key pair and then use that key pair with PKCS#11 for additional security when SSH'ing into another server.

"CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported" fails with OpenSSL 3.0

The print format for X509v3 authority key identifier was changed in openssl, and in openssl >= 3.0 the keyid: prefix is no longer included in most cases. See openssl/openssl@86afd00 and openssl/openssl#6226 for context.

This appears to cause a test failure when running against openssl 3.0:

Failures:

  1) CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported
     Failure/Error: expect(@cert_with_extensions.extensions["authorityKeyIdentifier"]).to eq(expected_authorityKeyIdentifier)

       expected: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018 @critical=false, @identifier="keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
            got: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828 @critical=false, @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">

       (compared using ==)

       Diff:

       @@ -1,5 +1,4 @@
       -#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018
       +#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828
         @critical=false,
       - @identifier=
       -  "keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
       + @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
     # ./spec/units/certificate_spec.rb:427:in `block (3 levels) in <top (required)>'

Finished in 1.22 seconds (files took 0.44575 seconds to load)
189 examples, 1 failure, 1 pending

Failed examples:

rspec ./spec/units/certificate_spec.rb:403 # CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported

This is from an Ubuntu package build, and the full log can be found here: https://launchpadlibrarian.net/609963185/buildlog_ubuntu-kinetic-amd64.ruby-certificate-authority_1.0.0-1_BUILDING.txt.gz.

Signing certs with loaded pem files

I am doing something like this:
signing_key = OpenSSL::X509::Certificate.new File.read "intermediate.pem"
plain_cert = CertificateAuthority::Certificate.new
plain_cert.subject.common_name = "mydomain.com"
plain_cert.serial_number.number = 4
plain_cert.key_material.generate_key
plain_cert.parent = signing_key
plain_cert.sign!

just to test the loading and pems to sign client certs. and i get the following error:

gems/certificate_authority-0.1.6/lib/certificate_authority/certificate.rb:58:in sign!': undefined methoddistinguished_name' for #OpenSSL::X509::Certificate:0x00000001801438 (NoMethodError)

Am I missing something?

The root and intermediate were built using the example code and saved to disk using to_pem

Registration Authority and Validation Authority

You mentioned Registration Authority and Validation Authority. Does this package have these functionality? If not, could you please recommend gems for them? Thank you.

Can't require in jruby

I'm currently developing against the master branch, as it's the only that runs in ruby 2.3 and greater without warnings.

I've encountered this problem when running the ssl tests against the latest jruby, when I require this gem:

jruby/jruby-openssl#24

This has been recently fixed, but not yet released (check the discrepancy between report date and fix date):

jruby/jruby-openssl#124

I'd like to argue for autoloading the handlers in this gem, instead of requiring them. It will have the following advantages:

better on-boot memory utilization
only require what you use
don't break if openssl side-feature isn't implemented by the distribution.

The last one is obviously the important :) As long as the components are thread-safe, autoloading shouldn't be an issue.

What do you think?

constant OpenSSL::Digest::Digest is deprecated

A deprecated warning appears in example code from README:

/Users/ztz/.rvm/gems/ruby-2.6.5/gems/certificate_authority-0.1.6/lib/certificate_authority/certificate.rb:94: warning: constant OpenSSL::Digest::Digest is deprecated

Code:

require 'certificate_authority'
root = CertificateAuthority::Certificate.new
root.subject.common_name= "http://mydomain.com"
root.serial_number.number=1
root.key_material.generate_key
root.signing_entity = true
signing_profile = {"extensions" => {"keyUsage" => {"usage" => ["critical", "keyCertSign"] }} }
root.sign!(signing_profile)

Ruby version:

ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-darwin19]

Plans to release?

Are you planning to release 0.2.0? There are few methods I find useful :)

Readme formatting screwed up!

Fix it!

distinguished_name stuff

On distinguished_name you have:

name = OpenSSL::X509::Name.new
name.add_entry("CN", common_name)
name.add_entry("O", organization) unless organization.blank?
name.add_entry("OU", common_name) unless organizational_unit.blank?
name.add_entry("S", common_name) unless state.blank?
name.add_entry("L", common_name) unless locality.blank?

The common_name variable on OU, S and L, seems to be misplaced. It should be organizational_unit, state and locality (respectively)
I had an error while trying to add a state to the certificate. I changed "S" to "ST", as it is stated on several online resources. It worked
Finally, it seems that country was forgotten.

My code is currently working like this:

name = OpenSSL::X509::Name.new
name.add_entry("CN", common_name)
name.add_entry("O", organization) unless organization.blank?
name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
name.add_entry("ST", state) unless state.blank?
name.add_entry("L", locality) unless locality.blank?
name.add_entry("C", country) unless country.blank?

Doesn't work against openssl 3.0.0

Hi,

I'm updating certificate_authority to 1.0.0 in Debian, where we are now at ruby 3.0 and openssl 3.0.0, and the tests fail for me there:

$ gem list openssl

*** LOCAL GEMS ***

openssl (default: 3.0.0)
$ rake
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11
[Coveralls] Set up the SimpleCov formatter.
[Coveralls] Using SimpleCov's default settings.
Run options: exclude {:pkcs11=>true}
.......................................FFFFFFFFFFFFF*FFFF....................................................................................................................................

Pending: (Failures listed here are expected and do not affect your suite's status)

  1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should contain a nested userNotice if specified
     # No reason given
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

Failures:

  1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  2) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  3) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  4) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  5) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  6) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  7) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  8) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  9) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
     Failure/Error: config[k] = hash[k]
     
     NoMethodError:
       undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
     # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
     # ./lib/certificate_authority/certificate.rb:228:in `each'
     # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
     # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
     # ./lib/certificate_authority/certificate.rb:93:in `each'
     # ./lib/certificate_authority/certificate.rb:93:in `sign!'
     # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  10) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  11) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  12) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  13) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  14) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'

  15) CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:353:in `block (3 levels) in <top (required)>'

  16) CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:357:in `block (3 levels) in <top (required)>'

  17) CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm
      Failure/Error: config[k] = hash[k]
      
      NoMethodError:
        undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
      # ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
      # ./lib/certificate_authority/certificate.rb:228:in `each'
      # ./lib/certificate_authority/certificate.rb:228:in `merge_options'
      # ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
      # ./lib/certificate_authority/certificate.rb:93:in `each'
      # ./lib/certificate_authority/certificate.rb:93:in `sign!'
      # ./spec/units/certificate_spec.rb:364:in `block (3 levels) in <top (required)>'

Finished in 1 second (files took 0.38893 seconds to load)
189 examples, 17 failures, 1 pending

Failed examples:

rspec ./spec/units/certificate_spec.rb:293 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
rspec ./spec/units/certificate_spec.rb:298 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
rspec ./spec/units/certificate_spec.rb:303 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:308 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:315 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
rspec ./spec/units/certificate_spec.rb:320 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
rspec ./spec/units/certificate_spec.rb:180 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
rspec ./spec/units/certificate_spec.rb:186 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
rspec ./spec/units/certificate_spec.rb:192 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
rspec ./spec/units/certificate_spec.rb:211 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
rspec ./spec/units/certificate_spec.rb:226 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
rspec ./spec/units/certificate_spec.rb:232 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
rspec ./spec/units/certificate_spec.rb:248 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
rspec ./spec/units/certificate_spec.rb:285 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
rspec ./spec/units/certificate_spec.rb:352 # CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
rspec ./spec/units/certificate_spec.rb:356 # CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
rspec ./spec/units/certificate_spec.rb:362 # CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm

[Coveralls] Outside the CI environment, not sending data.
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11 failed

This change make all the tests pass, but is probably breaking something that is not covered by the tests:

diff --git a/lib/certificate_authority/certificate.rb b/lib/certificate_authority/certificate.rb
index cdf432c..63d150b 100644
--- a/lib/certificate_authority/certificate.rb
+++ b/lib/certificate_authority/certificate.rb
@@ -92,7 +92,7 @@ module CertificateAuthority
 
       self.extensions.keys.each do |k|
         config_extensions = extensions[k].config_extensions
-        openssl_config = merge_options(openssl_config,config_extensions)
+        #openssl_config = merge_options(openssl_config,config_extensions)
       end
 
       # p openssl_config.sections

remove activesupport dependency

Commit e79424f introduced a dependency on ActiveSupport, but the code does not actually appear to use ActiveSupport anywhere, except for these two lines:

-      self.not_before = Time.now
-      self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+      self.not_before = Time.now.change(:min => 0).utc
+      self.not_after = Time.now.change(:min => 0).utc + 1.year

ActiveSupport is a beast of a dependency, because of the way it changes the behavior of so much of the standard ruby classes. In my case, ActiveSupport is incompatible with my program for several reasons (it forces loading of json/ext but i need json/pure, and it completely overrides default to_json behavior).

ActiveSupport is a fine thing for an end application to depend on, but it is an unkind dependency for a library. ActiveSupport has 111 source files under core_ext! Nope, I didn't just type an extra one. One hundred eleven separate source files for all the modifications to standard ruby. Certainly impressive, but that is not appropriate in all situations.

Have certificates validate their extensions

Seems like each of the X509v3 extension classes support being validated. Perhaps checking the validity of a Certificate should also check the validity of any underlying extension instances.

For example, this script:

#!/usr/bin/env ruby

require 'rubygems'
require 'certificate_authority'

root = CertificateAuthority::Certificate.new
root.subject.common_name = 'test root cert'
root.serial_number.number = 1
root.key_material.generate_key 768

puts "Simple root cert validity: #{root.valid?}"

root.extensions['basicConstraints'].ca = 'waffles'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"

root.extensions['basicConstraints'].ca = 'true'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"```

Returns:

Simple root cert validity: true
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false


Strangely, Extensions::BasicConstraints doesn't seem to recover from ever having been false, after it's switched to valid values.

Doc issue in README: "pathlen" should be "path_len"

There is no example of using path_len in the full "signing_profile", and the details about "Basic Constraints" makes the user believe that the key should be called "pathlen", where it is actually "path_len".

reconstituting a certificate to use for signing a new cert

I'm trying to use a public/private pair in order to reconstitute a certificate in order to sign an intermediate. I have the minimal use-case here: https://gist.github.com/tobowers/bdcb3426b4e3f733d88a#file-minimal-rb-L19-L22

In the real world I would be feeding in public/private from files in order to create the root again and then use that root to sign the intermediate. Or doing something similar to reconstitute the intermediate and sign a terminal cert.

However, in this use case this fails with:

/tmp/intermediate.pem: /CN=My snazzy intermediate!
error 20 at 0 depth lookup:unable to get local issuer certificate

If I use the root itself (not new_root) then everything works fine.

Ability to specify certificate chain in ocsp response

More specifically something like this (using a monkey patch atm):

module CertificateAuthority
  class OCSPResponseBuilder
     # snip
     def build_response(chain=nil)
       # snip
       @ocsp_response.sign(OpenSSL::X509::Certificate.new(@parent.to_pem), @parent.key_material.private_key, chain, nil) ## specifying chain here
       OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, @ocsp_response)
     end
  end
end

This way I could get stunnel to do ocsp correctly. It's a shortcoming of stunnel but it is valid to include the certificate chain of the ocsp and that gets around that shortcoming.

Should SHA512 really be used for the digest?

I've encountered software that doesn't understand this and won't work with the generated certificates (in my case RabbitMQ which I guess is really a possible problem with the erlang ssl library). Anyway, why doesn't certificate_authority default to SHA1?

Cert Serial Numbers should be random, not incremental

Even though MD5 is not being used by certificate_authority not making it vulnerable to [http://lwn.net/Articles/314997/], maybe the randomization of serial numbers should be the default option (or at least, an option).

Ability to configure the signing algorithm

Hi,

Is there way to configure the certificate signing algorithms's when creating certificates?

Best Regards,

Carl

key_material changes

This is not an issue, but I propose to change the following on key_material:

change the modulus_bits=2048 (to set 2048 bits as default)
Add the following two methods: save_keys and load_keys:

def save_keys(file,password)
File.open(file, 'w') {|f| f.write(self.keypair.to_pem(OpenSSL::Cipher.new("AES-256-CBC"),password)) }
end

def load_keys(file,password)
self.keypair = OpenSSL::PKey::RSA.new(File.read(file), password)
self.private_key = keypair
self.public_key = keypair.public_key
self.keypair
end

Order of attributes in issuer field matters

When signing a certificate, the issuer field is currently derived from CertificateAuthority::DistingishedName. The problem is the DistingishedName will reorder the attributes (and, as you know the order of these attributes has changed between versions 0.1.6 and 0.2.0).

It is very important that a certificate's issuer field exactly match with the actual issuer. So, rather than parse it, I think it would be better to use the parent's subject field directly.

In other words, replace this:

class Certificate
  def sign!
    ...
    openssl_cert.issuer = parent.distinguished_name.to_x509_name
    ...
  end
end

With this:

openssl_cert.issuer = parent.openssl_body.subject

I am not sure if there is a standard order for attributes or not. Regardless, I think the the certificate should probably match the parent, even if the parent has a non-standard dn.

Without some change along these lines, this gem will generate invalid certificates in many cases.

Thanks.

LocalJumpError on sign!

When I try to sign any certificate (even when following the steps given in the Readme), I keep getting the following LocalJumpError:

ree-1.8.7-2011.03 :008 > root.sign!
LocalJumpError: unexpected return
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:24:in _callback_before_13' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:23:ineach'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:23:in _callback_before_13' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activesupport-3.0.7/lib/active_support/callbacks.rb:415:in_run_validate_callbacks'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activemodel-3.0.7/lib/active_model/validations.rb:212:in run_validations!' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activemodel-3.0.7/lib/active_model/validations.rb:179:invalid?'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:43:in `sign!'
from (irb):8

I'm using ruby 1.8.7 (2011-02-18 patchlevel 334) [i686-darwin10.7.3], MBARI 0x6770, Ruby Enterprise Edition 2011.03, and the latest version of certificate_authority.

Is this a known issue?

Parse and consume CSR automatically

Hi @cchandler, this library is dope - great work!

I notice that the README mentions conveniences for CSR as coming soon. Did you make any progress with that? I'm about to spike something out and didn't want to reinvent the wheel if you had some WIP somewhere I could build on!

Cheers,
Mike

#!/usr/bin/env ruby

require 'rubygems'
require 'certificate_authority'

root = CertificateAuthority::Certificate.new
root.subject.common_name = 'test root cert'
root.serial_number.number = 1
root.key_material.generate_key 768

puts "Simple root cert validity: #{root.valid?}"

root.extensions['basicConstraints'].ca = 'waffles'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"

root.extensions['basicConstraints'].ca = 'true'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"

Returns:

Simple root cert validity: true
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false

Strangely, Extensions::BasicConstraints doesn't seem to recover from ever having been false, after it's switched to valid values.

cchandler / certificate_authority Goto Github PK

certificate_authority's People

Contributors

Stargazers

Watchers

Forkers

certificate_authority's Issues

Recommend Projects

Recommend Topics

Recommend Org