cchandler / certificate_authority Goto Github PK
View Code? Open in Web Editor NEWRuby gem for managing the core functions outlined in RFC-3280 for PKI
Home Page: https://github.com/cchandler/certificate_authority
Ruby gem for managing the core functions outlined in RFC-3280 for PKI
Home Page: https://github.com/cchandler/certificate_authority
Hi,
Is there way to configure the certificate signing algorithms's when creating certificates?
Best Regards,
Carl
With a fresh_clone of certificate_authority, I run the specs and get:
OpenSSL::Engine::EngineError in 'CertificateAuthority::MemoryKeyMaterial in hardware should return a Pkey ref if the private key is requested'
dso not found
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in ctrl_cmd' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in
initialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in by_id' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in
initialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:32:in `private_key'
/private/tmp/certificate_authority/spec/units/key_material_spec.rb:59:
OpenSSL::Engine::EngineError in 'CertificateAuthority::MemoryKeyMaterial in hardware should return a Pkey ref if the private key is requested'
dso not found
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in ctrl_cmd' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:55:in
initialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in by_id' /private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:51:in
initialize_engine'
/private/tmp/certificate_authority/lib/certificate_authority/pkcs11_key_material.rb:37:in `public_key'
/private/tmp/certificate_authority/spec/units/key_material_spec.rb:63:
It'd be helpful if I could use this gem to create a certificat authority, convert it to a SSH key pair and then use that key pair with PKCS#11 for additional security when SSH'ing into another server.
The print format for X509v3 authority key identifier was changed in openssl, and in openssl >= 3.0 the keyid:
prefix is no longer included in most cases. See openssl/openssl@86afd00 and openssl/openssl#6226 for context.
This appears to cause a test failure when running against openssl 3.0:
Failures:
1) CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported
Failure/Error: expect(@cert_with_extensions.extensions["authorityKeyIdentifier"]).to eq(expected_authorityKeyIdentifier)
expected: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018 @critical=false, @identifier="keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
got: #<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828 @critical=false, @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
(compared using ==)
Diff:
@@ -1,5 +1,4 @@
-#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e61018
+#<CertificateAuthority::Extensions::AuthorityKeyIdentifier:0x000055d255e58828
@critical=false,
- @identifier=
- "keyid:4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
+ @identifier="4C:58:CB:25:F0:41:4F:52:F4:28:C8:81:43:9B:A6:A8:A0:E6:92:E5">
# ./spec/units/certificate_spec.rb:427:in `block (3 levels) in <top (required)>'
Finished in 1.22 seconds (files took 0.44575 seconds to load)
189 examples, 1 failure, 1 pending
Failed examples:
rspec ./spec/units/certificate_spec.rb:403 # CertificateAuthority::Certificate from_openssl should check to make sure that if a certificate had extensions they were imported
This is from an Ubuntu package build, and the full log can be found here: https://launchpadlibrarian.net/609963185/buildlog_ubuntu-kinetic-amd64.ruby-certificate-authority_1.0.0-1_BUILDING.txt.gz.
I am doing something like this:
signing_key = OpenSSL::X509::Certificate.new File.read "intermediate.pem"
plain_cert = CertificateAuthority::Certificate.new
plain_cert.subject.common_name = "mydomain.com"
plain_cert.serial_number.number = 4
plain_cert.key_material.generate_key
plain_cert.parent = signing_key
plain_cert.sign!
just to test the loading and pems to sign client certs. and i get the following error:
gems/certificate_authority-0.1.6/lib/certificate_authority/certificate.rb:58:in sign!': undefined method
distinguished_name' for #OpenSSL::X509::Certificate:0x00000001801438 (NoMethodError)
Am I missing something?
The root and intermediate were built using the example code and saved to disk using to_pem
You mentioned Registration Authority and Validation Authority. Does this package have these functionality? If not, could you please recommend gems for them? Thank you.
I'm currently developing against the master branch, as it's the only that runs in ruby 2.3 and greater without warnings.
I've encountered this problem when running the ssl tests against the latest jruby, when I require this gem:
This has been recently fixed, but not yet released (check the discrepancy between report date and fix date):
I'd like to argue for autoloading the handlers in this gem, instead of requiring them. It will have the following advantages:
The last one is obviously the important :) As long as the components are thread-safe, autoloading shouldn't be an issue.
What do you think?
A deprecated warning appears in example code from README:
/Users/ztz/.rvm/gems/ruby-2.6.5/gems/certificate_authority-0.1.6/lib/certificate_authority/certificate.rb:94: warning: constant OpenSSL::Digest::Digest is deprecated
Code:
require 'certificate_authority'
root = CertificateAuthority::Certificate.new
root.subject.common_name= "http://mydomain.com"
root.serial_number.number=1
root.key_material.generate_key
root.signing_entity = true
signing_profile = {"extensions" => {"keyUsage" => {"usage" => ["critical", "keyCertSign"] }} }
root.sign!(signing_profile)
Ruby version:
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-darwin19]
Are you planning to release 0.2.0? There are few methods I find useful :)
Fix it!
On distinguished_name you have:
name = OpenSSL::X509::Name.new
name.add_entry("CN", common_name)
name.add_entry("O", organization) unless organization.blank?
name.add_entry("OU", common_name) unless organizational_unit.blank?
name.add_entry("S", common_name) unless state.blank?
name.add_entry("L", common_name) unless locality.blank?
My code is currently working like this:
name = OpenSSL::X509::Name.new
name.add_entry("CN", common_name)
name.add_entry("O", organization) unless organization.blank?
name.add_entry("OU", organizational_unit) unless organizational_unit.blank?
name.add_entry("ST", state) unless state.blank?
name.add_entry("L", locality) unless locality.blank?
name.add_entry("C", country) unless country.blank?
Hi,
I'm updating certificate_authority
to 1.0.0 in Debian, where we are now at ruby 3.0 and openssl 3.0.0, and the tests fail for me there:
$ gem list openssl
*** LOCAL GEMS ***
openssl (default: 3.0.0)
$ rake
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11
[Coveralls] Set up the SimpleCov formatter.
[Coveralls] Using SimpleCov's default settings.
Run options: exclude {:pkcs11=>true}
.......................................FFFFFFFFFFFFF*FFFF....................................................................................................................................
Pending: (Failures listed here are expected and do not affect your suite's status)
1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should contain a nested userNotice if specified
# No reason given
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
Failures:
1) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
2) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
3) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
4) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
5) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
6) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
7) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
8) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
9) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
10) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
11) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
12) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
13) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
14) CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:169:in `block (3 levels) in <top (required)>'
15) CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:353:in `block (3 levels) in <top (required)>'
16) CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:357:in `block (3 levels) in <top (required)>'
17) CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm
Failure/Error: config[k] = hash[k]
NoMethodError:
undefined method `[]=' for #<OpenSSL::Config sections=["default"]>
# ./lib/certificate_authority/certificate.rb:229:in `block in merge_options'
# ./lib/certificate_authority/certificate.rb:228:in `each'
# ./lib/certificate_authority/certificate.rb:228:in `merge_options'
# ./lib/certificate_authority/certificate.rb:95:in `block in sign!'
# ./lib/certificate_authority/certificate.rb:93:in `each'
# ./lib/certificate_authority/certificate.rb:93:in `sign!'
# ./spec/units/certificate_spec.rb:364:in `block (3 levels) in <top (required)>'
Finished in 1 second (files took 0.38893 seconds to load)
189 examples, 17 failures, 1 pending
Failed examples:
rspec ./spec/units/certificate_spec.rb:293 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support BasicConstraints
rspec ./spec/units/certificate_spec.rb:298 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support subjectKeyIdentifier
rspec ./spec/units/certificate_spec.rb:303 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:308 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should order subjectKeyIdentifier before authorityKeyIdentifier
rspec ./spec/units/certificate_spec.rb:315 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support keyUsage
rspec ./spec/units/certificate_spec.rb:320 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates should support extendedKeyUsage
rspec ./spec/units/certificate_spec.rb:180 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should have a subjectAltName if specified
rspec ./spec/units/certificate_spec.rb:186 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should NOT have a subjectAltName if one was not specified
rspec ./spec/units/certificate_spec.rb:192 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates SubjectAltName should replace email:copy with email address
rspec ./spec/units/certificate_spec.rb:211 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates AuthorityInfoAccess should have an authority info access if specified
rspec ./spec/units/certificate_spec.rb:226 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should have a crlDistributionPoint if specified
rspec ./spec/units/certificate_spec.rb:232 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CrlDistributionPoints should NOT have a crlDistributionPoint if one was not specified
rspec ./spec/units/certificate_spec.rb:248 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should have a certificatePolicy if specified
rspec ./spec/units/certificate_spec.rb:285 # CertificateAuthority::Certificate X.509 V3 Extensions on Signed Certificates CertificatePolicies should NOT include a certificatePolicy if not specified
rspec ./spec/units/certificate_spec.rb:352 # CertificateAuthority::Certificate Signing profile should be able to sign with an optional policy hash
rspec ./spec/units/certificate_spec.rb:356 # CertificateAuthority::Certificate Signing profile should support a default signing digest of SHA512
rspec ./spec/units/certificate_spec.rb:362 # CertificateAuthority::Certificate Signing profile should support a configurable digest algorithm
[Coveralls] Outside the CI environment, not sending data.
/usr/lib/ruby-standalone/bin/ruby -I/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-support-3.9.3/lib:/home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/lib /home/terceiro/.ruby-standalone/gems/ruby/3.0.0/gems/rspec-core-3.9.2/exe/rspec --pattern spec/\*\*\{,/\*/\*\*\}/\*_spec.rb --colour --format progress --tag ~pkcs11 failed
This change make all the tests pass, but is probably breaking something that is not covered by the tests:
diff --git a/lib/certificate_authority/certificate.rb b/lib/certificate_authority/certificate.rb
index cdf432c..63d150b 100644
--- a/lib/certificate_authority/certificate.rb
+++ b/lib/certificate_authority/certificate.rb
@@ -92,7 +92,7 @@ module CertificateAuthority
self.extensions.keys.each do |k|
config_extensions = extensions[k].config_extensions
- openssl_config = merge_options(openssl_config,config_extensions)
+ #openssl_config = merge_options(openssl_config,config_extensions)
end
# p openssl_config.sections
Commit e79424f introduced a dependency on ActiveSupport, but the code does not actually appear to use ActiveSupport anywhere, except for these two lines:
- self.not_before = Time.now
- self.not_after = Time.now + 60 * 60 * 24 * 365 #One year
+ self.not_before = Time.now.change(:min => 0).utc
+ self.not_after = Time.now.change(:min => 0).utc + 1.year
ActiveSupport is a beast of a dependency, because of the way it changes the behavior of so much of the standard ruby classes. In my case, ActiveSupport is incompatible with my program for several reasons (it forces loading of json/ext but i need json/pure, and it completely overrides default to_json behavior).
ActiveSupport is a fine thing for an end application to depend on, but it is an unkind dependency for a library. ActiveSupport has 111 source files under core_ext! Nope, I didn't just type an extra one. One hundred eleven separate source files for all the modifications to standard ruby. Certainly impressive, but that is not appropriate in all situations.
Seems like each of the X509v3 extension classes support being validated. Perhaps checking the validity of a Certificate should also check the validity of any underlying extension instances.
For example, this script:
#!/usr/bin/env ruby
require 'rubygems'
require 'certificate_authority'
root = CertificateAuthority::Certificate.new
root.subject.common_name = 'test root cert'
root.serial_number.number = 1
root.key_material.generate_key 768
puts "Simple root cert validity: #{root.valid?}"
root.extensions['basicConstraints'].ca = 'waffles'
puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"
root.extensions['basicConstraints'].ca = 'true'
puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"```
Returns:
Simple root cert validity: true
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Strangely, Extensions::BasicConstraints doesn't seem to recover from ever having been false, after it's switched to valid values.
There is no example of using path_len in the full "signing_profile", and the details about "Basic Constraints" makes the user believe that the key should be called "pathlen", where it is actually "path_len".
I'm trying to use a public/private pair in order to reconstitute a certificate in order to sign an intermediate. I have the minimal use-case here: https://gist.github.com/tobowers/bdcb3426b4e3f733d88a#file-minimal-rb-L19-L22
In the real world I would be feeding in public/private from files in order to create the root again and then use that root to sign the intermediate. Or doing something similar to reconstitute the intermediate and sign a terminal cert.
However, in this use case this fails with:
/tmp/intermediate.pem: /CN=My snazzy intermediate!
error 20 at 0 depth lookup:unable to get local issuer certificate
If I use the root itself (not new_root) then everything works fine.
More specifically something like this (using a monkey patch atm):
module CertificateAuthority
class OCSPResponseBuilder
# snip
def build_response(chain=nil)
# snip
@ocsp_response.sign(OpenSSL::X509::Certificate.new(@parent.to_pem), @parent.key_material.private_key, chain, nil) ## specifying chain here
OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, @ocsp_response)
end
end
end
This way I could get stunnel to do ocsp correctly. It's a shortcoming of stunnel but it is valid to include the certificate chain of the ocsp and that gets around that shortcoming.
I've encountered software that doesn't understand this and won't work with the generated certificates (in my case RabbitMQ which I guess is really a possible problem with the erlang ssl library). Anyway, why doesn't certificate_authority default to SHA1?
Even though MD5 is not being used by certificate_authority not making it vulnerable to [http://lwn.net/Articles/314997/], maybe the randomization of serial numbers should be the default option (or at least, an option).
Hi,
Is there way to configure the certificate signing algorithms's when creating certificates?
Best Regards,
Carl
This is not an issue, but I propose to change the following on key_material:
def save_keys(file,password)
File.open(file, 'w') {|f| f.write(self.keypair.to_pem(OpenSSL::Cipher.new("AES-256-CBC"),password)) }
end
def load_keys(file,password)
self.keypair = OpenSSL::PKey::RSA.new(File.read(file), password)
self.private_key = keypair
self.public_key = keypair.public_key
self.keypair
end
When signing a certificate, the issuer field is currently derived from CertificateAuthority::DistingishedName. The problem is the DistingishedName will reorder the attributes (and, as you know the order of these attributes has changed between versions 0.1.6 and 0.2.0).
It is very important that a certificate's issuer field exactly match with the actual issuer. So, rather than parse it, I think it would be better to use the parent's subject field directly.
In other words, replace this:
class Certificate
def sign!
...
openssl_cert.issuer = parent.distinguished_name.to_x509_name
...
end
end
With this:
openssl_cert.issuer = parent.openssl_body.subject
I am not sure if there is a standard order for attributes or not. Regardless, I think the the certificate should probably match the parent, even if the parent has a non-standard dn.
Without some change along these lines, this gem will generate invalid certificates in many cases.
Thanks.
When I try to sign any certificate (even when following the steps given in the Readme), I keep getting the following LocalJumpError:
ree-1.8.7-2011.03 :008 > root.sign!
LocalJumpError: unexpected return
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:24:in _callback_before_13' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:23:in
each'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:23:in _callback_before_13' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activesupport-3.0.7/lib/active_support/callbacks.rb:415:in
_run_validate_callbacks'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activemodel-3.0.7/lib/active_model/validations.rb:212:in run_validations!' from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/activemodel-3.0.7/lib/active_model/validations.rb:179:in
valid?'
from /Users/diogo/.rvm/gems/ree-1.8.7-2011.03/gems/certificate_authority-0.1.2/lib/certificate_authority/certificate.rb:43:in `sign!'
from (irb):8
I'm using ruby 1.8.7 (2011-02-18 patchlevel 334) [i686-darwin10.7.3], MBARI 0x6770, Ruby Enterprise Edition 2011.03, and the latest version of certificate_authority.
Is this a known issue?
Hi @cchandler, this library is dope - great work!
I notice that the README mentions conveniences for CSR as coming soon. Did you make any progress with that? I'm about to spike something out and didn't want to reinvent the wheel if you had some WIP somewhere I could build on!
Cheers,
Mike
Please release certificate_authority 0.2.0, which appears to remove the dependency on ActiveModel
I think you want BasicConstraints :)
Firefox apparently requires both "digitalSignature" and "keyEncipherment" on the root certificate X509 extensions.
If you dont include them, Firefox returns a sec_error_inadequate_key_usage when you try to access a website signed by that specific root authority.
Seems like each of the X509v3 extension classes support being validated. Perhaps checking the validity of a Certificate should also check the validity of any underlying extension instances.
For example, this script:
#!/usr/bin/env ruby
require 'rubygems'
require 'certificate_authority'
root = CertificateAuthority::Certificate.new
root.subject.common_name = 'test root cert'
root.serial_number.number = 1
root.key_material.generate_key 768
puts "Simple root cert validity: #{root.valid?}"
root.extensions['basicConstraints'].ca = 'waffles'
puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"
root.extensions['basicConstraints'].ca = 'true'
puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"
Returns:
Simple root cert validity: true
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Strangely, Extensions::BasicConstraints doesn't seem to recover from ever having been false, after it's switched to valid values.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.