зеркало из https://github.com/github/ruby.git
847 строки
20 KiB
C
847 строки
20 KiB
C
/*
|
|
* 'OpenSSL for Ruby' project
|
|
* Copyright (C) 2001-2002 Michal Rokos <m.rokos@sh.cvut.cz>
|
|
* All rights reserved.
|
|
*/
|
|
/*
|
|
* This program is licensed under the same licence as Ruby.
|
|
* (See the file 'LICENCE'.)
|
|
*/
|
|
#include "ossl.h"
|
|
|
|
#define NewX509(klass) \
|
|
TypedData_Wrap_Struct((klass), &ossl_x509_type, 0)
|
|
#define SetX509(obj, x509) do { \
|
|
if (!(x509)) { \
|
|
ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
|
|
} \
|
|
RTYPEDDATA_DATA(obj) = (x509); \
|
|
} while (0)
|
|
#define GetX509(obj, x509) do { \
|
|
TypedData_Get_Struct((obj), X509, &ossl_x509_type, (x509)); \
|
|
if (!(x509)) { \
|
|
ossl_raise(rb_eRuntimeError, "CERT wasn't initialized!"); \
|
|
} \
|
|
} while (0)
|
|
|
|
/*
|
|
* Classes
|
|
*/
|
|
VALUE cX509Cert;
|
|
VALUE eX509CertError;
|
|
|
|
static void
|
|
ossl_x509_free(void *ptr)
|
|
{
|
|
X509_free(ptr);
|
|
}
|
|
|
|
static const rb_data_type_t ossl_x509_type = {
|
|
"OpenSSL/X509",
|
|
{
|
|
0, ossl_x509_free,
|
|
},
|
|
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
|
};
|
|
|
|
/*
|
|
* Public
|
|
*/
|
|
VALUE
|
|
ossl_x509_new(X509 *x509)
|
|
{
|
|
X509 *new;
|
|
VALUE obj;
|
|
|
|
obj = NewX509(cX509Cert);
|
|
if (!x509) {
|
|
new = X509_new();
|
|
} else {
|
|
new = X509_dup(x509);
|
|
}
|
|
if (!new) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
SetX509(obj, new);
|
|
|
|
return obj;
|
|
}
|
|
|
|
X509 *
|
|
GetX509CertPtr(VALUE obj)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(obj, x509);
|
|
|
|
return x509;
|
|
}
|
|
|
|
X509 *
|
|
DupX509CertPtr(VALUE obj)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(obj, x509);
|
|
|
|
X509_up_ref(x509);
|
|
|
|
return x509;
|
|
}
|
|
|
|
/*
|
|
* Private
|
|
*/
|
|
static VALUE
|
|
ossl_x509_alloc(VALUE klass)
|
|
{
|
|
X509 *x509;
|
|
VALUE obj;
|
|
|
|
obj = NewX509(klass);
|
|
x509 = X509_new();
|
|
if (!x509) ossl_raise(eX509CertError, NULL);
|
|
SetX509(obj, x509);
|
|
|
|
return obj;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* Certificate.new => cert
|
|
* Certificate.new(string) => cert
|
|
*/
|
|
static VALUE
|
|
ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
|
|
{
|
|
BIO *in;
|
|
X509 *x509, *x = DATA_PTR(self);
|
|
VALUE arg;
|
|
|
|
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
|
|
/* create just empty X509Cert */
|
|
return self;
|
|
}
|
|
arg = ossl_to_der_if_possible(arg);
|
|
in = ossl_obj2bio(&arg);
|
|
x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
|
|
DATA_PTR(self) = x;
|
|
if (!x509) {
|
|
OSSL_BIO_reset(in);
|
|
x509 = d2i_X509_bio(in, &x);
|
|
DATA_PTR(self) = x;
|
|
}
|
|
BIO_free(in);
|
|
if (!x509) ossl_raise(eX509CertError, NULL);
|
|
|
|
return self;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509_copy(VALUE self, VALUE other)
|
|
{
|
|
X509 *a, *b, *x509;
|
|
|
|
rb_check_frozen(self);
|
|
if (self == other) return self;
|
|
|
|
GetX509(self, a);
|
|
GetX509(other, b);
|
|
|
|
x509 = X509_dup(b);
|
|
if (!x509) ossl_raise(eX509CertError, NULL);
|
|
|
|
DATA_PTR(self) = x509;
|
|
X509_free(a);
|
|
|
|
return self;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.to_der => string
|
|
*/
|
|
static VALUE
|
|
ossl_x509_to_der(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
VALUE str;
|
|
long len;
|
|
unsigned char *p;
|
|
|
|
GetX509(self, x509);
|
|
if ((len = i2d_X509(x509, NULL)) <= 0)
|
|
ossl_raise(eX509CertError, NULL);
|
|
str = rb_str_new(0, len);
|
|
p = (unsigned char *)RSTRING_PTR(str);
|
|
if (i2d_X509(x509, &p) <= 0)
|
|
ossl_raise(eX509CertError, NULL);
|
|
ossl_str_adjust(str, p);
|
|
|
|
return str;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.to_pem => string
|
|
*/
|
|
static VALUE
|
|
ossl_x509_to_pem(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
BIO *out;
|
|
VALUE str;
|
|
|
|
GetX509(self, x509);
|
|
out = BIO_new(BIO_s_mem());
|
|
if (!out) ossl_raise(eX509CertError, NULL);
|
|
|
|
if (!PEM_write_bio_X509(out, x509)) {
|
|
BIO_free(out);
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
str = ossl_membio2str(out);
|
|
|
|
return str;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.to_text => string
|
|
*/
|
|
static VALUE
|
|
ossl_x509_to_text(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
BIO *out;
|
|
VALUE str;
|
|
|
|
GetX509(self, x509);
|
|
|
|
out = BIO_new(BIO_s_mem());
|
|
if (!out) ossl_raise(eX509CertError, NULL);
|
|
|
|
if (!X509_print(out, x509)) {
|
|
BIO_free(out);
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
str = ossl_membio2str(out);
|
|
|
|
return str;
|
|
}
|
|
|
|
#if 0
|
|
/*
|
|
* Makes from X509 X509_REQuest
|
|
*/
|
|
static VALUE
|
|
ossl_x509_to_req(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
X509_REQ *req;
|
|
VALUE obj;
|
|
|
|
GetX509(self, x509);
|
|
if (!(req = X509_to_X509_REQ(x509, NULL, EVP_md5()))) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
obj = ossl_x509req_new(req);
|
|
X509_REQ_free(req);
|
|
|
|
return obj;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.version => integer
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_version(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(self, x509);
|
|
|
|
return LONG2NUM(X509_get_version(x509));
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.version = integer => integer
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_version(VALUE self, VALUE version)
|
|
{
|
|
X509 *x509;
|
|
long ver;
|
|
|
|
if ((ver = NUM2LONG(version)) < 0) {
|
|
ossl_raise(eX509CertError, "version must be >= 0!");
|
|
}
|
|
GetX509(self, x509);
|
|
if (!X509_set_version(x509, ver)) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return version;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.serial => integer
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_serial(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(self, x509);
|
|
|
|
return asn1integer_to_num(X509_get_serialNumber(x509));
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.serial = integer => integer
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_serial(VALUE self, VALUE num)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(self, x509);
|
|
X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509)));
|
|
|
|
return num;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.signature_algorithm => string
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_signature_algorithm(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
BIO *out;
|
|
VALUE str;
|
|
|
|
GetX509(self, x509);
|
|
out = BIO_new(BIO_s_mem());
|
|
if (!out) ossl_raise(eX509CertError, NULL);
|
|
|
|
if (!i2a_ASN1_OBJECT(out, X509_get0_tbs_sigalg(x509)->algorithm)) {
|
|
BIO_free(out);
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
str = ossl_membio2str(out);
|
|
|
|
return str;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.subject => name
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_subject(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
X509_NAME *name;
|
|
|
|
GetX509(self, x509);
|
|
if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return ossl_x509name_new(name);
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.subject = name => name
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_subject(VALUE self, VALUE subject)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(self, x509);
|
|
if (!X509_set_subject_name(x509, GetX509NamePtr(subject))) { /* DUPs name */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return subject;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.issuer => name
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_issuer(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
X509_NAME *name;
|
|
|
|
GetX509(self, x509);
|
|
if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return ossl_x509name_new(name);
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.issuer = name => name
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_issuer(VALUE self, VALUE issuer)
|
|
{
|
|
X509 *x509;
|
|
|
|
GetX509(self, x509);
|
|
if (!X509_set_issuer_name(x509, GetX509NamePtr(issuer))) { /* DUPs name */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return issuer;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.not_before => time
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_not_before(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
const ASN1_TIME *asn1time;
|
|
|
|
GetX509(self, x509);
|
|
if (!(asn1time = X509_get0_notBefore(x509))) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return asn1time_to_time(asn1time);
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.not_before = time => time
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_not_before(VALUE self, VALUE time)
|
|
{
|
|
X509 *x509;
|
|
ASN1_TIME *asn1time;
|
|
|
|
GetX509(self, x509);
|
|
asn1time = ossl_x509_time_adjust(NULL, time);
|
|
if (!X509_set1_notBefore(x509, asn1time)) {
|
|
ASN1_TIME_free(asn1time);
|
|
ossl_raise(eX509CertError, "X509_set_notBefore");
|
|
}
|
|
ASN1_TIME_free(asn1time);
|
|
|
|
return time;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.not_after => time
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_not_after(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
const ASN1_TIME *asn1time;
|
|
|
|
GetX509(self, x509);
|
|
if (!(asn1time = X509_get0_notAfter(x509))) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return asn1time_to_time(asn1time);
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.not_after = time => time
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_not_after(VALUE self, VALUE time)
|
|
{
|
|
X509 *x509;
|
|
ASN1_TIME *asn1time;
|
|
|
|
GetX509(self, x509);
|
|
asn1time = ossl_x509_time_adjust(NULL, time);
|
|
if (!X509_set1_notAfter(x509, asn1time)) {
|
|
ASN1_TIME_free(asn1time);
|
|
ossl_raise(eX509CertError, "X509_set_notAfter");
|
|
}
|
|
ASN1_TIME_free(asn1time);
|
|
|
|
return time;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.public_key => key
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_public_key(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
EVP_PKEY *pkey;
|
|
|
|
GetX509(self, x509);
|
|
if (!(pkey = X509_get_pubkey(x509))) { /* adds an reference */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return ossl_pkey_new(pkey); /* NO DUP - OK */
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.public_key = key
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_public_key(VALUE self, VALUE key)
|
|
{
|
|
X509 *x509;
|
|
EVP_PKEY *pkey;
|
|
|
|
GetX509(self, x509);
|
|
pkey = GetPKeyPtr(key);
|
|
ossl_pkey_check_public_key(pkey);
|
|
if (!X509_set_pubkey(x509, pkey))
|
|
ossl_raise(eX509CertError, "X509_set_pubkey");
|
|
return key;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.sign(key, digest) => self
|
|
*/
|
|
static VALUE
|
|
ossl_x509_sign(VALUE self, VALUE key, VALUE digest)
|
|
{
|
|
X509 *x509;
|
|
EVP_PKEY *pkey;
|
|
const EVP_MD *md;
|
|
|
|
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
|
|
md = ossl_evp_get_digestbyname(digest);
|
|
GetX509(self, x509);
|
|
if (!X509_sign(x509, pkey, md)) {
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return self;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.verify(key) => true | false
|
|
*
|
|
* Verifies the signature of the certificate, with the public key _key_. _key_
|
|
* must be an instance of OpenSSL::PKey.
|
|
*/
|
|
static VALUE
|
|
ossl_x509_verify(VALUE self, VALUE key)
|
|
{
|
|
X509 *x509;
|
|
EVP_PKEY *pkey;
|
|
|
|
GetX509(self, x509);
|
|
pkey = GetPKeyPtr(key);
|
|
ossl_pkey_check_public_key(pkey);
|
|
switch (X509_verify(x509, pkey)) {
|
|
case 1:
|
|
return Qtrue;
|
|
case 0:
|
|
ossl_clear_error();
|
|
return Qfalse;
|
|
default:
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.check_private_key(key) -> true | false
|
|
*
|
|
* Returns +true+ if _key_ is the corresponding private key to the Subject
|
|
* Public Key Information, +false+ otherwise.
|
|
*/
|
|
static VALUE
|
|
ossl_x509_check_private_key(VALUE self, VALUE key)
|
|
{
|
|
X509 *x509;
|
|
EVP_PKEY *pkey;
|
|
|
|
/* not needed private key, but should be */
|
|
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
|
|
GetX509(self, x509);
|
|
if (!X509_check_private_key(x509, pkey)) {
|
|
ossl_clear_error();
|
|
return Qfalse;
|
|
}
|
|
|
|
return Qtrue;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.extensions => [extension...]
|
|
*/
|
|
static VALUE
|
|
ossl_x509_get_extensions(VALUE self)
|
|
{
|
|
X509 *x509;
|
|
int count, i;
|
|
X509_EXTENSION *ext;
|
|
VALUE ary;
|
|
|
|
GetX509(self, x509);
|
|
count = X509_get_ext_count(x509);
|
|
if (count < 0) {
|
|
return rb_ary_new();
|
|
}
|
|
ary = rb_ary_new2(count);
|
|
for (i=0; i<count; i++) {
|
|
ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
|
|
rb_ary_push(ary, ossl_x509ext_new(ext));
|
|
}
|
|
|
|
return ary;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.extensions = [ext...] => [ext...]
|
|
*/
|
|
static VALUE
|
|
ossl_x509_set_extensions(VALUE self, VALUE ary)
|
|
{
|
|
X509 *x509;
|
|
X509_EXTENSION *ext;
|
|
long i;
|
|
|
|
Check_Type(ary, T_ARRAY);
|
|
/* All ary's members should be X509Extension */
|
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
|
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
|
|
}
|
|
GetX509(self, x509);
|
|
while ((ext = X509_delete_ext(x509, 0)))
|
|
X509_EXTENSION_free(ext);
|
|
for (i=0; i<RARRAY_LEN(ary); i++) {
|
|
ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
|
|
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
}
|
|
|
|
return ary;
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert.add_extension(extension) => extension
|
|
*/
|
|
static VALUE
|
|
ossl_x509_add_extension(VALUE self, VALUE extension)
|
|
{
|
|
X509 *x509;
|
|
X509_EXTENSION *ext;
|
|
|
|
GetX509(self, x509);
|
|
ext = GetX509ExtPtr(extension);
|
|
if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
|
|
ossl_raise(eX509CertError, NULL);
|
|
}
|
|
|
|
return extension;
|
|
}
|
|
|
|
static VALUE
|
|
ossl_x509_inspect(VALUE self)
|
|
{
|
|
return rb_sprintf("#<%"PRIsVALUE": subject=%+"PRIsVALUE", "
|
|
"issuer=%+"PRIsVALUE", serial=%+"PRIsVALUE", "
|
|
"not_before=%+"PRIsVALUE", not_after=%+"PRIsVALUE">",
|
|
rb_obj_class(self),
|
|
ossl_x509_get_subject(self),
|
|
ossl_x509_get_issuer(self),
|
|
ossl_x509_get_serial(self),
|
|
ossl_x509_get_not_before(self),
|
|
ossl_x509_get_not_after(self));
|
|
}
|
|
|
|
/*
|
|
* call-seq:
|
|
* cert1 == cert2 -> true | false
|
|
*
|
|
* Compares the two certificates. Note that this takes into account all fields,
|
|
* not just the issuer name and the serial number.
|
|
*/
|
|
static VALUE
|
|
ossl_x509_eq(VALUE self, VALUE other)
|
|
{
|
|
X509 *a, *b;
|
|
|
|
GetX509(self, a);
|
|
if (!rb_obj_is_kind_of(other, cX509Cert))
|
|
return Qfalse;
|
|
GetX509(other, b);
|
|
|
|
return !X509_cmp(a, b) ? Qtrue : Qfalse;
|
|
}
|
|
|
|
/*
|
|
* INIT
|
|
*/
|
|
void
|
|
Init_ossl_x509cert(void)
|
|
{
|
|
#if 0
|
|
mOSSL = rb_define_module("OpenSSL");
|
|
eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
|
|
mX509 = rb_define_module_under(mOSSL, "X509");
|
|
#endif
|
|
|
|
eX509CertError = rb_define_class_under(mX509, "CertificateError", eOSSLError);
|
|
|
|
/* Document-class: OpenSSL::X509::Certificate
|
|
*
|
|
* Implementation of an X.509 certificate as specified in RFC 5280.
|
|
* Provides access to a certificate's attributes and allows certificates
|
|
* to be read from a string, but also supports the creation of new
|
|
* certificates from scratch.
|
|
*
|
|
* === Reading a certificate from a file
|
|
*
|
|
* Certificate is capable of handling DER-encoded certificates and
|
|
* certificates encoded in OpenSSL's PEM format.
|
|
*
|
|
* raw = File.read "cert.cer" # DER- or PEM-encoded
|
|
* certificate = OpenSSL::X509::Certificate.new raw
|
|
*
|
|
* === Saving a certificate to a file
|
|
*
|
|
* A certificate may be encoded in DER format
|
|
*
|
|
* cert = ...
|
|
* File.open("cert.cer", "wb") { |f| f.print cert.to_der }
|
|
*
|
|
* or in PEM format
|
|
*
|
|
* cert = ...
|
|
* File.open("cert.pem", "wb") { |f| f.print cert.to_pem }
|
|
*
|
|
* X.509 certificates are associated with a private/public key pair,
|
|
* typically a RSA, DSA or ECC key (see also OpenSSL::PKey::RSA,
|
|
* OpenSSL::PKey::DSA and OpenSSL::PKey::EC), the public key itself is
|
|
* stored within the certificate and can be accessed in form of an
|
|
* OpenSSL::PKey. Certificates are typically used to be able to associate
|
|
* some form of identity with a key pair, for example web servers serving
|
|
* pages over HTTPs use certificates to authenticate themselves to the user.
|
|
*
|
|
* The public key infrastructure (PKI) model relies on trusted certificate
|
|
* authorities ("root CAs") that issue these certificates, so that end
|
|
* users need to base their trust just on a selected few authorities
|
|
* that themselves again vouch for subordinate CAs issuing their
|
|
* certificates to end users.
|
|
*
|
|
* The OpenSSL::X509 module provides the tools to set up an independent
|
|
* PKI, similar to scenarios where the 'openssl' command line tool is
|
|
* used for issuing certificates in a private PKI.
|
|
*
|
|
* === Creating a root CA certificate and an end-entity certificate
|
|
*
|
|
* First, we need to create a "self-signed" root certificate. To do so,
|
|
* we need to generate a key first. Please note that the choice of "1"
|
|
* as a serial number is considered a security flaw for real certificates.
|
|
* Secure choices are integers in the two-digit byte range and ideally
|
|
* not sequential but secure random numbers, steps omitted here to keep
|
|
* the example concise.
|
|
*
|
|
* root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
|
|
* root_ca = OpenSSL::X509::Certificate.new
|
|
* root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
|
|
* root_ca.serial = 1
|
|
* root_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby CA"
|
|
* root_ca.issuer = root_ca.subject # root CA's are "self-signed"
|
|
* root_ca.public_key = root_key.public_key
|
|
* root_ca.not_before = Time.now
|
|
* root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
|
|
* ef = OpenSSL::X509::ExtensionFactory.new
|
|
* ef.subject_certificate = root_ca
|
|
* ef.issuer_certificate = root_ca
|
|
* root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
|
|
* root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
|
|
* root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
|
|
* root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
|
|
* root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
|
|
*
|
|
* The next step is to create the end-entity certificate using the root CA
|
|
* certificate.
|
|
*
|
|
* key = OpenSSL::PKey::RSA.new 2048
|
|
* cert = OpenSSL::X509::Certificate.new
|
|
* cert.version = 2
|
|
* cert.serial = 2
|
|
* cert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate"
|
|
* cert.issuer = root_ca.subject # root CA is the issuer
|
|
* cert.public_key = key.public_key
|
|
* cert.not_before = Time.now
|
|
* cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
|
|
* ef = OpenSSL::X509::ExtensionFactory.new
|
|
* ef.subject_certificate = cert
|
|
* ef.issuer_certificate = root_ca
|
|
* cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
|
|
* cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
|
|
* cert.sign(root_key, OpenSSL::Digest::SHA256.new)
|
|
*
|
|
*/
|
|
cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);
|
|
|
|
rb_define_alloc_func(cX509Cert, ossl_x509_alloc);
|
|
rb_define_method(cX509Cert, "initialize", ossl_x509_initialize, -1);
|
|
rb_define_method(cX509Cert, "initialize_copy", ossl_x509_copy, 1);
|
|
|
|
rb_define_method(cX509Cert, "to_der", ossl_x509_to_der, 0);
|
|
rb_define_method(cX509Cert, "to_pem", ossl_x509_to_pem, 0);
|
|
rb_define_alias(cX509Cert, "to_s", "to_pem");
|
|
rb_define_method(cX509Cert, "to_text", ossl_x509_to_text, 0);
|
|
rb_define_method(cX509Cert, "version", ossl_x509_get_version, 0);
|
|
rb_define_method(cX509Cert, "version=", ossl_x509_set_version, 1);
|
|
rb_define_method(cX509Cert, "signature_algorithm", ossl_x509_get_signature_algorithm, 0);
|
|
rb_define_method(cX509Cert, "serial", ossl_x509_get_serial, 0);
|
|
rb_define_method(cX509Cert, "serial=", ossl_x509_set_serial, 1);
|
|
rb_define_method(cX509Cert, "subject", ossl_x509_get_subject, 0);
|
|
rb_define_method(cX509Cert, "subject=", ossl_x509_set_subject, 1);
|
|
rb_define_method(cX509Cert, "issuer", ossl_x509_get_issuer, 0);
|
|
rb_define_method(cX509Cert, "issuer=", ossl_x509_set_issuer, 1);
|
|
rb_define_method(cX509Cert, "not_before", ossl_x509_get_not_before, 0);
|
|
rb_define_method(cX509Cert, "not_before=", ossl_x509_set_not_before, 1);
|
|
rb_define_method(cX509Cert, "not_after", ossl_x509_get_not_after, 0);
|
|
rb_define_method(cX509Cert, "not_after=", ossl_x509_set_not_after, 1);
|
|
rb_define_method(cX509Cert, "public_key", ossl_x509_get_public_key, 0);
|
|
rb_define_method(cX509Cert, "public_key=", ossl_x509_set_public_key, 1);
|
|
rb_define_method(cX509Cert, "sign", ossl_x509_sign, 2);
|
|
rb_define_method(cX509Cert, "verify", ossl_x509_verify, 1);
|
|
rb_define_method(cX509Cert, "check_private_key", ossl_x509_check_private_key, 1);
|
|
rb_define_method(cX509Cert, "extensions", ossl_x509_get_extensions, 0);
|
|
rb_define_method(cX509Cert, "extensions=", ossl_x509_set_extensions, 1);
|
|
rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1);
|
|
rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0);
|
|
rb_define_method(cX509Cert, "==", ossl_x509_eq, 1);
|
|
}
|