ezsig.rb
12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
require 'ezcrypto'
require 'net/http'
=begin rdoc
These modules provides a simple ruby like way to create and verify digital signatures.
== License
ActiveCrypto and EzCrypto are released under the MIT license.
== Support
To contact the author, send mail to pelleb@gmail.com
Also see my blogs at:
http://stakeventures.com and
http://neubia.com
This project was based on code used in my project StakeItOut, where you can securely share web services with your partners.
https://stakeitout.com
(C) 2005 Pelle Braendgaard
=end
module EzCrypto
=begin rdoc
The signer is used for signing stuff. It encapsulates the functionality of a private key.
=end
class Signer
=begin rdoc
Initialize a Signer with a OpenSSL Private Key. You generally should not call new directly.
Unless you are interfacing with your own underlying OpenSSL code.
=end
def initialize(priv,options = {})
@priv=priv
end
=begin rdoc
Generate a new keypair. Defaults to 2048 bit RSA.
=end
def self.generate(strength=2048,type=:rsa)
key_class=case type
when :dsa
OpenSSL::PKey::DSA
else
OpenSSL::PKey::RSA
end
EzCrypto::Signer.new(key_class.generate(strength))
end
=begin rdoc
Decode a PEM encoded Private Key and return a signer. Takes an optional password
=end
def self.decode(encoded,password=nil)
begin
EzCrypto::Signer.new(OpenSSL::PKey::RSA.new( encoded,password))
rescue
EzCrypto::Signer.new(OpenSSL::PKey::DSA.new( encoded,password))
end
end
=begin rdoc
Decode a PEM encoded Private Key file and return a signer. Takes an optional password
=end
def self.from_file(filename,password=nil)
file = File.read( filename )
decode(file,password)
end
=begin rdoc
Returns the OpenSSL Public Key object. You normally do not need to use this.
=end
def public_key
@priv.public_key
end
=begin rdoc
Returns the corresponding Verifier object.
=end
def verifier
Verifier.new(public_key)
end
=begin rdoc
Returns the OpenSSL Private Key object. You normally do not need to use this.
=end
def private_key
@priv
end
=begin rdoc
signs data using the private key and the corresponding digest function. SHA1 for RSA and DSS1 for DSA.
99% of signing use these parameters.
Email a request or send me a patch if you have other requirements.
=end
def sign(data)
if rsa?
@priv.sign(OpenSSL::Digest::SHA1.new,data)
elsif dsa?
@priv.sign(OpenSSL::Digest::DSS1.new,data)
end
end
=begin rdoc
Returns true if it is a RSA private key
=end
def rsa?
@priv.is_a? OpenSSL::PKey::RSA
end
=begin rdoc
Returns true if it is a DSA private key
=end
def dsa?
@priv.is_a? OpenSSL::PKey::DSA
end
end
=begin rdoc
The Verifier is used for verifying signatures. If you use the decode or
from_file methods you can use either raw PEM encoded public keys or certificate.
=end
class Verifier
=begin rdoc
Initializes a Verifier using a OpenSSL public key object.
=end
def initialize(pub)
@pub=pub
end
=begin rdoc
Decodes a PEM encoded Certificate or Public Key and returns a Verifier object.
=end
def self.decode(encoded)
case encoded
when /-----BEGIN CERTIFICATE-----/
EzCrypto::Certificate.new(OpenSSL::X509::Certificate.new( encoded))
else
begin
EzCrypto::Verifier.new(OpenSSL::PKey::RSA.new( encoded))
rescue
EzCrypto::Verifier.new(OpenSSL::PKey::DSA.new( encoded))
end
end
end
=begin rdoc
Decodes a PEM encoded Certificate or Public Key from a file and returns a Verifier object.
=end
def self.from_file(filename)
file = File.read( filename )
decode(file)
end
=begin rdoc
Load a certificate or public key from PKYP based on it's hex digest
=end
def self.from_pkyp(digest)
digest=digest.strip.downcase
if digest=~/[0123456789abcdef]{40}/
# Net::HTTP.start("localhost", 9000) do |query|
Net::HTTP.start("pkyp.org", 80) do |query|
response=query.get "/#{digest}.pem"
if response.code=="200"
decode(response.body)
else
raise "Error occured (#{response.code}): #{response.body}"
end
end
else
raise "Invalid digest"
end
end
=begin rdoc
Decodes all certificates or public keys in a file and returns an array.
=end
def self.load_all_from_file(filename)
file = File.read( filename )
certs=[]
count=0
file.split( %q{-----BEGIN}).each do |pem|
if pem and pem!=""
pem="-----BEGIN#{pem}\n"
cert=decode(pem)
if cert.is_a? EzCrypto::Verifier
certs<<cert
end
end
end
certs
end
=begin rdoc
Is the Verifier a Certificate or not.
=end
def cert?
false
end
=begin rdoc
Returns the OpenSSL public key object. You would normally not need to use this.
=end
def public_key
@pub
end
=begin rdoc
Returns the SHA1 hexdigest of the DER encoded public key. This can be used as a unique key identifier.
=end
def digest
Digest::SHA1.hexdigest(@pub.to_der)
end
=begin rdoc
Is this a RSA key?
=end
def rsa?
@pub.is_a? OpenSSL::PKey::RSA
end
=begin rdoc
Is this a DSA key?
=end
def dsa?
@pub.is_a? OpenSSL::PKey::DSA
end
=begin rdoc
Returns true if the public key signed the given data.
=end
def verify(sig,data)
if rsa?
@pub.verify( OpenSSL::Digest::SHA1.new, sig, data )
elsif dsa?
@pub.verify( OpenSSL::Digest::DSS1.new, sig, data )
else
false
end
end
=begin rdoc
Register the public key or certificate at PKYP
=end
def register_with_pkyp
send_to_pkyp(@pub.to_s)
end
protected
def send_to_pkyp(pem)
# Net::HTTP.start("localhost", 9000) do |query|
Net::HTTP.start("pkyp.org", 80) do |query|
output=URI.escape(pem).gsub("+","%2b")
response=query.post "/register","body="+output
if response.code=="302"
response["Location"]=~/([0123456789abcdef]{40}$)/
$1
else
raise "Error occured (#{response.code}): #{response.body}"
end
end
end
end
=begin rdoc
Certificate provides functionality to make it easy to extract information from a Certificate.
This also provides all the same functionality as a Verifier.
=end
class Certificate < Verifier
=begin rdoc
Intialize with a OpenSSL cert object.
=end
def initialize(cert)
super(cert.public_key)
@cert=cert
end
=begin rdoc
Returns true
=end
def cert?
true
end
=begin rdoc
Register the certificate at PKYP
=end
def register_with_pkyp
send_to_pkyp(@cert.to_s)
end
=begin rdoc
Returns the SHA1 hex digest of a the DER encoded certificate. This is useful as a unique identifier.
=end
def cert_digest
Digest::SHA1.hexdigest(@cert.to_der)
end
=begin rdoc
Returns a Name object containt the subject of the certificate. The subject in X509 speak is the details of the certificate owner.
=end
def subject
@subject=EzCrypto::Name.new(@cert.subject) unless @subject
@subject
end
=begin rdoc
Returns a Name object containt the issuer of the certificate.
=end
def issuer
@issuer=EzCrypto::Name.new(@cert.issuer) unless @issuer
@issuer
end
=begin rdoc
Returns the issuers serial number for this certificate
=end
def serial
@cert.serial
end
=begin rdoc
Returns the OpenSSL Certificate object
=end
def cert
@cert
end
=begin rdoc
Returns the certificates valid not before date.
=end
def not_before
@cert.not_before
end
=begin rdoc
Returns the certificates valid not after date.
=end
def not_after
@cert.not_after
end
=begin rdoc
Is this certificate valid at this point in time. Note this only checks if it is valid with respect to time.
It is important to realize that it does not check with any CRL or OCSP services to see if the certificate was
revoked.
=end
def valid?(time=Time.now.utc)
time>not_before && time<self.not_after
end
=begin rdoc
Returns the hash of extensions available in the certificate. These are not always present.
=end
def extensions
unless @extensions
@extensions={}
cert.extensions.each {|e| @extensions[e.oid]=e.value} if cert.extensions
end
@extensions
end
=begin rdoc
Any methods defined in Name can be used here. This means you can do cert.email rather than cert.subject.email.
=end
def method_missing(method)
subject.send method
end
end
=begin rdoc
A handy ruby wrapper around OpenSSL's Name object. This was created to make it really easy to extract information out of the certificate.
=end
class Name
=begin rdoc
Initializes the Name object with the underlying OpenSSL Name object. You generally do not need to use this.
Rather use the Certificates subject or issuer methods.
=end
def initialize(name)
@name=name
@attributes={}
name.to_s.split(/\//).each do |field|
key, val = field.split(/=/,2)
if key
@attributes[key.to_sym]=val
end
end
end
=begin rdoc
Returns the full name object in classic horrible X500 format.
=end
def to_s
@name.to_s
end
=begin rdoc
Returns the email if present in the name
=end
def email
self[:emailAddress]
end
=begin rdoc
The 2 letter country code of the name
=end
def country
self[:C]
end
alias_method :c,:country
=begin rdoc
The state or province code
=end
def state
self[:ST]
end
alias_method :st,:state
alias_method :province,:state
=begin rdoc
The locality
=end
def locality
self[:L]
end
alias_method :l,:locality
=begin rdoc
The Organizational Unit
=end
def organizational_unit
self[:OU]
end
alias_method :ou,:organizational_unit
alias_method :organisational_unit,:organizational_unit
=begin rdoc
The Organization
=end
def organization
self[:O]
end
alias_method :o,:organization
alias_method :organisation,:organization
=begin rdoc
The common name. For SSL this means the domain name. For personal certificates it is the name.
=end
def common_name
self[:CN]
end
alias_method :name,:common_name
alias_method :cn,:common_name
=begin rdoc
Lookup fields in the certificate.
=end
def [](attr_key)
@attributes[attr_key.to_sym]
end
def method_missing(method)
self[method]
end
end
=begin rdoc
Wraps around the OpenSSL trust store. This allows you to decide which certificates you trust.
You can either point it at a path which contains a OpenSSL trust store (see OpenSSL for more) or build it up manually.
For a certificate to verify you need the issuer and the issuers issuers certs added to the Trust store.
NOTE: Currently this does not support CRL's or OCSP. We may add support for this later.
=end
class TrustStore
=begin rdoc
Create a trust store of normally trusted root certificates as found in a browser. Extracted from Safari.
=end
def self.default_trusted
load_from_file(File.dirname(__FILE__) + "/trusted.pem")
end
=begin rdoc
Create a trust store from a list of certificates in a pem file.
These certificates should just be listed one after each other.
=end
def self.load_from_file(file)
store=TrustStore.new
EzCrypto::Verifier.load_all_from_file(file).each do |cert|
store.add cert
end
store
end
=begin rdoc
Create trust store with an optional list of paths of openssl trust stores.
=end
def initialize(*paths)
@store=OpenSSL::X509::Store.new
# @store.set_default_path paths.shift if paths.length>0
paths.each {|path| @store.add_path path}
end
=begin rdoc
Add either a EzCrypto::Certificate or a OpenSSL::X509::Cert object to the TrustStore. This should be a trusted certificate such as a CA's issuer certificate.
=end
def add(obj)
if obj.kind_of?(EzCrypto::Certificate)
@store.add_cert obj.cert
elsif obj.kind_of?(OpenSSL::X509::Certificate)
@store.add_cert obj
else
raise "unsupported object type"
end
end
=begin rdoc
Returns true if either the EzCrypto::Certificate or OpenSSL::X509::Cert object is verified using issuer certificates in the trust store.
=end
def verify(cert)
if cert.kind_of?(EzCrypto::Certificate)
@store.verify cert.cert
elsif cert.kind_of?(OpenSSL::X509::Certificate)
@store.verify cert
else
false
end
end
end
end