require 'openssl' require 'r509/config' require 'r509/exceptions' require 'r509/io_helpers' module R509 # contains CRL related classes (generator and a pre-existing list loader) module CRL # Parses CRLs class SignedList include R509::IOHelpers attr_reader :crl, :issuer # @param [String,OpenSSL::X509::CRL] crl def initialize(crl) @crl = OpenSSL::X509::CRL.new(crl) @issuer = R509::Subject.new(@crl.issuer) end # Helper method to quickly load a CRL from the filesystem # # @param [String] filename Path to file you want to load # @return [R509::CRL::SignedList] CRL object def self.load_from_file( filename ) return R509::CRL::SignedList.new( IOHelpers.read_data(filename) ) end # @return [String] def signature_algorithm @crl.signature_algorithm end # Writes the CRL into the PEM format # # @param [String, #write] filename_or_io Either a string of the path for # the file that you'd like to write, or an IO-like object. def write_pem(filename_or_io) write_data(filename_or_io, @crl.to_pem) end # Writes the CRL into the PEM format # # @param [String, #write] filename_or_io Either a string of the path for # the file that you'd like to write, or an IO-like object. def write_der(filename_or_io) write_data(filename_or_io, @crl.to_der) end # Returns the signing time of the CRL # # @return [Time] when the CRL was signed def last_update @crl.last_update end # Returns the next update time for the CRL # # @return [Time] when it will be updated next def next_update @crl.next_update end # Pass a public key to verify that the CRL is signed by a specific certificate (call cert.public_key on that object) # # @param [OpenSSL::PKey::PKey] public_key # @return [Boolean] def verify(public_key) @crl.verify(public_key) end # @param [Integer] serial number # @return [Boolean] def revoked?(serial) if @crl.revoked.find { |revoked| revoked.serial == serial } true else false end end # Returns the CRL in PEM format # # @return [String] the CRL in PEM format def to_pem @crl.to_pem end alias :to_s :to_pem # Returns the CRL in DER format # # @return [String] the CRL in DER format def to_der @crl.to_der end # @return [Hash] hash of serial => { :time, :reason } hashes def revoked revoked_list = {} @crl.revoked.each do |revoked| reason = get_reason(revoked) revoked_list[revoked.serial.to_i] = { :time => revoked.time, :reason => reason } end revoked_list end # @param [Integer] serial number # @return [Hash] hash with :time and :reason def revoked_cert(serial) revoked = @crl.revoked.find { |revoked| revoked.serial == serial } if revoked reason = get_reason(revoked) { :time => revoked.time, :reason => reason } else nil end end private def get_reason(revocation_object) reason = nil revocation_object.extensions.each do |extension| if extension.oid == "CRLReason" reason = extension.value end end reason end end # Used to manage revocations and generate CRLs class Administrator include R509::IOHelpers attr_reader :crl_number,:crl_list_file,:crl_number_file, :validity_hours, :crl # @param [R509::Config::CAConfig] config def initialize(config) @config = config unless @config.kind_of?(R509::Config::CAConfig) raise R509Error, "config must be a kind of R509::Config::CAConfig" end @validity_hours = @config.crl_validity_hours @start_skew_seconds = @config.crl_start_skew_seconds @crl = nil @crl_number_file = @config.crl_number_file if not @crl_number_file.nil? @crl_number = read_data(@crl_number_file).to_i else @crl_number = 0 end @crl_list_file = @config.crl_list_file load_crl_list(@crl_list_file) end # Indicates whether the serial number has been revoked, or not. # # @param [Integer] serial The serial number we want to check # @return [Boolean] True if the serial number was revoked. False, otherwise. def revoked?(serial) @revoked_certs.has_key?(serial) end # @return [Array] serial, reason, revoke_time tuple def revoked_cert(serial) @revoked_certs[serial] end # Adds a certificate to the revocation list. After calling you must call generate_crl to sign a new CRL # # @param serial [Integer] serial number of the certificate to revoke # @param reason [Integer] reason for revocation # @param revoke_time [Integer] # @param generate_and_save [Boolean] whether we want to generate the CRL and save its file (default=true) # # reason codes defined by rfc 5280 # # CRLReason ::= ENUMERATED { # unspecified (0), # keyCompromise (1), # cACompromise (2), # affiliationChanged (3), # superseded (4), # cessationOfOperation (5), # certificateHold (6), # removeFromCRL (8), # privilegeWithdrawn (9), # aACompromise (10) } def revoke_cert(serial,reason=nil, revoke_time=Time.now.to_i, generate_and_save=true) if not reason.to_i.between?(0,10) reason = 0 end serial = serial.to_i if not reason.nil? reason = reason.to_i end revoke_time = revoke_time.to_i if revoked?(serial) raise R509::R509Error, "Cannot revoke a previously revoked certificate" end @revoked_certs[serial] = {:reason => reason, :revoke_time => revoke_time} if generate_and_save generate_crl save_crl_list end nil end # Remove serial from revocation list. After unrevoking you must call generate_crl to sign a new CRL # # @param serial [Integer] serial number of the certificate to remove from revocation def unrevoke_cert(serial) @revoked_certs.delete(serial) generate_crl save_crl_list nil end # Generate the CRL # # @return [String] PEM encoded signed CRL def generate_crl crl = OpenSSL::X509::CRL.new crl.version = 1 now = Time.at Time.now.to_i crl.last_update = now-@start_skew_seconds crl.next_update = now+@validity_hours*3600 crl.issuer = @config.ca_cert.subject.name self.revoked_certs.each do |serial, reason, revoke_time| revoked = OpenSSL::X509::Revoked.new revoked.serial = OpenSSL::BN.new serial.to_s revoked.time = Time.at(revoke_time) if not reason.nil? enum = OpenSSL::ASN1::Enumerated(reason) #see reason codes below ext = OpenSSL::X509::Extension.new("CRLReason", enum) revoked.add_extension(ext) end #now add it to the crl crl.add_revoked(revoked) end ef = OpenSSL::X509::ExtensionFactory.new ef.issuer_certificate = @config.ca_cert.cert ef.crl = crl #grab crl number from file, increment, write back crl_number = increment_crl_number crlnum = OpenSSL::ASN1::Integer(crl_number) crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum)) extensions = [] extensions << ["authorityKeyIdentifier", "keyid:always,issuer:always", false] extensions.each{|oid, value, critical| crl.add_extension(ef.create_extension(oid, value, critical)) } crl.sign(@config.ca_cert.key.key, OpenSSL::Digest::SHA1.new) @crl = R509::CRL::SignedList.new crl @crl.to_pem end # @return [Array] Returns an array of serial, reason, revoke_time # tuples. def revoked_certs ret = [] @revoked_certs.keys.sort.each do |serial| ret << [serial, @revoked_certs[serial][:reason], @revoked_certs[serial][:revoke_time]] end ret end # Saves the CRL list to a filename or IO. If the class was initialized # with :crl_list_file, then the filename specified by that will be used # by default. # @param [String, #write, nil] filename_or_io If provided, the generated # crl will be written to either the file (if a string), or IO. If nil, # then the @crl_list_file will be used. If that is nil, then an error # will be raised. def save_crl_list(filename_or_io = @crl_list_file) return nil if filename_or_io.nil? data = [] self.revoked_certs.each do |serial, reason, revoke_time| data << [serial, revoke_time, reason].join(',') end write_data(filename_or_io, data.join("\n")) nil end # Save the CRL number to a filename or IO. If the class was initialized # with :crl_number_file, then the filename specified by that will be used # by default. # @param [String, #write, nil] filename_or_io If provided, the current # crl number will be written to either the file (if a string), or IO. If nil, # then the @crl_number_file will be used. If that is nil, then an error # will be raised. def save_crl_number(filename_or_io = @crl_number_file) return nil if filename_or_io.nil? # No valid filename or IO was specified, so bail. write_data(filename_or_io, self.crl_number.to_s) nil end private # Increments the crl_number. # @return [Integer] the new CRL number # def increment_crl_number @crl_number += 1 save_crl_number @crl_number end # Loads the certificate revocation list from file. # @param [String, #read, nil] filename_or_io The # crl will be read from either the file (if a string), or IO. def load_crl_list(filename_or_io) @revoked_certs = {} if filename_or_io.nil? generate_crl return nil end data = read_data(filename_or_io) data.each_line do |line| line.chomp! serial, revoke_time, reason = line.split(',', 3) serial = serial.to_i reason = (reason == '') ? nil : reason.to_i revoke_time = (revoke_time == '') ? nil : revoke_time.to_i self.revoke_cert(serial, reason, revoke_time, false) end generate_crl save_crl_list nil end end end end