Class: R509::Config::CAConfig

Inherits: Object

Defined in: lib/r509/config/ca_config.rb

Overview

Stores a configuration for our CA.

Constant Summary

DEFAULT_OCSP_START_SKEW_SECONDS = 3600
  Default number of seconds to subtract from now when calculating the signing time of an OCSP response

DEFAULT_OCSP_VALIDITY_HOURS = 168
  Default number of hours an OCSP response should be valid for

DEFAULT_CRL_VALIDITY_HOURS = 168
  Default number of hours a CRL should be valid for

DEFAULT_CRL_START_SKEW_SECONDS = 3600
  Default number of seconds to subtract from now when calculating the signing time of a CRL


Constructor Details

- (CAConfig) initialize(opts = {})

A new instance of CAConfig

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_cert (R509::Cert)

    The CA's own cert+key pair. Required: initialize raises ArgumentError if it is absent or is not an R509::Cert.

  • :crl_list_file (String)

    A file to serialize revoked certificates into. This is only used if you use the default FileReaderWriter in CRL::Administrator

  • :ocsp_cert (R509::Cert)

    An optional cert+key pair OCSP signing delegate

  • :crl_cert (R509::Cert)

    An optional cert+key pair CRL signing delegate

  • :ocsp_chain (Array<OpenSSL::X509::Certificate>)

    An optional array that constitutes the chain to attach to an OCSP response

  • :ocsp_validity_hours (Integer)

    Number of hours OCSP responses should be valid for

  • :ocsp_start_skew_seconds (Integer)

    The number of seconds to subtract from Time.now when calculating the signing time of an OCSP response. This is important to handle bad user clocks.

  • :crl_validity_hours (Integer)

    Number of hours CRLs should be valid for

  • :crl_start_skew_seconds (Integer)

    The number of seconds to subtract from Time.now when calculating the signing time of a CRL. This is important to handle bad user clocks.

# File 'lib/r509/config/ca_config.rb', line 99

def initialize(opts = {})
  # :ca_cert is the only mandatory option; everything else has a default.
  if not opts.has_key?(:ca_cert) then
    raise ArgumentError, 'Config object requires that you pass :ca_cert'
  end

  @ca_cert = opts[:ca_cert]

  if not @ca_cert.kind_of?(R509::Cert) then
    raise ArgumentError, ':ca_cert must be of type R509::Cert'
  end

  # Pull the OCSP/CRL delegates, validity windows and start skews out of
  # opts, falling back to the DEFAULT_* constants where a key is absent.
  parse_ocsp_data(opts)
  parse_crl_data(opts)

  # Profiles go through set_profile so its type check applies to each one.
  @profiles = {}
  if opts[:profiles]
    opts[:profiles].each_pair do |name, prof|
      set_profile(name, prof)
    end
  end
end

Instance Attribute Details

- (Object) ca_cert (readonly)

Returns the value of attribute ca_cert

# File 'lib/r509/config/ca_config.rb', line 66

def ca_cert
  @ca_cert
end

- (Object) crl_list_file (readonly)

Returns the value of attribute crl_list_file

# File 'lib/r509/config/ca_config.rb', line 66

def crl_list_file
  @crl_list_file
end

- (Object) crl_md (readonly)

Returns the value of attribute crl_md

# File 'lib/r509/config/ca_config.rb', line 66

def crl_md
  @crl_md
end

- (Object) crl_number_file (readonly)

Returns the value of attribute crl_number_file

# File 'lib/r509/config/ca_config.rb', line 66

def crl_number_file
  @crl_number_file
end

- (Object) crl_start_skew_seconds (readonly)

Returns the value of attribute crl_start_skew_seconds

# File 'lib/r509/config/ca_config.rb', line 66

def crl_start_skew_seconds
  @crl_start_skew_seconds
end

- (Object) crl_validity_hours (readonly)

Returns the value of attribute crl_validity_hours

# File 'lib/r509/config/ca_config.rb', line 66

def crl_validity_hours
  @crl_validity_hours
end

- (Object) ocsp_chain (readonly)

Returns the value of attribute ocsp_chain

# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_chain
  @ocsp_chain
end

- (Object) ocsp_start_skew_seconds (readonly)

Returns the value of attribute ocsp_start_skew_seconds

# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_start_skew_seconds
  @ocsp_start_skew_seconds
end

- (Object) ocsp_validity_hours (readonly)

Returns the value of attribute ocsp_validity_hours

# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_validity_hours
  @ocsp_validity_hours
end

Class Method Details

+ (Object) from_yaml(conf_name, yaml_data, opts = {})

Loads the named configuration from a YAML string and hands it to load_from_hash. On Psych versions before 4, YAML.load will instantiate arbitrary tagged Ruby objects, so the string must come from a trusted source (or be parsed with YAML.safe_load instead).

Parameters:

  • conf_name (String)

    The name of the config within the YAML document. Note that a single YAML document can contain more than one configuration.

  • yaml_data (String)

    A string of YAML configuration data (not a filename; see load_yaml for that).

  • opts (Hash) (defaults to: {})

    Passed through unchanged to load_from_hash (for example :ca_root_path).

# File 'lib/r509/config/ca_config.rb', line 271

def self.from_yaml(conf_name, yaml_data, opts = {})
  conf = YAML.load(yaml_data)
  self.load_from_hash(conf[conf_name], opts)
end

+ (Object) load_from_hash(conf, opts = {})

Loads the configuration from a data hash of the same shape that results from loading a YAML file (string keys, file paths relative to :ca_root_path).

Parameters:

  • conf (Hash)

    A hash containing all the configuration options

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_root_path (String)

    The root path for the CA. Defaults to the current working directory.

# File 'lib/r509/config/ca_config.rb', line 184

def self.load_from_hash(conf, opts = {})
  if conf.nil?
    raise ArgumentError, "conf not found"
  end
  unless conf.kind_of?(Hash)
    raise ArgumentError, "conf must be a Hash"
  end

  ca_root_path = Pathname.new(opts[:ca_root_path] || FileUtils.getwd)

  unless File.directory?(ca_root_path)
    raise R509Error, "ca_root_path is not a directory: #{ca_root_path}"
  end

  ca_cert = self.load_ca_cert(conf['ca_cert'],ca_root_path)

  ocsp_cert = self.load_ca_cert(conf['ocsp_cert'],ca_root_path)

  crl_cert = self.load_ca_cert(conf['crl_cert'],ca_root_path)

  ocsp_chain = build_ocsp_chain(conf['ocsp_chain'],ca_root_path)

  opts = {
    :ca_cert => ca_cert,
    :ocsp_cert => ocsp_cert,
    :crl_cert => crl_cert,
    :ocsp_chain => ocsp_chain,
    :crl_validity_hours => conf['crl_validity_hours'],
    :ocsp_validity_hours => conf['ocsp_validity_hours'],
    :ocsp_start_skew_seconds => conf['ocsp_start_skew_seconds'],
    # pass the CRL start skew through alongside the OCSP one so the YAML value is honoured
    :crl_start_skew_seconds => conf['crl_start_skew_seconds'],
    :crl_md => conf['crl_md'],
  }

  # Relative file paths are resolved against ca_root_path. Note that Pathname#+
  # keeps an absolute right-hand side as-is, so an absolute value in the config
  # is used verbatim rather than being placed under the root.
  if conf.has_key?("crl_list_file")
    opts[:crl_list_file] = (ca_root_path + conf['crl_list_file']).to_s
  end

  if conf.has_key?("crl_number_file")
    opts[:crl_number_file] = (ca_root_path + conf['crl_number_file']).to_s
  end

  opts[:profiles] = self.load_profiles(conf['profiles'])

  # Create the instance.
  self.new(opts)
end

+ (Hash) load_profiles(profiles)

Used by load_from_hash to turn the profiles section of the config into R509::Config::CertProfile objects.

Parameters:

  • profiles (Hash)

    Hash of profiles

Returns:

  • (Hash)

    hash of parsed profiles

# File 'lib/r509/config/ca_config.rb', line 235

def self.load_profiles(profiles)
  profs = {}
  profiles.each do |profile,data|
    if not data["subject_item_policy"].nil?
      subject_item_policy = R509::Config::SubjectItemPolicy.new(data["subject_item_policy"])
    end
    profs[profile] = R509::Config::CertProfile.new(:key_usage => data["key_usage"],
                       :extended_key_usage => data["extended_key_usage"],
                       :basic_constraints => data["basic_constraints"],
                       :certificate_policies => data["certificate_policies"],
                       :ocsp_no_check => data["ocsp_no_check"],
                       :inhibit_any_policy => data["inhibit_any_policy"],
                       :policy_constraints => data["policy_constraints"],
                       :name_constraints => data["name_constraints"],
                       :crl_distribution_points => data["crl_distribution_points"],
                       :authority_info_access => data["authority_info_access"],
                       :default_md => data["default_md"],
                       :allowed_mds => data["allowed_mds"],
                       :subject_item_policy => subject_item_policy)
  end unless profiles.nil?
  profs
end

+ (Object) load_yaml(conf_name, yaml_file, opts = {})

Loads the named configuration from a YAML file and hands it to load_from_hash. The same trust caveat as for from_yaml applies: YAML.load_file on Psych versions before 4 will instantiate arbitrary tagged Ruby objects.

Parameters:

  • conf_name (String)

    The name of the config within the file. Note that a single YAML file can contain more than one configuration.

  • yaml_file (String)

    The filename to load YAML config data from.

  • opts (Hash) (defaults to: {})

    Passed through unchanged to load_from_hash (for example :ca_root_path).

# File 'lib/r509/config/ca_config.rb', line 262

def self.load_yaml(conf_name, yaml_file, opts = {})
  conf = YAML.load_file(yaml_file)
  self.load_from_hash(conf[conf_name], opts)
end
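As an added example (not r509's own code), a pre-flight check for the hash that load_from_hash, from_yaml and load_yaml consume: it resolves crl_list_file and crl_number_file the same way load_from_hash does (Pathname#+ against ca_root_path) and rejects values that escape the CA root, and it checks the validity and skew values against each other. SAMPLE_YAML, check_ca_conf and check_ca_yaml are constructed here; the assumption that ca_cert is a hash of cert/key paths follows the YAML layout load_ca_cert is given.

```ruby
require 'pathname'
require 'yaml'

# Constructed sample in the layout load_from_hash consumes (string keys, paths relative to ca_root_path).
SAMPLE_YAML = <<~YAML
  test_ca:
    ca_cert:
      cert: ca.cer
      key: ca.key
    crl_validity_hours: 168
    crl_start_skew_seconds: 3600
    ocsp_validity_hours: 168
    ocsp_start_skew_seconds: 3600
    crl_list_file: crl_list.txt
    crl_number_file: crl_number.txt
YAML

# Hypothetical helper: returns the problems found in a config hash before it reaches
# CAConfig.load_from_hash. An empty array means nothing objectionable was found.
def check_ca_conf(conf, ca_root_path)
  return ["conf must be a Hash"] unless conf.is_a?(Hash)
  errors = []
  errors << "ca_cert is required" unless conf["ca_cert"].is_a?(Hash)  # assumed cert/key hash
  root = Pathname.new(ca_root_path).expand_path
  # Pathname#+ discards the left side when the right side is absolute, and ".." segments
  # walk upwards, so a config-supplied path can land outside the CA root. Only accept
  # paths that resolve underneath it.
  %w[crl_list_file crl_number_file].each do |key|
    next unless conf.key?(key)
    resolved = (root + conf[key].to_s).expand_path
    unless resolved.to_s.start_with?(root.to_s + File::SEPARATOR)
      errors << "#{key} resolves outside ca_root_path: #{resolved}"
    end
  end
  # Validity must be positive and skew non-negative; a skew at or beyond the validity
  # window would sign responses/CRLs that are already expired when produced.
  %w[crl ocsp].each do |kind|
    hours = conf.fetch("#{kind}_validity_hours", 168)      # page defaults
    skew  = conf.fetch("#{kind}_start_skew_seconds", 3600)
    errors << "#{kind}_validity_hours must be a positive Integer" unless hours.is_a?(Integer) && hours > 0
    errors << "#{kind}_start_skew_seconds must be a non-negative Integer" unless skew.is_a?(Integer) && skew >= 0
    errors << "#{kind}_start_skew_seconds exceeds the validity window" if hours.is_a?(Integer) && skew.is_a?(Integer) && skew >= hours * 3600
  end
  errors
end

# Same check starting from a YAML document; safe_load refuses tagged Ruby objects.
def check_ca_yaml(conf_name, yaml_data, ca_root_path)
  check_ca_conf(YAML.safe_load(yaml_data)[conf_name], ca_root_path)
end
```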

Instance Method Details

- (R509::Cert) crl_cert

Either a custom CRL cert or the ca_cert

Returns:

  • (R509::Cert)

    either a custom CRL cert or the ca_cert

# File 'lib/r509/config/ca_config.rb', line 127

def crl_cert
  if @crl_cert.nil? then @ca_cert else @crl_cert end
end

- (Integer) num_profiles

The number of profiles

Returns:

  • (Integer)

    The number of profiles

# File 'lib/r509/config/ca_config.rb', line 150

def num_profiles
  @profiles.count
end

- (R509::Cert) ocsp_cert

Either a custom OCSP cert or the ca_cert

Returns:

  • (R509::Cert)

    either a custom OCSP cert or the ca_cert

# File 'lib/r509/config/ca_config.rb', line 122

def ocsp_cert
  if @ocsp_cert.nil? then @ca_cert else @ocsp_cert end
end

- (R509::Config::CertProfile) profile(prof)

Looks up a profile by name. Raises R509::R509Error if no profile with that name has been registered.

Parameters:

  • prof (String)

    The profile name

Returns:

  • (R509::Config::CertProfile)

    The profile registered under that name

# File 'lib/r509/config/ca_config.rb', line 142

def profile(prof)
  if !@profiles.has_key?(prof)
    raise R509::R509Error, "unknown profile '#{prof}'"
  end
  @profiles[prof]
end

- (Object) set_profile(name, prof)

Registers a profile under the given name. Raises TypeError if prof is not an R509::Config::CertProfile.

Parameters:

  • name (String)

    The profile name

  • prof (R509::Config::CertProfile)

    The profile to register

# File 'lib/r509/config/ca_config.rb', line 133

def set_profile(name, prof)
  unless prof.is_a?(R509::Config::CertProfile)
    raise TypeError, "profile is supposed to be a R509::Config::CertProfile"
  end
  @profiles[name] = prof
end

- (Hash) to_h

Serializes the config into a hash of the same shape load_from_hash accepts (string keys, profiles converted with CertProfile#to_h). Note that ocsp_chain is emitted as the placeholder "<add_path>" rather than the actual chain.

Returns:

  • (Hash)

    The config as a hash

# File 'lib/r509/config/ca_config.rb', line 155

def to_h
  hash = {}
  hash["ca_cert"] = build_cert_hash(@ca_cert)
  hash["ocsp_cert"] = build_cert_hash(@ocsp_cert) unless @ocsp_cert.nil?
  hash["crl_cert"] = build_cert_hash(@crl_cert) unless @crl_cert.nil?
  hash["ocsp_chain"] = "<add_path>" unless @ocsp_chain.nil?
  hash["ocsp_start_skew_seconds"] = @ocsp_start_skew_seconds
  hash["ocsp_validity_hours"] = @ocsp_validity_hours
  hash["crl_start_skew_seconds"] = @crl_start_skew_seconds
  hash["crl_validity_hours"] = @crl_validity_hours
  hash["crl_list_file"] = @crl_list_file unless @crl_list_file.nil?
  hash["crl_number_file"] = @crl_number_file unless @crl_number_file.nil?
  hash["crl_md"] = @crl_md
  hash["profiles"] = @profiles.merge(@profiles) { |k,v| v.to_h } unless @profiles.empty?
  hash
end

- (YAML) to_yaml

Returns:

  • (YAML)

    The to_h hash serialized as a YAML string

# File 'lib/r509/config/ca_config.rb', line 173

def to_yaml
  self.to_h.to_yaml
end