Class: R509::Config::CAConfig

Inherits:
Object
Defined in:
lib/r509/config/ca_config.rb

Overview

Stores a configuration for our CA.

Constant Summary

DEFAULT_OCSP_START_SKEW_SECONDS =

Default number of seconds to subtract from now when calculating the signing time of an OCSP response

3600
DEFAULT_OCSP_VALIDITY_HOURS =

Default number of hours an OCSP response should be valid for

168
DEFAULT_CRL_VALIDITY_HOURS =

Default number of hours a CRL should be valid for

168
DEFAULT_CRL_START_SKEW_SECONDS =

Default number of seconds to subtract from now when calculating the signing time of a CRL

3600

Instance Attribute Summary

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(opts = {}) ⇒ CAConfig

Returns a new instance of CAConfig

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_cert (R509::Cert)

    Cert+Key pair

  • :crl_validity_hours (Integer) — default: 168

    The number of hours that a CRL will be valid. Defaults to 7 days.

  • :profiles (Hash<String, R509::Config::CertProfile>)
  • :crl_number_file (String)

    A file to save the CRL number into. This is only used if you use the default FileReaderWriter in CRL::Administrator

  • :crl_md (String)

    Optional digest for signing CRLs. sha1, sha224, sha256, sha384, sha512, md5. Defaults to R509::MessageDigest::DEFAULT_MD

  • :crl_list_file (String)

    A file to serialize revoked certificates into. This is only used if you use the default FileReaderWriter in CRL::Administrator

  • :ocsp_cert (R509::Cert)

    An optional cert+key pair OCSP signing delegate

  • :crl_cert (R509::Cert)

    An optional cert+key pair CRL signing delegate

  • :ocsp_chain (Array<OpenSSL::X509::Certificate>)

    An optional array that constitutes the chain to attach to an OCSP response

  • :ocsp_validity_hours (Integer)

    Number of hours OCSP responses should be valid for

  • :ocsp_start_skew_seconds (Integer)

    The number of seconds to subtract from Time.now when calculating the signing time of an OCSP response. This is important to handle bad user clocks.

  • :crl_validity_hours (Integer)

    Number of hours CRLs should be valid for

  • :crl_start_skew_seconds (Integer)

    The number of seconds to subtract from Time.now when calculating the signing time of a CRL. This is important to handle bad user clocks.



# File 'lib/r509/config/ca_config.rb', line 99

def initialize(opts = {})
  unless opts.key?(:ca_cert)
    raise ArgumentError, 'Config object requires that you pass :ca_cert'
  end

  @ca_cert = opts[:ca_cert]

  unless @ca_cert.is_a?(R509::Cert)
    raise ArgumentError, ':ca_cert must be of type R509::Cert'
  end

  parse_ocsp_data(opts)
  parse_crl_data(opts)

  @profiles = {}
  opts[:profiles].each_pair do |name, prof|
    set_profile(name, prof)
  end if opts[:profiles]
end

Instance Attribute Details

#ca_cert ⇒ Object (readonly)

Returns the value of attribute ca_cert



# File 'lib/r509/config/ca_config.rb', line 66

def ca_cert
  @ca_cert
end

#crl_list_file ⇒ Object (readonly)

Returns the value of attribute crl_list_file



# File 'lib/r509/config/ca_config.rb', line 66

def crl_list_file
  @crl_list_file
end

#crl_md ⇒ Object (readonly)

Returns the value of attribute crl_md



# File 'lib/r509/config/ca_config.rb', line 66

def crl_md
  @crl_md
end

#crl_number_file ⇒ Object (readonly)

Returns the value of attribute crl_number_file



# File 'lib/r509/config/ca_config.rb', line 66

def crl_number_file
  @crl_number_file
end

#crl_start_skew_seconds ⇒ Object (readonly)

Returns the value of attribute crl_start_skew_seconds



# File 'lib/r509/config/ca_config.rb', line 66

def crl_start_skew_seconds
  @crl_start_skew_seconds
end

#crl_validity_hours ⇒ Object (readonly)

Returns the value of attribute crl_validity_hours



# File 'lib/r509/config/ca_config.rb', line 66

def crl_validity_hours
  @crl_validity_hours
end

#ocsp_chain ⇒ Object (readonly)

Returns the value of attribute ocsp_chain



# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_chain
  @ocsp_chain
end

#ocsp_start_skew_seconds ⇒ Object (readonly)

Returns the value of attribute ocsp_start_skew_seconds



# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_start_skew_seconds
  @ocsp_start_skew_seconds
end

#ocsp_validity_hours ⇒ Object (readonly)

Returns the value of attribute ocsp_validity_hours



# File 'lib/r509/config/ca_config.rb', line 66

def ocsp_validity_hours
  @ocsp_validity_hours
end

Class Method Details

.from_yaml(conf_name, yaml_data, opts = {}) ⇒ Object

Loads the named configuration from a YAML string.

Parameters:

  • conf_name (String)

    The name of the config within the file. Note that a single yaml file can contain more than one configuration.

  • yaml_data (String)

    The YAML string to load config data from.



# File 'lib/r509/config/ca_config.rb', line 271

def self.from_yaml(conf_name, yaml_data, opts = {})
  # Note: with Psych < 4, YAML.load instantiates arbitrary Ruby objects
  # found in the document, so yaml_data must come from a trusted source.
  conf = YAML.load(yaml_data)
  self.load_from_hash(conf[conf_name], opts)
end

.load_from_hash(conf, opts = {}) ⇒ Object

Loads the configuration from a data hash of the same shape that loading a YAML config file would produce.

Parameters:

  • conf (Hash)

    A hash containing all the configuration options

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_root_path (String)

    The root path for the CA. Defaults to the current working directory.



# File 'lib/r509/config/ca_config.rb', line 182

def self.load_from_hash(conf, opts = {})
  if conf.nil?
    raise ArgumentError, "conf not found"
  end
  unless conf.is_a?(Hash)
    raise ArgumentError, "conf must be a Hash"
  end

  ca_root_path = Pathname.new(opts[:ca_root_path] || FileUtils.getwd)

  unless File.directory?(ca_root_path)
    raise R509Error, "ca_root_path is not a directory: #{ca_root_path}"
  end

  ca_cert = self.load_ca_cert(conf['ca_cert'], ca_root_path)

  ocsp_cert = self.load_ca_cert(conf['ocsp_cert'], ca_root_path)

  crl_cert = self.load_ca_cert(conf['crl_cert'], ca_root_path)

  ocsp_chain = build_ocsp_chain(conf['ocsp_chain'], ca_root_path)

  opts = {
    :ca_cert => ca_cert,
    :ocsp_cert => ocsp_cert,
    :crl_cert => crl_cert,
    :ocsp_chain => ocsp_chain,
    :crl_validity_hours => conf['crl_validity_hours'],
    :ocsp_validity_hours => conf['ocsp_validity_hours'],
    :ocsp_start_skew_seconds => conf['ocsp_start_skew_seconds'],
    :crl_md => conf['crl_md']
  }

  if conf.key?("crl_list_file")
    opts[:crl_list_file] = (ca_root_path + conf['crl_list_file']).to_s
  end

  if conf.key?("crl_number_file")
    opts[:crl_number_file] = (ca_root_path + conf['crl_number_file']).to_s
  end

  opts[:profiles] = self.load_profiles(conf['profiles'])

  # Create the instance.
  self.new(opts)
end
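The loading path described under from_yaml and load_from_hash above, as an added example that is not r509's own code: it parses a named config the same way, but uses YAML.safe_load and checks that the crl_list_file and crl_number_file values, once joined onto ca_root_path exactly as load_from_hash joins them, still resolve inside that root. The SAMPLE_YAML document, the root path and the function names are constructed for this example.

```ruby
# Added example, not r509 code: parses a config the way CAConfig.from_yaml /
# load_from_hash do (YAML -> named hash -> paths joined onto ca_root_path),
# but with YAML.safe_load and a check that the CRL files stay under the root.
require 'yaml'
require 'pathname'

# Constructed sample. ca_cert is omitted because its sub-keys are not shown
# on this page; only keys that load_from_hash reads directly are used.
SAMPLE_YAML = <<~YAML
  good_ca:
    crl_list_file: crl/list.txt
    crl_number_file: crl/number.txt
    crl_validity_hours: 24
  bad_ca:
    crl_list_file: /etc/crl_list.txt
    crl_number_file: ../../number.txt
YAML

# Like CAConfig.from_yaml, but safe_load refuses the arbitrary Ruby objects
# that YAML.load (Psych < 4) would instantiate from an untrusted string.
def load_named_config(conf_name, yaml_data)
  conf = YAML.safe_load(yaml_data)
  named = conf.is_a?(Hash) ? conf[conf_name] : nil
  raise ArgumentError, "conf not found" if named.nil?
  raise ArgumentError, "conf must be a Hash" unless named.is_a?(Hash)
  named
end

# load_from_hash builds each path as (ca_root_path + conf[key]). Pathname#+
# lets an absolute value replace the root and resolves "..", so a config
# file can point the CRL writer anywhere. This resolves the same way and
# then refuses anything outside the root. (The page's loader also checks
# File.directory?(ca_root_path); that is skipped here so the example runs
# without creating directories.)
def resolve_crl_paths(conf, ca_root_path)
  root = Pathname.new(ca_root_path).expand_path
  prefix = root.to_s + File::SEPARATOR
  out = {}
  %w[crl_list_file crl_number_file].each do |key|
    next unless conf.key?(key)
    resolved = (root + conf[key]).expand_path
    unless resolved.to_s.start_with?(prefix)
      raise ArgumentError, "#{key} escapes ca_root_path: #{conf[key]}"
    end
    out[key.to_sym] = resolved.to_s
  end
  out
end
```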

.load_profiles(profiles) ⇒ Hash

Used by load_from_hash

Parameters:

  • profiles (Hash)

    Hash of profiles

Returns:

  • (Hash)

    hash of parsed profiles



# File 'lib/r509/config/ca_config.rb', line 233

def self.load_profiles(profiles)
  profs = {}
  profiles.each do |profile, data|
    unless data["subject_item_policy"].nil?
      subject_item_policy = R509::Config::SubjectItemPolicy.new(data["subject_item_policy"])
    end
    profs[profile] = R509::Config::CertProfile.new(
      :key_usage => data["key_usage"],
      :extended_key_usage => data["extended_key_usage"],
      :basic_constraints => data["basic_constraints"],
      :certificate_policies => data["certificate_policies"],
      :ocsp_no_check => data["ocsp_no_check"],
      :inhibit_any_policy => data["inhibit_any_policy"],
      :policy_constraints => data["policy_constraints"],
      :name_constraints => data["name_constraints"],
      :crl_distribution_points => data["crl_distribution_points"],
      :authority_info_access => data["authority_info_access"],
      :default_md => data["default_md"],
      :allowed_mds => data["allowed_mds"],
      :subject_item_policy => subject_item_policy
    )
  end unless profiles.nil?
  profs
end

.load_yaml(conf_name, yaml_file, opts = {}) ⇒ Object

Loads the named configuration from a YAML file.

Parameters:

  • conf_name (String)

    The name of the config within the file. Note that a single yaml file can contain more than one configuration.

  • yaml_file (String)

    The filename to load yaml config data from.



# File 'lib/r509/config/ca_config.rb', line 262

def self.load_yaml(conf_name, yaml_file, opts = {})
  conf = YAML.load_file(yaml_file)
  self.load_from_hash(conf[conf_name], opts)
end

Instance Method Details

#crl_cert ⇒ R509::Cert

Returns either a custom CRL cert or the ca_cert

Returns:

  • (R509::Cert)

    either a custom CRL cert or the ca_cert



# File 'lib/r509/config/ca_config.rb', line 125

def crl_cert
  (@crl_cert.nil?) ? @ca_cert : @crl_cert
end

#num_profiles ⇒ Integer

Returns the number of profiles.

Returns:

  • (Integer)

    The number of profiles



# File 'lib/r509/config/ca_config.rb', line 148

def num_profiles
  @profiles.count
end

#ocsp_cert ⇒ R509::Cert

Returns either a custom OCSP cert or the ca_cert

Returns:

  • (R509::Cert)

    either a custom OCSP cert or the ca_cert



# File 'lib/r509/config/ca_config.rb', line 120

def ocsp_cert
  (@ocsp_cert.nil?) ? @ca_cert : @ocsp_cert
end

#profile(prof) ⇒ R509::Config::CertProfile

Returns the config profile.

Parameters:

  • prof (String)

Returns:



# File 'lib/r509/config/ca_config.rb', line 140

def profile(prof)
  unless @profiles.key?(prof)
    raise R509::R509Error, "unknown profile '#{prof}'"
  end
  @profiles[prof]
end

#set_profile(name, prof) ⇒ Object

Parameters:



# File 'lib/r509/config/ca_config.rb', line 131

def set_profile(name, prof)
  unless prof.is_a?(R509::Config::CertProfile)
    raise TypeError, "profile is supposed to be a R509::Config::CertProfile"
  end
  @profiles[name] = prof
end

#to_h ⇒ Hash

Returns:

  • (Hash)


# File 'lib/r509/config/ca_config.rb', line 153

def to_h
  hash = {}
  hash["ca_cert"] = build_cert_hash(@ca_cert)
  hash["ocsp_cert"] = build_cert_hash(@ocsp_cert) unless @ocsp_cert.nil?
  hash["crl_cert"] = build_cert_hash(@crl_cert) unless @crl_cert.nil?
  hash["ocsp_chain"] = "<add_path>" unless @ocsp_chain.nil?
  hash["ocsp_start_skew_seconds"] = @ocsp_start_skew_seconds
  hash["ocsp_validity_hours"] = @ocsp_validity_hours
  hash["crl_start_skew_seconds"] = @crl_start_skew_seconds
  hash["crl_validity_hours"] = @crl_validity_hours
  hash["crl_list_file"] = @crl_list_file unless @crl_list_file.nil?
  hash["crl_number_file"] = @crl_number_file unless @crl_number_file.nil?
  hash["crl_md"] = @crl_md
  # merging @profiles with itself maps each profile to its hash form
  hash["profiles"] = @profiles.merge(@profiles) { |_k, v| v.to_h } unless @profiles.empty?
  hash
end

#to_yaml ⇒ YAML

Returns:

  • (YAML)


# File 'lib/r509/config/ca_config.rb', line 171

def to_yaml
  self.to_h.to_yaml
end