Class: R509::Cert

Inherits:

Object

• Object
• R509::Cert

Includes:

Helpers

Defined in:

lib/r509/cert.rb,
lib/r509/cert/extensions/base.rb,
lib/r509/cert/extensions/key_usage.rb,
lib/r509/cert/extensions/ocsp_no_check.rb,
lib/r509/cert/extensions/validation_mixin.rb,
lib/r509/cert/extensions/name_constraints.rb,
lib/r509/cert/extensions/basic_constraints.rb,
lib/r509/cert/extensions/policy_constraints.rb,
lib/r509/cert/extensions/inhibit_any_policy.rb,
lib/r509/cert/extensions/extended_key_usage.rb,
lib/r509/cert/extensions/certificate_policies.rb,
lib/r509/cert/extensions/authority_info_access.rb,
lib/r509/cert/extensions/subject_key_identifier.rb,
lib/r509/cert/extensions/crl_distribution_points.rb,
lib/r509/cert/extensions/subject_alternative_name.rb,
lib/r509/cert/extensions/authority_key_identifier.rb

Overview

The primary certificate object.

Defined Under Namespace

Modules: Extensions

Instance Attribute Summary

• #cert ⇒ Object (also: #internal_obj) readonly

  Returns the value of attribute cert.

• #issuer ⇒ Object readonly

  Returns the value of attribute issuer.

• #key ⇒ Object readonly

  Returns the value of attribute key.

• #subject ⇒ Object readonly

  Returns the value of attribute subject.

Class Method Summary

• .load_from_file(filename) ⇒ R509::Cert

  Helper method to quickly load a cert from the filesystem.

Instance Method Summary

• #all_names ⇒ Array

  Return the CN, as well as all the subject alternative names (SANs).

• #authority_info_access ⇒ R509::Cert::Extensions::AuthorityInfoAccess (also: #aia)

  Returns this object's AuthorityInfoAccess extension as an R509 extension.

• #authority_key_identifier ⇒ R509::Cert::Extensions::AuthorityKeyIdentifier

  Returns this object's AuthorityKeyIdentifier extension as an R509 extension.

• #basic_constraints ⇒ R509::Cert::Extensions::BasicConstraints

  Returns this object's BasicConstraints extension as an R509 extension.

• #bit_length ⇒ Integer (also: #bit_strength) included from Helpers

  Returns the bit length of the key.

• #certificate_policies ⇒ R509::Cert::Extensions::CertificatePolicies

  Returns this object's CertificatePolicies extension as an R509 extension.

• #crl_distribution_points ⇒ R509::Cert::Extensions::CRLDistributionPoints (also: #cdp)

  Returns this object's CRLDistributionPoints extension as an R509 extension.

• #curve_name ⇒ String included from Helpers

  Returns the short name of the elliptic curve used to generate the public key if the key is EC.

• #dsa? ⇒ Boolean included from Helpers

  Returns whether the public key is DSA.

• #ec? ⇒ Boolean included from Helpers

  Returns whether the public key is EC.

• #extended_key_usage ⇒ R509::Cert::Extensions::ExtendedKeyUsage (also: #eku)

  Returns this object's ExtendedKeyUsage extension as an R509 extension.

• #extensions ⇒ Hash

  Returns the certificate extensions as a hash of R509::Cert::Extensions specific objects.

• #fingerprint(algorithm = 'sha256') ⇒ String

  Returns the certificate fingerprint with the specified algorithm (default sha256).

• #has_private_key? ⇒ Boolean

  Boolean of whether the object contains a private key.

• #hexserial ⇒ String

  Returns the serial number of the certificate in hexadecimal form.

• #inhibit_any_policy ⇒ R509::Cert::Extensions::InhibitAnyPolicy

  Returns this object's InhibitAnyPolicy extension as an R509 extension.

• #initialize(opts = {}) ⇒ Cert constructor

  A new instance of Cert.

• #is_revoked_by_crl?(r509_crl) ⇒ Boolean

  Checks the given CRL for this certificate's serial number.

• #key_algorithm ⇒ String included from Helpers

  Returns key algorithm (RSA/DSA/EC).

• #key_usage ⇒ R509::Cert::Extensions::KeyUsage (also: #ku)

  Returns this object's KeyUsage extension as an R509 extension.

• #name_constraints ⇒ R509::Cert::Extensions::NameConstraints

  Returns this object's NameConstraints extension as an R509 extension.

• #not_after ⇒ Time

  Returns ending (notAfter) of certificate validity period.

• #not_before ⇒ Time

  Returns beginning (notBefore) of certificate validity period.

• #ocsp_no_check? ⇒ Boolean

  Returns true if the OCSP No Check extension is present (value is irrelevant to this extension).

• #policy_constraints ⇒ R509::Cert::Extensions::PolicyConstraints

  Returns this object's PolicyConstraints extension as an R509 extension.

• #public_key ⇒ OpenSSL::PKey::RSA

  Returns the certificate public key.

• #rsa? ⇒ Boolean included from Helpers

  Returns whether the public key is RSA.

• #serial ⇒ Integer

  Returns the serial number of the certificate in decimal form.

• #signature_algorithm ⇒ String

  Returns signature algorithm.

• #subject_alternative_name ⇒ R509::Cert::Extensions::SubjectAlternativeName (also: #san, #subject_alt_name)

  Returns this object's SubjectAlternativeName extension as an R509 extension.

• #subject_key_identifier ⇒ R509::Cert::Extensions::SubjectKeyIdentifier

  Returns this object's SubjectKeyIdentifier extension as an R509 extension.

• #to_der ⇒ String included from Helpers

  Converts the object into DER format.

• #to_pem ⇒ String included from Helpers

  Converts the object into PEM format.

• #unknown_extensions ⇒ Array

  Returns an array of OpenSSL::X509::Extension objects representing the extensions that do not have R509 implementations.

• #valid? ⇒ Boolean

  Returns whether the current time is between the notBefore and notAfter times in the certificate.

• #valid_at?(time) ⇒ Boolean

  Returns whether the certificate was between its notBefore and notAfter at the time provided.

• #write_der(filename_or_io) ⇒ Object included from Helpers

  Writes the object into DER format.

• #write_pem(filename_or_io) ⇒ Object included from Helpers

  Writes the object into PEM format.

• #write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12') ⇒ Object

  Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3).

Constructor Details

#initialize(opts = {}) ⇒ Cert

Returns a new instance of Cert

Parameters:

• opts (Hash) (defaults to: {}) —

  a customizable set of options

Options Hash (opts):

• :cert (String, OpenSSL::X509::Certificate) —

  a cert

• :key (R509::PrivateKey, String) —

  optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support)

• :pkcs12 (String) —

  a PKCS12 object containing both key and cert

• :password (String) —

  password for PKCS12 or private key (if supplied)

# File 'lib/r509/cert.rb', line 19

def initialize(opts = {})
  unless opts.is_a?(Hash)
    raise ArgumentError, 'Must provide a hash of options'
  end
  if opts.key?(:pkcs12) && ( opts.key?(:key) || opts.key?(:cert))
    raise ArgumentError, "When providing pkcs12, do not pass cert or key"
  elsif opts.key?(:pkcs12)
    pkcs12 = OpenSSL::PKCS12.new(opts[:pkcs12], opts[:password])
    parse_certificate(pkcs12.certificate)
    parse_private_key(pkcs12.key)
  elsif !opts.key?(:cert)
    raise ArgumentError, 'Must provide :cert or :pkcs12'
  else
    csr_check(opts[:cert])
    parse_certificate(opts[:cert])
  end

  if opts.key?(:key)
    parse_private_key(opts[:key], opts[:password])
  end
end

Instance Attribute Details

#cert ⇒ Object (readonly) Also known as: internal_obj

Returns the value of attribute cert

# File 'lib/r509/cert.rb', line 13

def cert
  @cert
end

#issuer ⇒ Object (readonly)

Returns the value of attribute issuer

# File 'lib/r509/cert.rb', line 13

def issuer
  @issuer
end

#key ⇒ Object (readonly)

Returns the value of attribute key

# File 'lib/r509/cert.rb', line 13

def key
  @key
end

#subject ⇒ Object (readonly)

Returns the value of attribute subject

# File 'lib/r509/cert.rb', line 13

def subject
  @subject
end

Class Method Details

.load_from_file(filename) ⇒ R509::Cert

Helper method to quickly load a cert from the filesystem

Parameters:

• filename (String) —

  Path to file you want to load

Returns:

• (R509::Cert) —

  cert object

# File 'lib/r509/cert.rb', line 45

def self.load_from_file(filename)
  R509::Cert.new(:cert => IOHelpers.read_data(filename))
end

Instance Method Details

#all_names ⇒ Array

Return the CN, as well as all the subject alternative names (SANs).

Returns:

• (Array) —

  the array of names. Returns an empty array if there are no names, at all. Discards SAN types

# File 'lib/r509/cert.rb', line 130

def all_names
  ret = []
  ret << @subject.CN unless @subject.CN.nil?
  ret.concat(self.san.names.map { |n| n.value }) unless self.san.nil?

  ret.sort.uniq
end

#authority_info_access ⇒ R509::Cert::Extensions::AuthorityInfoAccess Also known as: aia

Returns this object's AuthorityInfoAccess extension as an R509 extension

if this cert does not have a AuthorityInfoAccess extension.

Returns:

• (R509::Cert::Extensions::AuthorityInfoAccess) —

  The object, or nil

# File 'lib/r509/cert.rb', line 250

def authority_info_access
  extensions[R509::Cert::Extensions::AuthorityInfoAccess]
end

#authority_key_identifier ⇒ R509::Cert::Extensions::AuthorityKeyIdentifier

Returns this object's AuthorityKeyIdentifier extension as an R509 extension

if this cert does not have a AuthorityKeyIdentifier extension.

Returns:

• (R509::Cert::Extensions::AuthorityKeyIdentifier) —

  The object, or nil

# File 'lib/r509/cert.rb', line 232

def authority_key_identifier
  extensions[R509::Cert::Extensions::AuthorityKeyIdentifier]
end

#basic_constraints ⇒ R509::Cert::Extensions::BasicConstraints

Returns this object's BasicConstraints extension as an R509 extension

if this cert does not have a BasicConstraints extension.

Returns:

• (R509::Cert::Extensions::BasicConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 198

def basic_constraints
  extensions[R509::Cert::Extensions::BasicConstraints]
end

#bit_length ⇒ Integer Also known as: bit_strength Originally defined in module Helpers

Returns the bit length of the key

Returns:

• (Integer) —

  the integer bit length.

#certificate_policies ⇒ R509::Cert::Extensions::CertificatePolicies

Returns this object's CertificatePolicies extension as an R509 extension

if this cert does not have a CertificatePolicies extension.

Returns:

• (R509::Cert::Extensions::CertificatePolicies) —

  The object, or nil

# File 'lib/r509/cert.rb', line 276

def certificate_policies
  extensions[R509::Cert::Extensions::CertificatePolicies]
end

#crl_distribution_points ⇒ R509::Cert::Extensions::CRLDistributionPoints Also known as: cdp

Returns this object's CRLDistributionPoints extension as an R509 extension

if this cert does not have a CRLDistributionPoints extension.

Returns:

• (R509::Cert::Extensions::CRLDistributionPoints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 259

def crl_distribution_points
  extensions[R509::Cert::Extensions::CRLDistributionPoints]
end

#curve_name ⇒ String Originally defined in module Helpers

Returns the short name of the elliptic curve used to generate the public key if the key is EC. If not, raises an error.

Returns:

• (String) —

  elliptic curve name

#dsa? ⇒ Boolean Originally defined in module Helpers

Returns whether the public key is DSA

Returns:

• (Boolean) —

  true if the public key is DSA, false otherwise

#ec? ⇒ Boolean Originally defined in module Helpers

Returns whether the public key is EC

Returns:

• (Boolean) —

  true if the public key is EC, false otherwise

#extended_key_usage ⇒ R509::Cert::Extensions::ExtendedKeyUsage Also known as: eku

Returns this object's ExtendedKeyUsage extension as an R509 extension

if this cert does not have a ExtendedKeyUsage extension.

Returns:

• (R509::Cert::Extensions::ExtendedKeyUsage) —

  The object, or nil

# File 'lib/r509/cert.rb', line 215

def extended_key_usage
  extensions[R509::Cert::Extensions::ExtendedKeyUsage]
end

#extensions ⇒ Hash

Returns the certificate extensions as a hash of R509::Cert::Extensions specific objects.

R509::Cert::Extensions module, each specific to the extension. The hash is keyed with the R509 extension class. Extensions without an R509 implementation are ignored (see #get_unknown_extensions).

Returns:

• (Hash) —

  A hash, in which the values are classes from the

# File 'lib/r509/cert.rb', line 174

def extensions
  if @r509_extensions.nil?
    @r509_extensions = Extensions.wrap_openssl_extensions(self.cert.extensions)
  end

  @r509_extensions
end

#fingerprint(algorithm = 'sha256') ⇒ String

Returns the certificate fingerprint with the specified algorithm (default sha256)

Parameters:

• algorithm (String) (defaults to: 'sha256') —

  Which algorithm to use for the fingerprint. See R509::MessageDigest for supported algorithm names

Returns:

• (String) —

  hex digest of the certificate

# File 'lib/r509/cert.rb', line 90

def fingerprint(algorithm = 'sha256')
  message_digest = R509::MessageDigest.new(algorithm)
  md = message_digest.digest
  md.update(@cert.to_der)
  md.to_s
end

#has_private_key? ⇒ Boolean

Returns Boolean of whether the object contains a private key

Returns:

• (Boolean) —

  Boolean of whether the object contains a private key

# File 'lib/r509/cert.rb', line 122

def has_private_key?
  !@key.nil?
end

#hexserial ⇒ String

Returns the serial number of the certificate in hexadecimal form

Returns:

• (String)

# File 'lib/r509/cert.rb', line 68

def hexserial
  @cert.serial.to_s(16)
end

#inhibit_any_policy ⇒ R509::Cert::Extensions::InhibitAnyPolicy

Returns this object's InhibitAnyPolicy extension as an R509 extension

if this cert does not have a InhibitAnyPolicy extension.

Returns:

• (R509::Cert::Extensions::InhibitAnyPolicy) —

  The object, or nil

# File 'lib/r509/cert.rb', line 284

def inhibit_any_policy
  extensions[R509::Cert::Extensions::InhibitAnyPolicy]
end

#is_revoked_by_crl?(r509_crl) ⇒ Boolean

Checks the given CRL for this certificate's serial number. Note that this does NOT check to verify that the CRL you're checking is signed by the same CA as the cert so do that check yourself

Parameters:

• r509_crl (R509::CRL::SignedList) —

  A CRL from the CA that issued this certificate.

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 163

def is_revoked_by_crl?(r509_crl)
  r509_crl.revoked?(self.serial)
end

#key_algorithm ⇒ String Originally defined in module Helpers

Returns key algorithm (RSA/DSA/EC)

Returns:

• (String) —

  value of the key algorithm.

#key_usage ⇒ R509::Cert::Extensions::KeyUsage Also known as: ku

Returns this object's KeyUsage extension as an R509 extension

if this cert does not have a KeyUsage extension.

Returns:

• (R509::Cert::Extensions::KeyUsage) —

  The object, or nil

# File 'lib/r509/cert.rb', line 206

def key_usage
  extensions[R509::Cert::Extensions::KeyUsage]
end

#name_constraints ⇒ R509::Cert::Extensions::NameConstraints

Returns this object's NameConstraints extension as an R509 extension

if this cert does not have a NameConstraints extension.

Returns:

• (R509::Cert::Extensions::NameConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 300

def name_constraints
  extensions[R509::Cert::Extensions::NameConstraints]
end

#not_after ⇒ Time

Returns ending (notAfter) of certificate validity period

Returns:

• (Time) —

  time object

# File 'lib/r509/cert.rb', line 75

def not_after
  @cert.not_after
end

#not_before ⇒ Time

Returns beginning (notBefore) of certificate validity period

Returns:

• (Time) —

  time object

# File 'lib/r509/cert.rb', line 54

def not_before
  @cert.not_before
end

#ocsp_no_check? ⇒ Boolean

Returns true if the OCSP No Check extension is present (value is irrelevant to this extension)

Returns:

• (Boolean) —

  presence/absence of the nocheck extension

# File 'lib/r509/cert.rb', line 268

def ocsp_no_check?
  (extensions.key?(R509::Cert::Extensions::OCSPNoCheck))
end

#policy_constraints ⇒ R509::Cert::Extensions::PolicyConstraints

Returns this object's PolicyConstraints extension as an R509 extension

if this cert does not have a PolicyConstraints extension.

Returns:

• (R509::Cert::Extensions::PolicyConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 292

def policy_constraints
  extensions[R509::Cert::Extensions::PolicyConstraints]
end

#public_key ⇒ OpenSSL::PKey::RSA

Returns the certificate public key

Returns:

• (OpenSSL::PKey::RSA) —

  public key object

# File 'lib/r509/cert.rb', line 82

def public_key
  @cert.public_key
end

#rsa? ⇒ Boolean Originally defined in module Helpers

Returns whether the public key is RSA

Returns:

• (Boolean) —

  true if the public key is RSA, false otherwise

#serial ⇒ Integer

Returns the serial number of the certificate in decimal form

Returns:

• (Integer)

# File 'lib/r509/cert.rb', line 61

def serial
  @cert.serial.to_i
end

#signature_algorithm ⇒ String

Returns signature algorithm

Returns:

• (String) —

  value of the signature algorithm. E.g. sha1WithRSAEncryption, sha256WithRSAEncryption, md5WithRSAEncryption, et cetera

# File 'lib/r509/cert.rb', line 141

def signature_algorithm
  @cert.signature_algorithm
end

#subject_alternative_name ⇒ R509::Cert::Extensions::SubjectAlternativeName Also known as: san, subject_alt_name

Returns this object's SubjectAlternativeName extension as an R509 extension

if this cert does not have a SubjectAlternativeName extension.

Returns:

• (R509::Cert::Extensions::SubjectAlternativeName) —

  The object, or nil

# File 'lib/r509/cert.rb', line 240

def subject_alternative_name
  extensions[R509::Cert::Extensions::SubjectAlternativeName]
end

#subject_key_identifier ⇒ R509::Cert::Extensions::SubjectKeyIdentifier

Returns this object's SubjectKeyIdentifier extension as an R509 extension

if this cert does not have a SubjectKeyIdentifier extension.

Returns:

• (R509::Cert::Extensions::SubjectKeyIdentifier) —

  The object, or nil

# File 'lib/r509/cert.rb', line 224

def subject_key_identifier
  extensions[R509::Cert::Extensions::SubjectKeyIdentifier]
end

#to_der ⇒ String Originally defined in module Helpers

Converts the object into DER format

Returns:

• (String) —

  the object converted into DER format.

#to_pem ⇒ String Originally defined in module Helpers

Converts the object into PEM format

Returns:

• (String) —

  the object converted into PEM format.

#unknown_extensions ⇒ Array

Returns an array of OpenSSL::X509::Extension objects representing the extensions that do not have R509 implementations.

Returns:

• (Array) —

  An array of OpenSSL::X509::Extension objects.

# File 'lib/r509/cert.rb', line 186

def unknown_extensions
  Extensions.get_unknown_extensions(self.cert.extensions)
end

#valid? ⇒ Boolean

Returns whether the current time is between the notBefore and notAfter times in the certificate.

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 101

def valid?
  valid_at?(Time.now)
end

#valid_at?(time) ⇒ Boolean

Returns whether the certificate was between its notBefore and notAfter at the time provided

Parameters:

• time (Time, Integer) —

  Time object or integer timestamp

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 109

def valid_at?(time)
  if time.is_a?(Integer)
    time = Time.at(time)
  end

  if (self.not_after < time) || (self.not_before > time)
    false
  else
    true
  end
end

#write_der(filename_or_io) ⇒ Object Originally defined in module Helpers

Writes the object into DER format

Parameters:

• filename_or_io (String, #write) —

  Either a string of the path for the file that you'd like to write, or an IO-like object.

#write_pem(filename_or_io) ⇒ Object Originally defined in module Helpers

Writes the object into PEM format

Parameters:

• filename_or_io (String, #write) —

  Either a string of the path for the file that you'd like to write, or an IO-like object.

#write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12') ⇒ Object

Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3)

Parameters:

• filename_or_io (String, #write) —

  Either a string of the path for the file that you'd like to write, or an IO-like object.

• password (String) —

  password

• friendly_name (String) (defaults to: 'r509 pkcs12') —

  An optional string to encode in the PKCS12 for friendlyName. defaults to “r509 pkcs12”

# File 'lib/r509/cert.rb', line 150

def write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12')
  if @key.nil?
    raise R509::R509Error, "Writing a PKCS12 requires both key and cert"
  end
  pkcs12 = OpenSSL::PKCS12.create(password, friendly_name, @key.key, @cert)
  write_data(filename_or_io, pkcs12.to_der)
end