Class: R509::Config::CAConfig

Inherits: Object
Extended by: IOHelpers
Includes: IOHelpers
Defined in: lib/r509/config.rb

Overview

Stores a configuration for our CA.


Methods included from IOHelpers

read_data, write_data

Constructor Details

- (CAConfig) initialize(opts = {})

OCSP signing delegate that constitutes the chain to attach to an OCSP response

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_cert (R509::Cert)

    Cert+Key pair

  • :crl_validity_hours (Integer) — default: 168

    The number of hours that a CRL will be valid. Defaults to 7 days.

  • :profiles (Hash<String, R509::Config::CAProfile>)
  • :message_digest (String) — default: SHA1

    The hashing algorithm to use.

  • :cdp_location (Array)

    array of strings (URLs)

  • :ocsp_location (Array)

    array of strings (URLs)

  • :ca_issuers_location (Array)

    array of strings (URLs)

  • :crl_number_file (String)

The file that the CRL numbers will be saved to. Defaults to a StringIO object if not provided.

  • :crl_list_file (String)

The file that the CRL list data will be saved to. Defaults to a StringIO object if not provided.

  • :ocsp_cert (R509::Cert)

    An optional cert+key pair

  • :ocsp_chain (Array<OpenSSL::X509::Certificate>)

    An optional array



# File 'lib/r509/config.rb', line 316

def initialize(opts = {} )
  if not opts.has_key?(:ca_cert) then
    raise ArgumentError, 'Config object requires that you pass :ca_cert'
  end

  @ca_cert = opts[:ca_cert]

  if not @ca_cert.kind_of?(R509::Cert) then
    raise ArgumentError, ':ca_cert must be of type R509::Cert'
  end

  #ocsp data
  if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].kind_of?(R509::Cert) and not opts[:ocsp_cert].nil?
    raise ArgumentError, ':ocsp_cert, if provided, must be of type R509::Cert'
  end
  if opts.has_key?(:ocsp_cert) and not opts[:ocsp_cert].nil? and not opts[:ocsp_cert].has_private_key?
    raise ArgumentError, ':ocsp_cert must contain a private key, not just a certificate'
  end
  @ocsp_cert = opts[:ocsp_cert] unless opts[:ocsp_cert].nil?
  validate_ocsp_location opts[:ocsp_location]
  validate_ca_issuers_location opts[:ca_issuers_location]
  @ocsp_chain = opts[:ocsp_chain] if opts[:ocsp_chain].kind_of?(Array)
  @ocsp_validity_hours = opts[:ocsp_validity_hours] || 168
  @ocsp_start_skew_seconds = opts[:ocsp_start_skew_seconds] || 3600

  @crl_validity_hours = opts[:crl_validity_hours] || 168
  @crl_start_skew_seconds = opts[:crl_start_skew_seconds] || 3600
  @crl_number_file = opts[:crl_number_file] || nil
  @crl_list_file = opts[:crl_list_file] || nil
  validate_cdp_location opts[:cdp_location]
  @message_digest = opts[:message_digest] || "SHA1"

  @profiles = {}
  if opts[:profiles]
    opts[:profiles].each_pair do |name, prof|
      set_profile(name, prof)
    end
  end

end

Instance Attribute Details

- (Object) ca_cert

Returns the value of attribute ca_cert



# File 'lib/r509/config.rb', line 294

def ca_cert
  @ca_cert
end

- (Object) ca_issuers_location

Returns the value of attribute ca_issuers_location



# File 'lib/r509/config.rb', line 294

def ca_issuers_location
  @ca_issuers_location
end

- (Object) cdp_location

Returns the value of attribute cdp_location



# File 'lib/r509/config.rb', line 294

def cdp_location
  @cdp_location
end

- (Object) crl_list_file

Returns the value of attribute crl_list_file



# File 'lib/r509/config.rb', line 294

def crl_list_file
  @crl_list_file
end

- (Object) crl_number_file

Returns the value of attribute crl_number_file



# File 'lib/r509/config.rb', line 294

def crl_number_file
  @crl_number_file
end

- (Object) crl_start_skew_seconds

Returns the value of attribute crl_start_skew_seconds



# File 'lib/r509/config.rb', line 294

def crl_start_skew_seconds
  @crl_start_skew_seconds
end

- (Object) crl_validity_hours

Returns the value of attribute crl_validity_hours



# File 'lib/r509/config.rb', line 294

def crl_validity_hours
  @crl_validity_hours
end

- (Object) message_digest

Returns the value of attribute message_digest



# File 'lib/r509/config.rb', line 294

def message_digest
  @message_digest
end

- (Object) ocsp_chain

Returns the value of attribute ocsp_chain



# File 'lib/r509/config.rb', line 294

def ocsp_chain
  @ocsp_chain
end

- (Object) ocsp_location

Returns the value of attribute ocsp_location



# File 'lib/r509/config.rb', line 294

def ocsp_location
  @ocsp_location
end

- (Object) ocsp_start_skew_seconds

Returns the value of attribute ocsp_start_skew_seconds



# File 'lib/r509/config.rb', line 294

def ocsp_start_skew_seconds
  @ocsp_start_skew_seconds
end

- (Object) ocsp_validity_hours

Returns the value of attribute ocsp_validity_hours



# File 'lib/r509/config.rb', line 294

def ocsp_validity_hours
  @ocsp_validity_hours
end

Class Method Details

+ (Object) from_yaml(conf_name, yaml_data, opts = {})

Loads the named configuration from a YAML string.

Parameters:

  • conf_name (String)

    The name of the config within the file. Note that a single yaml file can contain more than one configuration.

  • yaml_data (String)

The YAML string to load config data from.



# File 'lib/r509/config.rb', line 503

def self.from_yaml(conf_name, yaml_data, opts = {})
  conf = YAML.load(yaml_data)
  self.load_from_hash(conf[conf_name], opts)
end

+ (Object) load_from_hash(conf, opts = {})

Loads the configuration from a data hash of the same shape that is produced when loading from a YAML file.

Parameters:

  • conf (Hash)

    A hash containing all the configuration options

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :ca_root_path (String)

    The root path for the CA. Defaults to the current working directory.



# File 'lib/r509/config.rb', line 395

def self.load_from_hash(conf, opts = {})
  if conf.nil?
    raise ArgumentError, "conf not found"
  end
  unless conf.kind_of?(Hash)
    raise ArgumentError, "conf must be a Hash"
  end

  ca_root_path = Pathname.new(opts[:ca_root_path] || FileUtils.getwd)

  unless File.directory?(ca_root_path)
    raise R509Error, "ca_root_path is not a directory: #{ca_root_path}"
  end

  ca_cert_hash = conf['ca_cert']

  if ca_cert_hash.has_key?('engine')
    ca_cert = self.load_with_engine(ca_cert_hash,ca_root_path)
  end

  if ca_cert.nil? and ca_cert_hash.has_key?('pkcs12')
    ca_cert = self.load_with_pkcs12(ca_cert_hash,ca_root_path)
  end

  if ca_cert.nil? and ca_cert_hash.has_key?('cert')
    ca_cert = self.load_with_key(ca_cert_hash,ca_root_path)
  end

  if conf.has_key?("ocsp_cert")
    if conf["ocsp_cert"].has_key?('engine')
      ocsp_cert = self.load_with_engine(conf["ocsp_cert"],ca_root_path)
    end

    if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('pkcs12')
      ocsp_cert = self.load_with_pkcs12(conf["ocsp_cert"],ca_root_path)
    end

    if ocsp_cert.nil? and conf["ocsp_cert"].has_key?('cert')
      ocsp_cert = self.load_with_key(conf["ocsp_cert"],ca_root_path)
    end
  end

  ocsp_chain = []
  if conf.has_key?("ocsp_chain")
    ocsp_chain_data = read_data(ca_root_path+conf["ocsp_chain"])
    cert_regex = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
    ocsp_chain_data.scan(cert_regex) do |cert|
      ocsp_chain.push(OpenSSL::X509::Certificate.new(cert))
    end
  end

  opts = {
    :ca_cert => ca_cert,
    :ocsp_cert => ocsp_cert,
    :ocsp_chain => ocsp_chain,
    :crl_validity_hours => conf['crl_validity_hours'],
    :ocsp_validity_hours => conf['ocsp_validity_hours'],
    :ocsp_start_skew_seconds => conf['ocsp_start_skew_seconds'],
    :ocsp_location => conf['ocsp_location'],
    :ca_issuers_location => conf['ca_issuers_location'],
    :cdp_location => conf['cdp_location'],
    :message_digest => conf['message_digest'],
  }

  if conf.has_key?("crl_list")
    opts[:crl_list_file] = (ca_root_path + conf['crl_list']).to_s
  end

  if conf.has_key?("crl_number")
    opts[:crl_number_file] = (ca_root_path + conf['crl_number']).to_s
  end


  profs = {}
  conf['profiles'].keys.each do |profile|
    data = conf['profiles'][profile]
    if not data["subject_item_policy"].nil?
      subject_item_policy = R509::Config::SubjectItemPolicy.new(data["subject_item_policy"])
    end
    profs[profile] = R509::Config::CAProfile.new(:key_usage => data["key_usage"],
                       :extended_key_usage => data["extended_key_usage"],
                       :basic_constraints => data["basic_constraints"],
                       :certificate_policies => data["certificate_policies"],
                       :ocsp_no_check => data["ocsp_no_check"],
                       :inhibit_any_policy => data["inhibit_any_policy"],
                       :policy_constraints => data["policy_constraints"],
                       :name_constraints => data["name_constraints"],
                       :subject_item_policy => subject_item_policy)
  end unless conf['profiles'].nil?
  opts[:profiles] = profs

  # Create the instance.
  self.new(opts)
end
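The following is an added example, not r509's own code and not dependent on the gem: a constructed YAML document in the shape the constructor options and load_from_hash describe, a helper that selects one named configuration from it with YAML.safe_load, and the same PEM-bundle scan load_from_hash applies to the ocsp_chain file. The helper names (select_config, split_pem_bundle, self_signed) and the sample values are assumptions.

```ruby
require 'yaml'
require 'openssl'

# Constructed YAML document in the shape from_yaml/load_yaml expect: one top-level
# key per configuration, each holding the keys load_from_hash reads (paths relative to :ca_root_path).
SAMPLE_YAML = <<~YAML
  test_ca:
    ca_cert:
      cert: certs/ca.pem
      key: certs/ca.key
    crl_list: crls/crl_list.txt
    crl_number: crls/crl_number.txt
    crl_validity_hours: 72
    ocsp_location: ["http://ocsp.example.test"]
    message_digest: SHA256
    profiles:
      server:
        key_usage: [digitalSignature, keyEncipherment]
YAML

# Picks one named configuration out of the document. YAML.safe_load is used
# instead of YAML.load (which from_yaml calls): safe_load rejects the tags that
# instantiate arbitrary Ruby objects, so a tampered config file only yields plain data.
def select_config(yaml_data, conf_name)
  conf = YAML.safe_load(yaml_data)
  raise ArgumentError, "conf not found" if conf.nil? || conf[conf_name].nil?
  raise ArgumentError, "conf must be a Hash" unless conf[conf_name].is_a?(Hash)
  conf[conf_name]
end

# The same scan load_from_hash applies to the ocsp_chain file: every PEM block
# in the bundle becomes one OpenSSL::X509::Certificate, in file order.
def split_pem_bundle(data)
  data.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Constructed self-signed certificate, only so the bundle scan has real PEM input.
def self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

Feeding `select_config(SAMPLE_YAML, 'test_ca')` to `load_from_hash` with a matching `:ca_root_path` directory is what `load_yaml` does internally, with the file paths resolved against that root.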

+ (Object) load_yaml(conf_name, yaml_file, opts = {})

Loads the named configuration from a YAML file.

Parameters:

  • conf_name (String)

    The name of the config within the file. Note that a single yaml file can contain more than one configuration.

  • yaml_file (String)

    The filename to load yaml config data from.



# File 'lib/r509/config.rb', line 494

def self.load_yaml(conf_name, yaml_file, opts = {})
  conf = YAML.load_file(yaml_file)
  self.load_from_hash(conf[conf_name], opts)
end

Instance Method Details

- (Integer) num_profiles

The number of profiles

Returns:

  • (Integer)

    The number of profiles



# File 'lib/r509/config.rb', line 383

def num_profiles
  @profiles.count
end

- (R509::Cert) ocsp_cert

Either a custom OCSP cert or the ca_cert

Returns:

  • (R509::Cert)

    either a custom OCSP cert or the ca_cert



# File 'lib/r509/config.rb', line 360

def ocsp_cert
  if @ocsp_cert.nil? then @ca_cert else @ocsp_cert end
end

- (R509::Config::CAProfile) profile(prof)

The config profile.

Parameters:

  • prof (String)

# File 'lib/r509/config.rb', line 375

def profile(prof)
  if !@profiles.has_key?(prof)
    raise R509::R509Error, "unknown profile '#{prof}'"
  end
  @profiles[prof]
end

- (Object) set_profile(name, prof)

# File 'lib/r509/config.rb', line 366

def set_profile(name, prof)
  unless prof.is_a?(R509::Config::CAProfile)
    raise TypeError, "profile is supposed to be a R509::Config::CAProfile"
  end
  @profiles[name] = prof
end