Class: R509::Cert

Inherits:
Object
  • Object
show all
Includes:
Helpers
Defined in:
lib/r509/cert.rb,
lib/r509/cert/extensions/base.rb,
lib/r509/cert/extensions/key_usage.rb,
lib/r509/cert/extensions/ocsp_no_check.rb,
lib/r509/cert/extensions/name_constraints.rb,
lib/r509/cert/extensions/validation_mixin.rb,
lib/r509/cert/extensions/basic_constraints.rb,
lib/r509/cert/extensions/extended_key_usage.rb,
lib/r509/cert/extensions/policy_constraints.rb,
lib/r509/cert/extensions/inhibit_any_policy.rb,
lib/r509/cert/extensions/certificate_policies.rb,
lib/r509/cert/extensions/authority_info_access.rb,
lib/r509/cert/extensions/subject_key_identifier.rb,
lib/r509/cert/extensions/crl_distribution_points.rb,
lib/r509/cert/extensions/subject_alternative_name.rb,
lib/r509/cert/extensions/authority_key_identifier.rb

Overview

The primary certificate object.

Defined Under Namespace

Modules: Extensions

Instance Attribute Summary (collapse)

Class Method Summary (collapse)

Instance Method Summary (collapse)

Constructor Details

- (Cert) initialize(opts = {})

A new instance of Cert

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :cert (String, OpenSSL::X509::Certificate)

    a cert

  • :key (R509::PrivateKey, String)

    optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support)

  • :pkcs12 (String)

    a PKCS12 object containing both key and cert

  • :password (String)

    password for PKCS12 or private key (if supplied)



19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
 
# File 'lib/r509/cert.rb', line 19

def initialize(opts={})
  if not opts.kind_of?(Hash)
    raise ArgumentError, 'Must provide a hash of options'
  end
  if opts.has_key?(:pkcs12) and ( opts.has_key?(:key) or opts.has_key?(:cert) )
    raise ArgumentError, "When providing pkcs12, do not pass cert or key"
  elsif opts.has_key?(:pkcs12)
    pkcs12 = OpenSSL::PKCS12.new( opts[:pkcs12], opts[:password] )
    parse_certificate(pkcs12.certificate)
    parse_private_key(pkcs12.key)
  elsif not opts.has_key?(:cert)
    raise ArgumentError, 'Must provide :cert or :pkcs12'
  else
    csr_check(opts[:cert])
    parse_certificate(opts[:cert])
  end

  if opts.has_key?(:key)
    parse_private_key(opts[:key], opts[:password])
  end
end

Instance Attribute Details

- (Object) cert (readonly)

Returns the value of attribute cert



13
14
15
 
# File 'lib/r509/cert.rb', line 13

def cert
  @cert
end

- (Object) issuer (readonly)

Returns the value of attribute issuer



13
14
15
 
# File 'lib/r509/cert.rb', line 13

def issuer
  @issuer
end

- (Object) key (readonly)

Returns the value of attribute key



13
14
15
 
# File 'lib/r509/cert.rb', line 13

def key
  @key
end

- (Object) subject (readonly)

Returns the value of attribute subject



13
14
15
 
# File 'lib/r509/cert.rb', line 13

def subject
  @subject
end

Class Method Details

+ (R509::Cert) load_from_file(filename)

Helper method to quickly load a cert from the filesystem

Parameters:

  • filename (String)

    Path to file you want to load

Returns:



45
46
47
 
# File 'lib/r509/cert.rb', line 45

def self.load_from_file( filename )
  return R509::Cert.new(:cert => IOHelpers.read_data(filename) )
end

Instance Method Details

- (Array) all_names

Return the CN, as well as all the subject alternative names (SANs).

Returns:

  • (Array)

    the array of names. Returns an empty array if there are no names, at all. Discards SAN types



134
135
136
137
138
139
140
 
# File 'lib/r509/cert.rb', line 134

def all_names
  ret = []
  ret << @subject.CN unless @subject.CN.nil?
  ret.concat( self.san.names.map { |n| n.value } ) unless self.san.nil?

  return ret.sort.uniq
end

- (R509::Cert::Extensions::AuthorityInfoAccess) authority_info_access Also known as: aia

Returns this object's AuthorityInfoAccess extension as an R509 extension

if this cert does not have a AuthorityInfoAccess extension.

Returns:



254
255
256
 
# File 'lib/r509/cert.rb', line 254

def authority_info_access
  return extensions[R509::Cert::Extensions::AuthorityInfoAccess]
end

- (R509::Cert::Extensions::AuthorityKeyIdentifier) authority_key_identifier

Returns this object's AuthorityKeyIdentifier extension as an R509 extension

if this cert does not have a AuthorityKeyIdentifier extension.

Returns:



236
237
238
 
# File 'lib/r509/cert.rb', line 236

def authority_key_identifier
  return extensions[R509::Cert::Extensions::AuthorityKeyIdentifier]
end

- (R509::Cert::Extensions::BasicConstraints) basic_constraints

Returns this object's BasicConstraints extension as an R509 extension

if this cert does not have a BasicConstraints extension.

Returns:



202
203
204
 
# File 'lib/r509/cert.rb', line 202

def basic_constraints
  return extensions[R509::Cert::Extensions::BasicConstraints]
end

- (Integer) bit_length Also known as: bit_strength Originally defined in module Helpers

Returns the bit length of the key

Returns:

  • (Integer)

    the integer bit length.

- (R509::Cert::Extensions::CertificatePolicies) certificate_policies

Returns this object's CertificatePolicies extension as an R509 extension

if this cert does not have a CertificatePolicies extension.

Returns:



280
281
282
 
# File 'lib/r509/cert.rb', line 280

def certificate_policies
  return extensions[R509::Cert::Extensions::CertificatePolicies]
end

- (R509::Cert::Extensions::CRLDistributionPoints) crl_distribution_points Also known as: cdp

Returns this object's CRLDistributionPoints extension as an R509 extension

if this cert does not have a CRLDistributionPoints extension.

Returns:



263
264
265
 
# File 'lib/r509/cert.rb', line 263

def crl_distribution_points
  return extensions[R509::Cert::Extensions::CRLDistributionPoints]
end

- (String) curve_name Originally defined in module Helpers

Returns the short name of the elliptic curve used to generate the public key if the key is EC. If not, raises an error.

Returns:

  • (String)

    elliptic curve name

- (Boolean) dsa? Originally defined in module Helpers

Returns whether the public key is DSA

Returns:

  • (Boolean)

    true if the public key is DSA, false otherwise

- (Boolean) ec? Originally defined in module Helpers

Returns whether the public key is EC

Returns:

  • (Boolean)

    true if the public key is EC, false otherwise

- (R509::Cert::Extensions::ExtendedKeyUsage) extended_key_usage Also known as: eku

Returns this object's ExtendedKeyUsage extension as an R509 extension

if this cert does not have a ExtendedKeyUsage extension.

Returns:



219
220
221
 
# File 'lib/r509/cert.rb', line 219

def extended_key_usage
  return extensions[R509::Cert::Extensions::ExtendedKeyUsage]
end

- (Hash) extensions

Returns the certificate extensions as a hash of R509::Cert::Extensions specific objects.

R509::Cert::Extensions module, each specific to the extension. The hash is keyed with the R509 extension class. Extensions without an R509 implementation are ignored (see #get_unknown_extensions).

Returns:

  • (Hash)

    A hash, in which the values are classes from the



178
179
180
181
182
183
184
 
# File 'lib/r509/cert.rb', line 178

def extensions
  if @r509_extensions.nil?
    @r509_extensions = Extensions.wrap_openssl_extensions( self.cert.extensions )
  end

  return @r509_extensions
end

- (String) fingerprint(algorithm = 'sha1')

Returns the certificate fingerprint with the specified algorithm (default sha1)

Parameters:

  • algorithm (String) (defaults to: 'sha1')

    Which algorithm to use for the fingerprint. See R509::MessageDigest for supported algorithm names

Returns:

  • (String)

    hex digest of the certificate



90
91
92
93
94
95
 
# File 'lib/r509/cert.rb', line 90

def fingerprint(algorithm='sha1')
  message_digest = R509::MessageDigest.new(algorithm)
  md = message_digest.digest
  md.update(@cert.to_der)
  md.to_s
end

- (Boolean) has_private_key?

Boolean of whether the object contains a private key

Returns:

  • (Boolean)

    Boolean of whether the object contains a private key



122
123
124
125
126
127
128
 
# File 'lib/r509/cert.rb', line 122

def has_private_key?
  if not @key.nil?
    true
  else
    false
  end
end

- (String) hexserial

Returns the serial number of the certificate in hexadecimal form

Returns:

  • (String) 


68
69
70
 
# File 'lib/r509/cert.rb', line 68

def hexserial
  @cert.serial.to_s(16)
end

- (R509::Cert::Extensions::InhibitAnyPolicy) inhibit_any_policy

Returns this object's InhibitAnyPolicy extension as an R509 extension

if this cert does not have a InhibitAnyPolicy extension.

Returns:



288
289
290
 
# File 'lib/r509/cert.rb', line 288

def inhibit_any_policy
  return extensions[R509::Cert::Extensions::InhibitAnyPolicy]
end

- (Boolean) is_revoked_by_crl?(r509_crl)

Checks the given CRL for this certificate's serial number. Note that this does NOT check to verify that the CRL you're checking is signed by the same CA as the cert so do that check yourself

Parameters:

Returns:

  • (Boolean) 


167
168
169
 
# File 'lib/r509/cert.rb', line 167

def is_revoked_by_crl?( r509_crl )
  return r509_crl.revoked?( self.serial )
end

- (String) key_algorithm Originally defined in module Helpers

Returns key algorithm (RSA/DSA/EC)

Returns:

  • (String)

    value of the key algorithm.

- (R509::Cert::Extensions::KeyUsage) key_usage Also known as: ku

Returns this object's KeyUsage extension as an R509 extension

if this cert does not have a KeyUsage extension.

Returns:



210
211
212
 
# File 'lib/r509/cert.rb', line 210

def key_usage
  return extensions[R509::Cert::Extensions::KeyUsage]
end

- (R509::Cert::Extensions::NameConstraints) name_constraints

Returns this object's NameConstraints extension as an R509 extension

if this cert does not have a NameConstraints extension.

Returns:



304
305
306
 
# File 'lib/r509/cert.rb', line 304

def name_constraints
  return extensions[R509::Cert::Extensions::NameConstraints]
end

- (Time) not_after

Returns ending (notAfter) of certificate validity period

Returns:

  • (Time)

    time object



75
76
77
 
# File 'lib/r509/cert.rb', line 75

def not_after
  @cert.not_after
end

- (Time) not_before

Returns beginning (notBefore) of certificate validity period

Returns:

  • (Time)

    time object



54
55
56
 
# File 'lib/r509/cert.rb', line 54

def not_before
  @cert.not_before
end

- (Boolean) ocsp_no_check?

Returns true if the OCSP No Check extension is present (value is irrelevant to this extension)

Returns:

  • (Boolean)

    presence/absence of the nocheck extension



272
273
274
 
# File 'lib/r509/cert.rb', line 272

def ocsp_no_check?
  return (extensions.has_key?(R509::Cert::Extensions::OCSPNoCheck))
end

- (R509::Cert::Extensions::PolicyConstraints) policy_constraints

Returns this object's PolicyConstraints extension as an R509 extension

if this cert does not have a PolicyConstraints extension.

Returns:



296
297
298
 
# File 'lib/r509/cert.rb', line 296

def policy_constraints
  return extensions[R509::Cert::Extensions::PolicyConstraints]
end

- (OpenSSL::PKey::RSA) public_key

Returns the certificate public key

Returns:

  • (OpenSSL::PKey::RSA)

    public key object



82
83
84
 
# File 'lib/r509/cert.rb', line 82

def public_key
  @cert.public_key
end

- (Boolean) rsa? Originally defined in module Helpers

Returns whether the public key is RSA

Returns:

  • (Boolean)

    true if the public key is RSA, false otherwise

- (Integer) serial

Returns the serial number of the certificate in decimal form

Returns:

  • (Integer) 


61
62
63
 
# File 'lib/r509/cert.rb', line 61

def serial
  @cert.serial.to_i
end

- (String) signature_algorithm

Returns signature algorithm

Returns:

  • (String)

    value of the signature algorithm. E.g. sha1WithRSAEncryption, sha256WithRSAEncryption, md5WithRSAEncryption, et cetera



145
146
147
 
# File 'lib/r509/cert.rb', line 145

def signature_algorithm
  @cert.signature_algorithm
end

- (R509::Cert::Extensions::SubjectAlternativeName) subject_alternative_name Also known as: san, subject_alt_name

Returns this object's SubjectAlternativeName extension as an R509 extension

if this cert does not have a SubjectAlternativeName extension.

Returns:



244
245
246
 
# File 'lib/r509/cert.rb', line 244

def subject_alternative_name
  return extensions[R509::Cert::Extensions::SubjectAlternativeName]
end

- (R509::Cert::Extensions::SubjectKeyIdentifier) subject_key_identifier

Returns this object's SubjectKeyIdentifier extension as an R509 extension

if this cert does not have a SubjectKeyIdentifier extension.

Returns:



228
229
230
 
# File 'lib/r509/cert.rb', line 228

def subject_key_identifier
  return extensions[R509::Cert::Extensions::SubjectKeyIdentifier]
end

- (String) to_der Originally defined in module Helpers

Converts the object into DER format

Returns:

  • (String)

    the object converted into DER format.

- (String) to_pem Originally defined in module Helpers

Converts the object into PEM format

Returns:

  • (String)

    the object converted into PEM format.

- (Array) unknown_extensions

Returns an array of OpenSSL::X509::Extension objects representing the extensions that do not have R509 implementations.

Returns:

  • (Array)

    An array of OpenSSL::X509::Extension objects.



190
191
192
 
# File 'lib/r509/cert.rb', line 190

def unknown_extensions
  return Extensions.get_unknown_extensions( self.cert.extensions )
end

- (Boolean) valid?

Returns whether the current time is between the notBefore and notAfter times in the certificate.

Returns:

  • (Boolean) 


101
102
103
 
# File 'lib/r509/cert.rb', line 101

def valid?
  valid_at?(Time.now)
end

- (Boolean) valid_at?(time)

Returns whether the certificate was between its notBefore and notAfter at the time provided

Parameters:

  • time (Time, Integer)

    Time object or integer timestamp

Returns:

  • (Boolean) 


109
110
111
112
113
114
115
116
117
118
119
 
# File 'lib/r509/cert.rb', line 109

def valid_at?(time)
  if time.kind_of?(Integer)
    time = Time.at(time)
  end

  if (self.not_after < time) or (self.not_before > time)
    false
  else
    true
  end
end

- (Object) write_der(filename_or_io) Originally defined in module Helpers

Writes the object into DER format

Parameters:

  • filename_or_io (String, #write)

    Either a string of the path for the file that you'd like to write, or an IO-like object.

- (Object) write_pem(filename_or_io) Originally defined in module Helpers

Writes the object into PEM format

Parameters:

  • filename_or_io (String, #write)

    Either a string of the path for the file that you'd like to write, or an IO-like object.

- (Object) write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12')

Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3)

Parameters:

  • filename_or_io (String, #write)

    Either a string of the path for the file that you'd like to write, or an IO-like object.

  • password (String)

    password

  • friendly_name (String) (defaults to: 'r509 pkcs12')

    An optional string to encode in the PKCS12 for friendlyName. defaults to “r509 pkcs12”



154
155
156
157
158
159
160
 
# File 'lib/r509/cert.rb', line 154

def write_pkcs12(filename_or_io,password,friendly_name='r509 pkcs12')
  if @key.nil?
    raise R509::R509Error, "Writing a PKCS12 requires both key and cert"
  end
  pkcs12 = OpenSSL::PKCS12.create(password,friendly_name,@key.key,@cert)
  write_data(filename_or_io, pkcs12.to_der)
end