Class: R509::CSR

Inherits:
Object
  • Object
show all
Includes:
Helpers
Defined in:
lib/r509/csr.rb

Overview

The primary certificate signing request object

Instance Attribute Summary (collapse)

Class Method Summary (collapse)

Instance Method Summary (collapse)

Constructor Details

- (CSR) initialize(opts = {})

A new instance of CSR

Examples:

Generate a 4096-bit RSA key + CSR

:type => "RSA",
:bit_length => 4096,
:subject => [
  ['CN','somedomain.com'],
  ['O','My Org'],
  ['L','City'],
  ['ST','State'],
  ['C','US']
]

Generate a 2048-bit RSA key + CSR

:type => "RSA",
:bit_length => 4096,
:subject => { :CN => "myCN", :O => "org" }

Generate an ECDSA key using the secp384r1 curve parameters + CSR and sign with SHA512

:type => "EC",
:curve_name => 'secp384r1',
:message_digest => 'sha512',
:subject => [
  ['CN','somedomain.com'],
]

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :csr (String, OpenSSL::X509::Request)

    a csr

  • :type (String)

    Required if not providing existing :csr. Defaults to R509::PrivateKey::DEFAULT_TYPE. Allows R509::PrivateKey::KNOWN_TYPES.

  • :curve_name (String) — default: "secp384r1"

    Only used if :type is EC

  • :bit_length (Integer) — default: 2048

    Only used if :type is RSA or DSA

  • :bit_strength (Integer) — default: 2048

    Deprecated, identical to bit_length.

  • :message_digest (String)

    Optional digest. sha1, sha224, sha256, sha384, sha512, md5. Defaults to sha1

  • :san_names (Array, R509::ASN1::GeneralNames)

    List of domains, IPs, email addresses, or URIs to encode as subjectAltNames. The type is determined from the structure of the strings via the R509::ASN1.general_name_parser method. You can also pass an explicit R509::ASN1::GeneralNames object. Parsed names will be uniqued, but a GeneralNames object will not be touched.

  • :subject (R509::Subject, Array, OpenSSL::X509::Name)

    array of subject items

  • :key (R509::PrivateKey, String)

    optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support)



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# File 'lib/r509/csr.rb', line 46

def initialize(opts={})
  if not opts.kind_of?(Hash)
    raise ArgumentError, 'Must provide a hash of options'
  end
  if opts.has_key?(:subject) and opts.has_key?(:csr)
    raise ArgumentError, "You must provide :subject or :csr, not both"
  end
  @bit_length = opts[:bit_length] || opts[:bit_strength] || R509::PrivateKey::DEFAULT_STRENGTH
  @curve_name = opts[:curve_name] || R509::PrivateKey::DEFAULT_CURVE

  @key = load_private_key(opts)


  @type = opts[:type] || R509::PrivateKey::DEFAULT_TYPE
  if not R509::PrivateKey::KNOWN_TYPES.include?(@type.upcase) and @key.nil?
    raise ArgumentError, "Must provide #{R509::PrivateKey::KNOWN_TYPES.join(", ")} as type when key is nil"
  end

  if opts.has_key?(:subject)
    san_names = R509::ASN1.general_name_parser(opts[:san_names])
    create_request(opts[:subject], san_names) #sets @req
  elsif opts.has_key?(:csr)
    if opts.has_key?(:san_names)
      raise ArgumentError, "You can't add domains to an existing CSR"
    end
    parse_csr(opts[:csr])
  else
    raise ArgumentError, "You must provide :subject or :csr"
  end

  if dsa?
    #only DSS1 is acceptable for DSA signing in OpenSSL < 1.0
    #post-1.0 you can sign with anything, but let's be conservative
    #see: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKey/DSA.html
    @message_digest = R509::MessageDigest.new('dss1')
  else
    @message_digest = R509::MessageDigest.new(opts[:message_digest])
  end

  if not opts.has_key?(:csr)
    @req.sign(@key.key, @message_digest.digest)
  end
  if not @key.nil? and not @req.verify(@key.public_key) then
    raise R509Error, 'Key does not match request.'
  end

end

Instance Attribute Details

- (Object) attributes (readonly)

Returns the value of attribute attributes



15
16
17
# File 'lib/r509/csr.rb', line 15

def attributes
  @attributes
end

- (Object) key (readonly)

Returns the value of attribute key



15
16
17
# File 'lib/r509/csr.rb', line 15

def key
  @key
end

- (Object) message_digest (readonly)

Returns the value of attribute message_digest



15
16
17
# File 'lib/r509/csr.rb', line 15

def message_digest
  @message_digest
end

- (Object) req (readonly)

Returns the value of attribute req



15
16
17
# File 'lib/r509/csr.rb', line 15

def req
  @req
end

- (Object) san (readonly)

Returns the value of attribute san



15
16
17
# File 'lib/r509/csr.rb', line 15

def san
  @san
end

- (Object) subject (readonly)

Returns the value of attribute subject



15
16
17
# File 'lib/r509/csr.rb', line 15

def subject
  @subject
end

Class Method Details

+ (R509::CSR) load_from_file(filename)

Helper method to quickly load a CSR from the filesystem

Parameters:

  • filename (String)

    Path to file you want to load

Returns:



98
99
100
# File 'lib/r509/csr.rb', line 98

def self.load_from_file( filename )
  return R509::CSR.new(:csr => IOHelpers.read_data(filename) )
end

Instance Method Details

- (Integer) bit_length Also known as: bit_strength Originally defined in module Helpers

Returns the bit length of the key

Returns:

  • (Integer)

    the integer bit length.

- (String) curve_name Originally defined in module Helpers

Returns the short name of the elliptic curve used to generate the public key if the key is EC. If not, raises an error.

Returns:

  • (String)

    elliptic curve name

- (Boolean) dsa? Originally defined in module Helpers

Returns whether the public key is DSA

Returns:

  • (Boolean)

    true if the public key is DSA, false otherwise

- (Boolean) ec? Originally defined in module Helpers

Returns whether the public key is EC

Returns:

  • (Boolean)

    true if the public key is EC, false otherwise

- (Boolean) has_private_key?

Boolean of whether the object contains a private key

Returns:

  • (Boolean)

    Boolean of whether the object contains a private key



116
117
118
119
120
121
122
# File 'lib/r509/csr.rb', line 116

def has_private_key?
  if not @key.nil?
    true
  else
    false
  end
end

- (String) key_algorithm

Returns key algorithm (RSA/DSA/EC)

Returns:

  • (String)

    value of the key algorithm. RSA, DSA, or EC



148
149
150
151
152
153
154
155
156
# File 'lib/r509/csr.rb', line 148

def key_algorithm
  if @req.public_key.kind_of? OpenSSL::PKey::RSA then
    "RSA"
  elsif @req.public_key.kind_of? OpenSSL::PKey::DSA then
    "DSA"
  elsif @req.public_key.kind_of? OpenSSL::PKey::EC then
    "EC"
  end
end

- (OpenSSL::PKey::RSA, ...) public_key

Public key

Returns:

  • (OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, OpenSSL::PKey::EC)

    public key



103
104
105
106
107
# File 'lib/r509/csr.rb', line 103

def public_key
  if(@req.kind_of?(OpenSSL::X509::Request)) then
    @req.public_key
  end
end

- (Boolean) rsa? Originally defined in module Helpers

Returns whether the public key is RSA

Returns:

  • (Boolean)

    true if the public key is RSA, false otherwise

- (String) signature_algorithm

Returns signature algorithm

Returns:

  • (String)

    value of the signature algorithm. E.g. sha1WithRSAEncryption, sha256WithRSAEncryption, md5WithRSAEncryption



141
142
143
# File 'lib/r509/csr.rb', line 141

def signature_algorithm
  @req.signature_algorithm
end

- (String) subject_component(short_name)

Returns subject component

Returns:

  • (String)

    value of the subject component requested



129
130
131
132
133
134
135
136
# File 'lib/r509/csr.rb', line 129

def subject_component short_name
  @req.subject.to_a.each do |element|
    if element[0].downcase == short_name.downcase then
      return element[1]
    end
  end
  nil
end

- (String) to_der Originally defined in module Helpers

Converts the object into DER format

Returns:

  • (String)

    the object converted into DER format.

- (String) to_pem Originally defined in module Helpers

Converts the object into PEM format

Returns:

  • (String)

    the object converted into PEM format.

- (Boolean) verify_signature

Verifies the integrity of the signature on the request

Returns:

  • (Boolean)


111
112
113
# File 'lib/r509/csr.rb', line 111

def verify_signature
  @req.verify(public_key)
end

- (Object) write_der(filename_or_io) Originally defined in module Helpers

Writes the object into DER format

Parameters:

  • filename_or_io (String, #write)

    Either a string of the path for the file that you'd like to write, or an IO-like object.

- (Object) write_pem(filename_or_io) Originally defined in module Helpers

Writes the object into PEM format

Parameters:

  • filename_or_io (String, #write)

    Either a string of the path for the file that you'd like to write, or an IO-like object.