authority.rb in localhost-1.1.9

- old
+ new

@@ -20,63 +20,99 @@
 
 require 'yaml'
 require 'openssl'
 
 module Localhost
+	# Represents a single public/private key pair for a given hostname.
 	class Authority
 		def self.path
 			File.expand_path("~/.localhost")
 		end
 		
-		def self.fetch(*args)
-			authority = self.new(*args)
-			path = self.path
+		# List all certificate authorities in the given directory:
+		def self.list(root = self.path)
+			return to_enum(:list) unless block_given?
 			
-			unless authority.load(path)
-				Dir.mkdir(path, 0700) unless File.directory?(path)
+			Dir.glob("*.crt", base: root) do |path|
+				name = File.basename(path, ".crt")
 				
-				authority.save(path)
+				authority = self.new(name, root: root)
+				
+				if authority.load
+					yield authority
+				end
 			end
+		end
+		
+		# Fetch (load or create) a certificate with the given hostname.
+		# See {#initialize} for the format of the arguments.
+		def self.fetch(*arguments, **options)
+			authority = self.new(*arguments, **options)
 			
+			unless authority.load
+				authority.save
+			end
+			
 			return authority
 		end
 		
-		def initialize(hostname = "localhost")
+		# Create an authority forn the given hostname.
+		# @parameter hostname [String] The common name to use for the certificate.
+		# @parameter root [String] The root path for loading and saving the certificate.
+		def initialize(hostname = "localhost", root: self.class.path)
+			@root = root
 			@hostname = hostname
 			
 			@key = nil
 			@name = nil
 			@certificate = nil
 			@store = nil
 		end
 		
+		# The hostname of the certificate authority.
+		attr :hostname
+		
 		BITS = 1024*2
 		
 		def ecdh_key
 			@ecdh_key ||= OpenSSL::PKey::EC.new "prime256v1"
 		end
 		
 		def dh_key
 			@dh_key ||= OpenSSL::PKey::DH.new(BITS)
 		end
 		
+		# The private key path.
+		def key_path
+			File.join(@root, "#{@hostname}.key")
+		end
+		
+		# The public certificate path.
+		def certificate_path
+			File.join(@root, "#{@hostname}.crt")
+		end
+		
+		# The private key.
 		def key
 			@key ||= OpenSSL::PKey::RSA.new(BITS)
 		end
 		
 		def key= key
 			@key = key
 		end
 		
+		# The certificate name.
 		def name
 			@name ||= OpenSSL::X509::Name.parse("/O=Development/CN=#{@hostname}")
 		end
 		
 		def name= name
 			@name = name
 		end
 		
+		# The public certificate.
+		# @returns [OpenSSL::X509::Certificate] A self-signed certificate.
 		def certificate
 			@certificate ||= OpenSSL::X509::Certificate.new.tap do |certificate|
 				certificate.subject = self.name
 				# We use the same issuer as the subject, which makes this certificate self-signed:
 				certificate.issuer = self.name
@@ -103,21 +139,22 @@
 				
 				certificate.sign self.key, OpenSSL::Digest::SHA256.new
 			end
 		end
 		
-		# The certificate store which is used for validating the server certificate:
+		# The certificate store which is used for validating the server certificate.
 		def store
 			@store ||= OpenSSL::X509::Store.new.tap do |store|
 				store.add_cert(self.certificate)
 			end
 		end
 		
 		SERVER_CIPHERS = "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5".freeze
 		
-		def server_context(*args)
-			OpenSSL::SSL::SSLContext.new(*args).tap do |context|
+		# @returns [OpenSSL::SSL::SSLContext] An context suitable for implementing a secure server.
+		def server_context(*arguments)
+			OpenSSL::SSL::SSLContext.new(*arguments).tap do |context|
 				context.key = self.key
 				context.cert = self.certificate
 				
 				context.session_id_context = "localhost"
 				
@@ -136,22 +173,23 @@
 					verify_mode: OpenSSL::SSL::VERIFY_NONE,
 				)
 			end
 		end
 		
+		# @returns [OpenSSL::SSL::SSLContext] An context suitable for connecting to a secure server using this authority.
 		def client_context(*args)
 			OpenSSL::SSL::SSLContext.new(*args).tap do |context|
 				context.cert_store = self.store
 				
 				context.set_params(
 					verify_mode: OpenSSL::SSL::VERIFY_PEER,
 				)
 			end
 		end
 		
-		def load(path)
-			if File.directory? path
+		def load(path = @root)
+			if File.directory?(path)
 				certificate_path = File.join(path, "#{@hostname}.crt")
 				key_path = File.join(path, "#{@hostname}.key")
 				
 				return false unless File.exist?(certificate_path) and File.exist?(key_path)
 				
@@ -166,10 +204,12 @@
 				
 				return true
 			end
 		end
 		
-		def save(path)
+		def save(path = @root)
+			Dir.mkdir(path, 0700) unless File.directory?(path)
+			
 			lockfile_path = File.join(path, "#{@hostname}.lock")
 			
 			File.open(lockfile_path, File::RDWR|File::CREAT, 0644) do |lockfile|
 				lockfile.flock(File::LOCK_EX)
 				