Class: R509::Cert

Inherits:

Object

• Object
• R509::Cert

Includes:

Helpers, IOHelpers

Defined in:

lib/r509/cert.rb,
lib/r509/cert/extensions/base.rb,
lib/r509/cert/extensions/key_usage.rb,
lib/r509/cert/extensions/ocsp_no_check.rb,
lib/r509/cert/extensions/name_constraints.rb,
lib/r509/cert/extensions/validation_mixin.rb,
lib/r509/cert/extensions/basic_constraints.rb,
lib/r509/cert/extensions/extended_key_usage.rb,
lib/r509/cert/extensions/inhibit_any_policy.rb,
lib/r509/cert/extensions/policy_constraints.rb,
lib/r509/cert/extensions/certificate_policies.rb,
lib/r509/cert/extensions/authority_info_access.rb,
lib/r509/cert/extensions/subject_key_identifier.rb,
lib/r509/cert/extensions/crl_distribution_points.rb,
lib/r509/cert/extensions/authority_key_identifier.rb,
lib/r509/cert/extensions/subject_alternative_name.rb

Overview

The primary certificate object.

Defined Under Namespace

Modules: Extensions

Instance Attribute Summary

• #cert ⇒ Object (also: #internal_obj) readonly

  Returns the value of attribute cert.

• #issuer ⇒ Object readonly

  Returns the value of attribute issuer.

• #key ⇒ Object readonly

  Returns the value of attribute key.

• #subject ⇒ Object readonly

  Returns the value of attribute subject.

Class Method Summary

• .load_from_file(filename) ⇒ R509::Cert

  Helper method to quickly load a cert from the filesystem.

Instance Method Summary

• #all_names ⇒ Array

  Return the CN, as well as all the subject alternative names (SANs).

• #authority_info_access ⇒ R509::Cert::Extensions::AuthorityInfoAccess (also: #aia)

  Returns this object’s AuthorityInfoAccess extension as an R509 extension.

• #authority_key_identifier ⇒ R509::Cert::Extensions::AuthorityKeyIdentifier

  Returns this object’s AuthorityKeyIdentifier extension as an R509 extension.

• #basic_constraints ⇒ R509::Cert::Extensions::BasicConstraints

  Returns this object’s BasicConstraints extension as an R509 extension.

• #certificate_policies ⇒ R509::Cert::Extensions::CertificatePolicies

  Returns this object’s CertificatePolicies extension as an R509 extension.

• #crl_distribution_points ⇒ R509::Cert::Extensions::CRLDistributionPoints (also: #cdp)

  Returns this object’s CRLDistributionPoints extension as an R509 extension.

• #extended_key_usage ⇒ R509::Cert::Extensions::ExtendedKeyUsage (also: #eku)

  Returns this object’s ExtendedKeyUsage extension as an R509 extension.

• #extensions ⇒ Hash

  Returns the certificate extensions as a hash of R509::Cert::Extensions specific objects.

• #fingerprint(algorithm = 'sha256') ⇒ String

  Returns the certificate fingerprint with the specified algorithm (default sha256).

• #has_private_key? ⇒ Boolean

  Boolean of whether the object contains a private key.

• #hexserial ⇒ String

  Returns the serial number of the certificate in hexadecimal form.

• #inhibit_any_policy ⇒ R509::Cert::Extensions::InhibitAnyPolicy

  Returns this object’s InhibitAnyPolicy extension as an R509 extension.

• #initialize(opts = {}) ⇒ Cert constructor

  A new instance of Cert.

• #is_revoked_by_crl?(r509_crl) ⇒ Boolean

  Checks the given CRL for this certificate’s serial number.

• #key_usage ⇒ R509::Cert::Extensions::KeyUsage (also: #ku)

  Returns this object’s KeyUsage extension as an R509 extension.

• #name_constraints ⇒ R509::Cert::Extensions::NameConstraints

  Returns this object’s NameConstraints extension as an R509 extension.

• #not_after ⇒ Time

  Returns ending (notAfter) of certificate validity period.

• #not_before ⇒ Time

  Returns beginning (notBefore) of certificate validity period.

• #ocsp_no_check? ⇒ Boolean

  Returns true if the OCSP No Check extension is present (value is irrelevant to this extension).

• #policy_constraints ⇒ R509::Cert::Extensions::PolicyConstraints

  Returns this object’s PolicyConstraints extension as an R509 extension.

• #public_key ⇒ OpenSSL::PKey::RSA

  Returns the certificate public key.

• #serial ⇒ Integer

  Returns the serial number of the certificate in decimal form.

• #signature_algorithm ⇒ String

  Returns signature algorithm.

• #subject_alternative_name ⇒ R509::Cert::Extensions::SubjectAlternativeName (also: #san, #subject_alt_name)

  Returns this object’s SubjectAlternativeName extension as an R509 extension.

• #subject_key_identifier ⇒ R509::Cert::Extensions::SubjectKeyIdentifier

  Returns this object’s SubjectKeyIdentifier extension as an R509 extension.

• #unknown_extensions ⇒ Array

  Returns an array of OpenSSL::X509::Extension objects representing the extensions that do not have R509 implementations.

• #valid? ⇒ Boolean

  Returns whether the current time is between the notBefore and notAfter times in the certificate.

• #valid_at?(time) ⇒ Boolean

  Returns whether the certificate was between its notBefore and notAfter at the time provided.

• #write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12') ⇒ Object

  Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3).

Methods included from Helpers

#bit_length, #curve_name, #dsa?, #ec?, #key_algorithm, #load_private_key, #rsa?, #to_der, #to_pem, #write_der, #write_pem

Methods included from IOHelpers

#read_data, read_data, write_data, #write_data

Constructor Details

#initialize(opts = {}) ⇒ Cert

Returns a new instance of Cert.

Parameters:

• opts (Hash) (defaults to: {}) —

  a customizable set of options

Options Hash (opts):

• :cert (String, OpenSSL::X509::Certificate) —

  a cert

• :key (R509::PrivateKey, String) —

  optional private key to supply. either an unencrypted PEM/DER string or an R509::PrivateKey object (use the latter if you need password/hardware support)

• :pkcs12 (String) —

  a PKCS12 object containing both key and cert

• :password (String) —

  password for PKCS12 or private key (if supplied)

# File 'lib/r509/cert.rb', line 19

def initialize(opts = {})
  unless opts.is_a?(Hash)
    raise ArgumentError, 'Must provide a hash of options'
  end
  if opts.key?(:pkcs12) && ( opts.key?(:key) || opts.key?(:cert))
    raise ArgumentError, "When providing pkcs12, do not pass cert or key"
  elsif opts.key?(:pkcs12)
    pkcs12 = OpenSSL::PKCS12.new(opts[:pkcs12], opts[:password])
    parse_certificate(pkcs12.certificate)
    parse_private_key(pkcs12.key)
  elsif !opts.key?(:cert)
    raise ArgumentError, 'Must provide :cert or :pkcs12'
  else
    csr_check(opts[:cert])
    parse_certificate(opts[:cert])
  end

  if opts.key?(:key)
    parse_private_key(opts[:key], opts[:password])
  end
end

Instance Attribute Details

#cert ⇒ Object (readonly) Also known as: internal_obj

Returns the value of attribute cert.

# File 'lib/r509/cert.rb', line 13

def cert
  @cert
end

#issuer ⇒ Object (readonly)

Returns the value of attribute issuer.

# File 'lib/r509/cert.rb', line 13

def issuer
  @issuer
end

#key ⇒ Object (readonly)

Returns the value of attribute key.

# File 'lib/r509/cert.rb', line 13

def key
  @key
end

#subject ⇒ Object (readonly)

Returns the value of attribute subject.

# File 'lib/r509/cert.rb', line 13

def subject
  @subject
end

Class Method Details

.load_from_file(filename) ⇒ R509::Cert

Helper method to quickly load a cert from the filesystem

Parameters:

• filename (String) —

  Path to file you want to load

Returns:

• (R509::Cert) —

  cert object

# File 'lib/r509/cert.rb', line 45

def self.load_from_file(filename)
  R509::Cert.new(:cert => IOHelpers.read_data(filename))
end

Instance Method Details

#all_names ⇒ Array

Return the CN, as well as all the subject alternative names (SANs).

Returns:

• (Array) —

  the array of names. Returns an empty array if there are no names, at all. Discards SAN types

# File 'lib/r509/cert.rb', line 130

def all_names
  ret = []
  ret << @subject.CN unless @subject.CN.nil?
  ret.concat(self.san.names.map { |n| n.value }) unless self.san.nil?

  ret.sort.uniq
end

#authority_info_access ⇒ R509::Cert::Extensions::AuthorityInfoAccess Also known as: aia

Returns this object’s AuthorityInfoAccess extension as an R509 extension

if this cert does not have a AuthorityInfoAccess extension.

Returns:

• (R509::Cert::Extensions::AuthorityInfoAccess) —

  The object, or nil

# File 'lib/r509/cert.rb', line 250

def authority_info_access
  extensions[R509::Cert::Extensions::AuthorityInfoAccess]
end

#authority_key_identifier ⇒ R509::Cert::Extensions::AuthorityKeyIdentifier

Returns this object’s AuthorityKeyIdentifier extension as an R509 extension

if this cert does not have a AuthorityKeyIdentifier extension.

Returns:

• (R509::Cert::Extensions::AuthorityKeyIdentifier) —

  The object, or nil

# File 'lib/r509/cert.rb', line 232

def authority_key_identifier
  extensions[R509::Cert::Extensions::AuthorityKeyIdentifier]
end

#basic_constraints ⇒ R509::Cert::Extensions::BasicConstraints

Returns this object’s BasicConstraints extension as an R509 extension

if this cert does not have a BasicConstraints extension.

Returns:

• (R509::Cert::Extensions::BasicConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 198

def basic_constraints
  extensions[R509::Cert::Extensions::BasicConstraints]
end

#certificate_policies ⇒ R509::Cert::Extensions::CertificatePolicies

Returns this object’s CertificatePolicies extension as an R509 extension

if this cert does not have a CertificatePolicies extension.

Returns:

• (R509::Cert::Extensions::CertificatePolicies) —

  The object, or nil

# File 'lib/r509/cert.rb', line 276

def certificate_policies
  extensions[R509::Cert::Extensions::CertificatePolicies]
end

#crl_distribution_points ⇒ R509::Cert::Extensions::CRLDistributionPoints Also known as: cdp

Returns this object’s CRLDistributionPoints extension as an R509 extension

if this cert does not have a CRLDistributionPoints extension.

Returns:

• (R509::Cert::Extensions::CRLDistributionPoints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 259

def crl_distribution_points
  extensions[R509::Cert::Extensions::CRLDistributionPoints]
end

#extended_key_usage ⇒ R509::Cert::Extensions::ExtendedKeyUsage Also known as: eku

Returns this object’s ExtendedKeyUsage extension as an R509 extension

if this cert does not have a ExtendedKeyUsage extension.

Returns:

• (R509::Cert::Extensions::ExtendedKeyUsage) —

  The object, or nil

# File 'lib/r509/cert.rb', line 215

def extended_key_usage
  extensions[R509::Cert::Extensions::ExtendedKeyUsage]
end

#extensions ⇒ Hash

Returns the certificate extensions as a hash of R509::Cert::Extensions specific objects.

R509::Cert::Extensions module, each specific to the extension. The hash is keyed with the R509 extension class. Extensions without an R509 implementation are ignored (see #get_unknown_extensions).

Returns:

• (Hash) —

  A hash, in which the values are classes from the

# File 'lib/r509/cert.rb', line 174

def extensions
  if @r509_extensions.nil?
    @r509_extensions = Extensions.wrap_openssl_extensions(self.cert.extensions)
  end

  @r509_extensions
end

#fingerprint(algorithm = 'sha256') ⇒ String

Returns the certificate fingerprint with the specified algorithm (default sha256)

Parameters:

• algorithm (String) (defaults to: 'sha256') —

  Which algorithm to use for the fingerprint. See R509::MessageDigest for supported algorithm names

Returns:

• (String) —

  hex digest of the certificate

# File 'lib/r509/cert.rb', line 90

def fingerprint(algorithm = 'sha256')
  message_digest = R509::MessageDigest.new(algorithm)
  md = message_digest.digest
  md.update(@cert.to_der)
  md.to_s
end

#has_private_key? ⇒ Boolean

Returns Boolean of whether the object contains a private key.

Returns:

• (Boolean) —

  Boolean of whether the object contains a private key

# File 'lib/r509/cert.rb', line 122

def has_private_key?
  !@key.nil?
end

#hexserial ⇒ String

Returns the serial number of the certificate in hexadecimal form

Returns:

• (String)

# File 'lib/r509/cert.rb', line 68

def hexserial
  @cert.serial.to_s(16)
end

#inhibit_any_policy ⇒ R509::Cert::Extensions::InhibitAnyPolicy

Returns this object’s InhibitAnyPolicy extension as an R509 extension

if this cert does not have a InhibitAnyPolicy extension.

Returns:

• (R509::Cert::Extensions::InhibitAnyPolicy) —

  The object, or nil

# File 'lib/r509/cert.rb', line 284

def inhibit_any_policy
  extensions[R509::Cert::Extensions::InhibitAnyPolicy]
end

#is_revoked_by_crl?(r509_crl) ⇒ Boolean

Checks the given CRL for this certificate’s serial number. Note that this does NOT check to verify that the CRL you’re checking is signed by the same CA as the cert so do that check yourself

Parameters:

• r509_crl (R509::CRL::SignedList) —

  A CRL from the CA that issued this certificate.

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 163

def is_revoked_by_crl?(r509_crl)
  r509_crl.revoked?(self.serial)
end

#key_usage ⇒ R509::Cert::Extensions::KeyUsage Also known as: ku

Returns this object’s KeyUsage extension as an R509 extension

if this cert does not have a KeyUsage extension.

Returns:

• (R509::Cert::Extensions::KeyUsage) —

  The object, or nil

# File 'lib/r509/cert.rb', line 206

def key_usage
  extensions[R509::Cert::Extensions::KeyUsage]
end

#name_constraints ⇒ R509::Cert::Extensions::NameConstraints

Returns this object’s NameConstraints extension as an R509 extension

if this cert does not have a NameConstraints extension.

Returns:

• (R509::Cert::Extensions::NameConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 300

def name_constraints
  extensions[R509::Cert::Extensions::NameConstraints]
end

#not_after ⇒ Time

Returns ending (notAfter) of certificate validity period

Returns:

• (Time) —

  time object

# File 'lib/r509/cert.rb', line 75

def not_after
  @cert.not_after
end

#not_before ⇒ Time

Returns beginning (notBefore) of certificate validity period

Returns:

• (Time) —

  time object

# File 'lib/r509/cert.rb', line 54

def not_before
  @cert.not_before
end

#ocsp_no_check? ⇒ Boolean

Returns true if the OCSP No Check extension is present (value is irrelevant to this extension)

Returns:

• (Boolean) —

  presence/absence of the nocheck extension

# File 'lib/r509/cert.rb', line 268

def ocsp_no_check?
  (extensions.key?(R509::Cert::Extensions::OCSPNoCheck))
end

#policy_constraints ⇒ R509::Cert::Extensions::PolicyConstraints

Returns this object’s PolicyConstraints extension as an R509 extension

if this cert does not have a PolicyConstraints extension.

Returns:

• (R509::Cert::Extensions::PolicyConstraints) —

  The object, or nil

# File 'lib/r509/cert.rb', line 292

def policy_constraints
  extensions[R509::Cert::Extensions::PolicyConstraints]
end

#public_key ⇒ OpenSSL::PKey::RSA

Returns the certificate public key

Returns:

• (OpenSSL::PKey::RSA) —

  public key object

# File 'lib/r509/cert.rb', line 82

def public_key
  @cert.public_key
end

#serial ⇒ Integer

Returns the serial number of the certificate in decimal form

Returns:

• (Integer)

# File 'lib/r509/cert.rb', line 61

def serial
  @cert.serial.to_i
end

#signature_algorithm ⇒ String

Returns signature algorithm

Returns:

• (String) —

  value of the signature algorithm. E.g. sha1WithRSAEncryption, sha256WithRSAEncryption, md5WithRSAEncryption, et cetera

# File 'lib/r509/cert.rb', line 141

def signature_algorithm
  @cert.signature_algorithm
end

#subject_alternative_name ⇒ R509::Cert::Extensions::SubjectAlternativeName Also known as: san, subject_alt_name

Returns this object’s SubjectAlternativeName extension as an R509 extension

if this cert does not have a SubjectAlternativeName extension.

Returns:

• (R509::Cert::Extensions::SubjectAlternativeName) —

  The object, or nil

# File 'lib/r509/cert.rb', line 240

def subject_alternative_name
  extensions[R509::Cert::Extensions::SubjectAlternativeName]
end

#subject_key_identifier ⇒ R509::Cert::Extensions::SubjectKeyIdentifier

Returns this object’s SubjectKeyIdentifier extension as an R509 extension

if this cert does not have a SubjectKeyIdentifier extension.

Returns:

• (R509::Cert::Extensions::SubjectKeyIdentifier) —

  The object, or nil

# File 'lib/r509/cert.rb', line 224

def subject_key_identifier
  extensions[R509::Cert::Extensions::SubjectKeyIdentifier]
end

#unknown_extensions ⇒ Array

Returns an array of OpenSSL::X509::Extension objects representing the extensions that do not have R509 implementations.

Returns:

• (Array) —

  An array of OpenSSL::X509::Extension objects.

# File 'lib/r509/cert.rb', line 186

def unknown_extensions
  Extensions.get_unknown_extensions(self.cert.extensions)
end

#valid? ⇒ Boolean

Returns whether the current time is between the notBefore and notAfter times in the certificate.

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 101

def valid?
  valid_at?(Time.now)
end

#valid_at?(time) ⇒ Boolean

Returns whether the certificate was between its notBefore and notAfter at the time provided

Parameters:

• time (Time, Integer) —

  Time object or integer timestamp

Returns:

• (Boolean)

# File 'lib/r509/cert.rb', line 109

def valid_at?(time)
  if time.is_a?(Integer)
    time = Time.at(time)
  end

  if (self.not_after < time) || (self.not_before > time)
    false
  else
    true
  end
end

#write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12') ⇒ Object

Writes cert and key into PKCS12 format using OpenSSL defaults for encryption (des3)

Parameters:

• filename_or_io (String, #write) —

  Either a string of the path for the file that you’d like to write, or an IO-like object.

• password (String) —

  password

• friendly_name (String) (defaults to: 'r509 pkcs12') —

  An optional string to encode in the PKCS12 for friendlyName. defaults to “r509 pkcs12”

# File 'lib/r509/cert.rb', line 150

def write_pkcs12(filename_or_io, password, friendly_name = 'r509 pkcs12')
  if @key.nil?
    raise R509::R509Error, "Writing a PKCS12 requires both key and cert"
  end
  pkcs12 = OpenSSL::PKCS12.create(password, friendly_name, @key.key, @cert)
  write_data(filename_or_io, pkcs12.to_der)
end