Module: Bullion::Helpers::Ssl

Defined in:
lib/bullion/helpers/ssl.rb

Overview

SSL-related helper methods

Instance Method Summary collapse

Instance Method Details

#base64_to_long(data) ⇒ Object 



52
53
54
55
56
 
# File 'lib/bullion/helpers/ssl.rb', line 52

def base64_to_long(data)
  Base64.urlsafe_decode64(data).to_s.unpack("C*").map do |byte|
    to_hex(byte)
  end.join.to_i(16)
end

#base64_to_octet(data) ⇒ Object 



58
59
60
 
# File 'lib/bullion/helpers/ssl.rb', line 58

def base64_to_octet(data)
  Base64.urlsafe_decode64(data)
end

#cn_from_csr(csr) ⇒ Object 



177
178
179
180
181
182
183
184
185
 
# File 'lib/bullion/helpers/ssl.rb', line 177

def cn_from_csr(csr)
  if csr.subject.to_s
    cns = csr.subject.to_s.split("/").grep(/^CN=/)

    return cns.first.split("=").last if cns && !cns.empty?
  end

  csr_sans(csr).first.split(":").last
end

#csr_sans(csr) ⇒ Object 



131
132
133
134
135
136
137
138
139
140
141
142
143
144
 
# File 'lib/bullion/helpers/ssl.rb', line 131

def csr_sans(csr)
  raw_attributes = csr.attributes
  return [] unless raw_attributes

  seq = extract_csr_attrs(csr)
  return [] unless seq

  values = extract_san_values(seq)
  return [] unless values

  values = OpenSSL::ASN1.decode(values).value

  values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
end

#digest_from_alg(alg) ⇒ Object 



62
63
64
65
66
67
68
69
70
 
# File 'lib/bullion/helpers/ssl.rb', line 62

def digest_from_alg(alg)
  if alg.end_with?("256")
    OpenSSL::Digest.new("SHA256")
  elsif alg.end_with?("384")
    OpenSSL::Digest.new("SHA384")
  else
    OpenSSL::Digest.new("SHA512")
  end
end

#ecdsa_sig_to_der(incoming) ⇒ Object

This is for ECDSA keys.

See Also:



74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
# File 'lib/bullion/helpers/ssl.rb', line 74

def ecdsa_sig_to_der(incoming)
  # Base64 decode the signature
  joined_ints = Base64.urlsafe_decode64(incoming)
  # Break it apart into the two 32-byte words
  r = joined_ints[0..31]
  s = joined_ints[32..]
  # Unpack each word to a hex string
  hexnums = [r, s].map { |n| n.unpack1("H*") }
  # Convert each to an Integer
  ints = hexnums.map { |bn| bn.to_i(16) }
  # Convert each Integer to a BigNumber
  bns = ints.map { |int| OpenSSL::BN.new(int) }
  # Wrap each BigNum in a ASN1 encoding
  asn1_wrapped = bns.map { |bn| OpenSSL::ASN1::Integer.new(bn) }
  # Create an ASN1 sequence from the ASN1-wrapped Integers
  seq = OpenSSL::ASN1::Sequence.new(asn1_wrapped)
  # Return the DER-encoded sequence for verification
  seq.to_der
end

#extract_csr_attrs(csr) ⇒ Object 



146
147
148
 
# File 'lib/bullion/helpers/ssl.rb', line 146

def extract_csr_attrs(csr)
  csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
end

#extract_csr_domains(csr_sans) ⇒ Object 



154
155
156
157
 
# File 'lib/bullion/helpers/ssl.rb', line 154

def extract_csr_domains(csr_sans)
  csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
  csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
end

#extract_csr_sans(csr_attrs) ⇒ Object 



150
151
152
 
# File 'lib/bullion/helpers/ssl.rb', line 150

def extract_csr_sans(csr_attrs)
  csr_attrs.flatten.select { |a| a.value.first.value == "subjectAltName" }
end

#extract_san_values(sequence) ⇒ Object 



159
160
161
162
163
164
165
166
167
168
 
# File 'lib/bullion/helpers/ssl.rb', line 159

def extract_san_values(sequence)
  unpacked_sequence = sequence
  unpacked_sequence = unpacked_sequence.first while unpacked_sequence.first.is_a?(Array)
  seqvalues = nil
  unpacked_sequence.each do |outer_value|
    seqvalues = outer_value.value[1].value if outer_value.value[0].value == "subjectAltName"
    break if seqvalues
  end
  seqvalues
end

#filter_sans(potential_sans) ⇒ Object 



170
171
172
173
174
175
 
# File 'lib/bullion/helpers/ssl.rb', line 170

def filter_sans(potential_sans)
  # Select only those that are part of the appropriate domain
  potential_sans.select do |alt|
    CA_DOMAINS.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
  end
end

#key_data_to_ecdsa(key_data) ⇒ Object 



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
# File 'lib/bullion/helpers/ssl.rb', line 36

def key_data_to_ecdsa(key_data)
  crv_mapping = {
    "P-256" => "prime256v1",
    "P-384" => "secp384r1",
    "P-521" => "secp521r1"
  }

  key = OpenSSL::PKey::EC.new(crv_mapping[key_data["crv"]])
  x = base64_to_octet(key_data["x"])
  y = base64_to_octet(key_data["y"])

  key_bn = OpenSSL::BN.new("\x04#{x}#{y}", 2)
  key.public_key = OpenSSL::PKey::EC::Point.new(key.group, key_bn)
  key
end

#key_data_to_rsa(key_data) ⇒ Object

See Also:



23
24
25
26
27
28
29
30
31
32
33
34
 
# File 'lib/bullion/helpers/ssl.rb', line 23

def key_data_to_rsa(key_data)
  key = OpenSSL::PKey::RSA.new
  exponent = key_data["e"]
  modulus = key_data["n"]

  key.set_key(
    base64_to_long(modulus),
    base64_to_long(exponent),
    nil
  )
  key
end

#manage_csr_extensions(csr, new_cert) ⇒ Object 



102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
 
# File 'lib/bullion/helpers/ssl.rb', line 102

def manage_csr_extensions(csr, new_cert)
  # Build extensions
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = new_cert
  ef.issuer_certificate = Bullion.ca_cert
  new_cert.add_extension(
    ef.create_extension("basicConstraints", "CA:FALSE", true)
  )
  new_cert.add_extension(
    ef.create_extension("keyUsage", "keyEncipherment,dataEncipherment,digitalSignature", true)
  )
  new_cert.add_extension(
    ef.create_extension("subjectKeyIdentifier", "hash")
  )
  new_cert.add_extension(
    ef.create_extension("extendedKeyUsage", "serverAuth")
  )

  # Alternate Names
  cn = cn_from_csr(csr)
  existing_sans = filter_sans(csr_sans(csr))
  valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq

  new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))

  # return the updated cert and any subject alternate names added
  [new_cert, valid_alts]
end

#openssl_compat(key_data) ⇒ Object

Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures



8
9
10
11
12
13
14
15
 
# File 'lib/bullion/helpers/ssl.rb', line 8

def openssl_compat(key_data)
  case key_data["kty"]
  when "RSA"
    key_data_to_rsa(key_data)
  when "EC"
    key_data_to_ecdsa(key_data)
  end
end

#openssl_compat_csr(csrdata) ⇒ Object 



17
18
19
20
 
# File 'lib/bullion/helpers/ssl.rb', line 17

def openssl_compat_csr(csrdata)
  "-----BEGIN CERTIFICATE REQUEST-----\n" \
    "#{csrdata}-----END CERTIFICATE REQUEST-----"
end

#sign_csr(csr, username) ⇒ Object

Signs an ACME CSR rubocop:disable Metrics/AbcSize



189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
 
# File 'lib/bullion/helpers/ssl.rb', line 189

def sign_csr(csr, username)
  cert = Models::Certificate.from_csr(csr)
  # Create a OpenSSL cert using select info from the CSR
  csr_cert = OpenSSL::X509::Certificate.new
  csr_cert.serial = cert.serial
  csr_cert.version = 2
  csr_cert.not_before = Time.now
  # only 90 days for ACMEv2
  csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)

  # Force a subject if the cert doesn't have one
  cert.subject = simple_subject(cn_from_csr(csr)) unless cert.subject

  csr_cert.subject = simple_subject(cert.subject.to_s)

  csr_cert.public_key = csr.public_key
  csr_cert.issuer = Bullion.ca_cert.issuer

  csr_cert, sans = manage_csr_extensions(csr, csr_cert)

  csr_cert.sign(Bullion.ca_key, OpenSSL::Digest.new("SHA256"))

  cert.data = csr_cert.to_pem
  cert.alternate_names = sans unless sans.empty?
  cert.requester = username
  cert.validated = true
  cert.save

  [csr_cert, cert.id]
end

#simple_subject(common_name) ⇒ Object 



98
99
100
 
# File 'lib/bullion/helpers/ssl.rb', line 98

def simple_subject(common_name)
  OpenSSL::X509::Name.new([["CN", common_name, OpenSSL::ASN1::UTF8STRING]])
end

#to_hex(int) ⇒ Object 



94
95
96
 
# File 'lib/bullion/helpers/ssl.rb', line 94

def to_hex(int)
  int < 16 ? "0#{int.to_s(16)}" : int.to_s(16)
end