Class: HTTPAccess2::SSLConfig

Inherits:

Object

• Object
• HTTPAccess2::SSLConfig

Defined in:

lib/http-access2.rb

Overview

HTTPAccess2::SSLConfig – SSL configuration of a client.

Instance Attribute Summary

• #cert_store ⇒ Object

  don’t use if you don’t know what it is.

• #ciphers ⇒ Object

  Returns the value of attribute ciphers.

• #client_ca ⇒ Object

  Returns the value of attribute client_ca.

• #client_cert ⇒ Object

  :nodoc:.

• #client_key ⇒ Object

  Returns the value of attribute client_key.

• #options ⇒ Object

  Returns the value of attribute options.

• #timeout ⇒ Object

  Returns the value of attribute timeout.

• #verify_callback ⇒ Object

  Returns the value of attribute verify_callback.

• #verify_depth ⇒ Object

  Returns the value of attribute verify_depth.

• #verify_mode ⇒ Object

  Returns the value of attribute verify_mode.

Instance Method Summary

• #default_verify_callback(is_ok, ctx) ⇒ Object

  Default callback for verification: only dumps error.

• #initialize(client) ⇒ SSLConfig constructor

  A new instance of SSLConfig.

• #post_connection_check(peer_cert, hostname) ⇒ Object

  this definition must match with the one in ext/openssl/lib/openssl/ssl.rb.

• #sample_verify_callback(is_ok, ctx) ⇒ Object

  Sample callback method: CAUTION: does not check CRL/ARL.

• #set_client_cert_file(cert_file, key_file) ⇒ Object
• #set_context(ctx) ⇒ Object

  interfaces for SSLSocketWrap.

• #set_crl(crl_file) ⇒ Object
• #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object

Constructor Details

#initialize(client) ⇒ SSLConfig

Returns a new instance of SSLConfig.

# File 'lib/http-access2.rb', line 506

def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  @client_cert = @client_key = @client_ca = nil
  @verify_mode = OpenSSL::SSL::VERIFY_PEER |
    OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  @options = defined?(OpenSSL::SSL::OP_ALL) ?
    OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 : nil
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
end

Instance Attribute Details

#cert_store ⇒ Object

don’t use if you don’t know what it is.

# File 'lib/http-access2.rb', line 504

def cert_store
  @cert_store
end

#ciphers ⇒ Object

Returns the value of attribute ciphers.

# File 'lib/http-access2.rb', line 502

def ciphers
  @ciphers
end

#client_ca ⇒ Object

Returns the value of attribute client_ca.

# File 'lib/http-access2.rb', line 494

def client_ca
  @client_ca
end

#client_cert ⇒ Object

:nodoc:

# File 'lib/http-access2.rb', line 492

def client_cert
  @client_cert
end

#client_key ⇒ Object

Returns the value of attribute client_key.

# File 'lib/http-access2.rb', line 493

def client_key
  @client_key
end

#options ⇒ Object

Returns the value of attribute options.

# File 'lib/http-access2.rb', line 501

def options
  @options
end

#timeout ⇒ Object

Returns the value of attribute timeout.

# File 'lib/http-access2.rb', line 500

def timeout
  @timeout
end

#verify_callback ⇒ Object

Returns the value of attribute verify_callback.

# File 'lib/http-access2.rb', line 498

def verify_callback
  @verify_callback
end

#verify_depth ⇒ Object

Returns the value of attribute verify_depth.

# File 'lib/http-access2.rb', line 497

def verify_depth
  @verify_depth
end

#verify_mode ⇒ Object

Returns the value of attribute verify_mode.

# File 'lib/http-access2.rb', line 496

def verify_mode
  @verify_mode
end

Instance Method Details

#default_verify_callback(is_ok, ctx) ⇒ Object

Default callback for verification: only dumps error.

# File 'lib/http-access2.rb', line 640

def default_verify_callback(is_ok, ctx)
  if $DEBUG
    puts "#{ is_ok ? 'ok' : 'ng' }: #{ctx.current_cert.subject}"
  end
  if !is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}"
  end
  is_ok
end

#post_connection_check(peer_cert, hostname) ⇒ Object

this definition must match with the one in ext/openssl/lib/openssl/ssl.rb

Raises:

• (OpenSSL::SSL::SSLError)

# File 'lib/http-access2.rb', line 613

def post_connection_check(peer_cert, hostname)
  check_common_name = true
  cert = peer_cert
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each{|general_name|
      if /\ADNS:(.*)/ =~ general_name
        check_common_name = false
        reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      elsif /\AIP Address:(.*)/ =~ general_name
        check_common_name = false
        return true if $1 == hostname
      end
    }
  }
  if check_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN" && value.casecmp(hostname) == 0
        return true
      end
    }
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

#sample_verify_callback(is_ok, ctx) ⇒ Object

Sample callback method: CAUTION: does not check CRL/ARL.

# File 'lib/http-access2.rb', line 654

def sample_verify_callback(is_ok, ctx)
  unless is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
    return false
  end

  cert = ctx.current_cert
  self_signed = false
  ca = false
  pathlen = nil
  server_auth = true
  self_signed = (cert.subject.cmp(cert.issuer) == 0)

  # Check extensions whatever its criticality is. (sample)
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
	/CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
	ca = ($1 == 'TRUE')
	pathlen = $2.to_i
    when 'keyUsage'
	usage = ex.value.split(/\s*,\s*/)
	ca = usage.include?('Certificate Sign')
	server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
	usage = ex.value.split(/\s*,\s*/)
	server_auth = usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
	usage = ex.value.split(/\s*,\s*/)
	ca = usage.include?('SSL CA')
	server_auth = usage.include?('SSL Server')
    end
  end

  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    return true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    return true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    return true
  end

  return false
end

#set_client_cert_file(cert_file, key_file) ⇒ Object

# File 'lib/http-access2.rb', line 522

def set_client_cert_file(cert_file, key_file)
  @client_cert = OpenSSL::X509::Certificate.new(File.open(cert_file).read)
  @client_key = OpenSSL::PKey::RSA.new(File.open(key_file).read)
  change_notify
end

#set_context(ctx) ⇒ Object

interfaces for SSLSocketWrap.

# File 'lib/http-access2.rb', line 597

def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end

#set_crl(crl_file) ⇒ Object

# File 'lib/http-access2.rb', line 537

def set_crl(crl_file)
  crl = OpenSSL::X509::CRL.new(File.open(crl_file).read)
  @cert_store.add_crl(crl)
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end

#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object

# File 'lib/http-access2.rb', line 528

def set_trust_ca(trust_ca_file_or_hashed_dir)
  if FileTest.directory?(trust_ca_file_or_hashed_dir)
    @cert_store.add_path(trust_ca_file_or_hashed_dir)
  else
    @cert_store.add_file(trust_ca_file_or_hashed_dir)
  end
  change_notify
end