Class: Acmesmith::Certificate

Inherits:

Object

• Object
• Acmesmith::Certificate

Defined in:

lib/acmesmith/certificate.rb

Defined Under Namespace

Classes: CertificateExport, PassphraseRequired, PrivateKeyDecrypted

Instance Attribute Summary

• #certificate ⇒ OpenSSL::X509::Certificate readonly
• #chain ⇒ Array<OpenSSL::X509::Certificate> readonly
• #csr ⇒ OpenSSL::X509::Request readonly

Class Method Summary

• .by_issuance(pem_chain, csr) ⇒ Acmesmith::Certificate

  Return Acmesmith::Certificate by an issued certificate.

• .split_pems(pems) ⇒ Array<String>

  Split string containing multiple PEMs into Array of PEM strings.

Instance Method Summary

• #common_name ⇒ String

  Common name.

• #export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ CertificateExport
• #fullchain ⇒ String

  Leaf certificate + full certificate chain.

• #initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil) ⇒ Certificate constructor

  A new instance of Certificate.

• #issuer_pems ⇒ String

  Issuer certificate chain.

• #key_passphrase=(pw) ⇒ Object

  Try to decrypt private_key if encrypted.

• #pkcs12(passphrase) ⇒ OpenSSL::PKCS12
• #private_key ⇒ OpenSSL::PKey::PKey
• #public_key ⇒ OpenSSL::PKey::PKey
• #sans ⇒ Array<String>

  Subject Alternative Names (dNSname).

• #version ⇒ String

  Version string (consists of NotBefore time & certificate serial).

Constructor Details

#initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil) ⇒ Certificate

Returns a new instance of Certificate.

Parameters:

• certificate (OpenSSL::X509::Certificate, String)
• chain (String, Array<String>, Array<OpenSSL::X509::Certificate>)
• private_key (String, OpenSSL::PKey::PKey)
• key_passphrase (String, nil) (defaults to: nil)
• csr (String, OpenSSL::X509::Request, nil) (defaults to: nil)

# File 'lib/acmesmith/certificate.rb', line 31

def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
  @certificate = case certificate
                 when OpenSSL::X509::Certificate
                   certificate
                 when String
                   OpenSSL::X509::Certificate.new(certificate)
                 else
                    raise TypeError, 'certificate is expected to be a String or OpenSSL::X509::Certificate'
                 end
  chain = case chain
          when String
            self.class.split_pems(chain)
          when Array
            chain
          when nil
            []
          else
            raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
          end

  @chain = chain.map { |cert|
    case cert
    when OpenSSL::X509::Certificate
      cert
    when String
      OpenSSL::X509::Certificate.new(cert)
    else
      raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
    end
  }

  case private_key
  when String
    @raw_private_key = private_key
    if key_passphrase
      self.key_passphrase = key_passphrase
    else
      begin
        @private_key = OpenSSL::PKey.read(@raw_private_key) { nil }
      rescue OpenSSL::PKey::PKeyError
        # may be encrypted
      end
    end
  when OpenSSL::PKey::PKey
    @private_key = private_key
  else
    raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::PKey'
  end

  @csr = case csr
         when nil
           nil
         when String
           OpenSSL::X509::Request.new(csr)
         when OpenSSL::X509::Request
           csr
         end
end

Instance Attribute Details

#certificate ⇒ OpenSSL::X509::Certificate (readonly)

Returns:

• (OpenSSL::X509::Certificate)

# File 'lib/acmesmith/certificate.rb', line 91

def certificate
  @certificate
end

#chain ⇒ Array<OpenSSL::X509::Certificate> (readonly)

Returns:

• (Array<OpenSSL::X509::Certificate>)

# File 'lib/acmesmith/certificate.rb', line 93

def chain
  @chain
end

#csr ⇒ OpenSSL::X509::Request (readonly)

Returns:

• (OpenSSL::X509::Request)

# File 'lib/acmesmith/certificate.rb', line 95

def csr
  @csr
end

Class Method Details

.by_issuance(pem_chain, csr) ⇒ Acmesmith::Certificate

Return Acmesmith::Certificate by an issued certificate

Parameters:

• pem_chain (String)
• csr (Acme::Client::CertificateRequest)

Returns:

• (Acmesmith::Certificate)

# File 'lib/acmesmith/certificate.rb', line 21

def self.by_issuance(pem_chain, csr)
  pems = split_pems(pem_chain)
  new(pems[0], pems[1..-1], csr.private_key, nil, csr)
end

.split_pems(pems) ⇒ Array<String>

Split string containing multiple PEMs into Array of PEM strings.

Parameters:

• (String)

Returns:

• (Array<String>)

# File 'lib/acmesmith/certificate.rb', line 13

def self.split_pems(pems)
  pems.each_line.slice_before(/^-----BEGIN CERTIFICATE-----$/).map(&:join)
end

Instance Method Details

#common_name ⇒ String

Returns common name.

Returns:

• (String) —

  common name

# File 'lib/acmesmith/certificate.rb', line 132

def common_name
  certificate.subject.to_a.assoc('CN')[1]
end

#export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ CertificateExport

Returns:

• (CertificateExport)

# File 'lib/acmesmith/certificate.rb', line 154

def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
  CertificateExport.new.tap do |h|
    h.certificate = certificate.to_pem
    h.chain = issuer_pems
    h.fullchain = fullchain
    h.private_key = if passphrase
      private_key.export(cipher, passphrase)
    else
      private_key.export
    end
  end
end

#fullchain ⇒ String

Returns leaf certificate + full certificate chain.

Returns:

• (String) —

  leaf certificate + full certificate chain

# File 'lib/acmesmith/certificate.rb', line 122

def fullchain
  "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)
end

#issuer_pems ⇒ String

Returns issuer certificate chain.

Returns:

• (String) —

  issuer certificate chain

# File 'lib/acmesmith/certificate.rb', line 127

def issuer_pems
  chain.map(&:to_pem).join("\n")
end

#key_passphrase=(pw) ⇒ Object

Try to decrypt private_key if encrypted.

Parameters:

• pw (String) —

  passphrase for encrypted PEM

Raises:

• (PrivateKeyDecrypted) —

  if private_key is decrypted

# File 'lib/acmesmith/certificate.rb', line 100

def key_passphrase=(pw)
  raise PrivateKeyDecrypted, 'private_key already given' if @private_key

  @private_key = OpenSSL::PKey.read(@raw_private_key, pw)

  @raw_private_key = nil
  nil
end

#pkcs12(passphrase) ⇒ OpenSSL::PKCS12

Returns:

• (OpenSSL::PKCS12)

# File 'lib/acmesmith/certificate.rb', line 149

def pkcs12(passphrase)
  OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate, chain)
end

#private_key ⇒ OpenSSL::PKey::PKey

Returns:

• (OpenSSL::PKey::PKey)

Raises:

• (PassphraseRequired) —

  if private_key is not yet decrypted

# File 'lib/acmesmith/certificate.rb', line 111

def private_key
  return @private_key if @private_key
  raise PassphraseRequired, 'key_passphrase required'
end

#public_key ⇒ OpenSSL::PKey::PKey

Returns:

• (OpenSSL::PKey::PKey)

# File 'lib/acmesmith/certificate.rb', line 117

def public_key
  @certificate.public_key
end

#sans ⇒ Array<String>

Returns Subject Alternative Names (dNSname).

Returns:

• (Array<String>) —

  Subject Alternative Names (dNSname)

# File 'lib/acmesmith/certificate.rb', line 137

def sans
  certificate.extensions.select { |_| _.oid == 'subjectAltName' }.flat_map do |ext|
    ext.value.split(/,\s*/).select { |_| _.start_with?('DNS:') }.map { |_| _[4..-1] }
  end
end

#version ⇒ String

Returns Version string (consists of NotBefore time & certificate serial).

Returns:

• (String) —

  Version string (consists of NotBefore time & certificate serial)

# File 'lib/acmesmith/certificate.rb', line 144

def version
  "#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
end