Module: Bullion::Helpers::Ssl

Defined in:
lib/bullion/helpers/ssl.rb

Overview

SSL-related helper methods

Instance Method Summary collapse

Instance Method Details

#base64_to_long(data) ⇒ Object



66
67
68
69
70
# File 'lib/bullion/helpers/ssl.rb', line 66

def base64_to_long(data)
  Base64.urlsafe_decode64(data).to_s.unpack("C*").map do |byte|
    to_hex(byte)
  end.join.to_i(16)
end

#base64_to_octet(data) ⇒ Object



72
73
74
# File 'lib/bullion/helpers/ssl.rb', line 72

def base64_to_octet(data)
  Base64.urlsafe_decode64(data)
end

#cn_from_csr(csr) ⇒ Object



191
192
193
194
195
196
197
198
199
# File 'lib/bullion/helpers/ssl.rb', line 191

def cn_from_csr(csr)
  if csr.subject.to_s
    cns = csr.subject.to_s.split("/").grep(/^CN=/)

    return cns.first.split("=").last if cns && !cns.empty?
  end

  csr_sans(csr).first.split(":").last
end

#csr_sans(csr) ⇒ Object



145
146
147
148
149
150
151
152
153
154
155
156
157
158
# File 'lib/bullion/helpers/ssl.rb', line 145

def csr_sans(csr)
  raw_attributes = csr.attributes
  return [] unless raw_attributes

  seq = extract_csr_attrs(csr)
  return [] unless seq

  values = extract_san_values(seq)
  return [] unless values

  values = OpenSSL::ASN1.decode(values).value

  values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
end

#digest_from_alg(alg) ⇒ Object



76
77
78
79
80
81
82
83
84
# File 'lib/bullion/helpers/ssl.rb', line 76

def digest_from_alg(alg)
  if alg.end_with?("256")
    OpenSSL::Digest.new("SHA256")
  elsif alg.end_with?("384")
    OpenSSL::Digest.new("SHA384")
  else
    OpenSSL::Digest.new("SHA512")
  end
end

#ecdsa_sig_to_der(incoming) ⇒ Object

This is for ECDSA keys.



88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/bullion/helpers/ssl.rb', line 88

def ecdsa_sig_to_der(incoming)
  # Base64 decode the signature
  joined_ints = Base64.urlsafe_decode64(incoming)
  # Break it apart into the two 32-byte words
  r = joined_ints[0..31]
  s = joined_ints[32..]
  # Unpack each word to a hex string
  hexnums = [r, s].map { |n| n.unpack1("H*") }
  # Convert each to an Integer
  ints = hexnums.map { |bn| bn.to_i(16) }
  # Convert each Integer to a BigNumber
  bns = ints.map { |int| OpenSSL::BN.new(int) }
  # Wrap each BigNum in a ASN1 encoding
  asn1_wrapped = bns.map { |bn| OpenSSL::ASN1::Integer.new(bn) }
  # Create an ASN1 sequence from the ASN1-wrapped Integers
  seq = OpenSSL::ASN1::Sequence.new(asn1_wrapped)
  # Return the DER-encoded sequence for verification
  seq.to_der
end

#extract_csr_attrs(csr) ⇒ Object



160
161
162
# File 'lib/bullion/helpers/ssl.rb', line 160

def extract_csr_attrs(csr)
  csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
end

#extract_csr_domains(csr_sans) ⇒ Object



168
169
170
171
# File 'lib/bullion/helpers/ssl.rb', line 168

def extract_csr_domains(csr_sans)
  csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
  csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
end

#extract_csr_sans(csr_attrs) ⇒ Object



164
165
166
# File 'lib/bullion/helpers/ssl.rb', line 164

def extract_csr_sans(csr_attrs)
  csr_attrs.flatten.select { |a| a.value.first.value == "subjectAltName" }
end

#extract_san_values(sequence) ⇒ Object



173
174
175
176
177
178
179
180
181
182
# File 'lib/bullion/helpers/ssl.rb', line 173

def extract_san_values(sequence)
  unpacked_sequence = sequence
  unpacked_sequence = unpacked_sequence.first while unpacked_sequence.first.is_a?(Array)
  seqvalues = nil
  unpacked_sequence.each do |outer_value|
    seqvalues = outer_value.value[1].value if outer_value.value[0].value == "subjectAltName"
    break if seqvalues
  end
  seqvalues
end

#filter_sans(potential_sans) ⇒ Object



184
185
186
187
188
189
# File 'lib/bullion/helpers/ssl.rb', line 184

def filter_sans(potential_sans)
  # Select only those that are part of the appropriate domain
  potential_sans.select do |alt|
    Bullion.config.ca.domains.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
  end
end

#key_data_to_ecdsa(key_data) ⇒ Object



39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/bullion/helpers/ssl.rb', line 39

def key_data_to_ecdsa(key_data)
  crv_mapping = {
    "P-256" => "prime256v1",
    "secp256k1" => "secp256k1",
    "P-384" => "secp384r1",
    "P-521" => "secp521r1"
  }

  x = base64_to_octet(key_data["x"])
  y = base64_to_octet(key_data["y"])
  curve_name = crv_mapping[key_data["crv"]]
  raise "Unknown curve" unless curve_name

  key_group = OpenSSL::PKey::EC::Group.new(curve_name)
  key_bn = OpenSSL::BN.new("\x04#{x}#{y}", 2)
  key_point = OpenSSL::PKey::EC::Point.new(key_group, key_bn)

  pk_sequence = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId("id-ecPublicKey"), OpenSSL::ASN1::ObjectId(curve_name)]
  )
  bitstring = OpenSSL::ASN1::BitString.new(key_point.to_octet_string(:uncompressed))

  outer_sequence = OpenSSL::ASN1::Sequence.new([pk_sequence, bitstring])

  OpenSSL::PKey::EC.new(outer_sequence.to_der)
end

#key_data_to_rsa(key_data) ⇒ Object



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# File 'lib/bullion/helpers/ssl.rb', line 23

def key_data_to_rsa(key_data)
  exponent = base64_to_long(key_data["e"])
  modulus = base64_to_long(key_data["n"])

  data_sequence = OpenSSL::ASN1::Sequence.new(
    [
      OpenSSL::ASN1::Integer.new(modulus),
      OpenSSL::ASN1::Integer.new(exponent)
    ]
  )

  outer_sequence = OpenSSL::ASN1::Sequence.new(data_sequence)

  OpenSSL::PKey::RSA.new(outer_sequence.to_der)
end

#manage_csr_extensions(csr, new_cert) ⇒ Object



116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# File 'lib/bullion/helpers/ssl.rb', line 116

def manage_csr_extensions(csr, new_cert)
  # Build extensions
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = new_cert
  ef.issuer_certificate = Bullion.ca_cert
  new_cert.add_extension(
    ef.create_extension("basicConstraints", "CA:FALSE", true)
  )
  new_cert.add_extension(
    ef.create_extension("keyUsage", "keyEncipherment,dataEncipherment,digitalSignature", true)
  )
  new_cert.add_extension(
    ef.create_extension("subjectKeyIdentifier", "hash")
  )
  new_cert.add_extension(
    ef.create_extension("extendedKeyUsage", "serverAuth")
  )

  # Alternate Names
  cn = cn_from_csr(csr)
  existing_sans = filter_sans(csr_sans(csr))
  valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq

  new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))

  # return the updated cert and any subject alternate names added
  [new_cert, valid_alts]
end

#openssl_compat(key_data) ⇒ Object

Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures



8
9
10
11
12
13
14
15
# File 'lib/bullion/helpers/ssl.rb', line 8

def openssl_compat(key_data)
  case key_data["kty"]
  when "RSA"
    key_data_to_rsa(key_data)
  when "EC"
    key_data_to_ecdsa(key_data)
  end
end

#openssl_compat_csr(csrdata) ⇒ Object



17
18
19
20
# File 'lib/bullion/helpers/ssl.rb', line 17

def openssl_compat_csr(csrdata)
  "-----BEGIN CERTIFICATE REQUEST-----\n" \
    "#{csrdata}-----END CERTIFICATE REQUEST-----"
end

#sign_csr(csr, username) ⇒ Object

Signs an ACME CSR rubocop:disable Metrics/AbcSize



203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# File 'lib/bullion/helpers/ssl.rb', line 203

def sign_csr(csr, username)
  cert = Models::Certificate.from_csr(csr)
  # Create a OpenSSL cert using select info from the CSR
  csr_cert = OpenSSL::X509::Certificate.new
  csr_cert.serial = cert.serial
  csr_cert.version = 2
  csr_cert.not_before = Time.now
  # only 90 days for ACMEv2
  csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)

  # Force a subject if the cert doesn't have one
  cert.subject = simple_subject(cn_from_csr(csr)) unless cert.subject

  csr_cert.subject = simple_subject(cert.subject.to_s)

  csr_cert.public_key = csr.public_key
  csr_cert.issuer = Bullion.ca_cert.subject

  csr_cert, sans = manage_csr_extensions(csr, csr_cert)

  csr_cert.sign(Bullion.ca_key, OpenSSL::Digest.new("SHA256"))

  cert.data = csr_cert.to_pem
  cert.alternate_names = sans unless sans.empty?
  cert.requester = username
  cert.validated = true
  cert.save

  [csr_cert, cert.id]
end

#simple_subject(common_name) ⇒ Object



112
113
114
# File 'lib/bullion/helpers/ssl.rb', line 112

def simple_subject(common_name)
  OpenSSL::X509::Name.new([["CN", common_name, OpenSSL::ASN1::UTF8STRING]])
end

#to_hex(int) ⇒ Object



108
109
110
# File 'lib/bullion/helpers/ssl.rb', line 108

def to_hex(int)
  int < 16 ? "0#{int.to_s(16)}" : int.to_s(16)
end