Class: MobileId::Cert

Inherits:

Object

• Object
• MobileId::Cert

Defined in:

lib/mobile_id/cert.rb

Instance Attribute Summary

• #cert ⇒ Object

  Returns the value of attribute cert.

• #subject ⇒ Object

  Returns the value of attribute subject.

Class Method Summary

• .build_store(paths) ⇒ Object
• .live_store ⇒ Object
• .root_path ⇒ Object
• .test_store ⇒ Object

Instance Method Summary

• #common_name ⇒ Object
• #country ⇒ Object
• #cvc_to_der(cvc) ⇒ Object
• #given_name ⇒ Object (also: #first_name)
• #initialize(base64_cert, live:) ⇒ Cert constructor

  A new instance of Cert.

• #organizational_unit ⇒ Object
• #serial_number ⇒ Object (also: #personal_code)
• #surname ⇒ Object (also: #last_name)
• #verify!(cert, live:) ⇒ Object
• #verify_signature!(signature_base64, doc) ⇒ Object

Constructor Details

#initialize(base64_cert, live:) ⇒ Cert

Returns a new instance of Cert.

# File 'lib/mobile_id/cert.rb', line 52

def initialize(base64_cert, live:)
  self.cert = OpenSSL::X509::Certificate.new(Base64.decode64(base64_cert))
  verify!(cert, live: live)
  build_cert_subject
end

Instance Attribute Details

#cert ⇒ Object

Returns the value of attribute cert.

# File 'lib/mobile_id/cert.rb', line 50

def cert
  @cert
end

#subject ⇒ Object

Returns the value of attribute subject.

# File 'lib/mobile_id/cert.rb', line 50

def subject
  @subject
end

Class Method Details

.build_store(paths) ⇒ Object

# File 'lib/mobile_id/cert.rb', line 40

def build_store(paths)
  store = OpenSSL::X509::Store.new
  paths.each do |path|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    store.add_cert(cert)
  end
  store
end

.live_store ⇒ Object

# File 'lib/mobile_id/cert.rb', line 10

def live_store
  @live_store ||=
    build_store(
      [
        File.join(root_path, 'EE_Certification_Centre_Root_CA.pem.crt'),
        File.join(root_path, 'EE-GovCA2018.pem.crt'),
        File.join(root_path, 'EID-SK_2011.pem.crt'),
        File.join(root_path, 'EID-SK_2016.pem.crt'),
        File.join(root_path, 'esteid2018.pem.crt'),
        File.join(root_path, 'ESTEID-SK_2011.pem.crt'),
        File.join(root_path, 'ESTEID-SK_2015.pem.crt'),
        File.join(root_path, 'KLASS3-SK_2010_EECCRCA.pem.crt'),
        File.join(root_path, 'KLASS3-SK_2010_EECCRCA_SHA384.pem.crt'),
        File.join(root_path, 'KLASS3-SK_2016_EECCRCA_SHA384.pem.crt'),
        File.join(root_path, 'KLASS3-SK.pem.crt'),
        File.join(root_path, 'NQ-SK_2016.pem.crt')
      ]
    )
end

.root_path ⇒ Object

# File 'lib/mobile_id/cert.rb', line 6

def root_path
  @root_path ||= File.expand_path('certs', __dir__)
end

.test_store ⇒ Object

# File 'lib/mobile_id/cert.rb', line 30

def test_store
  @test_store ||=
    build_store(
      [
        File.join(root_path, 'TEST_of_EE_Certification_Centre_Root_CA.pem.crt'),
        File.join(root_path, 'TEST_of_ESTEID-SK_2015.pem.crt')
      ]
    )
end

Instance Method Details

#common_name ⇒ Object

# File 'lib/mobile_id/cert.rb', line 112

def common_name
  subject['CN']
end

#country ⇒ Object

# File 'lib/mobile_id/cert.rb', line 108

def country
  subject['C'].tr(',', ' ')
end

#cvc_to_der(cvc) ⇒ Object

# File 'lib/mobile_id/cert.rb', line 89

def cvc_to_der(cvc)
  sign_hex = cvc.unpack1('H*')
  half = sign_hex.size / 2
  i = [OpenSSL::ASN1::Integer.new(sign_hex[0...half].to_i(16)),
       OpenSSL::ASN1::Integer.new(sign_hex[half..sign_hex.size].to_i(16))]
  seq = OpenSSL::ASN1::Sequence.new(i)
  seq.to_der
end

#given_name ⇒ Object Also known as: first_name

# File 'lib/mobile_id/cert.rb', line 98

def given_name
  subject['GN'].tr(',', ' ')
end

#organizational_unit ⇒ Object

# File 'lib/mobile_id/cert.rb', line 116

def organizational_unit
  subject['OU']
end

#serial_number ⇒ Object Also known as: personal_code

# File 'lib/mobile_id/cert.rb', line 120

def serial_number
  subject['serialNumber']
end

#surname ⇒ Object Also known as: last_name

# File 'lib/mobile_id/cert.rb', line 103

def surname
  subject['SN'].tr(',', ' ')
end

#verify!(cert, live:) ⇒ Object

Raises:

• (Error)

# File 'lib/mobile_id/cert.rb', line 58

def verify!(cert, live:)
  if live == true
    raise Error, 'User certificate is not valid' unless self.class.live_store.verify(cert)
  else
    unless self.class.test_store.verify(cert) || self.class.live_store.verify(cert)
      raise Error,
            'User certificate is not valid'
    end
  end

  raise Error, 'User certificate is not valid [check_key]' unless cert.public_key.check_key
  raise Error, 'User certificate is expired' unless (cert.not_before...cert.not_after).include?(Time.now)

  true
end

#verify_signature!(signature_base64, doc) ⇒ Object

Raises:

• (Error)

# File 'lib/mobile_id/cert.rb', line 74

def verify_signature!(signature_base64, doc)
  signature = Base64.decode64(signature_base64)
  digest = OpenSSL::Digest::SHA256.new(doc)

  valid =
    begin
      cert.public_key.verify(digest, signature, doc)
    rescue OpenSSL::PKey::PKeyError
      der_signature = cvc_to_der(signature) # Probably signature is CVC encoded
      cert.public_key.verify(digest, der_signature, doc)
    end

  raise Error, 'We could not verify user signature' unless valid
end