Class: SCEP::PKIOperation::Response

Inherits:
Base
  • Object
Defined in:
lib/scep/pki_operation/response.rb

Overview

Represents a SCEP response from the PKIOperation. It can do either of the following:

  • Parse a response from another SCEP server (useful for proxying)
  • Create our own SCEP response

Examples:

Get Certificates Ready

ra_cert = SCEP::DEFAULT_RA_CERTIFICATE
ra_key  = SCEP::DEFAULT_RA_PRIVATE_KEY

Decrypt a SCEP Response

# Obtain the encrypted and signed SCEP response (e.g. from an upstream server)
encrypted_scep_response = foo

# Build the response object and decrypt it
response = SCEP::PKIOperation::Response.new(ra_cert, ra_key)
certs    = response.decrypt(encrypted_scep_response)  # Array of OpenSSL::X509::Certificate

Create an Encrypted and Signed Response

# This should be an OpenSSL::X509::Certificate signed by a CA.
# It will come from an earlier part of the SCEP flow.
recently_signed_x509_cert = foo

# This is the target OpenSSL::X509::Certificate we should encrypt the response for.
# It will usually be the certificate of whoever signed the initial SCEP request.
target_encryption_cert = bar

# Build the response object and attach the certificate(s)
response = SCEP::PKIOperation::Response.new(ra_cert, ra_key)
response.signed_certificates = recently_signed_x509_cert

# Finally, sign and encrypt it; the result is a binary (DER) string
encrypted_binary_string = response.encrypt(target_encryption_cert)
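The two flows above (encrypt on the issuing side, decrypt on the receiving side) as an added, self-contained example written against Ruby's standard OpenSSL bindings only. This is not code from the scep gem: the helpers make_cert, certs_only_pkcs7_der, build_response and open_response are names chosen here, the certificates and keys are generated on the fly as constructed test material, and the payload layout is assumed to be the one SCEP (RFC 8894) specifies, a degenerate certificates-only PKCS#7 SignedData wrapped in EnvelopedData for the recipient and then SignedData by the RA. The gem's PKCS7CertOnly, #sign_and_encrypt_raw and #unsign_and_unencrypt_raw are not shown on this page, so their exact behaviour is not reproduced, only the equivalent OpenSSL operations. The check in build_response mirrors the ArgumentError that #encrypt raises when no certificates are attached.

```ruby
require 'openssl'

# Constructed test material: a certificate plus its private key.
# Self-signed unless issuer_cert/issuer_key are given.
def make_cert(cn, issuer_cert: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(63)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Degenerate certificates-only PKCS#7 SignedData: version 1, no digest
# algorithms, an empty id-data ContentInfo, the certificates, and no signers.
# Assembled from ASN.1 here because Ruby's OpenSSL has no direct constructor
# for it (the gem's PKCS7CertOnly plays this role; hypothetical name here).
def certs_only_pkcs7_der(certs)
  signed_data = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(1),                                   # version
    OpenSSL::ASN1::Set.new([]),                                      # digestAlgorithms
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('1.2.840.113549.1.7.1')]), # id-data
    OpenSSL::ASN1::ASN1Data.new(certs.map { |c| OpenSSL::ASN1.decode(c.to_der) },
                                0, :CONTEXT_SPECIFIC),               # [0] certificates
    OpenSSL::ASN1::Set.new([])                                       # signerInfos
  ])
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new('1.2.840.113549.1.7.2'),             # id-signedData
    OpenSSL::ASN1::ASN1Data.new([signed_data], 0, :CONTEXT_SPECIFIC) # [0] EXPLICIT content
  ]).to_der
end

# Issuing side: certs-only payload -> encrypted for the requester -> signed by the RA.
# Only the holder of target_cert's private key can open the result.
def build_response(ra_cert, ra_key, issued_certs, target_cert)
  raise ArgumentError, 'Must contain at least one signed certificate' if issued_certs.empty?
  payload   = certs_only_pkcs7_der(issued_certs)
  enveloped = OpenSSL::PKCS7.encrypt([target_cert], payload,
                                     OpenSSL::Cipher.new('aes-256-cbc'), OpenSSL::PKCS7::BINARY)
  signed    = OpenSSL::PKCS7.sign(ra_cert, ra_key, enveloped.to_der, [], OpenSSL::PKCS7::BINARY)
  signed.to_der
end

# Receiving side: verify the RA signature against a trust store first, then
# decrypt with our own key, then parse the certs-only structure.
def open_response(raw_der, recipient_cert, recipient_key, trusted_ra_cert)
  signed = OpenSSL::PKCS7.new(raw_der)
  store  = OpenSSL::X509::Store.new
  store.add_cert(trusted_ra_cert)
  raise 'SCEP response signature did not verify' unless signed.verify([], store, nil, OpenSSL::PKCS7::BINARY)
  enveloped = OpenSSL::PKCS7.new(signed.data)
  plain     = enveloped.decrypt(recipient_key, recipient_cert)
  OpenSSL::PKCS7.new(plain).certificates
end

if __FILE__ == $PROGRAM_NAME
  ra_cert, ra_key   = make_cert('scep-ra')
  dev_cert, dev_key = make_cert('device')
  issued, _         = make_cert('device-issued', issuer_cert: ra_cert, issuer_key: ra_key)
  raw  = build_response(ra_cert, ra_key, [issued], dev_cert)
  got  = open_response(raw, dev_cert, dev_key, ra_cert)
  puts "recovered #{got.length} certificate(s): #{got.map(&:subject).join(', ')}"
end
```

Signature verification happens before decryption on purpose: a response whose outer SignedData does not chain to the trusted RA is rejected without ever touching the recipient key, which is the same ordering the gem's decrypt(raw_string, verify = true) implies when verify is left at its default.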

Constant Summary

Constants inherited from Base

Base::DEFAULT_CIPHER_ALGORITHM

Instance Attribute Summary

Attributes inherited from Base

#p7enc, #p7sign, #ra_keypair, #x509_store

Instance Method Summary

Methods inherited from Base

#add_verification_certificate, #check_if_recipient_matches_ra_certificate_name, create_default_cipher, #initialize, #sign_and_encrypt_raw, #unsign_and_unencrypt_raw, #wrap_array

Methods included from Loggable

#logger

Constructor Details

This class inherits a constructor from SCEP::PKIOperation::Base

Instance Method Details

#decrypt(raw_string, verify = true) ⇒ Array<OpenSSL::X509::Certificate>

Decrypts a raw response and assigns #signed_certificates

Parameters:

  • raw_string (String)

    the raw response

Returns:

  • (Array<OpenSSL::X509::Certificate>)

    the certificates that were contained in raw_string.

# File 'lib/scep/pki_operation/response.rb', line 56

def decrypt(raw_string, verify = true)
  p7raw = unsign_and_unencrypt_raw(raw_string, verify)
  p7certs = OpenSSL::PKCS7.new(p7raw)
  @signed_certificates = p7certs.certificates
end

#encrypt(target_encryption_certs) ⇒ String

Takes the #signed_certificates attached to this object and returns them in the format defined by SCEP.

Parameters:

  • target_encryption_certs (Array<OpenSSL::X509::Certificate>)

    only those who possess a private key of one of the target_encryption_certs will be able to decrypt the resulting payload.

Returns:

  • (String)

    the signed and encrypted payload in binary (DER) format

Raises:

  • (ArgumentError)
# File 'lib/scep/pki_operation/response.rb', line 68

def encrypt(target_encryption_certs)
  raise ArgumentError, 'Must contain at least one of #signed_certificates' unless
    signed_certificates.any?
  p7certs = PKCS7CertOnly.new(signed_certificates)
  sign_and_encrypt_raw(p7certs.to_der, target_encryption_certs)
end

#proxy(signed_and_encrypted_certs, target_encryption_certs, verify = true) ⇒ OpenSSL::PKCS7

Decrypts a signed and encrypted response, extracts the certificates (#signed_certificates), and then re-encrypts and re-signs them.

Parameters:

  • signed_and_encrypted_certs (String)
  • target_encryption_certs (OpenSSL::X509::Certificate)

Returns:

  • (OpenSSL::PKCS7)
# File 'lib/scep/pki_operation/response.rb', line 80

def proxy(signed_and_encrypted_certs, target_encryption_certs, verify = true)
  decrypt(signed_and_encrypted_certs, verify)
  encrypt(target_encryption_certs)
end

#signed_certificates ⇒ Array<OpenSSL::X509::Certificate>

Gets the signed certificates that will be encrypted and signed in SCEP format

Returns:

  • (Array<OpenSSL::X509::Certificate>)
# File 'lib/scep/pki_operation/response.rb', line 48

def signed_certificates
  @signed_certificates ||= []
end

#signed_certificates=(certs) ⇒ Object

Adds a single certificate, or many certificates, to be encrypted and signed later

Parameters:

  • certs (Array<OpenSSL::X509::Certificate>)
# File 'lib/scep/pki_operation/response.rb', line 42

def signed_certificates=(certs)
  @signed_certificates = wrap_array(certs)
end