Class: Spiffe::Workload::X509SVIDWrapper

Inherits:

Object

• Object
• Spiffe::Workload::X509SVIDWrapper

Defined in:

lib/spiffe/workload/x509_svid.rb

Overview

Represents an X.509 SVID with certificate chain, private key, and trust bundle

Instance Attribute Summary

• #cert_chain ⇒ Object readonly

  Returns the value of attribute cert_chain.

• #hint ⇒ Object readonly

  Returns the value of attribute hint.

• #private_key ⇒ Object readonly

  Returns the value of attribute private_key.

• #spiffe_id ⇒ Object readonly

  Returns the value of attribute spiffe_id.

• #trust_bundle ⇒ Object readonly

  Returns the value of attribute trust_bundle.

Class Method Summary

• .from_proto(proto_svid) ⇒ X509SVID

  Parse X.509 SVID from proto response.

Instance Method Summary

• #expired? ⇒ Boolean

  Check if the SVID is expired.

• #initialize(spiffe_id:, cert_chain:, private_key:, trust_bundle:, hint: nil) ⇒ X509SVIDWrapper constructor

  A new instance of X509SVIDWrapper.

• #leaf_certificate ⇒ OpenSSL::X509::Certificate

  Get the leaf certificate (first in chain).

• #ttl ⇒ Float

  Get time until expiration.

Constructor Details

#initialize(spiffe_id:, cert_chain:, private_key:, trust_bundle:, hint: nil) ⇒ X509SVIDWrapper

Returns a new instance of X509SVIDWrapper.

Parameters:

• spiffe_id (String) —

  The SPIFFE ID of this SVID

• cert_chain (Array<OpenSSL::X509::Certificate>) —

  Certificate chain

• private_key (OpenSSL::PKey::RSA, OpenSSL::PKey::EC) —

  Private key

• trust_bundle (OpenSSL::X509::Store) —

  Trust bundle for the trust domain

• hint (String, nil) (defaults to: nil) —

  Optional hint for SVID usage

# File 'lib/spiffe/workload/x509_svid.rb', line 16

def initialize(spiffe_id:, cert_chain:, private_key:, trust_bundle:, hint: nil)
  @spiffe_id = spiffe_id
  @cert_chain = cert_chain
  @private_key = private_key
  @trust_bundle = trust_bundle
  @hint = hint
end

Instance Attribute Details

#cert_chain ⇒ Object (readonly)

Returns the value of attribute cert_chain.

# File 'lib/spiffe/workload/x509_svid.rb', line 9

def cert_chain
  @cert_chain
end

#hint ⇒ Object (readonly)

Returns the value of attribute hint.

# File 'lib/spiffe/workload/x509_svid.rb', line 9

def hint
  @hint
end

#private_key ⇒ Object (readonly)

Returns the value of attribute private_key.

# File 'lib/spiffe/workload/x509_svid.rb', line 9

def private_key
  @private_key
end

#spiffe_id ⇒ Object (readonly)

Returns the value of attribute spiffe_id.

# File 'lib/spiffe/workload/x509_svid.rb', line 9

def spiffe_id
  @spiffe_id
end

#trust_bundle ⇒ Object (readonly)

Returns the value of attribute trust_bundle.

# File 'lib/spiffe/workload/x509_svid.rb', line 9

def trust_bundle
  @trust_bundle
end

Class Method Details

.from_proto(proto_svid) ⇒ X509SVID

Parse X.509 SVID from proto response

Parameters:

• proto_svid (Spiffe::Workload::X509SVIDProto) —

  Proto message

Returns:

• (X509SVID)

# File 'lib/spiffe/workload/x509_svid.rb', line 45

def self.from_proto(proto_svid)
  # Parse certificate chain
  cert_chain = []
  cert_data = proto_svid.x509_svid
  
  # The cert data may contain multiple certificates
  # We need to extract all of them
  offset = 0
  while offset < cert_data.bytesize
    begin
      cert = OpenSSL::X509::Certificate.new(cert_data[offset..-1])
      cert_chain << cert
      # Move offset forward by the size of the DER-encoded cert
      offset += cert.to_der.bytesize
    rescue OpenSSL::X509::CertificateError
      break
    end
  end

  # Parse private key (PKCS#8 unencrypted)
  private_key = OpenSSL::PKey.read(proto_svid.x509_svid_key)

  # Parse trust bundle
  trust_bundle = OpenSSL::X509::Store.new
  bundle_data = proto_svid.bundle
  
  # Parse all certificates in the bundle
  offset = 0
  while offset < bundle_data.bytesize
    begin
      ca_cert = OpenSSL::X509::Certificate.new(bundle_data[offset..-1])
      trust_bundle.add_cert(ca_cert)
      offset += ca_cert.to_der.bytesize
    rescue OpenSSL::X509::CertificateError
      break
    end
  end

  new(
    spiffe_id: proto_svid.spiffe_id,
    cert_chain: cert_chain,
    private_key: private_key,
    trust_bundle: trust_bundle,
    hint: proto_svid.hint.empty? ? nil : proto_svid.hint
  )
end

Instance Method Details

#expired? ⇒ Boolean

Check if the SVID is expired

Returns:

• (Boolean)

# File 'lib/spiffe/workload/x509_svid.rb', line 32

def expired?
  leaf_certificate.not_after < Time.now
end

#leaf_certificate ⇒ OpenSSL::X509::Certificate

Get the leaf certificate (first in chain)

Returns:

• (OpenSSL::X509::Certificate)

# File 'lib/spiffe/workload/x509_svid.rb', line 26

def leaf_certificate
  @cert_chain.first
end

#ttl ⇒ Float

Get time until expiration

Returns:

• (Float) —

  Seconds until expiration

# File 'lib/spiffe/workload/x509_svid.rb', line 38

def ttl
  leaf_certificate.not_after - Time.now
end