Module: Acme::PKI::Information

Included in:
Acme::PKI
Defined in:
lib/acme/pki/information.rb

Instance Method Summary collapse

Instance Method Details

#certifificate_info(crt) ⇒ Object 



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/acme/pki/information.rb', line 34

def certifificate_info(crt)
	title 'Subject'
	puts "\t#{crt.subject}"
	title 'Issuer'
	puts "\t#{crt.issuer}"

	der = crt.to_der

	fingerprint der

	hpkp = Digest::SHA256.digest der
	hpkp = Base64.encode64(hpkp).strip
	title 'HPKP'
	puts "\tPublic-Key-Pins \"max-age=5184000; pin-sha256=\\\"#{hpkp}\\\";".colorize(:blue)

	tlsa = Digest::SHA512.hexdigest der
	title 'TLSA'
	puts "\tTLSA 1 0 2 #{tlsa}".colorize(:blue)

	title 'Public key'
	key_info crt.public_key, tab: 1
end

#chain_info(chain) ⇒ Object 



57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
 
# File 'lib/acme/pki/information.rb', line 57

def chain_info(chain)
	chain = File.read(chain).split('-----BEGIN CERTIFICATE-----')
					.reject { |s| s.empty? }
					.collect { |s| '-----BEGIN CERTIFICATE-----' + s }
					.collect { |s| OpenSSL::X509::Certificate.new s }
	loop do
		last   = chain.last
		issuer = last.issuer
		break if last.subject == issuer
		# This is not a root, fetch the issuer

		aia = last.extensions.detect { |e| e.oid == 'authorityInfoAccess' }
		break unless aia

		uri = aia.value.split("\n").find { |s| s.start_with? 'CA Issuers - URI:' }
					  .sub /^CA Issuers - URI:/, ''
		puts "Fetch certificate #{issuer} from #{uri}"
		file = Digest::MD5.hexdigest uri
		file = file File.join 'cache', file
		dir  = File.dirname file
		FileUtils.mkpath dir unless Dir.exist? dir
		crt = if File.exist? file
				  open(file, 'r') { |f| OpenSSL::X509::Certificate.new f }
			  else
				  crt = Faraday.get uri
				  break unless crt.success?
				  crt = crt.body

				  crt = begin
					  OpenSSL::X509::Certificate.new crt
				  rescue
					  pkcs7 = OpenSSL::PKCS7.new crt
					  pkcs7.certificates.first
				  end

				  File.write file, crt.to_pem
				  crt
			  end

		subject = crt.subject
		puts "Warning : expecting #{issuer}, get #{subject}".colorize :magenta unless subject == issuer

		chain << crt
	end

	chain.each do |c|
		certifificate_info c
		puts ''
	end
end

#key_info(key, tab: 0) ⇒ Object 



6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/acme/pki/information.rb', line 6

def key_info(key, tab: 0)
	key = open(key, 'r') { |f| OpenSSL::PKey.read f } unless key.is_a? OpenSSL::PKey::PKey

	der = case key
			  when OpenSSL::PKey::EC
				  puts "\t" * (tab) + "#{'Key'.colorize :red} : ECC #{key.group.curve_name}"

				  point          = key.public_key
				  pub            = OpenSSL::PKey::EC.new point.group
				  pub.public_key = point
				  pub
			  when OpenSSL::PKey::RSA
				  puts "\t" * (tab) + "#{'Key'.colorize :red} : RSA #{key.n.num_bits} bits"
				  key.public_key
		  end.to_der

	fingerprint der, tab: tab

	hpkp = Digest::SHA256.digest der
	hpkp = Base64.encode64(hpkp).strip
	title 'HPKP', tab: tab
	puts "\t" * (tab+1) + "Public-Key-Pins \"max-age=5184000; pin-sha256=\\\"#{hpkp}\\\";".colorize(:blue)

	tlsa = Digest::SHA512.hexdigest der
	title 'TLSA', tab: tab
	puts "\t" * (tab+1) + "TLSA 1 1 2 #{tlsa}".colorize(:blue)
end