Class: Acmesmith::Certificate

Inherits:

Object

• Object
• Acmesmith::Certificate

Defined in:

lib/acmesmith/certificate.rb

Defined Under Namespace

Classes: PassphraseRequired

Instance Attribute Summary

• #certificate ⇒ Object readonly

  Returns the value of attribute certificate.

• #chain ⇒ Object readonly

  Returns the value of attribute chain.

• #csr ⇒ Object readonly

  Returns the value of attribute csr.

Class Method Summary

• .by_issuance(pem_chain, csr) ⇒ Object
• .split_pems(pems) ⇒ Object

Instance Method Summary

• #common_name ⇒ Object
• #export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ Object
• #fullchain ⇒ Object
• #initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil) ⇒ Certificate constructor

  A new instance of Certificate.

• #issuer_pems ⇒ Object
• #key_passphrase=(pw) ⇒ Object
• #pkcs12(passphrase) ⇒ Object
• #private_key ⇒ Object
• #sans ⇒ Object
• #version ⇒ Object

Constructor Details

#initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil) ⇒ Certificate

Returns a new instance of Certificate.

# File 'lib/acmesmith/certificate.rb', line 16

def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
  @certificate = case certificate
                 when OpenSSL::X509::Certificate
                   certificate
                 when String
                   OpenSSL::X509::Certificate.new(certificate)
                 else
                    raise TypeError, 'certificate is expected to be a String or OpenSSL::X509::Certificate'
                 end
  chain = case chain
          when String
            self.class.split_pems(chain)
          when Array
            chain
          when nil
            []
          else
            raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
          end

  @chain = chain.map { |cert|
    case cert
    when OpenSSL::X509::Certificate
      cert
    when String
      OpenSSL::X509::Certificate.new(cert)
    else
      raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
    end
  }

  case private_key
  when String
    @raw_private_key = private_key
    if key_passphrase
      self.key_passphrase = key_passphrase 
    else
      begin
        @private_key = OpenSSL::PKey::RSA.new(@raw_private_key) { nil }
      rescue OpenSSL::PKey::RSAError
        # may be encrypted
      end
    end
  when OpenSSL::PKey::RSA
    @private_key = private_key
  else
    raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::RSA'
  end

  @csr = case csr
         when nil
           nil
         when String
           OpenSSL::X509::Request.new(csr)
         when OpenSSL::X509::Request
           csr
         end
end

Instance Attribute Details

#certificate ⇒ Object (readonly)

Returns the value of attribute certificate.

# File 'lib/acmesmith/certificate.rb', line 75

def certificate
  @certificate
end

#chain ⇒ Object (readonly)

Returns the value of attribute chain.

# File 'lib/acmesmith/certificate.rb', line 75

def chain
  @chain
end

#csr ⇒ Object (readonly)

Returns the value of attribute csr.

# File 'lib/acmesmith/certificate.rb', line 75

def csr
  @csr
end

Class Method Details

.by_issuance(pem_chain, csr) ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 11

def self.by_issuance(pem_chain, csr)
  pems = split_pems(pem_chain)
  new(*pems, csr.private_key, nil, csr)
end

.split_pems(pems) ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 7

def self.split_pems(pems)
  pems.each_line.slice_before(/^-----BEGIN CERTIFICATE-----$/).map(&:join)
end

Instance Method Details

#common_name ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 99

def common_name
  certificate.subject.to_a.assoc('CN')[1]
end

#export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 117

def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
  {}.tap do |h|
    h[:certificate] = certificate.to_pem
    h[:chain] = issuer_pems
    h[:fullchain] = fullchain

    h[:private_key] = if passphrase
      private_key.export(cipher, passphrase)
    else
      private_key.export
    end
  end
end

#fullchain ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 91

def fullchain
  "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)
end

#issuer_pems ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 95

def issuer_pems
  chain.map(&:to_pem).join("\n")
end

#key_passphrase=(pw) ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 77

def key_passphrase=(pw)
  raise 'private_key already given' if @private_key

  @private_key = OpenSSL::PKey::RSA.new(@raw_private_key, pw)

  @raw_private_key = nil
  nil
end

#pkcs12(passphrase) ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 113

def pkcs12(passphrase)
  OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate)
end

#private_key ⇒ Object

Raises:

• (PassphraseRequired)

# File 'lib/acmesmith/certificate.rb', line 86

def private_key
  return @private_key if @private_key
  raise PassphraseRequired, 'key_passphrase required'
end

#sans ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 103

def sans
  certificate.extensions.select { |_| _.oid == 'subjectAltName' }.flat_map do |ext|
    ext.value.split(/,\s*/).select { |_| _.start_with?('DNS:') }.map { |_| _[4..-1] }
  end
end

#version ⇒ Object

# File 'lib/acmesmith/certificate.rb', line 109

def version
  "#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
end