Class: Acmesmith::Certificate

Inherits:

Object

• Object
• Acmesmith::Certificate

Defined in:

lib/acmesmith/certificate.rb

Defined Under Namespace

Classes: CertificateExport, PassphraseRequired, PrivateKeyDecrypted

Instance Attribute Summary

• #certificate ⇒ OpenSSL::X509::Certificate readonly
• #chain ⇒ Array<OpenSSL::X509::Certificate> readonly
• #csr ⇒ OpenSSL::X509::Request readonly
• #name ⇒ String

  Returns a predicted certificate name, taken from common name or first SAN.

Class Method Summary

• .by_issuance(pem_chain, csr, name: nil) ⇒ Acmesmith::Certificate

  Return Acmesmith::Certificate by an issued certificate.

• .split_pems(pems) ⇒ Array<String>

  Split string containing multiple PEMs into Array of PEM strings.

Instance Method Summary

• #all_sans ⇒ Array<String>

  Returns a list of subject alternative names included in the certificate.

• #common_name ⇒ String^?

  Returns a certificate common name taken from the certificate subject’s CN field.

• #export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ CertificateExport
• #fullchain ⇒ String

  Leaf certificate + full certificate chain.

• #initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil, name: nil) ⇒ Certificate constructor

  A new instance of Certificate.

• #issuer_pems ⇒ String

  Issuer certificate chain.

• #key_passphrase=(pw) ⇒ Object

  Try to decrypt private_key if encrypted.

• #pkcs12(passphrase) ⇒ OpenSSL::PKCS12
• #private_key ⇒ OpenSSL::PKey::PKey
• #public_key ⇒ OpenSSL::PKey::PKey
• #sans ⇒ Array<String>

  Returns a list of DNS subject alternative names included in the certificate.

• #version ⇒ String

  Version string (consists of NotBefore time & certificate serial).

Constructor Details

#initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil, name: nil) ⇒ Certificate

Returns a new instance of Certificate.

Parameters:

• certificate (OpenSSL::X509::Certificate, String)
• chain (String, Array<String>, Array<OpenSSL::X509::Certificate>)
• private_key (String, OpenSSL::PKey::PKey)
• key_passphrase (String, nil) (defaults to: nil)
• csr (String, OpenSSL::X509::Request, nil) (defaults to: nil)
• name (String, nil) (defaults to: nil)

# File 'lib/acmesmith/certificate.rb', line 33

def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil, name: nil)
  @name = name
  @certificate = case certificate
                 when OpenSSL::X509::Certificate
                   certificate
                 when String
                   OpenSSL::X509::Certificate.new(certificate)
                 else
                    raise TypeError, 'certificate is expected to be a String or OpenSSL::X509::Certificate'
                 end
  chain = case chain
          when String
            self.class.split_pems(chain)
          when Array
            chain
          when nil
            []
          else
            raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
          end

  @chain = chain.map { |cert|
    case cert
    when OpenSSL::X509::Certificate
      cert
    when String
      OpenSSL::X509::Certificate.new(cert)
    else
      raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
    end
  }

  case private_key
  when String
    @raw_private_key = private_key
    if key_passphrase
      self.key_passphrase = key_passphrase
    else
      begin
        @private_key = OpenSSL::PKey.read(@raw_private_key) { nil }
      rescue OpenSSL::PKey::PKeyError
        # may be encrypted
      end
    end
  when OpenSSL::PKey::PKey
    @private_key = private_key
  else
    raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::PKey'
  end

  @csr = case csr
         when nil
           nil
         when String
           OpenSSL::X509::Request.new(csr)
         when OpenSSL::X509::Request
           csr
         end
end

Instance Attribute Details

#certificate ⇒ OpenSSL::X509::Certificate (readonly)

Returns:

• (OpenSSL::X509::Certificate)

# File 'lib/acmesmith/certificate.rb', line 94

def certificate
  @certificate
end

#chain ⇒ Array<OpenSSL::X509::Certificate> (readonly)

Returns:

• (Array<OpenSSL::X509::Certificate>)

# File 'lib/acmesmith/certificate.rb', line 96

def chain
  @chain
end

#csr ⇒ OpenSSL::X509::Request (readonly)

Returns:

• (OpenSSL::X509::Request)

# File 'lib/acmesmith/certificate.rb', line 98

def csr
  @csr
end

#name ⇒ String

Returns a predicted certificate name, taken from common name or first SAN. Note that this value can contain colons (‘:’) if name is taken from non-DNS subject alternative name.

Returns:

• (String) —

  certificate name

# File 'lib/acmesmith/certificate.rb', line 139

def name
  @name || common_name || sans.first || all_sans.first
end

Class Method Details

.by_issuance(pem_chain, csr, name: nil) ⇒ Acmesmith::Certificate

Return Acmesmith::Certificate by an issued certificate

Parameters:

• pem_chain (String)
• csr (Acme::Client::CertificateRequest)
• name (String, nil) (defaults to: nil)

Returns:

• (Acmesmith::Certificate)

# File 'lib/acmesmith/certificate.rb', line 22

def self.by_issuance(pem_chain, csr, name: nil)
  pems = split_pems(pem_chain)
  new(pems[0], pems[1..-1], csr.private_key, nil, csr, name: name)
end

.split_pems(pems) ⇒ Array<String>

Split string containing multiple PEMs into Array of PEM strings.

Parameters:

• (String)

Returns:

• (Array<String>)

# File 'lib/acmesmith/certificate.rb', line 13

def self.split_pems(pems)
  pems.each_line.slice_before(/^-----BEGIN CERTIFICATE-----$/).map(&:join)
end

Instance Method Details

#all_sans ⇒ Array<String>

Returns a list of subject alternative names included in the certificate.

Returns:

• (Array<String>) —

  Subject Alternative Names

# File 'lib/acmesmith/certificate.rb', line 153

def all_sans
  certificate.extensions.select { |_| _.oid == 'subjectAltName' }.flat_map do |ext|
    ext.value.split(/,\s*/)
  end
end

#common_name ⇒ String^?

Returns a certificate common name taken from the certificate subject’s CN field. Under the real CA, CNs can be missing. Use #name instead to retrieve the certificate name for most cases. ref. github.com/letsencrypt/pebble/pull/491#pullrequestreview-2718607820

Returns:

• (String, nil) —

  common name

# File 'lib/acmesmith/certificate.rb', line 147

def common_name
  certificate.subject.to_a.assoc('CN')&.fetch(1)
end

#export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc')) ⇒ CertificateExport

Returns:

• (CertificateExport)

# File 'lib/acmesmith/certificate.rb', line 179

def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
  CertificateExport.new.tap do |h|
    h.certificate = certificate.to_pem
    h.chain = issuer_pems
    h.fullchain = fullchain
    h.private_key = if passphrase
      private_key.export(cipher, passphrase)
    else
      private_key.export
    end
  end
end

#fullchain ⇒ String

Returns leaf certificate + full certificate chain.

Returns:

• (String) —

  leaf certificate + full certificate chain

# File 'lib/acmesmith/certificate.rb', line 127

def fullchain
  "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)
end

#issuer_pems ⇒ String

Returns issuer certificate chain.

Returns:

• (String) —

  issuer certificate chain

# File 'lib/acmesmith/certificate.rb', line 132

def issuer_pems
  chain.map(&:to_pem).join("\n")
end

#key_passphrase=(pw) ⇒ Object

Try to decrypt private_key if encrypted.

Parameters:

• pw (String) —

  passphrase for encrypted PEM

Raises:

• (PrivateKeyDecrypted) —

  if private_key is decrypted

# File 'lib/acmesmith/certificate.rb', line 105

def key_passphrase=(pw)
  raise PrivateKeyDecrypted, 'private_key already given' if @private_key

  @private_key = OpenSSL::PKey.read(@raw_private_key, pw)

  @raw_private_key = nil
  nil
end

#pkcs12(passphrase) ⇒ OpenSSL::PKCS12

Returns:

• (OpenSSL::PKCS12)

# File 'lib/acmesmith/certificate.rb', line 174

def pkcs12(passphrase)
  OpenSSL::PKCS12.create(passphrase, name, private_key, certificate, chain)
end

#private_key ⇒ OpenSSL::PKey::PKey

Returns:

• (OpenSSL::PKey::PKey)

Raises:

• (PassphraseRequired) —

  if private_key is not yet decrypted

# File 'lib/acmesmith/certificate.rb', line 116

def private_key
  return @private_key if @private_key
  raise PassphraseRequired, 'key_passphrase required'
end

#public_key ⇒ OpenSSL::PKey::PKey

Returns:

• (OpenSSL::PKey::PKey)

# File 'lib/acmesmith/certificate.rb', line 122

def public_key
  @certificate.public_key
end

#sans ⇒ Array<String>

Returns a list of DNS subject alternative names included in the certificate. Strips DNS: prefix from returned values.

Returns:

• (Array<String>) —

  Subject Alternative Names (dNSname)

# File 'lib/acmesmith/certificate.rb', line 162

def sans
  all_sans.select do |san|
    san.start_with?('DNS:')
  end.map { |_| _[4..-1] }
end

#version ⇒ String

Returns Version string (consists of NotBefore time & certificate serial).

Returns:

• (String) —

  Version string (consists of NotBefore time & certificate serial)

# File 'lib/acmesmith/certificate.rb', line 169

def version
  "#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
end