Class: Blather::CertStore
- Inherits:
-
Object
- Object
- Blather::CertStore
- Defined in:
- lib/blather/cert_store.rb
Overview
An X509 certificate store that validates certificate trust chains. This uses the #cert_directory/*.crt files as the list of trusted root CA certificates.
Instance Method Summary collapse
-
#certs ⇒ Object
Return the trusted root CA certificates installed in the @cert_directory.
-
#domain?(pem, domain) ⇒ Boolean
Return true if the domain name matches one of the names in the certificate.
-
#initialize(cert_directory) ⇒ CertStore
constructor
A new instance of CertStore.
-
#trusted?(pem) ⇒ Boolean
Return true if the certificate is signed by a CA certificate in the store.
Constructor Details
#initialize(cert_directory) ⇒ CertStore
Returns a new instance of CertStore.
9 10 11 12 13 |
# File 'lib/blather/cert_store.rb', line 9 def initialize(cert_directory) @cert_directory = cert_directory @store = OpenSSL::X509::Store.new certs.each {|c| @store.add_cert(c) } end |
Instance Method Details
#certs ⇒ Object
Return the trusted root CA certificates installed in the @cert_directory. These certificates are used to start the trust chain needed to validate certs we receive from clients and servers.
43 44 45 46 47 48 49 50 51 52 53 |
# File 'lib/blather/cert_store.rb', line 43 def certs @certs ||= begin pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m Dir[File.join(@cert_directory, '*.crt')] .map {|f| File.read(f) } .map {|c| c.scan(pattern) } .flatten .map {|c| OpenSSL::X509::Certificate.new(c) } .reject {|c| c.not_after < Time.now } end end |
#domain?(pem, domain) ⇒ Boolean
Return true if the domain name matches one of the names in the certificate. In other words, is the certificate provided to us really for the domain to which we think we’re connected?
34 35 36 37 38 |
# File 'lib/blather/cert_store.rb', line 34 def domain?(pem, domain) if cert = OpenSSL::X509::Certificate.new(pem) OpenSSL::SSL.verify_certificate_identity(cert, domain) end end |
#trusted?(pem) ⇒ Boolean
Return true if the certificate is signed by a CA certificate in the store. If the certificate can be trusted, it’s added to the store so it can be used to trust other certs.
18 19 20 21 22 23 24 25 26 27 28 29 |
# File 'lib/blather/cert_store.rb', line 18 def trusted?(pem) if cert = OpenSSL::X509::Certificate.new(pem) @store.verify(cert).tap do |trusted| begin @store.add_cert(cert) if trusted rescue OpenSSL::X509::StoreError end end end rescue OpenSSL::X509::CertificateError nil end |