Module: Bullion::Helpers::Ssl

Defined in:

lib/bullion/helpers/ssl.rb

Overview

SSL-related helper methods

Instance Method Summary

• #base64_to_long(data) ⇒ Object
• #base64_to_octet(data) ⇒ Object
• #build_valid_alt_names(csr) ⇒ Object
• #cn_from_csr(csr) ⇒ Object
• #cn_or_first_san_from_csr(csr) ⇒ Object
• #digest_from_alg(alg) ⇒ Object
• #domains_from_csr(csr) ⇒ Object
• #ecdsa_sig_to_der(incoming) ⇒ Object

  This is for ECDSA keys.

• #extract_csr_attrs(csr) ⇒ Object
• #extract_csr_domains(csr_sans) ⇒ Object
• #extract_csr_sans(csr_attrs) ⇒ Object
• #extract_san_values(sequence) ⇒ Object
• #filter_sans(potential_sans) ⇒ Object
• #key_data_to_ecdsa(key_data) ⇒ Object
• #key_data_to_rsa(key_data) ⇒ Object
• #manage_csr_extensions(csr, new_cert) ⇒ Object
• #openssl_compat(key_data) ⇒ Object

  Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures.

• #sign_csr(csr, username) ⇒ Object

  Signs an ACME CSR rubocop:disable Metrics/AbcSize.

• #simple_subject(common_name) ⇒ Object
• #to_hex(int) ⇒ Object

Instance Method Details

#base64_to_long(data) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 61

def base64_to_long(data)
  Base64.urlsafe_decode64(data).to_s.unpack("C*").map do |byte|
    to_hex(byte)
  end.join.to_i(16)
end

#base64_to_octet(data) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 67

def base64_to_octet(data)
  Base64.urlsafe_decode64(data)
end

#build_valid_alt_names(csr) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 193

def build_valid_alt_names(csr)
  cn = cn_or_first_san_from_csr(csr)
  csr_domains = domains_from_csr(csr)
  existing_sans = filter_sans(csr_domains).map { |d| "DNS:#{d}" }
  (["DNS:#{cn}"] + [*existing_sans]).uniq
end

#cn_from_csr(csr) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 170

def cn_from_csr(csr)
  return unless csr.subject.to_s

  cns = csr.subject.to_s.split("/").grep(/^CN=/)

  cns.first.split("=").last if cns && !cns.empty?
end

#cn_or_first_san_from_csr(csr) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 178

def cn_or_first_san_from_csr(csr)
  cn = cn_from_csr(csr)
  return cn if cn

  csr_attrs = extract_csr_attrs(csr)
  csr_sans = extract_csr_sans(csr_attrs)
  extract_csr_domains(csr_sans).first
end

#digest_from_alg(alg) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 71

def digest_from_alg(alg)
  if alg.end_with?("256")
    OpenSSL::Digest.new("SHA256")
  elsif alg.end_with?("384")
    OpenSSL::Digest.new("SHA384")
  else
    OpenSSL::Digest.new("SHA512")
  end
end

#domains_from_csr(csr) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 187

def domains_from_csr(csr)
  csr_attrs = extract_csr_attrs(csr)
  csr_sans = extract_csr_sans(csr_attrs)
  extract_csr_domains(csr_sans)
end

#ecdsa_sig_to_der(incoming) ⇒ Object

This is for ECDSA keys.

See Also:

• https://bit.ly/3b7yZFd

# File 'lib/bullion/helpers/ssl.rb', line 83

def ecdsa_sig_to_der(incoming)
  # Base64 decode the signature
  joined_ints = Base64.urlsafe_decode64(incoming)
  # Break it apart into the two 32-byte words
  r = joined_ints[0..31]
  s = joined_ints[32..]
  # Unpack each word to a hex string
  hexnums = [r, s].map { |n| n.unpack1("H*") }
  # Convert each to an Integer
  ints = hexnums.map { |bn| bn.to_i(16) }
  # Convert each Integer to a BigNumber
  bns = ints.map { |int| OpenSSL::BN.new(int) }
  # Wrap each BigNum in a ASN1 encoding
  asn1_wrapped = bns.map { |bn| OpenSSL::ASN1::Integer.new(bn) }
  # Create an ASN1 sequence from the ASN1-wrapped Integers
  seq = OpenSSL::ASN1::Sequence.new(asn1_wrapped)
  # Return the DER-encoded sequence for verification
  seq.to_der
end

#extract_csr_attrs(csr) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 138

def extract_csr_attrs(csr)
  csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
end

#extract_csr_domains(csr_sans) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 146

def extract_csr_domains(csr_sans)
  subject_alt_names = csr_sans.first.value.find { |v| v.tag == 4 }
  csr_decoded_sans = OpenSSL::ASN1.decode(subject_alt_names.value)
  csr_decoded_sans.value.select { |v| v.tag == 2 }.map(&:value)
end

#extract_csr_sans(csr_attrs) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 142

def extract_csr_sans(csr_attrs)
  csr_attrs.flatten.select { |a| a.value.first.value == "subjectAltName" }
end

#extract_san_values(sequence) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 152

def extract_san_values(sequence)
  unpacked_sequence = sequence
  unpacked_sequence = unpacked_sequence.first while unpacked_sequence.first.is_a?(Array)
  seqvalues = nil
  unpacked_sequence.each do |outer_value|
    seqvalues = outer_value.value[1].value if outer_value.value[0].value == "subjectAltName"
    break if seqvalues
  end
  seqvalues
end

#filter_sans(potential_sans) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 163

def filter_sans(potential_sans)
  # Select only those that are part of the appropriate domain
  potential_sans.select do |alt|
    Bullion.config.ca.domains.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
  end
end

#key_data_to_ecdsa(key_data) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 34

def key_data_to_ecdsa(key_data)
  crv_mapping = {
    "P-256" => "prime256v1",
    "secp256k1" => "secp256k1",
    "P-384" => "secp384r1",
    "P-521" => "secp521r1"
  }

  x = base64_to_octet(key_data["x"])
  y = base64_to_octet(key_data["y"])
  curve_name = crv_mapping[key_data["crv"]]
  raise "Unknown curve" unless curve_name

  key_group = OpenSSL::PKey::EC::Group.new(curve_name)
  key_bn = OpenSSL::BN.new("\x04#{x}#{y}", 2)
  key_point = OpenSSL::PKey::EC::Point.new(key_group, key_bn)

  pk_sequence = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId("id-ecPublicKey"), OpenSSL::ASN1::ObjectId(curve_name)]
  )
  bitstring = OpenSSL::ASN1::BitString.new(key_point.to_octet_string(:uncompressed))

  outer_sequence = OpenSSL::ASN1::Sequence.new([pk_sequence, bitstring])

  OpenSSL::PKey::EC.new(outer_sequence.to_der)
end

#key_data_to_rsa(key_data) ⇒ Object

See Also:

• https://tools.ietf.org/html/rfc7518#page-30

# File 'lib/bullion/helpers/ssl.rb', line 18

def key_data_to_rsa(key_data)
  exponent = base64_to_long(key_data["e"])
  modulus = base64_to_long(key_data["n"])

  data_sequence = OpenSSL::ASN1::Sequence.new(
    [
      OpenSSL::ASN1::Integer.new(modulus),
      OpenSSL::ASN1::Integer.new(exponent)
    ]
  )

  outer_sequence = OpenSSL::ASN1::Sequence.new(data_sequence)

  OpenSSL::PKey::RSA.new(outer_sequence.to_der)
end

#manage_csr_extensions(csr, new_cert) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 111

def manage_csr_extensions(csr, new_cert)
  # Build extensions
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = new_cert
  ef.issuer_certificate = Bullion.ca_cert
  new_cert.add_extension(
    ef.create_extension("basicConstraints", "CA:FALSE", true)
  )
  new_cert.add_extension(
    ef.create_extension("keyUsage", "keyEncipherment,dataEncipherment,digitalSignature", true)
  )
  new_cert.add_extension(
    ef.create_extension("subjectKeyIdentifier", "hash")
  )
  new_cert.add_extension(
    ef.create_extension("extendedKeyUsage", "serverAuth")
  )

  # Alternate Names
  valid_alts = build_valid_alt_names(csr)

  new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))

  # return the updated cert and any subject alternate names added
  [new_cert, valid_alts]
end

#openssl_compat(key_data) ⇒ Object

Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures

# File 'lib/bullion/helpers/ssl.rb', line 8

def openssl_compat(key_data)
  case key_data["kty"]
  when "RSA"
    key_data_to_rsa(key_data)
  when "EC"
    key_data_to_ecdsa(key_data)
  end
end

#sign_csr(csr, username) ⇒ Object

Signs an ACME CSR rubocop:disable Metrics/AbcSize

# File 'lib/bullion/helpers/ssl.rb', line 202

def sign_csr(csr, username)
  cert = Models::Certificate.from_csr(csr)
  # Create a OpenSSL cert using select info from the CSR
  csr_cert = OpenSSL::X509::Certificate.new
  csr_cert.serial = cert.serial
  csr_cert.version = 2 # OpenSSL uses zero-indexed versions: 2 = x509v3
  csr_cert.not_before = Time.now
  # only 90 days for ACMEv2
  csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)

  # Force a subject if the cert doesn't have one
  cert.subject = simple_subject(cn_or_first_san_from_csr(csr)) unless cert.subject

  csr_cert.subject = simple_subject(cert.subject.to_s)

  csr_cert.public_key = csr.public_key
  csr_cert.issuer = Bullion.ca_cert.subject

  csr_cert, sans = manage_csr_extensions(csr, csr_cert)

  csr_cert.sign(Bullion.ca_key, OpenSSL::Digest.new("SHA256"))

  cert.data = csr_cert.to_pem
  cert.alternate_names = sans unless sans.empty?
  cert.requester = username
  cert.validated = true
  cert.save

  [csr_cert, cert.id]
end

#simple_subject(common_name) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 107

def simple_subject(common_name)
  OpenSSL::X509::Name.new([["CN", common_name, OpenSSL::ASN1::UTF8STRING]])
end

#to_hex(int) ⇒ Object

# File 'lib/bullion/helpers/ssl.rb', line 103

def to_hex(int)
  int < 16 ? "0#{int.to_s(16)}" : int.to_s(16)
end