Class: DevPKI::CA

Inherits:
Object
  • Object
show all
Defined in:
lib/devpki/ca.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(id = 0) ⇒ CA

Returns a new instance of CA.

Raises:



13
14
15
16
17
18
 
# File 'lib/devpki/ca.rb', line 13

def initialize(id=0)
  raise CADBError.new("CA ##{id} does not exist. It must be initialized first.") if not DevPKI::CA.exists?(id)

  @sqlite_db = SQLite3::Database.open(DevPKI::CA.db_path(id))
  @id = id
end

Instance Attribute Details

#idObject

Returns the value of attribute id.



11
12
13
 
# File 'lib/devpki/ca.rb', line 11

def id
  @id
end

#sqlite_dbObject

Returns the value of attribute sqlite_db.



10
11
12
 
# File 'lib/devpki/ca.rb', line 10

def sqlite_db
  @sqlite_db
end

Class Method Details

.db_path(id) ⇒ Object

Returns the path to a CA database



117
118
119
 
# File 'lib/devpki/ca.rb', line 117

def self.db_path(id)
  DevPKI::DataDirectory::absolute_path_for("ca_#{id}.db")
end

.delete(id) ⇒ Object

Raises:



20
21
22
23
 
# File 'lib/devpki/ca.rb', line 20

def self.delete(id)
  raise InvalidOption.new("CA with ID #{id} does not exist.") if not self.exists?(id)
  File.delete self.db_path(id)
end

.exists?(id) ⇒ Boolean

Checks if CA with given ID exists

Returns:

  • (Boolean) 


112
113
114
 
# File 'lib/devpki/ca.rb', line 112

def self.exists?(id)
  File.exists?(self.db_path(id))
end

.init(id, name = nil, parent_ca_id = nil) ⇒ Object

Initializes an empty CA database and generates a certificate for self

Raises:



26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
 
# File 'lib/devpki/ca.rb', line 26

def self.init(id, name=nil, parent_ca_id=nil)
  raise InvalidOption.new("CA with ID #{id} already exists!") if self.exists?(id)
  raise InvalidOption.new("Parent CA with ID #{id} does not exist!") if parent_ca_id != nil and not self.exists?(parent_ca_id)

  db = SQLite3::Database.new(self.db_path(id))

  sql = <<-SQL
    create table certificates (
      id integer primary key autoincrement,
      private_key_id integer not null,
      pem text,

      FOREIGN KEY(private_key_id) REFERENCES private_keys(id)
    );

    create table private_keys (
      id integer primary key autoincrement,
      pem text
    );
  SQL

  db.execute_batch(sql)

  if parent_ca_id != nil
    raise InvalidOption.new("Parent CA with ID #{id} does not exist!") if not self.exists?(parent_ca_id)
    puts "Exists: #{self.exists?(parent_ca_id)}"
    parent_db = SQLite3::Database.open(self.db_path(parent_ca_id))

    parent_ca_raw = parent_db.get_first_value( "select pem from certificates" )
    parent_key_raw = parent_db.get_first_value( "select pem from private_keys" )

    parent_ca_cert = OpenSSL::X509::Certificate.new parent_ca_raw
    parent_ca_key = OpenSSL::PKey::RSA.new parent_key_raw
  end

  key = OpenSSL::PKey::RSA.new(2048)
  public_key = key.public_key

  name ||= "Generic DevPKI CA ##{id}"
  subject = "/CN=#{name}"

  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse(subject)
  if parent_ca_id == nil
    cert.issuer = cert.subject
  else
    cert.issuer = parent_ca_cert.subject
  end
  cert.not_before = Time.now
  cert.not_after = Time.now + 2 * 365 * 24 * 60 * 60
  cert.public_key = public_key
  cert.serial = Random.rand(1..100000)
  cert.version = 2

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert

  if parent_ca_id == nil
    ef.issuer_certificate = cert
  else
    ef.issuer_certificate = parent_ca_cert
  end

  cert.extensions = [
    ef.create_extension("basicConstraints","CA:TRUE", true),
    ef.create_extension("subjectKeyIdentifier", "hash"),
  ]
  cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                         "keyid:always,issuer:always")

  if parent_ca_id == nil
    cert.sign key, OpenSSL::Digest::SHA512.new
  else
    cert.sign parent_ca_key, OpenSSL::Digest::SHA512.new
  end

  db.execute( "INSERT INTO private_keys (pem) VALUES ( ? )", key.to_pem )
  private_key_id = db.last_insert_row_id

  db.execute( "INSERT INTO certificates (private_key_id, pem) VALUES ( ?, ? )", private_key_id, cert.to_pem)

  puts key.to_pem
  puts cert.to_pem
end