Class: EasyRSA::Revoke

Inherits:
Object
Defined in:
lib/easyrsa/revoke.rb

Defined Under Namespace

Classes: InvalidCARootPrivateKey, InvalidCertificate, InvalidCertificateRevocationList, MissingCARootKey, MissingParameter, UnableToRevoke


Constructor Details

#initialize(revoke = nil, &block) ⇒ Revoke

Let's get revoking: builds the CRL entry (serial number plus revocation time) for the certificate to be revoked.



# File 'lib/easyrsa/revoke.rb', line 12

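# Prepare the CRL entry for a certificate that is to be revoked.
#
# Accepts the certificate as a PEM string, as an OpenSSL::X509::Certificate,
# or directly as a serial number (Integer or OpenSSL::BN). Strings that do
# not contain a PEM certificate are rejected rather than guessed at, because
# a bare serial string is ambiguous (decimal vs. hex). The block argument is
# kept for interface compatibility and is not used.
#
# @param revoke [String, OpenSSL::X509::Certificate, Integer, OpenSSL::BN]
# @raise [EasyRSA::Revoke::InvalidCertificate] if revoke is nil, a PEM string
#   that does not parse, or a value of any other type
def initialize(revoke=nil, &block)
  serial_to_revoke =
    case revoke
    when OpenSSL::X509::Certificate
      revoke.serial
    when Integer, OpenSSL::BN
      revoke
    when String
      # Only parse what looks like a PEM certificate; a parse failure is
      # mapped to nil so it is reported the same way as any other bad input.
      if revoke.include?('BEGIN CERTIFICATE')
        begin
          OpenSSL::X509::Certificate.new(revoke).serial
        rescue OpenSSL::X509::CertificateError
          nil
        end
      end
    end

  # nil covers the missing argument, unsupported types, non-PEM strings
  # and unparseable PEM alike.
  if serial_to_revoke.nil?
    fail EasyRSA::Revoke::InvalidCertificate,
      'Unable to revoke this cert because it is not a certificate'
  end

  @revoked = OpenSSL::X509::Revoked.new
  @revoked.serial = serial_to_revoke
  # Revocation date is "now"; revoke! reuses it as the CRL's lastUpdate.
  @revoked.time = Time.now
end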

Instance Method Details

#revoke!(cakey = nil, crl = nil, next_update = 36000) ⇒ Object



# File 'lib/easyrsa/revoke.rb', line 35

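# Add the entry prepared in #initialize to a CRL and sign it with the CA key.
#
# @param cakey [OpenSSL::PKey::RSA, String] the CA private key as a key
#   object, an inline PEM string, or a path to a PEM file
# @param crl [String, nil] an existing CRL (PEM or DER) to extend; nil
#   starts from an empty CRL
# @param next_update [Numeric] seconds from now until the CRL's nextUpdate
# @return [OpenSSL::X509::CRL] the signed CRL (also kept for #to_pem)
# @raise [EasyRSA::Revoke::MissingCARootKey] if cakey is nil
# @raise [EasyRSA::Revoke::InvalidCARootPrivateKey] if cakey cannot be read
#   or parsed as an RSA key, or is not a private key
# @raise [EasyRSA::Revoke::InvalidCertificateRevocationList] if crl cannot
#   be parsed
#
# Security notes for callers:
# - The supplied crl is not verified against the CA before it is extended and
#   re-signed, and its entries become the authoritative list: a serial missing
#   from it is effectively un-revoked. Take crl from trusted storage only.
# - Nothing here touches CRL extensions, so a crlNumber carried by a loaded
#   CRL is not incremented; confirm whether relying parties depend on that.
def revoke!(cakey=nil, crl=nil, next_update=36000)
  if cakey.nil?
    fail EasyRSA::Revoke::MissingCARootKey,
      'Please provide the root CA cert for the CRL'
  end

  # Key object, inline PEM, or path. A missing/unreadable file used to leak
  # Errno::ENOENT and a malformed inline PEM leaked RSAError; both are now
  # reported as InvalidCARootPrivateKey.
  unless cakey.is_a? OpenSSL::PKey::RSA
    begin
      key_pem = cakey.to_s
      # Matches the traditional 'BEGIN RSA PRIVATE KEY' header as well as
      # PKCS#8 'BEGIN PRIVATE KEY'; anything else is treated as a file path.
      key_pem = File.read(key_pem) unless key_pem =~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/
      cakey = OpenSSL::PKey::RSA.new(key_pem)
    rescue OpenSSL::PKey::RSAError, SystemCallError
      fail EasyRSA::Revoke::InvalidCARootPrivateKey,
        'This is not a valid Private key file.'
    end
  end

  # Reject a public-only key before attempting to sign with it.
  unless cakey.private?
    fail EasyRSA::Revoke::InvalidCARootPrivateKey,
      'This is not a valid Private key file.'
  end

  @crl =
    if crl.nil?
      OpenSSL::X509::CRL.new
    else
      begin
        OpenSSL::X509::CRL.new crl
      rescue StandardError
        fail EasyRSA::Revoke::InvalidCertificateRevocationList,
          'Invalid CRL provided.'
      end
    end

  # Re-revoking a serial that the loaded CRL already lists must not append a
  # duplicate entry; the existing entry (and its earlier date) is kept.
  already_listed = @crl.revoked.any? { |entry| entry.serial == @revoked.serial }
  @crl.add_revoked(@revoked) unless already_listed

  # Required CRL fields. lastUpdate is the revocation timestamp taken in
  # #initialize; version 1 is the zero-based encoding of an X.509 v2 CRL.
  @crl.last_update = @revoked.time
  @crl.next_update = Time.now + next_update
  @crl.version = 1

  @crl.issuer = EasyRSA::gen_issuer

  @updated_crl = @crl.sign(cakey, OpenSSL::Digest::SHA256.new)
end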

#to_pem ⇒ Object



# File 'lib/easyrsa/revoke.rb', line 89

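# PEM encoding of the CRL produced by the last #revoke! call.
#
# @return [String] PEM-encoded X.509 CRL
# @raise [EasyRSA::Revoke::UnableToRevoke] if #revoke! has not been called
#   yet (previously surfaced as an opaque NoMethodError on nil)
def to_pem
  if @updated_crl.nil?
    fail EasyRSA::Revoke::UnableToRevoke,
      'No signed CRL available; call revoke! first'
  end
  @updated_crl.to_pem
end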