Class: SCEP::PKIOperation::Request
- Defined in:
- lib/scep/pki_operation/request.rb
Overview
Handles decoding or creation of a scep CSR request.
EJBCA Support
This requires tampering of the SCEP request. Please see #tamper_scep_message_type
Constant Summary
Constants inherited from Base
Base::DEFAULT_CIPHER_ALGORITHM
Instance Attribute Summary collapse
-
#csr ⇒ OpenSSL::X509::Request
The certificate request.
-
#tamper_scep_message_type ⇒ Boolean
(also: #tamper_scep_message_type?)
Whether we should tamper with the SCEP message type.
Attributes inherited from Base
#p7enc, #p7sign, #ra_keypair, #x509_store
Instance Method Summary collapse
-
#add_scep_message_type(pkcs7) ⇒ OpenSSL::PKCS7
protected
Adds a required message type to the PKCS7 request.
-
#challenge_password ⇒ String?
Get the challenge password from the request, if any.
-
#challenge_password? ⇒ Boolean
TRUE if the request has a challenge password, FALSE otherwise.
-
#csr_challenge_password ⇒ Object
protected
Gets the challenge password from the CSR.
-
#decrypt(signed_and_encrypted_csr, verify = true) ⇒ OpenSSL::X509::Request
Decrypts a signed and encrypted csr.
-
#encrypt(target_encryption_certs) ⇒ OpenSSL::PKCS7
Encrypt and sign the CSR.
-
#initialize(ra_keypair) ⇒ Request
constructor
A new instance of Request.
-
#proxy(signed_and_encrypted_csr, target_encryption_certs, verify = true) ⇒ OpenSSL::PKCS7
Decrypts a signed and encrypted payload and then re-encrypts it.
-
#recalculate_authenticated_attributes_digest(signer_info) ⇒ Object
protected
todo: this currently does not work! Kept here for future purposes.
Methods inherited from Base
#add_verification_certificate, #check_if_recipient_matches_ra_certificate_name, create_default_cipher, #sign_and_encrypt_raw, #unsign_and_unencrypt_raw, #wrap_array
Methods included from Loggable
Constructor Details
#initialize(ra_keypair) ⇒ Request
Returns a new instance of Request.
70 71 72 73 |
# File 'lib/scep/pki_operation/request.rb', line 70 def initialize(ra_keypair) super @tamper_scep_message_type = false end |
Instance Attribute Details
#csr ⇒ OpenSSL::X509::Request
The certificate request
41 42 43 |
# File 'lib/scep/pki_operation/request.rb', line 41 def csr @csr end |
#tamper_scep_message_type ⇒ Boolean Also known as: tamper_scep_message_type?
Need to figure out how to re-calculate the SCEP extended attributes signature, which will make this obsolete!
Whether we should tamper with the SCEP message type. This is required to work with some SCEP implementations, but this may cause verification to fail. Only affects encryption.
67 68 69 |
# File 'lib/scep/pki_operation/request.rb', line 67 def @tamper_scep_message_type end |
Instance Method Details
#add_scep_message_type(pkcs7) ⇒ OpenSSL::PKCS7 (protected)
Don't tamper with the signer info once you've used this method!
Adds a required message type to the PKCS7 request. I can't believe I'm doing this...
Take a look at https://tools.ietf.org/html/draft-nourse-scep-11. Here, we're adding the signerInfo/messageType of "PKCSReq" inside of the "Signed PKCSReq."
150 151 152 153 154 155 156 157 158 159 |
# File 'lib/scep/pki_operation/request.rb', line 150 def (pkcs7) asn1 = OpenSSL::ASN1.decode(pkcs7.to_der) pkcs_cert_resp_signed = asn1.value[1].value[0] signer_info = pkcs_cert_resp_signed.value[4].value[0] authenticated_attributes = signer_info.value[3] authenticated_attributes.value << SCEP::ASN1.(SCEP::ASN1::MESSAGE_TYPE_PKCS_REQ) # todo: broken?? -- # recalculate_authenticated_attributes_digest(signer_info) return OpenSSL::PKCS7.new(asn1.to_der) end |
#challenge_password ⇒ String?
Get the challenge password from the request, if any
83 84 85 86 |
# File 'lib/scep/pki_operation/request.rb', line 83 def challenge_password return nil unless challenge_password? csr_challenge_password.value.value.first.value end |
#challenge_password? ⇒ Boolean
Returns TRUE if the request has a challenge password, FALSE otherwise.
76 77 78 |
# File 'lib/scep/pki_operation/request.rb', line 76 def challenge_password? csr && csr.challenge_password? end |
#csr_challenge_password ⇒ Object (protected)
Gets the challenge password from the CSR
138 139 140 |
# File 'lib/scep/pki_operation/request.rb', line 138 def csr_challenge_password csr.send(:read_attributes_by_oid, 'challengePassword') end |
#decrypt(signed_and_encrypted_csr, verify = true) ⇒ OpenSSL::X509::Request
Decrypts a signed and encrypted csr. Sets #csr to the decrypted value
107 108 109 110 |
# File 'lib/scep/pki_operation/request.rb', line 107 def decrypt(signed_and_encrypted_csr, verify = true) raw_csr = unsign_and_unencrypt_raw(signed_and_encrypted_csr, verify) @csr = OpenSSL::X509::Request.new(raw_csr) end |
#encrypt(target_encryption_certs) ⇒ OpenSSL::PKCS7
Encrypt and sign the CSR
115 116 117 118 119 120 121 122 123 124 |
# File 'lib/scep/pki_operation/request.rb', line 115 def encrypt(target_encryption_certs) raise ArgumentError, '#csr must be an OpenSSL::X509::Request' unless csr.is_a?(OpenSSL::X509::Request) p7enc = sign_and_encrypt_raw(csr.to_der, target_encryption_certs) if logger.info 'Tampering SCEP message type - request may be rejected by RA' p7enc = (p7enc) end p7enc end |
#proxy(signed_and_encrypted_csr, target_encryption_certs, verify = true) ⇒ OpenSSL::PKCS7
Decrypts a signed and encrypted payload and then re-encrypts it. #csr will contain the CSR object
130 131 132 133 |
# File 'lib/scep/pki_operation/request.rb', line 130 def proxy(signed_and_encrypted_csr, target_encryption_certs, verify = true) decrypt(signed_and_encrypted_csr, verify) encrypt(target_encryption_certs) end |
#recalculate_authenticated_attributes_digest(signer_info) ⇒ Object (protected)
todo: this currently does not work! Kept here for future purposes
162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
# File 'lib/scep/pki_operation/request.rb', line 162 def recalculate_authenticated_attributes_digest(signer_info) digest_algorithm = signer_info.value[2].value[0].sn # => "SHA256" # This is where this is not working - we need to hash the "authenticatedAttributes", # but this does not appear to be hashing the correct thing! authenticated_attributes = signer_info.value[3] new_digest = SCEP::ASN1.calculate_and_generate_pkcs7_signature_hash( authenticated_attributes.to_der, digest_algorithm) encrypted_digest = ra_keypair.private_key.private_encrypt(new_digest.to_der) signer_info.value.last.value = encrypted_digest end |