Class: Vines::Store
- Inherits:
-
Object
- Object
- Vines::Store
- Defined in:
- lib/vines/store.rb
Overview
An X509 certificate store that validates certificate trust chains. This uses the conf/certs/*.crt files as the list of trusted root CA certificates.
Constant Summary collapse
- @@certs =
nil
Instance Method Summary collapse
-
#certs ⇒ Object
Return the trusted root CA certificates installed in conf/certs.
-
#domain?(pem, domain) ⇒ Boolean
Return true if the domain name matches one of the names in the certificate.
-
#initialize ⇒ Store
constructor
A new instance of Store.
-
#trusted?(pem) ⇒ Boolean
Return true if the certificate is signed by a CA certificate in the store.
Constructor Details
#initialize ⇒ Store
Returns a new instance of Store.
11 12 13 14 |
# File 'lib/vines/store.rb', line 11 def initialize @store = OpenSSL::X509::Store.new certs.each {|c| @store.add_cert(c) } end |
Instance Method Details
#certs ⇒ Object
Return the trusted root CA certificates installed in conf/certs. These certificates are used to start the trust chain needed to validate certs we receive from clients and servers.
39 40 41 42 43 44 45 46 47 48 49 |
# File 'lib/vines/store.rb', line 39 def certs unless @@certs pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m dir = File.join(VINES_ROOT, 'conf', 'certs') certs = Dir[File.join(dir, '*.crt')].map {|f| File.read(f) } certs = certs.map {|c| c.scan(pattern) }.flatten certs.map! {|c| OpenSSL::X509::Certificate.new(c) } @@certs = certs.reject {|c| c.not_after < Time.now } end @@certs end |
#domain?(pem, domain) ⇒ Boolean
Return true if the domain name matches one of the names in the certificate. In other words, is the certificate provided to us really for the domain to which we think we’re connected?
30 31 32 33 34 |
# File 'lib/vines/store.rb', line 30 def domain?(pem, domain) if cert = OpenSSL::X509::Certificate.new(pem) rescue nil OpenSSL::SSL.verify_certificate_identity(cert, domain) rescue false end end |
#trusted?(pem) ⇒ Boolean
Return true if the certificate is signed by a CA certificate in the store. If the certificate can be trusted, it’s added to the store so it can be used to trust other certs.
19 20 21 22 23 24 25 |
# File 'lib/vines/store.rb', line 19 def trusted?(pem) if cert = OpenSSL::X509::Certificate.new(pem) rescue nil @store.verify(cert).tap do |trusted| @store.add_cert(cert) if trusted rescue nil end end end |