Class: Registration::SslCertificate

Inherits:
Object
  • Object
Defined in:
src/lib/registration/ssl_certificate.rb

Overview

Class handling an SSL certificate. TODO: move it to yast2 to share it?

Constant Summary collapse

INSTSYS_SERVER_CERT_FILE =

Path to the registration certificate in the instsys

"/etc/pki/trust/anchors/registration_server.pem".freeze
CA_CERTS_DIR =

Path to system CA certificates

"/var/lib/ca-certificates".freeze
TMP_CA_CERTS_DIR =

Path to temporary CA certificates (to be used only in instsys)

"/var/lib/YaST2/ca-certificates".freeze

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(x509_cert) ⇒ SslCertificate

Returns a new instance of SslCertificate


# File 'src/lib/registration/ssl_certificate.rb', line 31

# Wrap an already parsed X509 certificate.
#
# @param x509_cert [OpenSSL::X509::Certificate] certificate to wrap; see
#   .load, which builds it from raw certificate data
def initialize(x509_cert)
  @x509_cert = x509_cert
end

Instance Attribute Details

#x509_certObject (readonly)

Returns the value of attribute x509_cert


# File 'src/lib/registration/ssl_certificate.rb', line 19

# The wrapped certificate object.
#
# @return [OpenSSL::X509::Certificate] certificate given to the constructor
def x509_cert
  @x509_cert
end

Class Method Details

.default_certificate_pathString

Path to store the certificate of the registration server

During installation, the certificate should be written to a read-write directory. On an installed system, the method relies on SUSEConnect.

Returns:

  • (String)

    Path to store the certificate


# File 'src/lib/registration/ssl_certificate.rb', line 27

# Path to store the certificate of the registration server
#
# During installation the certificate must land in a writable location
# (INSTSYS_SERVER_CERT_FILE); on an installed system the path is the one
# SUSEConnect uses.
#
# @return [String] Path to store the certificate
def self.default_certificate_path
  if Yast::Stage.initial
    INSTSYS_SERVER_CERT_FILE
  else
    SUSE::Connect::YaST::SERVER_CERT_FILE
  end
end

.download(url, insecure: false) ⇒ Object


# File 'src/lib/registration/ssl_certificate.rb', line 44

# Fetch a certificate from an URL and wrap it.
#
# @param url [String] location of the certificate
# @param insecure [Boolean] passed through unchanged to Downloader.download
# @return [SslCertificate] the downloaded certificate (via .load)
def self.download(url, insecure: false)
  load(Downloader.download(url, insecure: insecure))
end

.load(data) ⇒ Object


# File 'src/lib/registration/ssl_certificate.rb', line 39

# Build an SslCertificate from raw certificate data.
#
# @param data [String] certificate contents as accepted by
#   OpenSSL::X509::Certificate.new (PEM or DER)
# @return [SslCertificate] wrapper around the parsed certificate
# @raise [OpenSSL::X509::CertificateError] when data is not a certificate
def self.load(data)
  SslCertificate.new(OpenSSL::X509::Certificate.new(data))
end

.load_file(file) ⇒ Object


# File 'src/lib/registration/ssl_certificate.rb', line 35

# Build an SslCertificate from a certificate file.
#
# @param file [String] path of the PEM/DER file to read
# @return [SslCertificate] result of .load on the file contents
# @raise [Errno::ENOENT] when the file does not exist (from File.read)
def self.load_file(file)
  data = File.read(file)
  load(data)
end

.update_instsys_caBoolean

Update instsys CA certificates

update-ca-certificates script cannot be used in inst-sys. See bsc#981428 and bsc#989787.

Returns:

  • (Boolean)

    true if update was successful; false otherwise.

See Also:


# File 'src/lib/registration/ssl_certificate.rb', line 61

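# Update instsys CA certificates
#
# update-ca-certificates script cannot be used in inst-sys, so the trust
# anchors are extracted with "trust extract" into TMP_CA_CERTS_DIR and then
# copied by hand into the "pem" and "openssl" subdirectories of CA_CERTS_DIR.
# See bsc#981428 and bsc#989787.
#
# TMP_CA_CERTS_DIR is removed in an ensure clause, so it is also cleaned up
# on the early return and if the trust/cp invocation raises, instead of
# leaving a stale partial trust store behind.
#
# @return [Boolean] true if update was successful (every extracted file is
#   present in every target directory); false otherwise.
def self.update_instsys_ca
  # Update database
  Yast::Execute.locally("trust", "extract", "--format=openssl-directory", "--filter=ca-anchors",
    "--overwrite", TMP_CA_CERTS_DIR)

  # Copy certificates/links
  files = Dir[File.join(TMP_CA_CERTS_DIR, "*")]
  return false if files.empty?

  targets = ["pem", "openssl"].map { |d| File.join(CA_CERTS_DIR, d) }
  new_files = targets.each_with_object([]) do |subdir, memo|
    # mkdir_p is already a no-op for an existing directory
    FileUtils.mkdir_p(subdir)
    files.each do |file|
      # FileUtils.cp does not seem to allow copying the links without dereferencing them.
      Yast::Execute.locally("cp", "--no-dereference", "--preserve=links", file, subdir)
      memo << File.join(subdir, File.basename(file))
    end
  end

  # Check that every file was copied, not only the last one
  new_files.all? { |f| File.exist?(f) }
ensure
  # Cleanup (runs on success, on the early return and on an exception)
  FileUtils.rm_rf(TMP_CA_CERTS_DIR)
end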

Instance Method Details

#expired?Boolean

Returns:

  • (Boolean)

# File 'src/lib/registration/ssl_certificate.rb', line 103

# Whether the certificate's validity period has already ended.
#
# @return [Boolean] true when the current time is past not_after
def expired?
  x509_cert.not_after < Time.now
end

#expires_onObject


# File 'src/lib/registration/ssl_certificate.rb', line 99

# Expiration date in the local time zone.
#
# @return [String] not_after formatted as YYYY-MM-DD
def expires_on
  local_end = x509_cert.not_after.localtime
  local_end.strftime("%F")
end

#fingerprint(sum) ⇒ Object


# File 'src/lib/registration/ssl_certificate.rb', line 131

# Fingerprint of the certificate for the given digest.
#
# @param sum [String] digest name, matched case-insensitively against
#   Fingerprint::SHA1 and Fingerprint::SHA256
# @return [Object] value of #sha1_fingerprint or #sha256_fingerprint
# @raise [RuntimeError] for any other digest name
def fingerprint(sum)
  digest = sum.upcase
  case digest
  when Fingerprint::SHA1 then sha1_fingerprint
  when Fingerprint::SHA256 then sha256_fingerprint
  else raise "Unsupported checksum type '#{sum}'"
  end
end

#importObject


# File 'src/lib/registration/ssl_certificate.rb', line 154

# Import the certificate into the running system.
#
# Dispatches on Yast::Stage.initial: the installation system needs the
# manual procedure in #import_to_instsys, an installed system goes through
# #import_to_system.
#
# @return [Boolean] result of the chosen import method
def import
  if Yast::Stage.initial
    import_to_instsys
  else
    import_to_system
  end
end

#import_to_instsysBoolean

Import the certificate to the installation system

This method exists because the procedure to import certificates into the installation system differs slightly from the one used to import certificates into an installed system.

Returns:

  • (Boolean)

    true if import was successful; false otherwise.

See Also:


# File 'src/lib/registration/ssl_certificate.rb', line 178

# Import the certificate to the installation system
#
# update-ca-certificates cannot be used in inst-sys, so the PEM is written
# to the instsys certificate path and the trust database is rebuilt by hand.
#
# @return [Boolean] true if import was successful; false otherwise
#   (the result of .update_instsys_ca)
# @see .update_instsys_ca
def import_to_instsys
  target = self.class.default_certificate_path
  File.write(target, x509_cert.to_pem)

  self.class.update_instsys_ca
end

#import_to_systemBoolean

Import a certificate to the installed system

Returns:

  • (Boolean)

    true if import was successful; false otherwise.


# File 'src/lib/registration/ssl_certificate.rb', line 161

# Import a certificate to the installed system
#
# Delegates to SUSEConnect; a SUSE::Connect::SystemCallError raised by it is
# logged and turned into a false return value instead of propagating.
#
# @return [Boolean] true if import was successful; false otherwise.
def import_to_system
  ::SUSE::Connect::YaST.import_certificate(x509_cert)
  true
rescue ::SUSE::Connect::SystemCallError => error
  log.error("Error updating system CA certificates: #{error.message}")
  false
end

#issued_onObject


# File 'src/lib/registration/ssl_certificate.rb', line 91

# Start of validity in the local time zone.
#
# @return [String] not_before formatted as YYYY-MM-DD
def issued_on
  local_start = x509_cert.not_before.localtime
  local_start.strftime("%F")
end

#issuer_nameObject


# File 'src/lib/registration/ssl_certificate.rb', line 119

# Common name (CN) of the certificate issuer.
#
# @return [Object] whatever #find_issuer_attribute returns for "CN"
def issuer_name
  find_issuer_attribute("CN")
end

#issuer_organizationObject


# File 'src/lib/registration/ssl_certificate.rb', line 123

# Organization (O) of the certificate issuer.
#
# @return [Object] whatever #find_issuer_attribute returns for "O"
def issuer_organization
  find_issuer_attribute("O")
end

#issuer_organization_unitObject


# File 'src/lib/registration/ssl_certificate.rb', line 127

# Organizational unit (OU) of the certificate issuer.
#
# @return [Object] whatever #find_issuer_attribute returns for "OU"
def issuer_organization_unit
  find_issuer_attribute("OU")
end

#serialObject

certificate serial number (in HEX format, e.g. AB:CD:42:FF...)


# File 'src/lib/registration/ssl_certificate.rb', line 87

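# Certificate serial number in HEX format, e.g. "AB:CD:42:FF".
#
# For an OpenSSL::X509::Certificate the serial is an OpenSSL::BN whose
# #to_s(16) is already uppercase and even-length for a positive value, but a
# zero serial yields "0" and a plain Integer yields lowercase, possibly
# odd-length digits. Splitting such a string with scan(/../) silently drops
# the last nibble, so the value is upcased and left-padded to an even length
# first; this keeps the output identical for the common case and makes the
# displayed serial complete for the others.
#
# @return [String] colon-separated uppercase hex byte pairs
def serial
  hex = x509_cert.serial.to_s(16).upcase
  hex = hex.rjust(hex.length + 1, "0") if hex.length.odd?
  hex.scan(/../).join(":")
end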

#subject_nameObject


# File 'src/lib/registration/ssl_certificate.rb', line 107

# Common name (CN) of the certificate subject.
#
# @return [Object] whatever #find_subject_attribute returns for "CN"
def subject_name
  find_subject_attribute("CN")
end

#subject_organizationObject


# File 'src/lib/registration/ssl_certificate.rb', line 111

# Organization (O) of the certificate subject.
#
# @return [Object] whatever #find_subject_attribute returns for "O"
def subject_organization
  find_subject_attribute("O")
end

#subject_organization_unitObject


# File 'src/lib/registration/ssl_certificate.rb', line 115

# Organizational unit (OU) of the certificate subject.
#
# @return [Object] whatever #find_subject_attribute returns for "OU"
def subject_organization_unit
  find_subject_attribute("OU")
end

#valid_yet?Boolean

Returns:

  • (Boolean)

# File 'src/lib/registration/ssl_certificate.rb', line 95

# Whether the certificate's validity period has already started.
#
# Note the name: true means "valid by now", i.e. not_before is in the past;
# it says nothing about expiry (see #expired?).
#
# @return [Boolean] true when the current time is past not_before
def valid_yet?
  x509_cert.not_before < Time.now
end