Class: Registration::SslCertificate

Inherits:

Object

• Object
• Registration::SslCertificate

Defined in:

src/lib/registration/ssl_certificate.rb

Overview

class handling SSL certificate TODO: move it to yast2 to share it?

Constant Summary

INSTSYS_SERVER_CERT_FILE =

Path to the registration certificate in the instsys

"/etc/pki/trust/anchors/registration_server.pem".freeze

CA_CERTS_DIR =

Path to system CA certificates

"/var/lib/ca-certificates".freeze

TMP_CA_CERTS_DIR =

Path to temporal CA certificates (to be used only in instsys)

"/var/lib/YaST2/ca-certificates".freeze

Instance Attribute Summary

• #x509_cert ⇒ Object readonly

  Returns the value of attribute x509_cert.

Class Method Summary

• .default_certificate_path ⇒ String

  Path to store the certificate of the registration server.

• .download(url, insecure: false) ⇒ Object
• .load(data) ⇒ Object
• .load_file(file) ⇒ Object
• .update_instsys_ca ⇒ Boolean

  Update instys CA certificates.

Instance Method Summary

• #expired? ⇒ Boolean
• #expires_on ⇒ Object
• #fingerprint(sum) ⇒ Object
• #import ⇒ Object
• #import_to_instsys ⇒ Boolean

  Import the certificate to the installation system.

• #import_to_system ⇒ Boolean

  Import a certificate to the installed system.

• #initialize(x509_cert) ⇒ SslCertificate constructor

  A new instance of SslCertificate.

• #issued_on ⇒ Object
• #issuer_name ⇒ Object
• #issuer_organization ⇒ Object
• #issuer_organization_unit ⇒ Object
• #serial ⇒ Object

  certificate serial number (in HEX format, e.g. AB:CD:42:FF...).

• #subject_name ⇒ Object
• #subject_organization ⇒ Object
• #subject_organization_unit ⇒ Object
• #valid_yet? ⇒ Boolean

Constructor Details

#initialize(x509_cert) ⇒ SslCertificate

Returns a new instance of SslCertificate

# File 'src/lib/registration/ssl_certificate.rb', line 31

def initialize(x509_cert)
  @x509_cert = x509_cert
end

Instance Attribute Details

#x509_cert ⇒ Object (readonly)

Returns the value of attribute x509_cert

# File 'src/lib/registration/ssl_certificate.rb', line 19

def x509_cert
  @x509_cert
end

Class Method Details

.default_certificate_path ⇒ String

Path to store the certificate of the registration server

During installation, the certificate should be written to a read-write directory. On an installed system, the method relies in SUSEConnect.

Returns:

• (String) —

  Path to store the certificate

# File 'src/lib/registration/ssl_certificate.rb', line 27

def self.default_certificate_path
  Yast::Stage.initial ? INSTSYS_SERVER_CERT_FILE : SUSE::Connect::YaST::SERVER_CERT_FILE
end

.download(url, insecure: false) ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 44

def self.download(url, insecure: false)
  result = Downloader.download(url, insecure: insecure)
  load(result)
end

.load(data) ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 39

def self.load(data)
  cert = OpenSSL::X509::Certificate.new(data)
  SslCertificate.new(cert)
end

.load_file(file) ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 35

def self.load_file(file)
  load(File.read(file))
end

.update_instsys_ca ⇒ Boolean

Update instys CA certificates

update-ca-certificates script cannot be used in inst-sys. See bsc#981428 and bsc#989787.

Returns:

• (Boolean) —

  true if update was successful; false otherwise.

See Also:

• CA_CERTS_DIR
• TMP_CA_CERTS_DIR

# File 'src/lib/registration/ssl_certificate.rb', line 61

def self.update_instsys_ca
  # Update database
  Yast::Execute.locally("trust", "extract", "--format=openssl-directory", "--filter=ca-anchors",
    "--overwrite", TMP_CA_CERTS_DIR)

  # Copy certificates/links
  files = Dir[File.join(TMP_CA_CERTS_DIR, "*")]
  return false if files.empty?
  targets = ["pem", "openssl"].map { |d| File.join(CA_CERTS_DIR, d) }
  new_files = targets.each_with_object([]) do |subdir, memo|
    FileUtils.mkdir_p(subdir) unless Dir.exist?(subdir)
    files.each do |file|
      # FileUtils.cp does not seem to allow copying the links without dereferencing them.
      Yast::Execute.locally("cp", "--no-dereference", "--preserve=links", file, subdir)
      memo << File.join(subdir, File.basename(file))
    end
  end

  # Cleanup
  FileUtils.rm_rf(TMP_CA_CERTS_DIR)

  # Check that last file was copied to return true or false
  File.exist?(new_files.last)
end

Instance Method Details

#expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'src/lib/registration/ssl_certificate.rb', line 103

def expired?
  Time.now > x509_cert.not_after
end

#expires_on ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 99

def expires_on
  x509_cert.not_after.localtime.strftime("%F")
end

#fingerprint(sum) ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 131

def fingerprint(sum)
  case sum.upcase
  when Fingerprint::SHA1
    sha1_fingerprint
  when Fingerprint::SHA256
    sha256_fingerprint
  else
    raise "Unsupported checksum type '#{sum}'"
  end
end

#import ⇒ Object

See Also:

• #import_to_system
• #import_to_instsys

# File 'src/lib/registration/ssl_certificate.rb', line 154

def import
  Yast::Stage.initial ? import_to_instsys : import_to_system
end

#import_to_instsys ⇒ Boolean

Import the certificate to the installation system

This method exists because the procedure to import certificates to installation system is slightly different to the one followed to import certificates to a installed system.

Returns:

• (Boolean) —

  true if import was successful; false otherwise.

See Also:

• update_instsys_ca

# File 'src/lib/registration/ssl_certificate.rb', line 178

def import_to_instsys
  # Copy certificate
  File.write(self.class.default_certificate_path, x509_cert.to_pem)

  # Update database
  self.class.update_instsys_ca
end

#import_to_system ⇒ Boolean

Import a certificate to the installed system

Returns:

• (Boolean) —

  true if import was successful; false otherwise.

# File 'src/lib/registration/ssl_certificate.rb', line 161

def import_to_system
  ::SUSE::Connect::YaST.import_certificate(x509_cert)
  true
rescue ::SUSE::Connect::SystemCallError => e
  log.error("Error updating system CA certificates: #{e.message}")
  false
end

#issued_on ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 91

def issued_on
  x509_cert.not_before.localtime.strftime("%F")
end

#issuer_name ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 119

def issuer_name
  find_issuer_attribute("CN")
end

#issuer_organization ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 123

def issuer_organization
  find_issuer_attribute("O")
end

#issuer_organization_unit ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 127

def issuer_organization_unit
  find_issuer_attribute("OU")
end

#serial ⇒ Object

certificate serial number (in HEX format, e.g. AB:CD:42:FF...)

# File 'src/lib/registration/ssl_certificate.rb', line 87

def serial
  x509_cert.serial.to_s(16).scan(/../).join(":")
end

#subject_name ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 107

def subject_name
  find_subject_attribute("CN")
end

#subject_organization ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 111

def subject_organization
  find_subject_attribute("O")
end

#subject_organization_unit ⇒ Object

# File 'src/lib/registration/ssl_certificate.rb', line 115

def subject_organization_unit
  find_subject_attribute("OU")
end

#valid_yet? ⇒ Boolean

Returns:

• (Boolean)

# File 'src/lib/registration/ssl_certificate.rb', line 95

def valid_yet?
  Time.now > x509_cert.not_before
end