Class: Registration::SslCertificate
- Inherits:
-
Object
- Object
- Registration::SslCertificate
- Defined in:
- src/lib/registration/ssl_certificate.rb
Overview
Class handling an SSL certificate. TODO: move it to yast2 to share it?
Constant Summary collapse
- INSTSYS_SERVER_CERT_FILE =
Path to the registration certificate in the instsys
"/etc/pki/trust/anchors/registration_server.pem".freeze
- CA_CERTS_DIR =
Path to system CA certificates
"/var/lib/ca-certificates".freeze
- TMP_CA_CERTS_DIR =
Path to temporary CA certificates (to be used only in instsys)
"/var/lib/YaST2/ca-certificates".freeze
Instance Attribute Summary collapse
-
#x509_cert ⇒ Object
readonly
Returns the value of attribute x509_cert.
Class Method Summary collapse
-
.default_certificate_path ⇒ String
Path to store the certificate of the registration server.
- .download(url, insecure: false) ⇒ Object
- .load(data) ⇒ Object
- .load_file(file) ⇒ Object
-
.update_instsys_ca ⇒ Boolean
Update instsys CA certificates.
Instance Method Summary collapse
- #expired? ⇒ Boolean
- #expires_on ⇒ Object
- #fingerprint(sum) ⇒ Object
- #import ⇒ Object
-
#import_to_instsys ⇒ Boolean
Import the certificate to the installation system.
-
#import_to_system ⇒ Boolean
Import a certificate to the installed system.
-
#initialize(x509_cert) ⇒ SslCertificate
constructor
A new instance of SslCertificate.
- #issued_on ⇒ Object
- #issuer_name ⇒ Object
- #issuer_organization ⇒ Object
- #issuer_organization_unit ⇒ Object
-
#serial ⇒ Object
certificate serial number (in HEX format, e.g. AB:CD:42:FF...).
- #subject_name ⇒ Object
- #subject_organization ⇒ Object
- #subject_organization_unit ⇒ Object
- #valid_yet? ⇒ Boolean
Constructor Details
#initialize(x509_cert) ⇒ SslCertificate
Returns a new instance of SslCertificate
# File 'src/lib/registration/ssl_certificate.rb', line 31
# Wrap an already parsed X.509 certificate.
#
# The certificate is only stored; nothing is validated here, so callers
# decide themselves whether the certificate is trustworthy.
#
# @param x509_cert [OpenSSL::X509::Certificate] parsed certificate to wrap
def initialize(x509_cert)
  @x509_cert = x509_cert
end
Instance Attribute Details
#x509_cert ⇒ Object (readonly)
Returns the value of attribute x509_cert
# File 'src/lib/registration/ssl_certificate.rb', line 19
# Read-only access to the wrapped certificate.
#
# @return [OpenSSL::X509::Certificate] the certificate given to the constructor
def x509_cert
  @x509_cert
end
Class Method Details
.default_certificate_path ⇒ String
Path to store the certificate of the registration server
During installation, the certificate should be written to a read-write directory. On an installed system, the method relies on SUSEConnect.
# File 'src/lib/registration/ssl_certificate.rb', line 27
# Path where the registration server certificate is stored.
#
# In the installation system (initial stage) a writable location inside the
# instsys is used; on an installed system the path defined by SUSEConnect
# is reused so both tools agree on the trusted certificate.
#
# @return [String] absolute path of the certificate file
def self.default_certificate_path
  if Yast::Stage.initial
    INSTSYS_SERVER_CERT_FILE
  else
    SUSE::Connect::YaST::SERVER_CERT_FILE
  end
end
.download(url, insecure: false) ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 44
# Download a certificate and wrap it.
#
# The downloaded data is only parsed; it is not checked against any trust
# anchor here, so the caller is responsible for verifying it (e.g. by
# fingerprint) before importing it.
#
# @param url [String] location to download the certificate from
# @param insecure [Boolean] passed through to Downloader; presumably relaxes
#   TLS verification of the download itself — confirm in Downloader
# @return [SslCertificate] the downloaded certificate
def self.download(url, insecure: false)
  load(Downloader.download(url, insecure: insecure))
end
.load(data) ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 39
# Parse certificate data (PEM or DER) and wrap it.
#
# @param data [String] raw certificate data
# @return [SslCertificate] the wrapped certificate
# @raise [OpenSSL::X509::CertificateError] when the data is not a valid certificate
def self.load(data)
  SslCertificate.new(OpenSSL::X509::Certificate.new(data))
end
.load_file(file) ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 35
# Read a certificate from a file and wrap it.
#
# @param file [String] path of the certificate file
# @return [SslCertificate] the wrapped certificate
# @raise [SystemCallError] when the file cannot be read
def self.load_file(file)
  contents = File.read(file)
  load(contents)
end
.update_instsys_ca ⇒ Boolean
Update instsys CA certificates
update-ca-certificates script cannot be used in inst-sys. See bsc#981428 and bsc#989787.
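# File 'src/lib/registration/ssl_certificate.rb', line 61
# Update the instsys CA certificates.
#
# The update-ca-certificates script cannot be used in inst-sys (see
# bsc#981428 and bsc#989787), so the OpenSSL-style directory is rebuilt
# with "trust extract" into a temporary directory and then copied into the
# system CA directory by hand.
#
# @return [Boolean] true when every extracted file/link exists in the target
#   directories after copying, false when nothing was extracted or a copy
#   is missing
def self.update_instsys_ca
  # Rebuild the OpenSSL-style CA directory from the configured trust anchors
  Yast::Execute.locally("trust", "extract", "--format=openssl-directory",
    "--filter=ca-anchors", "--overwrite", TMP_CA_CERTS_DIR)

  files = Dir[File.join(TMP_CA_CERTS_DIR, "*")]
  return false if files.empty?

  targets = ["pem", "openssl"].map { |d| File.join(CA_CERTS_DIR, d) }
  new_files = targets.each_with_object([]) do |subdir, memo|
    FileUtils.mkdir_p(subdir) unless Dir.exist?(subdir)
    files.each do |file|
      # FileUtils.cp does not seem to allow copying the links without
      # dereferencing them, so use cp(1) to keep the hash links as links.
      Yast::Execute.locally("cp", "--no-dereference", "--preserve=links", file, subdir)
      memo << File.join(subdir, File.basename(file))
    end
  end

  FileUtils.rm_rf(TMP_CA_CERTS_DIR)

  # Verify every copy, not only the last one: a partially failed copy must
  # not be reported as a successful CA update.
  new_files.all? { |path| File.exist?(path) }
end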
Instance Method Details
#expired? ⇒ Boolean
# File 'src/lib/registration/ssl_certificate.rb', line 103
# Whether the certificate's validity period is already over.
#
# Compares notAfter with the local system clock (Time.now), so a wrong
# system time changes the answer.
#
# @return [Boolean] true when notAfter lies in the past
def expired?
  x509_cert.not_after < Time.now
end
#expires_on ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 99
# End of the validity period as a date string.
#
# @return [String] notAfter converted to local time, formatted as YYYY-MM-DD
def expires_on
  local_expiry = x509_cert.not_after.localtime
  local_expiry.strftime("%F")
end
#fingerprint(sum) ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 131
# Certificate fingerprint for the requested digest.
#
# @param sum [String] digest name, matched case-insensitively against
#   Fingerprint::SHA1 and Fingerprint::SHA256
# @return [Object] result of the matching *_fingerprint helper
# @raise [RuntimeError] for any other digest name
def fingerprint(sum)
  checksum_type = sum.upcase
  case checksum_type
  when Fingerprint::SHA1 then sha1_fingerprint
  when Fingerprint::SHA256 then sha256_fingerprint
  else raise "Unsupported checksum type '#{sum}'"
  end
end
#import ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 154
# Import the certificate into the trust store of the current environment.
#
# Dispatches on the installation stage: the instsys procedure during
# installation, the SUSEConnect based one on an installed system.
#
# @return [Boolean] result of the selected import method
def import
  if Yast::Stage.initial
    import_to_instsys
  else
    import_to_system
  end
end
#import_to_instsys ⇒ Boolean
Import the certificate to the installation system
This method exists because the procedure to import certificates to the installation system is slightly different from the one followed to import certificates to an installed system.
# File 'src/lib/registration/ssl_certificate.rb', line 178
# Import the certificate into the installation system.
#
# Writes the certificate in PEM form to the instsys anchor path and then
# rebuilds the instsys CA directory. No validation happens here: once
# written, the certificate is trusted, so callers must have verified it
# (e.g. its fingerprint) beforehand.
#
# @return [Boolean] result of the CA database update
def import_to_instsys
  target = self.class.default_certificate_path
  File.write(target, x509_cert.to_pem)
  self.class.update_instsys_ca
end
#import_to_system ⇒ Boolean
Import a certificate to the installed system
# File 'src/lib/registration/ssl_certificate.rb', line 161
# Import the certificate into an installed system via SUSEConnect.
#
# Failures of the underlying system calls are logged and reported as false
# instead of being raised, so callers must check the return value.
#
# @return [Boolean] true on success, false when SUSEConnect reported an error
def import_to_system
  begin
    ::SUSE::Connect::YaST.import_certificate(x509_cert)
    true
  rescue ::SUSE::Connect::SystemCallError => e
    log.error("Error updating system CA certificates: #{e.message}")
    false
  end
end
#issued_on ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 91
# Start of the validity period as a date string.
#
# @return [String] notBefore converted to local time, formatted as YYYY-MM-DD
def issued_on
  local_start = x509_cert.not_before.localtime
  local_start.strftime("%F")
end
#issuer_name ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 119
# Common name (CN) of the certificate issuer.
#
# @return [Object] whatever find_issuer_attribute returns for "CN"
def issuer_name
  find_issuer_attribute("CN")
end
#issuer_organization ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 123
# Organization (O) of the certificate issuer.
#
# @return [Object] whatever find_issuer_attribute returns for "O"
def issuer_organization
  find_issuer_attribute("O")
end
#issuer_organization_unit ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 127
# Organizational unit (OU) of the certificate issuer.
#
# @return [Object] whatever find_issuer_attribute returns for "OU"
def issuer_organization_unit
  find_issuer_attribute("OU")
end
#serial ⇒ Object
certificate serial number (in HEX format, e.g. AB:CD:42:FF...)
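# File 'src/lib/registration/ssl_certificate.rb', line 87
# Certificate serial number in HEX format, e.g. "AB:CD:42:FF".
#
# The hex string is padded to an even number of digits before it is split
# into byte pairs; without the padding an odd-length string (e.g. a zero
# serial, which renders as "0") would silently lose its last digit and a
# zero serial would become an empty string.
#
# @return [String] colon-separated hex byte pairs, digits as produced by
#   Integer/BN#to_s(16)
def serial
  hex = x509_cert.serial.to_s(16)
  hex = "0#{hex}" if hex.length.odd?
  hex.scan(/../).join(":")
end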
#subject_name ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 107
# Common name (CN) of the certificate subject.
#
# @return [Object] whatever find_subject_attribute returns for "CN"
def subject_name
  find_subject_attribute("CN")
end
#subject_organization ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 111
# Organization (O) of the certificate subject.
#
# @return [Object] whatever find_subject_attribute returns for "O"
def subject_organization
  find_subject_attribute("O")
end
#subject_organization_unit ⇒ Object
# File 'src/lib/registration/ssl_certificate.rb', line 115
# Organizational unit (OU) of the certificate subject.
#
# @return [Object] whatever find_subject_attribute returns for "OU"
def subject_organization_unit
  find_subject_attribute("OU")
end
#valid_yet? ⇒ Boolean
# File 'src/lib/registration/ssl_certificate.rb', line 95
# Whether the certificate's validity period has already started.
#
# Compares notBefore with the local system clock (Time.now); it says
# nothing about expiry, see #expired? for that.
#
# @return [Boolean] true when notBefore lies in the past
def valid_yet?
  x509_cert.not_before < Time.now
end