1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
class Acme::Client::CertificateRequest
extend Forwardable
DEFAULT_KEY_LENGTH = 2048
DEFAULT_DIGEST = OpenSSL::Digest::SHA256
SUBJECT_KEYS = {
common_name: 'CN',
country_name: 'C',
organization_name: 'O',
organizational_unit: 'OU',
state_or_province: 'ST',
locality_name: 'L'
}.freeze
SUBJECT_TYPES = {
'CN' => OpenSSL::ASN1::UTF8STRING,
'C' => OpenSSL::ASN1::UTF8STRING,
'O' => OpenSSL::ASN1::UTF8STRING,
'OU' => OpenSSL::ASN1::UTF8STRING,
'ST' => OpenSSL::ASN1::UTF8STRING,
'L' => OpenSSL::ASN1::UTF8STRING
}.freeze
attr_reader :private_key, :common_name, :names, :subject
def_delegators :csr, :to_pem, :to_der
def initialize(common_name: nil, names: [], private_key: generate_private_key, subject: {}, digest: DEFAULT_DIGEST.new)
@digest = digest
@private_key = private_key
@subject = normalize_subject(subject)
@common_name = common_name || @subject[SUBJECT_KEYS[:common_name]] || @subject[:common_name]
@names = names.to_a.dup
normalize_names
@subject[SUBJECT_KEYS[:common_name]] ||= @common_name
validate_subject
end
def csr
@csr ||= generate
end
private
def generate_private_key
OpenSSL::PKey::RSA.new(DEFAULT_KEY_LENGTH)
end
def normalize_subject(subject)
@subject = subject.each_with_object({}) do |(key, value), hash|
hash[SUBJECT_KEYS.fetch(key, key)] = value.to_s
end
end
def normalize_names
if @common_name
@names.unshift(@common_name) unless @names.include?(@common_name)
else
raise ArgumentError, 'No common name and no list of names given' if @names.empty?
@common_name = @names.first
end
end
def validate_subject
validate_subject_attributes
validate_subject_common_name
end
def validate_subject_attributes
extra_keys = @subject.keys - SUBJECT_KEYS.keys - SUBJECT_KEYS.values
return if extra_keys.empty?
raise ArgumentError, "Unexpected subject attributes given: #{extra_keys.inspect}"
end
def validate_subject_common_name
return if @common_name == @subject[SUBJECT_KEYS[:common_name]]
raise ArgumentError, 'Conflicting common name given in arguments and subject'
end
def generate
OpenSSL::X509::Request.new.tap do |csr|
csr.public_key = @private_key.public_key
csr.subject = generate_subject
csr.version = 2
add_extension(csr)
csr.sign @private_key, @digest
end
end
def generate_subject
OpenSSL::X509::Name.new(
@subject.map {|name, value|
[name, value, SUBJECT_TYPES[name]]
}
)
end
def add_extension(csr)
return if @names.size <= 1
extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
'subjectAltName', @names.map { |name| "DNS:#{name}" }.join(', '), false
)
csr.add_attribute(
OpenSSL::X509::Attribute.new(
'extReq',
OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([extension])])
)
)
end
end
|
