summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/controllers/v1/certs_controller.rb50
-rw-r--r--app/models/client_certificate.rb113
2 files changed, 163 insertions, 0 deletions
diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
new file mode 100644
index 0000000..64cfa7f
--- /dev/null
+++ b/app/controllers/v1/certs_controller.rb
@@ -0,0 +1,50 @@
+class V1::CertsController < ApplicationController
+
+ before_filter :require_login, :unless => :anonymous_certs_allowed?
+
+ # GET /cert
+ def show
+ @cert = ClientCertificate.new(:prefix => certificate_prefix)
+ render text: @cert.to_s, content_type: 'text/plain'
+ end
+
+ protected
+
+ def anonymous_certs_allowed?
+ APP_CONFIG[:allow_anonymous_certs]
+ end
+ #
+ # this is some temporary logic until we store the service level in the user db.
+ #
+ # better logic might look like this:
+ #
+ # if logged_in?
+ # service_level = user.service_level
+ # elsif allow_anonymous?
+ # service_level = service_levels[:anonymous]
+ # else
+ # service_level = nil
+ # end
+ #
+ # if service_level.bandwidth == 'limited' && allow_limited?
+ # prefix = limited
+ # elsif allow_unlimited?
+ # prefix = unlimited
+ # else
+ # prefix = nil
+ # end
+ #
+ def certificate_prefix
+ if logged_in?
+ if APP_CONFIG[:allow_unlimited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ elsif APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:limited_cert_prefix]
+ end
+ elsif !APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ else
+ APP_CONFIG[:limited_cert_prefix]
+ end
+ end
+end
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
new file mode 100644
index 0000000..76b07a2
--- /dev/null
+++ b/app/models/client_certificate.rb
@@ -0,0 +1,113 @@
+#
+# Model for certificates
+#
+# This file must be loaded after Config has been loaded.
+#
+require 'base64'
+require 'digest/md5'
+require 'openssl'
+require 'certificate_authority'
+require 'date'
+
+class ClientCertificate
+
+ attr_accessor :key # the client private RSA key
+ attr_accessor :cert # the client x509 certificate, signed by the CA
+
+ #
+ # generate the private key and client certificate
+ #
+ def initialize(options = {})
+ cert = CertificateAuthority::Certificate.new
+
+ # set subject
+ cert.subject.common_name = common_name(options[:prefix])
+
+ # set expiration
+ cert.not_before = yesterday
+ cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+
+ # generate key
+ cert.serial_number.number = cert_serial_number
+ cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size])
+
+ # sign
+ cert.parent = ClientCertificate.root_ca
+ cert.sign! client_signing_profile
+
+ self.key = cert.key_material.private_key
+ self.cert = cert
+ end
+
+ def to_s
+ self.key.to_pem + self.cert.to_pem
+ end
+
+ private
+
+ def self.root_ca
+ @root_ca ||= begin
+ crt = File.read(APP_CONFIG[:client_ca_cert])
+ key = File.read(APP_CONFIG[:client_ca_key])
+ openssl_cert = OpenSSL::X509::Certificate.new(crt)
+ cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
+ cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password])
+ cert
+ end
+ end
+
+ #
+ # For cert serial numbers, we need a non-colliding number less than 160 bits.
+ # md5 will do nicely, since there is no need for a secure hash, just a short one.
+ # (md5 is 128 bits)
+ #
+ def cert_serial_number
+ Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
+ end
+
+ def common_name(prefix = nil)
+ [prefix, random_common_name].join
+ end
+
+ #
+ # for the random common name, we need a text string that will be unique across all certs.
+ # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
+ #
+ def random_common_name
+ cert_serial_number.to_s(36)
+ end
+
+ def client_signing_profile
+ {
+ "digest" => APP_CONFIG[:client_cert_hash],
+ "extensions" => {
+ "keyUsage" => {
+ "usage" => ["digitalSignature"]
+ },
+ "extendedKeyUsage" => {
+ "usage" => ["clientAuth"]
+ }
+ }
+ }
+ end
+
+ ##
+ ## TIME HELPERS
+ ##
+ ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
+ ## are behind UTC.
+ ##
+
+ def yesterday
+ t = Time.now - 24*60*60
+ Time.utc t.year, t.month, t.day
+ end
+
+ def months_from_yesterday(num)
+ t = yesterday
+ date = Date.new t.year, t.month, t.day
+ date = date >> num # >> is months in the future operator
+ Time.utc date.year, date.month, date.day
+ end
+
+end