From c1486cb9688d53c5ae266ff22ab279ead12eaa36 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 10 Apr 2014 12:45:21 +0200
Subject: move certs into toplevel

cleaned up all the engine stuff that was never really used.
Afterwards there is not that much left that makes it into the toplevel.
---
 app/controllers/v1/certs_controller.rb |  50 +++++++++++++++
 app/models/client_certificate.rb       | 113 +++++++++++++++++++++++++++++++++
 2 files changed, 163 insertions(+)
 create mode 100644 app/controllers/v1/certs_controller.rb
 create mode 100644 app/models/client_certificate.rb

(limited to 'app')

diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
new file mode 100644
index 0000000..64cfa7f
--- /dev/null
+++ b/app/controllers/v1/certs_controller.rb
@@ -0,0 +1,50 @@
+class V1::CertsController < ApplicationController
+
+  before_filter :require_login, :unless => :anonymous_certs_allowed?
+
+  # GET /cert
+  def show
+    @cert = ClientCertificate.new(:prefix => certificate_prefix)
+    render text: @cert.to_s, content_type: 'text/plain'
+  end
+
+  protected
+
+  def anonymous_certs_allowed?
+    APP_CONFIG[:allow_anonymous_certs]
+  end
+  #
+  # this is some temporary logic until we store the service level in the user db.
+  #
+  # better logic might look like this:
+  #
+  # if logged_in?
+  #   service_level = user.service_level
+  # elsif allow_anonymous?
+  #   service_level = service_levels[:anonymous]
+  # else
+  #   service_level = nil
+  # end
+  #
+  # if service_level.bandwidth == 'limited' && allow_limited?
+  #   prefix = limited
+  # elsif allow_unlimited?
+  #   prefix = unlimited
+  # else
+  #   prefix = nil
+  # end
+  #
+  def certificate_prefix
+    if logged_in?
+      if APP_CONFIG[:allow_unlimited_certs]
+        APP_CONFIG[:unlimited_cert_prefix]
+      elsif APP_CONFIG[:allow_limited_certs]
+        APP_CONFIG[:limited_cert_prefix]
+      end
+    elsif !APP_CONFIG[:allow_limited_certs]
+      APP_CONFIG[:unlimited_cert_prefix]
+    else
+      APP_CONFIG[:limited_cert_prefix]
+    end
+  end
+end
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
new file mode 100644
index 0000000..76b07a2
--- /dev/null
+++ b/app/models/client_certificate.rb
@@ -0,0 +1,113 @@
+#
+# Model for certificates
+#
+# This file must be loaded after Config has been loaded.
+#
+require 'base64'
+require 'digest/md5'
+require 'openssl'
+require 'certificate_authority'
+require 'date'
+
+class ClientCertificate
+
+  attr_accessor :key                          # the client private RSA key
+  attr_accessor :cert                         # the client x509 certificate, signed by the CA
+
+  #
+  # generate the private key and client certificate
+  #
+  def initialize(options = {})
+    cert = CertificateAuthority::Certificate.new
+
+    # set subject
+    cert.subject.common_name = common_name(options[:prefix])
+
+    # set expiration
+    cert.not_before = yesterday
+    cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+
+    # generate key
+    cert.serial_number.number = cert_serial_number
+    cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size])
+
+    # sign
+    cert.parent = ClientCertificate.root_ca
+    cert.sign! client_signing_profile
+
+    self.key = cert.key_material.private_key
+    self.cert = cert
+  end
+
+  def to_s
+    self.key.to_pem + self.cert.to_pem
+  end
+
+  private
+
+  def self.root_ca
+    @root_ca ||= begin
+                   crt = File.read(APP_CONFIG[:client_ca_cert])
+                   key = File.read(APP_CONFIG[:client_ca_key])
+                   openssl_cert = OpenSSL::X509::Certificate.new(crt)
+                   cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
+                   cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password])
+                   cert
+                 end
+  end
+
+  #
+  # For cert serial numbers, we need a non-colliding number less than 160 bits.
+  # md5 will do nicely, since there is no need for a secure hash, just a short one.
+  # (md5 is 128 bits)
+  #
+  def cert_serial_number
+    Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
+  end
+
+  def common_name(prefix = nil)
+    [prefix, random_common_name].join
+  end
+
+  #
+  # for the random common name, we need a text string that will be unique across all certs.
+  # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
+  #
+  def random_common_name
+    cert_serial_number.to_s(36)
+  end
+
+  def client_signing_profile
+    {
+      "digest" => APP_CONFIG[:client_cert_hash],
+      "extensions" => {
+        "keyUsage" => {
+          "usage" => ["digitalSignature"]
+        },
+        "extendedKeyUsage" => {
+          "usage" => ["clientAuth"]
+        }
+      }
+    }
+  end
+
+  ##
+  ## TIME HELPERS
+  ##
+  ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
+  ## are behind UTC.
+  ##
+
+  def yesterday
+    t = Time.now - 24*60*60
+    Time.utc t.year, t.month, t.day
+  end
+
+  def months_from_yesterday(num)
+    t = yesterday
+    date = Date.new t.year, t.month, t.day
+    date = date >> num # >> is months in the future operator
+    Time.utc date.year, date.month, date.day
+  end
+
+end
-- 
cgit v1.2.3