2019-12-26 22:10:19 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
module SmimeHelper
|
|
|
|
INFINITE_EXPIRY = 1000.years
|
|
|
|
SHORT_EXPIRY = 30.minutes
|
|
|
|
|
|
|
|
def generate_root
|
2020-05-24 23:13:21 +05:30
|
|
|
issue(cn: 'RootCA', signed_by: nil, expires_in: INFINITE_EXPIRY, certificate_authority: true)
|
2019-12-04 20:38:33 +05:30
|
|
|
end
|
|
|
|
|
2020-05-24 23:13:21 +05:30
|
|
|
def generate_intermediate(signer_ca:)
|
|
|
|
issue(cn: 'IntermediateCA', signed_by: signer_ca, expires_in: INFINITE_EXPIRY, certificate_authority: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
def generate_cert(signer_ca:, expires_in: SHORT_EXPIRY)
|
|
|
|
issue(signed_by: signer_ca, expires_in: expires_in, certificate_authority: false)
|
2019-12-04 20:38:33 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
# returns a hash { key:, cert: } containing a generated key, cert pair
|
2020-05-24 23:13:21 +05:30
|
|
|
def issue(email_address: 'test@example.com', cn: nil, signed_by:, expires_in:, certificate_authority:)
|
2019-12-04 20:38:33 +05:30
|
|
|
key = OpenSSL::PKey::RSA.new(4096)
|
|
|
|
public_key = key.public_key
|
|
|
|
|
|
|
|
subject = if certificate_authority
|
2020-05-24 23:13:21 +05:30
|
|
|
OpenSSL::X509::Name.parse("/CN=#{cn}")
|
2019-12-04 20:38:33 +05:30
|
|
|
else
|
2020-03-13 15:44:24 +05:30
|
|
|
OpenSSL::X509::Name.parse("/CN=#{email_address}")
|
2019-12-04 20:38:33 +05:30
|
|
|
end
|
|
|
|
|
2020-03-13 15:44:24 +05:30
|
|
|
cert = OpenSSL::X509::Certificate.new
|
2019-12-04 20:38:33 +05:30
|
|
|
cert.subject = subject
|
|
|
|
|
|
|
|
cert.issuer = signed_by&.fetch(:cert, nil)&.subject || subject
|
|
|
|
|
|
|
|
cert.not_before = Time.now
|
|
|
|
cert.not_after = expires_in.from_now
|
|
|
|
cert.public_key = public_key
|
|
|
|
cert.serial = 0x0
|
|
|
|
cert.version = 2
|
|
|
|
|
2020-03-13 15:44:24 +05:30
|
|
|
extension_factory = OpenSSL::X509::ExtensionFactory.new
|
2019-12-04 20:38:33 +05:30
|
|
|
if certificate_authority
|
|
|
|
extension_factory.subject_certificate = cert
|
|
|
|
extension_factory.issuer_certificate = cert
|
|
|
|
cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
|
|
|
|
cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
|
|
|
|
cert.add_extension(extension_factory.create_extension('keyUsage', 'cRLSign,keyCertSign', true))
|
|
|
|
else
|
|
|
|
cert.add_extension(extension_factory.create_extension('subjectAltName', "email:#{email_address}", false))
|
|
|
|
cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:FALSE', true))
|
|
|
|
cert.add_extension(extension_factory.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
|
|
|
|
cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'clientAuth,emailProtection', false))
|
|
|
|
end
|
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
cert.sign(signed_by&.fetch(:key, nil) || key, OpenSSL::Digest.new('SHA256'))
|
2019-12-04 20:38:33 +05:30
|
|
|
|
|
|
|
{ key: key, cert: cert }
|
|
|
|
end
|
|
|
|
end
|