Class: OpenSSL::Netscape::SPKI

Inherits:
Object
  • Object
show all
Defined in:
ossl_ns_spki.c,
ossl_ns_spki.c

Overview

A Simple Public Key Infrastructure implementation (pronounced “spookey”). The structure is defined as

PublicKeyAndChallenge ::= SEQUENCE {
  spki SubjectPublicKeyInfo,
  challenge IA5STRING
}

SignedPublicKeyAndChallenge ::= SEQUENCE {
  publicKeyAndChallenge PublicKeyAndChallenge,
  signatureAlgorithm AlgorithmIdentifier,
  signature BIT STRING
}

where the definitions of SubjectPublicKeyInfo and AlgorithmIdentifier can be found in RFC5280. SPKI is typically used in browsers for generating a public/private key pair and a subsequent certificate request, using the HTML <keygen> element.

Examples

Creating an SPKI

key = OpenSSL::PKey::RSA.new 2048
spki = OpenSSL::Netscape::SPKI.new
spki.challenge = "RandomChallenge"
spki.public_key = key.public_key
spki.sign(key, OpenSSL::Digest::SHA256.new)
#send a request containing this to a server generating a certificate

Verifiying an SPKI request

request = #...
spki = OpenSSL::Netscape::SPKI.new request
unless spki.verify(spki.public_key)
  # signature is invalid
end
#proceed

Instance Method Summary collapse

Constructor Details

#new([request]) ⇒ Object

Parameters

  • request - optional raw request, either in PEM or DER format.


78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# File 'ossl_ns_spki.c', line 78

static VALUE
ossl_spki_initialize(int argc, VALUE *argv, VALUE self)
{
    NETSCAPE_SPKI *spki;
    VALUE buffer;
    const unsigned char *p;

    if (rb_scan_args(argc, argv, "01", &buffer) == 0) {
	return self;
    }
    StringValue(buffer);
    if (!(spki = NETSCAPE_SPKI_b64_decode(RSTRING_PTR(buffer), -1))) {
	p = (unsigned char *)RSTRING_PTR(buffer);
	if (!(spki = d2i_NETSCAPE_SPKI(NULL, &p, RSTRING_LEN(buffer)))) {
	    ossl_raise(eSPKIError, NULL);
	}
    }
    NETSCAPE_SPKI_free(DATA_PTR(self));
    DATA_PTR(self) = spki;
    ERR_clear_error();

    return self;
}

Instance Method Details

#challengeString

Returns the challenge string associated with this SPKI.

Returns:

  • (String)

231
232
233
234
235
236
237
238
239
240
241
242
243
244
# File 'ossl_ns_spki.c', line 231

static VALUE
ossl_spki_get_challenge(VALUE self)
{
    NETSCAPE_SPKI *spki;

    GetSPKI(self, spki);
    if (spki->spkac->challenge->length <= 0) {
	OSSL_Debug("Challenge.length <= 0?");
	return rb_str_new(0, 0);
    }

    return rb_str_new((const char *)spki->spkac->challenge->data,
		      spki->spkac->challenge->length);
}

#challenge=(str) ⇒ String

Parameters

  • str - the challenge string to be set for this instance

Sets the challenge to be associated with the SPKI. May be used by the server, e.g. to prevent replay.

Returns:

  • (String)

256
257
258
259
260
261
262
263
264
265
266
267
268
269
# File 'ossl_ns_spki.c', line 256

static VALUE
ossl_spki_set_challenge(VALUE self, VALUE str)
{
    NETSCAPE_SPKI *spki;

    StringValue(str);
    GetSPKI(self, spki);
    if (!ASN1_STRING_set(spki->spkac->challenge, RSTRING_PTR(str),
			 RSTRING_LENINT(str))) {
	ossl_raise(eSPKIError, NULL);
    }

    return str;
}

#public_keyObject

Returns the public key associated with the SPKI, an instance of OpenSSL::PKey.


187
188
189
190
191
192
193
194
195
196
197
198
199
# File 'ossl_ns_spki.c', line 187

static VALUE
ossl_spki_get_public_key(VALUE self)
{
    NETSCAPE_SPKI *spki;
    EVP_PKEY *pkey;

    GetSPKI(self, spki);
    if (!(pkey = NETSCAPE_SPKI_get_pubkey(spki))) { /* adds an reference */
	ossl_raise(eSPKIError, NULL);
    }

    return ossl_pkey_new(pkey); /* NO DUP - OK */
}

#public_key=(pub) ⇒ Object

Parameters

  • pub - the public key to be set for this instance

Sets the public key to be associated with the SPKI, an instance of OpenSSL::PKey. This should be the public key corresponding to the private key used for signing the SPKI.


212
213
214
215
216
217
218
219
220
221
222
223
# File 'ossl_ns_spki.c', line 212

static VALUE
ossl_spki_set_public_key(VALUE self, VALUE key)
{
    NETSCAPE_SPKI *spki;

    GetSPKI(self, spki);
    if (!NETSCAPE_SPKI_set_pubkey(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */
	ossl_raise(eSPKIError, NULL);
    }

    return key;
}

#sign(key, digest) ⇒ Object

Parameters

  • key - the private key to be used for signing this instance

  • digest - the digest to be used for signing this instance

To sign an SPKI, the private key corresponding to the public key set for this instance should be used, in addition to a digest algorithm in the form of an OpenSSL::Digest. The private key should be an instance of OpenSSL::PKey.


284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
# File 'ossl_ns_spki.c', line 284

static VALUE
ossl_spki_sign(VALUE self, VALUE key, VALUE digest)
{
    NETSCAPE_SPKI *spki;
    EVP_PKEY *pkey;
    const EVP_MD *md;

    pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
    md = GetDigestPtr(digest);
    GetSPKI(self, spki);
    if (!NETSCAPE_SPKI_sign(spki, pkey, md)) {
	ossl_raise(eSPKIError, NULL);
    }

    return self;
}

#to_derObject

Returns the DER encoding of this SPKI.


108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# File 'ossl_ns_spki.c', line 108

static VALUE
ossl_spki_to_der(VALUE self)
{
    NETSCAPE_SPKI *spki;
    VALUE str;
    long len;
    unsigned char *p;

    GetSPKI(self, spki);
    if ((len = i2d_NETSCAPE_SPKI(spki, NULL)) <= 0)
        ossl_raise(eX509CertError, NULL);
    str = rb_str_new(0, len);
    p = (unsigned char *)RSTRING_PTR(str);
    if (i2d_NETSCAPE_SPKI(spki, &p) <= 0)
        ossl_raise(eX509CertError, NULL);
    ossl_str_adjust(str, p);

    return str;
}

#to_pemObject Also known as: to_s

Returns the PEM encoding of this SPKI.


134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'ossl_ns_spki.c', line 134

static VALUE
ossl_spki_to_pem(VALUE self)
{
    NETSCAPE_SPKI *spki;
    char *data;
    VALUE str;

    GetSPKI(self, spki);
    if (!(data = NETSCAPE_SPKI_b64_encode(spki))) {
	ossl_raise(eSPKIError, NULL);
    }
    str = ossl_buf2str(data, rb_long2int(strlen(data)));

    return str;
}

#to_textString

Returns a textual representation of this SPKI, useful for debugging purposes.

Returns:

  • (String)

157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# File 'ossl_ns_spki.c', line 157

static VALUE
ossl_spki_print(VALUE self)
{
    NETSCAPE_SPKI *spki;
    BIO *out;
    BUF_MEM *buf;
    VALUE str;

    GetSPKI(self, spki);
    if (!(out = BIO_new(BIO_s_mem()))) {
	ossl_raise(eSPKIError, NULL);
    }
    if (!NETSCAPE_SPKI_print(out, spki)) {
	BIO_free(out);
	ossl_raise(eSPKIError, NULL);
    }
    BIO_get_mem_ptr(out, &buf);
    str = rb_str_new(buf->data, buf->length);
    BIO_free(out);

    return str;
}

#verify(key) ⇒ Boolean

Parameters

  • key - the public key to be used for verifying the SPKI signature

Returns true if the signature is valid, false otherwise. To verify an SPKI, the public key contained within the SPKI should be used.

Returns:

  • (Boolean)

311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
# File 'ossl_ns_spki.c', line 311

static VALUE
ossl_spki_verify(VALUE self, VALUE key)
{
    NETSCAPE_SPKI *spki;

    GetSPKI(self, spki);
    switch (NETSCAPE_SPKI_verify(spki, GetPKeyPtr(key))) { /* NO NEED TO DUP */
    case 0:
	return Qfalse;
    case 1:
	return Qtrue;
    default:
	ossl_raise(eSPKIError, NULL);
    }
    return Qnil; /* dummy */
}