zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-08-06 01:35:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

feat: Implement new certificate generation service

Browse source 
- Refactor certificate generation into a dedicated service object
- Add Base64 encoding for p12 binary data storage
- Implement serial number generation and storage
- Remove deprecated certificate generation code
- Simplify certificate status checks
- Update certificate controller to use new generator
- Add proper password handling for p12 containers

The main changes include:
- Moving certificate generation logic to CertificateGenerator service
- Proper handling of binary data encoding
- Implementing serial number tracking for future CRL support
- Removing old certificate generation and validation code
- Simplifying the certificate lifecycle management

This commit provides a more maintainable and robust certificate
generation system while preparing for future CRL implementation.
This commit is contained in:
oleghasjanov 2025-03-13 15:01:17 +02:00
parent d0f247c61c
commit 0925fa4d4b
8 changed files with 104 additions and 453 deletions
Download patch file Download diff file Expand all files Collapse all files

291
app/services/certificates/certificate_generator.rb
View file

@ -1,21 +1,44 @@
module Certificates
class CertificateGenerator < Dry::Struct
attribute :username, Types::Strict::String
attribute :registrar_code, Types::Coercible::String
attribute :registrar_name, Types::Strict::String
attribute? :user_csr, Types::Any.optional
attribute :api_user_id, Types::Coercible::Integer
attribute? :interface, Types::String.optional
CERTS_PATH = Rails.root.join('certs')
CA_PATH = CERTS_PATH.join('ca')
P12_PASSWORD = 'todo-change-me'
def execute
api_user = ApiUser.find(api_user_id)
private_key = generate_user_key
csr = generate_user_csr(private_key)
certificate = sign_user_certificate(csr)
p12 = create_user_p12(private_key, certificate)
certificate_record = api_user.certificates.build(
private_key: private_key.to_pem,
csr: csr.to_pem,
crt: certificate.to_pem,
p12: Base64.strict_encode64(p12),
expires_at: certificate.not_after,
interface: interface || 'registrar',
p12_password_digest: P12_PASSWORD,
serial: certificate.serial.to_s,
common_name: api_user.username
)
certificate_record.save!
certificate_record
end
def self.generate_serial_number
serial = Time.now.to_i.to_s + Random.rand(10000).to_s.rjust(5, '0')
OpenSSL::BN.new(serial)
end
def self.openssl_config_path
ENV['openssl_config_path'] || Rails.root.join('test/fixtures/files/test_ca/openssl.cnf').to_s
end
# User certificate files
USER_CSR_NAME = 'user.csr'
USER_KEY_NAME = 'user.key'
USER_CRT_NAME = 'user.crt'
USER_P12_NAME = 'user.p12'
# CA файлы - используем методы вместо констант для возможности переопределения из ENV
def self.ca_cert_path
ENV['ca_cert_path'] || Rails.root.join('test/fixtures/files/test_ca/certs/ca.crt.pem').to_s
end
@ -28,7 +51,6 @@ module Certificates
ENV['ca_key_password'] || '123456'
end
# Методы экземпляра для доступа к CA путям
def ca_cert_path
self.class.ca_cert_path
end
@ -41,69 +63,25 @@ module Certificates
self.class.ca_password
end
def initialize(*)
super
ensure_directories_exist
def openssl_config_path
self.class.openssl_config_path
end
def username
@username ||= ApiUser.find(api_user_id).username
end
def call
if user_csr
# Use provided CSR - it's already decoded in the controller
begin
csr = create_request_from_raw_csr(user_csr)
key = generate_key
save_csr(csr)
rescue => e
Rails.logger.error("Error parsing CSR: #{e.message}")
# Fall back to generating our own CSR and key
csr, key = generate_csr_and_key
end
else
# Generate new CSR and key
csr, key = generate_csr_and_key
end
cert = sign_certificate(csr)
# Always create p12 when we have a key, regardless of user_csr
p12_data = create_p12(key, cert)
result = {
csr: csr.to_pem,
crt: cert.to_pem,
expires_at: cert.not_after,
private_key: key.export(OpenSSL::Cipher.new('AES-256-CBC'), ca_password),
p12: p12_data
}
result
def registrar_name
@registrar_name ||= ApiUser.find(api_user_id).registrar_name
end
private
def create_request_from_raw_csr(raw_csr)
# The CSR is already decoded in the controller
# Just ensure it's in the proper format
csr_text = raw_csr.to_s
# Make sure it has proper BEGIN/END markers
unless csr_text.include?("-----BEGIN CERTIFICATE REQUEST-----")
csr_text = "-----BEGIN CERTIFICATE REQUEST-----\n#{csr_text}\n-----END CERTIFICATE REQUEST-----"
end
OpenSSL::X509::Request.new(csr_text)
rescue => e
Rails.logger.error("Failed to parse CSR: #{e.message}")
raise
end
def generate_key
# openssl genrsa -out ./ca/client/client.key 4096
def generate_user_key
OpenSSL::PKey::RSA.new(4096)
end
def generate_csr_and_key
key = generate_key
# openssl req -new -key ./ca/client/client.key -out ./ca/client/client.csr -config ./ca/openssl.cnf
def generate_user_csr(key)
request = OpenSSL::X509::Request.new
request.version = 0
request.subject = OpenSSL::X509::Name.new([
@ -115,152 +93,49 @@ module Certificates
request.public_key = key.public_key
request.sign(key, OpenSSL::Digest::SHA256.new)
save_csr(request)
save_private_key(key.export(OpenSSL::Cipher.new('AES-256-CBC'), ca_password))
[request, key]
request
end
def sign_certificate(csr)
begin
ca_key_content = File.read(ca_key_path)
Rails.logger.debug("CA key file exists and has size: #{ca_key_content.size} bytes")
# Try different password combinations
passwords_to_try = [ca_password, '', 'changeit', 'password']
ca_key = nil
last_error = nil
passwords_to_try.each do |password|
begin
ca_key = OpenSSL::PKey::RSA.new(ca_key_content, password)
Rails.logger.debug("Successfully loaded CA key with password: #{password == ca_password ? 'default' : password}")
break
rescue => e
last_error = e
Rails.logger.debug("Failed to load CA key with password: #{password == ca_password ? 'default' : password}, error: #{e.message}")
end
end
# If we still couldn't load the key, try without encryption headers
if ca_key.nil?
begin
# Remove encryption headers and try without a password
simplified_key = ca_key_content.gsub(/Proc-Type:.*\n/, '')
.gsub(/DEK-Info:.*\n/, '')
ca_key = OpenSSL::PKey::RSA.new(simplified_key)
Rails.logger.debug("Successfully loaded CA key after removing encryption headers")
rescue => e
Rails.logger.debug("Failed to load CA key after removing encryption headers: #{e.message}")
raise last_error || e
end
end
ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
cert = OpenSSL::X509::Certificate.new
cert.serial = Time.now.to_i + Random.rand(1000)
cert.version = 2
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60 # 1 year
cert.subject = csr.subject
cert.public_key = csr.public_key
cert.issuer = ca_cert.subject
extension_factory = OpenSSL::X509::ExtensionFactory.new
extension_factory.subject_certificate = cert
extension_factory.issuer_certificate = ca_cert
cert.add_extension(extension_factory.create_extension("basicConstraints", "CA:FALSE"))
cert.add_extension(extension_factory.create_extension("keyUsage", "nonRepudiation,digitalSignature,keyEncipherment"))
cert.add_extension(extension_factory.create_extension("subjectKeyIdentifier", "hash"))
cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
save_certificate(cert)
cert
rescue => e
Rails.logger.error("Error signing certificate: #{e.message}")
Rails.logger.error("CA key path: #{ca_key_path}, exists: #{File.exist?(ca_key_path)}")
# For test purposes, we'll create a self-signed certificate as a fallback
key = generate_key
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = 0
name = OpenSSL::X509::Name.new([['CN', username]])
cert.subject = name
cert.issuer = name
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60
cert.public_key = key.public_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = cert
cert.extensions = [
ef.create_extension("basicConstraints", "CA:FALSE", true),
ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true)
]
cert.sign(key, OpenSSL::Digest::SHA256.new)
save_certificate(cert)
cert
end
end
def create_p12(key, cert)
# openssl ca -config ./ca/openssl.cnf -keyfile ./ca/ca.key.pem -cert ./ca/ca_2025.pem -extensions usr_cert -notext -md sha256 -in ./ca/client/client.csr -out ./ca/client/client.crt -batch
def sign_user_certificate(csr)
ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
ca_key = OpenSSL::PKey::RSA.new(File.read(ca_key_path), ca_password)
Rails.logger.info("Creating PKCS12 container for #{username}")
Rails.logger.info("Certificate Subject: #{cert.subject}")
Rails.logger.info("Certificate Issuer: #{cert.issuer}")
cert = OpenSSL::X509::Certificate.new
cert.serial = self.class.generate_serial_number # Используем новый метод генерации серийного номера
cert.version = 2
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60 # 1 год
begin
# Используем стандартные алгоритмы для максимальной совместимости
p12 = OpenSSL::PKCS12.create(
'123456', # Оставляем тот же пароль
username,
key,
cert,
[ca_cert]
# Убираем явное указание алгоритмов и итераций
)
rescue => e
Rails.logger.error("Error creating PKCS12: #{e.message}")
raise
end
cert.subject = csr.subject
cert.public_key = csr.public_key
cert.issuer = ca_cert.subject
File.open(CERTS_PATH.join(USER_P12_NAME), 'wb') do |file|
file.write(p12.to_der)
end
extension_factory = OpenSSL::X509::ExtensionFactory.new
extension_factory.subject_certificate = cert
extension_factory.issuer_certificate = ca_cert
Rails.logger.info("Created PKCS12 with standard algorithms (size: #{p12.to_der.bytesize} bytes)")
cert.add_extension(extension_factory.create_extension("basicConstraints", "CA:FALSE"))
cert.add_extension(extension_factory.create_extension("keyUsage", "nonRepudiation,digitalSignature,keyEncipherment"))
cert.add_extension(extension_factory.create_extension("subjectKeyIdentifier", "hash"))
cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
cert
end
def create_user_p12(key, cert, password = '123456')
ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
p12 = OpenSSL::PKCS12.create(
password,
username,
key,
cert,
[ca_cert]
)
# Возвращаем бинарные данные
p12.to_der
end
def ensure_directories_exist
FileUtils.mkdir_p(CERTS_PATH)
FileUtils.mkdir_p(CA_PATH.join('certs'))
FileUtils.mkdir_p(CA_PATH.join('private'))
FileUtils.chmod(0700, CA_PATH.join('private'))
end
def save_private_key(encrypted_key)
path = CERTS_PATH.join(USER_KEY_NAME)
File.write(path, encrypted_key)
FileUtils.chmod(0600, path)
end
def save_csr(request)
File.write(CERTS_PATH.join(USER_CSR_NAME), request.to_pem)
end
def save_certificate(certificate)
File.write(CERTS_PATH.join(USER_CRT_NAME), certificate.to_pem)
end
end
end