zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-08-03 00:12:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

Added endpoints for creating and downloading api user certificates

Browse source
This commit is contained in:
Sergei Tsoganov 2023-06-28 15:48:40 +03:00
parent b558c80e83
commit 47b6a1b87a
18 changed files with 377 additions and 102 deletions
Download patch file Download diff file Expand all files Collapse all files

180
app/models/certificate.rb
View file

@ -17,6 +17,7 @@ class Certificate < ApplicationRecord
scope 'api', -> { where(interface: API) }
scope 'registrar', -> { where(interface: REGISTRAR) }
scope 'unrevoked', -> { where(revoked: false) }
validate :validate_csr_and_crt_presence
def validate_csr_and_crt_presence
@ -64,75 +65,49 @@ class Certificate < ApplicationRecord
status == REVOKED
end
def revokable?
interface == REGISTRAR && status != UNSIGNED
end
def status
return UNSIGNED if crt.blank?
return @cached_status if @cached_status
@cached_status = SIGNED
expired = parsed_crt.not_before > Time.zone.now.utc && parsed_crt.not_after < Time.zone.now.utc
@cached_status = EXPIRED if expired
crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read)
return @cached_status unless crl.revoked.map(&:serial).include?(parsed_crt.serial)
@cached_status = REVOKED
end
def sign!
csr_file = Tempfile.new('client_csr')
csr_file.write(csr)
csr_file.rewind
crt_file = Tempfile.new('client_crt')
_out, err, _st = Open3.capture3('openssl', 'ca', '-config', ENV['openssl_config_path'],
'-keyfile', ENV['ca_key_path'], '-cert', ENV['ca_cert_path'],
'-extensions', 'usr_cert', '-notext', '-md', 'sha256',
'-in', csr_file.path, '-out', crt_file.path, '-key', ENV['ca_key_password'],
'-batch')
if err.match?(/Data Base Updated/)
crt_file.rewind
self.crt = crt_file.read
self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
save!
else
logger.error('FAILED TO CREATE CLIENT CERTIFICATE')
if err.match?(/TXT_DB error number 2/)
errors.add(:base, I18n.t('failed_to_create_crt_csr_already_signed'))
logger.error('CSR ALREADY SIGNED')
else
errors.add(:base, I18n.t('failed_to_create_certificate'))
end
logger.error(err)
puts "Certificate sign issue: #{err.inspect}" if Rails.env.test?
false
end
end
def revoke!
crt_file = Tempfile.new('client_crt')
crt_file.write(crt)
crt_file.rewind
_out, err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} \
-keyfile #{ENV['ca_key_path']} \
-cert #{ENV['ca_cert_path']} \
-revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
self.revoked = true
save!
if certificate_expired?
@cached_status = EXPIRED
elsif certificate_revoked?
@cached_status = REVOKED
else
errors.add(:base, I18n.t('failed_to_revoke_certificate'))
logger.error('FAILED TO REVOKE CLIENT CERTIFICATE')
logger.error(err)
return false
end
self.class.update_crl
self
@cached_status
end
def sign!(password:)
csr_file = create_tempfile('client_csr', csr)
crt_file = Tempfile.new('client_crt')
err_output = execute_openssl_sign_command(password, csr_file.path, crt_file.path)
update_certificate_details(crt_file) and return true if err_output.match?(/Data Base Updated/)
log_failed_to_create_certificate(err_output)
false
end
def revoke!(password:)
crt_file = create_tempfile('client_crt', crt)
err_output = execute_openssl_revoke_command(password, crt_file.path)
if revocation_successful?(err_output)
update_revocation_status
self.class.update_crl
return self
end
handle_revocation_failure(err_output)
end
class << self
@ -157,4 +132,89 @@ class Certificate < ApplicationRecord
OpenSSL::Digest::MD5.new(cert.to_der).to_s
end
end
private
def create_tempfile(filename, content = '')
tempfile = Tempfile.new(filename)
tempfile.write(content)
tempfile.rewind
tempfile
end
def log_failed_to_create_certificate(err_output)
logger.error('FAILED TO CREATE CLIENT CERTIFICATE')
if err_output.match?(/TXT_DB error number 2/)
handle_csr_already_signed_error
else
errors.add(:base, I18n.t('failed_to_create_certificate'))
end
logger.error(err_output)
puts "Certificate sign issue: #{err_output.inspect}" if Rails.env.test?
end
def execute_openssl_sign_command(password, csr_path, crt_path)
openssl_command = [
'openssl', 'ca', '-config', ENV['openssl_config_path'],
'-keyfile', ENV['ca_key_path'], '-cert', ENV['ca_cert_path'],
'-extensions', 'usr_cert', '-notext', '-md', 'sha256',
'-in', csr_path, '-out', crt_path,
'-key', password,
'-batch'
]
_out, err, _st = Open3.capture3(*openssl_command)
err
end
def execute_openssl_revoke_command(password, crt_path)
openssl_command = [
'openssl', 'ca', '-config', ENV['openssl_config_path'],
'-keyfile', ENV['ca_key_path'], '-cert', ENV['ca_cert_path'],
'-revoke', crt_path,
'-key', password,
'-batch'
]
_out, err, _st = Open3.capture3(*openssl_command)
err
end
def update_certificate_details(crt_file)
crt_file.rewind
self.crt = crt_file.read
self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
save!
end
def handle_csr_already_signed_error
errors.add(:base, I18n.t('failed_to_create_crt_csr_already_signed'))
logger.error('CSR ALREADY SIGNED')
end
def handle_revocation_failure(err_output)
errors.add(:base, I18n.t('failed_to_revoke_certificate'))
logger.error('FAILED TO REVOKE CLIENT CERTIFICATE')
logger.error(err_output)
false
end
def revocation_successful?(err_output)
err_output.match?(/Data Base Updated/) || err_output.match?(/ERROR:Already revoked/)
end
def update_revocation_status
self.revoked = true
save!
@cached_status = REVOKED
end
def certificate_expired?
parsed_crt.not_before > Time.zone.now.utc && parsed_crt.not_after < Time.zone.now.utc
end
def certificate_revoked?
crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read)
crl.revoked.map(&:serial).include?(parsed_crt.serial)
end
end