Readme updates + tests for cert

2025-07-01 08:43:37 +02:00 · 2015-02-25 17:33:32 +02:00 · 2015-02-25 17:33:32 +02:00 · a6baf60e59
commit a6baf60e59
parent 5319db16b4
9 changed files with 154 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -97,6 +97,8 @@ With these lines:
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+  SSLCARevocationCheck chain
  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 ```

@ -110,6 +112,8 @@ Add these lines:
  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+  SSLCARevocationCheck chain

  RequestHeader set SSL_CLIENT_S_DN_CN ""

@ -134,6 +138,7 @@ Configure registry and epp application.yml to match the CA settings:
 ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'registryalpha'
+crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
 webclient_ip: '54.154.91.240'
 ```

--- a/README.md
+++ b/README.md
@ -153,6 +153,9 @@ Be sure to update paths to match your system configuration.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+    SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+    SSLCARevocationCheck chain
+
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"

    EPPEngine On
@ -192,6 +195,7 @@ mkdir certs crl newcerts private csrs
 chmod 700 private
 touch index.txt
 echo 1000 > serial
+echo 1000 > crlnumber
 ```

 Generate the root key (prompts for pass phrase): 
@ -257,12 +261,23 @@ Sign the request and create certificate:
 openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
 ```

-Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User. Certificates are created automatically after saving the user.
+Create certificate revocation list (prompts for pass phrase):
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
+```

-Private key and certificate must be packaged to pkcs12 and added to the browser's certificate bank.
+Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
+
+Private key and certificate must be packaged to pkcs12 and added to the browser.

 Make sure application configuration files contain correct paths to certificates.

+In test environment it's important to set unique_subject option to false.  
+In CA directory:
+```
+echo "unique_subject = no" > index.txt.attr
+```
+
 ### EPP web client

 Please follow EPP web client readme:
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@ -1,4 +1,8 @@
 class Certificate < ActiveRecord::Base
+  include Versions
+
+  belongs_to :api_user
+
  SIGNED = 'signed'
  UNSIGNED = 'unsigned'
  EXPIRED = 'expired'
@ -69,6 +73,7 @@ class Certificate < ActiveRecord::Base

    if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
      save!
+      @cached_status = REVOKED
    else
      errors.add(:base, I18n.t('failed_to_revoke_certificate'))
      logger.error('FAILED TO REVOKE CLIENT CERTIFICATE')
--- a/app/models/version/certificate_version.rb
+++ b/app/models/version/certificate_version.rb
@ -0,0 +1,4 @@
+class CertificateVersion < PaperTrail::Version
+  self.table_name    = :log_certificates
+  self.sequence_name = :log_certificates_id_seq
+end
--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -10,6 +10,7 @@ defaults: &defaults
  ca_cert_path: ca-cert-path-here
  ca_key_path: ca-key-path-here
  ca_key_password: ca-key-pass-phrase-here
+  crl_path: crl-path-here

 development:
  <<: *defaults
--- a/db/migrate/20150223104842_create_certificates.rb
+++ b/db/migrate/20150223104842_create_certificates.rb
@ -4,10 +4,24 @@ class CreateCertificates < ActiveRecord::Migration
      t.integer :api_user_id
      t.text :csr
      t.text :crt
+      t.string :creator_str
+      t.string :updator_str

      t.timestamps
    end

+    create_table :log_certificates do |t|
+      t.string "item_type", null: false
+      t.integer "item_id", null: false
+      t.string "event", null: false
+      t.string "whodunnit"
+      t.json "object"
+      t.json "object_changes"
+      t.datetime "created_at"
+      t.string "session"
+      t.json "children"
+    end
+
    ApiUser.all.each do |x|
      x.certificates << Certificate.new(crt: x.crt, csr: x.csr)
    end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -57,6 +57,8 @@ ActiveRecord::Schema.define(version: 20150223104842) do
    t.integer  "api_user_id"
    t.text     "csr"
    t.text     "crt"
+    t.string   "creator_str"
+    t.string   "updator_str"
    t.datetime "created_at"
    t.datetime "updated_at"
  end
@ -283,6 +285,18 @@ ActiveRecord::Schema.define(version: 20150223104842) do
  add_index "log_api_users", ["item_type", "item_id"], name: "index_log_api_users_on_item_type_and_item_id", using: :btree
  add_index "log_api_users", ["whodunnit"], name: "index_log_api_users_on_whodunnit", using: :btree

+  create_table "log_certificates", force: :cascade do |t|
+    t.string   "item_type",      null: false
+    t.integer  "item_id",        null: false
+    t.string   "event",          null: false
+    t.string   "whodunnit"
+    t.json     "object"
+    t.json     "object_changes"
+    t.datetime "created_at"
+    t.string   "session"
+    t.json     "children"
+  end
+
  create_table "log_contact_disclosures", force: :cascade do |t|
    t.string   "item_type",      null: false
    t.integer  "item_id",        null: false
--- a/spec/fabricators/certificate_fabricator.rb
+++ b/spec/fabricators/certificate_fabricator.rb
@ -0,0 +1,33 @@
+# default fabricator should be reusable
+Fabricator(:certificate) do
+  api_user
+  csr "-----BEGIN CERTIFICATE REQUEST-----\n" \
+      "MIIE+DCCAuACAQAwgZ0xCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ\n" \
+      "MA4GA1UEBwwHVGFsbGlubjEbMBkGA1UECgwSRWVzdGkgSW50ZXJuZXRpIFNBMRIw\n" \
+      "EAYDVQQLDAlSRUdJU1RSQVIxEjAQBgNVBAMMCXdlYmNsaWVudDEkMCIGCSqGSIb3\n" \
+      "DQEJARYVd2ViY2xpZW50QGludGVybmV0LmVlMIICIjANBgkqhkiG9w0BAQEFAAOC\n" \
+      "Ag8AMIICCgKCAgEAuXronFj8CxPWGkyUhXf+/WirkFGb8a/My2+7GvQWYE10Nq4C\n" \
+      "u9wDgjU3AuLw8qzwEeE3Z5uxHXWfwnshXOF6aJNCQWUsrs0odCxw69iIwCNGKhyF\n" \
+      "jljtx8uSH8RRSRc8BFIUkvUpmp8m7kZTlB4FDey+XaGy4p/rImiAiwfFMIJMjdE9\n" \
+      "9gk0EGDbomgP6KC3Ss/iQfuOFCQWSqjFuvp3mygr193YplaPgeLM1ERIW1LVFGDK\n" \
+      "jy6keZ3E/Vb4O4qUPDRgTMr2KWM3Auzh2hXCymHNWn3yRn5Q4KSjJbG/P7Kz5nfZ\n" \
+      "kY3eVRBIBll+1Q0VV7g+1B48zzjZX2qiY3iL77MV1oL17KeOO3PAxsEtptdqNgUa\n" \
+      "Fpp73dwPST1ZKvq8FSgDKcdTCziSeViGhXjJRpEMr8FoeKNO7nvd1maKN9HAOy75\n" \
+      "eSxatj6LoQ+JFN7Ci3IbwKFI7BnIHbEr9eP7O7Qbhljz2GE9+GWUqr3zwUEgpFSI\n" \
+      "crAnRHQI2ALakEMsryF416zg5yr/bJp8/IzgZLaKpBVLOL88sI6r+JRdM6QXvKYx\n" \
+      "XhamV6bH6CrR8ZYN4okaZH6sAcy8eyBnEmc05h/KsDzTNadwadeZe73F+PltoEXH\n" \
+      "XgtpTpQ8XarN1uLq99WD6gWilAx3LF/xetCO86+w/MkYBmfOrXge+WLUUW8CAwEA\n" \
+      "AaAVMBMGCSqGSIb3DQEJBzEGDAR0ZXN0MA0GCSqGSIb3DQEBCwUAA4ICAQAkTlU3\n" \
+      "RcI6UMRA7As2FJSph3QurPebQFoZhnhMD+hb6+hXip8MY77YxLwo/ihB9wghaZKL\n" \
+      "uV0BxjdZgjDt9GhA8dtPgaCp5LvB6kQYvcEzRvitN2CpJhtz39rlF3gxuy+RtpNf\n" \
+      "5KbC691FivoXur1qx9I7mc4snB3DTzLiJPIZ6nQzPYcSVpPCbns30N/i/sOdHO0o\n" \
+      "9hP5wlhCdYrOxad993m+InpMDyDWhB1+TA9ZO7gYpg8S4kBX3Cz9OXe80Pe56ZdK\n" \
+      "pcgjTXnUDjNSRRGamJib2lyZ/axMbb/etwyy3X+jBDuOQropkmgrPEFJHpgNlFah\n" \
+      "BuW7KEASqbw5YxpTSc0nDk5uxBw3voL8fk9M1sX64tbzGAEBRZnrWGeb1mOLM/YI\n" \
+      "K6ocAYSBhNmWUzpHTwL7qSeP9ztQUGzoGHyRjBdan+1U2G75Kpj+TjEm/X8wmtnq\n" \
+      "3/qVhUYNEavcZbgR1gSE45+mS8NsD7Oq0Xdc0UKsVDbUcCGIkGG9+ERAbRznfi3W\n" \
+      "qhChtUxySX8T3SmX5mviwlJ5OwQVjdUF1/2voPK0oFK7zV+wZqcuORzDKdqB8XV7\n" \
+      "MDcQjza4EOB78OmcHDgQ7nMXuY7/UL4F+bRZosxPy43X2JId5d+/GpgV8sP9dzK8\n" \
+      "UGJDNEZ2YsBbPuKZS+2eNZ8g3sjjFBeadvrQ1w==\n" \
+      "-----END CERTIFICATE REQUEST-----"
+end
--- a/spec/models/certificate_spec.rb
+++ b/spec/models/certificate_spec.rb
@ -0,0 +1,61 @@
+require 'rails_helper'
+
+describe Certificate do
+  it { should belong_to(:api_user) }
+
+  context 'with invalid attribute' do
+    before :all do
+      @certificate = Certificate.new
+    end
+
+    it 'should not be valid' do
+      @certificate.valid?
+      @certificate.errors.full_messages.should match_array([
+        "Csr is missing"
+      ])
+    end
+
+    it 'should not have any versions' do
+      @certificate.versions.should == []
+    end
+  end
+
+  context 'with valid attributes' do
+    before :all do
+      @certificate = Fabricate(:certificate)
+    end
+
+    it 'should be valid' do
+      @certificate.valid?
+      @certificate.errors.full_messages.should match_array([])
+    end
+
+    it 'should be valid twice' do
+      @certificate = Fabricate(:certificate)
+      @certificate.valid?
+      @certificate.errors.full_messages.should match_array([])
+    end
+
+    it 'should sign csr' do
+      @certificate.status.should == 'unsigned'
+      @certificate.sign!
+      @certificate.status.should == 'signed'
+      @certificate.crt.should_not be_blank
+    end
+
+    it 'should revoke crt' do
+      @certificate.revoke!
+      @certificate.status.should == 'revoked'
+    end
+
+    it 'should have one version' do
+      with_versioning do
+        @certificate.versions.should == []
+        @certificate.csr = 'new_request'
+        @certificate.save
+        @certificate.errors.full_messages.should match_array([])
+        @certificate.versions.size.should == 1
+      end
+    end
+  end
+end