File Coverage

blib/lib/Metabrik/Crypto/X509.pm
Criterion Covered Total %
statement 12 153 7.8
branch 0 88 0.0
condition 0 30 0.0
subroutine 4 15 26.6
pod 1 10 10.0
total 17 296 5.7


line stmt bran cond sub pod time code
1             #
2             # $Id$
3             #
4             # crypto::x509 Brik
5             #
6             package Metabrik::Crypto::X509;
7 1     1   656 use strict;
  1         2  
  1         29  
8 1     1   5 use warnings;
  1         2  
  1         29  
9              
10 1     1   5 use base qw(Metabrik::Shell::Command);
  1         2  
  1         1859  
11              
12             sub brik_properties {
13             return {
14 0     0 1   revision => '$Revision$',
15             tags => [ qw(unstable openssl ssl pki certificate) ],
16             author => 'GomoR ',
17             license => 'http://opensource.org/licenses/BSD-3-Clause',
18             attributes => {
19             datadir => [ qw(directory) ],
20             ca_name => [ qw(name) ],
21             ca_lc_name => [ qw(name) ],
22             ca_key => [ qw(key_file) ],
23             ca_cert => [ qw(cert_file) ],
24             ca_directory => [ qw(directory) ],
25             ca_conf => [ qw(conf_file) ],
26             use_passphrase => [ qw(0|1) ],
27             key_size => [ qw(bits) ],
28             },
29             attributes_default => {
30             capture_stderr => 1,
31             use_passphrase => 0,
32             key_size => 2048,
33             },
34             commands => {
35             ca_init => [ qw(name|OPTIONAL directory|OPTIONAL) ],
36             set_ca_attributes => [ qw(ca_name|OPTIONAL) ],
37             ca_show => [ qw(ca_name|OPTIONAL) ],
38             ca_sign_csr => [ qw(csr_file|OPTIONAL ca_name|OPTIONAL) ],
39             csr_new => [ qw(base_file use_passphrase|OPTIONAL) ],
40             cert_hash => [ qw(cert_file) ],
41             cert_verify => [ qw(cert_file ca_name|OPTIONAL) ],
42             cert_show => [ qw(cert_file) ],
43             parse_certificate_string => [ qw(string) ],
44             },
45             require_modules => {
46             'Crypt::X509' => [ ],
47             'Metabrik::File::Text' => [ ],
48             'Metabrik::System::File' => [ ],
49             },
50             require_binaries => {
51             'openssl', => [ ],
52             },
53             };
54             }
55              
56             sub set_ca_attributes {
57 0     0 0   my $self = shift;
58 0           my ($ca_name) = @_;
59              
60 0   0       $ca_name ||= $self->ca_name;
61 0 0         $self->brik_help_run_undef_arg('set_ca_attributes', $ca_name) or return;
62              
63 0           my $ca_lc_name = lc($ca_name);
64 0   0       my $ca_directory = $self->ca_directory || $self->datadir.'/'.$ca_lc_name;
65              
66 0           my $ca_conf = $ca_directory.'/'.$ca_lc_name.'.conf';
67 0           my $ca_cert = $ca_directory.'/'.$ca_lc_name.'.pem';
68 0           my $ca_key = $ca_directory.'/'.$ca_lc_name.'.key';
69 0           my $email = 'dummy@example.com';
70 0           my $organization = 'Dummy Org';
71              
72 0           $self->ca_name($ca_name);
73 0           $self->ca_lc_name($ca_lc_name);
74 0           $self->ca_conf($ca_conf);
75 0           $self->ca_directory($ca_directory);
76 0           $self->ca_cert($ca_cert);
77 0           $self->ca_key($ca_key);
78              
79 0           return 1;
80             }
81              
82             sub ca_init {
83 0     0 0   my $self = shift;
84 0           my ($ca_name, $ca_directory) = @_;
85              
86 0   0       $ca_name ||= $self->ca_name;
87 0   0       $ca_directory ||= $self->ca_directory;
88 0 0         $self->brik_help_run_undef_arg('ca_init', $ca_name) or return;
89 0 0         $self->brik_help_run_undef_arg('ca_init', $ca_directory) or return;
90              
91 0 0         $self->set_ca_attributes($ca_name)
92             or return $self->log->error("ca_init: set_ca_attributes failed");
93              
94 0 0         if (-d $ca_directory) {
95 0           return $self->log->error("ca_init: ca with name [$ca_name] already exists");
96             }
97             else {
98 0 0         mkdir($ca_directory)
99             or return $self->log->error("ca_init: mkdir1 failed with error [$!]");
100 0 0         mkdir($ca_directory.'/certs')
101             or return $self->log->error("ca_init: mkdir2 failed with error [$!]");
102 0 0         mkdir($ca_directory.'/csrs')
103             or return $self->log->error("ca_init: mkdir3 failed with error [$!]");
104              
105 0 0         my $ft = Metabrik::File::Text->new_from_brik_init($self) or return;
106 0 0         $ft->write('', $ca_directory.'/index.txt') or return;
107 0 0         $ft->write('01', $ca_directory.'/serial') or return;
108             }
109              
110 0           $self->log->verbose("ca_init: using directory [$ca_directory]");
111              
112 0           my $ca_conf = $self->ca_conf;
113 0           my $ca_cert = $self->ca_cert;
114 0           my $ca_key = $self->ca_key;
115 0           my $ca_lc_name = $self->ca_lc_name;
116 0           my $key_size = $self->key_size;
117              
118 0           my $email = 'dummy@example.com';
119 0           my $organization = 'Dummy Org';
120              
121 0           my $content = [
122             "[ ca ]",
123             "default_ca = $ca_lc_name",
124             "",
125             "[ $ca_lc_name ]",
126             "dir = $ca_directory",
127             "certificate = $ca_cert",
128             "database = \$dir/index.txt",
129             "#certs = \$dir/cert-csr",
130             "new_certs_dir = \$dir/certs",
131             "private_key = $ca_key",
132             "serial = \$dir/serial",
133             "default_crl_days = 7",
134             "default_days = 3650",
135             "#default_md = md5",
136             "default_md = sha1",
137             "policy = ${ca_lc_name}_policy",
138             "x509_extensions = certificate_extensions",
139             "",
140             "[ ${ca_lc_name}_policy ]",
141             "commonName = supplied",
142             "stateOrProvinceName = supplied",
143             "countryName = supplied",
144             "organizationName = supplied",
145             "organizationalUnitName = optional",
146             "emailAddress = optional",
147             "",
148             "[ certificate_extensions ]",
149             "basicConstraints = CA:false",
150             "",
151             "[ req ]",
152             "default_bits = $key_size",
153             "default_keyfile = $ca_key",
154             "#default_md = md5",
155             "default_days = 1800",
156             "default_md = sha1",
157             "prompt = no",
158             "distinguished_name = root_ca_distinguished_name",
159             "x509_extensions = root_ca_extensions",
160             "",
161             "[ root_ca_distinguished_name ]",
162             "commonName = $ca_name",
163             "stateOrProvinceName = Paris",
164             "countryName = FR",
165             "emailAddress = $email",
166             "organizationName = $organization",
167             "",
168             "[ root_ca_extensions ]",
169             "basicConstraints = CA:true",
170             ];
171              
172 0 0         my $ft = Metabrik::File::Text->new_from_brik_init($self) or return;
173 0           $ft->overwrite(1);
174 0 0         $ft->write($content, $ca_conf)
175             or return $self->log->error("ca_init: write failed");
176              
177 0           $self->log->verbose("ca_init: using conf file [$ca_conf] and cert [$ca_cert]");
178              
179 0           my $cmd = "openssl req -x509 -newkey rsa:$key_size ".
180             "-days 1800 -out $ca_cert -outform PEM -config $ca_conf";
181              
182 0 0         $self->system($cmd) or return;
183              
184 0 0         my $hash = $self->cert_hash($ca_cert) or return;
185              
186 0 0         my $sf = Metabrik::System::File->new_from_brik_init($self) or return;
187 0 0         $sf->link($ca_cert, $ca_directory.'/'.$hash.'.0') or return;
188              
189 0           return $ca_cert;
190             }
191              
192             sub ca_show {
193 0     0 0   my $self = shift;
194 0           my ($ca_name) = @_;
195              
196 0   0       $ca_name ||= $self->ca_name;
197 0 0         $self->brik_help_run_undef_arg('ca_show', $ca_name) or return;
198              
199 0 0         $self->set_ca_attributes($ca_name) or return;
200              
201 0           my $ca_cert = $self->ca_cert;
202 0           my $cmd = "openssl x509 -in $ca_cert -text -noout";
203 0           return $self->capture($cmd);
204             }
205              
206             sub csr_new {
207 0     0 0   my $self = shift;
208 0           my ($base_file, $use_passphrase) = @_;
209              
210 0   0       $use_passphrase ||= $self->use_passphrase;
211 0 0         $self->brik_help_run_undef_arg('csr_new', $base_file) or return;
212              
213 0           my $ca_directory = $self->ca_directory;
214 0           my $csr_cert = $ca_directory.'/csrs/'.$base_file.'.csr';
215 0           my $csr_key = $ca_directory.'/csrs/'.$base_file.'.key';
216 0           my $key_size = $self->key_size;
217              
218 0 0         if (-f $csr_cert) {
219 0           return $self->log->error("csr_new: file [$csr_cert] already exists");
220             }
221              
222 0           my $cmd = "openssl req -newkey rsa:$key_size -keyout $csr_key -keyform PEM ".
223             "-out $csr_cert -outform PEM";
224              
225 0 0         if (! $use_passphrase) {
226 0           $cmd .= " -nodes";
227             }
228              
229 0           $self->system($cmd);
230 0 0         if ($?) {
231 0           return $self->log->error("csr_new: system failed");
232             }
233              
234 0           return [ $csr_cert, $csr_key ];
235             }
236              
237             sub ca_sign_csr {
238 0     0 0   my $self = shift;
239 0           my ($csr_cert, $ca_name) = @_;
240              
241 0   0       $ca_name ||= $self->ca_name;
242 0 0         $self->brik_help_run_undef_arg('ca_sign_csr', $csr_cert) or return;
243 0 0         $self->brik_help_run_file_not_found('ca_sign_csr', $csr_cert) or return;
244 0 0         $self->brik_help_run_undef_arg('ca_sign_csr', $ca_name) or return;
245              
246 0 0         $self->set_ca_attributes($ca_name) or return;
247              
248 0           my $ca_directory = $self->ca_directory;
249 0           my $ca_conf = $self->ca_conf;
250              
251 0 0         my $sf = Metabrik::System::File->new_from_brik_init($self) or return;
252 0 0         my $base_file = $sf->basefile($csr_cert) or return;
253 0           $base_file =~ s/.[^\.]+$//; # Remove extension
254              
255 0           my $signed_cert = $ca_directory.'/certs/'.$base_file.'.signed.pem';
256 0           my $cmd = "openssl ca -in $csr_cert -out $signed_cert -config $ca_conf";
257 0           $self->log->verbose("ca_sign_csr: cmd[$cmd]");
258 0           $self->system($cmd);
259 0 0         if ($?) {
260 0           return $self->log->error("ca_sign_csr: system failed");
261             }
262              
263 0           return $signed_cert;
264             }
265              
266             #
267             # Returns hash ID of a certificate.
268             #
269             sub cert_hash {
270 0     0 0   my $self = shift;
271 0           my ($cert_file) = @_;
272              
273 0 0         $self->brik_help_run_undef_arg('cert_hash', $cert_file) or return;
274 0 0         $self->brik_help_run_file_not_found('cert_hash', $cert_file) or return;
275              
276 0           my $cmd = "openssl x509 -noout -hash -in \"$cert_file\"";
277 0 0         my $lines = $self->capture($cmd) or return;
278              
279 0 0         if (@$lines == 0) {
280 0           return $self->log->error('cert_hash: unable to get hash');
281             }
282              
283 0           return $lines->[0];
284             }
285              
286             sub cert_verify {
287 0     0 0   my $self = shift;
288 0           my ($cert_file, $ca_name) = @_;
289              
290 0   0       $ca_name ||= $self->ca_name;
291 0 0         $self->brik_help_run_undef_arg('cert_verify', $cert_file) or return;
292 0 0         $self->brik_help_run_file_not_found('cert_verify', $cert_file) or return;
293 0 0         $self->brik_help_run_undef_arg('cert_verify', $ca_name) or return;
294              
295 0 0         $self->set_ca_attributes($ca_name) or return;
296              
297 0           my $ca_directory = $self->ca_directory;
298              
299 0           my $cmd = "openssl verify -CApath $ca_directory $cert_file";
300              
301 0           return $self->capture($cmd);
302             }
303              
304             sub cert_show {
305 0     0 0   my $self = shift;
306 0           my ($cert_file) = @_;
307              
308 0   0       $cert_file ||= $self->cert_file;
309 0 0         $self->brik_help_run_undef_arg('cert_show', $cert_file) or return;
310 0 0         $self->brik_help_run_file_not_found('cert_show', $cert_file) or return;
311              
312 0           my $cmd = "openssl x509 -in $cert_file -text -noout";
313 0           return $self->capture($cmd);
314             }
315              
316             sub parse_certificate_string {
317 0     0 0   my $self = shift;
318 0           my ($string) = @_;
319              
320 0 0         $self->brik_help_run_undef_arg('parse_certificate_string', $string)
321             or return;
322              
323 0 0         if (! length($string)) {
324 0           return $self->log->error("parse_certificate_string: empty string found");
325             }
326              
327             # Patch fonction to add a defined() check.
328             {
329 1     1   9 no warnings 'redefine';
  1         2  
  1         237  
  0            
330              
331             *Crypt::X509::pubkey_components = sub {
332 0     0     my $self = shift;
333 0           my $pubkeyalg = $self->PubKeyAlg();
334 0 0 0       if (defined($pubkeyalg) && $pubkeyalg eq 'RSA') {
335 0           my $parser = Crypt::X509::_init('RSAPubKeyInfo');
336             my $values = $parser->decode(
337 0           $self->{tbsCertificate}{subjectPublicKeyInfo}{subjectPublicKey}[0]
338             );
339 0           return $values;
340             }
341             else {
342 0           return undef;
343             }
344 0           };
345             };
346              
347 0           my $decoded = Crypt::X509->new(cert => $string);
348 0 0         if ($decoded->error) {
349 0           return $self->log->error("parse_certificate_string: failed: ".
350             $decoded->error);
351             }
352              
353 0           return $decoded;
354             }
355              
356             1;
357              
358             __END__