class CertificateAuthority::CertificateRevocationList

Attributes

certificates[RW]
crl_body[RW]
last_update_skew_seconds[RW]
next_update[RW]
parent[RW]

Public Class Methods

new()
# File vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb, line 16
# Starts with an empty revocation set and the default timing parameters:
# nextUpdate is four hours (14 400 s) after signing, and thisUpdate is not
# back-dated (skew of zero seconds). +parent+ and +crl_body+ stay unset until
# a caller assigns the issuing entity and runs #sign!.
def initialize
  four_hours = 4 * 60 * 60
  self.certificates = []
  self.next_update = four_hours
  self.last_update_skew_seconds = 0
end

Public Instance Methods

<<(revocable) click to toggle source
# File vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb, line 22
# Queues +revocable+ for inclusion in the next signed CRL.
#
# Only objects that include Revocable and already report revoked? are
# accepted; raw OpenSSL::X509::Certificate instances are not supported yet,
# and any other type is rejected. Raises RuntimeError in each of those cases.
# Returns the backing certificates array.
#
# NOTE(review): nothing here de-duplicates, so adding the same entity twice
# produces two revoked entries for one serial when the CRL is signed.
def <<(revocable)
  unless revocable.is_a?(Revocable)
    raise "Not implemented yet" if revocable.is_a?(OpenSSL::X509::Certificate)
    raise "#{revocable.class} cannot be included in a CRL"
  end
  raise "Only revoked entities can be added to a CRL" unless revocable.revoked?
  self.certificates << revocable
end
sign!(signing_profile={})
# File vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb, line 34
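# Builds and signs an X.509 CRL over every entry added via #<<, using the
# parent's private key, and stores the result in +crl_body+.
#
# signing_profile - Hash; only the "digest" key (an OpenSSL digest name such
#                   as "SHA256") is read here. Defaults to SHA512.
#
# Returns the signed OpenSSL::X509::CRL (also exposed through #to_pem).
# Raises RuntimeError when no parent is set, when validation fails, or when
# an entry is of a type this method cannot extract a serial number from.
def sign!(signing_profile={})
  raise "No parent entity has been set!" if self.parent.nil?
  raise "Invalid CRL" unless self.valid?

  revocations = self.certificates.collect do |revocable|
    revocation = OpenSSL::X509::Revoked.new

    ## We really just need a serial number, now we have to dig it out
    case revocable
    when Certificate
      x509_cert = OpenSSL::X509::Certificate.new(revocable.to_pem)
      revocation.serial = x509_cert.serial
    when SerialNumber
      revocation.serial = revocable.number
    else
      # Previously this fell through silently: the entry was still added to
      # the CRL with whatever default serial a fresh Revoked carries, i.e. the
      # CRL would list the wrong certificate. Fail loudly instead.
      raise "#{revocable.class} cannot be included in a CRL"
    end
    # NOTE(review): OpenSSL rejects a nil time here; #<< only admits entries
    # that report revoked?, which presumably implies revoked_at is set —
    # confirm in Revocable.
    revocation.time = revocable.revoked_at
    revocation
  end

  crl = OpenSSL::X509::CRL.new
  revocations.each { |revocation| crl.add_revoked(revocation) }

  # OpenSSL versions are zero-based: 1 is an X.509 v2 CRL.
  crl.version = 1
  # One timestamp so thisUpdate and nextUpdate derive from the same instant.
  # last_update_skew_seconds back-dates thisUpdate (presumably to tolerate
  # relying-party clock skew); next_update is the validity window in seconds.
  now = Time.now
  crl.last_update = now - self.last_update_skew_seconds
  crl.next_update = now + self.next_update

  signing_cert = OpenSSL::X509::Certificate.new(self.parent.to_pem)
  # The digest name comes from the profile unvalidated: a caller can request
  # a weak algorithm (e.g. "SHA1"); unknown names make OpenSSL::Digest.new
  # raise. Callers that accept profiles from outside should allow-list this.
  digest = OpenSSL::Digest.new(signing_profile["digest"] || "SHA512")
  crl.issuer = signing_cert.subject
  # NOTE(review): no crlNumber or authorityKeyIdentifier extension is added.
  # RFC 5280 §5.2.3 requires crlNumber on conforming CRLs, and relying parties
  # commonly use AKI to locate the issuer key; OpenSSL::X509::ExtensionFactory
  # can add both if conformance is needed.
  self.crl_body = crl.sign(self.parent.key_material.private_key, digest)

  self.crl_body
end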
to_pem()
# File vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb, line 74
# PEM encoding of the CRL produced by #sign!.
#
# Raises RuntimeError if #sign! has not been run yet (no +crl_body+);
# otherwise returns the PEM string from the signed OpenSSL::X509::CRL.
def to_pem
  signed = self.crl_body
  raise "No signed CRL body" if signed.nil?
  signed.to_pem
end
validate()
# File vendor/certificate_authority/lib/certificate_authority/certificate_revocation_list.rb, line 11
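# Validation hook run by #valid? (and therefore by #sign!).
#
# Records an error on :next_update unless it is a positive number of seconds,
# and on :parent when no issuing entity has been assigned.
def validate
  # The original compared with `< 0`, which let 0 through (a CRL whose
  # nextUpdate equals thisUpdate is stale the moment it is signed, and the
  # message promises "positive") and raised NoMethodError/ArgumentError for a
  # nil or non-numeric value instead of reporting it as a validation error.
  unless self.next_update.is_a?(Numeric) && self.next_update > 0
    errors.add :next_update, "Next update must be a positive value"
  end
  errors.add :parent, "A parent entity must be set" if self.parent.nil?
end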