authorNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-06 03:45:57 +0000
committerNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-06 03:45:57 +0000
commitcabb993e217d9e031d86ed2c1229f8248567e7eb (patch)
tree4e05b5bfefbf573e70f9efc2b3ea2e33ca2b89fe
parentcc8d2d856e38b451a7f4d1ff7c5592cb1efad9bc (diff)
downloadruby-openssl-history-cabb993e217d9e031d86ed2c1229f8248567e7eb.tar.gz
* examples/gen_csr.rb: DN parsing bug fix.
* examples/ca/gen_cert.rb: - Check key length and DN of PKCS#10. - Remove nsCertType extension.
-rw-r--r--ChangeLog6
-rwxr-xr-xexamples/ca/gen_cert.rb17
-rwxr-xr-xexamples/gen_csr.rb3
3 files changed, 22 insertions, 4 deletions
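--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri, 05 Jul 2003 12:45:24 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+ * examples/gen_csr.rb: DN parsing bug fix.
+ * examples/ca/gen_cert.rb:
+ - Check key length and DN of PKCS#10.
+ - Remove nsCertType extension.
+
 Fri, 04 Jul 2003 23:56:09 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
 * examples/c_rehash.rb: Run as a manager of cert store directory.
 * examples/gen_ca_cert.rb: Pass DN as a command line parameter.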
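--- a/examples/ca/gen_cert.rb
+++ b/examples/ca/gen_cert.rb
@@ -9,13 +9,14 @@ include OpenSSL
 def usage
 myname = File::basename($0)
- $stderr.puts "Usage: #{myname} csr_file [--type (client|server|ca|ocsp)]"
+ $stderr.puts "Usage: #{myname} [--type (client|server|ca|ocsp)] csr_file"
 exit
 end
 getopts nil, 'type:client'
 cert_type = $OPT_type
+p cert_type
 csr_file = ARGV.shift or usage
 ARGV.empty? or usage
@@ -23,6 +24,16 @@ csr = X509::Request.new(File.open(csr_file).read)
 unless csr.verify(csr.public_key)
 raise "CSR sign verification failed."
 end
+if csr.public_key.n.num_bits < CAConfig::CERT_KEY_LENGTH_MIN
+ raise "Key length too short"
+end
+if csr.public_key.n.num_bits > CAConfig::CERT_KEY_LENGTH_MAX
+ raise "Key length too long"
+end
+if csr.subject.to_a[0, CAConfig::NAME.size] != CAConfig::NAME
+ iraise "DN does not match"
+end
+
 # Only checks signature here. You must verify CSR according to your CP/CPS.
 $stdout.sync = true
@@ -74,7 +85,7 @@ when "ocsp"
 when "client"
 basic_constraint = "CA:FALSE"
 key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
- ext_key_usage << "clientAuth" << "codeSigning" << "emailProtection"
+ ext_key_usage << "clientAuth" << "emailProtection"
 else
 raise "unknonw cert type \"#{cert_type}\" is specified."
 end
@@ -86,7 +97,7 @@ ex = []
 ex << ef.create_extension("basicConstraints", basic_constraint, true)
 ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
 ex << ef.create_extension("subjectKeyIdentifier", "hash")
-ex << ef.create_extension("nsCertType", "client,email")
+#ex << ef.create_extension("nsCertType", "client,email")
 ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
 ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
 ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?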
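Review bot: `iraise "DN does not match"` in the second hunk is a typo for `raise`; because `iraise` is not defined, a CSR whose subject does not start with `CAConfig::NAME` is still rejected, but with a NoMethodError instead of the intended message, so it should read `raise "DN does not match"`. The `p cert_type` added in the first hunk looks like leftover debug output and prints the option value to stdout on every run. `csr.public_key.n` presumes an RSA public key; a CSR carrying another key type would fail with NoMethodError on `n` before the length comparison, so a `respond_to?(:n)` guard or an explicit key-type check would make that rejection deliberate rather than accidental. The comment `# Only checks signature here.` that follows the new checks is now stale and could read `# Only checks signature, key length and DN prefix here.`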
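--- a/examples/gen_csr.rb
+++ b/examples/gen_csr.rb
@@ -23,7 +23,8 @@ keypair_file = ARGV.shift
 $stdout.sync = true
-name_ary = name_str.scan(/\/([^\/]+)/).collect { |i| i[0].split("=") }
+name_ary = name_str.scan(/\s*([^\/,]+)\s*/).collect { |i| i[0].split("=") }
+p name_ary
 name = X509::Name.new(name_ary)
 keypair = nil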
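Review bot: The new pattern `/\s*([^\/,]+)\s*/` cannot strip trailing whitespace, because the greedy `[^\/,]+` already consumes the spaces before the next separator, so a DN such as `"C=JP, O=Foo "` yields the value `"Foo "`; in addition, `split("=")` breaks a value that itself contains `=` into extra fields. A lazy capture anchored on the separator fixes the first and a limited split the second: `name_ary = name_str.scan(%r{\s*([^/,]+?)\s*(?:[/,]|\z)}).map { |i| i[0].split("=", 2) }`. The `p name_ary` on the following line reads as leftover debug output. Neither the old nor the new form handles escaped `,` or `/` inside a component value, which may be acceptable for an example script but is worth a comment above the line.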