* ext/openssl: imported.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@4128 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

8 files changed, 434 insertions, 0 deletions

diff --git a/sample/c_rehash.rb b/sample/c_rehash.rb
new file mode 100644
index 0000000..386eef5
--- /dev/null
+++ b/sample/c_rehash.rb
@@ -0,0 +1,174 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'md5'
+
+class CHashDir
+  include Enumerable
+
+  def initialize(dirpath)
+    @dirpath = dirpath
+    @fingerprint_cache = @cert_cache = @crl_cache = nil
+  end
+
+  def hash_dir(silent = false)
+    # ToDo: Should lock the directory...
+    @silent = silent
+    @fingerprint_cache = Hash.new
+    @cert_cache = Hash.new
+    @crl_cache = Hash.new
+    do_hash_dir
+  end
+
+  def get_certs(name = nil)
+    if name
+      @cert_cache[hash_name(name)]
+    else
+      @cert_cache.values.flatten
+    end
+  end
+
+  def get_crls(name = nil)
+    if name
+      @crl_cache[hash_name(name)]
+    else
+      @crl_cache.values.flatten
+    end
+  end
+
+  def delete_crl(crl)
+    File.unlink(crl_filename(crl))
+    hash_dir(true)
+  end
+
+  def add_crl(crl)
+    File.open(crl_filename(crl), "w") do |f|
+      f << crl.to_pem
+    end
+    hash_dir(true)
+  end
+
+  def load_pem_file(filepath)
+    str = File.read(filepath)
+    begin
+      OpenSSL::X509::Certificate.new(str)
+    rescue
+      begin
+	OpenSSL::X509::CRL.new(str)
+      rescue
+	begin
+	  OpenSSL::X509::Request.new(str)
+	rescue
+	  nil
+	end
+      end
+    end
+  end
+
+private
+
+  def crl_filename(crl)
+    path(hash_name(crl.issuer)) + '.pem'
+  end
+
+  def do_hash_dir
+    Dir.chdir(@dirpath) do
+      delete_symlink
+      Dir.glob('*.pem') do |pemfile|
+	cert = load_pem_file(pemfile)
+	case cert
+	when OpenSSL::X509::Certificate
+	  link_hash_cert(pemfile, cert)
+	when OpenSSL::X509::CRL
+	  link_hash_crl(pemfile, cert)
+	else
+	  STDERR.puts("WARNING: #{pemfile} does not contain a certificate or CRL: skipping") unless @silent
+	end
+      end
+    end
+  end
+
+  def delete_symlink
+    Dir.entries(".").each do |entry|
+      next unless /^[\da-f]+\.r{0,1}\d+$/ =~ entry
+      File.unlink(entry) if FileTest.symlink?(entry)
+    end
+  end
+
+  def link_hash_cert(org_filename, cert)
+    name_hash = hash_name(cert.subject)
+    fingerprint = fingerprint(cert.to_der)
+    filepath = link_hash(org_filename, name_hash, fingerprint) { |idx|
+      "#{name_hash}.#{idx}"
+    }
+    unless filepath
+      unless @silent
+	STDERR.puts("WARNING: Skipping duplicate certificate #{org_filename}")
+      end
+    else
+      (@cert_cache[name_hash] ||= []) << path(filepath)
+    end
+  end
+
+  def link_hash_crl(org_filename, crl)
+    name_hash = hash_name(crl.issuer)
+    fingerprint = fingerprint(crl.to_der)
+    filepath = link_hash(org_filename, name_hash, fingerprint) { |idx|
+      "#{name_hash}.r#{idx}"
+    }
+    unless filepath
+      unless @silent
+	STDERR.puts("WARNING: Skipping duplicate CRL #{org_filename}")
+      end
+    else
+      (@crl_cache[name_hash] ||= []) << path(filepath)
+    end
+  end
+
+  def link_hash(org_filename, name, fingerprint)
+    idx = 0
+    filepath = nil
+    while true
+      filepath = yield(idx)
+      break unless FileTest.symlink?(filepath) or FileTest.exist?(filepath)
+      if @fingerprint_cache[filepath] == fingerprint
+	return false
+      end
+      idx += 1
+    end
+    STDOUT.puts("#{org_filename} => #{filepath}") unless @silent
+    symlink(org_filename, filepath)
+    @fingerprint_cache[filepath] = fingerprint
+    filepath
+  end
+
+  def symlink(from, to)
+    begin
+      File.symlink(from, to)
+    rescue
+      File.open(to, "w") do |f|
+	f << File.read(from)
+      end
+    end
+  end
+
+  def path(filename)
+    File.join(@dirpath, filename)
+  end
+
+  def hash_name(name)
+    sprintf("%x", name.hash)
+  end
+
+  def fingerprint(der)
+    MD5.hexdigest(der).upcase
+  end
+end
+
+if $0 == __FILE__
+  dirlist = ARGV
+  dirlist << '/usr/ssl/certs' if dirlist.empty?
+  dirlist.each do |dir|
+    CHashDir.new(dir).hash_dir
+  end
+end
diff --git a/sample/cipher.rb b/sample/cipher.rb
new file mode 100644
index 0000000..844b6ee
--- /dev/null
+++ b/sample/cipher.rb
@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+require 'openssl'
+
+text = "abcdefghijklmnopqrstuvwxyz"
+key = "key"
+alg = "DES-EDE3-CBC"
+#alg = "AES-128-CBC"
+
+puts "--Setup--"
+puts %(clear text:    "#{text}")
+puts %(symmetric key: "#{key}")
+puts %(cipher alg:    "#{alg}")
+puts
+
+puts "--Encrypting--"
+des = OpenSSL::Cipher::Cipher.new(alg)
+des.encrypt(key) #, "iv12345678")
+cipher =  des.update(text)
+cipher << des.final
+puts %(encrypted text: #{cipher.inspect})
+puts
+
+puts "--Decrypting--"
+des = OpenSSL::Cipher::Cipher.new(alg)
+des.decrypt(key) #, "iv12345678")
+out =  des.update(cipher)
+out << des.final
+puts %(decrypted text: "#{out}")
+puts
diff --git a/sample/echo_cli.rb b/sample/echo_cli.rb
new file mode 100644
index 0000000..87dacaf
--- /dev/null
+++ b/sample/echo_cli.rb
@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+
+require 'socket'
+require 'openssl'
+require 'getopts'
+
+getopts nil, "p:2000", "c:", "k:", "C:"
+
+host      = ARGV[0] || "localhost"
+port      = $OPT_p
+cert_file = $OPT_c
+key_file  = $OPT_k
+ca_path   = $OPT_C
+
+ctx = OpenSSL::SSL::SSLContext.new()
+if cert_file && key_file
+  ctx.cert = OpenSSL::X509::Certificate.new(File::read(cert_file))
+  ctx.key  = OpenSSL::PKey::RSA.new(File::read(key_file))
+end
+if ca_path
+  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  ctx.ca_path = ca_path
+else
+  $stderr.puts "!!! WARNING: PEER CERTIFICATE WON'T BE VERIFIED !!!"
+end
+
+s = TCPSocket.new(host, port)
+ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
+ssl.connect
+while line = $stdin.gets
+  ssl.write line
+  print ssl.gets
+end
+
+ssl.close
+s.close
diff --git a/sample/echo_svr.rb b/sample/echo_svr.rb
new file mode 100644
index 0000000..e35ad12
--- /dev/null
+++ b/sample/echo_svr.rb
@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+
+require 'socket'
+require 'openssl'
+require 'getopts'
+
+getopts nil, "p:2000", "c:", "k:", "C:"
+
+port      = $OPT_p
+cert_file = $OPT_c
+key_file  = $OPT_k
+ca_path   = $OPT_C
+
+if cert_file && key_file
+  cert = OpenSSL::X509::Certificate.new(File::read(cert_file))
+  key  = OpenSSL::PKey::RSA.new(File::read(key_file))
+else
+  key = OpenSSL::PKey::RSA.new(512){ print "." }
+  puts
+  cert = OpenSSL::X509::Certificate.new
+  cert.version = 2
+  cert.serial = 0
+  name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
+  cert.subject = name
+  cert.issuer = name
+  cert.not_before = Time.now
+  cert.not_after = Time.now + 3600
+  cert.public_key = key.public_key
+  ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
+  cert.extensions = [
+    ef.create_extension("basicConstraints","CA:FALSE"),
+    ef.create_extension("subjectKeyIdentifier","hash"),
+    ef.create_extension("extendedKeyUsage","serverAuth"),
+    ef.create_extension("keyUsage",
+                        "keyEncipherment,dataEncipherment,digitalSignature")
+  ]
+  ef.issuer_certificate = cert
+  cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                         "keyid:always,issuer:always")
+  cert.sign(key, OpenSSL::Digest::SHA1.new)
+end
+
+ctx = OpenSSL::SSL::SSLContext.new()
+ctx.key = key
+ctx.cert = cert
+if ca_path
+  ctx.verify_mode =
+    OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+  ctx.ca_path = ca_path
+else
+  $stderr.puts "!!! WARNING: PEER CERTIFICATE WON'T BE VERIFIED !!!"
+end
+
+svr = TCPServer.new(port)
+loop do
+  ns = svr.accept
+  ssl = OpenSSL::SSL::SSLSocket.new(ns, ctx)
+  ssl.accept
+  while line = ssl.gets
+    ssl.write line
+  end
+  ssl.close
+  ns.close
+end
diff --git a/sample/gen_csr.rb b/sample/gen_csr.rb
new file mode 100644
index 0000000..c22073b
--- /dev/null
+++ b/sample/gen_csr.rb
@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+
+require 'getopts'
+require 'openssl'
+
+include OpenSSL
+
+def usage
+  myname = File::basename($0)
+  $stderr.puts <<EOS
+Usage: #{myname} name [keypair_file]
+  name ... ex. /C=JP/O=RRR/OU=CA/CN=NaHi/emailAddress=nahi@example.org
+EOS
+  exit
+end
+
+getopts nil, "key:", "csrout:", "keyout:"
+keypair_file = $OPT_key
+csrout = $OPT_csrout || "csr.pem"
+keyout = $OPT_keyout || "keypair.pem"
+
+name_str = ARGV.shift or usage()
+
+$stdout.sync = true
+
+name_ary = name_str.scan(/\s*([^\/,]+)\s*/).collect { |i| i[0].split("=") }
+p name_ary
+name = X509::Name.new(name_ary)
+
+keypair = nil
+if keypair_file
+  keypair = PKey::RSA.new(File.read(keypair_file))
+else
+  keypair = PKey::RSA.new(1024) { putc "." }
+  puts
+  puts "Writing #{keyout}..."
+  File.open(keyout, "w", 0400) do |f|
+    f << keypair.to_pem
+  end
+end
+
+puts "Generating CSR for #{name_ary.inspect}"
+
+req = X509::Request.new
+req.subject = name
+req.public_key = keypair.public_key
+req.sign(keypair, Digest::SHA1.new)
+
+puts "Writing #{csrout}..."
+File.open(csrout, "w") do |f|
+  f << req.to_pem
+end
diff --git a/sample/smime_read.rb b/sample/smime_read.rb
new file mode 100644
index 0000000..0f08f54
--- /dev/null
+++ b/sample/smime_read.rb
@@ -0,0 +1,23 @@
+require 'getopts'
+require 'openssl'
+include OpenSSL
+
+getopts nil, "c:", "k:", "C:"
+
+cert_file = $OPT_c
+key_file  = $OPT_k
+ca_path   = $OPT_C
+
+data = $stdin.read
+
+cert = X509::Certificate.new(File::read(cert_file))
+key = PKey::RSA.new(File::read(key_file))
+p7enc = PKCS7::read_smime(data)
+data = p7enc.decrypt(key, cert)
+
+store = X509::Store.new
+store.add_path(ca_path)
+p7sig = PKCS7::read_smime(data)
+if p7sig.verify([], store)
+  puts p7sig.data
+end
diff --git a/sample/smime_write.rb b/sample/smime_write.rb
new file mode 100644
index 0000000..ce32cd8
--- /dev/null
+++ b/sample/smime_write.rb
@@ -0,0 +1,23 @@
+require 'openssl'
+require 'getopts'
+include OpenSSL
+
+getopts nil, "c:", "k:", "r:"
+
+cert_file = $OPT_c
+key_file  = $OPT_k
+rcpt_file = $OPT_r
+
+cert = X509::Certificate.new(File::read(cert_file))
+key = PKey::RSA.new(File::read(key_file))
+
+data  = "Content-Type: text/plain\r\n"
+data << "\r\n"
+data << "This is a clear-signed message.\r\n"
+
+p7sig  = PKCS7::sign(cert, key, data, [], PKCS7::DETACHED)
+smime0 = PKCS7::write_smime(p7sig)
+
+rcpt  = X509::Certificate.new(File::read(rcpt_file))
+p7enc = PKCS7::encrypt([rcpt], smime0)
+print PKCS7::write_smime(p7enc)   
diff --git a/sample/wget.rb b/sample/wget.rb
new file mode 100644
index 0000000..0362ab9
--- /dev/null
+++ b/sample/wget.rb
@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+
+require 'net/https'
+require 'getopts'
+
+getopts nil, 'C:'
+
+ca_path = $OPT_C
+
+uri = URI.parse(ARGV[0])
+if proxy = ENV['HTTP_PROXY']
+  prx_uri = URI.parse(proxy)
+  prx_host = prx_uri.host
+  prx_port = prx_uri.port
+end
+
+h = Net::HTTP.new(uri.host, uri.port, prx_host, prx_port)
+h.set_debug_output($stderr) if $DEBUG
+if uri.scheme == "https"
+  h.use_ssl = true
+  if ca_path
+    h.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    h.ca_path = ca_path
+  else
+    $stderr.puts "!!! WARNING: PEER CERTIFICATE WON'T BE VERIFIED !!!"
+  end
+end
+
+path = uri.path.empty? ? "/" : uri.path
+h.get2(path){|resp|
+  STDERR.puts h.peer_cert.inspect if h.peer_cert
+  print resp.body
+}