Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
A wrapper around openssl to make creating and using X509 certs easier.
Ruby
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
test
.document
.gitignore
Gemfile
Gemfile.lock
LICENSE
README.rdoc
Rakefile
cert_lib.gemspec

README.rdoc

cert_lib

Synopsis

Ruby has an excellent full-featured openssl library, but the documentation for it is sparse. This gem wraps ruby openssl and provides simple methods for creating public/private keys and X509 certificates. Use the public/private key pairs to sign/verify and encrypt/decrypt data. X509 certificates contain the public key as well as metadata about the key, and are used as a standard vehicle for distributing public keys.

Information on how to use ruby openssl was acquired from many sources, but I particularly recommend:

http://olabini.com/blog/2008/08/ruby-security-quick-guide/

There were also many useful examples in the Puppet code:

http://reductivelabs.com/products/puppet/

Setup

There needs to be a model present named CertLog that provides an increasing integer with each entry, for the cert serial number. Best would be to create one in an ORM such as DataMapper or ActiveRecord. It should have an Integer “id” field, and at least a String “subject” and a DateTime “expires_after” field.

Alternatively you could use the class provided in CertLib::CertSerial, which writes to a file, by defining a constant named CertLogRoot that is a Pathname instance for the location where you would like a “certlog” directory to be created.

For example, to put “certlog” inside the “db” directory in the Rails hierarchy, you would put this into config/environment.rb, or somewhere that loads before the gem:

CertLogRoot = Pathname.new(File.join(File.dirname(__FILE__), '..', 'db'))

Usage

Create a public/private key pair and a basic self-signed X509 cert like this:

cert, key = CertLib::Cert.create(:common_name => "example.com")

See the comments in CertLib::Cert for a list of other possible keys in the argument hash. Only :common_name is required.

Call #to_s on the above cert and key objects to get their string representations in the standard PEM format, suitable for saving away in a file or database field. If you wish to see what's in the cert or key, use #inspect.

You can then resurrect certs and keys with:

cert = CertLib::Cert.new(cert_pem_string)
key = CertLib::Pkey.new(key_pem_string)

Having instantiated cert and/or key as above:

Use key#sign to get a signature over a string:

signature = key.sign(data_to_sign) # => Base64 encoded signature

Use cert#verify_signature to prove that the signed data was signed by the private key corresponding to the certificate:

cert.verify_signature(signature, signed_text) # => true|false

Use cert#encrypt to return an encrypted string:

encrypted_string = cert.encrypt(text_to_encrypt) # => Base64 encoded encrypted string

Only key#decrypt can make the data plaintext again, assuming key represents the private key corresponding to the cert that did the encrypting:

decrypted_string = key.decrypt(encrypted_string) # => plaintext string

In all 4 of these methods, pass false as an additional last argument to accept or return raw bytes instead of Base64 encoded strings.

Install

git clone git://github.com/victorgrey/cert_lib.git

cd cert_lib

gem build cert_lib.gemspec

(sudo) gem install cert_lib-0.5.2.gem

Copyright

Copyright © 2010 Victor Grey. See LICENSE for details.

Something went wrong with that request. Please try again.