cchandler / certificate_authority

Ruby gem for managing the core functions outlined in RFC-3280 for PKI
https://github.com/cchandler/certificate_authority
194 stars 44 forks source link

Have certificates validate their extensions #26

Open jof opened 12 years ago

jof commented 12 years ago

Seems like each of the X509v3 extension classes support being validated. Perhaps checking the validity of a Certificate should also check the validity of any underlying extension instances.

For example, this script:

#!/usr/bin/env ruby

require 'rubygems'
require 'certificate_authority'

root = CertificateAuthority::Certificate.new
root.subject.common_name = 'test root cert'
root.serial_number.number = 1
root.key_material.generate_key 768

puts "Simple root cert validity: #{root.valid?}"

root.extensions['basicConstraints'].ca = 'waffles'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"

root.extensions['basicConstraints'].ca = 'true'

puts "Root cert validity with bunk CA string is: #{root.valid?}"
puts "basicConstraints extension with bunk CA string is: #{root.extensions['basicConstraints'].valid?}"```

Returns:

Simple root cert validity: true
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false
Root cert validity with bunk CA string is: true
basicConstraints extension with bunk CA string is: false

Strangely, Extensions::BasicConstraints doesn't seem to recover from ever having been false, after it's switched to valid values.