crystal-lang / crystal

The Crystal Programming Language
https://crystal-lang.org
Apache License 2.0

Need to enhance OpenSSL::X509 with more features #7896

Open ghost opened 5 years ago

ghost commented 5 years ago

Summary

I need this feature to sign some X509 certificates. I don't know much about OpenSSL. I looked at the Crystal API documentation, but I didn't see this feature (e.g. OpenSSL::X509::Request, OpenSSL::PKey::RSA).

enhance: OpenSSL::X509::Certificate (e.g. version, serial, public_key, subject, issuer...)

and more documentation is needed (preferably like Ruby's).

In Ruby (Example From StackOverflow)

require 'openssl'

# INTERCEPTOR_CA_CERTIFICATE and INTERCEPTOR_CA_KEY are constants defined elsewhere
# in the original program: paths to the interception CA's PEM certificate and key.
ca     = OpenSSL::X509::Certificate.new( File.read( INTERCEPTOR_CA_CERTIFICATE ) )
ca_key = OpenSSL::PKey::RSA.new( File.read( INTERCEPTOR_CA_KEY ) )

# Fresh keypair for the forged leaf certificate.
keypair = OpenSSL::PKey::RSA.new( 4096 )

# Certificate signing request (the PKCS#10 version is always 0).
req            = OpenSSL::X509::Request.new
req.version    = 0
# The leading "/" makes this parse as an OpenSSL-style name in every openssl gem
# version; without it, newer versions treat the string as comma-separated and
# put the whole line into CN.
req.subject    = OpenSSL::X509::Name.parse(
    "/CN=www.origin-server.com/O=Arachni/OU=Proxy/L=Athens/ST=Attika/C=GR"
)
req.public_key = keypair.public_key
req.sign( keypair, OpenSSL::Digest::SHA1.new )

# X.509 v3 is encoded as version 2.
cert            = OpenSSL::X509::Certificate.new
cert.version    = 2
# rand(999999) is neither unique nor unpredictable and can be 0; an issuer
# should use a CSPRNG serial of at least 64 bits.
cert.serial     = rand( 999999 )
cert.not_before = Time.new
cert.not_after  = cert.not_before + (60 * 60 * 24 * 365)   # one year
cert.public_key = req.public_key
cert.subject    = req.subject
cert.issuer     = ca.subject

# The factory needs both certificates to compute the key identifiers below.
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate  = ca

cert.extensions = [
    ef.create_extension( 'basicConstraints', 'CA:FALSE', true ),
    ef.create_extension( 'extendedKeyUsage', 'serverAuth', false ),
    ef.create_extension( 'subjectKeyIdentifier', 'hash' ),
    ef.create_extension( 'authorityKeyIdentifier', 'keyid:always,issuer:always' ),
    ef.create_extension( 'keyUsage',
        %w(nonRepudiation digitalSignature
        keyEncipherment dataEncipherment).join(","),
        true
    )
]
# SHA-1 signatures are rejected by current TLS clients; use OpenSSL::Digest::SHA256 in practice.
cert.sign( ca_key, OpenSSL::Digest::SHA1.new )

ghost commented 5 years ago

Please, if possible, consider giving priority to this feature. I need to use it to make a MITM proxy server; otherwise, I can only try to use Rust to rewrite this server... :(

ysbaddaden commented 5 years ago

This isn't trivial work. Nobody took the time to wrap the OpenSSL functions. You can use them directly, though, or tackle this and open a pull request :)
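As an added example (not code from this issue, from Crystal's standard library, or from the openssl_ext shard), this is the direct-binding route described above: a `lib` declaring just enough of libcrypto to do what the Ruby snippet in the issue does, generating a CA key and a leaf key, signing the leaf with the CA, and emitting PEM. It assumes OpenSSL 1.1.0 or later linked as libcrypto (X509_getm_notBefore and ASN1_INTEGER_set_uint64 do not exist in 1.0.x). The names LibX509Ext, generate_rsa_key, build_cert, to_pem and the header constants are this example's own, and it replaces the two weak choices in the Ruby snippet: the signature digest is SHA-256 instead of SHA-1, and the serial is 64 CSPRNG bits instead of rand(999999).

```crystal
require "random/secure"

# Opaque libcrypto handles are declared as Void* throughout: nothing here
# dereferences an OpenSSL struct, so the real layouts are never needed.
@[Link("crypto")]
lib LibX509Ext
  fun evp_pkey_ctx_new_id = EVP_PKEY_CTX_new_id(id : LibC::Int, engine : Void*) : Void*
  fun evp_pkey_keygen_init = EVP_PKEY_keygen_init(ctx : Void*) : LibC::Int
  fun evp_pkey_ctx_ctrl = EVP_PKEY_CTX_ctrl(ctx : Void*, keytype : LibC::Int, optype : LibC::Int, cmd : LibC::Int, p1 : LibC::Int, p2 : Void*) : LibC::Int
  fun evp_pkey_keygen = EVP_PKEY_keygen(ctx : Void*, pkey : Void**) : LibC::Int
  fun evp_pkey_ctx_free = EVP_PKEY_CTX_free(ctx : Void*)
  fun evp_sha256 = EVP_sha256 : Void*
  fun x509_new = X509_new : Void*
  fun x509_set_version = X509_set_version(x : Void*, version : LibC::Long) : LibC::Int
  fun x509_get_serialnumber = X509_get_serialNumber(x : Void*) : Void*
  fun asn1_integer_set_uint64 = ASN1_INTEGER_set_uint64(a : Void*, v : UInt64) : LibC::Int
  fun x509_getm_notbefore = X509_getm_notBefore(x : Void*) : Void*
  fun x509_getm_notafter = X509_getm_notAfter(x : Void*) : Void*
  fun x509_gmtime_adj = X509_gmtime_adj(t : Void*, adj : LibC::Long) : Void*
  fun x509_get_subject_name = X509_get_subject_name(x : Void*) : Void*
  fun x509_set_issuer_name = X509_set_issuer_name(x : Void*, name : Void*) : LibC::Int
  fun x509_name_add_entry_by_txt = X509_NAME_add_entry_by_txt(name : Void*, field : LibC::Char*, type : LibC::Int, bytes : LibC::Char*, len : LibC::Int, loc : LibC::Int, set : LibC::Int) : LibC::Int
  fun x509_set_pubkey = X509_set_pubkey(x : Void*, pkey : Void*) : LibC::Int
  fun x509_sign = X509_sign(x : Void*, pkey : Void*, md : Void*) : LibC::Int
  fun x509_verify = X509_verify(x : Void*, pkey : Void*) : LibC::Int
  fun bio_new = BIO_new(method : Void*) : Void*
  fun bio_s_mem = BIO_s_mem : Void*
  fun bio_free = BIO_free(bio : Void*) : LibC::Int
  fun bio_read = BIO_read(bio : Void*, buf : UInt8*, len : LibC::Int) : LibC::Int
  fun pem_write_bio_x509 = PEM_write_bio_X509(bio : Void*, x : Void*) : LibC::Int
end

# Header constants, copied from openssl/evp.h, openssl/rsa.h and openssl/asn1.h (1.1.1 and 3.x).
EVP_PKEY_RSA                  = 6
EVP_PKEY_OP_KEYGEN            = 1 << 2
EVP_PKEY_CTRL_RSA_KEYGEN_BITS = 0x1000 + 3
MBSTRING_UTF8                 = 0x1000

def check(rc : Int32, what : String) : Int32
  raise "#{what} failed (rc=#{rc})" if rc <= 0
  rc
end

# RSA key generation through EVP_PKEY_CTX, which avoids the RSA_* calls deprecated in 3.0.
def generate_rsa_key(bits : Int32) : Void*
  ctx = LibX509Ext.evp_pkey_ctx_new_id(EVP_PKEY_RSA, Pointer(Void).null)
  raise "EVP_PKEY_CTX_new_id failed" if ctx.null?
  begin
    check(LibX509Ext.evp_pkey_keygen_init(ctx), "EVP_PKEY_keygen_init")
    check(LibX509Ext.evp_pkey_ctx_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
      EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, Pointer(Void).null), "EVP_PKEY_CTX_ctrl(keygen bits)")
    pkey = Pointer(Void).null
    check(LibX509Ext.evp_pkey_keygen(ctx, pointerof(pkey)), "EVP_PKEY_keygen")
    pkey
  ensure
    LibX509Ext.evp_pkey_ctx_free(ctx)
  end
end

def add_name_entry(name : Void*, field : String, value : String)
  check(LibX509Ext.x509_name_add_entry_by_txt(name, field, MBSTRING_UTF8, value, -1, -1, 0),
    "X509_NAME_add_entry_by_txt(#{field})")
end

# Builds an X.509 v3 certificate for `cn` holding `pubkey`, signed by `signer`.
# `issuer` is the CA's subject name; nil makes the certificate self-signed.
def build_cert(cn : String, pubkey : Void*, issuer : Pointer(Void)?, signer : Void*, days : Int32) : Void*
  cert = LibX509Ext.x509_new
  raise "X509_new failed" if cert.null?
  check(LibX509Ext.x509_set_version(cert, 2), "X509_set_version") # v3 is encoded as 2
  # 64 CSPRNG bits: serials must be unique and unpredictable per issuer.
  check(LibX509Ext.asn1_integer_set_uint64(LibX509Ext.x509_get_serialnumber(cert),
    Random::Secure.rand(UInt64)), "ASN1_INTEGER_set_uint64")
  LibX509Ext.x509_gmtime_adj(LibX509Ext.x509_getm_notbefore(cert), 0)
  LibX509Ext.x509_gmtime_adj(LibX509Ext.x509_getm_notafter(cert), LibC::Long.new(days) * 86_400)
  subject = LibX509Ext.x509_get_subject_name(cert)
  add_name_entry(subject, "O", "Arachni")
  add_name_entry(subject, "CN", cn)
  check(LibX509Ext.x509_set_issuer_name(cert, issuer || subject), "X509_set_issuer_name")
  check(LibX509Ext.x509_set_pubkey(cert, pubkey), "X509_set_pubkey")
  # SHA-256 rather than the SHA-1 of the Ruby snippet; SHA-1 signatures are rejected by current clients.
  check(LibX509Ext.x509_sign(cert, signer, LibX509Ext.evp_sha256), "X509_sign")
  cert
end

# Serialises a certificate to PEM by draining a memory BIO.
def to_pem(cert : Void*) : String
  bio = LibX509Ext.bio_new(LibX509Ext.bio_s_mem)
  raise "BIO_new failed" if bio.null?
  begin
    check(LibX509Ext.pem_write_bio_x509(bio, cert), "PEM_write_bio_X509")
    String.build do |str|
      buf = uninitialized UInt8[512]
      loop do
        n = LibX509Ext.bio_read(bio, buf.to_unsafe, buf.size)
        break if n <= 0
        str.write(buf.to_slice[0, n])
      end
    end
  ensure
    LibX509Ext.bio_free(bio)
  end
end

ca_key   = generate_rsa_key(2048)
leaf_key = generate_rsa_key(2048)
ca   = build_cert("Interceptor CA", ca_key, nil, ca_key, 3650)
leaf = build_cert("www.origin-server.com", leaf_key, LibX509Ext.x509_get_subject_name(ca), ca_key, 365)
# Check the signature under the CA key before handing the cert to a TLS context.
raise "leaf does not verify under the CA key" unless LibX509Ext.x509_verify(leaf, ca_key) == 1
puts to_pem(leaf)
```

Two things are deliberately left out to keep the block short. No extensions are added (basicConstraints, keyUsage, subjectAltName go through X509V3_EXT_conf_nid and X509_add_ext), and without a subjectAltName a current browser will reject the leaf no matter what the CN says, just as it would reject the Ruby snippet's output; likewise the CA certificate above carries no CA:TRUE constraint, so a strict verifier will not accept it as an issuer. The X509 and EVP_PKEY objects are also never freed (X509_free, EVP_PKEY_free), which matters in a long-running proxy that mints one certificate per intercepted host.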

ghost commented 5 years ago

@ysbaddaden


This isn't trivial work.

Yes, I guessed this possibility😟, but thanks for your reply😁.


You can use them directly, though, or tackle this and open a pull request :)

I may not be able to do this task (I don't know much about the C language☹️), but I found another openssl.cr library; it seems a little old, but I will try to use it🤔.


RX14 commented 5 years ago

there is https://github.com/randomstate/openssl_ext

crysbot commented 4 days ago

This issue has been mentioned on Crystal Forum. There might be relevant details there:

https://forum.crystal-lang.org/t/file-signatures-via-crystal-openssl-library/7440/4