lib/tasks/ca.rb
require 'r509'
require 'erb'
require_relative 'helper'
namespace :ca do
desc 'Generate all the certificates for testing'
task :all => %w{ good ocsp_only crl_only empty revoked }
task :clean do
Dir.chdir 'spec/support/ca' do
sh 'rm -f *.crt *.crl *.key *.txt *.yaml'
end
end
desc 'Generate a signing CA for testing certificates'
task :root => 'spec/support/ca/root.key'
file 'spec/support/ca/root.key' do |t|
subject = OpenSSL::X509::Name.new
'C=US/ST=Florida/L=Miami/O=r509-cert-validator/CN='.split('/').each do |s|
key, value = s.split '=', 2
subject.add_entry key, value
end
csr = CaHelper.csr
cert = R509::CertificateAuthority::Signer.selfsign(
csr: csr,
not_after: (Time.now.to_i + (86400 * 3650)),
message_digest: 'sha1'
)
csr.key.write_pem 'spec/support/ca/root.key'
cert.write_pem 'spec/support/ca/root.crt'
sh "touch spec/support/ca/rcv_spec_list.txt"
sh "touch spec/support/ca/rcv_spec_crlnumber.txt"
end
file 'spec/support/ca/root.crt' => 'spec/support/ca/root.key'
file 'spec/support/ca/rcv_spec_list.txt' => 'spec/support/ca/root.key'
file 'spec/support/ca/rcv_spec_crlnumber.txt' => 'spec/support/ca/root.key
'
file 'spec/support/ca/config.yaml' => 'spec/support/ca/config.yaml.erb' do |s|
erb = ERB.new File.read s.prerequisites.first
b = binding
cert_path = File.expand_path 'spec/support/ca/'
File.open s.name, 'w' do |f|
f.write erb.result b
end
end
desc 'Generate a valid certificate with CRL and OCSP data'
task :good => 'spec/support/ca/good.crt'
file 'spec/support/ca/good.crt' => [:root, 'spec/support/ca/config.yaml'] do
ca = CaHelper.ca
csr = CaHelper.options_builder.build_and_enforce(
csr: CaHelper.csr,
profile_name: 'good'
)
cert = ca.sign csr
cert.write_pem 'spec/support/ca/good.crt'
end
desc 'Generate a valid certificate with only CRL data'
task :crl_only => 'spec/support/ca/crl_only.crt'
file 'spec/support/ca/crl_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
ca = CaHelper.ca
csr = CaHelper.options_builder.build_and_enforce(
csr: CaHelper.csr,
profile_name: 'crl_only'
)
cert = ca.sign csr
cert.write_pem 'spec/support/ca/crl_only.crt'
end
desc 'Generate a valid certificate with only OCSP data'
task :ocsp_only => 'spec/support/ca/ocsp_only.crt'
file 'spec/support/ca/ocsp_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
ca = CaHelper.ca
csr = CaHelper.options_builder.build_and_enforce(
csr: CaHelper.csr,
profile_name: 'ocsp_only'
)
cert = ca.sign csr
cert.write_pem 'spec/support/ca/ocsp_only.crt'
end
desc 'Generate a certificate and revoke it in both CRL and OCSP'
task :revoked => 'spec/support/ca/revoked.crt'
file 'spec/support/ca/revoked.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
ca = CaHelper.ca
csr = CaHelper.options_builder.build_and_enforce(
csr: CaHelper.csr,
profile_name: 'good'
)
cert = ca.sign csr
cert.write_pem 'spec/support/ca/revoked.crt'
admin = R509::CRL::Administrator.new CaHelper.pool['rcv_spec_ca']
admin.revoke_cert cert.serial
crl = admin.generate_crl
crl.write_pem 'spec/support/ca/rcv_spec.crl'
end
desc 'Generate a valid certificate with no CRL or OCSP data'
task :empty => 'spec/support/ca/empty.crt'
file 'spec/support/ca/empty.crt' => [:root, 'spec/support/ca/config.yaml'] do
ca = CaHelper.ca
cert = ca.sign csr: CaHelper.csr
cert.write_pem 'spec/support/ca/empty.crt'
end
end