# Copyright, 2018, by Samuel G. D. Williams. <http://www.codeotaku.com># # Permission is hereby granted, free of charge, to any person obtaining a copy# of this software and associated documentation files (the "Software"), to deal# in the Software without restriction, including without limitation the rights# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell# copies of the Software, and to permit persons to whom the Software is# furnished to do so, subject to the following conditions:# # The above copyright notice and this permission notice shall be included in# all copies or substantial portions of the Software.# # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN# THE SOFTWARE.require'yaml'require'openssl'moduleLocalhostclassAuthoritydefself.pathFile.expand_path("~/.localhost")enddefself.fetch(*args)authority=self.new(*args)path=self.pathunlessauthority.load(path)Dir.mkdir(path,0700)unlessFile.directory?(path)authority.save(path)endreturnauthorityenddefinitialize(hostname="localhost")@hostname=hostname@key=nil@name=nil@certificate=nil@store=nilenddefkey@key||=OpenSSL::PKey::RSA.new(1024)enddefname@name||=OpenSSL::X509::Name.parse("O=Development/CN=#{@hostname}")enddefcertificate@certificate||=OpenSSL::X509::Certificate.new.tapdo|certificate|certificate.subject=self.name# We use the same issuer as the subject, which makes this certificate self-signed:certificate.issuer=self.namecertificate.public_key=self.key.public_keycertificate.serial=1certificate.not_before=Time.nowcertificate.not_after=Time.now+(3600*24*365*10)extension_factory=OpenSSL::X509::ExtensionFactory.newextension_factory.subject_certificate=certificateextension_factory.issuer_certificate=certificate# Because we are using a self-signed root certificate, we also need to make it a "pseudo-CA".# https://security.stackexchange.com/questions/143061/does-openssl-refuse-self-signed-certificates-without-basic-constraintscertificate.add_extensionextension_factory.create_extension("basicConstraints","CA:TRUE",true)certificate.add_extensionextension_factory.create_extension("keyUsage","keyCertSign, cRLSign, digitalSignature",true)certificate.add_extensionextension_factory.create_extension("subjectKeyIdentifier","hash")certificate.signself.key,OpenSSL::Digest::SHA256.newendend# The certificate store which is used for validating the server certificate:defstore@store||=OpenSSL::X509::Store.new.tapdo|store|store.add_cert(self.certificate)endenddefserver_context(*args)OpenSSL::SSL::SSLContext.new(*args).tapdo|context|context.key=self.keycontext.cert=self.certificatecontext.session_id_context="localhost"context.set_params(verify_hostname: false,)endenddefclient_context(*args)OpenSSL::SSL::SSLContext.new(*args).tapdo|context|context.cert_store=self.storecontext.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER,verify_hostname: false,)endenddefload(path)ifFile.directory?pathkey_path=File.join(path,"#{@hostname}.key")returnfalseunlessFile.exist?(key_path)@key=OpenSSL::PKey::RSA.new(File.read(key_path))certificate_path=File.join(path,"#{@hostname}.crt")@certificate=OpenSSL::X509::Certificate.new(File.read(certificate_path))returntrueendenddefsave(path)File.write(File.join(path,"#{@hostname}.crt"),self.certificate.to_pem)File.write(File.join(path,"#{@hostname}.key"),self.key.to_pem)endendend