ruby openssl

csr.rb

require 'openssl'

#
# Program to demonstrate Certificate Signing Request using openssl
#

# Create a new key
def gen_key(name)
  key = OpenSSL::PKey::RSA.new 1024
  file = File.new name, "w"
  file.write key
  file.close
end

# Load a existing key
def get_key(name)
  OpenSSL::PKey::RSA.new File.open(name)
end

# CA signs keys through CSR, CSR contains info necessary to identify the key
def csr(key)
  options = {
  :country      => 'US',
  :state        => 'C',
  :city         => 'FRM',
  :organization => 'CW',
  :department   => '',
  :common_name  => 'CW',
  :email        => ''
  }

  request = OpenSSL::X509::Request.new
  request.version = 0
  request.subject = OpenSSL::X509::Name.new([
  ['C',             options[:country],      OpenSSL::ASN1::PRINTABLESTRING],
  ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
  ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
  ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
  ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
  ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
  ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
  ])
  request.public_key = key.public_key
  request.sign key, OpenSSL::Digest::SHA1.new
end

# Upon receiving a CSR the CA will verify it before signing it. A minimal verification would be to check
# the CSR’s signature.
def check_csr(request)
   csr = OpenSSL::X509::Request.new request
   rais 'CSR can not be verified' unless csr.verify csr.public_key
end

# Sign the CSR
def sign_csr(request, key)
  name = OpenSSL::X509::Name.parse 'CN=cw/DC=example'

  csr_cert = OpenSSL::X509::Certificate.new
  csr_cert.serial = 0
  csr_cert.version = 2
  csr_cert.not_before = Time.now
  csr_cert.not_after = Time.now + 600
  csr_cert.subject = request.subject
  csr_cert.public_key = request.public_key
  csr_cert.issuer = name
  csr_cert.sign key, OpenSSL::Digest::SHA1.new
end

def public_encrypt(cert,data)
  cert.public_encrypt data
end

def private_encrypt(cert,data)
  cert.private_encrypt data
end

def public_decrypt(cert,data)
  cert.public_decrypt data
end

def private_decrypt(cert,data)
  cert.private_decrypt data
end

def main
  puts "Create server and user key ..."
  gen_key 'server.key'
  gen_key 'user.key'

  puts "Load server and user key ..."
  user_key = get_key 'user.key'
  server_key = get_key 'server.key'

  puts "Create user csr..."
  user_csr = csr user_key

  puts "Verify user csr ..."
  check_csr user_csr

  puts "Sign user csr by server ..."
  signed_user_csr = sign_csr user_csr, server_key

  puts "Encrypt message by server ... "
  encrypted_data = public_encrypt signed_user_csr.public_key, "Top secret from server message"
  p encrypted_data
  puts "========== end ==========="

  puts "Decrypt messsage by user encrypted by server ... "
  p private_decrypt user_key, encrypted_data
  puts "========== end ==========="

  puts "Encrypt message by user ... "
  p encrypted_from_user = private_encrypt( user_key, "Top secret from user")
  puts "========== end ==========="

  puts "Decrypt message by server encrypted by server ... "
  p public_decrypt signed_user_csr.public_key, encrypted_from_user
  puts "========== end ==========="
end


main if __FILE__ == $0