Ruby + openssl + self signed certificates = confusion

Discussion in 'Ruby' started by Neumann, Aug 11, 2006.

  1. Neumann

    Neumann Guest

    I'm trying to work a bit of CA ability into some code that I'm writing,
    and I need to create a self-signed certificate. This is not going so
    well. I'm able to create the certificate, and it seems to work OK,
    until I save it. The sample code I use to create a test certificate is
    as follows:

    require 'openssl'
    # The bare constants below (PKey, X509, Certificate, ...) rely on these includes.
    include OpenSSL
    include OpenSSL::X509

    entries = {"countryName" => "USA",
               "stateOrProvinceName" => "New Mexico",
               "localityName" => "Albuquerque",
               "organizationName" => "That group of dudes",
               "organizationalUnitName" => "The cool dudes",
               "commonName" => "William D. Neumann"}
    keypair2048 = PKey::RSA.new(2048) { putc "." }
    name = X509::Name.new()
    entries.each { |_k,_v| name.add_entry(_k,_v) }
    cert = Certificate.new
    cert.public_key = keypair2048.public_key
    cert.subject = name
    cert.issuer = name
    cert.version = 2
    now = Time.now.utc
    next_year = now + (365 * 24 * 60 * 60)
    cert.not_before = now
    cert.not_after = next_year
    ef = ExtensionFactory.new
    bc = ef.create_extension("basicConstraints", "CA:TRUE")
    ku = ef.create_extension("keyUsage", "keyEncipherment, digitalSignature")
    cert.extensions = [bc, ku]
    cert.sign(keypair2048, Digest::SHA1.new)

    Now, when I test the signature on this certificate, all is well:
    irb(main):099:0> cert.verify cert.public_key
    => true

    But if I save the certificate and read it back in, I have no such luck:
    File.open("newcert.pem","w") do |_file|
    _file << cert.to_pem
    end

    newcert = Certificate.new(File.read "newcert.pem")
    irb(main):105:0> newcert.verify newcert.public_key
    => false
    irb(main):106:0> newcert.verify cert.public_key
    => false

    But oddly enough, this works.

    irb(main):107:0> cert.verify newcert.public_key
    => true

    Also, if I create a different certificate, and sign it using cert's
    key, I can save it, read it back in and verify it with cert's public
    key (and newcert's as well) just fine. Does anyone know what's going
    on here with the self signed certificate?
     
    Neumann, Aug 11, 2006
    #1
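
A round-trip check for the situation described in the post, as an added example that is not part of the original post and does not diagnose its cause. The signature covers the DER-encoded certificate body, so the check compares the DER bytes before and after a PEM round trip alongside the verify results. The subject values, serial number 1, SHA-256 digest and the helper names are assumptions of this example, and the PEM round trip is done in memory rather than through newcert.pem.

```ruby
require "openssl"

# Build a self-signed certificate. Subject values, serial and digest are
# constructed for this example; the extensions mirror the ones in the post.
def build_self_signed(key)
  name = OpenSSL::X509::Name.new([["C", "US"], ["O", "Example Org"], ["CN", "Example Test CA"]])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2            # X.509 v3
  cert.serial = 1             # assumption: explicit serial number
  cert.subject = name
  cert.issuer = name          # self-signed: issuer equals subject
  cert.public_key = key.public_key
  now = Time.now.utc
  cert.not_before = now
  cert.not_after = now + (365 * 24 * 60 * 60)
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE"))
  cert.add_extension(ef.create_extension("keyUsage", "keyEncipherment, digitalSignature"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Byte offset of the first difference between two DER strings, nil if equal.
def first_der_difference(a, b)
  return nil if a == b
  limit = [a.bytesize, b.bytesize].min
  (0...limit).find { |i| a.getbyte(i) != b.getbyte(i) } || limit
end

# Serialize to PEM, parse it back, and report what survived the round trip.
def round_trip_report(cert)
  reloaded = OpenSSL::X509::Certificate.new(cert.to_pem)
  {
    der_difference_at: first_der_difference(cert.to_der, reloaded.to_der),
    original_verifies: cert.verify(cert.public_key),
    reloaded_verifies: reloaded.verify(reloaded.public_key),
    cross_verifies:    reloaded.verify(cert.public_key)
  }
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  round_trip_report(build_self_signed(key)).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

A non-nil `der_difference_at` means the bytes written out are not the bytes that were signed, which narrows the problem to encoding rather than to the key.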