class R509::Cert::Extensions::KeyUsage
RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)
The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the digitalSignature and/or nonRepudiation bits would be asserted. Likewise, when an RSA key should be used only for key management, the keyEncipherment bit would be asserted.
You can use this extension to parse an existing extension for easy access to the contents or create a new one.
Constants
- AU_CRL_SIGN
- AU_DATA_ENCIPHERMENT
OpenSSL
short name for Data Encipherment- AU_DECIPHER_ONLY
OpenSSL
short name for Decipher Only- AU_DIGITAL_SIGNATURE
OpenSSL
short name for Digital Signature- AU_ENCIPHER_ONLY
OpenSSL
short name for Encipher Only- AU_KEY_AGREEMENT
OpenSSL
short name for Key Agreement- AU_KEY_CERT_SIGN
OpenSSL
short name for Certificate Sign- AU_KEY_ENCIPHERMENT
OpenSSL
short name for Key Encipherment- AU_NON_REPUDIATION
OpenSSL
short name for Non Repudiation (also known as content commitment)- OID
Attributes
An array (of strings) of the key uses allowed. @return [Array,nil]
Public Class Methods
This method takes a hash or an existing Extension object to parse
The following types are known to r509 by default
digitalSignature nonRepudiation keyEncipherment dataEncipherment keyAgreement keyCertSign cRLSign encipherOnly decipherOnly
@option arg :value [Array] @option arg :critical [Boolean] (false) @example
R509::Cert::Extensions::KeyUsage.new( :critical => false, :value => ['digitalSignature,'keyEncipherment'] )
# File lib/r509/cert/extensions/key_usage.rb, line 71 def initialize(arg) unless R509::Cert::Extensions.is_extension?(arg) arg = build_extension(arg) end super(arg) parse_extension end
Public Instance Methods
Returns true if the given use is allowed by this extension. @param [String] friendly_use_name key usage short name (e.g. digitalSignature, cRLSign, etc)
or one of the AU_* constants in this class
@return [Boolean]
# File lib/r509/cert/extensions/key_usage.rb, line 84 def allows?(friendly_use_name) @allowed_uses.include?(friendly_use_name) end
# File lib/r509/cert/extensions/key_usage.rb, line 112 def crl_sign? (@crl_sign == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 100 def data_encipherment? (@data_encipherment == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 120 def decipher_only? (@decipher_only == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 88 def digital_signature? (@digital_signature == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 116 def encipher_only? (@encipher_only == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 104 def key_agreement? (@key_agreement == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 108 def key_cert_sign? (@key_cert_sign == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 96 def key_encipherment? (@key_encipherment == true) end
# File lib/r509/cert/extensions/key_usage.rb, line 92 def non_repudiation? (@non_repudiation == true) end
@return [Hash]
# File lib/r509/cert/extensions/key_usage.rb, line 125 def to_h { :value => @allowed_uses, :critical => self.critical? } end
@return [YAML]
# File lib/r509/cert/extensions/key_usage.rb, line 133 def to_yaml self.to_h.to_yaml end
Private Instance Methods
# File lib/r509/cert/extensions/key_usage.rb, line 139 def build_extension(arg) validate_usage(arg) ef = OpenSSL::X509::ExtensionFactory.new critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false) ef.create_extension("keyUsage", arg[:value].join(","), critical) end
# File lib/r509/cert/extensions/key_usage.rb, line 146 def parse_extension @allowed_uses = [] data = R509::ASN1.get_extension_payload(self) # There are 9 possible bits, which means we need 2 bytes # to represent them all. When the last bit is not set # the second byte is not encoded. let's add it back so we can # have the full bitmask for comparison if data.size == 1 data += "\0" end bit_mask = data.unpack('n')[0] # treat it as a 16-bit unsigned big endian # KeyUsage ::= BIT STRING { # digitalSignature (0), # nonRepudiation (1), -- recent editions of X.509 have # -- renamed this bit to contentCommitment # keyEncipherment (2), # dataEncipherment (3), # keyAgreement (4), # keyCertSign (5), # cRLSign (6), # encipherOnly (7), # decipherOnly (8) } if bit_mask & 0b1000000000000000 > 0 @digital_signature = true @allowed_uses << AU_DIGITAL_SIGNATURE end if bit_mask & 0b0100000000000000 > 0 @non_repudiation = true @allowed_uses << AU_NON_REPUDIATION end if bit_mask & 0b0010000000000000 > 0 @key_encipherment = true @allowed_uses << AU_KEY_ENCIPHERMENT end if bit_mask & 0b0001000000000000 > 0 @data_encipherment = true @allowed_uses << AU_DATA_ENCIPHERMENT end if bit_mask & 0b0000100000000000 > 0 @key_agreement = true @allowed_uses << AU_KEY_AGREEMENT end if bit_mask & 0b0000010000000000 > 0 @key_cert_sign = true @allowed_uses << AU_KEY_CERT_SIGN end if bit_mask & 0b0000001000000000 > 0 @crl_sign = true @allowed_uses << AU_CRL_SIGN end if bit_mask & 0b0000000100000000 > 0 @encipher_only = true @allowed_uses << AU_ENCIPHER_ONLY end if bit_mask & 0b0000000010000000 > 0 @decipher_only = true @allowed_uses << AU_DECIPHER_ONLY end end