class R509::Cert::Extensions::ExtendedKeyUsage
RFC 5280 Description (see RFC 5280 §4.2.1.12: www.ietf.org/rfc/rfc5280.txt)
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. If the extension is present, the certificate MUST only be used for one of the purposes indicated. In general, this extension will appear only in end-entity certificates.
You can use this extension to parse an existing extension for easy access to the contents or create a new one.
Constants
- AU_ANY_EXTENDED_KEY_USAGE — The OpenSSL short name for Any Extended Key Usage
- AU_CODE_SIGNING — The OpenSSL short name for Code Signing
- AU_EMAIL_PROTECTION — The OpenSSL short name for E-mail Protection
- AU_OCSP_SIGNING
- AU_TIME_STAMPING — The OpenSSL short name for Time Stamping
- AU_WEB_CLIENT_AUTH — The OpenSSL short name for TLS Web Client Authentication
- AU_WEB_SERVER_AUTH — The OpenSSL short name for TLS Web Server Authentication
- OID — friendly name for the EKU OID
Attributes
allowed_uses — an array (of strings) of the extended key uses present in the extension, exactly as parsed (unrecognised purposes are included too). @return [Array, nil]
Public Class Methods
This method takes a hash or an existing Extension object to parse
The following types are known to r509
serverAuth, clientAuth, codeSigning, emailProtection, OCSPSigning, timeStamping, anyExtendedKeyUsage, plus the OpenSSL-only names msCodeInd, msCodeCom, msCTLSign, msSGC, msEFS and nsSGC (none of which are part of RFC 5280).
@option arg :value [Array] @option arg :critical [Boolean] (false) @example
R509::Cert::Extensions::ExtendedKeyUsage.new( :critical => false, :value => ['clientAuth','serverAuth'] )
# File lib/r509/cert/extensions/extended_key_usage.rb, line 66
# Builds the object either from a ready-made Extension object or from a
# hash of the form { :value => [...], :critical => bool }. A hash is first
# converted into an OpenSSL extension by build_extension; the result is
# handed to the superclass and then parsed into the per-purpose flags.
# @param arg [OpenSSL::X509::Extension, Hash]
def initialize(arg)
  ext = R509::Cert::Extensions.is_extension?(arg) ? arg : build_extension(arg)
  super(ext)
  parse_extension
end
Public Instance Methods
Returns true if the given use is explicitly listed in this extension. This is a plain membership test: anyExtendedKeyUsage is not treated as a wildcard, so a certificate whose EKU contains only anyExtendedKeyUsage returns false for every other use (check any_extended_key_usage? separately if you want that semantics). @param [String] friendly_use_name One of the AU_* constants in this class.
# File lib/r509/cert/extensions/extended_key_usage.rb, line 77
# True when +friendly_use_name+ appears verbatim in the parsed purpose list.
# This is a plain membership test: anyExtendedKeyUsage is NOT treated as a
# wildcard, so a certificate carrying only that purpose answers false for
# e.g. AU_WEB_SERVER_AUTH. Callers wanting wildcard semantics must also
# consult any_extended_key_usage?.
# @param [String] friendly_use_name one of the AU_* constants
# @return [Boolean]
def allows?(friendly_use_name)
  @allowed_uses.any? { |use| use == friendly_use_name }
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 105
# Whether the anyExtendedKeyUsage purpose is present. The flag is only
# ever set (to true) by parse_extension; otherwise it is nil.
# @return [Boolean]
def any_extended_key_usage?
  true.equal?(@any_extended_key_usage)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 89
# Whether the codeSigning purpose is present (flag set by parse_extension).
# @return [Boolean]
def code_signing?
  true.equal?(@code_signing)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 93
# Whether the emailProtection purpose is present (flag set by parse_extension).
# @return [Boolean]
def email_protection?
  true.equal?(@email_protection)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 97
# Whether the OCSPSigning purpose is present (flag set by parse_extension).
# @return [Boolean]
def ocsp_signing?
  true.equal?(@ocsp_signing)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 101
# Whether the timeStamping purpose is present (flag set by parse_extension).
# @return [Boolean]
def time_stamping?
  true.equal?(@time_stamping)
end
@return [Hash]
# File lib/r509/cert/extensions/extended_key_usage.rb, line 110
# Hash form of the extension in the shape accepted by .new:
# :value is the parsed purpose list, :critical the extension's criticality.
# @return [Hash]
def to_h
  { value: @allowed_uses, critical: critical? }
end
@return [String] the YAML serialization of to_h
# File lib/r509/cert/extensions/extended_key_usage.rb, line 115
# YAML serialization of the to_h form.
# @return [String]
def to_yaml
  YAML.dump(to_h)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 85
# Whether the clientAuth purpose is present (flag set by parse_extension).
# @return [Boolean]
def web_client_authentication?
  true.equal?(@web_client_authentication)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 81
# Whether the serverAuth purpose is present (flag set by parse_extension).
# @return [Boolean]
def web_server_authentication?
  true.equal?(@web_server_authentication)
end
Private Instance Methods
# File lib/r509/cert/extensions/extended_key_usage.rb, line 180
# Converts a { :value => [...], :critical => bool } hash into an OpenSSL
# extendedKeyUsage extension. The purpose names are joined with "," into
# OpenSSL's config-style value string, so a name containing a comma would
# be read by OpenSSL as two purposes; this relies on validate_usage
# rejecting anything outside the known purpose names beforehand.
# NOTE(review): validate_usage is not shown on this page — confirm it
# rejects unknown names rather than passing them through.
# @param arg [Hash]
# @return [OpenSSL::X509::Extension]
def build_extension(arg)
  validate_usage(arg)
  critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
  factory = OpenSSL::X509::ExtensionFactory.new
  factory.create_extension("extendedKeyUsage", arg[:value].join(","), critical)
end
# File lib/r509/cert/extensions/extended_key_usage.rb, line 121
# Reads the KeyPurposeId entries out of the extension payload. Every entry's
# value is appended to @allowed_uses (for purposes OpenSSL knows this is the
# short name; what it yields for unrecognised OIDs depends on
# R509::ASN1.get_extension_payload, which is not shown here), and the
# purposes this class exposes as predicates additionally raise their flag.
# Purposes absent from the table (the ms*/ns* names, private OIDs) are
# recorded in @allowed_uses but set no flag.
#
# RFC 5280 §4.2.1.12 OIDs and the KeyUsage bits they are consistent with:
#   anyExtendedKeyUsage = { id-ce-extKeyUsage 0 }
#   id-kp-serverAuth    = { id-kp 1 }  digitalSignature, keyEncipherment or keyAgreement
#   id-kp-clientAuth    = { id-kp 2 }  digitalSignature and/or keyAgreement
#   id-kp-codeSigning   = { id-kp 3 }  digitalSignature
#   id-kp-emailProtection = { id-kp 4 }  digitalSignature, nonRepudiation,
#                                        and/or (keyEncipherment or keyAgreement)
#   id-kp-timeStamping  = { id-kp 8 }  digitalSignature and/or nonRepudiation
#   id-kp-OCSPSigning   = { id-kp 9 }  digitalSignature and/or nonRepudiation
def parse_extension
  @allowed_uses = []
  # purpose short name -> instance variable that records its presence
  flag_for = {
    AU_WEB_SERVER_AUTH => :@web_server_authentication,
    AU_WEB_CLIENT_AUTH => :@web_client_authentication,
    AU_CODE_SIGNING => :@code_signing,
    AU_EMAIL_PROTECTION => :@email_protection,
    AU_OCSP_SIGNING => :@ocsp_signing,
    AU_TIME_STAMPING => :@time_stamping,
    AU_ANY_EXTENDED_KEY_USAGE => :@any_extended_key_usage
  }
  payload = R509::ASN1.get_extension_payload(self)
  payload.entries.each do |eku|
    name = eku.value
    ivar = flag_for[name]
    instance_variable_set(ivar, true) if ivar
    @allowed_uses << name
  end
end