class R509::Cert::Extensions::ExtendedKeyUsage

RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)

This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.

You can use this extension to parse an existing extension for easy access to the contents or create a new one.

Constants

AU_ANY_EXTENDED_KEY_USAGE

The OpenSSL short name for Any Extended Key Usage

AU_CODE_SIGNING

The OpenSSL short name for Code Signing

AU_EMAIL_PROTECTION

The OpenSSL short name for E-mail Protection

AU_OCSP_SIGNING

The OpenSSL short name for OCSP Signing

AU_TIME_STAMPING

The OpenSSL short name for Time Stamping

AU_WEB_CLIENT_AUTH

The OpenSSL short name for TLS Web Client Authentication

AU_WEB_SERVER_AUTH

The OpenSSL short name for TLS Web Server Authentication

OID

friendly name for EKU OID

Attributes

allowed_uses[R]

an array (of strings) of the extended key uses allowed by this extension. @return [Array<String>, nil]

Public Class Methods

new(arg)

This method takes a hash or an existing Extension object to parse

The following types are known to r509

serverAuth
clientAuth
codeSigning
emailProtection
OCSPSigning
timeStamping
anyExtendedKeyUsage
msCodeInd (not part of RFC 5280)
msCodeCom (not part of RFC 5280)
msCTLSign (not part of RFC 5280)
msSGC (not part of RFC 5280)
msEFS (not part of RFC 5280)
nsSGC (not part of RFC 5280)

@option arg :value [Array] the extended key use short names (see the list above)
@option arg :critical [Boolean] (false)
@example

R509::Cert::Extensions::ExtendedKeyUsage.new(
  :critical => false,
  :value => ['clientAuth','serverAuth']
)
Calls superclass method
# File lib/r509/cert/extensions/extended_key_usage.rb, line 66
# Builds the extension from an option hash (see the class docs for the
# accepted :value names) or wraps an existing extension object, then
# parses it so allows? and the *? predicates reflect its contents.
#
# @param arg [Hash, OpenSSL::X509::Extension] option hash with :value
#   (Array of use names) and optional :critical, or an already built
#   extension
def initialize(arg)
  # Anything that is not already an extension is treated as the option
  # hash and converted before it reaches the superclass.
  arg = build_extension(arg) unless R509::Cert::Extensions.is_extension?(arg)
  super(arg)
  parse_extension
end

Public Instance Methods

allows?(friendly_use_name)

Returns true if the given use is allowed by this extension. @param [String] friendly_use_name one of the AU_* constants in this class.

# File lib/r509/cert/extensions/extended_key_usage.rb, line 77
# Whether the extension lists the given purpose.
#
# Matching is an exact comparison against the values collected by
# parse_extension, so each purpose is checked individually: an
# anyExtendedKeyUsage entry does not make this return true for
# serverAuth, clientAuth, etc. — check any_extended_key_usage? for that.
#
# @param friendly_use_name [String] one of the AU_* constants
# @return [Boolean]
def allows?(friendly_use_name)
  @allowed_uses.any? { |use| use == friendly_use_name }
end
any_extended_key_usage?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 105
# @return [Boolean] true only when the parsed extension contained the
#   anyExtendedKeyUsage purpose (AU_ANY_EXTENDED_KEY_USAGE); an unset
#   flag yields false
def any_extended_key_usage?
  @any_extended_key_usage.equal?(true)
end
code_signing?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 89
# @return [Boolean] true only when the parsed extension contained the
#   codeSigning purpose (AU_CODE_SIGNING); an unset flag yields false
def code_signing?
  @code_signing.equal?(true)
end
email_protection?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 93
# @return [Boolean] true only when the parsed extension contained the
#   emailProtection purpose (AU_EMAIL_PROTECTION); an unset flag yields false
def email_protection?
  @email_protection.equal?(true)
end
ocsp_signing?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 97
# @return [Boolean] true only when the parsed extension contained the
#   OCSPSigning purpose (AU_OCSP_SIGNING); an unset flag yields false
def ocsp_signing?
  @ocsp_signing.equal?(true)
end
time_stamping?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 101
# @return [Boolean] true only when the parsed extension contained the
#   timeStamping purpose (AU_TIME_STAMPING); an unset flag yields false
def time_stamping?
  @time_stamping.equal?(true)
end
to_h()

@return [Hash]

# File lib/r509/cert/extensions/extended_key_usage.rb, line 110
# Hash form of the extension, in the same shape new() accepts.
#
# @return [Hash] :value => the allowed use names (Array of Strings),
#   :critical => the extension's criticality flag
def to_h
  { value: @allowed_uses, critical: critical? }
end
to_yaml()

@return [String] the YAML serialization of #to_h

# File lib/r509/cert/extensions/extended_key_usage.rb, line 115
def to_yaml
  self.to_h.to_yaml
end
web_client_authentication?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 85
# @return [Boolean] true only when the parsed extension contained the
#   clientAuth purpose (AU_WEB_CLIENT_AUTH); an unset flag yields false
def web_client_authentication?
  @web_client_authentication.equal?(true)
end
web_server_authentication?()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 81
# @return [Boolean] true only when the parsed extension contained the
#   serverAuth purpose (AU_WEB_SERVER_AUTH); an unset flag yields false
def web_server_authentication?
  @web_server_authentication.equal?(true)
end

Private Instance Methods

build_extension(arg)
# File lib/r509/cert/extensions/extended_key_usage.rb, line 180
# Turns the option hash into an OpenSSL extension.
#
# validate_usage runs before anything is handed to OpenSSL (its checks
# live outside this listing); :critical defaults to false through
# calculate_critical.
#
# @param arg [Hash] :value (Array of use names) and optional :critical
# @return [OpenSSL::X509::Extension] the built extendedKeyUsage extension
def build_extension(arg)
  validate_usage(arg)
  critical = R509::Cert::Extensions.calculate_critical(arg[:critical], false)
  factory = OpenSSL::X509::ExtensionFactory.new
  # OpenSSL takes the use list as one comma-separated string.
  factory.create_extension("extendedKeyUsage", arg[:value].join(","), critical)
end
parse_extension()
# File lib/r509/cert/extensions/extended_key_usage.rb, line 121
# Reads the EKU payload and records which purposes it lists.
#
# Every entry's value is appended to @allowed_uses; entries whose value
# matches an AU_* constant additionally set the flag behind the matching
# *? predicate. Entries with no matching constant are still kept in
# @allowed_uses, so allows? can see them even though no predicate does.
#
# RFC 5280 defines these purposes (id-kp ::= { id-pkix 3 }):
#   anyExtendedKeyUsage  { id-ce-extKeyUsage 0 }
#   serverAuth           { id-kp 1 }  -- TLS WWW server authentication
#   clientAuth           { id-kp 2 }  -- TLS WWW client authentication
#   codeSigning          { id-kp 3 }  -- signing of downloadable executable code
#   emailProtection      { id-kp 4 }  -- email protection
#   timeStamping         { id-kp 8 }  -- binding the hash of an object to a time
#   OCSPSigning          { id-kp 9 }  -- signing OCSP responses
# The RFC also lists which key usage bits are consistent with each purpose
# (digitalSignature for all of them, plus keyEncipherment/keyAgreement for
# serverAuth, keyAgreement for clientAuth, nonRepudiation and
# keyEncipherment/keyAgreement for emailProtection, nonRepudiation for
# timeStamping and OCSPSigning).
def parse_extension
  @allowed_uses = []
  payload = R509::ASN1.get_extension_payload(self)

  payload.entries.each do |purpose|
    name = purpose.value
    flag = case name
           when AU_WEB_SERVER_AUTH        then :@web_server_authentication
           when AU_WEB_CLIENT_AUTH        then :@web_client_authentication
           when AU_CODE_SIGNING           then :@code_signing
           when AU_EMAIL_PROTECTION       then :@email_protection
           when AU_OCSP_SIGNING           then :@ocsp_signing
           when AU_TIME_STAMPING          then :@time_stamping
           when AU_ANY_EXTENDED_KEY_USAGE then :@any_extended_key_usage
           end
    instance_variable_set(flag, true) if flag
    @allowed_uses << name
  end
end