OpenSSL in Ruby

∟Reference Citations in 2011

∟OpenSSL in Ruby

'Summary - Migrating OpenSSL Keys to keystore' tutorial was cited in an OpenSSL in Ruby source code in 2011.

The Summary - Migrating "OpenSSL" Keys to "keystore" tutorial was cited in an OpenSSL in Ruby source code in 2011.

Subject: OpenSSL in Ruby
Date: Jan 14, 2011
Author: Ian
Source: http://mathish.com/2011/01/14/openssl-in-ruby.html

The following code assumes that there is a subdirectory named certs
containing known certificates in PEM format, and a subdir keys
containing the client’s private RSA key. Further, there are lots of
comments specific to my actual needs, namely exporting keys generated
in Java using keytool for an Apache ActiveMQ message broker. Lastly,
to use the ca_path method, the certs directory needs to be properly
indexed using c_rehash (make sure the underlying version of openssl
matches the version Ruby’s OpenSSL extension was built against,
otherwise the hash algorithm may not be the same.)

The code that follow was written for my own benefit in understanding
the mapping between the OpenSSL C API and API available in Ruby. The
actual connection established is specific to my needs, but the OpenSSL
setup should be pretty common. The type of the private key will differ
depending upon the algorithm used during the generation of the
certificate.

#!/usr/bin/env ruby

require 'socket'
require 'openssl'

SSL_HOST = 'localhost'
SSL_PORT = 61612
SSL_CERT_DIR = File.expand_path('certs', File.dirname(__FILE__))
SSL_BROKER_CERT = File.expand_path('broker.pem', SSL_CERT_DIR)
SSL_CLIENT_CERT = File.expand_path('client.pem', SSL_CERT_DIR)
SSL_CLIENT_KEY = File.expand_path('keys/client.key', File.dirname(__FILE__))

USE_BROKER_CERT_FILE = false
USE_CLIENT_CERT = false
...

# Next, we need to get these keys into OpenSSL acceptable forms
# (see: http://conshell.net/wiki/index.php
# /Keytool_to_OpenSSL_Conversion_tips)
# Convert the broker keytool DER cert into a PEM cert
# > openssl x509 -out broker.pem -outform pem -in broker.der -inform der
# Convert the client keytool DER cert into a PEM cert
# > openssl x509 -out client.pem -outform pem -in client.der -inform der
# As I am using ActiveMQ, there isn't a need to generate anything more
# on the broker side.  The client just needs the PEM form for SSL trust.
# However, when the broker requires ssl authentication
# (needClientAuth=true on the transport URI), we will need the client's
# private key from the keystore as well. Unfortunately, there is no
# keytool command (as far as I've seen so far) that will export this
# from a java keystore.
#
# So, we make use of the DumpKey program copied from
# https://www.herongyang.com/crypto
# /Migrating_Keys_keytool_to_OpenSSL.html and found in
# examples/DumpKey.java to export the private key. Finally, we convert
# the private key output to a form usable by OpenSSL:
# > openssl enc -in client_bin.key -out client.key -a
# And wrap the output file with "-----BEGIN/END PRIVATE KEY-----" as
# outlined in https://www.herongyang.com/crypto
# /Migrating_Keys_keytool_to_OpenSSL_4.html
#
# Quite a bit of work... thanks Java!  Hopefully tests will require less
# work by using only OpenSSH within a stub broker.

tcp_sock = TCPSocket.new(SSL_HOST, SSL_PORT)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
   |OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT

if USE_BROKER_CERT_FILE
  # Specify the cert file directly
  ctx.ca_file = SSL_BROKER_CERT
  ctx.ca_path = nil
else
...