Reference Citations - HerongYang.com - v2.91, by Dr. Herong Yang
OpenSSL in Ruby
The Summary - Migrating "OpenSSL" Keys to "keystore" tutorial was cited in an OpenSSL in Ruby source code in 2011.
Subject: OpenSSL in Ruby
Date: Jan 14, 2011
Author: Ian
Source: http://mathish.com/2011/01/14/openssl-in-ruby.html

The following code assumes that there is a subdirectory named certs containing known certificates in PEM format, and a subdir keys containing the client's private RSA key. Further, there are lots of comments specific to my actual needs, namely exporting keys generated in Java using keytool for an Apache ActiveMQ message broker. Lastly, to use the ca_path method, the certs directory needs to be properly indexed using c_rehash (make sure the underlying version of openssl matches the version Ruby's OpenSSL extension was built against, otherwise the hash algorithm may not be the same.)

The code that follows was written for my own benefit in understanding the mapping between the OpenSSL C API and the API available in Ruby. The actual connection established is specific to my needs, but the OpenSSL setup should be pretty common. The type of the private key will differ depending upon the algorithm used during the generation of the certificate.

    #!/usr/bin/env ruby
    require 'socket'
    require 'openssl'

    SSL_HOST = 'localhost'
    SSL_PORT = 61612
    SSL_CERT_DIR = File.expand_path('certs', File.dirname(__FILE__))
    SSL_BROKER_CERT = File.expand_path('broker.pem', SSL_CERT_DIR)
    SSL_CLIENT_CERT = File.expand_path('client.pem', SSL_CERT_DIR)
    SSL_CLIENT_KEY = File.expand_path('keys/client.key', File.dirname(__FILE__))
    USE_BROKER_CERT_FILE = false
    USE_CLIENT_CERT = false

    ...

    # Next, we need to get these keys into OpenSSL acceptable forms
    # (see: http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips)
    # Convert the broker keytool DER cert into a PEM cert
    # > openssl x509 -out broker.pem -outform pem -in broker.der -inform der
    # Convert the client keytool DER cert into a PEM cert
    # > openssl x509 -out client.pem -outform pem -in client.der -inform der
    # As I am using ActiveMQ, there isn't a need to generate anything more
    # on the broker side. The client just needs the PEM form for SSL trust.
    # However, when the broker requires ssl authentication
    # (needClientAuth=true on the transport URI), we will need the client's
    # private key from the keystore as well. Unfortunately, there is no
    # keytool command (as far as I've seen so far) that will export this
    # from a java keystore.
    #
    # So, we make use of the DumpKey program copied from
    # http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL.html
    # and found in examples/DumpKey.java to export the private key. Finally,
    # we convert the private key output to a form usable by OpenSSL:
    # > openssl enc -in client_bin.key -out client.key -a
    # And wrap the output file with "-----BEGIN/END PRIVATE KEY-----" as
    # outlined in http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_4.html
    #
    # Quite a bit of work... thanks Java! Hopefully tests will require less
    # work by using only OpenSSH within a stub broker.
    tcp_sock = TCPSocket.new(SSL_HOST, SSL_PORT)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    if USE_BROKER_CERT_FILE
      # Specify the cert file directly
      ctx.ca_file = SSL_BROKER_CERT
      ctx.ca_path = nil
    else
      ...
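As an added example (not code from Ian's post or from the Herong tutorial it cites), here is the mutual-TLS setup the post describes run end to end on a loopback socket: a constructed in-memory CA signs a broker and a client certificate, the broker context demands a client certificate (the needClientAuth=true case), and cert_store stands in for ca_file/ca_path because nothing is written to disk.

```ruby
require 'openssl'
require 'socket'

# Constructed in-memory test PKI (no real keys): a CA plus certs it signs.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Returns { ca: cert, broker: [cert, key], client: [cert, key] }.
def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('test-ca', ca_key, ca: true)
  %w[broker client].each_with_object({ ca: ca }) do |cn, pki|
    key = OpenSSL::PKey::RSA.new(2048)
    pki[cn.to_sym] = [make_cert(cn, key, issuer: ca, issuer_key: ca_key), key]
  end
end

# The post's ctx setup: trust only our CA and refuse any peer presenting no cert
# (cert_store replaces ca_file/ca_path since the CA never touches disk).
def make_ctx(ca, cert = nil, key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  ctx.cert, ctx.key = cert, key if cert # own identity: broker, or client when USE_CLIENT_CERT
  ctx
end

# Loopback handshake on an ephemeral port. Returns the client subject the broker
# accepted, or the broker-side error message when it refused the connection.
def handshake(broker_ctx, client_ctx)
  listener = TCPServer.new('127.0.0.1', 0)
  broker = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, broker_ctx).accept
    ssl.peer_cert.subject.to_s.tap { ssl.close }
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
    e.message
  end
  client = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', listener.addr[1]), client_ctx)
  client.connect.close rescue nil # a refusal is reported from the broker side below
  broker.value
ensure
  listener.close
end
```

With a client context carrying the CA-signed certificate the broker reports "/CN=client"; with make_ctx(pki[:ca]) alone (the post's USE_CLIENT_CERT = false path) the broker rejects the handshake.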