mikekelly · February 28, 2021 20:19 · Aug 30, 2016
diff --git a/ruby_cert.rb b/ruby_cert.rb
@@ -0,0 +1,102 @@
+#Reference
+#https://devnotcorp.wordpress.com/2012/08/21/usage-examples-of-rubys-openssl-lib/
+
+
+
+#!/usr/bin/ruby
+require 'openssl'
+require 'date'
+require 'time'
+
+# Create key
+key1 = OpenSSL::PKey::RSA.new(2048)
+open("private_key.pem", "w") do |io| io.write(key1.to_pem) end
+open("public_key.pem", "w") do |io| io.write(key1.public_key.to_pem) end
+puts("key1.private?=#{key1.private?}")
+
+# Export key
+cipher = OpenSSL::Cipher::Cipher.new("AES-128-CBC")
+pass_phrase = "this is my secure pass phrase"
+key1_secure = key1.export(cipher, pass_phrase)
+open("private_key.secure.pem", "w") do |io| io.write(key1_secure) end
+
+# Load key
+key2 = OpenSSL::PKey::RSA.new File.read("private_key.pem")
+puts("key2.private?=#{key2.private?}")
+
+key3 = OpenSSL::PKey::RSA.new(File.read("public_key.pem"))
+puts("key3.private?=#{key3.private?}")
+
+# Load encrypted key
+key4_pem = File.read("private_key.secure.pem")
+key4 = OpenSSL::PKey::RSA.new(key4_pem, pass_phrase)
+puts("key4.private?=#{key4.private?}")
+
+# Create cert
+name = OpenSSL::X509::Name.parse("CN=auralis/DC=topalis/DC=com")
+cert = OpenSSL::X509::Certificate.new()
+cert.version = 2
+cert.serial = 0
+cert.not_before = Time.new()
+cert.not_after = cert.not_before + (60*60*24*365)
+puts "cert.not_before=#{cert.not_before}"
+puts "cert.not_after=#{cert.not_after}"
+cert.public_key = key1.public_key
+cert.subject = name
+
+# Sign cert
+cert.issuer = name
+cert.sign key1, OpenSSL::Digest::SHA1.new()
+open("certificate.pem", "w") do |io| io.write(cert.to_pem) end
+
+# Load cert
+cert2 = OpenSSL::X509::Certificate.new(File.read("certificate.pem"))
+
+# Verify cert
+puts("cert2.verify key1=#{cert2.verify key1}")
+
+# Create CA key
+ca_key = OpenSSL::PKey::RSA.new(2048)
+open("ca_key.pem", "w") do |io| io.write(ca_key.export(cipher, pass_phrase)) end
+
+# Create CA cert
+ca_name = OpenSSL::X509::Name.parse("CN=ca/DC=topalis/DC=com")
+ca_cert = OpenSSL::X509::Certificate.new()
+ca_cert.serial = 0
+ca_cert.version = 2
+ca_cert.not_before = Time.new()
+ca_cert.not_after = ca_cert.not_before + (60*60*24*365)
+ca_cert.public_key = ca_key.public_key
+ca_cert.subject = ca_name
+ca_cert.issuer = ca_name
+extension_factory = OpenSSL::X509::ExtensionFactory.new()
+extension_factory.subject_certificate = ca_cert
+extension_factory.issuer_certificate = ca_cert
+extension_factory.create_extension("subjectKeyIdentifier", "hash")
+extension_factory.create_extension("basicConstraints", "CA:TRUE", true)
+extension_factory.create_extension("keyUsage", "cRLSign,keyCertSign", true)
+ca_cert.sign(ca_key, OpenSSL::Digest::SHA1.new())
+open("ca_cert.pem", "w") do |io| io.write(ca_cert.to_pem) end
+
+# Sign file
+# openssl smime -sign -in example.mobileconfig -out signed2.mobileconfig -signer ca_cert.pem -inkey ca_key.pem -outform der -nodetach
+profile = File.read("LBS_BausparApp.mobileprovision")
+profile_signed = OpenSSL::PKCS7.sign(ca_cert, ca_key, profile, [], OpenSSL::PKCS7::BINARY)
+open("signed.mobileconfig", "w") do |io| io.write(profile_signed.to_der) end
+
+# Encrypt file
+profile_encrypted = OpenSSL::PKCS7::encrypt([ca_cert], profile_signed.to_der, cipher, OpenSSL::PKCS7::BINARY)
+open("encrypted.mobileconfig", "w") do |io| io.write(profile_encrypted) end
+
+# Decrypt file
+profile_encrypted2 = OpenSSL::PKCS7.new(File.read("encrypted.mobileconfig"))
+profile_decrypted = profile_encrypted2.decrypt(ca_key, ca_cert)
+profile_signed2 = OpenSSL::PKCS7.new(profile_decrypted)
+puts "profile_signed2.signers()[0].name=#{profile_signed2.signers()[0].name}"
+
+# Verify
+# openssl smime -verify -inform der -in signed.mobileconfig -signer ca_cert.pem
+store = OpenSSL::X509::Store.new()
+store.add_cert(ca_cert)
+puts "profile_signed2.verify([ca_cert], store)=#{profile_signed2.verify([ca_cert], store)}"
+puts profile_signed2.data