Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: 304d47d74b
Branches Tags
zammad
/
lib
/
certificate
/
x509
/
smime.rb

smime.rb 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. class Certificate::X509::SMIME < Certificate::X509
    4. 

  4.   include Certificate::X509::SMIME::Attributes
    5. 

  5. 

  6.   attr_reader :email_addresses, :fingerprint, :issuer_hash, :uid, :subject_hash
    7. 

  7. 

  8.   def self.parse(pem)
    9. 

  9.     begin
    10. 

  10.       new(pem)
    11. 

  11.     rescue OpenSSL::X509::CertificateError
    12. 

  12.       raise Exceptions::UnprocessableEntity, __('The certificate is not valid for S/MIME usage. Please check the certificate format.')
    13. 

  13.     end
    14. 

  14.   end
    15. 

  15. 

  16.   def initialize(pem)
    17. 

  17.     super
    18. 

  18. 

  19.     @email_addresses = fetch_email_addresses
    20. 

  20.     @subject_hash    = subject.hash.to_s(16)
    21. 

  21.     @issuer_hash     = issuer.hash.to_s(16)
    22. 

  22. 

  23.     @uid = determine_uid
    24. 

  24.   end
    25. 

  25. 

  26.   def rsa?
    27. 

  27.     public_key.class.name.end_with?('RSA')
    28. 

  28.   end
    29. 

  29. 

  30.   def ec?
    31. 

  31.     public_key.class.name.end_with?('EC')
    32. 

  32.   end
    33. 

  33. 

  34.   def applicable?
    35. 

  35.     return false if ca?
    36. 

  36. 

  37.     # This is necessary because some legacy certificates may not have an extended key usage.
    38. 

  38.     extensions_as_hash.fetch('extendedKeyUsage', ['E-mail Protection']).include?('E-mail Protection')
    39. 

  39.   end
    40. 

  40. 

  41.   def signature?
    42. 

  42.     return false if ca? || !applicable?
    43. 

  43. 

  44.     # This is necessary because some legacy certificates may not have a key usage.
    45. 

  45.     extensions_as_hash.fetch('keyUsage', ['Digital Signature']).include?('Digital Signature')
    46. 

  46.   end
    47. 

  47. 

  48.   def encryption?
    49. 

  49.     return false if ca? || !applicable?
    50. 

  50. 

  51.     # This is necessary because some legacy certificates may not have a key usage.
    52. 

  52.     extensions_as_hash.fetch('keyUsage', ['Key Encipherment']).include?('Key Encipherment')
    53. 

  53.   end
    54. 

  54. 

  55.   def valid_smime_certificate?
    56. 

  56.     return true if ca?
    57. 

  57. 

  58.     return false if !applicable?
    59. 

  59.     return false if !signature? && !encryption?
    60. 

  60.     return false if @email_addresses.blank?
    61. 

  61.     return false if !rsa? && !ec?
    62. 

  62. 

  63.     true
    64. 

  64.   end
    65. 

  65. 

  66.   def valid_smime_certificate!
    67. 

  67.     return if valid_smime_certificate?
    68. 

  68. 

  69.     message = __('The certificate is not valid for S/MIME usage. Please check the key usage, subject alternative name and public key cryptographic algorithm.')
    70. 

  70. 

  71.     Rails.logger.error { "Certificate::X509::SMIME: #{message}" }
    72. 

  72.     Rails.logger.error { "Certificate::X509::SMIME:\n #{to_text}" }
    73. 

  73. 

  74.     raise Exceptions::UnprocessableEntity, message
    75. 

  75.   end
    76. 

  76. end
    77.