1 files changed, 56 insertions, 0 deletions

diff --git a/lib/gitlab/x509/certificate.rb b/lib/gitlab/x509/certificate.rb
new file mode 100644
index 00000000000..c7289a51b49
--- /dev/null
+++ b/lib/gitlab/x509/certificate.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module X509
+    class Certificate
+      CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
+      attr_reader :key, :cert, :ca_certs
+
+      def key_string
+        key.to_s
+      end
+
+      def cert_string
+        cert.to_pem
+      end
+
+      def ca_certs_string
+        ca_certs.map(&:to_pem).join('\n') unless ca_certs.blank?
+      end
+
+      def self.from_strings(key_string, cert_string, ca_certs_string = nil)
+        key = OpenSSL::PKey::RSA.new(key_string)
+        cert = OpenSSL::X509::Certificate.new(cert_string)
+        ca_certs = load_ca_certs_bundle(ca_certs_string)
+
+        new(key, cert, ca_certs)
+      end
+
+      def self.from_files(key_path, cert_path, ca_certs_path = nil)
+        ca_certs_string = File.read(ca_certs_path) if ca_certs_path
+
+        from_strings(File.read(key_path), File.read(cert_path), ca_certs_string)
+      end
+
+      # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found
+      #
+      # Ruby OpenSSL::X509::Certificate.new will only load the first
+      # certificate if a bundle is presented, this allows to parse multiple certs
+      # in the same file
+      def self.load_ca_certs_bundle(ca_certs_string)
+        return [] unless ca_certs_string
+
+        ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+          OpenSSL::X509::Certificate.new(ca_cert_string)
+        end
+      end
+
+      def initialize(key, cert, ca_certs = nil)
+        @key = key
+        @cert = cert
+        @ca_certs = ca_certs
+      end
+    end
+  end
+end