bullion 0.7.1 → 0.7.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/Rakefile +43 -6
- data/lib/bullion/services/ca.rb +2 -2
- data/lib/bullion/version.rb +1 -1
- data/lib/bullion.rb +5 -1
- metadata +1 -1
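--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ed105e14e1c8f595a9ea2479fad064e056c5fb72ef0b4f6ca55dadd14358ffa8
+data.tar.gz: ac71877a3a20db90848ae7077ac7046261a23235a1b41b672d03779fe389255d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3555e2e3ec0c4fbfaba6b11cae8b9698cdc2a5ca39cef058adf07e1cf3b3a12ee77808548c0dddffac8cca9c4a5e3e77bb7ac49244488dc1f0940869f0d5fd5f
+data.tar.gz: 780e372c5013f0ceda8ac8a171c8f37ebc288d2b9d9d502cf3c64aa7d34f66f3c7b89dc1776dd175923c718d8e6ddc4e9bc807cacc73320f526b5b48767afedd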
data/Gemfile.lock
CHANGED
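--- a/data/Rakefile
+++ b/data/Rakefile
@@ -40,9 +40,9 @@ task :prep do
 ENV["CA_SECRET"] = "SomeS3cret"
 ENV["CA_DOMAINS"] = "test.domain"
 
-
-File.write(File.join(File.expand_path("."), "tmp", "
-
+root_key = OpenSSL::PKey::RSA.new(4096)
+File.write(File.join(File.expand_path("."), "tmp", "root_tls.key"),
+root_key.to_pem(OpenSSL::Cipher.new("aes-128-cbc"), ENV.fetch("CA_SECRET", nil)))
 
 root_ca = OpenSSL::X509::Certificate.new
 root_ca.version = 2
@@ -51,7 +51,7 @@ task :prep do
 %w[test domain].reverse.map { |piece| "DC=#{piece}" }.join("/") + "/CN=bullion"
 )
 root_ca.issuer = root_ca.subject # root CA's are "self-signed"
-root_ca.public_key =
+root_ca.public_key = root_key.public_key
 root_ca.not_before = Time.now
 root_ca.not_after = root_ca.not_before + (5 * 365 * 24 * 60 * 60) # 5 years validity
 ef = OpenSSL::X509::ExtensionFactory.new
@@ -69,8 +69,43 @@ task :prep do
 root_ca.add_extension(
 ef.create_extension("authorityKeyIdentifier", "keyid:always", false)
 )
-root_ca.sign(
-File.write(File.join(File.expand_path("."), "tmp", "
+root_ca.sign(root_key, OpenSSL::Digest.new("SHA256"))
+File.write(File.join(File.expand_path("."), "tmp", "root_tls.crt"), root_ca.to_pem)
+
+intermediate_key = OpenSSL::PKey::RSA.new(4096)
+File.write(File.join(File.expand_path("."), "tmp", "tls.key"),
+intermediate_key.to_pem(OpenSSL::Cipher.new("aes-128-cbc"), ENV.fetch("CA_SECRET")))
+
+int_ca = OpenSSL::X509::Certificate.new
+int_ca.version = 2
+int_ca.serial = (2**rand(10..20)) - 1
+int_ca.subject = OpenSSL::X509::Name.parse(
+%w[intermediate test domain].reverse.map { |piece| "DC=#{piece}" }.join("/") + "/CN=bullion"
+)
+int_ca.issuer = root_ca.subject
+int_ca.public_key = intermediate_key.public_key
+int_ca.not_before = Time.now
+int_ca.not_after = int_ca.not_before + (2 * 365 * 24 * 60 * 60) # 2 years validity
+ef = OpenSSL::X509::ExtensionFactory.new
+ef.subject_certificate = int_ca
+ef.issuer_certificate = root_ca
+int_ca.add_extension(
+ef.create_extension("basicConstraints", "CA:TRUE", true)
+)
+int_ca.add_extension(
+ef.create_extension("keyUsage", "keyCertSign, cRLSign", true)
+)
+int_ca.add_extension(
+ef.create_extension("subjectKeyIdentifier", "hash", false)
+)
+int_ca.add_extension(
+ef.create_extension("authorityKeyIdentifier", "keyid:always", false)
+)
+int_ca.sign(root_key, OpenSSL::Digest.new("SHA256"))
+File.write(
+File.join(File.expand_path("."), "tmp", "tls.crt"),
+int_ca.to_pem + root_ca.to_pem
+)
 end
 
 desc "Runs a backgrounded demo environment"
@@ -98,6 +133,8 @@ task :cleanup do
 end
 FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.crt"))
 FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.key"))
+FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "root_tls.crt"))
+FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "root_tls.key"))
 FileUtils.rm_rf(File.join(File.expand_path("."), "tmp", "db"))
 ENV["CA_DIR"] = nil
 ENV["CA_SECRET"] = nil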
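--- a/data/lib/bullion/services/ca.rb
+++ b/data/lib/bullion/services/ca.rb
@@ -95,7 +95,7 @@ module Bullion
 content_type "application/x-pem-file"
 
 attachment "cabundle.pem"
-Bullion.
+Bullion.ca_cert_file
 end
 
 # Retrieves a Nonce via a HEAD request
@@ -383,7 +383,7 @@ module Bullion
 
 cert = Models::Certificate.find(params[:id])
 
-cert.data + Bullion.
+cert.data + Bullion.ca_cert_file
 else
 halt(422, { error: "Order not valid" }.to_json)
 end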
data/lib/bullion/version.rb
CHANGED
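--- a/data/lib/bullion.rb
+++ b/data/lib/bullion.rb
@@ -70,8 +70,12 @@ module Bullion
 @ca_key ||= OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
 end
 
+def self.ca_cert_file
+@ca_cert_file ||= File.read(config.ca.cert_path)
+end
+
 def self.ca_cert
-@ca_cert ||= OpenSSL::X509::Certificate.new(
+@ca_cert ||= OpenSSL::X509::Certificate.new(ca_cert_file)
 end
 
 def self.rotate_keys!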
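Review bot: `ca_cert_file` memoises the bundle in `@ca_cert_file` for the life of the process, and `ca_cert` now builds from that cache instead of the file, so `rotate_keys!` (line 81, body outside the hunk) presumably needs to clear `@ca_cert_file` alongside whatever it resets today; otherwise a rotation reloads the key while the served bundle and the parsed `ca_cert` keep the pre-rotation bytes. The method also has no comment saying the content is served verbatim to clients; I would add `# Raw PEM contents of config.ca.cert_path (the intermediate plus chain), returned byte-for-byte by the bundle endpoints and cached until rotate_keys! runs.` above `def self.ca_cert_file`. Since the bytes go straight to clients, parsing them once at load (the `OpenSSL::X509::Certificate.new` on line 78 only checks the first block) would catch a truncated or mis-concatenated bundle at startup rather than at the first download.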