cert-auth 1.0.0

data/bin/cert-auth

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+if ARGV.first == 'init-ca'
+  require File.expand_path('../../scripts/init-ca.rb', __FILE__)
+else
+  require 'cert_auth/server'
+  require 'vegas'
+  CertAuth.ca_root = `pwd`.chomp
+  Vegas::Runner.new(CertAuth::Server, 'cert-auth')
+end

data/lib/cert_auth.rb

@@ -0,0 +1,85 @@
+require "rubygems"
+require "sinatra"
+require "haml"
+
+module CertAuth
+  class << self
+    
+    ## Return the root to the certificate authority
+    attr_accessor :ca_root
+    
+    ## Return the full path to the public folder for the 
+    ## certificate authority.
+    def public_root
+      File.expand_path("../../public", __FILE__)
+    end
+    
+    ## Return the CA Root
+    def ca_root
+      @ca_root || File.expand_path("../../exampleCA", __FILE__)
+    end
+    
+    ## Return an array of all keys on this certificate authority. This information
+    ## is taken from the index.txt file.
+    def keys
+      raw = File.read(File.join(ca_root, 'index.txt')).split(/\n/)
+      keys = Array.new
+      for key in raw
+        type, expiry_date, revoke_date, serial, filename, subject = key.split(/\t/)
+        keys << {:type => type, :expiry_date => expiry_date.to_i, :revoke_date => revoke_date.to_i, :serial => serial, :subject => subject}
+      end
+      keys
+    end
+    
+    ## Return the contents for a certificate
+    def certificate(serial)
+      path = File.join(ca_root, 'newcerts', "#{serial}.pem")
+      if File.exist?(path)
+        File.read(path)
+      else
+        false
+      end
+    end
+    
+    ## Return the certificate for the CA
+    def ca_certificate
+      File.read(File.join(ca_root, 'certs', 'ca.crt'))
+    end
+    
+    ## Save a new CSR file to the local machine and return the properties
+    def save_csr(contents)
+      FileUtils.mkdir_p(File.join(ca_root, 'csrs'))
+      key = Digest::SHA1.hexdigest([contents, Time.now.to_i].join)
+      File.open(File.join(ca_root, 'csrs', key), 'w') { |f| f.write(contents) }
+      key
+    end
+    
+    ## Return CSR information
+    def view_csr(key)
+      path = File.join(ca_root, 'csrs', key)
+      if File.exist?(path)
+        output = `openssl req -noout -text -in #{path}`
+        $?.success? ? output : false
+      else
+        false
+      end
+    end
+    
+    ## Sign a certificate and return the serial number
+    def sign(csr_key, passphrase)
+      csr_path = File.join(ca_root, 'csrs', csr_key)
+      if File.exist?(csr_path)
+        output = `cd #{ca_root} && openssl ca -passin pass:#{passphrase} -batch -config openssl.conf -policy policy_anything -infiles #{csr_path} 2>&1`
+        if $?.success?
+          [true, output]
+        else
+          [false, output]
+        end
+      else
+        false
+      end
+    end
+    
+    
+  end
+end

data/lib/cert_auth/server.rb

@@ -0,0 +1,57 @@
+require 'cert_auth'
+require 'sinatra/base'
+require 'haml'
+
+module CertAuth
+  class Server < Sinatra::Base
+    
+    set :public, File.join(CertAuth.public_root, 'static')
+    set :views, File.join(CertAuth.public_root, 'views')
+    set :static, true
+    
+    ## Generic view with a list of all signed certificates.
+    get '/' do
+      @certificates = CertAuth.keys
+      haml :index
+    end
+    
+    ## Return the certificate
+    get '/certificate' do
+      @certificate = CertAuth.ca_certificate
+      haml :view_certificate
+    end
+    
+    ## Return the certificate contents for a provided serial
+    get '/certificate/:serial' do
+      @certificate = CertAuth.certificate(params[:serial])
+      haml :view_certificate
+    end
+    
+    ## Accept a new CSR for upload do
+    get '/new' do
+      haml :new
+    end
+    
+    ## Save a CSR to the system and return the properties ready for signing
+    post '/new' do
+      @csr_key = CertAuth.save_csr(params[:csr])
+      if @csr_details = CertAuth.view_csr(@csr_key)
+        haml :preview
+      else
+        redirect "/new"
+      end
+    end
+    
+    post '/sign/:csr_key' do
+      @csr_key = params[:csr_key]
+      status, @output = CertAuth.sign(@csr_key, params[:passphrase])
+      if status
+        haml :done
+      else
+        @csr_details = CertAuth.view_csr(@csr_key)
+        haml :preview
+      end
+    end
+    
+  end
+end

data/public/static/style.css

@@ -0,0 +1,45 @@
+html { color: #000; background: #FFF; }
+body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td { margin: 0; padding: 0; }
+li { list-style: none; }
+h1, h2, h3, h4, h5, h6 { font-size: 100%; font-weight: normal; }
+pre, form { font-style: normal; font-weight: normal; }
+fieldset { border: 0; }
+legend { color: #000; }
+input, textarea { margin: 0; padding: 0; font-family: inherit; font-size: inherit; font-weight: inherit; *font-size: 100%; }
+p, blockquote { margin: 0; padding: 0; }
+th { margin: 0; padding: 0; font-style: normal; font-weight: normal; text-align: left; }
+table { border-collapse: collapse; border-spacing: 0; }
+img { border: 0; }
+address { font-style: normal; font-weight: normal; }
+caption { font-style: normal; font-weight: normal; text-align: left; }
+cite, dfn, em, strong, var { font-style: normal; font-weight: normal; }
+q:before, q:after { content: ''; }
+abbr, acronym { border: 0; font-variant: normal; }
+sup { vertical-align: text-top; }
+sub { vertical-align: text-bottom; }
+select { font-family: inherit; font-size: inherit; font-weight: inherit; *font-size: 100%; }
+
+.hidden { display:none !important;}
+div.field_with_errors { display:inline !important;}
+
+/* disable safari input highlighting - we don't like this */
+input, textarea, div.editable {outline-style:none;outline-width:0px;}
+a:active { outline: none;}
+
+html { font-size:12px; font-family:"Helvetica Neue", Arial, sans-serif; background-color:#ccc;}
+body { -webkit-font-smoothing: antialiased; }
+#content { background:#fff; width:70%; margin:25px auto; padding:40px;}
+#content h3 { font-weight:bold; font-size:200%; margin-bottom:10px;}
+#content table { width:100%;}
+#content table td { border:1px solid #ccc; padding:5px; }
+#content table thead td { background:#efefef; font-weight:bold;}
+#content a { color:#333;}
+ul { margin:15px 0; margin-left:30px; line-height:1.5;}
+ul li { list-style:disc;}
+pre { background:#efefef; padding:10px;}
+p.pp { padding:15px; margin:10px 0; background:#efefef;  font-weight:bold; font-size:120%;}
+p { margin:10px 0;}
+.error { background:rgba(255,0,0,0.3); margin:10px 0; padding:10px;}
+.error pre { background:rgba(255,0,0,0.3); margin-top:10px;}
+.error h4 { font-size:120%; font-weight:bold; color:red;}
+textarea { font-family:Courier, monospace;}

data/public/views/done.haml

@@ -0,0 +1,4 @@
+%h3 Certificate has been signed successfully.
+%p
+  %a{:href => '/'} Back to certificate list
+%pre~ @output

data/public/views/index.haml

@@ -0,0 +1,25 @@
+%h3 Certificates Issued
+%table
+  %thead
+    %tr
+      %td Type
+      %td Expiry Date
+      %td Revoke Date
+      %td Serial
+      %td Subject
+      %td
+  %tbody
+    - for cert in @certificates
+      %tr
+        %td= cert[:type]
+        %td= cert[:expiry_date]
+        %td= cert[:revoke_date]
+        %td= cert[:serial]
+        %td= cert[:subject]
+        %td
+          %a{:href => '/certificate/' + cert[:serial]} View
+%ul
+  %li
+    %a{:href => '/certificate'} View CA Certificate
+  %li
+    %a{:href => '/new'} Upload CSR for Signing

data/public/views/layout.haml

@@ -0,0 +1,9 @@
+!!!
+%html
+  %head
+    %title CertAuth
+    %link{:href => "/style.css", :media => 'screen', :rel => 'stylesheet', :type => 'text/css'}
+  %body
+    #content
+      = yield
+    

data/public/views/new.haml

@@ -0,0 +1,9 @@
+%h3 Upload new CSR
+%p
+  %a{:href => '/'} Back to certificate list
+
+%form{:action => '/new', :method => 'post'}
+  %p
+    %textarea{:name => 'csr', :rows => 30, :cols => 120}
+  %p
+    %input{:type => 'submit', :name => 'go', :value => "Upload CSR"}

data/public/views/preview.haml

@@ -0,0 +1,17 @@
+%h3 Preview CSR
+%p
+  %a{:href => '/'} Back to certificate list
+
+%form{:action => '/sign/' + @csr_key, :method => 'post'}
+  - if @output
+    .error
+      %h4 An error occurred:
+      %pre~ @output
+      
+  %pre~ @csr_details
+
+  %p.pp
+    Enter the passphrase for the CA to sign this certificate:<br />
+    %input{:type => 'password', :name => 'passphrase'}
+    %input{:type => 'submit', :name => 'go', :value => "Send for signing"}
+    

data/public/views/view_certificate.haml

@@ -0,0 +1,6 @@
+%h3 View Certificate
+%p
+  %a{:href => '/'} Back to certificate list
+
+%pre~ @certificate
+  

data/scripts/init-ca.rb

@@ -0,0 +1,58 @@
+#!/usr/bin/env ruby
+## Initialize a new CA authority root.
+## Usage: init-ca.rb path/to/ca
+
+require 'fileutils'
+
+root = ARGV.last
+
+if root.nil?
+  $stderr.puts "Pass the directory to this script to create a CA."
+  Process.exit(1)
+end
+
+if File.exist?(root)
+  $stderr.puts "A directory already exists at '#{root}'. Please delete this before continuing."
+  Process.exit(1)
+end
+begin
+  puts "Creating new certificate authority in '#{root}'. Please answer any questions which are asked:"
+
+  %w{ certs crl newcerts private }.each do |dir|
+    path = File.join(root, dir)
+    puts "Creating directory '#{path}'"
+    FileUtils.mkdir_p(path)
+  end
+
+  File.open(File.join(root, 'serial'), 'w') { |f| f.write('01') }
+  puts "Set initial serial as 01"
+  File.open(File.join(root, 'index.txt'), 'w') { |f| f.write('') }
+  puts "Added empty file to use as database"
+
+  ca_key_path = File.join(root, 'private', 'ca.key')
+  ca_crt_path = File.join(root, 'certs', 'ca.crt')
+
+  years = 10
+  days  = 356 * years
+
+  puts "CA Certificate length is #{days} days (#{years} years)"
+  system("openssl req -new -x509 -extensions v3_ca -keyout #{ca_key_path} -out #{ca_crt_path} -days #{days}")
+  puts "Key & certificates generated"
+  
+  raise "CA key does not exist at #{ca_key_path}" unless File.exist?(ca_key_path)
+  raise "CA crt does not exist at #{ca_crt_path}" unless File.exist?(ca_crt_path)
+  
+  puts "Setting 0400 permission on #{ca_key_path}"
+  FileUtils.chmod(0400, ca_key_path)
+  
+  source = File.expand_path('../openssl.example.conf', __FILE__)
+  FileUtils.cp(source, File.join(root, 'openssl.conf'))
+  
+  puts
+  puts "CA has been setup successfully as #{root}. You can now start the SSL-CA webserver from this"
+  puts "directory to manage the CA."
+
+rescue
+  puts "An error occured. The CA has been removed from #{root}. Please try again..."
+  FileUtils.rm_rf(root)
+end

data/scripts/openssl.example.conf

@@ -0,0 +1,313 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = .                     # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+#unique_subject = no                    # Set to 'no' to allow creation of
+                                        # several ctificates with same subject.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/certs/ca.crt     # The CA certificate
+serial          = $dir/serial           # The current serial number
+#crlnumber       = $dir/crlnumber        # the current crl number
+                                        # must be commented out to leave a V1 CRL
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/ca.key   # The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+x509_extensions = usr_cert              # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt        = ca_default            # Subject Name options
+cert_opt        = ca_default            # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 730                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = sha1                  # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 2048
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 64
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification 
+name: cert-auth
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 1
+  - 0
+  - 0
+  version: 1.0.0
+platform: ruby
+authors: 
+- Adam Cooke
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-02-13 00:00:00 +00:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: sinatra
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: haml
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: vegas
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+description: 
+email: adam@atechmedia.com
+executables: 
+- cert-auth
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/cert_auth/server.rb
+- lib/cert_auth.rb
+- bin/cert-auth
+- public/static/style.css
+- public/views/done.haml
+- public/views/index.haml
+- public/views/layout.haml
+- public/views/new.haml
+- public/views/preview.haml
+- public/views/view_certificate.haml
+- scripts/init-ca.rb
+- scripts/openssl.example.conf
+has_rdoc: true
+homepage: http://atechmedia.com
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Web Interface for an OpenSSL Certificate Authority
+test_files: []
+