chef-vault-pki 0.1.0 → 0.2.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    YTNjZmU0Mzc0ZWZhYjdkNTgwMjlhODNhYjlkOTc5M2JjYWY0ZmY0MA==
+    MWIwYmEwMGNiYzY3NmY4NjFlNmFjMTE5ODY2ZTdjNmRhNTI0MTAzNA==
   data.tar.gz: !binary |-
-    ZWUwODczNDcxNzgyYzg5MjM5ZjlkOWVkNjExZjRmYzVjMzY3ZGUxZg==
+    MzIyYTUzNDIxNWYxNzcwZTA1YjlhZDhmZTg4NWM2YTFjN2ViYWRiZQ==
 SHA512:
   metadata.gz: !binary |-
-    ODA5NTVmYTgyOWRkZGRiNWQxZDhhNzRiYWNhOGM0YjZlMzE3YzczNTc3MDk0
-    ZTc3YTI1ZDViZTIyNTM5NzQwYzY2MjNjYzhhMzNiMTRhNTkxMWM2OTk2NTg5
-    MTMxNmM5ZGU5OGRkM2UxMGI5YjQ3OTNlZTM4NTliYTg1NGFhNjc=
+    MzExZjA1YzA0MGY1N2U2Y2IxYWQ1OTc2M2QyZDU3NDBjY2FmMzlkODIzYjcy
+    ZGJhYWI3ZTk3ZGFmMzdmMTNhNWIxNjg2NWI5NmYwZTA5ODUxZWFmMTIwMThm
+    MDY1MTM2MTIzZWU3N2JmNDIxM2JmZWY5ZDgwZjY5YTQzZjQ2NDg=
   data.tar.gz: !binary |-
-    NjI4OWQ2OTJiNzllYzI2NzJhZDhkMGJjZmMyZWY4OGMwYTQ5MzcwN2IwZTU4
-    NDI4YjkwZGYxNzRiNmEwY2Y2ZjExNmNmZmQ1YjA4YjBhY2U5MjVlYWZiNWQx
-    YzRjYWE0MDdmNzlmNzhlMjJjMWNkMWMzNjY2ZTk3ZDc5ZTUwN2E=
+    MjVhZjNjMjFjZGNlZTY3MDQ0NDQ0MDgwNzJhMjdmMzY0NWU1NWIyZGQ3NTVh
+    ODQ0YThiODJjY2NmYzM1ZTkzMzFkZjdiMzM2MzYxNGIwMjhjYzIyNzdhYzJh
+    ZDBhNGUzZDA3NjQzN2NlODBjOTUyN2ZhYzE5ZDQ3MTc4MTI0NDA=

data/bin/chef-vault-pki

@@ -1,23 +1,36 @@
 #!/usr/bin/env ruby
 
-require 'openssl'
+require 'chef-vault-pki'
 require 'base64'
 require 'optparse'
+require 'json'
 
-version = '0.1.0'
+version = '0.2.0'
 options = {
+  :key_size => 2048,
   :name => "chef_vault_pki_ca",
-  :expire => 3655,
+  :expires => 365,
   :output => 'json'
 }
 
+
 OptionParser.new do |opts|
-  opts.banner = "Usage chef-vault-pki [options]"
+  opts.banner = "Usage chef-vault-pki [command] [options]"
+  opts.separator ""
+  opts.separator "Commands:"
+  opts.separator "    ca - Creates a CA (default)"
+  opts.separator "    client - Creates a client (CA must be provided on STDIN as JSON)"
+  opts.separator ""
+  opts.separator "Common options:"
 
   opts.on("-n", "--name NAME", "NAME for SSL certificate. Defaults to #{options[:name]}") do |n|
     options[:name] = n
   end
 
+  opts.on("-k", "--key_size KEY_SIZE", "Use KEY_SIZE bits for the key. Defaults to #{options[:key_size]}") do |n|
+    options[:name] = n
+  end
+
   opts.on("-e", "--expires DAYS", "Certificate expires in DAYS days. Defaults to #{options[:expire]}") do |e|
     options[:expire] = e
   end
@@ -38,35 +51,26 @@ OptionParser.new do |opts|
 
 end.parse!
 
-key = OpenSSL::PKey::RSA.new 2048
-
-name = OpenSSL::X509::Name.parse "CN=#{options[:name]}"
-
-expires = Time.now + (options[:expire] * 3600 * 24)
-
-cert = OpenSSL::X509::Certificate.new
-cert.version = 3
-cert.serial = 0
-cert.not_before = Time.now
-cert.not_after = expires
-cert.public_key = key.public_key
-cert.subject = name
-cert.issuer = name
-#cert.sign key, OpenSSL::Digest::SHA1.new
-extension_factory = OpenSSL::X509::ExtensionFactory.new
-extension_factory.subject_certificate = cert
-extension_factory.issuer_certificate = cert
-extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
-extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
-extension_factory.create_extension 'keyUsage', 'cRLSign,keyCertSign', true
-cert.sign key, OpenSSL::Digest::SHA1.new
+command = ARGV.shift || 'ca'
+
+case command
+when 'ca'
+  pki = ChefVaultPKI::CA.new options
+  pki.generate!
+when 'client'
+  ca_pems = JSON.parse(STDIN.read)
+  ca = ChefVaultPKI::CA.new
+  ca.load! ca_pems
+
+  pki = ChefVaultPKI::Client.new options
+  pki.generate! ca
+end
 
 case options[:output].downcase
 when 'json'
-  require 'json'
-  puts ({ :cert => cert.to_pem, :key => key.to_pem }.to_json)
+  puts ({ :cert => pki.cert.to_pem, :key => pki.key.to_pem }.to_json)
 else
-  puts cert.to_pem
-  puts key.to_pem
+  puts pki.cert.to_pem
+  puts pki.key.to_pem
 end
 

data/lib/chef-vault-pki.rb

@@ -0,0 +1,112 @@
+require 'openssl'
+
+module ChefVaultPKI
+
+  class CA
+    attr_accessor :key, :cert
+
+    def initialize(args = {})
+      @config = {
+        :key_size => 2048,
+        :expires => 10,
+        :expires_factor => 60 * 60 * 24,
+        :name => 'chef_vault_pki_ca'
+      }
+      @config.keys.each do |key|
+        if args.has_key? key
+          @config[key] = args[key]
+        end
+      end
+      self
+    end
+
+    def generate!
+      name = OpenSSL::X509::Name.parse "CN=#{@config[:name]}"
+      not_before = Time.now
+      not_after = not_before + (@config[:expires] * @config[:expires_factor])
+
+      @key = OpenSSL::PKey::RSA.new @config[:key_size]
+
+      @cert = OpenSSL::X509::Certificate.new
+      @cert.version = 3
+      @cert.serial = 0
+      @cert.not_before = not_before
+      @cert.not_after = not_after
+      @cert.public_key = key.public_key
+      @cert.subject = name
+      @cert.issuer = name
+      #cert.sign key, OpenSSL::Digest::SHA1.new
+      extension_factory = OpenSSL::X509::ExtensionFactory.new
+      extension_factory.subject_certificate = @cert
+      extension_factory.issuer_certificate = @cert
+      extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
+      extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
+      extension_factory.create_extension 'keyUsage', 'cRLSign,keyCertSign', true
+      @cert.sign @key, OpenSSL::Digest::SHA1.new
+    end
+
+    def load!(hash)
+      @key = OpenSSL::PKey::RSA.new hash['key']
+      @cert = OpenSSL::X509::Certificate.new hash['cert']
+    end
+
+  end
+
+  class Client
+    attr_accessor :key, :csr, :cert
+
+    def initialize(args = {})
+      @config = {
+        :key_size => 2048,
+        :expires => 10,
+        :expires_factor => 60 * 60 * 24,
+        :name => 'chef_vault_pki_client'
+      }
+      @config.keys.each do |key|
+        if args.has_key? key
+          @config[key] = args[key]
+        end
+      end
+    end
+
+    def generate!(ca)
+      name = OpenSSL::X509::Name.parse "CN=#{@config[:name]}"
+      not_before = Time.now
+      not_after = not_before + (@config[:expires] * @config[:expires_factor])
+
+      @key = OpenSSL::PKey::RSA.new @config[:key_size]
+
+      @csr = OpenSSL::X509::Request.new
+      @csr.version = 0
+      @csr.subject = name
+      @csr.public_key = @key.public_key
+      @csr.sign @key, OpenSSL::Digest::SHA1.new
+
+      @cert = OpenSSL::X509::Certificate.new
+      @cert.serial = 0
+      @cert.version = 2
+      @cert.not_before = not_before
+      @cert.not_after = not_after
+
+      @cert.subject = @csr.subject
+      @cert.public_key = @csr.public_key
+      @cert.issuer = ca.cert.subject
+
+      extension_factory = OpenSSL::X509::ExtensionFactory.new
+      extension_factory.subject_certificate = @cert
+      extension_factory.issuer_certificate = ca.cert
+      extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
+      extension_factory.create_extension 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature'
+      extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
+
+      @cert.sign ca.key, OpenSSL::Digest::SHA1.new
+    end
+
+    def load!(hash)
+      @key = OpenSSL::PKey::RSA.new hash['key']
+      @cert = OpenSSL::X509::Certificate.new hash['cert']
+    end
+
+  end
+
+end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault-pki
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
-- Fraser Scott
+- zeroXten
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-21 00:00:00.000000000 Z
+date: 2014-03-14 00:00:00.000000000 Z
 dependencies: []
-description: Generate a CA for chef_vault_pki cookbook
+description: Tool for chef_vault_pki cookbook
 email: fraser.scott@gmail.com
 executables:
 - chef-vault-pki
@@ -18,6 +18,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - bin/chef-vault-pki
+- lib/chef-vault-pki.rb
 homepage: https://github.com/zeroXten/chef-vault-pki
 licenses:
 - MIT
@@ -41,5 +42,5 @@ rubyforge_project:
 rubygems_version: 2.2.1
 signing_key: 
 specification_version: 4
-summary: Generate a CA for chef_vault_pki cookbook
+summary: Tool for chef_vault_pki cookbook
 test_files: []