damnx509 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c930cca3a5c52c5260e694f4971c4c5c7426089b
+  data.tar.gz: 818f5492500718a1f5cdad67fc759fd61189b58b
+SHA512:
+  metadata.gz: ec8b834cca14409ef2154c539a2e4cb9a91a4453a443abb7a03dff705ac5261ce282a0b8e5f7b925a0a2e1e152730457646e049e247137703422ca1cd9a35d8a
+  data.tar.gz: a201a8760c74a4aeb2d3f3a355a3406933849aca8ab628cd6b5277f1f8a230b70b43d9759a177c93ef5de2b23685aa64f2d43953c15d715cbcd1f686e28c49a3

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/damnx509.yaml
+/test_ca

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project owner at greg@unrelenting.technology. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project owner is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in damnx509.gemspec
+gemspec

data/README.md

@@ -0,0 +1,45 @@
+# damnx509 [![Unlicense](https://img.shields.io/badge/un-license-green.svg?style=flat)](http://unlicense.org)
+
+A simple CLI for managing a small X.509 Certificate Authority!
+
+- Screw the `openssl` binary, shell scripts, searching your command history for `openssl` invocations, this is just much cleaner.
+- damnx509 offers a nice interactive `issue` subcommand that lets you set:
+    - the extended usage thing (e.g. some WPA2 EAP-TLS clients absolutely require it to be set to `clientAuth`, now you don't have to worry about that)
+    - Subject Alternative Names (the `openssl` binary only sets that *from the openssl config file*, what the hell)
+    - the signature algorithm (RSA 2048/4096 and EC)
+    - the URI of the CRL
+- It also automatically offers default values from the CA (e.g. you want to default to the same country, city and CRL URI, right?)
+- And automatically builds a PKCS12 (`.p12`) key+cert bundle (useful for browser client certs and WPA2 EAP-TLS).
+- There's also a `revoke` subcommand to update the CRL (don't forget to upload it to the URI mentioned in the certificates).
+- DON'T FORGET TO [REMOVE](https://en.wikipedia.org/wiki/Srm_(Unix)) UNENCRYPTED KEYS IF YOU WRITE THEM
+
+You can use damnx509 to manage a personal CA to sign things like:
+
+- Your [home router](https://lede-project.org/start)'s admin interface (LuCI)
+- Your home router's [WPA2 EAP-TLS network](http://www.blog.10deam.com/2015/01/08/install-freeradius2-on-a-openwrt-router-for-eap-authentication/)
+- Your home NAS's web interface
+- Your personal OpenVPN network
+- Your home server's HTTPS services
+- Client certificates for accessing admin/monitoring/etc. interfaces on your servers
+- An [IndieCert](https://indiecert.net/faq) client certificate for [signing in with your domain](https://indieweb.org/Web_sign-in)
+
+## Installation
+
+You need Ruby [older than 2.4 for now](https://github.com/r509/r509/issues/122).
+
+```bash
+$ gem install damnx509
+```
+
+Run the command to see how to use it.
+
+## Contributing
+
+Please feel free to submit pull requests!
+
+By participating in this project you agree to follow the [Contributor Code of Conduct](http://contributor-covenant.org/version/1/4/).
+
+## License
+
+This is free and unencumbered software released into the public domain.  
+For more information, please refer to the `UNLICENSE` file or [unlicense.org](http://unlicense.org).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/UNLICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>

data/damnx509.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'damnx509/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "damnx509"
+  spec.version       = Damnx509::VERSION
+  spec.authors       = ["Greg V"]
+  spec.email         = ["greg@unrelenting.technology"]
+
+  spec.summary       = %q{Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority}
+  spec.homepage      = "https://github.com/myfreeweb/damnx509"
+  spec.license       = "Unlicense"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "thor", "~> 0.19"
+  spec.add_dependency "highline", "~> 1.7"
+  spec.add_dependency "chronic_duration", "~> 0.10"
+  spec.add_dependency "r509", "~> 1.0"
+  spec.add_development_dependency "bundler", "~> 1.14"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/exe/damnx509

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require 'damnx509'
+Damnx509::CLI.start(ARGV)

data/lib/damnx509.rb

@@ -0,0 +1,202 @@
+require 'thor'
+require 'highline'
+require 'chronic_duration'
+require 'r509'
+#require 'damnx509/version'
+
+module Damnx509
+  class CLI < Thor
+    YAML_FILE = 'damnx509.yaml'
+    CAS = 'certificate_authorities'
+    CLI = HighLine.new
+
+    desc 'init CA', 'Create a new certificate authority named CA in the current directory'
+    def init(name)
+      if File.exist?(name)
+        puts "#{name} already exists in the current directory."
+        return false
+      end
+      Dir.mkdir(name)
+      subject = _ask_subject
+      csr = R509::CSR.new(
+        type: 'RSA',
+        bit_length: 4096,
+        subject: subject,
+        san_names: _to_san(subject) + _ask_san
+      )
+      key_filename = "#{name}/root.key.pem"
+      _write_with_password(key_filename, csr.key)
+      cert_filename = "#{name}/root.cert.pem"
+      ext = []
+      crl_uri = CLI.ask('CRL URI?')
+      ext << R509::Cert::Extensions::CRLDistributionPoints.new(value: [{type: 'URI', value: crl_uri}]) unless crl_uri.empty?
+      cert = R509::CertificateAuthority::Signer.selfsign(
+        csr: csr,
+        extensions: ext,
+        not_before: Time.now.to_i,
+        not_after: Time.now.to_i + _ask_duration
+      )
+      File.write(cert_filename, cert.to_pem)
+      crl_list_filename = "#{name}/crl.list.txt"
+      File.write(crl_list_filename, '')
+      crl_number_filename = "#{name}/crl.number.txt"
+      File.write(crl_number_filename , '')
+      conf = File.exist?(YAML_FILE) ? YAML.load_file(YAML_FILE) : {}
+      conf['default_ca'] ||= name
+      conf[CAS] ||= {}
+      conf[CAS][name] ||= {}
+      conf[CAS][name]['ca_cert'] = { 'cert' => cert_filename, 'key' => key_filename }
+      conf[CAS][name]['crl_md'] = 'SHA256'
+      conf[CAS][name]['crl_validity_hours'] = 24 * 365
+      conf[CAS][name]['crl_start_skew_seconds'] = 30
+      conf[CAS][name]['crl_list_file'] = crl_list_filename
+      conf[CAS][name]['crl_number_file'] = crl_number_filename
+      File.write(YAML_FILE, conf.to_yaml)
+    end
+
+    desc 'issue NAME [CA]', 'Issue a new certificate (interactively), saving to CA/issued/NAME.* files'
+    def issue(name, ca=nil)
+      ca ||= ca || _conf['default_ca']
+      ca_config = _ca_config(ca)
+      if !ca_config
+        puts "CA #{ca} not found."
+        return false
+      end
+      subj_defaults = Hash[ca_config.ca_cert.cert.subject.to_a.map { |e| [e[0], e[1]] }]
+      ext = []
+
+      ext << R509::Cert::Extensions::BasicConstraints.new(:ca => false)
+      CLI.choose do |menu|
+        menu.prompt = 'Certificate usage?'
+        menu.choice('TLS (HTTPS/SMTPS/IMAPS/OpenVPN/WPA2 EAP-TLS/etc.) Server') {
+          ext << R509::Cert::Extensions::ExtendedKeyUsage.new(value: ['serverAuth'])
+        }
+        menu.choice('TLS (HTTPS/SMTPS/IMAPS/OpenVPN/WPA2 EAP-TLS/etc.) Client') {
+          ext << R509::Cert::Extensions::ExtendedKeyUsage.new(value: ['clientAuth'])
+        }
+        menu.choice('Code Signing') {
+          ext << R509::Cert::Extensions::ExtendedKeyUsage.new(value: ['codeSigning'])
+        }
+        menu.choice('E-mail Protection') {
+          ext << R509::Cert::Extensions::ExtendedKeyUsage.new(value: ['emailProtection'])
+        }
+      end
+
+      cert_type = 'RSA'
+      CLI.choose do |menu|
+        menu.prompt = 'Signature algorithm?'
+        menu.choice('RSA') {}
+        menu.choice('EC') { cert_type = 'EC' }
+      end
+      bit_length = nil
+      CLI.choose do |menu|
+        menu.prompt = 'Key length?'
+        menu.choice('2048') { bit_length = 2048 }
+        menu.choice('4096') { bit_length = 4096 }
+      end if cert_type == 'RSA'
+
+      crl_ext_p = (ca_config.ca_cert.cert.extensions || []).find { |e| e.oid == 'crlDistributionPoints' }
+      crl_uri = CLI.ask('CRL URI?') { |q| q.default = crl_ext_p && crl_ext_p.value.gsub(/\n[^:]+:/, '').strip }
+      ext << R509::Cert::Extensions::CRLDistributionPoints.new(value: [{type: 'URI', value: crl_uri}]) unless crl_uri.empty?
+
+      subject = _ask_subject(subj_defaults)
+      csr = R509::CSR.new(
+        type: cert_type,
+        bit_length: bit_length,
+        subject: subject,
+        san_names: _to_san(subject) + _ask_san
+      )
+      ext << R509::Cert::Extensions::SubjectAlternativeName.new(value: csr.san)
+      Dir.mkdir("#{ca}/issued") unless File.directory?("#{ca}/issued")
+      key_filename = "#{ca}/issued/#{name}.key.pem"
+      password = _write_with_password(key_filename, csr.key)
+      signer = R509::CertificateAuthority::Signer.new(ca_config)
+      cert = signer.sign(
+        csr: csr,
+        extensions: ext,
+        not_before: Time.now.to_i,
+        not_after: Time.now.to_i + _ask_duration
+      )
+      cert_filename = "#{ca}/issued/#{name}.cert.pem"
+      File.write(cert_filename, cert.to_pem)
+      unless password.empty?
+        p12_filename = "#{ca}/issued/#{name}.p12"
+        cert.write_pkcs12(p12_filename, password, "#{name} cert+key signed by #{ca}")
+        puts "Wrote #{cert_filename}, #{key_filename}, #{p12_filename}."
+      else
+        puts "Wrote #{cert_filename}, #{key_filename}."
+      end
+    end
+
+    desc 'revoke SERIAL [CA]', 'Revoke a certificate with a given SERIAL'
+    def revoke(serial, ca=nil)
+      # TODO: revoke from file
+      ca ||= ca || _conf['default_ca']
+      ca_config = _ca_config(ca)
+      if !ca_config
+        puts "CA #{ca} not found."
+        return false
+      end
+      admin = R509::CRL::Administrator.new(ca_config)
+      ser = serial.gsub(':', '').to_i(16)
+      admin.revoke_cert(ser)
+      crl = admin.generate_crl
+      crl_filename = "#{ca}/crl.pem"
+      crl.write_pem(crl_filename)
+      puts "Wrote #{crl_filename}."
+    end
+
+    private
+    def _conf
+      @conf ||= YAML.load_file(YAML_FILE)
+    end
+
+    def _ca_config(ca_name)
+      @ca_config ||= R509::Config::CAConfig.load_from_hash(_conf[CAS][ca_name])
+    rescue ArgumentError
+      nil
+    end
+
+    def _ask_subject(defaults=nil)
+      [
+        ['C',  CLI.ask('C   - Country (2 letter code):') { |q| q.default = defaults && defaults['C'] }],
+        ['ST', CLI.ask('ST  - State or Province (full name):') { |q| q.default = defaults && defaults['ST'] }],
+        ['L',  CLI.ask('L   - Locality (e.g. city):') { |q| q.default = defaults && defaults['L'] }],
+        ['O',  CLI.ask('O   - Organization (e.g. company):') { |q| q.default = defaults && defaults['O'] }],
+        ['OU', CLI.ask('OU  - Organizational Unit (e.g. section):') { |q| q.default = defaults && defaults['OU'] }],
+        ['CN', CLI.ask('CN  - Common Name (e.g. fully qualified host name):')]
+      ]
+    end
+
+    def _ask_san
+      result = []
+      while cur = CLI.ask("SAN - Subject Alternative Name (enter one; type is automatically recognized, don't write 'DNS' etc.; empty to #{result.empty? ? 'skip' : 'stop'}):")
+        break if cur.empty?
+        result << cur
+      end
+      result
+    end
+
+    def _to_san(subject)
+      [Hash[subject]['CN']]
+    end
+
+    def _ask_duration
+      ChronicDuration.parse(CLI.ask('Expires in (natural input):') { |q| q.default = '365d'}, keep_zero: true)
+    end
+
+    def _ask_password
+      CLI.ask('Private key password (empty to skip key encryption):') { |q| q.echo = '*' }
+    end
+
+    def _write_with_password(key_filename, key)
+      password = _ask_password
+      if password.empty?
+        key.write_pem(key_filename)
+      else
+        key.write_encrypted_pem(key_filename, 'aes256', password)
+      end
+      password
+    end
+  end
+end

data/lib/damnx509/version.rb

@@ -0,0 +1,3 @@
+module Damnx509
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification
+name: damnx509
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Greg V
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: chronic_duration
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: r509
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: 
+email:
+- greg@unrelenting.technology
+executables:
+- damnx509
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- README.md
+- Rakefile
+- UNLICENSE
+- damnx509.gemspec
+- exe/damnx509
+- lib/damnx509.rb
+- lib/damnx509/version.rb
+homepage: https://github.com/myfreeweb/damnx509
+licenses:
+- Unlicense
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.10
+signing_key: 
+specification_version: 4
+summary: Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority
+test_files: []