damnx509 0.1.0 → 0.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: c930cca3a5c52c5260e694f4971c4c5c7426089b
4
- data.tar.gz: 818f5492500718a1f5cdad67fc759fd61189b58b
2
+ SHA256:
3
+ metadata.gz: 4ade108be7ef2f65fb9a1387a4a8a6175ea99ce0774b65b616f32d330abd8758
4
+ data.tar.gz: 54277c411684be046d557f0875c5d79f7139dcb5955a8e52f32fe92589c3b449
5
5
  SHA512:
6
- metadata.gz: ec8b834cca14409ef2154c539a2e4cb9a91a4453a443abb7a03dff705ac5261ce282a0b8e5f7b925a0a2e1e152730457646e049e247137703422ca1cd9a35d8a
7
- data.tar.gz: a201a8760c74a4aeb2d3f3a355a3406933849aca8ab628cd6b5277f1f8a230b70b43d9759a177c93ef5de2b23685aa64f2d43953c15d715cbcd1f686e28c49a3
6
+ metadata.gz: 0e1c0ba31a8e4e5fdd9184fc3470e69f84b7442cf60ab82836c7c5b504974e2109742799cc52cb470017d91cfb99901b50748d82d976afd414fedf8eda70bb4d
7
+ data.tar.gz: 8867774b8f488e8b8360a7fa2985b1926a2774a765f75eac11802e0ce3b65710ed399e785a675951cf64b7cd8a26b9aafe2f19a025b73b25486c04c375728f4b
data/README.md CHANGED
@@ -1,4 +1,4 @@
1
- # damnx509 [![Unlicense](https://img.shields.io/badge/un-license-green.svg?style=flat)](http://unlicense.org)
1
+ # damnx509 [![Unlicense](https://img.shields.io/badge/un-license-green.svg?style=flat)](https://unlicense.org)
2
2
 
3
3
  A simple CLI for managing a small X.509 Certificate Authority!
4
4
 
@@ -7,6 +7,7 @@ A simple CLI for managing a small X.509 Certificate Authority!
7
7
  - the extended usage thing (e.g. some WPA2 EAP-TLS clients absolutely require it to be set to `clientAuth`, now you don't have to worry about that)
8
8
  - Subject Alternative Names (the `openssl` binary only sets that *from the openssl config file*, what the hell)
9
9
  - the signature algorithm (RSA 2048/4096 and EC)
10
+ - the digest algorithm (SHA256/384/512, note that WPA3-Enterprise 192-bit mode requires 384)
10
11
  - the URI of the CRL
11
12
  - It also automatically offers default values from the CA (e.g. you want to default to the same country, city and CRL URI, right?)
12
13
  - And automatically builds a PKCS12 (`.p12`) key+cert bundle (useful for browser client certs and WPA2 EAP-TLS).
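Review bot: the new digest-algorithm bullet is the only place the README mentions WPA3-Enterprise 192-bit mode, and the neighbouring signature-algorithm bullet still says only "RSA 2048/4096 and EC" without naming the curve; since that mode depends on the key parameters as much as on the digest, it is worth stating which curve EC keys get so a reader can tell whether the default actually satisfies it.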
@@ -15,31 +16,21 @@ A simple CLI for managing a small X.509 Certificate Authority!
15
16
 
16
17
  You can use damnx509 to manage a personal CA to sign things like:
17
18
 
18
- - Your [home router](https://lede-project.org/start)'s admin interface (LuCI)
19
- - Your home router's [WPA2 EAP-TLS network](http://www.blog.10deam.com/2015/01/08/install-freeradius2-on-a-openwrt-router-for-eap-authentication/)
20
- - Your home NAS's web interface
19
+ - Your various HTTPS, MQTT, etc. servers at home
20
+ - Your home [WPA2 EAP-TLS network](http://www.blog.10deam.com/2015/01/08/install-freeradius2-on-a-openwrt-router-for-eap-authentication/)
21
21
  - Your personal OpenVPN network
22
- - Your home server's HTTPS services
23
22
  - Client certificates for accessing admin/monitoring/etc. interfaces on your servers
24
- - An [IndieCert](https://indiecert.net/faq) client certificate for [signing in with your domain](https://indieweb.org/Web_sign-in)
23
+ - ~~An [IndieCert](https://indiecert.net/faq) client certificate for [signing in with your domain](https://indieweb.org/Web_sign-in)~~
25
24
 
26
25
  ## Installation
27
26
 
28
- You need Ruby [older than 2.4 for now](https://github.com/r509/r509/issues/122).
29
-
30
27
  ```bash
31
28
  $ gem install damnx509
32
29
  ```
33
30
 
34
31
  Run the command to see how to use it.
35
32
 
36
- ## Contributing
37
-
38
- Please feel free to submit pull requests!
39
-
40
- By participating in this project you agree to follow the [Contributor Code of Conduct](http://contributor-covenant.org/version/1/4/).
41
-
42
33
  ## License
43
34
 
44
35
  This is free and unencumbered software released into the public domain.
45
- For more information, please refer to the `UNLICENSE` file or [unlicense.org](http://unlicense.org).
36
+ For more information, please refer to the `UNLICENSE` file or [unlicense.org](https://unlicense.org).
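Review bot: the Installation section drops the "You need Ruby older than 2.4 for now" line but nothing replaces it, and the gemspec in this same release adds no `required_ruby_version`; since the old constraint was tied to an r509 issue and r509 is bumped to 1.0.1 here, stating the Ruby versions now supported (in the README or via `spec.required_ruby_version`) would save users a failed install. Smaller point: the IndieCert bullet is struck through rather than removed; if the service is gone, deleting the bullet reads cleaner than keeping a crossed-out link.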
data/damnx509.gemspec CHANGED
@@ -6,11 +6,11 @@ require 'damnx509/version'
6
6
  Gem::Specification.new do |spec|
7
7
  spec.name = "damnx509"
8
8
  spec.version = Damnx509::VERSION
9
- spec.authors = ["Greg V"]
10
- spec.email = ["greg@unrelenting.technology"]
9
+ spec.authors = ["unrelentingtech"]
10
+ spec.email = ["hello@unrelenting.technology"]
11
11
 
12
12
  spec.summary = %q{Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority}
13
- spec.homepage = "https://github.com/myfreeweb/damnx509"
13
+ spec.homepage = "https://codeberg.org/unrelentingtech/damnx509"
14
14
  spec.license = "Unlicense"
15
15
 
16
16
  spec.files = `git ls-files -z`.split("\x0").reject do |f|
@@ -20,10 +20,10 @@ Gem::Specification.new do |spec|
20
20
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
21
21
  spec.require_paths = ["lib"]
22
22
 
23
- spec.add_dependency "thor", "~> 0.19"
24
- spec.add_dependency "highline", "~> 1.7"
23
+ spec.add_dependency "thor", "~> 1.2"
24
+ spec.add_dependency "highline", "~> 2.0"
25
25
  spec.add_dependency "chronic_duration", "~> 0.10"
26
- spec.add_dependency "r509", "~> 1.0"
27
- spec.add_development_dependency "bundler", "~> 1.14"
28
- spec.add_development_dependency "rake", "~> 10.0"
26
+ spec.add_dependency "r509", "~> 1.0.1"
27
+ spec.add_development_dependency "bundler", "~> 2.3"
28
+ spec.add_development_dependency "rake", "~> 13.0"
29
29
  end
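Review bot: `spec.add_dependency "r509", "~> 1.0.1"` is narrower than it probably intends: the pessimistic operator on a three-segment version allows only `>= 1.0.1, < 1.1`, whereas the old `"~> 1.0"` allowed anything below 2.0. If the goal is just a floor of 1.0.1, `"~> 1.0", ">= 1.0.1"` expresses that without excluding a future 1.1. The `thor` (0.19 to 1.2) and `highline` (1.7 to 2.0) bumps cross major versions, so the `CLI.ask` / `CLI.choose` call sites in `lib/damnx509.rb` deserve a manual run-through under the new versions before release.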
@@ -1,3 +1,3 @@
1
1
  module Damnx509
2
- VERSION = "0.1.0"
2
+ VERSION = "0.1.1"
3
3
  end
data/lib/damnx509.rb CHANGED
@@ -17,21 +17,28 @@ module Damnx509
17
17
  return false
18
18
  end
19
19
  Dir.mkdir(name)
20
+ cert_type, bit_length, digest_alg = _ask_algo
20
21
  subject = _ask_subject
21
22
  csr = R509::CSR.new(
22
- type: 'RSA',
23
- bit_length: 4096,
23
+ type: cert_type,
24
+ bit_length: bit_length,
24
25
  subject: subject,
25
26
  san_names: _to_san(subject) + _ask_san
26
27
  )
27
28
  key_filename = "#{name}/root.key.pem"
28
29
  _write_with_password(key_filename, csr.key)
29
30
  cert_filename = "#{name}/root.cert.pem"
30
- ext = []
31
+ ext = [
32
+ R509::Cert::Extensions::BasicConstraints.new(critical: true, ca: true),
33
+ R509::Cert::Extensions::KeyUsage.new(critical: true, value: ['keyCertSign', 'cRLSign']),
34
+ R509::Cert::Extensions::SubjectKeyIdentifier.new(public_key: csr.public_key),
35
+ R509::Cert::Extensions::AuthorityKeyIdentifier.new(public_key: csr.public_key)
36
+ ]
31
37
  crl_uri = CLI.ask('CRL URI?')
32
38
  ext << R509::Cert::Extensions::CRLDistributionPoints.new(value: [{type: 'URI', value: crl_uri}]) unless crl_uri.empty?
33
39
  cert = R509::CertificateAuthority::Signer.selfsign(
34
40
  csr: csr,
41
+ message_digest: digest_alg,
35
42
  extensions: ext,
36
43
  not_before: Time.now.to_i,
37
44
  not_after: Time.now.to_i + _ask_duration
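Review bot: `bit_length: bit_length` forwards whatever `_ask_algo` returned, which for the EC choice is `nil` because the key-length menu is skipped for non-RSA keys; confirm that `R509::CSR.new` treats a nil `bit_length` as "use the default" rather than raising, or only pass the key when it is set. The rest of the root-CA extension set looks right for a self-signed root: `BasicConstraints` with `ca: true` and `KeyUsage` limited to `keyCertSign` / `cRLSign` are both marked critical, and the `AuthorityKeyIdentifier` is built from the same `csr.public_key` as the `SubjectKeyIdentifier`, so the two identifiers will match.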
@@ -63,9 +70,10 @@ module Damnx509
63
70
  return false
64
71
  end
65
72
  subj_defaults = Hash[ca_config.ca_cert.cert.subject.to_a.map { |e| [e[0], e[1]] }]
66
- ext = []
73
+ ext = [
74
+ R509::Cert::Extensions::BasicConstraints.new(critical: true, ca: false)
75
+ ]
67
76
 
68
- ext << R509::Cert::Extensions::BasicConstraints.new(:ca => false)
69
77
  CLI.choose do |menu|
70
78
  menu.prompt = 'Certificate usage?'
71
79
  menu.choice('TLS (HTTPS/SMTPS/IMAPS/OpenVPN/WPA2 EAP-TLS/etc.) Server') {
@@ -82,18 +90,7 @@ module Damnx509
82
90
  }
83
91
  end
84
92
 
85
- cert_type = 'RSA'
86
- CLI.choose do |menu|
87
- menu.prompt = 'Signature algorithm?'
88
- menu.choice('RSA') {}
89
- menu.choice('EC') { cert_type = 'EC' }
90
- end
91
- bit_length = nil
92
- CLI.choose do |menu|
93
- menu.prompt = 'Key length?'
94
- menu.choice('2048') { bit_length = 2048 }
95
- menu.choice('4096') { bit_length = 4096 }
96
- end if cert_type == 'RSA'
93
+ cert_type, bit_length, digest_alg = _ask_algo
97
94
 
98
95
  crl_ext_p = (ca_config.ca_cert.cert.extensions || []).find { |e| e.oid == 'crlDistributionPoints' }
99
96
  crl_uri = CLI.ask('CRL URI?') { |q| q.default = crl_ext_p && crl_ext_p.value.gsub(/\n[^:]+:/, '').strip }
@@ -113,6 +110,7 @@ module Damnx509
113
110
  signer = R509::CertificateAuthority::Signer.new(ca_config)
114
111
  cert = signer.sign(
115
112
  csr: csr,
113
+ message_digest: digest_alg,
116
114
  extensions: ext,
117
115
  not_before: Time.now.to_i,
118
116
  not_after: Time.now.to_i + _ask_duration
@@ -157,6 +155,29 @@ module Damnx509
157
155
  nil
158
156
  end
159
157
 
158
+ def _ask_algo
159
+ cert_type = 'RSA'
160
+ CLI.choose do |menu|
161
+ menu.prompt = 'Signature algorithm?'
162
+ menu.choice('RSA') {}
163
+ menu.choice('EC') { cert_type = 'EC' }
164
+ end
165
+ bit_length = nil
166
+ CLI.choose do |menu|
167
+ menu.prompt = 'Key length?'
168
+ menu.choice('2048') { bit_length = 2048 }
169
+ menu.choice('4096') { bit_length = 4096 }
170
+ end if cert_type == 'RSA'
171
+ digest_alg = 'SHA384'
172
+ CLI.choose do |menu|
173
+ menu.prompt = 'Digest algorithm?'
174
+ menu.choice('SHA384') {}
175
+ menu.choice('SHA256') { digest_alg = 'SHA256' }
176
+ menu.choice('SHA512') { digest_alg = 'SHA512' }
177
+ end
178
+ [cert_type, bit_length, digest_alg]
179
+ end
180
+
160
181
  def _ask_subject(defaults=nil)
161
182
  [
162
183
  ['C', CLI.ask('C - Country (2 letter code):') { |q| q.default = defaults && defaults['C'] }],
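Review bot: `_ask_algo` never asks which curve to use for the `EC` choice, so `bit_length` stays `nil` and the curve is whatever r509 defaults to; given the README now advertises WPA3-Enterprise 192-bit mode, either prompt for the curve or document the default next to the digest prompt. Two smaller things: `end if cert_type == 'RSA'` hangs a modifier off a multi-line `CLI.choose` block, which is easy to misread, and a plain `if cert_type == 'RSA' ... end` around the block is clearer; and the `'SHA384'` default is a sensible choice but changes behaviour from before, when no `message_digest` was passed to the signer at all, so the changelog should mention that newly issued certificates will use a different digest by default.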
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: damnx509
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: ruby
6
6
  authors:
7
- - Greg V
8
- autorequire:
7
+ - unrelentingtech
8
+ autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-03-06 00:00:00.000000000 Z
11
+ date: 2022-08-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '0.19'
19
+ version: '1.2'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '0.19'
26
+ version: '1.2'
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: highline
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: '1.7'
33
+ version: '2.0'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '1.7'
40
+ version: '2.0'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: chronic_duration
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -58,52 +58,51 @@ dependencies:
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: '1.0'
61
+ version: 1.0.1
62
62
  type: :runtime
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: '1.0'
68
+ version: 1.0.1
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: bundler
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
73
  - - "~>"
74
74
  - !ruby/object:Gem::Version
75
- version: '1.14'
75
+ version: '2.3'
76
76
  type: :development
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
80
  - - "~>"
81
81
  - !ruby/object:Gem::Version
82
- version: '1.14'
82
+ version: '2.3'
83
83
  - !ruby/object:Gem::Dependency
84
84
  name: rake
85
85
  requirement: !ruby/object:Gem::Requirement
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '10.0'
89
+ version: '13.0'
90
90
  type: :development
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '10.0'
97
- description:
96
+ version: '13.0'
97
+ description:
98
98
  email:
99
- - greg@unrelenting.technology
99
+ - hello@unrelenting.technology
100
100
  executables:
101
101
  - damnx509
102
102
  extensions: []
103
103
  extra_rdoc_files: []
104
104
  files:
105
105
  - ".gitignore"
106
- - CODE_OF_CONDUCT.md
107
106
  - Gemfile
108
107
  - README.md
109
108
  - Rakefile
@@ -112,11 +111,11 @@ files:
112
111
  - exe/damnx509
113
112
  - lib/damnx509.rb
114
113
  - lib/damnx509/version.rb
115
- homepage: https://github.com/myfreeweb/damnx509
114
+ homepage: https://codeberg.org/unrelentingtech/damnx509
116
115
  licenses:
117
116
  - Unlicense
118
117
  metadata: {}
119
- post_install_message:
118
+ post_install_message:
120
119
  rdoc_options: []
121
120
  require_paths:
122
121
  - lib
@@ -131,9 +130,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
131
130
  - !ruby/object:Gem::Version
132
131
  version: '0'
133
132
  requirements: []
134
- rubyforge_project:
135
- rubygems_version: 2.6.10
136
- signing_key:
133
+ rubygems_version: 3.0.8
134
+ signing_key:
137
135
  specification_version: 4
138
136
  summary: Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority
139
137
  test_files: []
data/CODE_OF_CONDUCT.md DELETED
@@ -1,74 +0,0 @@
1
- # Contributor Covenant Code of Conduct
2
-
3
- ## Our Pledge
4
-
5
- In the interest of fostering an open and welcoming environment, we as
6
- contributors and maintainers pledge to making participation in our project and
7
- our community a harassment-free experience for everyone, regardless of age, body
8
- size, disability, ethnicity, gender identity and expression, level of experience,
9
- nationality, personal appearance, race, religion, or sexual identity and
10
- orientation.
11
-
12
- ## Our Standards
13
-
14
- Examples of behavior that contributes to creating a positive environment
15
- include:
16
-
17
- * Using welcoming and inclusive language
18
- * Being respectful of differing viewpoints and experiences
19
- * Gracefully accepting constructive criticism
20
- * Focusing on what is best for the community
21
- * Showing empathy towards other community members
22
-
23
- Examples of unacceptable behavior by participants include:
24
-
25
- * The use of sexualized language or imagery and unwelcome sexual attention or
26
- advances
27
- * Trolling, insulting/derogatory comments, and personal or political attacks
28
- * Public or private harassment
29
- * Publishing others' private information, such as a physical or electronic
30
- address, without explicit permission
31
- * Other conduct which could reasonably be considered inappropriate in a
32
- professional setting
33
-
34
- ## Our Responsibilities
35
-
36
- Project maintainers are responsible for clarifying the standards of acceptable
37
- behavior and are expected to take appropriate and fair corrective action in
38
- response to any instances of unacceptable behavior.
39
-
40
- Project maintainers have the right and responsibility to remove, edit, or
41
- reject comments, commits, code, wiki edits, issues, and other contributions
42
- that are not aligned to this Code of Conduct, or to ban temporarily or
43
- permanently any contributor for other behaviors that they deem inappropriate,
44
- threatening, offensive, or harmful.
45
-
46
- ## Scope
47
-
48
- This Code of Conduct applies both within project spaces and in public spaces
49
- when an individual is representing the project or its community. Examples of
50
- representing a project or community include using an official project e-mail
51
- address, posting via an official social media account, or acting as an appointed
52
- representative at an online or offline event. Representation of a project may be
53
- further defined and clarified by project maintainers.
54
-
55
- ## Enforcement
56
-
57
- Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
- reported by contacting the project owner at greg@unrelenting.technology. All
59
- complaints will be reviewed and investigated and will result in a response that
60
- is deemed necessary and appropriate to the circumstances. The project owner is
61
- obligated to maintain confidentiality with regard to the reporter of an incident.
62
- Further details of specific enforcement policies may be posted separately.
63
-
64
- Project maintainers who do not follow or enforce the Code of Conduct in good
65
- faith may face temporary or permanent repercussions as determined by other
66
- members of the project's leadership.
67
-
68
- ## Attribution
69
-
70
- This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
- available at [http://contributor-covenant.org/version/1/4][version]
72
-
73
- [homepage]: http://contributor-covenant.org
74
- [version]: http://contributor-covenant.org/version/1/4/