RubyGems - damnx509 - Versions diffs - 0.1.0 → 0.1.1 - Mend

damnx509 0.1.0 → 0.1.1

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c930cca3a5c52c5260e694f4971c4c5c7426089b
-  data.tar.gz: 818f5492500718a1f5cdad67fc759fd61189b58b
+SHA256:
+  metadata.gz: 4ade108be7ef2f65fb9a1387a4a8a6175ea99ce0774b65b616f32d330abd8758
+  data.tar.gz: 54277c411684be046d557f0875c5d79f7139dcb5955a8e52f32fe92589c3b449
 SHA512:
-  metadata.gz: ec8b834cca14409ef2154c539a2e4cb9a91a4453a443abb7a03dff705ac5261ce282a0b8e5f7b925a0a2e1e152730457646e049e247137703422ca1cd9a35d8a
-  data.tar.gz: a201a8760c74a4aeb2d3f3a355a3406933849aca8ab628cd6b5277f1f8a230b70b43d9759a177c93ef5de2b23685aa64f2d43953c15d715cbcd1f686e28c49a3
+  metadata.gz: 0e1c0ba31a8e4e5fdd9184fc3470e69f84b7442cf60ab82836c7c5b504974e2109742799cc52cb470017d91cfb99901b50748d82d976afd414fedf8eda70bb4d
+  data.tar.gz: 8867774b8f488e8b8360a7fa2985b1926a2774a765f75eac11802e0ce3b65710ed399e785a675951cf64b7cd8a26b9aafe2f19a025b73b25486c04c375728f4b

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# damnx509 [![Unlicense](https://img.shields.io/badge/un-license-green.svg?style=flat)](http://unlicense.org)
+# damnx509 [![Unlicense](https://img.shields.io/badge/un-license-green.svg?style=flat)](https://unlicense.org)
 A simple CLI for managing a small X.509 Certificate Authority!
@@ -7,6 +7,7 @@ A simple CLI for managing a small X.509 Certificate Authority!
     - the extended usage thing (e.g. some WPA2 EAP-TLS clients absolutely require it to be set to `clientAuth`, now you don't have to worry about that)
     - Subject Alternative Names (the `openssl` binary only sets that *from the openssl config file*, what the hell)
     - the signature algorithm (RSA 2048/4096 and EC)
+    - the digest algorithm (SHA256/384/512, note that WPA3-Enterprise 192-bit mode requires 384)
     - the URI of the CRL
 - It also automatically offers default values from the CA (e.g. you want to default to the same country, city and CRL URI, right?)
 - And automatically builds a PKCS12 (`.p12`) key+cert bundle (useful for browser client certs and WPA2 EAP-TLS).
@@ -15,31 +16,21 @@ A simple CLI for managing a small X.509 Certificate Authority!
 You can use damnx509 to manage a personal CA to sign things like:
-- Your [home router](https://lede-project.org/start)'s admin interface (LuCI)
-- Your home router's [WPA2 EAP-TLS network](http://www.blog.10deam.com/2015/01/08/install-freeradius2-on-a-openwrt-router-for-eap-authentication/)
-- Your home NAS's web interface
+- Your various HTTPS, MQTT, etc. servers at home
+- Your home [WPA2 EAP-TLS network](http://www.blog.10deam.com/2015/01/08/install-freeradius2-on-a-openwrt-router-for-eap-authentication/)
 - Your personal OpenVPN network
-- Your home server's HTTPS services
 - Client certificates for accessing admin/monitoring/etc. interfaces on your servers
-- An [IndieCert](https://indiecert.net/faq) client certificate for [signing in with your domain](https://indieweb.org/Web_sign-in)
+- ~~An [IndieCert](https://indiecert.net/faq) client certificate for [signing in with your domain](https://indieweb.org/Web_sign-in)~~
 ## Installation
-You need Ruby [older than 2.4 for now](https://github.com/r509/r509/issues/122).
 ```bash
 $ gem install damnx509
 ```
 Run the command to see how to use it.
-## Contributing
-Please feel free to submit pull requests!
-By participating in this project you agree to follow the [Contributor Code of Conduct](http://contributor-covenant.org/version/1/4/).
 ## License
 This is free and unencumbered software released into the public domain.
-For more information, please refer to the `UNLICENSE` file or [unlicense.org](http://unlicense.org).
+For more information, please refer to the `UNLICENSE` file or [unlicense.org](https://unlicense.org).

data/damnx509.gemspec CHANGED Viewed

@@ -6,11 +6,11 @@ require 'damnx509/version'
 Gem::Specification.new do |spec|
   spec.name          = "damnx509"
   spec.version       = Damnx509::VERSION
-  spec.authors       = ["Greg V"]
-  spec.email         = ["greg@unrelenting.technology"]
+  spec.authors       = ["unrelentingtech"]
+  spec.email         = ["hello@unrelenting.technology"]
   spec.summary       = %q{Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority}
-  spec.homepage      = "https://github.com/myfreeweb/damnx509"
+  spec.homepage      = "https://codeberg.org/unrelentingtech/damnx509"
   spec.license       = "Unlicense"
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
@@ -20,10 +20,10 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "thor", "~> 0.19"
-  spec.add_dependency "highline", "~> 1.7"
+  spec.add_dependency "thor", "~> 1.2"
+  spec.add_dependency "highline", "~> 2.0"
   spec.add_dependency "chronic_duration", "~> 0.10"
-  spec.add_dependency "r509", "~> 1.0"
-  spec.add_development_dependency "bundler", "~> 1.14"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_dependency "r509", "~> 1.0.1"
+  spec.add_development_dependency "bundler", "~> 2.3"
+  spec.add_development_dependency "rake", "~> 13.0"
 end

data/lib/damnx509/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Damnx509
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

data/lib/damnx509.rb CHANGED Viewed

@@ -17,21 +17,28 @@ module Damnx509
         return false
       end
       Dir.mkdir(name)
+      cert_type, bit_length, digest_alg = _ask_algo
       subject = _ask_subject
       csr = R509::CSR.new(
-        type: 'RSA',
-        bit_length: 4096,
+        type: cert_type,
+        bit_length: bit_length,
         subject: subject,
         san_names: _to_san(subject) + _ask_san
       )
       key_filename = "#{name}/root.key.pem"
       _write_with_password(key_filename, csr.key)
       cert_filename = "#{name}/root.cert.pem"
-      ext = []
+      ext = [
+        R509::Cert::Extensions::BasicConstraints.new(critical: true, ca: true),
+        R509::Cert::Extensions::KeyUsage.new(critical: true, value: ['keyCertSign', 'cRLSign']),
+        R509::Cert::Extensions::SubjectKeyIdentifier.new(public_key: csr.public_key),
+        R509::Cert::Extensions::AuthorityKeyIdentifier.new(public_key: csr.public_key)
+      ]
       crl_uri = CLI.ask('CRL URI?')
       ext << R509::Cert::Extensions::CRLDistributionPoints.new(value: [{type: 'URI', value: crl_uri}]) unless crl_uri.empty?
       cert = R509::CertificateAuthority::Signer.selfsign(
         csr: csr,
+        message_digest: digest_alg,
         extensions: ext,
         not_before: Time.now.to_i,
         not_after: Time.now.to_i + _ask_duration
@@ -63,9 +70,10 @@ module Damnx509
         return false
       end
       subj_defaults = Hash[ca_config.ca_cert.cert.subject.to_a.map { |e| [e[0], e[1]] }]
-      ext = []
+      ext = [
+        R509::Cert::Extensions::BasicConstraints.new(critical: true, ca: false)
+      ]
-      ext << R509::Cert::Extensions::BasicConstraints.new(:ca => false)
       CLI.choose do |menu|
         menu.prompt = 'Certificate usage?'
         menu.choice('TLS (HTTPS/SMTPS/IMAPS/OpenVPN/WPA2 EAP-TLS/etc.) Server') {
@@ -82,18 +90,7 @@ module Damnx509
         }
       end
-      cert_type = 'RSA'
-      CLI.choose do |menu|
-        menu.prompt = 'Signature algorithm?'
-        menu.choice('RSA') {}
-        menu.choice('EC') { cert_type = 'EC' }
-      end
-      bit_length = nil
-      CLI.choose do |menu|
-        menu.prompt = 'Key length?'
-        menu.choice('2048') { bit_length = 2048 }
-        menu.choice('4096') { bit_length = 4096 }
-      end if cert_type == 'RSA'
+      cert_type, bit_length, digest_alg = _ask_algo
       crl_ext_p = (ca_config.ca_cert.cert.extensions || []).find { |e| e.oid == 'crlDistributionPoints' }
       crl_uri = CLI.ask('CRL URI?') { |q| q.default = crl_ext_p && crl_ext_p.value.gsub(/\n[^:]+:/, '').strip }
@@ -113,6 +110,7 @@ module Damnx509
       signer = R509::CertificateAuthority::Signer.new(ca_config)
       cert = signer.sign(
         csr: csr,
+        message_digest: digest_alg,
         extensions: ext,
         not_before: Time.now.to_i,
         not_after: Time.now.to_i + _ask_duration
@@ -157,6 +155,29 @@ module Damnx509
       nil
     end
+    def _ask_algo
+      cert_type = 'RSA'
+      CLI.choose do |menu|
+        menu.prompt = 'Signature algorithm?'
+        menu.choice('RSA') {}
+        menu.choice('EC') { cert_type = 'EC' }
+      end
+      bit_length = nil
+      CLI.choose do |menu|
+        menu.prompt = 'Key length?'
+        menu.choice('2048') { bit_length = 2048 }
+        menu.choice('4096') { bit_length = 4096 }
+      end if cert_type == 'RSA'
+      digest_alg = 'SHA384'
+      CLI.choose do |menu|
+        menu.prompt = 'Digest algorithm?'
+        menu.choice('SHA384') {}
+        menu.choice('SHA256') { digest_alg = 'SHA256' }
+        menu.choice('SHA512') { digest_alg = 'SHA512' }
+      end
+      [cert_type, bit_length, digest_alg]
+    end
     def _ask_subject(defaults=nil)
       [
         ['C',  CLI.ask('C   - Country (2 letter code):') { |q| q.default = defaults && defaults['C'] }],

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: damnx509
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
-- Greg V
-autorequire:
+- unrelentingtech
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-03-06 00:00:00.000000000 Z
+date: 2022-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: chronic_duration
   requirement: !ruby/object:Gem::Requirement
@@ -58,52 +58,51 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.0.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
-description:
+        version: '13.0'
+description:
 email:
-- greg@unrelenting.technology
+- hello@unrelenting.technology
 executables:
 - damnx509
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- CODE_OF_CONDUCT.md
 - Gemfile
 - README.md
 - Rakefile
@@ -112,11 +111,11 @@ files:
 - exe/damnx509
 - lib/damnx509.rb
 - lib/damnx509/version.rb
-homepage: https://github.com/myfreeweb/damnx509
+homepage: https://codeberg.org/unrelentingtech/damnx509
 licenses:
 - Unlicense
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -131,9 +130,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.10
-signing_key:
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
 summary: Easy interactive CLI for managing a small X.509 (TLS) Certificate Authority
 test_files: []

data/CODE_OF_CONDUCT.md DELETED Viewed

@@ -1,74 +0,0 @@
-# Contributor Covenant Code of Conduct
-## Our Pledge
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
-## Our Standards
-Examples of behavior that contributes to creating a positive environment
-include:
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-Examples of unacceptable behavior by participants include:
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-## Our Responsibilities
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-## Scope
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-## Enforcement
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project owner at greg@unrelenting.technology. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project owner is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-## Attribution
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/