devpki 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 11f6846c98a3b3dbbe24f57d5fa4f4e619fa0587
+  data.tar.gz: b54ac7be253248ea001141cb5c501119b675b3f5
+SHA512:
+  metadata.gz: e2d7d58b4895f5b63b4e8f319eab48d3a60c9c2feabc7ac2b4242299af17f2a34e9831205e2ebee88ee95983b065fbadef3f569a4cd9eef8a9bc048eb0007b03
+  data.tar.gz: 59fc8a36ffa80468cd8beb76a43fbc386f5e1495e6830b51e02f854e8660d200c64d394304f304d1ddad9756e5d6d266377577c7ee5431253141b1289b0ff841

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devpki.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Jānis Kiršteins
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Jānis Kiršteins
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Devpki
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'devpki'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install devpki
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bin/devpki

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+require 'devpki'
+require 'devpki/data_directory'
+
+if not DevPKI::DataDirectory::platform_supported?
+  puts "ERROR: currently only OS X is supported. The application will now terminate."
+  abort
+end
+
+DevPKI::CLI.start
+

data/devpki.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devpki/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "devpki"
+  spec.version       = DevPKI::VERSION
+  spec.authors       = ["Jānis Kiršteins"]
+  spec.email         = ["janis@montadigital.com"]
+  spec.description   = "Tool for doing common PKI-related tasks"
+  spec.summary       = "Tool for doing common PKI-related tasks"
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "thor"
+  spec.add_runtime_dependency "sqlite3"
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+end

data/lib/devpki/ca.rb

@@ -0,0 +1,122 @@
+require 'devpki'
+require 'devpki/data_directory'
+require 'sqlite3'
+require 'rubygems'
+require 'openssl'
+
+module DevPKI
+  class CA
+
+    attr_accessor :sqlite_db
+    attr_accessor :id
+
+    def initialize(id=0)
+      raise CADBError.new("CA ##{id} does not exist. It must be initialized first.") if not DevPKI::CA.exists?(id)
+
+      @sqlite_db = SQLite3::Database.open(DevPKI::CA.db_path(id))
+      @id = id
+    end
+
+    def self.delete(id)
+      raise InvalidOption.new("CA with ID #{id} does not exist.") if not self.exists?(id)
+      File.delete self.db_path(id)
+    end
+
+    # Initializes an empty CA database and generates a certificate for self
+    def self.init(id, name=nil, parent_ca_id=nil)
+      raise InvalidOption.new("CA with ID #{id} already exists!") if self.exists?(id)
+      raise InvalidOption.new("Parent CA with ID #{id} does not exist!") if parent_ca_id != nil and not self.exists?(parent_ca_id)
+
+      db = SQLite3::Database.new(self.db_path(id))
+
+      sql = <<-SQL
+        create table certificates (
+          id integer primary key autoincrement,
+          private_key_id integer not null,
+          pem text,
+
+          FOREIGN KEY(private_key_id) REFERENCES private_keys(id)
+        );
+
+        create table private_keys (
+          id integer primary key autoincrement,
+          pem text
+        );
+      SQL
+
+      db.execute_batch(sql)
+
+      if parent_ca_id != nil
+        raise InvalidOption.new("Parent CA with ID #{id} does not exist!") if not self.exists?(parent_ca_id)
+        puts "Exists: #{self.exists?(parent_ca_id)}"
+        parent_db = SQLite3::Database.open(self.db_path(parent_ca_id))
+
+        parent_ca_raw = parent_db.get_first_value( "select pem from certificates" )
+        parent_key_raw = parent_db.get_first_value( "select pem from private_keys" )
+
+        parent_ca_cert = OpenSSL::X509::Certificate.new parent_ca_raw
+        parent_ca_key = OpenSSL::PKey::RSA.new parent_key_raw
+      end
+
+      key = OpenSSL::PKey::RSA.new(2048)
+      public_key = key.public_key
+
+      name ||= "Generic DevPKI CA ##{id}"
+      subject = "/CN=#{name}"
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = OpenSSL::X509::Name.parse(subject)
+      if parent_ca_id == nil
+        cert.issuer = cert.subject
+      else
+        cert.issuer = parent_ca_cert.subject
+      end
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 2 * 365 * 24 * 60 * 60
+      cert.public_key = public_key
+      cert.serial = Random.rand(1..100000)
+      cert.version = 2
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+
+      if parent_ca_id == nil
+        ef.issuer_certificate = cert
+      else
+        ef.issuer_certificate = parent_ca_cert
+      end
+
+      cert.extensions = [
+        ef.create_extension("basicConstraints","CA:TRUE", true),
+        ef.create_extension("subjectKeyIdentifier", "hash"),
+      ]
+      cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                             "keyid:always,issuer:always")
+
+      if parent_ca_id == nil
+        cert.sign key, OpenSSL::Digest::SHA512.new
+      else
+        cert.sign parent_ca_key, OpenSSL::Digest::SHA512.new
+      end
+
+      db.execute( "INSERT INTO private_keys (pem) VALUES ( ? )", key.to_pem )
+      private_key_id = db.last_insert_row_id
+
+      db.execute( "INSERT INTO certificates (private_key_id, pem) VALUES ( ?, ? )", private_key_id, cert.to_pem)
+
+      puts key.to_pem
+      puts cert.to_pem
+    end
+
+    # Checks if CA with given ID exists
+    def self.exists?(id)
+      File.exists?(self.db_path(id))
+    end
+
+    # Returns the path to a CA database
+    def self.db_path(id)
+      DevPKI::DataDirectory::absolute_path_for("ca_#{id}.db")
+    end
+
+  end
+end

data/lib/devpki/cli/ca/_hack.rb

@@ -0,0 +1,17 @@
+require 'devpki'
+require 'thor'
+
+module DevPKI
+  module SUBCLI
+    class CA < Thor
+
+      # Hack to override the help message produced by Thor.
+      # https://github.com/wycats/thor/issues/261#issuecomment-16880836
+      def self.banner(command, namespace = nil, subcommand = nil)
+        "#{basename} ca #{command.usage}"
+      end
+
+    end
+  end
+end
+

data/lib/devpki/cli/ca/delete.rb

@@ -0,0 +1,28 @@
+require 'devpki'
+require 'thor'
+require 'devpki/ca'
+require 'devpki/data_directory'
+
+module DevPKI
+  module SUBCLI
+    class CA < Thor
+      desc "delete <id> [-all]", "Delete a CA"
+      long_desc <<-LONGDESC
+        Deletes a certification authority (CA) and its database.
+
+        If ID is not given, it is assumed to be 0.
+
+        With option --all, all CA databases will be deleted.
+      LONGDESC
+      option :all, :type => :boolean
+      def delete(id=0)
+        if options[:all]
+          DevPKI::DataDirectory::reset_to_empty
+        else
+          DevPKI::CA.delete(id)
+          puts "CA database deleted."
+        end
+      end
+    end
+  end
+end

data/lib/devpki/cli/ca/init.rb

@@ -0,0 +1,31 @@
+require 'devpki'
+require 'thor'
+require 'devpki/ca'
+
+module DevPKI
+  module SUBCLI
+    class CA < Thor
+      desc "init <id> [--name=<name>] [--with-parent=<id>]", "Create a new CA"
+      long_desc <<-LONGDESC
+        Initializes a new certification authority (CA) with given ID. The given ID must not already be in use
+        by another CA.
+
+        The ID provides a way to specify which CA you wish to target with other commands.
+        You may omit the <id> argument, if you wish, in which case it is assumed to be 'default'.
+
+        You only need to specify ID, if you plan to use multiple CAs.
+
+        If the --name option is given, the value will be included in the CA's commmon name.
+
+        If the option --with-parent is given, the CA will be created as a subordinate CA to the specified parent CA.
+        Without this option, the CA will be created as a root CA.
+      LONGDESC
+      option :name, :banner => "<name>", :desc => "Value to include in the CA's certificate common name"
+      option :"with-parent", :banner => "<id>", :desc => "ID of the parent CA. If ommitted, the CA will be created as a root CA"
+
+      def init(id="default")
+        DevPKI::CA.init(id, options[:name], options[:"with-parent"])
+      end
+    end
+  end
+end

data/lib/devpki/cli/ocsp.rb

@@ -0,0 +1,121 @@
+require 'devpki'
+require 'thor'
+require 'net/http'
+
+module DevPKI
+  class CLI < Thor
+    desc "ocsp [--method=get|post] --uri=<ocsp uri> ISSUER_CER_FILE:SUBJ_A.CER[,SUBJ_B.CER...]...", "Performs an OCSP query"
+    long_desc <<-LONGDESC
+        This command performs an OCSP query against the given OCSP URI, over HTTP. To perform
+        a query, at least 2 certificates are needed - the CA certificate and the subject certificate
+        file that is to be checked for revocation.
+
+        Only HTTP POST method is supported at the moment (RFC 2560).
+
+        EXAMPLE:
+
+        To test subj_a.cer (issuer certificate ca.cer) against http://ocsp.ca.com:
+
+        > $ devpki ocsp --uri=http://ocsp.ca.com ca.cer:subj_a.cer
+
+
+    LONGDESC
+    option :method, :default => "post", :banner => "get|post", :desc => "Method to use. GET as per RFC5019, or POST as per RFC2560. Defaults to POST."
+    option :uri, :banner => "<ocsp uri>", :required => true, :desc => "OCSP responder URI."
+
+    def ocsp(*cer_files)
+
+      raise InvalidOption.new("Please specify at least one CA and subject certificate file.") if cer_files.empty?
+
+      ca_subj_map = {}
+      cer_files.each do |ca_subj_pair|
+        raise InvalidOption.new("\"#{ca_subj_pair}\" is an invalid CA and subject pair. Please pass a pair with format similar to \"ca.cer:a.cer[,b.cer...]\"") if not ca_subj_pair.include?(":")
+
+        ca_subjlist_split = ca_subj_pair.split(":")
+
+        ca_file = ca_subjlist_split.first
+
+        raise InvalidOption.new("No subject certificates specified for CA file \"#{ca_file}\". Please pass a pair with format similar to \"ca.cer:a.cer[,b.cer...]\"") if ca_subjlist_split.length != 2
+        subj_files = ca_subjlist_split.last.split(",")
+
+        ca_subj_map[ca_file] = subj_files
+      end
+
+      ca_subj_map.each_pair do |ca_file,subj_file_list|
+        raise InvalidOption.new("CA certificate file \"#{ca_file}\" does not exist.") if not File.exist?(ca_file)
+        subj_file_list.each do |subj_file|
+          raise InvalidOption.new("Subject certificate file \"#{subj_file}\" does not exist.") if not File.exist?(subj_file)
+        end
+      end
+
+      method = options[:method].upcase
+      raise InvalidOption.new("GET method not implemented yet.") if method == "GET"
+
+      ###### -------------- move this to DevPKI::OCSP
+
+      cert_ids = []
+      store = OpenSSL::X509::Store.new
+
+      ca_subj_map.each_pair do |ca_file, subj_file_list|
+        ca_cert = OpenSSL::X509::Certificate.new File.read(ca_file)
+        store.add_cert(ca_cert)
+
+        subj_file_list.each do |subj_file|
+          subj_cert = OpenSSL::X509::Certificate.new File.read(subj_file)
+
+          cert_ids << OpenSSL::OCSP::CertificateId.new(subj_cert, ca_cert)
+        end
+      end
+
+      request = OpenSSL::OCSP::Request.new
+      cert_ids.each do |cert_id|
+        request.add_certid(cert_id)
+      end
+
+      request_uri = URI(options[:uri])
+
+      http_req = Net::HTTP::Post.new(request_uri.path)
+      http_req.content_type = "application/ocsp-request"
+      http_req.body = request.to_der
+
+      http_response = Net::HTTP.new(request_uri.host, request_uri.port).start do |http|
+        http.request(http_req)
+      end
+
+      ## ----
+
+      if http_response.code != "200"
+        raise StandardError, "Invalid response code from OCSP responder: #{http_response.code}"
+      end
+
+      response = OpenSSL::OCSP::Response.new(http_response.body)
+      puts "Status: #{response.status}"
+      puts "Status string: #{response.status_string}"
+
+      if response.status != 0
+        raise StandardError, "Not a successful status"
+      end
+      if response.basic[0][0].serial != cert.serial
+        raise StandardError, "Not the same serial"
+      end
+      if response.basic[0][1] != 0 # 0 is good, 1 is revoked, 2 is unknown.
+        raise StandardError, "Not a good status"
+      end
+      current_time = Time.now
+      if response.basic[0][4] > current_time or response.basic[0][5] < current_time
+        raise StandardError, "The response is not within its validity window"
+      end
+
+      # we also need to verify that the OCSP response is signed by
+      # a certificate that is allowed and chains up to a trusted root.
+      # To do this you'll need to build an OpenSSL::X509::Store object
+      # that contains the certificate you're checking + intermediates + root.
+
+      if response.basic.verify([],store) != true
+        raise StandardError, "Response not signed by a trusted certificate"
+      end
+
+    end
+  end
+
+end

data/lib/devpki/cli.rb

@@ -0,0 +1,15 @@
+require 'thor'
+
+require 'devpki'
+require 'devpki/cli/ca/init'
+require 'devpki/cli/ca/delete'
+require 'devpki/cli/ca/_hack'
+
+require 'devpki/cli/ocsp'
+
+module DevPKI
+  class CLI < Thor
+    desc "ca [<id>] <command> [<args>]", "PKI CA functionality"
+    subcommand "ca", DevPKI::SUBCLI::CA
+  end
+end

data/lib/devpki/data_directory.rb

@@ -0,0 +1,35 @@
+require 'devpki'
+require 'fileutils'
+
+Dir["lib/devpki/cli/**/*.rb"].each {|file| require file[4..-1] }
+
+module DevPKI
+  class DataDirectory
+
+    # Only support OSX atm
+    def self.platform_supported?
+      (/darwin/ =~ RUBY_PLATFORM) != nil
+    end
+
+    def self.reset_to_empty
+      FileUtils.rm_rf(self.absolute_path)
+      self.get
+    end
+
+    def self.absolute_path
+      File.expand_path("~/Library/Application Support/devpki")
+    end
+
+    def self.absolute_path_for(file_name)
+      File.expand_path(file_name, self.absolute_path)
+    end
+
+    def self.get
+      if not Dir.exists?(self.absolute_path)
+        Dir.mkdir(self.absolute_path)
+      end
+      Dir.new(self.absolute_path)
+    end
+
+  end
+end

data/lib/devpki/version.rb

@@ -0,0 +1,3 @@
+module DevPKI
+  VERSION = "0.0.1"
+end

data/lib/devpki.rb

@@ -0,0 +1,14 @@
+require "devpki/version"
+
+module DevPKI
+  autoload :CLI, 'devpki/cli'
+
+  class DevPKIError < StandardError
+    def self.status_code(code)
+      define_method(:status_code) { code }
+    end
+  end
+
+  class InvalidOption < DevPKIError; status_code(10) ; end
+  class CADBError < DevPKIError; status_code(11) ; end
+end

metadata

@@ -0,0 +1,124 @@
+--- !ruby/object:Gem::Specification
+name: devpki
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jānis Kiršteins
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-10-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Tool for doing common PKI-related tasks
+email:
+- janis@montadigital.com
+executables:
+- devpki
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- LICENSE.txt
+- README.md
+- Rakefile
+- a.cer
+- b.cer
+- bin/devpki
+- c.cer
+- ca.crt
+- ca2.crt
+- d.cer
+- devpki.gemspec
+- lib/devpki.rb
+- lib/devpki/ca.rb
+- lib/devpki/cli.rb
+- lib/devpki/cli/ca/_hack.rb
+- lib/devpki/cli/ca/delete.rb
+- lib/devpki/cli/ca/init.rb
+- lib/devpki/cli/ocsp.rb
+- lib/devpki/data_directory.rb
+- lib/devpki/version.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.1.9
+signing_key: 
+specification_version: 4
+summary: Tool for doing common PKI-related tasks
+test_files: []