easyrsa 0.8.7 → 0.8.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fe4035b45f24782945a5239477699a36ed66fb61
-  data.tar.gz: 842a58ec4aac111a191543e27833e53ec4f44426
+  metadata.gz: 7fa9cf5b884cc68b84ff21e52db1eaaafbb69b15
+  data.tar.gz: dd908e243b962cced5a44ec18a495500593318d5
 SHA512:
-  metadata.gz: 9aced2e1916541a1bbc0cd01f0e4fed34f2d3cf207c04d188b7f02481bd1673a01b75c0d2097a8a4fb43c383b3bbd87cc7a02f9269c6bb9f6287eef1f464eef3
-  data.tar.gz: c303daecc9a2192291abf343428984cc524a902279d729ae3bb5a7b83c824bdcdba614a3139ec9ca1531e45d482f6d8954158b0ca7602519fea2612b7fc2d247
+  metadata.gz: 14ea6fd8fdcfd844a899fa780dddde3dddffd404d7ef67eed87b8e0c8fa7d72987f42cdef25c644532b46bdf47ac560387173ccd6e1a806f5cf860b894d6afdc
+  data.tar.gz: 26efe7bb691969445ba2b1cb5d9d88babac9769bca72d60690813445e8c6f39541a3931d85fea72dd273fc84238715bd2b18a176068ad06084bb076f831e3957

data/README.md

@@ -44,7 +44,9 @@ EasyRSA.configure do |issuer|
 end
 ```
 
-then use the `EasyRSA::Certificate` class to generate the certificate:
+### Generate a Client Certificate
+
+Use the `EasyRSA::Certificate` class to generate the certificate:
 
 ```ruby
 cn = 'Users Common Name'
@@ -64,4 +66,19 @@ The following can be used to create a Certificate Authority:
 ca = EasyRSA::CA.new('CN=openvpn/DC=example/DC=com')
 g = ca.generate
  #=> [:key => '...RSA KEY...', :crt => '...CERTIFICATE...']
+```
+
+
+### Revoking Certificates
+
+The following can be used to create revoke a certificate:
+
+```ruby
+easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+g = easyrsa.generate
+
+r = EasyRSA::Revoke.new g[:crt]
+crl = r.revoke! @ca_key
+ #=> -----BEGIN X509 CRL-----
+ #   MIIBjTCB9wIBATANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCVVMxETAPBgNV
 ```

data/easyrsa.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |s|
 
   s.name        = 'easyrsa'
   s.version     = EasyRSA::VERSION
-  s.date        = '2015-04-28'
+  s.date        = '2015-04-29'
   s.summary     = "EasyRSA interface for generating OpenVPN certificates"
   s.description = "Easily generate OpenVPN certificates without needing the easyrsa packaged scripts"
   s.authors     = ["Mike Mackintosh"]

data/lib/easyrsa.rb

@@ -5,7 +5,7 @@ require 'easyrsa/config'
 require 'easyrsa/certificate'
 require 'easyrsa/ca'
 #require 'easyrsa/cli'
-#require 'easyrsa/revoke'
+require 'easyrsa/revoke'
 
 module EasyRSA
 
@@ -30,4 +30,18 @@ module EasyRSA
     Time.now + i * 365 * 24 * 60 * 60
   end
 
+# Helper for issuer details
+  def gen_issuer
+    OpenSSL::X509::Name.parse("/C=#{EasyRSA::Config.country}/" \
+      "L=#{EasyRSA::Config.city}/O=#{EasyRSA::Config.company}/OU=#{EasyRSA::Config.orgunit}/" \
+      "CN=#{EasyRSA::Config.server}/name=#{EasyRSA::Config.orgunit}/" \
+      "emailAddress=#{EasyRSA::Config.email}")
+  end
+
+# Helper for generating serials
+  def gen_serial(id)
+    # Must always be unique, so we do date and id's chars
+    "#{Time.now.strftime("%Y%m%d%H%M%S")}#{id.unpack('c*').join.to_i}".to_i
+  end
+
 end

data/lib/easyrsa/certificate.rb

@@ -66,14 +66,14 @@ module EasyRSA
       @cert.public_key = @key.public_key
 
       # Generate and assign the serial
-      @cert.serial = gen_serial
+      @cert.serial = EasyRSA::gen_serial(@id)
       
+      # Generate issuer
+      @cert.issuer = EasyRSA::gen_issuer
+
       # Generate subject
       gen_subject
 
-      # Generate issuer
-      gen_issuer
-
       # Add extensions
       add_extensions
 
@@ -92,14 +92,6 @@ module EasyRSA
           "L=#{EasyRSA::Config.city}/O=#{EasyRSA::Config.company}/OU=#{EasyRSA::Config.orgunit}/CN=#{@id}/" \
           "name=#{@id}/emailAddress=#{@email}")
       end
-     
-      # Cert issuer details
-      def gen_issuer
-        @cert.issuer = OpenSSL::X509::Name.parse("/C=#{EasyRSA::Config.country}/" \
-          "L=#{EasyRSA::Config.city}/O=#{EasyRSA::Config.company}/OU=#{EasyRSA::Config.orgunit}/" \
-          "CN=#{EasyRSA::Config.server}/name=#{EasyRSA::Config.orgunit}/" \
-          "emailAddress=#{EasyRSA::Config.email}")
-      end
 
       def add_extensions
         ef = OpenSSL::X509::ExtensionFactory.new
@@ -119,11 +111,6 @@ module EasyRSA
                                                 'keyid,issuer:always')
       end
 
-      def gen_serial
-        # Must always be unique, so we do date and @id's chars
-        "#{Time.now.strftime("%Y%m%d%H%M%S")}#{@id.unpack('c*').join.to_i}".to_i
-      end
-
       def sign_cert_with_ca
         @cert.sign @ca_key, OpenSSL::Digest::SHA256.new
       end

data/lib/easyrsa/revoke.rb

@@ -0,0 +1,90 @@
+module EasyRSA
+  class Revoke
+
+    class InvalidCertificate < RuntimeError; end
+    class UnableToRevoke < RuntimeError; end
+    class MissingParameter < RuntimeError; end
+    class MissingCARootKey < RuntimeError; end
+    class InvalidCARootPrivateKey < RuntimeError; end
+    class InvalidCertificateRevocationList < RuntimeError; end
+
+  # Lets get revoking 
+    def initialize(revoke=nil, &block)
+      if revoke.nil?
+        fail EasyRSA::Revoke::InvalidCertificate, 
+          'Unable to revoke this cert because it is not a certificate'
+      end
+
+    # TODO: Make this a bit better in checking serial vs cert
+      if revoke.include?('BEGIN CERTIFICATE')
+        cert = OpenSSL::X509::Certificate.new(revoke)
+        serialToRevoke = cert.serial
+      else
+        serialToRevoke = revoke
+      end
+      
+    # Create the revoked object
+      @revoked = OpenSSL::X509::Revoked.new
+
+    # Add serial and timestamp of revocation
+      @revoked.serial = serialToRevoke
+      @revoked.time = Time.now
+
+    end
+
+    def revoke!(cakey=nil, crl=nil, next_update=36000)
+      if cakey.nil?
+        fail EasyRSA::Revoke::MissingCARootKey,
+          'Please provide the root CA cert for the CRL'
+      end
+
+    # Get cert details if it's in a file
+      unless cakey.is_a? OpenSSL::PKey::RSA
+        begin
+          cakey = OpenSSL::PKey::RSA.new File.read cakey
+        rescue OpenSSL::PKey::RSAError => e
+          fail EasyRSA::Revoke::InvalidCARootPrivateKey,
+            'This is not a valid Private key file.'
+        end
+      end
+
+    # This is not a private key
+      unless cakey.private?
+        fail EasyRSA::Revoke::InvalidCARootPrivateKey,
+          'This is not a valid Private key file.'
+      end
+
+    # Create or load the CRL
+      unless crl.nil?
+        begin
+          @crl = OpenSSL::X509::CRL.new crl
+        rescue
+          fail EasyRSA::Revoke::InvalidCertificateRevocationList,
+            'Invalid CRL provided.'
+        end
+      else
+        @crl = OpenSSL::X509::CRL.new
+      end
+
+    # Add the revoked cert
+      @crl.add_revoked(@revoked)
+
+    # Needed CRL options
+      @crl.last_update = @revoked.time
+      @crl.next_update = Time.now + next_update
+      @crl.version = 1
+
+    # Update the CRL issuer
+      @crl.issuer = EasyRSA::gen_issuer
+
+    # Sign the CRL
+      @updated_crl = @crl.sign(cakey, OpenSSL::Digest::SHA256.new)
+      @updated_crl
+    end
+
+    def to_pem
+      @updated_crl.to_pem
+    end
+
+  end
+end

data/lib/easyrsa/version.rb

@@ -1,3 +1,3 @@
 module EasyRSA
-  VERSION = '0.8.7'
+  VERSION = '0.8.9'
 end

data/spec/easyrsa/02_certificate_spec.rb

@@ -70,6 +70,13 @@ describe EasyRSA::Certificate, 'Should' do
 
   end
 
+  it 'gets generates a valid serial' do
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+    r = OpenSSL::X509::Certificate.new g[:crt]
+    expect("#{r.serial}").to include("#{Time.now.year}")
+  end  
+
 end
 
 @client_id = "sexyhorse"

data/spec/easyrsa/04_revocation_spec.rb

@@ -0,0 +1,101 @@
+require File.join(File.dirname(__FILE__), '..', 'spec_helper')
+
+describe EasyRSA::Revoke, 'Should' do
+  include_context "shared environment"
+
+  before do
+    EasyRSA.configure do |issuer|
+      issuer.email = @email
+      issuer.server = @server
+      issuer.country = @country
+      issuer.city = @city
+      issuer.company = @company
+      issuer.orgunit = @orgunit
+    end
+  end
+
+  it 'throw error when arguments are missing' do
+    expect {
+      EasyRSA::Revoke.new
+    }.to raise_error(EasyRSA::Revoke::InvalidCertificate)
+  end
+
+  it 'gets serial of cert to revoke' do
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+    r = OpenSSL::X509::Certificate.new g[:crt]
+    expect("#{r.serial}").to include("#{Time.now.year}")
+  end
+
+  it 'throw error if no CA root is provided' do
+
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+
+    expect{
+      r = EasyRSA::Revoke.new g[:crt]
+      r.revoke!
+    }.to raise_error(EasyRSA::Revoke::MissingCARootKey)
+  end
+
+  it 'throw error if and invalid ca key is provided' do
+
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+
+    expect{
+      r = EasyRSA::Revoke.new g[:crt]
+      crl = r.revoke! @ca_cert
+    }.to raise_error(EasyRSA::Revoke::InvalidCARootPrivateKey)
+
+  end
+
+  it 'should throw InvalidCertificateRevocationList if an invalid CRL is provided' do
+    existing_crl = <<CERT
+-----BEGIN asdfsd CRL-----
+CERT
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+
+    expect{
+      r = EasyRSA::Revoke.new g[:crt]
+      crl = r.revoke! @ca_key, existing_crl
+    }.to raise_error(EasyRSA::Revoke::InvalidCertificateRevocationList)
+  end
+
+  it 'should successfully revoke certificate by cert pem format' do
+
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+
+    r = EasyRSA::Revoke.new g[:crt]
+    crl = r.revoke! @ca_key
+    
+    expect(crl.to_pem).to include('BEGIN X509 CRL')
+  end
+
+  it 'should successfully revoke certificate with existing CRL' do
+    existing_crl = <<CERT
+-----BEGIN X509 CRL-----
+MIIBjTCB9wIBATANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCVVMxETAPBgNV
+BAcMCE5ldyBZb3JrMRgwFgYDVQQKDA9NaWtlIE1hY2tpbnRvc2gxGTAXBgNVBAsM
+EEVhc3lSU0EgR2VtIFRlc3QxGTAXBgNVBAMMEGVhc3lyc2EtZ2VtLXRlc3QxGTAX
+BgNVBCkMEEVhc3lSU0EgR2VtIFRlc3QxFzAVBgkqhkiG9w0BCQEWCG1AenlwLmlv
+Fw0xNTA0MjkxNDM4NTJaFw0xNTA0MzAwMDM4NTJaMB4wHAILEKsE81b0gfC2kJ0X
+DTE1MDQyOTE0Mzg1MlowDQYJKoZIhvcNAQELBQADgYEArJjrQAcaSYTHPZwpb5h4
+VQ47w5KkhWgA1moHelF8KnXwnoV9Cxkm3ztuaDQMMiPyiVB3WLBAqVkkq79SncLk
+YsBIP73qW2Hn5b8ZCw+RhlBHvigxKakGIywRGy3+u7P1Jc1s6TVzvSeP5OOzAxNP
+f8Tj/fu1lbvyRsPt+XHC+wY=
+-----END X509 CRL-----
+CERT
+    easyrsa = EasyRSA::Certificate.new(@ca_cert, @ca_key, 'mike', 'mike@ruby-easyrsa.gem')
+    g = easyrsa.generate
+
+    r = EasyRSA::Revoke.new g[:crt]
+    crl = r.revoke! @ca_key, existing_crl
+
+    expect(crl.to_pem).to include('BEGIN X509 CRL')
+    expect(existing_crl).to_not eql(crl.to_pem)
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: easyrsa
 version: !ruby/object:Gem::Version
-  version: 0.8.7
+  version: 0.8.9
 platform: ruby
 authors:
 - Mike Mackintosh
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-28 00:00:00.000000000 Z
+date: 2015-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: openssl
@@ -112,12 +112,14 @@ files:
 - lib/easyrsa/ca.rb
 - lib/easyrsa/certificate.rb
 - lib/easyrsa/config.rb
+- lib/easyrsa/revoke.rb
 - lib/easyrsa/version.rb
 - spec/cacert.pem
 - spec/cakey.pem
 - spec/easyrsa/01_config_spec.rb
 - spec/easyrsa/02_certificate_spec.rb
 - spec/easyrsa/03_ca_spec.rb
+- spec/easyrsa/04_revocation_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/mikemackintosh/ruby-easyrsa
 licenses:
@@ -149,4 +151,5 @@ test_files:
 - spec/easyrsa/01_config_spec.rb
 - spec/easyrsa/02_certificate_spec.rb
 - spec/easyrsa/03_ca_spec.rb
+- spec/easyrsa/04_revocation_spec.rb
 - spec/spec_helper.rb