kybus-ssl 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2bf5e7b4893134432a12134b41fb41b318b7ef6928e5690a4ec2a978b06cebe
-  data.tar.gz: 9576e4b32580447fc71678eec7ee7f56e5a7a5c6f34e8d6015aee3d846a00bb1
+  metadata.gz: fa8499e77ca6b86352e3e7bcbcd89080419ff5ebf9122b681aecbb189ef3bbd4
+  data.tar.gz: 52d7ec328216a409462fbf398c6d99eea73dd0db08e847d9d6a4b30b15affcb8
 SHA512:
-  metadata.gz: 726fae80d20e37cc77fe945a33cbee37f093d39e862bb1228c0397c624c476144e91a26ddfefae7e2200c5a05aeaafba483c60c3c3986d31b83dd63afe080a09
-  data.tar.gz: c7adaeedef2ea71b15c948eb79eb70c8a10082a550aceba4b9a0965b974b6005b26169bc259872d0f7c9342645c25b8ee1d7826158b5999d9d1bd218371423e0
+  metadata.gz: a3b5bce4e64ac747d0738b560cf0c0a5a853ca0fe843b8860baf72a1960644bebd397ff61f6fc6710fdf6f336a49e02ca662803277c89e8fc7be52f633dc1f00
+  data.tar.gz: 73a58d32976e8b016eec3986c1f0e7a4939a364237769b7fa9e76e88ae8b4e615fe96313b50b2bce1c551c318763678dc2c01432c993d79d891bb1193f55e79a

data/bin/kybssl

@@ -0,0 +1,90 @@
+require 'optimist'
+require 'yaml'
+require './lib/kybus/ssl/cli'
+
+def run_init(opts)
+  Kybus::SSL::CLI::Init.new(opts).run
+end
+
+def run_add_ca(opts)
+  Kybus::SSL::CLI::AddCA.new(opts).run
+end
+
+def run_add_certificate(opts) 
+  Kybus::SSL::CLI::AddCertificate.new(opts).run
+end
+
+def run_revoke_certificate(opts); end
+
+def run_build(opts); end
+
+# Define expected commands and options
+commands = %i[init add_ca add_certificate revoke_certificate build]
+cmd = ARGV.shift&.to_sym || :help
+abort "Invalid command. Valid commands are: #{commands.join(', ')}" unless commands.include?(cmd)
+
+def global_params(context, cmd)
+  context.instance_eval do 
+    opt :pki_file, 'PKI File', type: :string, required: true
+    opt :team, 'Organization Unit name', type: :string, required: cmd == :init
+    opt :country, 'Organization Unit name', type: :string, required: cmd == :init
+    opt :state, 'Organization Unit name', type: :string, required: cmd == :init
+    opt :city, 'Organization Unit name', type: :string, required: cmd == :init
+    opt :organization, 'Organization Unit name', type: :string, required: cmd == :init
+  end
+end
+
+opts = case cmd
+       when :init
+         Optimist.options do
+           banner 'Usage: kybssl init [options]'
+           opt :outputdir, 'Output Directory', type: :string, default: 'pki'
+           opt :force, 'Overwrite file if it already exists', type: :bool, default: false
+           global_params(self, cmd)
+          end
+        when :add_ca
+         Optimist.options do
+           banner 'Usage: kybssl add-ca [options]'
+           opt :caname, 'CA Name', type: :string, required: true
+           opt :name, 'Common Name', type: :string, required: true
+           opt :expiration, 'Validity Years', type: :integer, default: 10
+           opt :keysize, 'Key Size', type: :integer, default: 2048
+           opt :parent, 'Parent CA', type: :string, default: 'root'
+           global_params(self, cmd)
+          end
+        when :add_certificate
+         Optimist.options do
+           banner 'Usage: kybssl add-certificate [options]'
+           opt :name, 'Common Name', type: :string, required: true
+           opt :email, 'User Email', type: :string, require: true
+           opt :dns, 'Server DNS', type: :string
+           opt :ca, 'CA Name', type: :string, required: true
+           opt :expiration, 'Validity Years', type: :integer, default: 5
+           opt :type, 'Type of certificate client|server', type: :string, default: 'client'
+           global_params(self, cmd)
+          end
+        when :revoke_certificate
+          Optimist.options do
+            banner 'Usage: kybssl revoke-certificate [options]'
+            opt :serial, 'Certificate Serial', type: :string, required: true
+            global_params(self, cmd)
+          end
+        when :build
+          Optimist.options do
+            banner 'Usage: kybssl build [options]'
+            global_params(self, cmd)
+         end
+       end
+
+case cmd
+when :init
+  run_init(opts)
+when :add_ca
+  run_add_ca(opts)
+when :add_certificate
+  run_add_certificate(opts)
+when :revoke_certificate
+  run_revoke_certificate(opts)
+when :build
+  run_build(opts)
+end

data/lib/kybus/ssl/certificate.rb

@@ -39,7 +39,7 @@ module Kybus
 
       def sign!
         @cert.issuer = @ca.cert.subject
-        @cert.sign(@ca.key, OpenSSL::Digest::SHA256.new)
+        @cert.sign(@ca.key, OpenSSL::Digest.new('SHA256'))
       end
 
       def save!

data/lib/kybus/ssl/cli/add_ca.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Kybus
+  module SSL
+    module CLI
+      class AddCA < BaseCommand
+        def run
+          load_template
+          update_yaml_file
+        end
+
+        private
+
+        def update_yaml_file
+          new_ca = {
+            caname: @opts[:caname],
+            name: @opts[:name],
+            expiration: @opts[:expiration],
+            key_size: @opts[:key_size],
+            parent: @opts[:parent] || 'root',
+            serial: next_serial,
+            extensions: {
+              basicConstraints: {
+                details: 'CA:true, pathlen:0',
+                critical: true
+              }
+            }
+          }
+
+          @template['certificate_descriptions']['authorities']['certificates'] << new_ca
+
+          save_template
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli/add_certificate.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Kybus
+  module SSL
+    module CLI
+      class AddCertificate < BaseCommand
+        def run
+          load_template
+          update_yaml_file
+        end
+
+        private
+
+        def update_yaml_file
+          new_certificate = {
+            parent: @opts[:ca],
+            name: @opts[:name],
+            expiration: @opts[:expiration],
+            key_size: @opts[:key_size],
+            serial: next_serial,
+            organization: @opts[:org],
+            team: @opts[:team],
+            country: @opts[:country],
+            city: @opts[:city],
+            state: @opts[:state],
+            email: @opts[:email],
+            revoked: false
+          }.compact
+
+          @template['certificate_descriptions']['clients']['certificates'] << new_certificate
+
+          save_template
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli/base_command.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Kybus
+  module SSL
+    module CLI
+      class BaseCommand
+        def initialize(opts)
+          @opts = opts
+        end
+
+        def transform_keys_recursively(hash)
+          hash.each_with_object({}) do |(key, value), new_hash|
+            new_key = key.is_a?(Symbol) ? key.to_s : key
+            new_value = if value.is_a?(Hash)
+                          transform_keys_recursively(value)
+                        elsif value.is_a?(Array)
+                          value.map { |v| transform_keys_recursively(v) }
+                        else
+                          value
+                        end
+            new_hash[new_key] = new_value
+          end
+        end
+
+        def load_template
+          @template = YAML.load_file(@opts[:pki_file])
+        end
+
+        def save_template
+          @template = transform_keys_recursively(@template)
+          File.write(@opts[:pki_file], @template.to_yaml)
+        end
+
+        def next_serial
+          @template['serial_counter'] += 1
+        end
+
+        def pki_file_exist?
+          File.file?(@opts[:pki_file])
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli/init.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Kybus
+  module SSL
+    module CLI
+      class Init < BaseCommand
+        def build_default_config
+          @template = {
+            serial_counter: 3,
+            certificate_descriptions: {
+              defaults: certificate_defaults,
+              authorities: default_authorities,
+              clients: default_clients_config,
+              servers: default_servers_config
+            }
+          }
+        end
+
+        def default_certificate_extensions
+          {
+            subjectKeyIdentifier: {
+              details: 'hash',
+              critical: false
+            },
+            authorityKeyIdentifier: {
+              details: 'keyid:always',
+              critical: false
+            },
+            basicConstraints: {
+              details: 'CA:false',
+              critical: false
+            }
+          }
+        end
+
+        def certificate_defaults
+          {
+            saving_directory: @opts[:outputdir],
+            country: @opts[:country],
+            state: @opts[:state],
+            city: @opts[:city],
+            organization: @opts[:organization],
+            team: @opts[:team],
+            key_size: @opts[:key_size],
+            expiration: 5,
+            extensions: default_certificate_extensions
+          }
+        end
+
+        def root_ca
+          {
+            name: "#{@opts[:organization]} Root CA",
+            expiration: 20,
+            serial: 1,
+            key_size: 4096,
+            ca: 'root',
+            parent: 'root'
+          }
+        end
+
+        def servers_ca
+          {
+            name: "#{@opts[:organization]} Servers CA",
+            parent: 'root',
+            expiration: 10,
+            serial: 2,
+            ca: 'servers',
+            key_size: 2048,
+            extensions: {
+              basicConstraints: {
+                details: 'CA:true, pathlen:0',
+                critical: true
+              }
+            }
+          }
+        end
+
+        def clients_ca
+          {
+            name: "#{@opts[:organization]} Clients CA",
+            parent: 'root',
+            expiration: 10,
+            serial: 3,
+            ca: 'clients',
+            key_size: 2048,
+            extensions: {
+              basicConstraints: {
+                details: 'CA:true, pathlen:0',
+                critical: true
+              }
+            }
+          }
+        end
+
+        def default_authorities
+          {
+            defaults: {
+              parent: 'root',
+              extensions: {
+                basicConstraints: {
+                  details: 'CA:true',
+                  critical: true
+                },
+                keyUsage: {
+                  details: 'Digital Signature, keyCertSign, cRLSign',
+                  critical: true
+                }
+              }
+            },
+            certificates: [root_ca, servers_ca, clients_ca]
+          }
+        end
+
+        def default_servers_config
+          {
+            defaults: {
+              parent: 'servers',
+              extensions: {
+                'Netscape Cert Type': {
+                  details: 'SSL Server',
+                  critical: false
+                },
+                'Netscape Comment': {
+                  details: 'Server certificate',
+                  critical: false
+                },
+                keyUsage: {
+                  details: 'Digital Signature, Key Encipherment',
+                  critical: true
+                },
+                extendedKeyUsage: {
+                  details: 'TLS Web Server Authentication',
+                  critical: false
+                },
+                authorityKeyIdentifier: {
+                  details: 'keyid, issuer:always',
+                  critical: false
+                },
+                subjectAltName: {
+                  details: '$dns',
+                  critical: false
+                }
+              }
+            },
+            certificates: []
+          }
+        end
+
+        def default_clients_config
+          {
+            defaults: {
+              parent: 'clients',
+              extensions: {
+                'Netscape Cert Type': {
+                  details: 'SSL Client, S/MIME',
+                  critical: false
+                },
+                'Netscape Comment': {
+                  details: 'Client certificate',
+                  critical: false
+                },
+                keyUsage: {
+                  details: 'Digital Signature, Non Repudiation, Key Encipherment',
+                  critical: true
+                },
+                extendedKeyUsage: {
+                  details: 'TLS Web Client Authentication, E-mail Protection',
+                  critical: false
+                },
+                subjectAltName: {
+                  details: '$email',
+                  critical: false
+                }
+              },
+              team: @opts[:team]
+            },
+            certificates: []
+          }
+        end
+
+        def run
+          abort 'File already exists. Use --force to overwrite.' if pki_file_exist? && !@opts[:force]
+          build_default_config
+          save_template
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require_relative 'cli/init'
+require_relative 'cli/add_ca'
+require_relative 'cli/add_certificate'
+require_relative 'cli/revoke_certificate'

data/lib/kybus/ssl/configuration.rb

@@ -26,8 +26,8 @@ module Kybus
 
       def subject_string
         "/C=#{@config['country']}/ST=#{@config['state']}" \
-        "/L=#{@config['city']}/O=#{@config['organization']}" \
-        "/OU=#{@config['team']}/CN=#{@config['name']}"
+          "/L=#{@config['city']}/O=#{@config['organization']}" \
+          "/OU=#{@config['team']}/CN=#{@config['name']}"
       end
 
       def configure_cert_details!(cert)
@@ -35,14 +35,23 @@ module Kybus
         cert.serial = @config['serial']
         cert.subject = OpenSSL::X509::Name.parse(subject_string)
         cert.not_before = Time.now
-        cert.not_after = cert.not_before + ONE_YEAR * @config['expiration']
+        cert.not_after = cert.not_before + (ONE_YEAR * @config['expiration'])
+      end
+
+      def apply_placeholders(description)
+        if description.include?('$')
+          description.gsub('$email', "email:#{@config['email']}").gsub('$dns', "DNS:#{@config['dns']}")
+        else
+          description
+        end
       end
 
       def configure_extensions!(cert, extension_factory)
         @config['extensions'].each do |name, details|
+          applied_description = apply_placeholders(details['details'])
           extension = extension_factory.create_extension(
             name,
-            details['details'],
+            applied_description,
             details['critical']
           )
           cert.add_extension(extension)

data/lib/kybus/ssl/inventory.rb

@@ -47,6 +47,8 @@ module Kybus
     # configurations.
     class SubInventory
       def initialize(configs, inventory)
+        raise 'Nil config' if configs.nil?
+
         defaults = configs['defaults']
         @parent = inventory
         @certificates = configs['certificates'].map do |cert|
@@ -64,7 +66,10 @@ module Kybus
       end
 
       def ca(name)
-        @certificates.find { |cert| cert.ca_name == name }
+        ca = @certificates.find { |cert| cert.ca_name == name }
+        raise "CA #{name} not found" if ca.nil?
+
+        ca
       end
     end
   end

data/lib/kybus/ssl/revocation_list.rb

@@ -4,7 +4,9 @@ module Kybus
   module SSL
     # Generates revocation list after revocating a list of certs
     # TODO: Implement CRL
+    # rubocop: disable Lint/EmptyClass
     class RevocationList
     end
+    # rubocop: enable Lint/EmptyClass
   end
 end

data/lib/kybus/ssl/version.rb

@@ -2,6 +2,6 @@
 
 module Kybus
   module SSL
-    VERSION = '0.1.0'
+    VERSION = '0.2.0'
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: kybus-ssl
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Gilberto Vargas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-15 00:00:00.000000000 Z
+date: 2024-07-03 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: optimist
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -97,12 +111,21 @@ dependencies:
 description: Package for creating self signed certificates for development purpose
 email:
 - tachoguitar@gmail.com
-executables: []
+executables:
+- kybssl
 extensions: []
 extra_rdoc_files: []
 files:
+- bin/kybssl
 - lib/kybus/ssl.rb
 - lib/kybus/ssl/certificate.rb
+- lib/kybus/ssl/cli.rb
+- lib/kybus/ssl/cli/add_ca.rb
+- lib/kybus/ssl/cli/add_certificate.rb
+- lib/kybus/ssl/cli/base_command.rb
+- lib/kybus/ssl/cli/build.rb
+- lib/kybus/ssl/cli/init.rb
+- lib/kybus/ssl/cli/revoke_certificate.rb
 - lib/kybus/ssl/configuration.rb
 - lib/kybus/ssl/inventory.rb
 - lib/kybus/ssl/revocation_list.rb
@@ -110,7 +133,8 @@ files:
 homepage: https://github.com/KueskiEngineering/ruby-kybus-server
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -126,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.5.14
 signing_key: 
 specification_version: 4
 summary: Kybus SSL tools