kybus-ssl 0.2.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa8499e77ca6b86352e3e7bcbcd89080419ff5ebf9122b681aecbb189ef3bbd4
-  data.tar.gz: 52d7ec328216a409462fbf398c6d99eea73dd0db08e847d9d6a4b30b15affcb8
+  metadata.gz: 6b608e41afe35bae9646207f98879a12ab73e3754ccb344115729f2cb0a774c3
+  data.tar.gz: cc05b289a65b53859ff5b2f30579cd2bbf8d7195f12a28b601ab9aa45cc45f19
 SHA512:
-  metadata.gz: a3b5bce4e64ac747d0738b560cf0c0a5a853ca0fe843b8860baf72a1960644bebd397ff61f6fc6710fdf6f336a49e02ca662803277c89e8fc7be52f633dc1f00
-  data.tar.gz: 73a58d32976e8b016eec3986c1f0e7a4939a364237769b7fa9e76e88ae8b4e615fe96313b50b2bce1c551c318763678dc2c01432c993d79d891bb1193f55e79a
+  metadata.gz: 8bd173d87ad8ce311af2e4c35bd29a7a6376ce2805a0b308c7a8ac21509708a16965ef01134b3ac564a1541085858d851556fb488dd4a9bb17335603d0d786e5
+  data.tar.gz: 1a94c96c310f264110bd59dcf7eecf0063ac467de48a8de72c7c46c5779fe74d30109a11b00d142a576d925f03a32498ff0adf0faf873831a8b1314daed74158

data/lib/kybus/ssl/certificate.rb

@@ -1,16 +1,27 @@
 # frozen_string_literal: true
 
 require 'openssl'
+require 'securerandom'
 
 module Kybus
   module SSL
     # Stores a X509 certificate.
     class Certificate
-      attr_reader :cert, :key
+      attr_reader :cert, :key, :config
 
       def initialize(config, inventory)
         @config = config
         @inventory = inventory
+
+        if File.file?(@config.key_path) && File.file?(@config.crt_path)
+          load_key!
+        else
+          create_key!
+        end
+      end
+
+      def create_key!
+        puts @config.instance_variable_get(:@config)
         @key = OpenSSL::PKey::RSA.new(@config['key_size'])
         @cert = OpenSSL::X509::Certificate.new
         @cert.public_key = @key.public_key
@@ -18,8 +29,15 @@ module Kybus
         @extensions.subject_certificate = @cert
       end
 
+      def load_key!
+        @key = OpenSSL::PKey::RSA.new(File.read(@config.key_path))
+        @cert = OpenSSL::X509::Certificate.new(File.read(@config.crt_path))
+      end
+
       def create!
-        return if File.file?(@config.key_path)
+        if File.file?(@config.key_path) && File.file?(@config.crt_path)
+          return puts "Certificate already exists #{@config.key_path} #{@cert.subject}"
+        end
 
         @ca = @inventory.ca(@config['parent'])
         configure_details!
@@ -43,8 +61,18 @@ module Kybus
       end
 
       def save!
+        puts "Saving certificate #{@cert.subject}"
         File.write(@config.key_path, @key.to_s)
         File.write(@config.crt_path, @cert.to_s)
+        export_to_pfx!
+      end
+
+      def export_to_pfx!
+        passphrase = SecureRandom.alphanumeric(15)
+        chain = [@cert] + @inventory.ca_cert_chain(@config['parent'])
+        pkcs12 = OpenSSL::PKCS12.create(passphrase, @config['email'] || @config['name'], @key, @cert, chain)
+        File.write(@config.pfx_path, pkcs12.to_der)
+        puts "PFX certificate saved with passphrase: #{passphrase}"
       end
 
       def ca_name

data/lib/kybus/ssl/cli/add_ca.rb

@@ -11,21 +11,19 @@ module Kybus
 
         private
 
+        KEYS = %i[caname name expiration key_size].freeze
+
         def update_yaml_file
-          new_ca = {
-            caname: @opts[:caname],
-            name: @opts[:name],
-            expiration: @opts[:expiration],
-            key_size: @opts[:key_size],
-            parent: @opts[:parent] || 'root',
-            serial: next_serial,
-            extensions: {
-              basicConstraints: {
-                details: 'CA:true, pathlen:0',
-                critical: true
-              }
-            }
-          }
+          new_ca = opts_to_cert_config(KEYS,
+                                       parent: @opts[:ca] || 'root',
+                                       serial: next_serial,
+                                       name: @opts[:ca_name],
+                                       extensions: {
+                                         basicConstraints: {
+                                           details: 'CA:true, pathlen:0',
+                                           critical: true
+                                         }
+                                       })
 
           @template['certificate_descriptions']['authorities']['certificates'] << new_ca
 

data/lib/kybus/ssl/cli/add_certificate.rb

@@ -11,21 +11,15 @@ module Kybus
 
         private
 
+        KEYS = %i[name expiration key_size team country city state email].freeze
+
         def update_yaml_file
-          new_certificate = {
-            parent: @opts[:ca],
-            name: @opts[:name],
-            expiration: @opts[:expiration],
-            key_size: @opts[:key_size],
-            serial: next_serial,
-            organization: @opts[:org],
-            team: @opts[:team],
-            country: @opts[:country],
-            city: @opts[:city],
-            state: @opts[:state],
-            email: @opts[:email],
-            revoked: false
-          }.compact
+          new_certificate = opts_to_cert_config(KEYS, {
+                                                  parent: @opts[:ca],
+                                                  serial: next_serial,
+                                                  organization: @opts[:org],
+                                                  revoked: false
+                                                })
 
           @template['certificate_descriptions']['clients']['certificates'] << new_certificate
 

data/lib/kybus/ssl/cli/base_command.rb

@@ -22,6 +22,12 @@ module Kybus
           end
         end
 
+        def opts_to_cert_config(keys, extra_args)
+          cert = {}
+          keys.each { |key| cert[key] = @opts[key] }
+          cert.merge(extra_args).compact
+        end
+
         def load_template
           @template = YAML.load_file(@opts[:pki_file])
         end

data/lib/kybus/ssl/cli/build.rb

@@ -0,0 +1,12 @@
+module Kybus
+  module SSL
+    module CLI
+      class Build < BaseCommand
+        def run
+          inv = Kybus::SSL::Inventory.load_inventory(@opts[:pki_file])
+          inv.create_certificates!
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli/init.rb

@@ -5,6 +5,16 @@ require_relative 'base_command'
 module Kybus
   module SSL
     module CLI
+      DEFAULT_EXPIRATION = 5
+      ROOT_CA_EXPIRATION = 20
+      SUB_CA_EXPIRATION = 10
+      ROOT_CA_SERIAL = 1
+      SERVERS_CA_SERIAL = 2
+      CLIENTS_CA_SERIAL = 3
+      ROOT_CA_KEY_SIZE = 4096
+      SUB_CA_KEY_SIZE = 2048
+      SERVERS_CA_EXPIRATION = 5
+
       class Init < BaseCommand
         def build_default_config
           @template = {
@@ -20,78 +30,51 @@ module Kybus
 
         def default_certificate_extensions
           {
-            subjectKeyIdentifier: {
-              details: 'hash',
-              critical: false
-            },
-            authorityKeyIdentifier: {
-              details: 'keyid:always',
-              critical: false
-            },
-            basicConstraints: {
-              details: 'CA:false',
-              critical: false
-            }
+            subjectKeyIdentifier: extension_details('hash'),
+            authorityKeyIdentifier: extension_details('keyid:always'),
+            basicConstraints: extension_details('CA:false')
           }
         end
 
+        def extension_details(details, critical: false)
+          { details:, critical: }
+        end
+
         def certificate_defaults
           {
-            saving_directory: @opts[:outputdir],
+            saving_directory: @opts[:path],
             country: @opts[:country],
             state: @opts[:state],
             city: @opts[:city],
             organization: @opts[:organization],
             team: @opts[:team],
             key_size: @opts[:key_size],
-            expiration: 5,
+            expiration: DEFAULT_EXPIRATION,
             extensions: default_certificate_extensions
           }
         end
 
         def root_ca
-          {
-            name: "#{@opts[:organization]} Root CA",
-            expiration: 20,
-            serial: 1,
-            key_size: 4096,
-            ca: 'root',
-            parent: 'root'
-          }
+          ca_config("#{@opts[:organization]} Root CA", ROOT_CA_EXPIRATION, ROOT_CA_SERIAL, ROOT_CA_KEY_SIZE, 'root',
+                    'root')
         end
 
         def servers_ca
-          {
-            name: "#{@opts[:organization]} Servers CA",
-            parent: 'root',
-            expiration: 10,
-            serial: 2,
-            ca: 'servers',
-            key_size: 2048,
-            extensions: {
-              basicConstraints: {
-                details: 'CA:true, pathlen:0',
-                critical: true
-              }
-            }
-          }
+          sub_ca_config("#{@opts[:organization]} Servers CA", SERVERS_CA_EXPIRATION, SERVERS_CA_SERIAL, 'servers')
         end
 
         def clients_ca
-          {
-            name: "#{@opts[:organization]} Clients CA",
-            parent: 'root',
-            expiration: 10,
-            serial: 3,
-            ca: 'clients',
-            key_size: 2048,
-            extensions: {
-              basicConstraints: {
-                details: 'CA:true, pathlen:0',
-                critical: true
-              }
-            }
-          }
+          sub_ca_config("#{@opts[:organization]} Clients CA", SUB_CA_EXPIRATION, CLIENTS_CA_SERIAL, 'clients')
+        end
+
+        def ca_config(name, expiration, serial, key_size, ca, parent, extensions: {}) # rubocop: disable Metrics/ParameterLists:
+          { name:, expiration:, serial:, key_size:, ca:, parent:, extensions: }
+        end
+
+        def sub_ca_config(name, expiration, serial, ca)
+          ca_config(name, expiration, serial, SUB_CA_KEY_SIZE, ca, 'root', extensions: {
+                      basicConstraints: extension_details('CA:true, pathlen:0', critical: true)
+                    })
         end
 
         def default_authorities
@@ -99,90 +82,51 @@ module Kybus
             defaults: {
               parent: 'root',
               extensions: {
-                basicConstraints: {
-                  details: 'CA:true',
-                  critical: true
-                },
-                keyUsage: {
-                  details: 'Digital Signature, keyCertSign, cRLSign',
-                  critical: true
-                }
+                basicConstraints: extension_details('CA:true', critical: true),
+                keyUsage: extension_details('Digital Signature, keyCertSign, cRLSign', critical: true)
               }
             },
             certificates: [root_ca, servers_ca, clients_ca]
           }
         end
 
-        def default_servers_config
+        def default_config(parent, extensions, extra_defaults = {})
           {
             defaults: {
-              parent: 'servers',
-              extensions: {
-                'Netscape Cert Type': {
-                  details: 'SSL Server',
-                  critical: false
-                },
-                'Netscape Comment': {
-                  details: 'Server certificate',
-                  critical: false
-                },
-                keyUsage: {
-                  details: 'Digital Signature, Key Encipherment',
-                  critical: true
-                },
-                extendedKeyUsage: {
-                  details: 'TLS Web Server Authentication',
-                  critical: false
-                },
-                authorityKeyIdentifier: {
-                  details: 'keyid, issuer:always',
-                  critical: false
-                },
-                subjectAltName: {
-                  details: '$dns',
-                  critical: false
-                }
-              }
-            },
+              parent:,
+              extensions:
+            }.merge(extra_defaults),
             certificates: []
           }
         end
 
+        def default_servers_config
+          extensions = {
+            'Netscape Cert Type': extension_details('SSL Server'),
+            'Netscape Comment': extension_details('Server certificate'),
+            keyUsage: extension_details('Digital Signature, Key Encipherment', critical: true),
+            extendedKeyUsage: extension_details('TLS Web Server Authentication'),
+            authorityKeyIdentifier: extension_details('keyid, issuer:always'),
+            subjectAltName: extension_details('$dns')
+          }
+          default_config('servers', extensions)
+        end
+
         def default_clients_config
-          {
-            defaults: {
-              parent: 'clients',
-              extensions: {
-                'Netscape Cert Type': {
-                  details: 'SSL Client, S/MIME',
-                  critical: false
-                },
-                'Netscape Comment': {
-                  details: 'Client certificate',
-                  critical: false
-                },
-                keyUsage: {
-                  details: 'Digital Signature, Non Repudiation, Key Encipherment',
-                  critical: true
-                },
-                extendedKeyUsage: {
-                  details: 'TLS Web Client Authentication, E-mail Protection',
-                  critical: false
-                },
-                subjectAltName: {
-                  details: '$email',
-                  critical: false
-                }
-              },
-              team: @opts[:team]
-            },
-            certificates: []
+          extensions = {
+            'Netscape Cert Type': extension_details('SSL Client, S/MIME'),
+            'Netscape Comment': extension_details('Client certificate'),
+            keyUsage: extension_details('Digital Signature, Non Repudiation, Key Encipherment', critical: true),
+            extendedKeyUsage: extension_details('TLS Web Client Authentication, E-mail Protection'),
+            subjectAltName: extension_details('$email')
           }
+          default_config('clients', extensions, team: @opts[:team])
         end
 
         def run
           abort 'File already exists. Use --force to overwrite.' if pki_file_exist? && !@opts[:force]
           build_default_config
+          FileUtils.mkdir_p(@opts[:path])
           save_template
         end
       end

data/lib/kybus/ssl/cli/update_crl.rb

@@ -0,0 +1,12 @@
+module Kybus
+  module SSL
+    module CLI
+      class UpdateCRL < BaseCommand
+        def run
+          inv = Kybus::SSL::Inventory.load_inventory(@opts[:pki_file])
+          inv.update_crl!
+        end
+      end
+    end
+  end
+end

data/lib/kybus/ssl/cli.rb

@@ -3,4 +3,4 @@
 require_relative 'cli/init'
 require_relative 'cli/add_ca'
 require_relative 'cli/add_certificate'
-require_relative 'cli/revoke_certificate'
+require_relative 'cli/build'

data/lib/kybus/ssl/configuration.rb

@@ -11,8 +11,6 @@ module Kybus
       end
 
       def saving_directory(type)
-        path = @config['saving_directory']
-        serial = @config['serial']
         "#{path}/#{serial}.#{type}.pem"
       end
 
@@ -24,6 +22,10 @@ module Kybus
         saving_directory('key')
       end
 
+      def pfx_path
+        "#{path}/#{serial}-#{@config['email'] || @config['name']}.pfx"
+      end
+
       def subject_string
         "/C=#{@config['country']}/ST=#{@config['state']}" \
           "/L=#{@config['city']}/O=#{@config['organization']}" \
@@ -61,6 +63,15 @@ module Kybus
       def [](key)
         @config[key]
       end
+      private
+
+      def path
+        @config['saving_directory']
+      end
+
+      def serial
+        @config['serial']
+      end
     end
   end
 end

data/lib/kybus/ssl/inventory.rb

@@ -3,6 +3,7 @@
 require_relative 'configuration'
 require_relative 'certificate'
 require_relative 'revocation_list'
+require 'yaml'
 
 require 'fileutils'
 
@@ -23,17 +24,31 @@ module Kybus
         @servers = SubInventory.new(servers, self)
       end
 
+      def self.load_inventory(path)
+        inventory = YAML.load_file(path)
+        data = inventory['certificate_descriptions']
+        new(data['defaults'], data['authorities'], data['clients'], data['servers'])
+      end
+
       def create_certificates!
         validate_inventories!
         create_directory!
         [@authorities, @clients, @servers].each(&:create_certificates!)
       end
 
+      def ca_cert_chain(parent)
+        @authorities.ca_cert_chain(parent)
+      end
+
       # TODO: Implement validation of inventories
       def validate_inventories!
         true
       end
 
+      def update_crl
+        @authorities.update_crl
+      end
+
       def create_directory!
         FileUtils.mkdir_p(@defaults['saving_directory'])
       end
@@ -61,6 +76,21 @@ module Kybus
         end
       end
 
+      def ca_cert_chain(name)
+        chain = []
+        cert = ca(name)
+
+        while cert && cert.ca_name != 'root'
+          puts cert.ca_name
+          chain << cert.cert
+          cert = @certificates.find { |c| c.ca_name == cert.config['parent'] }
+        end
+        chain
+      end
+
+      def update_crl
+      end
+
       def create_certificates!
         @certificates.each(&:create!)
       end

data/lib/kybus/ssl/version.rb

@@ -2,6 +2,6 @@
 
 module Kybus
   module SSL
-    VERSION = '0.2.0'
+    VERSION = '0.3.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kybus-ssl
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Gilberto Vargas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-03 00:00:00.000000000 Z
+date: 2025-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -24,99 +24,13 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.11'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.12'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.3'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.1'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
 description: Package for creating self signed certificates for development purpose
 email:
-- tachoguitar@gmail.com
-executables:
-- kybssl
+- tachomexgems@gmail.com
+executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- bin/kybssl
 - lib/kybus/ssl.rb
 - lib/kybus/ssl/certificate.rb
 - lib/kybus/ssl/cli.rb
@@ -125,17 +39,17 @@ files:
 - lib/kybus/ssl/cli/base_command.rb
 - lib/kybus/ssl/cli/build.rb
 - lib/kybus/ssl/cli/init.rb
-- lib/kybus/ssl/cli/revoke_certificate.rb
+- lib/kybus/ssl/cli/update_crl.rb
 - lib/kybus/ssl/configuration.rb
 - lib/kybus/ssl/inventory.rb
 - lib/kybus/ssl/revocation_list.rb
 - lib/kybus/ssl/version.rb
-homepage: https://github.com/KueskiEngineering/ruby-kybus-server
+homepage: https://github.com/tachomex/kybus
 licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -150,8 +64,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.14
-signing_key: 
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: Kybus SSL tools
 test_files: []

data/bin/kybssl

@@ -1,90 +0,0 @@
-require 'optimist'
-require 'yaml'
-require './lib/kybus/ssl/cli'
-
-def run_init(opts)
-  Kybus::SSL::CLI::Init.new(opts).run
-end
-
-def run_add_ca(opts)
-  Kybus::SSL::CLI::AddCA.new(opts).run
-end
-
-def run_add_certificate(opts) 
-  Kybus::SSL::CLI::AddCertificate.new(opts).run
-end
-
-def run_revoke_certificate(opts); end
-
-def run_build(opts); end
-
-# Define expected commands and options
-commands = %i[init add_ca add_certificate revoke_certificate build]
-cmd = ARGV.shift&.to_sym || :help
-abort "Invalid command. Valid commands are: #{commands.join(', ')}" unless commands.include?(cmd)
-
-def global_params(context, cmd)
-  context.instance_eval do 
-    opt :pki_file, 'PKI File', type: :string, required: true
-    opt :team, 'Organization Unit name', type: :string, required: cmd == :init
-    opt :country, 'Organization Unit name', type: :string, required: cmd == :init
-    opt :state, 'Organization Unit name', type: :string, required: cmd == :init
-    opt :city, 'Organization Unit name', type: :string, required: cmd == :init
-    opt :organization, 'Organization Unit name', type: :string, required: cmd == :init
-  end
-end
-
-opts = case cmd
-       when :init
-         Optimist.options do
-           banner 'Usage: kybssl init [options]'
-           opt :outputdir, 'Output Directory', type: :string, default: 'pki'
-           opt :force, 'Overwrite file if it already exists', type: :bool, default: false
-           global_params(self, cmd)
-          end
-        when :add_ca
-         Optimist.options do
-           banner 'Usage: kybssl add-ca [options]'
-           opt :caname, 'CA Name', type: :string, required: true
-           opt :name, 'Common Name', type: :string, required: true
-           opt :expiration, 'Validity Years', type: :integer, default: 10
-           opt :keysize, 'Key Size', type: :integer, default: 2048
-           opt :parent, 'Parent CA', type: :string, default: 'root'
-           global_params(self, cmd)
-          end
-        when :add_certificate
-         Optimist.options do
-           banner 'Usage: kybssl add-certificate [options]'
-           opt :name, 'Common Name', type: :string, required: true
-           opt :email, 'User Email', type: :string, require: true
-           opt :dns, 'Server DNS', type: :string
-           opt :ca, 'CA Name', type: :string, required: true
-           opt :expiration, 'Validity Years', type: :integer, default: 5
-           opt :type, 'Type of certificate client|server', type: :string, default: 'client'
-           global_params(self, cmd)
-          end
-        when :revoke_certificate
-          Optimist.options do
-            banner 'Usage: kybssl revoke-certificate [options]'
-            opt :serial, 'Certificate Serial', type: :string, required: true
-            global_params(self, cmd)
-          end
-        when :build
-          Optimist.options do
-            banner 'Usage: kybssl build [options]'
-            global_params(self, cmd)
-         end
-       end
-
-case cmd
-when :init
-  run_init(opts)
-when :add_ca
-  run_add_ca(opts)
-when :add_certificate
-  run_add_certificate(opts)
-when :revoke_certificate
-  run_revoke_certificate(opts)
-when :build
-  run_build(opts)
-end