ovpn-key 0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 87d20925cbb4231873b06d213c5cb1b3e47f428d5c349449288b778b0b1fcf38
+  data.tar.gz: fbd4b0f7700bc6c103728b412478a0cbaf7adb5c80cbefa7178ccc00abb9e47b
+SHA512:
+  metadata.gz: 8e90c6313d933c5298c9c170b7eedeb06fbe5045575aae3dd985c6aad38bb6e7a6b83d2375247d5946bab40aa408c057b18e9d2a1fa474f04fbd60929f8d0db0
+  data.tar.gz: b9d7a14f848837c59c6810985211d9f43c89a7d79b5a4d7bd4305c84f60bf3c3adf119178eb3836c2d9ea56e562235cdf7264201e8e4aaa2b49920df05e59f25

data/NOTICE

@@ -0,0 +1,15 @@
+ovpn-key: https://github.com/chillum/ovpn-key
+
+Copyright 2018 Vasily Korytov
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,46 @@
+## ovpn-key: key management for OpenVPN [![Gem Version](https://badge.fury.io/rb/ovpn-key.svg)](http://badge.fury.io/rb/ovpn-key)
+
+This utility is designed as [easy-rsa](https://github.com/OpenVPN/easy-rsa) replacement suitable for one exact use case.
+
+It's basically a wrapper around `openssl` to:
+* create a self-signed CA
+* create client and server certificates and pack them to ZIP files along with the OpenVPN config
+* revoke the certificates
+* create a DH keyfile
+
+It supports encrypting `.key` files with a passphrase (there is an option to disable that).
+
+It can be used with a non-self signed CA, just place your `ca.key` and `ca.crt` in the keys directory and skip the `--ca` step.
+
+For now it should be considered experimental and rather undocumented.  
+If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), where the problems are.
+
+### Installation
+
+1. Get [Ruby](https://www.ruby-lang.org/en/documentation/installation/)
+2. Run `gem install ovpn-key`
+
+### Usage
+
+1. `ovpn-key --init`
+2. edit `ovpn-key.yml` and `openssl.ini`
+3. `ovpn-key --ca --dh --server --nopass`
+4. add a file with `.ovpn` extension to the directory  
+   it should contain every setting except for `cert` and `key`
+5. `ovpn-key --client somebody`
+6. `ovpn-key --revoke somebody`
+
+### Configuration
+
+Most of configuration is done in `open-vpn.key` and `openssl.ini` files in the directory.
+
+ovpn-key also processes `~/.ovpn-key.yml` file, for now it has only one possible setting:
+```yaml
+dir: ~/some/path
+```
+
+This setting is used as a default directory if:
+1. current directory does not have a `ovpn-key.yml`
+2. `--init` is not specified
+
+If you specify the default directory, you don't need to travel to it every time you want to launch `ovpn-key`, i.e. you can use it from your home directory or any other, as long as requirements above are met.

data/bin/ovpn-key

@@ -0,0 +1,133 @@
+#! /usr/bin/env ruby
+require 'optparse'
+require 'fileutils'
+require 'yaml'
+require 'zip'
+require_relative '../lib/version.rb'
+require_relative '../lib/functions.rb'
+
+SSL_CONF = 'openssl.ini'
+APP_CONF = 'ovpn-key.yml'
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: #{File.basename $0} <options> [--nopass]"
+  opts.on("--init [directory]", "Init a CA directory (defaults to current)") do |v|
+    if v
+      options[:init] = v
+    else
+      options[:init] = "."
+    end
+  end
+  opts.on("--ca", "Generate a CA (ca.crt)") do |v|
+    check_crt('ca')
+    options[:generate_ca] = v
+  end
+  opts.on("--dh", "Generate a DH keyfile (dh.pem)") do |v|
+    options[:generate_dh] = v
+  end
+  opts.on("--server [name]", "Generate a server key (defaults to 'server')") do |v|
+    if v
+      options[:generate_server] = v
+    else
+      options[:generate_server] = "server"
+    end
+    check_crt(options[:generate_server])
+  end
+  opts.on("--client [name]", "Generate a client key and pack it to ZIP") do |v|
+    abort "Error: client should have an alphanumeric name" unless v
+    check_crt(v)
+    options[:generate_client] = v
+  end
+  opts.on("--revoke [name]", "Revoke a certificate (using crl.pem) and delete it") do |v|
+    abort "Please specify what certificate to revoke" unless v
+    options[:revoke] = v
+  end
+  opts.on("--nopass", "Don't protect .key files with a password") do |v|
+    options[:no_password] = v
+  end
+end.parse!
+if ARGV.length > 0
+  abort "Error: invalid args: #{ARGV.join ' '}\nSee `#{File.basename $0} -h` for help"
+end
+unless options[:init] || options[:generate_ca] || options[:generate_dh] \
+  || options[:generate_server] || options[:generate_client] || options[:revoke]
+  abort "See `#{File.basename $0} -h` for usage"
+end
+File.umask 0077
+
+if options[:init]
+  unless options[:init] == '.'
+    create_dir options[:init]
+    Dir.chdir options[:init]
+  end
+  ['certs', 'meta'].each {|dir| create_dir dir}
+  ['meta/index.txt', 'meta/index.txt.attr', 'meta/serial', SSL_CONF, APP_CONF].each {|file|
+    unless File.exist? file
+      FileUtils.copy_file(File.expand_path("defaults/#{file}", "#{__dir__}/.."), "./#{file}")
+      puts "Created file: #{file}"
+    end
+  }
+elsif !File.exist? 'ovpn-key.yml'
+  begin
+    rc = YAML.load_file(File.expand_path '~/.ovpn-key.yml')
+  rescue Errno::ENOENT
+  end
+  Dir.chdir File.expand_path(rc['dir']) if rc && rc['dir']
+end
+
+begin
+  settings = YAML.load_file(APP_CONF)
+rescue Errno::ENOENT
+  abort "Run `#{File.basename $0} --init` before generating certificates"
+end
+ZIP_DIR  = settings['zip_dir'] || '~'
+OPENSSL  = settings['openssl'] || 'openssl'
+KEY_SIZE = settings['key_size'] || 2048
+ENCRYPT  = settings['encrypt'] || 'aes128'
+REQ      = settings['req']
+CN_CA    = settings['cn_ca'] || 'Certification Authority'
+
+if options[:generate_ca]
+  genrsa('ca', 'ca', options[:no_password])
+  req('ca', 'ca', CN_CA)
+  gen_crl
+end
+if options[:generate_dh]
+  exe "#{OPENSSL} dhparam -out dh.pem #{KEY_SIZE}"
+end
+if options[:generate_server]
+  genrsa('server', options[:generate_server], options[:no_password])
+  req('server', options[:generate_server], options[:generate_server])
+end
+if options[:generate_client]
+  ovpn_files = Dir['*.ovpn']
+  case ovpn_files.length
+  when 1
+    ovpn_file = ovpn_files.first
+  when 0
+    abort "No .ovpn file in current directory, please add one"
+  else
+    abort "More than one .ovpn files in current directory, aborting"
+  end
+
+  genrsa('client', options[:generate_client], options[:no_password])
+  req('client', options[:generate_client], options[:generate_client])
+
+  zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
+  File.delete(zip_file) if File.exist?(zip_file)
+  Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
+    zip.get_output_stream(ovpn_file) {|f|
+      File.open(ovpn_file).each {|line| f.write line}
+      f.write "cert #{options[:generate_client]}.crt\nkey #{options[:generate_client]}.key\n"
+    }
+    [ 'ca.crt', "#{options[:generate_client]}.crt", "#{options[:generate_client]}.key"].each {|i|
+      zip.add(i, i)
+    }
+  end
+end
+if options[:revoke]
+  exe "#{OPENSSL} ca -revoke '#{options[:revoke]}.crt' -config #{SSL_CONF}"
+  gen_crl
+  ['crt', 'key'].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
+end

data/defaults/meta/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

data/defaults/meta/serial

@@ -0,0 +1 @@
+01

data/defaults/openssl.ini

@@ -0,0 +1,49 @@
+[req]
+default_md = sha256
+distinguished_name = dn.ovpn
+days = 3650
+
+[dn.ovpn]
+CN          = Certificate name (required)
+
+[ca]
+default_ca  = ca.ovpn
+
+[ca.ovpn]
+default_md  = sha256
+private_key = ca.key
+certificate = ca.crt
+database    = meta/index.txt
+serial      = meta/serial
+crl         = crl.pem
+policy      = policy.ovpn
+# create this directory if changing this value
+new_certs_dir    = certs
+default_days     = 3650
+default_crl_days = 3650
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ext.ca]
+basicConstraints = CA:true
+
+[ext.server]
+basicConstraints = CA:false
+nsCertType       = server
+extendedKeyUsage = serverAuth
+keyUsage         = digitalSignature, keyEncipherment
+
+[ext.client]
+basicConstraints = CA:false
+extendedKeyUsage = clientAuth
+keyUsage         = digitalSignature
+
+[policy.ovpn]
+commonName             = supplied
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+name                   = optional
+emailAddress           = optional

data/defaults/ovpn-key.yml

@@ -0,0 +1,6 @@
+zip_dir:  '~'
+openssl:  openssl
+key_size: 2048
+encrypt:  aes128
+req:      /C=US/L=San Francisco/O=Dva Debila/OU=OpenVPN
+cn_ca:    Certification Authority

data/lib/functions.rb

@@ -0,0 +1,38 @@
+def check_crt filename
+  ['key', 'crt'].each {|ext|
+    abort "#{filename}.#{ext} already exists, exiting" if File.exist? "#{filename}.#{ext}"
+  }
+end
+
+def exe cmd
+  system(cmd) or abort "error executing: #{cmd}"
+end
+
+def genrsa type, certname, no_password
+  if no_password
+    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
+  else
+    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
+  end
+end
+
+def req type, certname, cn
+  if certname == 'ca'
+    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
+  else
+    exe "#{OPENSSL} req -new -key '#{certname}.key' -out '#{certname}.csr' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
+    exe "#{OPENSSL} ca -in '#{certname}.csr' -out '#{certname}.crt' -config #{SSL_CONF} -extensions ext.#{type} -batch"
+    File.delete "#{certname}.csr"
+  end
+end
+
+def gen_crl
+  exe "#{OPENSSL} ca -gencrl -out crl.pem -config #{SSL_CONF}"
+end
+
+def create_dir name
+  unless Dir.exist? name
+    Dir.mkdir name
+    puts "Created directory: #{name}"
+  end
+end

data/lib/version.rb

@@ -0,0 +1 @@
+::Version = '0.4'

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification
+name: ovpn-key
+version: !ruby/object:Gem::Version
+  version: '0.4'
+platform: ruby
+authors:
+- Vasily Korytov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-08-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: ''
+email: vasily.korytov@icloud.com
+executables:
+- ovpn-key
+extensions: []
+extra_rdoc_files: []
+files:
+- NOTICE
+- README.md
+- bin/ovpn-key
+- defaults/meta/index.txt
+- defaults/meta/index.txt.attr
+- defaults/meta/serial
+- defaults/openssl.ini
+- defaults/ovpn-key.yml
+- lib/functions.rb
+- lib/version.rb
+homepage: https://github.com/chillum/ovpn-key
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Key management utility for OpenVPN
+test_files: []