ovpn-key 0.7.1 → 0.7.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da769c59267c3c1bc605a2da314d55b0599e56de6e48dc25ef17ea56ed1af960
-  data.tar.gz: eb106210d91f8e5ba367d20d94e72e74f27e1a53a8abd3cf58cf61fc7580f0fb
+  metadata.gz: 13681f4cf8c6abc0badce3feceacf4ce489daab4ff9ea7b177bdca7c3fe983ed
+  data.tar.gz: 621ad232db5032b90b1b631f7765dc15aca7b8131465bb2658408c13a7c1d8b0
 SHA512:
-  metadata.gz: 44b34a49e1730f3c9bff11022fa63e8cf1426c85a6f737c84b68cafa50be8c4e05110202d40dc1e1bfbfda36d29df02003b6ebd07c489fa21a76dcd8afea8d94
-  data.tar.gz: c4370cde04518bc151c64f2fb329718d68eed360080987807ed201103d55f999a84b0fcfd4d96634bc1124e96f419956b2c497046ab9bf957e55590e2882724c
+  metadata.gz: cc2d031bd9f8a595fa1efd862c2e5e371643928d34c7d7398db179466b655e48d412dd5494cfc6d705e614114846acbcce717b1117026df685bac5a4eb6e65b7
+  data.tar.gz: d31fd3d8936ab9bbd94daed1db9f2334925e073dfb9319d6d96aabfa1db566bd2f340144dd0190ee27ee2652d64ef70d59e6c0a6a1c63af6392dfdba0191073e

data/README.md

@@ -12,9 +12,12 @@ It supports encrypting `.key` files with a passphrase (there is an option to dis
 
 It can be used with a non-self signed CA, just place your `ca.key` and `ca.crt` in the keys directory and skip the `--ca` step.
 
-It can be used to manage a non-OpenVPN CA, in that case `--zip` step will be useless, but all others will work.
+It can be used to manage a non-OpenVPN CA, in that case `--zip` and `--static` steps will be useless, but all others will work.
 
-For now it should be considered experimental and rather undocumented.  
+OpenVPN static keys are supported partially, as they should be used for `tls-auth`/`tls-crypt` only.
+Please note that they are not encrypted regardless of `--nopass` option.
+
+For now this utility should be considered experimental and rather undocumented.  
 If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), where the problems are.
 
 ### Installation
@@ -26,12 +29,14 @@ If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), wher
 
 1. `ovpn-key --init`
 2. edit `ovpn-key.yml` and `openssl.ini`
-3. `ovpn-key --ca --dh --server --nopass`
-4. `ovpn-key --client somebody`
-5. `ovpn-key --revoke somebody`
-6. add a file with `.ovpn` extension to the directory  
+3. `ovpn-key --ca --dh`
+4. `ovpn-key --server --nopass`
+5. `ovpn-key --client somebody [--nopass]`
+6. `ovpn-key --revoke somebody`
+7. `ovpn-key --static` (generates `ta.key`)
+8. add a file with `.ovpn` extension to the directory  
    it should contain every setting except for `cert` and `key`
-7. `ovpn-key --zip somebody-else`
+9. `ovpn-key --zip somebody-else [--nopass]`
 
 ### Configuration
 

data/bin/ovpn-key

@@ -1,76 +1,82 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: true
+
 require 'optparse'
 require 'fileutils'
 require 'yaml'
 require 'zip'
-require_relative '../lib/version.rb'
-require_relative '../lib/functions.rb'
+require_relative '../lib/version'
+require_relative '../lib/functions'
 
 SSL_CONF = 'openssl.ini'
 APP_CONF = 'ovpn-key.yml'
 
 options = {}
 OptionParser.new do |opts|
-  opts.banner = "Usage: #{File.basename $0} <options> [--nopass]"
-  opts.on("--init [directory]", "Init a CA directory (defaults to current)") do |v|
-    options[:init] = v ? v : "."
+  opts.banner = "Usage: #{File.basename $PROGRAM_NAME} <options> [--nopass]"
+  opts.on('--init [directory]', 'Init a CA directory (defaults to current)') do |v|
+    options[:init] = v || '.'
   end
-  opts.on("--ca", "Generate a CA (ca.crt)") do |v|
+  opts.on('--ca', 'Generate a CA (ca.crt)') do |v|
     check_crt('ca')
     options[:generate_ca] = v
   end
-  opts.on("--dh", "Generate a DH keyfile (dh.pem)") do |v|
-    # it's safe to rewrite this file
+  opts.on('--dh', 'Generate a DH keyfile (dh.pem)') do |v|
+    # it's safe to overwrite this file
     options[:generate_dh] = v
   end
-  opts.on("--server [name]", "Generate a server key (defaults to 'server')") do |v|
-    options[:generate_server] = v ? v : "server"
+  opts.on('--static', 'Generate OpenVPN static key (ta.key)') do |v|
+    options[:generate_static] = v
+    check_crt('ta')
+  end
+  opts.on('--server [name]', "Generate a server key (defaults to 'server')") do |v|
+    options[:generate_server] = v || 'server'
     check_crt(options[:generate_server])
   end
-  opts.on("--client [name]", "Generate a client key and sign it") do |v|
+  opts.on('--client [name]', 'Generate a client key and sign it') do |v|
     check_client(v)
     options[:generate_client] = v
   end
-  opts.on("--zip    [name]", "Ditto plus pack it to ZIP with OpenVPN config") do |v|
+  opts.on('--zip    [name]', 'Ditto plus pack it to ZIP with OpenVPN config') do |v|
     check_client(v)
     options[:generate_zip] = v
   end
-  opts.on("--revoke [name]", "Revoke a certificate (using crl.pem) and delete it") do |v|
-    abort "Please specify what certificate to revoke" unless v
+  opts.on('--revoke [name]', 'Revoke a certificate (using crl.pem) and delete it') do |v|
+    abort 'Please specify what certificate to revoke' unless v
     options[:revoke] = v
   end
-  opts.on("--nopass", "Don't protect .key files with a password") do |v|
+  opts.on('--nopass', "Don't protect .key files with a password") do |v|
     options[:no_password] = v
   end
 end.parse!
-if ARGV.length > 0
-  abort "Error: invalid args: #{ARGV.join ' '}\nSee `#{File.basename $0} -h` for help"
+if ARGV.length.positive?
+  abort "Error: invalid args: #{ARGV.join ' '}\nSee `#{File.basename $PROGRAM_NAME} -h` for help"
 end
-unless options[:init] || options[:generate_ca] || options[:generate_dh] || options[:generate_server] \
-  || options[:generate_client] || options[:generate_zip] || options[:revoke]
-  abort "See `#{File.basename $0} -h` for usage"
+unless options[:init] || options[:generate_ca] || options[:generate_dh] || options[:generate_static] \
+  || options[:generate_server] || options[:generate_client] || options[:generate_zip] || options[:revoke]
+  abort "See `#{File.basename $PROGRAM_NAME} -h` for usage"
 end
-if options[:generate_client] and options[:generate_zip]
+if options[:generate_client] && options[:generate_zip]
   # I assume that user likely wants one of them and is confused with usage
-  abort "There can be only one: --client or --zip"
+  abort 'There can be only one: --client or --zip'
 end
-File.umask 0077
+umask = File.umask 0o077
 
 if options[:init]
   unless options[:init] == '.'
     create_dir options[:init]
     Dir.chdir options[:init]
   end
-  ['certs', 'meta'].each {|dir| create_dir dir}
+  %w[certs meta].each {|dir| create_dir dir}
   ['meta/index.txt', 'meta/index.txt.attr', 'meta/serial', SSL_CONF, APP_CONF].each {|file|
     unless File.exist? file
       FileUtils.copy_file(File.expand_path("defaults/#{file}", "#{__dir__}/.."), "./#{file}")
       puts "Created file: #{file}"
     end
   }
-elsif !File.exist? 'ovpn-key.yml'
+elsif !File.exist? APP_CONF
   begin
-    rc = YAML.load_file(File.expand_path '~/.ovpn-key.yml')
+    rc = YAML.load_file(File.expand_path("~/.#{APP_CONF}"))
   rescue Errno::ENOENT
     # no configuration file in home directory is not an error
   end
@@ -80,23 +86,28 @@ end
 begin
   settings = YAML.load_file(APP_CONF)
 rescue Errno::ENOENT
-  abort "Run `#{File.basename $0} --init` before generating certificates"
+  abort "Run `#{File.basename $PROGRAM_NAME} --init` before generating certificates"
 end
 ZIP_DIR  = settings['zip_dir']  || '~'
+OPENVPN  = settings['openvpn']  || 'openvpn'
 OPENSSL  = settings['openssl']  || 'openssl'
-KEY_SIZE = settings['key_size'] || 2048
 ENCRYPT  = settings['encrypt']  || 'aes128'
+KEY_SIZE = settings['key_size'] || 2048
+CA_DAYS  = settings['ca_days']  || 3650
 CN_CA    = settings['ca_name']  || 'Certification Authority'
 REQ      = settings['details']
 
 if options[:generate_ca]
-  gen_key('ca', 'ca', options[:no_password])
+  gen_key('ca', options[:no_password])
   sign_key('ca', 'ca', CN_CA)
   gen_crl
 end
 if options[:generate_dh]
   exe "#{OPENSSL} dhparam -out dh.pem #{KEY_SIZE}"
 end
+if options[:generate_static]
+  exe "#{OPENVPN} --genkey --secret ta.key"
+end
 if options[:generate_server]
   gen_and_sign('server', options[:generate_server], options[:no_password])
 end
@@ -109,27 +120,29 @@ if options[:generate_zip]
   when 1
     ovpn_file = ovpn_files.first
   when 0
-    abort "No .ovpn file in current directory, please add one"
+    abort 'No .ovpn file in current directory, please add one'
   else
-    abort "More than one .ovpn files in current directory, aborting"
+    abort 'More than one .ovpn files in current directory, aborting'
   end
 
   gen_and_sign('client', options[:generate_zip], options[:no_password])
 
   zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
   File.delete(zip_file) if File.exist?(zip_file)
+  File.umask umask
   Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
     zip.get_output_stream(ovpn_file) {|f|
       File.open(ovpn_file).each {|line| f.write line}
       f.write "cert #{options[:generate_zip]}.crt\nkey #{options[:generate_zip]}.key\n"
     }
-    [ 'ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
+    ['ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
       zip.add(i, i)
     }
+    zip.add('ta.key', 'ta.key') if File.exist? 'ta.key'
   end
 end
 if options[:revoke]
   exe "#{OPENSSL} ca -revoke '#{options[:revoke]}.crt' -config #{SSL_CONF}"
   gen_crl
-  ['crt', 'key'].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
+  %w[crt key].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
 end

data/defaults/meta/serial

@@ -1 +1 @@
-01
+00

data/defaults/openssl.ini

@@ -1,7 +1,6 @@
 [req]
 default_md = sha256
 distinguished_name = dn.ovpn
-days = 3650
 
 [dn.ovpn]
 CN          = Certificate name (required)

data/defaults/ovpn-key.yml

@@ -1,6 +1,8 @@
 zip_dir:  '~'
+openvpn:  openvpn
 openssl:  openssl
-key_size: 2048
 encrypt:  aes128
+key_size: 2048
+ca_days:  3650
 ca_name:  Certification Authority
 details:  /C=US/ST=CA/L=San Francisco/O=Dva Debila/OU=OpenVPN

data/lib/functions.rb

@@ -1,34 +1,36 @@
-def check_crt filename
-  ['key', 'crt'].each {|ext|
+# frozen_string_literal: true
+
+def check_crt(filename)
+  %w[key crt].each {|ext|
     abort "#{filename}.#{ext} already exists, exiting" if File.exist? "#{filename}.#{ext}"
   }
 end
 
-def check_client name
-  abort "Error: client should have an alphanumeric name" unless name
+def check_client(name)
+  abort 'Error: client should have an alphanumeric name' unless name
   check_crt(name)
 end
 
-def exe cmd
+def exe(cmd)
   system(cmd) or abort "error executing: #{cmd}"
 end
 
-def gen_and_sign type, certname, no_password
-  gen_key(type, certname, no_password)
+def gen_and_sign(type, certname, no_password)
+  gen_key(certname, no_password)
   sign_key(type, certname, certname)
 end
 
-def gen_key type, certname, no_password
+def gen_key(certname, no_password)
   if no_password
-    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
+    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE}"
   else
-    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE} -config #{SSL_CONF} -extensions ext.#{type}"
+    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE}"
   end
 end
 
-def sign_key type, certname, cn
+def sign_key(type, certname, cn)
   if certname == 'ca'
-    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
+    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type} -days #{CA_DAYS}"
   else
     exe "#{OPENSSL} req -new -key '#{certname}.key' -out '#{certname}.csr' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
     exe "#{OPENSSL} ca -in '#{certname}.csr' -out '#{certname}.crt' -config #{SSL_CONF} -extensions ext.#{type} -batch"
@@ -40,9 +42,9 @@ def gen_crl
   exe "#{OPENSSL} ca -gencrl -out crl.pem -config #{SSL_CONF}"
 end
 
-def create_dir name
-  unless Dir.exist? name
-    Dir.mkdir name
-    puts "Created directory: #{name}"
-  end
+def create_dir(name)
+  return if Dir.exist? name
+
+  Dir.mkdir name
+  puts "Created directory: #{name}"
 end

data/lib/version.rb

@@ -1 +1,3 @@
-::Version = '0.7.1'
+# frozen_string_literal: true
+
+::VERSION = '0.7.7'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ovpn-key
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.7
 platform: ruby
 authors:
 - Vasily Korytov
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-09 00:00:00.000000000 Z
+date: 2021-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubyzip
@@ -16,16 +16,17 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: ''
-email: vasily.korytov@icloud.com
+        version: '2.0'
+description: Generates and revokes certificates, also packs them to ZIP files with
+  OpenVPN configuration
+email: v.korytov@outlook.com
 executables:
 - ovpn-key
 extensions: []
@@ -45,7 +46,7 @@ homepage: https://github.com/chillum/ovpn-key
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -53,16 +54,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Key management utility for OpenVPN
 test_files: []