ovpn-key 0.7.7 → 0.8.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13681f4cf8c6abc0badce3feceacf4ce489daab4ff9ea7b177bdca7c3fe983ed
-  data.tar.gz: 621ad232db5032b90b1b631f7765dc15aca7b8131465bb2658408c13a7c1d8b0
+  metadata.gz: 0ae3146e987d293da8fbf2880e9696e94d7d51c06db2f63fd2c021d63158dea5
+  data.tar.gz: fbac8d69275b82527304e063db26bdea596186a7dee71acd98d9a3da282a6f59
 SHA512:
-  metadata.gz: cc2d031bd9f8a595fa1efd862c2e5e371643928d34c7d7398db179466b655e48d412dd5494cfc6d705e614114846acbcce717b1117026df685bac5a4eb6e65b7
-  data.tar.gz: d31fd3d8936ab9bbd94daed1db9f2334925e073dfb9319d6d96aabfa1db566bd2f340144dd0190ee27ee2652d64ef70d59e6c0a6a1c63af6392dfdba0191073e
+  metadata.gz: 2dfbae985471d80c40a7ea2ada9b8dfdd237b3973027c737640e782f0dc8503cc466ee5560d0f3f0456a20c2199fba2407a59202a4bf4c08291ec2a820b02333
+  data.tar.gz: 5451ceb967404146948d348bd63deb7d2bc2e73df9ed93c840c4cf160a1cb6048b923e48ad96b1c121efd64cd5386da6bdca20606dbfa9c69f5bd85b484710a8

data/NOTICE

@@ -1,6 +1,6 @@
 ovpn-key: https://github.com/chillum/ovpn-key
 
-Copyright 2018 Vasily Korytov
+Copyright 2018-2021 Vasily Korytov
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this software except in compliance with the License.

data/README.md

@@ -2,7 +2,7 @@
 
 This utility is designed as [easy-rsa](https://github.com/OpenVPN/easy-rsa) replacement suitable for one exact use case.
 
-It's basically a wrapper around `openssl` to:
+It's basically a wrapper around OpenSSL API to:
 * create a self-signed CA
 * create client and server certificates and pack them to ZIP files along with the OpenVPN config
 * revoke the certificates
@@ -28,7 +28,7 @@ If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), wher
 ### Usage
 
 1. `ovpn-key --init`
-2. edit `ovpn-key.yml` and `openssl.ini`
+2. edit `ovpn-key.yml`
 3. `ovpn-key --ca --dh`
 4. `ovpn-key --server --nopass`
 5. `ovpn-key --client somebody [--nopass]`

data/bin/ovpn-key

@@ -1,18 +1,23 @@
-#! /usr/bin/env ruby
+#! /usr/bin/env ruby -w
 # frozen_string_literal: true
 
-require 'optparse'
 require 'fileutils'
+require 'io/console'
+require 'openssl'
+require 'optparse'
 require 'yaml'
 require 'zip'
 require_relative '../lib/version'
 require_relative '../lib/functions'
 
-SSL_CONF = 'openssl.ini'
 APP_CONF = 'ovpn-key.yml'
+CRL_FILE = 'crl.pem'
+SERIAL_FILE = 'serial'
 
 options = {}
+# rubocop:disable Metrics/BlockLength
 OptionParser.new do |opts|
+  # rubocop:enable Metrics/BlockLength
   opts.banner = "Usage: #{File.basename $PROGRAM_NAME} <options> [--nopass]"
   opts.on('--init [directory]', 'Init a CA directory (defaults to current)') do |v|
     options[:init] = v || '.'
@@ -41,7 +46,7 @@ OptionParser.new do |opts|
     check_client(v)
     options[:generate_zip] = v
   end
-  opts.on('--revoke [name]', 'Revoke a certificate (using crl.pem) and delete it') do |v|
+  opts.on('--revoke [name]', "Revoke a certificate (using #{CRL_FILE}) and delete it") do |v|
     abort 'Please specify what certificate to revoke' unless v
     options[:revoke] = v
   end
@@ -67,13 +72,10 @@ if options[:init]
     create_dir options[:init]
     Dir.chdir options[:init]
   end
-  %w[certs meta].each {|dir| create_dir dir}
-  ['meta/index.txt', 'meta/index.txt.attr', 'meta/serial', SSL_CONF, APP_CONF].each {|file|
-    unless File.exist? file
-      FileUtils.copy_file(File.expand_path("defaults/#{file}", "#{__dir__}/.."), "./#{file}")
-      puts "Created file: #{file}"
-    end
-  }
+  unless File.exist? APP_CONF
+    FileUtils.copy_file(File.expand_path("defaults/#{APP_CONF}", "#{__dir__}/.."), "./#{APP_CONF}")
+    puts "Created file: #{APP_CONF}"
+  end
 elsif !File.exist? APP_CONF
   begin
     rc = YAML.load_file(File.expand_path("~/.#{APP_CONF}"))
@@ -90,29 +92,78 @@ rescue Errno::ENOENT
 end
 ZIP_DIR  = settings['zip_dir']  || '~'
 OPENVPN  = settings['openvpn']  || 'openvpn'
-OPENSSL  = settings['openssl']  || 'openssl'
 ENCRYPT  = settings['encrypt']  || 'aes128'
+DIGEST   = settings['digest']   || 'sha256'
 KEY_SIZE = settings['key_size'] || 2048
-CA_DAYS  = settings['ca_days']  || 3650
 CN_CA    = settings['ca_name']  || 'Certification Authority'
-REQ      = settings['details']
+
+unless settings['ca_days'].nil?
+  if settings['expire'].nil?
+    puts 'Migrating pre-0.8 configuration to new format: ca_days'
+    puts "WARNING: if you tweaked `default_days` or `default_days_crl` in #{SSL_CONF}, edit #{APP_CONF}"
+    File.open(APP_CONF, 'a') do |f|
+      f.write "# ca_days is not used anymore, you can remove it\nexpire:\n"
+      f.write "  ca:     #{settings['ca_days']}\n  crl:    3650\n  server: 3650\n  client: 3650\n"
+    end
+  else
+    puts "WARNING: `ca_days` setting is deprecated, remove it from #{APP_CONF}"
+  end
+end
+
+settings['expire']           ||= {}
+settings['expire']['ca']     ||= settings['ca_days'] || 3650
+settings['expire']['crl']    ||= 3650
+settings['expire']['server'] ||= 3650
+settings['expire']['client'] ||= 3650
+EXPIRE = settings['expire']
+
+if settings['x509'].nil? && !settings['details'].nil?
+  puts 'Migrating pre-0.8 configuration to new format: details'
+  REQ = OpenSSL::X509::Name.parse(settings['details']).to_a
+  File.open(APP_CONF, 'a') do |f|
+    f.write "# details is not used anymore, you can remove it\nx509:\n"
+    REQ.map {|i, j| f.write "  #{i}: #{j}\n" }
+  end
+else
+  REQ = settings['x509']
+  puts "WARNING: `details` section is deprecated, remove it from #{APP_CONF}" unless settings['details'].nil?
+end
+if settings['openssl']
+  puts "WARNING: `openssl` setting is deprecated, remove it from #{APP_CONF}"
+end
+
+if !File.exist?(SERIAL_FILE) && File.exist?('meta/serial')
+  FileUtils.copy_file('meta/serial', SERIAL_FILE)
+  puts 'Copied meta/serial to serial'
+end
+%w[certs meta].each {|dir|
+  puts "WARNING: #{dir} directory is not used anymore. you can remove it" if File.exist? dir
+}
+if File.exist? 'openssl.ini'
+  puts 'WARNING: openssl.ini file is not used anymore. you can remove it'
+end
 
 if options[:generate_ca]
-  gen_key('ca', options[:no_password])
-  sign_key('ca', 'ca', CN_CA)
-  gen_crl
+  ca_pass = options[:no_password] ? nil : ask_password('ca')
+  gen_key('ca', ca_pass)
+  sign_key('ca', CN_CA, ca_pass)
+  gen_crl(ca_pass)
 end
 if options[:generate_dh]
-  exe "#{OPENSSL} dhparam -out dh.pem #{KEY_SIZE}"
+  File.open('dh.pem', 'w') do |f|
+    print 'Generating dh.pem. This will take a while'
+    f.write OpenSSL::PKey::DH.new(KEY_SIZE)
+    puts '. Done'
+  end
 end
 if options[:generate_static]
   exe "#{OPENVPN} --genkey --secret ta.key"
 end
 if options[:generate_server]
-  gen_and_sign('server', options[:generate_server], options[:no_password])
+  gen_and_sign('server', options[:generate_server], options[:no_password] ? nil : ask_password(options[:generate_server]))
 end
 if options[:generate_client]
-  gen_and_sign('client', options[:generate_client], options[:no_password])
+  gen_and_sign('client', options[:generate_client], options[:no_password] ? nil : ask_password(options[:generate_client]))
 end
 if options[:generate_zip]
   ovpn_files = Dir['*.ovpn']
@@ -125,14 +176,14 @@ if options[:generate_zip]
     abort 'More than one .ovpn files in current directory, aborting'
   end
 
-  gen_and_sign('client', options[:generate_zip], options[:no_password])
+  gen_and_sign('client', options[:generate_zip], options[:no_password] ? nil : ask_password(options[:generate_zip]))
 
   zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
   File.delete(zip_file) if File.exist?(zip_file)
   File.umask umask
   Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
     zip.get_output_stream(ovpn_file) {|f|
-      File.open(ovpn_file).each {|line| f.write line}
+      f.write File.read(ovpn_file)
       f.write "cert #{options[:generate_zip]}.crt\nkey #{options[:generate_zip]}.key\n"
     }
     ['ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
@@ -142,7 +193,5 @@ if options[:generate_zip]
   end
 end
 if options[:revoke]
-  exe "#{OPENSSL} ca -revoke '#{options[:revoke]}.crt' -config #{SSL_CONF}"
-  gen_crl
-  %w[crt key].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
+  revoke(options[:revoke])
 end

data/defaults/ovpn-key.yml

@@ -1,8 +1,17 @@
 zip_dir:  '~'
 openvpn:  openvpn
-openssl:  openssl
-encrypt:  aes128
+encrypt:  AES128
+digest:   SHA256
 key_size: 2048
-ca_days:  3650
+expire: # days
+  ca:     3650
+  crl:    3650
+  server: 3650
+  client: 3650
 ca_name:  Certification Authority
-details:  /C=US/ST=CA/L=San Francisco/O=Dva Debila/OU=OpenVPN
+x509:
+  C:  US
+  ST: CA
+  L:  San Francisco
+  O:  Dva Debila
+  OU: OpenVPN

data/lib/functions.rb

@@ -12,34 +12,143 @@ def check_client(name)
 end
 
 def exe(cmd)
-  system(cmd) or abort "error executing: #{cmd}"
+  system(cmd) || abort("error executing: #{cmd}")
 end
 
-def gen_and_sign(type, certname, no_password)
-  gen_key(certname, no_password)
-  sign_key(type, certname, certname)
+def ask_password(name)
+  password = ''
+  loop do
+    print "Enter password for #{name}.key: "
+    password = $stdin.noecho(&:gets).chomp
+    puts # trailing newline
+    break unless password.empty?
+  end
+  password
 end
 
-def gen_key(certname, no_password)
-  if no_password
-    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE}"
-  else
-    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE}"
+def unencrypt_ca_key(pass = '')
+  begin
+    OpenSSL::PKey::RSA.new File.read('ca.key'), pass
+  rescue OpenSSL::PKey::RSAError
+    # this means pass is wrong, so ask for it
+    OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
   end
+rescue OpenSSL::PKey::RSAError
+  retry
+end
+
+def gen_and_sign(type, certname, password)
+  gen_key(certname, password)
+  sign_key(type, certname, password)
 end
 
-def sign_key(type, certname, cn)
-  if certname == 'ca'
-    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type} -days #{CA_DAYS}"
-  else
-    exe "#{OPENSSL} req -new -key '#{certname}.key' -out '#{certname}.csr' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
-    exe "#{OPENSSL} ca -in '#{certname}.csr' -out '#{certname}.crt' -config #{SSL_CONF} -extensions ext.#{type} -batch"
-    File.delete "#{certname}.csr"
+def gen_key(certname, password)
+  key = OpenSSL::PKey::RSA.new(KEY_SIZE)
+  File.open("#{certname}.key", 'w') do |f|
+    f.write password ? key.to_pem(OpenSSL::Cipher.new(ENCRYPT), password) : key
   end
 end
 
-def gen_crl
-  exe "#{OPENSSL} ca -gencrl -out crl.pem -config #{SSL_CONF}"
+# type is one of: 'ca', 'server', 'client'
+def sign_key(type, cn, password)
+  certname = type == 'ca' ? 'ca' : cn
+  key = OpenSSL::PKey::RSA.new File.read("#{certname}.key"), password
+  serial = new_serial
+  cert = gen_cert(type, cn, key.public_key, serial)
+
+  ca_key = type == 'ca' ? key : unencrypt_ca_key
+  cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
+
+  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
+  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+end
+
+def gen_cert(type, cn, pubkey, serial)
+  cert = basic_cert(type, cn)
+  cert.public_key = pubkey
+  cert.serial = serial
+
+  customize_cert(type, cert)
+end
+
+def basic_cert(type, cn)
+  cert = OpenSSL::X509::Certificate.new
+
+  cert.version = 2
+  cert.subject = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
+  cert.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  cert.not_before = Time.now
+  cert.not_after = time_after_days(EXPIRE[type])
+
+  cert
+end
+
+def time_after_days(days)
+  Time.now + days * 86_400 # days to seconds
+end
+
+# rubocop:disable Metrics/MethodLength
+# rubocop:disable Metrics/AbcSize
+def customize_cert(type, cert)
+  # rubocop:enable Metrics/AbcSize
+  # rubocop:enable Metrics/MethodLength
+
+  ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+  ef.issuer_certificate = cert
+
+  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
+  cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid,issuer:always')
+  cert.add_extension ef.create_extension('basicConstraints', type == 'ca' ? 'CA:true' : 'CA:false')
+
+  case type
+  when 'ca'
+    cert.add_extension ef.create_extension('keyUsage', 'cRLSign,keyCertSign')
+  when 'server'
+    cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'serverAuth')
+  when 'client'
+    cert.add_extension ef.create_extension('keyUsage', 'digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'clientAuth')
+  end
+
+  cert
+end
+
+# rubocop:disable Metrics/AbcSize
+def revoke(certname)
+  # rubocop:enable Metrics/AbcSize
+  crl = OpenSSL::X509::CRL.new(File.read(CRL_FILE))
+  cert = OpenSSL::X509::Certificate.new(File.read("#{certname}.crt"))
+  revoke = OpenSSL::X509::Revoked.new.tap {|rev|
+    rev.serial = cert.serial
+    rev.time = Time.now
+  }
+  crl.next_update = time_after_days(EXPIRE['crl'])
+  crl.add_revoked(revoke)
+  update_crl(crl, '')
+  %w[crt key].each {|ext| File.delete "#{certname}.#{ext}" }
+end
+
+def gen_crl(ca_pass)
+  return if File.exist? CRL_FILE
+
+  crl = OpenSSL::X509::CRL.new
+  crl.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  update_crl(crl, ca_pass)
+end
+
+def update_crl(crl, ca_pass)
+  ca_key = unencrypt_ca_key(ca_pass)
+  crl.last_update = Time.now
+  crl.next_update = time_after_days(EXPIRE['crl'])
+  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
+  File.open(CRL_FILE, 'w') {|f| f.write crl.to_pem }
+end
+
+def new_serial
+  File.read(SERIAL_FILE).to_i + 1
+rescue Errno::ENOENT
+  0
 end
 
 def create_dir(name)

data/lib/version.rb

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-::VERSION = '0.7.7'
+::VERSION = '0.8.4'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ovpn-key
 version: !ruby/object:Gem::Version
-  version: 0.7.7
+  version: 0.8.4
 platform: ruby
 authors:
 - Vasily Korytov
@@ -35,10 +35,6 @@ files:
 - NOTICE
 - README.md
 - bin/ovpn-key
-- defaults/meta/index.txt
-- defaults/meta/index.txt.attr
-- defaults/meta/serial
-- defaults/openssl.ini
 - defaults/ovpn-key.yml
 - lib/functions.rb
 - lib/version.rb

data/defaults/meta/index.txt.attr

@@ -1 +0,0 @@
-unique_subject = yes

data/defaults/meta/serial

@@ -1 +0,0 @@
-00

data/defaults/openssl.ini

@@ -1,48 +0,0 @@
-[req]
-default_md = sha256
-distinguished_name = dn.ovpn
-
-[dn.ovpn]
-CN          = Certificate name (required)
-
-[ca]
-default_ca  = ca.ovpn
-
-[ca.ovpn]
-default_md  = sha256
-private_key = ca.key
-certificate = ca.crt
-database    = meta/index.txt
-serial      = meta/serial
-crl         = crl.pem
-policy      = policy.ovpn
-# create this directory if changing this value
-new_certs_dir    = certs
-default_days     = 3650
-default_crl_days = 3650
-subjectKeyIdentifier   = hash
-authorityKeyIdentifier = keyid,issuer:always
-
-[ext.ca]
-basicConstraints = CA:true
-
-[ext.server]
-basicConstraints = CA:false
-nsCertType       = server
-extendedKeyUsage = serverAuth
-keyUsage         = digitalSignature, keyEncipherment
-
-[ext.client]
-basicConstraints = CA:false
-extendedKeyUsage = clientAuth
-keyUsage         = digitalSignature
-
-[policy.ovpn]
-commonName             = supplied
-countryName            = optional
-stateOrProvinceName    = optional
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = optional
-name                   = optional
-emailAddress           = optional