ovpn-key 0.8 → 0.8.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ecf480dc290e372a3b081ebc12dceb82e2f0ca22ea508cbbe622e8e1ce80b58f
-  data.tar.gz: 585a28ba43b652afd0add8b912a8ff0590ad99ffcb96abcb9929c8ca488c03b1
+  metadata.gz: 7416051f932e40fb29c714599ad2ae7090b33dd0cf90ac31d3186993adc5a29a
+  data.tar.gz: 85b35e1706fd1ea6892363cb01caf734b7c6bf84614aac5a31d3d31c1f10bf8d
 SHA512:
-  metadata.gz: 47783d3b02d6948cb19fc4434dff11a980c0fc9f22675a66d2cc6fc34423be7e7b2dc6b4e46f420eaa85755ef14ca8e787dddaa30eacd707837033138239753f
-  data.tar.gz: 405a4389cf9b26a8a8cf6e4e615a04dc2bcf80b6fe71ed7b22c3380c3e5d215e70bab5d3ef8ba78eab20e94e19e74d1dd3c58fe47e118760cae842fbfc1e7c40
+  metadata.gz: 4c6baffe4fe1c9340cc4a2cff365eb82ea5a63aa4e943ea4aecd3bb629459558363f6fcd4621b97f287427a91f05562689ab4451915bf84b2dfde192970a6d1e
+  data.tar.gz: 4759d340ff8f701aa5f1ea2e084070dd55a9511ddd9ee0583feb6d1c51a62187661207022a6e401010f89c9435dff71df767e34bbfef5c0c42f03aec1a67e2e7

data/README.md

@@ -40,7 +40,7 @@ If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), wher
 
 ### Configuration
 
-Most of configuration is done in `open-vpn.key` and `openssl.ini` files in the directory.
+It's just a single simple YAML file named [`ovpn-key.yml`](https://github.com/chillum/ovpn-key/blob/master/defaults/ovpn-key.yml).
 
 ovpn-key also processes `~/.ovpn-key.yml` file, for now it has only one possible setting:
 ```yaml

data/bin/ovpn-key

@@ -15,7 +15,9 @@ CRL_FILE = 'crl.pem'
 SERIAL_FILE = 'serial'
 
 options = {}
+# rubocop:disable Metrics/BlockLength
 OptionParser.new do |opts|
+  # rubocop:enable Metrics/BlockLength
   opts.banner = "Usage: #{File.basename $PROGRAM_NAME} <options> [--nopass]"
   opts.on('--init [directory]', 'Init a CA directory (defaults to current)') do |v|
     options[:init] = v || '.'
@@ -44,7 +46,7 @@ OptionParser.new do |opts|
     check_client(v)
     options[:generate_zip] = v
   end
-  opts.on("--revoke [name]', 'Revoke a certificate (using #{CRL_FILE}) and delete it") do |v|
+  opts.on('--revoke [name]', "Revoke a certificate (using #{CRL_FILE}) and delete it") do |v|
     abort 'Please specify what certificate to revoke' unless v
     options[:revoke] = v
   end
@@ -63,7 +65,6 @@ if options[:generate_client] && options[:generate_zip]
   # I assume that user likely wants one of them and is confused with usage
   abort 'There can be only one: --client or --zip'
 end
-umask = File.umask 0o077
 
 if options[:init]
   unless options[:init] == '.'
@@ -178,7 +179,6 @@ if options[:generate_zip]
 
   zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
   File.delete(zip_file) if File.exist?(zip_file)
-  File.umask umask
   Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
     zip.get_output_stream(ovpn_file) {|f|
       f.write File.read(ovpn_file)

data/lib/functions.rb

@@ -26,6 +26,17 @@ def ask_password(name)
   password
 end
 
+def unencrypt_ca_key(pass = '')
+  begin
+    OpenSSL::PKey::RSA.new File.read('ca.key'), pass
+  rescue OpenSSL::PKey::RSAError
+    # this means pass is wrong, so ask for it
+    OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
+  end
+rescue OpenSSL::PKey::RSAError
+  retry
+end
+
 def gen_and_sign(type, certname, password)
   gen_key(certname, password)
   sign_key(type, certname, password)
@@ -39,36 +50,48 @@ def gen_key(certname, password)
 end
 
 # type is one of: 'ca', 'server', 'client'
-# rubocop:disable Naming/MethodParameterName
 def sign_key(type, cn, password)
-  # rubocop:enable Naming/MethodParameterName
   certname = type == 'ca' ? 'ca' : cn
   key = OpenSSL::PKey::RSA.new File.read("#{certname}.key"), password
-  subj = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
-  serial = begin
-    File.read(SERIAL_FILE).to_i
-  rescue Errno::ENOENT
-    0
-  end + 1
+  serial = new_serial
+  cert = gen_cert(type, cn, key.public_key, serial)
 
+  ca_key = type == 'ca' ? key : unencrypt_ca_key
+  cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
+
+  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
+  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+end
+
+def gen_cert(type, cn, pubkey, serial)
+  cert = basic_cert(type, cn)
+  cert.public_key = pubkey
+  cert.serial = serial
+
+  customize_cert(type, cert)
+end
+
+def basic_cert(type, cn)
   cert = OpenSSL::X509::Certificate.new
+
   cert.version = 2
-  cert.serial = serial
-  cert.not_before = Time.now
-  cert.not_after =
-    Time.now +
-    case type
-    when 'ca'
-      EXPIRE['ca']
-    when 'server'
-      EXPIRE['server']
-    when 'client'
-      EXPIRE['client']
-      # days to seconds
-    end * 86_400
-  cert.public_key = key.public_key
-  cert.subject = subj
+  cert.subject = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
   cert.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  cert.not_before = Time.now
+  cert.not_after = time_after_days(EXPIRE[type])
+
+  cert
+end
+
+def time_after_days(days)
+  Time.now + days * 86_400 # days to seconds
+end
+
+# rubocop:disable Metrics/MethodLength
+# rubocop:disable Metrics/AbcSize
+def customize_cert(type, cert)
+  # rubocop:enable Metrics/AbcSize
+  # rubocop:enable Metrics/MethodLength
 
   ef = OpenSSL::X509::ExtensionFactory.new nil, cert
   ef.issuer_certificate = cert
@@ -80,7 +103,6 @@ def sign_key(type, cn, password)
   case type
   when 'ca'
     cert.add_extension ef.create_extension('keyUsage', 'cRLSign,keyCertSign')
-    cert.sign key, OpenSSL::Digest.new(DIGEST)
   when 'server'
     cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,digitalSignature')
     cert.add_extension ef.create_extension('extendedKeyUsage', 'serverAuth')
@@ -88,34 +110,21 @@ def sign_key(type, cn, password)
     cert.add_extension ef.create_extension('keyUsage', 'digitalSignature')
     cert.add_extension ef.create_extension('extendedKeyUsage', 'clientAuth')
   end
-  unless type == 'ca'
-    ca_key = begin
-      OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
-    rescue OpenSSL::PKey::RSAError
-      retry
-    end
-    cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
-  end
-
-  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
-  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+  cert
 end
 
+# rubocop:disable Metrics/AbcSize
 def revoke(certname)
+  # rubocop:enable Metrics/AbcSize
   crl = OpenSSL::X509::CRL.new(File.read(CRL_FILE))
   cert = OpenSSL::X509::Certificate.new(File.read("#{certname}.crt"))
   revoke = OpenSSL::X509::Revoked.new.tap {|rev|
     rev.serial = cert.serial
     rev.time = Time.now
   }
-  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
+  crl.next_update = time_after_days(EXPIRE['crl'])
   crl.add_revoked(revoke)
-  begin
-    update_crl(crl, ask_password('ca'))
-  rescue OpenSSL::PKey::RSAError
-    retry
-  end
-
+  update_crl(crl, '')
   %w[crt key].each {|ext| File.delete "#{certname}.#{ext}" }
 end
 
@@ -128,14 +137,19 @@ def gen_crl(ca_pass)
 end
 
 def update_crl(crl, ca_pass)
-  ca_key = OpenSSL::PKey::RSA.new File.read('ca.key'), ca_pass
+  ca_key = unencrypt_ca_key(ca_pass)
   crl.last_update = Time.now
-  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
-  crl.version = crl.version + 1
+  crl.next_update = time_after_days(EXPIRE['crl'])
   crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
   File.open(CRL_FILE, 'w') {|f| f.write crl.to_pem }
 end
 
+def new_serial
+  File.read(SERIAL_FILE).to_i + 1
+rescue Errno::ENOENT
+  0
+end
+
 def create_dir(name)
   return if Dir.exist? name
 

data/lib/version.rb

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-::VERSION = '0.8'
+::VERSION = '0.8.5'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ovpn-key
 version: !ruby/object:Gem::Version
-  version: '0.8'
+  version: 0.8.5
 platform: ruby
 authors:
 - Vasily Korytov
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-08 00:00:00.000000000 Z
+date: 2021-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubyzip