RubyGems - ovpn-key - Versions diffs - 0.7.7 → 0.8 - Mend

ovpn-key 0.7.7 → 0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13681f4cf8c6abc0badce3feceacf4ce489daab4ff9ea7b177bdca7c3fe983ed
-  data.tar.gz: 621ad232db5032b90b1b631f7765dc15aca7b8131465bb2658408c13a7c1d8b0
+  metadata.gz: ecf480dc290e372a3b081ebc12dceb82e2f0ca22ea508cbbe622e8e1ce80b58f
+  data.tar.gz: 585a28ba43b652afd0add8b912a8ff0590ad99ffcb96abcb9929c8ca488c03b1
 SHA512:
-  metadata.gz: cc2d031bd9f8a595fa1efd862c2e5e371643928d34c7d7398db179466b655e48d412dd5494cfc6d705e614114846acbcce717b1117026df685bac5a4eb6e65b7
-  data.tar.gz: d31fd3d8936ab9bbd94daed1db9f2334925e073dfb9319d6d96aabfa1db566bd2f340144dd0190ee27ee2652d64ef70d59e6c0a6a1c63af6392dfdba0191073e
+  metadata.gz: 47783d3b02d6948cb19fc4434dff11a980c0fc9f22675a66d2cc6fc34423be7e7b2dc6b4e46f420eaa85755ef14ca8e787dddaa30eacd707837033138239753f
+  data.tar.gz: 405a4389cf9b26a8a8cf6e4e615a04dc2bcf80b6fe71ed7b22c3380c3e5d215e70bab5d3ef8ba78eab20e94e19e74d1dd3c58fe47e118760cae842fbfc1e7c40

data/NOTICE CHANGED Viewed

@@ -1,6 +1,6 @@
 ovpn-key: https://github.com/chillum/ovpn-key
-Copyright 2018 Vasily Korytov
+Copyright 2018-2021 Vasily Korytov
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this software except in compliance with the License.

data/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 This utility is designed as [easy-rsa](https://github.com/OpenVPN/easy-rsa) replacement suitable for one exact use case.
-It's basically a wrapper around `openssl` to:
+It's basically a wrapper around OpenSSL API to:
 * create a self-signed CA
 * create client and server certificates and pack them to ZIP files along with the OpenVPN config
 * revoke the certificates
@@ -28,7 +28,7 @@ If you're brave, [let me know](https://github.com/chillum/ovpn-key/issues), wher
 ### Usage
 1. `ovpn-key --init`
-2. edit `ovpn-key.yml` and `openssl.ini`
+2. edit `ovpn-key.yml`
 3. `ovpn-key --ca --dh`
 4. `ovpn-key --server --nopass`
 5. `ovpn-key --client somebody [--nopass]`

data/bin/ovpn-key CHANGED Viewed

@@ -1,15 +1,18 @@
-#! /usr/bin/env ruby
+#! /usr/bin/env ruby -w
 # frozen_string_literal: true
-require 'optparse'
 require 'fileutils'
+require 'io/console'
+require 'openssl'
+require 'optparse'
 require 'yaml'
 require 'zip'
 require_relative '../lib/version'
 require_relative '../lib/functions'
-SSL_CONF = 'openssl.ini'
 APP_CONF = 'ovpn-key.yml'
+CRL_FILE = 'crl.pem'
+SERIAL_FILE = 'serial'
 options = {}
 OptionParser.new do |opts|
@@ -41,7 +44,7 @@ OptionParser.new do |opts|
     check_client(v)
     options[:generate_zip] = v
   end
-  opts.on('--revoke [name]', 'Revoke a certificate (using crl.pem) and delete it') do |v|
+  opts.on("--revoke [name]', 'Revoke a certificate (using #{CRL_FILE}) and delete it") do |v|
     abort 'Please specify what certificate to revoke' unless v
     options[:revoke] = v
   end
@@ -67,13 +70,10 @@ if options[:init]
     create_dir options[:init]
     Dir.chdir options[:init]
   end
-  %w[certs meta].each {|dir| create_dir dir}
-  ['meta/index.txt', 'meta/index.txt.attr', 'meta/serial', SSL_CONF, APP_CONF].each {|file|
-    unless File.exist? file
-      FileUtils.copy_file(File.expand_path("defaults/#{file}", "#{__dir__}/.."), "./#{file}")
-      puts "Created file: #{file}"
-    end
-  }
+  unless File.exist? APP_CONF
+    FileUtils.copy_file(File.expand_path("defaults/#{APP_CONF}", "#{__dir__}/.."), "./#{APP_CONF}")
+    puts "Created file: #{APP_CONF}"
+  end
 elsif !File.exist? APP_CONF
   begin
     rc = YAML.load_file(File.expand_path("~/.#{APP_CONF}"))
@@ -90,29 +90,78 @@ rescue Errno::ENOENT
 end
 ZIP_DIR  = settings['zip_dir']  || '~'
 OPENVPN  = settings['openvpn']  || 'openvpn'
-OPENSSL  = settings['openssl']  || 'openssl'
 ENCRYPT  = settings['encrypt']  || 'aes128'
+DIGEST   = settings['digest']   || 'sha256'
 KEY_SIZE = settings['key_size'] || 2048
-CA_DAYS  = settings['ca_days']  || 3650
 CN_CA    = settings['ca_name']  || 'Certification Authority'
-REQ      = settings['details']
+unless settings['ca_days'].nil?
+  if settings['expire'].nil?
+    puts 'Migrating pre-0.8 configuration to new format: ca_days'
+    puts "WARNING: if you tweaked `default_days` or `default_days_crl` in #{SSL_CONF}, edit #{APP_CONF}"
+    File.open(APP_CONF, 'a') do |f|
+      f.write "# ca_days is not used anymore, you can remove it\nexpire:\n"
+      f.write "  ca:     #{settings['ca_days']}\n  crl:    3650\n  server: 3650\n  client: 3650\n"
+    end
+  else
+    puts "WARNING: `ca_days` setting is deprecated, remove it from #{APP_CONF}"
+  end
+end
+settings['expire']           ||= {}
+settings['expire']['ca']     ||= settings['ca_days'] || 3650
+settings['expire']['crl']    ||= 3650
+settings['expire']['server'] ||= 3650
+settings['expire']['client'] ||= 3650
+EXPIRE = settings['expire']
+if settings['x509'].nil? && !settings['details'].nil?
+  puts 'Migrating pre-0.8 configuration to new format: details'
+  REQ = OpenSSL::X509::Name.parse(settings['details']).to_a
+  File.open(APP_CONF, 'a') do |f|
+    f.write "# details is not used anymore, you can remove it\nx509:\n"
+    REQ.map {|i, j| f.write "  #{i}: #{j}\n" }
+  end
+else
+  REQ = settings['x509']
+  puts "WARNING: `details` section is deprecated, remove it from #{APP_CONF}" unless settings['details'].nil?
+end
+if settings['openssl']
+  puts "WARNING: `openssl` setting is deprecated, remove it from #{APP_CONF}"
+end
+if !File.exist?(SERIAL_FILE) && File.exist?('meta/serial')
+  FileUtils.copy_file('meta/serial', SERIAL_FILE)
+  puts 'Copied meta/serial to serial'
+end
+%w[certs meta].each {|dir|
+  puts "WARNING: #{dir} directory is not used anymore. you can remove it" if File.exist? dir
+}
+if File.exist? 'openssl.ini'
+  puts 'WARNING: openssl.ini file is not used anymore. you can remove it'
+end
 if options[:generate_ca]
-  gen_key('ca', options[:no_password])
-  sign_key('ca', 'ca', CN_CA)
-  gen_crl
+  ca_pass = options[:no_password] ? nil : ask_password('ca')
+  gen_key('ca', ca_pass)
+  sign_key('ca', CN_CA, ca_pass)
+  gen_crl(ca_pass)
 end
 if options[:generate_dh]
-  exe "#{OPENSSL} dhparam -out dh.pem #{KEY_SIZE}"
+  File.open('dh.pem', 'w') do |f|
+    print 'Generating dh.pem. This will take a while'
+    f.write OpenSSL::PKey::DH.new(KEY_SIZE)
+    puts '. Done'
+  end
 end
 if options[:generate_static]
   exe "#{OPENVPN} --genkey --secret ta.key"
 end
 if options[:generate_server]
-  gen_and_sign('server', options[:generate_server], options[:no_password])
+  gen_and_sign('server', options[:generate_server], options[:no_password] ? nil : ask_password(options[:generate_server]))
 end
 if options[:generate_client]
-  gen_and_sign('client', options[:generate_client], options[:no_password])
+  gen_and_sign('client', options[:generate_client], options[:no_password] ? nil : ask_password(options[:generate_client]))
 end
 if options[:generate_zip]
   ovpn_files = Dir['*.ovpn']
@@ -125,14 +174,14 @@ if options[:generate_zip]
     abort 'More than one .ovpn files in current directory, aborting'
   end
-  gen_and_sign('client', options[:generate_zip], options[:no_password])
+  gen_and_sign('client', options[:generate_zip], options[:no_password] ? nil : ask_password(options[:generate_zip]))
   zip_file = File.join(File.expand_path(ZIP_DIR), "#{File.basename ovpn_file, '.ovpn'}.tblk.zip")
   File.delete(zip_file) if File.exist?(zip_file)
   File.umask umask
   Zip::File.open(zip_file, Zip::File::CREATE) do |zip|
     zip.get_output_stream(ovpn_file) {|f|
-      File.open(ovpn_file).each {|line| f.write line}
+      f.write File.read(ovpn_file)
       f.write "cert #{options[:generate_zip]}.crt\nkey #{options[:generate_zip]}.key\n"
     }
     ['ca.crt', "#{options[:generate_zip]}.crt", "#{options[:generate_zip]}.key"].each {|i|
@@ -142,7 +191,5 @@ if options[:generate_zip]
   end
 end
 if options[:revoke]
-  exe "#{OPENSSL} ca -revoke '#{options[:revoke]}.crt' -config #{SSL_CONF}"
-  gen_crl
-  %w[crt key].each {|ext| File.delete "#{options[:revoke]}.#{ext}"}
+  revoke(options[:revoke])
 end

data/defaults/ovpn-key.yml CHANGED Viewed

@@ -1,8 +1,17 @@
 zip_dir:  '~'
 openvpn:  openvpn
-openssl:  openssl
-encrypt:  aes128
+encrypt:  AES128
+digest:   SHA256
 key_size: 2048
-ca_days:  3650
+expire: # days
+  ca:     3650
+  crl:    3650
+  server: 3650
+  client: 3650
 ca_name:  Certification Authority
-details:  /C=US/ST=CA/L=San Francisco/O=Dva Debila/OU=OpenVPN
+x509:
+  C:  US
+  ST: CA
+  L:  San Francisco
+  O:  Dva Debila
+  OU: OpenVPN

data/lib/functions.rb CHANGED Viewed

@@ -12,34 +12,128 @@ def check_client(name)
 end
 def exe(cmd)
-  system(cmd) or abort "error executing: #{cmd}"
+  system(cmd) || abort("error executing: #{cmd}")
 end
-def gen_and_sign(type, certname, no_password)
-  gen_key(certname, no_password)
-  sign_key(type, certname, certname)
+def ask_password(name)
+  password = ''
+  loop do
+    print "Enter password for #{name}.key: "
+    password = $stdin.noecho(&:gets).chomp
+    puts # trailing newline
+    break unless password.empty?
+  end
+  password
+end
+def gen_and_sign(type, certname, password)
+  gen_key(certname, password)
+  sign_key(type, certname, password)
 end
-def gen_key(certname, no_password)
-  if no_password
-    exe "#{OPENSSL} genrsa -out '#{certname}.key' #{KEY_SIZE}"
-  else
-    exe "#{OPENSSL} genrsa -#{ENCRYPT} -out '#{certname}.key' #{KEY_SIZE}"
+def gen_key(certname, password)
+  key = OpenSSL::PKey::RSA.new(KEY_SIZE)
+  File.open("#{certname}.key", 'w') do |f|
+    f.write password ? key.to_pem(OpenSSL::Cipher.new(ENCRYPT), password) : key
   end
 end
-def sign_key(type, certname, cn)
-  if certname == 'ca'
-    exe "#{OPENSSL} req -new -x509 -key '#{certname}.key' -out '#{certname}.crt' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type} -days #{CA_DAYS}"
-  else
-    exe "#{OPENSSL} req -new -key '#{certname}.key' -out '#{certname}.csr' -config #{SSL_CONF} -subj '/CN=#{cn}#{REQ}' -extensions ext.#{type}"
-    exe "#{OPENSSL} ca -in '#{certname}.csr' -out '#{certname}.crt' -config #{SSL_CONF} -extensions ext.#{type} -batch"
-    File.delete "#{certname}.csr"
+# type is one of: 'ca', 'server', 'client'
+# rubocop:disable Naming/MethodParameterName
+def sign_key(type, cn, password)
+  # rubocop:enable Naming/MethodParameterName
+  certname = type == 'ca' ? 'ca' : cn
+  key = OpenSSL::PKey::RSA.new File.read("#{certname}.key"), password
+  subj = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
+  serial = begin
+    File.read(SERIAL_FILE).to_i
+  rescue Errno::ENOENT
+    0
+  end + 1
+  cert = OpenSSL::X509::Certificate.new
+  cert.version = 2
+  cert.serial = serial
+  cert.not_before = Time.now
+  cert.not_after =
+    Time.now +
+    case type
+    when 'ca'
+      EXPIRE['ca']
+    when 'server'
+      EXPIRE['server']
+    when 'client'
+      EXPIRE['client']
+      # days to seconds
+    end * 86_400
+  cert.public_key = key.public_key
+  cert.subject = subj
+  cert.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+  ef.issuer_certificate = cert
+  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
+  cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid,issuer:always')
+  cert.add_extension ef.create_extension('basicConstraints', type == 'ca' ? 'CA:true' : 'CA:false')
+  case type
+  when 'ca'
+    cert.add_extension ef.create_extension('keyUsage', 'cRLSign,keyCertSign')
+    cert.sign key, OpenSSL::Digest.new(DIGEST)
+  when 'server'
+    cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'serverAuth')
+  when 'client'
+    cert.add_extension ef.create_extension('keyUsage', 'digitalSignature')
+    cert.add_extension ef.create_extension('extendedKeyUsage', 'clientAuth')
   end
+  unless type == 'ca'
+    ca_key = begin
+      OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
+    rescue OpenSSL::PKey::RSAError
+      retry
+    end
+    cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
+  end
+  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
+  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+end
+def revoke(certname)
+  crl = OpenSSL::X509::CRL.new(File.read(CRL_FILE))
+  cert = OpenSSL::X509::Certificate.new(File.read("#{certname}.crt"))
+  revoke = OpenSSL::X509::Revoked.new.tap {|rev|
+    rev.serial = cert.serial
+    rev.time = Time.now
+  }
+  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
+  crl.add_revoked(revoke)
+  begin
+    update_crl(crl, ask_password('ca'))
+  rescue OpenSSL::PKey::RSAError
+    retry
+  end
+  %w[crt key].each {|ext| File.delete "#{certname}.#{ext}" }
+end
+def gen_crl(ca_pass)
+  return if File.exist? CRL_FILE
+  crl = OpenSSL::X509::CRL.new
+  crl.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  update_crl(crl, ca_pass)
 end
-def gen_crl
-  exe "#{OPENSSL} ca -gencrl -out crl.pem -config #{SSL_CONF}"
+def update_crl(crl, ca_pass)
+  ca_key = OpenSSL::PKey::RSA.new File.read('ca.key'), ca_pass
+  crl.last_update = Time.now
+  crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
+  crl.version = crl.version + 1
+  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
+  File.open(CRL_FILE, 'w') {|f| f.write crl.to_pem }
 end
 def create_dir(name)

data/lib/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
-::VERSION = '0.7.7'
+::VERSION = '0.8'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ovpn-key
 version: !ruby/object:Gem::Version
-  version: 0.7.7
+  version: '0.8'
 platform: ruby
 authors:
 - Vasily Korytov
@@ -35,10 +35,6 @@ files:
 - NOTICE
 - README.md
 - bin/ovpn-key
-- defaults/meta/index.txt
-- defaults/meta/index.txt.attr
-- defaults/meta/serial
-- defaults/openssl.ini
 - defaults/ovpn-key.yml
 - lib/functions.rb
 - lib/version.rb

data/defaults/meta/index.txt DELETED Viewed

File without changes

data/defaults/meta/index.txt.attr DELETED Viewed

	@@ -1 +0,0 @@
1	- unique_subject = yes

data/defaults/meta/serial DELETED Viewed

	@@ -1 +0,0 @@
1	- 00

data/defaults/openssl.ini DELETED Viewed

@@ -1,48 +0,0 @@
-[req]
-default_md = sha256
-distinguished_name = dn.ovpn
-[dn.ovpn]
-CN          = Certificate name (required)
-[ca]
-default_ca  = ca.ovpn
-[ca.ovpn]
-default_md  = sha256
-private_key = ca.key
-certificate = ca.crt
-database    = meta/index.txt
-serial      = meta/serial
-crl         = crl.pem
-policy      = policy.ovpn
-# create this directory if changing this value
-new_certs_dir    = certs
-default_days     = 3650
-default_crl_days = 3650
-subjectKeyIdentifier   = hash
-authorityKeyIdentifier = keyid,issuer:always
-[ext.ca]
-basicConstraints = CA:true
-[ext.server]
-basicConstraints = CA:false
-nsCertType       = server
-extendedKeyUsage = serverAuth
-keyUsage         = digitalSignature, keyEncipherment
-[ext.client]
-basicConstraints = CA:false
-extendedKeyUsage = clientAuth
-keyUsage         = digitalSignature
-[policy.ovpn]
-commonName             = supplied
-countryName            = optional
-stateOrProvinceName    = optional
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = optional
-name                   = optional
-emailAddress           = optional