ovpn-key 0.8.1 → 0.8.2
- checksums.yaml +4 -4
- data/bin/ovpn-key +2 -0
- data/lib/functions.rb +59 -33
- data/lib/version.rb +1 -1
- metadata +1 -1
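--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: af60a802bc319338bb17b74b6add7c6cd78d7bdc7a96021ad105a0928a59d491
+data.tar.gz: 3b9aef64a304187f18a963ebf703a360f5790c9705af15864372796abdb353c8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bf1d15c25d12102fa3ac5429e40fae565e6ebeb2bc4fe32edea884eca9e9ffbe58bb5a15ce979a7d5403ef0ce67ceca28e38d7da5ea54f0890d1938e4ef6015a
+data.tar.gz: 5855147ac84b0a8dc29b02b65d730a39caa46ad755ed69f92b845770d115478956045b99f40159abdb221ec2e5799abca1abd75c698a236612cfe4c10cf78421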
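--- a/data/bin/ovpn-key
+++ b/data/bin/ovpn-key
@@ -15,7 +15,9 @@ CRL_FILE = 'crl.pem'
 SERIAL_FILE = 'serial'
 
 options = {}
+# rubocop:disable Metrics/BlockLength
 OptionParser.new do |opts|
+  # rubocop:enable Metrics/BlockLength
   opts.banner = "Usage: #{File.basename $PROGRAM_NAME} <options> [--nopass]"
   opts.on('--init [directory]', 'Init a CA directory (defaults to current)') do |v|
     options[:init] = v || '.'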
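--- a/data/lib/functions.rb
+++ b/data/lib/functions.rb
@@ -26,6 +26,17 @@ def ask_password(name)
   password
 end
 
+def unencrypt_ca_key
+  begin
+    OpenSSL::PKey::RSA.new File.read('ca.key'), ''
+  rescue OpenSSL::PKey::RSAError
+    # this means the file is encrypted
+    OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
+  end
+rescue OpenSSL::PKey::RSAError
+  retry
+end
+
 def gen_and_sign(type, certname, password)
   gen_key(certname, password)
   sign_key(type, certname, password)
@@ -39,36 +50,47 @@ def gen_key(certname, password)
 end
 
 # type is one of: 'ca', 'server', 'client'
-# rubocop:disable Naming/MethodParameterName
 def sign_key(type, cn, password)
-  # rubocop:enable Naming/MethodParameterName
   certname = type == 'ca' ? 'ca' : cn
   key = OpenSSL::PKey::RSA.new File.read("#{certname}.key"), password
-
-
-
-
-
-
+  serial = new_serial
+  cert = gen_cert(type, cn, key, serial)
+
+  ca_key = type == 'ca' ? key : unencrypt_ca_key
+  cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
+
+  File.open(SERIAL_FILE, 'w') {|f| f.write serial }
+  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+end
+
+def gen_cert(type, cn, key, serial)
+  cert = basic_cert(type, cn)
+  cert.public_key = key.public_key
+  cert.serial = serial
+
+  customize_cert(type, cert)
+end
 
+# rubocop:disable Metrics/AbcSize
+def basic_cert(type, cn)
+  # rubocop:enable Metrics/AbcSize
+  subj = OpenSSL::X509::Name.new([['CN', cn]] + REQ.to_a)
   cert = OpenSSL::X509::Certificate.new
+
   cert.version = 2
-  cert.serial = serial
-  cert.not_before = Time.now
-  cert.not_after =
-    Time.now +
-    case type
-    when 'ca'
-      EXPIRE['ca']
-    when 'server'
-      EXPIRE['server']
-    when 'client'
-      EXPIRE['client']
-    # days to seconds
-    end * 86_400
-  cert.public_key = key.public_key
   cert.subject = subj
   cert.issuer = OpenSSL::X509::Name.new([['CN', CN_CA]] + REQ.to_a)
+  cert.not_before = Time.now
+  cert.not_after = Time.now + EXPIRE[type] * 86_400 # days to seconds
+
+  cert
+end
+
+# rubocop:disable Metrics/MethodLength
+# rubocop:disable Metrics/AbcSize
+def customize_cert(type, cert)
+  # rubocop:enable Metrics/AbcSize
+  # rubocop:enable Metrics/MethodLength
 
   ef = OpenSSL::X509::ExtensionFactory.new nil, cert
   ef.issuer_certificate = cert
@@ -80,7 +102,6 @@ def sign_key(type, cn, password)
   case type
   when 'ca'
     cert.add_extension ef.create_extension('keyUsage', 'cRLSign,keyCertSign')
-    cert.sign key, OpenSSL::Digest.new(DIGEST)
   when 'server'
     cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,digitalSignature')
     cert.add_extension ef.create_extension('extendedKeyUsage', 'serverAuth')
@@ -88,20 +109,15 @@ def sign_key(type, cn, password)
     cert.add_extension ef.create_extension('keyUsage', 'digitalSignature')
     cert.add_extension ef.create_extension('extendedKeyUsage', 'clientAuth')
   end
-  unless type == 'ca'
-    ca_key = begin
-      OpenSSL::PKey::RSA.new File.read('ca.key'), ask_password('ca')
-    rescue OpenSSL::PKey::RSAError
-      retry
-    end
-    cert.sign ca_key, OpenSSL::Digest.new(DIGEST)
-  end
 
-
-  File.open("#{certname}.crt", 'w') {|f| f.write cert.to_pem }
+  cert
 end
 
+# rubocop:disable Metrics/AbcSize
+# rubocop:disable Metrics/MethodLength
 def revoke(certname)
+  # rubocop:enable Metrics/AbcSize
+  # rubocop:enable Metrics/MethodLength
   crl = OpenSSL::X509::CRL.new(File.read(CRL_FILE))
   cert = OpenSSL::X509::Certificate.new(File.read("#{certname}.crt"))
   revoke = OpenSSL::X509::Revoked.new.tap {|rev|
@@ -127,7 +143,9 @@ def gen_crl(ca_pass)
   update_crl(crl, ca_pass)
 end
 
+# rubocop:disable Metrics/AbcSize
 def update_crl(crl, ca_pass)
+  # rubocop:enable Metrics/AbcSize
   ca_key = OpenSSL::PKey::RSA.new File.read('ca.key'), ca_pass
   crl.last_update = Time.now
   crl.next_update = Time.now + EXPIRE['crl'] * 86_400 # days to seconds
@@ -136,6 +154,14 @@ def update_crl(crl, ca_pass)
   File.open(CRL_FILE, 'w') {|f| f.write crl.to_pem }
 end
 
+def new_serial
+  begin
+    File.read(SERIAL_FILE).to_i
+  rescue Errno::ENOENT
+    0
+  end + 1
+end
+
 def create_dir(name)
   return if Dir.exist? name
 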
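Review bot: `new_serial` (new lines 157-163) parses the serial file with `to_i`, so a truncated or corrupted `SERIAL_FILE` silently yields 0 and the next certificate is issued with serial 1 again; duplicate serials under one CA are invalid X.509 and make CRL entries, which identify certificates by serial, ambiguous for `revoke`. Prefer the strict parse `Integer(File.read(SERIAL_FILE))` inside the existing `rescue Errno::ENOENT`, so a damaged counter file fails loudly instead of resetting. In the same spirit, `unencrypt_ca_key` (new lines 29-38) retries without bound on `OpenSSL::PKey::RSAError`, which is also raised for a malformed or non-RSA `ca.key`, not only for a wrong passphrase; a bounded attempt counter, or re-raising when the empty-passphrase attempt and the prompted attempt fail the same way, would avoid an endless prompt loop. `sign_key` also writes `SERIAL_FILE` only after the certificate is signed and before `"#{certname}.crt"` is written, so a failure between the two leaves a consumed serial with no certificate; worth a one-line comment such as `# serial is consumed even if writing the .crt fails`.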
data/lib/version.rb
CHANGED