tls-cookbook-cli 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f229793f288565888b208f802076074a4f17c3de
+  data.tar.gz: 222c9728bc5b935a0d4c737596a5f91b70d99c41
+SHA512:
+  metadata.gz: b534f591efd00f47c6e3ba21be967f59747bf9da57a4e0f42cfc0c979395ab8473057987c8ebbfa35477e16301a840574c1ae6de5dfb1f20006b4fc1894ceb42
+  data.tar.gz: dee4a11547884ca1f1450589529f2db457388240c03e17e55b0e4e377463273c4795503d38a9806e8a3e89bb28ada83d6da021bdc9848a1a1065e7a53458b569

data/bin/tls-cookbook-cli

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require 'tls/cli'
+::ChefCookbook::TLS::CLI::Main.start(ARGV)

data/lib/tls/cli.rb

@@ -0,0 +1 @@
+require 'tls/cli/main'

data/lib/tls/cli/helpers.rb

@@ -0,0 +1,195 @@
+require 'thor'
+require 'openssl'
+require 'date'
+require 'digest'
+require 'base64'
+
+module ChefCookbook
+  module TLS
+    module CLI
+      module Helpers
+        def self.valid_key_file?(key_file)
+          key = nil
+          if ::File.exist?(key_file)
+            begin
+              key = ::OpenSSL::PKey.read(::IO.read(key_file))
+            rescue ::OpenSSL::PKey::PKeyError
+              key = nil
+            end
+          end
+
+          !key.nil?
+        end
+
+        def self.valid_certificate_file?(cert_file)
+          cert = nil
+          if ::File.exist?(cert_file)
+            cert = ::OpenSSL::X509::Certificate.new(::IO.read(cert_file))
+          end
+
+          !cert.nil?
+        end
+
+        def self.valid_certificate_directory?(path)
+          valid_key_file?(::File.join(path, 'server.key')) &&
+          valid_certificate_file?(::File.join(path, 'server.crt')) &&
+          ::File.exist?(::File.join(path, 'server.chain.crt')) &&
+          ::File.exist?(::File.join(path, 'server.fullchain.crt'))
+        end
+
+        def self.valid_next_directory?(path)
+          valid_key_file?(::File.join(path, 'server.key'))
+        end
+
+        def self.valid_directory?(path)
+          certificate_dir_regexp = /^\d{4}-\d{2}-\d{2}$/
+          has_next_dir = false
+          has_certificate_dir = false
+          dir = ::Dir.new(path)
+          dir.each do |x|
+            subdir_path = ::File.join(path, x)
+            if ::File.directory?(subdir_path)
+              if x == 'next'
+                has_next_dir = valid_next_directory?(subdir_path)
+              end
+
+              if !has_certificate_dir && !certificate_dir_regexp.match(x).nil?
+                has_certificate_dir = valid_certificate_directory?(subdir_path)
+              end
+            end
+          end
+
+          has_next_dir && has_certificate_dir
+        end
+
+        def self.list_entries(pwd)
+          dir = ::Dir.new(pwd)
+          stop_list = %w(
+            .
+            ..
+            .emergency
+          )
+          dir.select do |x|
+            path = ::File.join(pwd, x)
+            !stop_list.include?(x) && ::File.directory?(path) && valid_directory?(path)
+          end
+        end
+
+        def self.get_possible_items(path)
+          dir = ::Dir.new(path)
+          certificate_dir_regexp = /^\d{4}-\d{2}-\d{2}$/
+          dir.select do |x|
+            subdir_path = ::File.join(path, x)
+            ::File.directory?(subdir_path) && !certificate_dir_regexp.match(x).nil? && valid_certificate_directory?(subdir_path)
+          end
+        end
+
+        def self.find_valid_item(path)
+          get_possible_items(path).max_by do |x|
+            ::Date.parse(x)
+          end
+        end
+
+        def self.get_private_key(pwd, entry_name, item_name)
+          path = ::File.join(pwd, entry_name, item_name, 'server.key')
+          return ::IO.read(path).strip
+        end
+
+        def self.get_certificates(path)
+          certificates = []
+          ::IO.readlines(path).each do |ln|
+            if ln == "-----BEGIN CERTIFICATE-----\n"
+              certificates << ln
+            else
+              certificates[-1] += ln
+            end
+          end
+
+          certificates.map { |x| x.strip }
+        end
+
+        def self.get_fullchain(pwd, entry_name, item_name)
+          fullchain_file = ::File.join(pwd, entry_name, item_name, 'server.fullchain.crt')
+          get_certificates(fullchain_file)
+        end
+
+        def self.get_domain_list(pwd, entry_name, item_name)
+          cert_file = ::File.join(pwd, entry_name, item_name, 'server.crt')
+          cert = ::OpenSSL::X509::Certificate.new(::IO.read(cert_file))
+          domains = []
+
+          cert.extensions.each do |x|
+            if x.oid == 'subjectAltName'
+              domains += x.value.split(',').map { |x| x.split(':')[1] }
+            end
+          end
+
+          domains
+        end
+
+        def self.get_hpkp_pin(key_file)
+          key = ::OpenSSL::PKey.read(::IO.read(key_file))
+          public_key = nil
+          if key.class == ::OpenSSL::PKey::RSA
+            public_key = key.public_key
+          elsif key.class == ::OpenSSL::PKey::EC
+            public_key = ::OpenSSL::PKey::EC.new(key.group.curve_name)
+            public_key.public_key = key.public_key
+          end
+
+          ::Digest::SHA256.base64digest(public_key.to_der)
+        end
+
+        def self.get_hpkp_pin_list(pwd, entry_name, item_name)
+          pin_list = []
+          main_key_file = ::File.join(pwd, entry_name, item_name, 'server.key')
+          pin_list << get_hpkp_pin(main_key_file)
+
+          emergency_key_file = nil
+          key = ::OpenSSL::PKey.read(::IO.read(main_key_file))
+          if key.class == ::OpenSSL::PKey::RSA
+            emergency_key_file = ::File.join(pwd, '.emergency', 'rsa', 'server.key')
+          elsif key.class == ::OpenSSL::PKey::EC
+            emergency_key_file = ::File.join(pwd, '.emergency', 'ec', 'server.key')
+          end
+          if !emergency_key_file.nil? && ::File.file?(emergency_key_file)
+            pin_list.unshift(get_hpkp_pin(emergency_key_file))
+          end
+
+          next_key_file = ::File.join(pwd, entry_name, 'next', 'server.key')
+          pin_list << get_hpkp_pin(next_key_file)
+
+          pin_list
+        end
+
+        def self.get_scts(pwd, entry_name, item_name)
+          scts_dir = ::File.join(pwd, entry_name, item_name, 'scts')
+          h = {}
+          if ::File.directory?(scts_dir)
+            ::Dir.new(scts_dir).each do |x|
+              path = ::File.join(scts_dir, x)
+              if ::File.file?(path) && ::File.extname(path) == '.sct'
+                log_name = ::File.basename(path, '.sct')
+                h[log_name] = ::Base64.strict_encode64(::IO.read(path))
+              end
+            end
+          end
+
+          h
+        end
+
+        def self.jsonify_entry(pwd, entry_name)
+          item_name = find_valid_item(::File.join(pwd, entry_name))
+          {
+            name: entry_name,
+            domains: get_domain_list(pwd, entry_name, item_name),
+            chain: get_fullchain(pwd, entry_name, item_name),
+            private_key: get_private_key(pwd, entry_name, item_name),
+            hpkp_pins: get_hpkp_pin_list(pwd, entry_name, item_name),
+            scts: get_scts(pwd, entry_name, item_name)
+          }
+        end
+      end
+    end
+  end
+end

data/lib/tls/cli/main.rb

@@ -0,0 +1,30 @@
+require 'thor'
+require 'json'
+require 'tls/cli/helpers'
+
+module ChefCookbook
+  module TLS
+    module CLI
+      class Main < ::Thor
+        desc 'list', 'List directory'
+        option :pwd
+        def list
+          pwd = options[:pwd] || ::Dir.pwd
+          puts ::ChefCookbook::TLS::CLI::Helpers.list_entries(pwd)
+        end
+
+        desc 'jsonify ENTRY_NAME', 'Present ENTRY_NAME in JSON format'
+        option :pwd
+        def jsonify(entry_name)
+          pwd = options[:pwd] || ::Dir.pwd
+          puts ::JSON.pretty_generate(
+            ::ChefCookbook::TLS::CLI::Helpers.jsonify_entry(
+              pwd,
+              entry_name
+            )
+          )
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,90 @@
+--- !ruby/object:Gem::Specification
+name: tls-cookbook-cli
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Alexander Pyatkin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: TLS Cookbook CLI
+email: aspyatkin@gmail.com
+executables:
+- tls-cookbook-cli
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/tls-cookbook-cli
+- lib/tls/cli.rb
+- lib/tls/cli/helpers.rb
+- lib/tls/cli/main.rb
+homepage: https://github.com/aspyatkin/tls-cookbook-cli
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: TLS Cookbook CLI
+test_files: []