trocla 0.1.2 → 0.2.0

data/lib/trocla.rb

@@ -2,9 +2,9 @@ require 'trocla/version'
 require 'trocla/util'
 require 'trocla/formats'
 require 'trocla/encryptions'
+require 'trocla/stores'
 
 class Trocla
-
   def initialize(config_file=nil)
     if config_file
       @config_file = File.expand_path(config_file)
@@ -14,7 +14,14 @@ class Trocla
   end
 
   def password(key,format,options={})
+    # respect a default profile, but let the
+    # profiles win over the default options
+    options['profiles'] ||= config['options']['profiles']
+    if options['profiles']
+      options = merge_profiles(options['profiles']).merge(options)
+    end
     options = config['options'].merge(options)
+
     raise "Format #{format} is not supported! Supported formats: #{Trocla::Formats.all.join(', ')}" unless Trocla::Formats::available?(format)
 
     unless (password=get_password(key,format)).nil?
@@ -24,39 +31,36 @@ class Trocla
     plain_pwd = get_password(key,'plain')
     if options['random'] && plain_pwd.nil?
       plain_pwd = Trocla::Util.random_str(options['length'].to_i,options['charset'])
-      set_password(key,'plain',plain_pwd) unless format == 'plain'
+      set_password(key,'plain',plain_pwd,options) unless format == 'plain'
     elsif !options['random'] && plain_pwd.nil?
       raise "Password must be present as plaintext if you don't want a random password"
     end
-    set_password(key,format,self.formats(format).format(plain_pwd,options))
+    set_password(key,format,self.formats(format).format(plain_pwd,options),options)
   end
 
   def get_password(key, format)
-    decrypt(cache.fetch(key, {})[format])
+    decrypt(store.get(key,format))
   end
 
   def reset_password(key,format,options={})
-    set_password(key,format,nil)
+    set_password(key,format,nil,options)
     password(key,format,options)
   end
 
   def delete_password(key,format=nil)
-    if format.nil?
-      decrypt(cache.delete(key))
+    v = store.delete(key,format)
+    if v.is_a?(Hash)
+      Hash[*v.map do |f,encrypted_value|
+        [f,decrypt(encrypted_value)]
+      end.flatten]
     else
-      old_val = (h = cache.fetch(key,{})).delete(format)
-      h.empty? ? cache.delete(key) : cache[key] = h
-      decrypt(old_val)
+      decrypt(v)
     end
   end
 
-  def set_password(key,format,password)
-    if (format == 'plain')
-      h = (cache[key] = { 'plain' => encrypt(password) })
-    else
-      h = (cache[key] = cache.fetch(key,{}).merge({ format => encrypt(password) }))
-    end
-    decrypt h[format]
+  def set_password(key,format,password,options={})
+    store.set(key,format,encrypt(password),options)
+    password
   end
 
   def formats(format)
@@ -64,10 +68,7 @@ class Trocla
   end
 
   def encryption
-    enc = config['encryption']
-    enc ||= :none
-    @encryption ||= Trocla::Encryptions[enc].new(self)
-    @encryption
+    @encryption ||= Trocla::Encryptions[config['encryption']].new(config['encryption_options'],self)
   end
 
   def config
@@ -75,14 +76,19 @@ class Trocla
   end
 
   private
-  def cache
-    @cache ||= build_cache
+  def store
+    @store ||= build_store
   end
 
-  def build_cache
-    require 'moneta'
-    lconfig = config
-    Moneta.new(lconfig['adapter'], lconfig['adapter_options']||{})
+  def build_store
+    s = config['store']
+    clazz = if s.is_a?(Symbol)
+      Trocla::Stores[s]
+    else
+      require config['store_require'] if config['store_require']
+      eval(s)
+    end
+    clazz.new(config['store_options'],self)
   end
 
   def read_config
@@ -90,7 +96,14 @@ class Trocla
       default_config
     else
       raise "Configfile #{@config_file} does not exist!" unless File.exists?(@config_file)
-      default_config.merge(YAML.load(File.read(@config_file)))
+      c = default_config.merge(YAML.load(File.read(@config_file)))
+      c['profiles'] = default_config['profiles'].merge(c['profiles'])
+      # migrate all options to new store options
+      # TODO: remove workaround in 0.3.0
+      c['store_options']['adapter'] = c['adapter'] if c['adapter']
+      c['store_options']['adapter_options'] = c['adapter_options'] if c['adapter_options']
+      c['encryption_options'] = c['ssl_options'] if c['ssl_options']
+      c
     end
   end
 
@@ -108,4 +121,11 @@ class Trocla
     YAML.load(File.read(File.expand_path(File.join(File.dirname(__FILE__),'trocla','default_config.yaml'))))
   end
 
+  def merge_profiles(profiles)
+    Array(profiles).inject({}) do |res,profile|
+      raise "No such profile #{profile} defined" unless profile_hash = config['profiles'][profile]
+      profile_hash.merge(res)
+    end
+  end
+
 end

data/lib/trocla/default_config.yaml

@@ -1,8 +1,37 @@
 ---
+store: :moneta
+store_options:
+  adapter: :YAML
+  adapter_options:
+    :file: '/tmp/trocla.yaml'
+
+encryption: :none
 options:
     random: true
-    length: 12
+    length: 16
     charset: default
-adapter: :YAML
-adapter_options:
-    :file: '/tmp/trocla.yaml'
+
+profiles:
+  rootpw:
+    charset: consolesafe
+    length: 32
+  mysql:
+    charset: shellsafe
+    length: 32
+  login:
+    charset: consolesafe
+    length: 16
+  x509long:
+    # 5 years
+    days: 1825
+    # 1800 days
+    expires: 155520000
+  x509auto:
+    days: 40
+    # 30 days
+    expires: 2592000
+  x509short:
+    days: 2
+    # 1 day
+    expires: 86400
+

data/lib/trocla/encryptions.rb

@@ -1,9 +1,10 @@
 class Trocla::Encryptions
 
   class Base
-    attr_reader :trocla
-    def initialize(trocla)
+    attr_reader :trocla, :config
+    def initialize(config, trocla)
       @trocla = trocla
+      @config = config
     end
 
     def encrypt(value)

data/lib/trocla/encryptions/ssl.rb

@@ -25,19 +25,17 @@ class Trocla::Encryptions::Ssl < Trocla::Encryptions::Base
   end
 
   def private_key
-      pass = nil
-      file = require_option(:private_key)
-      @private_key ||= OpenSSL::PKey::RSA.new(File.read(file), nil)
+      @private_key ||= begin
+        file = require_option(:private_key)
+        OpenSSL::PKey::RSA.new(File.read(file), nil)
+      end
   end
 
   def public_key
-      file = require_option(:public_key)
-      @public_key ||= OpenSSL::PKey::RSA.new(File.read(file), nil)
-  end
-
-  def config
-    @config = @trocla.config['ssl_options']
-    @config ||= Hash.new
+      @public_key ||= begin
+        file = require_option(:public_key)
+        OpenSSL::PKey::RSA.new(File.read(file), nil)
+      end
   end
 
   def option(key)

data/lib/trocla/formats/x509.rb

@@ -1,5 +1,5 @@
+require 'openssl'
 class Trocla::Formats::X509 < Trocla::Formats::Base
-  require 'openssl'
   def format(plain_password,options={})
 
     if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----.*-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/m)
@@ -7,10 +7,15 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       return plain_password
     end
 
+    cn = nil
     if options['subject']
       subject = options['subject']
+      if cna = OpenSSL::X509::Name.parse(subject).to_a.find{|e| e[0] == 'CN' }
+        cn = cna[1]
+      end
     elsif options['CN']
       subject = ''
+      cn = options['CN']
       ['C','ST','L','O','OU','CN','emailAddress'].each do |field|
         subject << "/#{field}=#{options[field]}" if options[field]
       end
@@ -18,24 +23,38 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       raise "You need to pass \"subject\" or \"CN\" as an option to use this format"
     end
     hash = options['hash'] || 'sha2'
-    sign_with = options['ca'] || nil
-    keysize = options['keysize'] || 2048
-    serial = options['serial'] || 1
-    days = options['days'].to_i || 365
-    altnames = options['altnames'] || nil
-    altnames.collect { |v| "DNS:#{v}" }.join(', ') if altnames
+    sign_with = options['ca']
+    become_ca = options['become_ca'] || false
+    keysize = options['keysize'] || 4096
+    days = options['days'].nil? ? 365 : options['days'].to_i
+    name_constraints = Array(options['name_constraints'])
+
+    altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
+      []
+    else
+      # ensure that we have the CN with us, but only if it
+      # it's like a hostname.
+      # This might have to be improved.
+      if cn.include?(' ')
+        Array(an).collect { |v| "DNS:#{v}" }.join(', ')
+      else
+        (["DNS:#{cn}"] + Array(an).collect { |v| "DNS:#{v}" }).uniq.join(', ')
+      end
+    end
 
     begin
       key = mkkey(keysize)
     rescue Exception => e
+      puts e.backtrace
       raise "Private key for #{subject} creation failed: #{e.message}"
     end
 
     if sign_with # certificate signed with CA
       begin
-        ca = OpenSSL::X509::Certificate.new(getca(sign_with))
-        cakey = OpenSSL::PKey::RSA.new(getca(sign_with))
-        caserial = getserial(sign_with, serial)
+        ca_str = trocla.get_password(sign_with,'x509')
+        ca = OpenSSL::X509::Certificate.new(ca_str)
+        cakey = OpenSSL::PKey::RSA.new(ca_str)
+        caserial = getserial(sign_with)
       rescue Exception => e
         raise "Value of #{sign_with} can't be loaded as CA: #{e.message}"
       end
@@ -49,24 +68,24 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       end
 
       begin
-        csr_cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames)
+        csr_cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames, name_constraints, become_ca)
         csr_cert.sign(cakey, signature(hash))
-        setserial(sign_with, caserial)
+        addserial(sign_with, caserial)
       rescue Exception => e
         raise "Certificate #{subject} signing failed: #{e.message}"
       end
 
-      key.send("to_pem") + csr_cert.send("to_pem")
+      key.to_pem + csr_cert.to_pem
     else # self-signed certificate
       begin
         subj = OpenSSL::X509::Name.parse(subject)
-        cert = mkcert(serial, subj, nil, key.public_key, days, altnames)
+        cert = mkcert(getserial(subj), subj, nil, key.public_key, days, altnames, name_constraints, become_ca)
         cert.sign(key, signature(hash))
       rescue Exception => e
         raise "Self-signed certificate #{subject} creation failed: #{e.message}"
       end
 
-      key.send("to_pem") + cert.send("to_pem")
+      key.to_pem + cert.to_pem
     end
   end
   private
@@ -95,14 +114,13 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
 
   def mkreq(subject,public_key)
     request = OpenSSL::X509::Request.new
-    request.version = 0
     request.subject = subject
     request.public_key = public_key
 
     request
   end
 
-  def mkcert(serial,subject,issuer,public_key,days,altnames)
+  def mkcert(serial,subject,issuer,public_key,days,altnames, name_constraints = [], become_ca = false)
     cert = OpenSSL::X509::Certificate.new
     issuer = cert if issuer == nil
     cert.subject = subject
@@ -117,29 +135,38 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     ef.subject_certificate = cert
     ef.issuer_certificate = issuer
     cert.extensions = [ ef.create_extension("subjectKeyIdentifier", "hash") ]
-    cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true) if subject == issuer
-    cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true) if subject != issuer
-    cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
-    cert.add_extension ef.create_extension("subjectAltName", altnames, true) if altnames
+
+    if become_ca
+      cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
+      cert.add_extension ef.create_extension("keyUsage", "keyCertSign, cRLSign, nonRepudiation, digitalSignature, keyEncipherment", true)
+      if name_constraints && !name_constraints.empty?
+        cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
+      end
+    else
+      cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
+      cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
+      cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
+    end
     cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
 
     cert
   end
 
-  def getca(ca)
-    trocla.get_password(ca,'x509')
+  def getserial(ca)
+    newser = Trocla::Util.random_str(20,'hexadecimal').to_i(16)
+    all_serials(ca).include?(newser) ? getserial(ca) : newser
   end
 
-  def getserial(ca,serial)
-    newser = trocla.get_password("#{ca}_serial",'plain')
-    if newser
-      newser + 1
+  def all_serials(ca)
+    if allser = trocla.get_password("#{ca}_all_serials",'plain')
+      YAML.load(allser)
     else
-      serial
+      []
     end
   end
 
-  def setserial(ca,serial)
-    trocla.set_password("#{ca}_serial",'plain',serial)
+  def addserial(ca,serial)
+    serials = all_serials(ca) << serial
+    trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
   end
 end

data/lib/trocla/store.rb

@@ -0,0 +1,74 @@
+# implements the default store behavior
+class Trocla::Store
+  attr_reader :store_config, :trocla
+  def initialize(config,trocla)
+    @store_config = config
+    @trocla = trocla
+  end
+
+  # should return value for key & format
+  # returns nil if nothing or a nil value
+  # was found.
+  # If a key is expired it must return nil.
+  def get(key,format)
+    raise 'not implemented'
+  end
+
+  # sets value for key & format
+  # setting the plain format must invalidate
+  # all other formats as they should either
+  # be derived from plain or set directly.
+  # options is a hash containing further
+  # information for the store. e.g. expiration
+  # of a key. Keys can have an expiration /
+  # timeout by setting `expires` within
+  # the options hashs. Value of `expires`
+  # must be an integer indicating the
+  # amount of seconds a key can live with.
+  # This mechanism is expected to be
+  # be implemented by the backend.
+  def set(key,format,value,options={})
+    if format == 'plain'
+      set_plain(key,value,options)
+    else
+      set_format(key,format,value,options)
+    end
+  end
+
+  # deletes the value for format
+  # if format is nil everything is deleted
+  # returns value of format or hash of
+  # format => value # if everything is
+  # deleted.
+  def delete(key,format=nil)
+    format.nil? ? (delete_all(key)||{}) : delete_format(key,format)
+  end
+
+  private
+  # sets a new plain value
+  # *must* invalidate all
+  # other formats
+  def set_plain(key,value,options)
+    raise 'not implemented'
+  end
+
+  # sets a value of a format
+  def set_format(key,format,value,options)
+    raise 'not implemented'
+  end
+
+  # deletes all entries of this key
+  # and returns a hash with all
+  # formats and values
+  # or nil if nothing is found
+  def delete_all(key)
+    raise 'not implemented'
+  end
+
+  # deletes the value of the passed
+  # key & format and returns the
+  # value.
+  def delete_format(key,format)
+    raise 'not implemented'
+  end
+end