trocla 0.2.2 → 0.2.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 2e1b4a70e3f5d9a045b4c945df80608031e28494
4
- data.tar.gz: 00399faf99af08b4b59692436ce47393c92f965e
3
+ metadata.gz: edc9de388cf60d7294f3d350f9e147dbb51d3d75
4
+ data.tar.gz: 571e88bacaabda8a8e20a0297ad10e9eb5de67a8
5
5
  SHA512:
6
- metadata.gz: e49851f86f6cef4a4bb949395cfccf7dd51a607c5a244f6a5cdb34df73102cb56f20046c9bb9fd78e972ae75d616564d47cad7164ce49a35303b895e6d4f4844
7
- data.tar.gz: 2479cafecbaa81311a1fdba714dc4b176cd8d0962a854ef0779e9ac435a2014ebdfcf1c8bb18df1befefe6ba1e39f26d036e62840a70682e918f31d4d336f342
6
+ metadata.gz: f250ac0166aee34d55830d21d519023770b30add412e357b48849aa33add62a79507d0c4fe870ec7511f34f5b61fdaf14de37bd437bb0b0d9ffb1eeed0f63a06
7
+ data.tar.gz: 72d47d4291ab1875b8c376068838bb6b5c86ce58ae1ddd267c8ce9863dfb1c1eee8981d4bf71aca54b25b74c3f3cc564b700d6001bf8e29546c87d69bd6fd992
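--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## to 0.2.3
+
+1. Add extended CA validity profiles
+1. Make it possible to define keyUsage
+
 ## to 0.2.2
 
 1. Bugfix to render output correctly also on an already existing set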
data/README.md CHANGED
@@ -192,6 +192,9 @@ Additional options are:
192
192
  O instead within the subject string
193
193
  OU instead within the subject string
194
194
  emailAddress instead within the subject string
195
+ key_usages Any specific key_usages different than the default ones. If you specify
196
+ any, you must specify all that you want. If you don't want to have any,
197
+ you must specify an empty array.
195
198
  altnames An array of subjectAltNames. By default for non CA certificates we
196
199
  ensure that the CN ends up here as well. If you don't want that.
197
200
  You need to pass an empty array.
@@ -2,7 +2,7 @@
2
2
  %global gem_name trocla
3
3
 
4
4
  Name: rubygem-%{gem_name}
5
- Version: 0.2.1
5
+ Version: 0.2.2
6
6
  Release: 1%{?dist}
7
7
  Summary: Trocla a simple password generator and storage
8
8
  Group: Development/Languages
@@ -98,7 +98,7 @@ popd
98
98
  %exclude %{gem_cache}
99
99
  %{gem_spec}
100
100
  %config(noreplace) %{_sysconfdir}/%{gem_name}rc.yaml
101
- %dir %attr(755, root, root) %{_sharedstatedir}/%{gem_name}
101
+ %dir %attr(-, -, -) %{_sharedstatedir}/%{gem_name}
102
102
  %config(noreplace) %attr(660, root, root) %{_sharedstatedir}/%{gem_name}/%{gem_name}_data.yaml
103
103
 
104
104
  %files doc
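Review bot: The `%files` hunk replaces the explicit `%attr(755, root, root)` on `%{_sharedstatedir}/%{gem_name}` with `%attr(-, -, -)`, so the directory holding `trocla_data.yaml` (itself still `%attr(660, root, root)` on the next line) now inherits whatever mode and owner the buildroot happens to have, which is set by the build environment's umask rather than declared by the package. That directory's mode is what decides whether other local users can list or traverse the password store, so the intent should be stated explicitly, e.g. `%dir %attr(750, root, root) %{_sharedstatedir}/%{gem_name}`, or a comment should explain why the buildroot default is acceptable. Separately, the spec's `Version:` is only bumped to 0.2.2 while `lib/VERSION`, the gemspec and the gem metadata in this release all move to 0.2.3, so the RPM packaging lags one release behind.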
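--- a/data/lib/VERSION
+++ b/data/lib/VERSION
@@ -1,4 +1,4 @@
 major:0
 minor:2
-patch:2
+patch:3
 build: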
@@ -21,6 +21,16 @@ profiles:
21
21
  login:
22
22
  charset: consolesafe
23
23
  length: 16
24
+ x509veryverylong:
25
+ # 15 years
26
+ days: 5475
27
+ # 5475 days
28
+ expires: 466560000
29
+ x509verylong:
30
+ # 10 years
31
+ days: 3650
32
+ # 3600 days
33
+ expires: 311040000
24
34
  x509long:
25
35
  # 5 years
26
36
  days: 1825
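Review bot: The comments on the new `expires` values do not match the numbers: `466560000` seconds is 5400 days, not the `# 5475 days` written above it, and `311040000` is indeed 3600 days but sits under `days: 3650`. In both new profiles the stored entry therefore expires 50–75 days before the certificate's own validity ends; if that gap is deliberate (presumably so the entry is regenerated before the certificate runs out), say so and fix the first comment, e.g. `# 5400 days: entry expires before the 15y cert so it is regenerated first`; if it is not, the values should be `473040000` and `315360000` respectively. The `x509long` profile that follows is cut off at the end of the hunk, so I cannot check whether it uses the same convention.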
@@ -28,6 +28,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
28
28
  keysize = options['keysize'] || 4096
29
29
  days = options['days'].nil? ? 365 : options['days'].to_i
30
30
  name_constraints = Array(options['name_constraints'])
31
+ key_usages = options['key_usages']
32
+ key_usages = Array(key_usages) if key_usages
31
33
 
32
34
  altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
33
35
  []
@@ -69,7 +71,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
69
71
  end
70
72
 
71
73
  begin
72
- cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames, name_constraints, become_ca)
74
+ cert = mkcert(caserial, request.subject, ca, request.public_key, days,
75
+ altnames, key_usages, name_constraints, become_ca)
73
76
  cert.sign(cakey, signature(hash))
74
77
  addserial(sign_with, caserial)
75
78
  rescue Exception => e
@@ -78,7 +81,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
78
81
  else # self-signed certificate
79
82
  begin
80
83
  subj = OpenSSL::X509::Name.parse(subject)
81
- cert = mkcert(getserial(subj), subj, nil, key.public_key, days, altnames, name_constraints, become_ca)
84
+ cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
85
+ altnames, key_usages, name_constraints, become_ca)
82
86
  cert.sign(key, signature(hash))
83
87
  rescue Exception => e
84
88
  raise "Self-signed certificate #{subject} creation failed: #{e.message}"
@@ -128,7 +132,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
128
132
  request
129
133
  end
130
134
 
131
- def mkcert(serial,subject,issuer,public_key,days,altnames, name_constraints = [], become_ca = false)
135
+ def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
132
136
  cert = OpenSSL::X509::Certificate.new
133
137
  issuer = cert if issuer == nil
134
138
  cert.subject = subject
@@ -146,14 +150,18 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
146
150
 
147
151
  if become_ca
148
152
  cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
149
- cert.add_extension ef.create_extension("keyUsage", "keyCertSign, cRLSign, nonRepudiation, digitalSignature, keyEncipherment", true)
153
+ unless (ku = key_usages || ca_key_usages).empty?
154
+ cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
155
+ end
150
156
  if name_constraints && !name_constraints.empty?
151
157
  cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
152
158
  end
153
159
  else
154
160
  cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
155
161
  cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
156
- cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
162
+ unless (ku = key_usages || cert_key_usages).empty?
163
+ cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
164
+ end
157
165
  end
158
166
  cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
159
167
 
@@ -177,4 +185,12 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
177
185
  serials = all_serials(ca) << serial
178
186
  trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
179
187
  end
188
+
189
+ def cert_key_usages
190
+ ['nonRepudiation', 'digitalSignature', 'keyEncipherment']
191
+ end
192
+ def ca_key_usages
193
+ ['keyCertSign', 'cRLSign', 'nonRepudiation',
194
+ 'digitalSignature', 'keyEncipherment' ]
195
+ end
180
196
  end
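Review bot: In the `become_ca` branch of `mkcert`, a caller-supplied `key_usages` is used verbatim, so a certificate with `basicConstraints CA:TRUE` can now be issued with no `keyUsage` at all (`'key_usages' => []`) or with one lacking `keyCertSign`; RFC 5280 §4.2.1.3 requires the extension on CA certificates and forbids using a key whose keyUsage lacks keyCertSign to verify certificate signatures, so leaf certificates issued by such a CA will fail verification (the spec's own `verify(cert,cert)` check for a cRLSign-only cert shows this). I would validate the list once where it is parsed, next to `key_usages = Array(key_usages) if key_usages`: `if become_ca && key_usages && !key_usages.include?('keyCertSign')` / `raise ArgumentError, "key_usages for a CA must include keyCertSign, got #{key_usages.inspect}"` / `end`. Note also that `key_usages` was inserted as a positional parameter ahead of `name_constraints` in `mkcert`, so any caller outside this hunk that passed `name_constraints` positionally would now have it read as key usages; the two callers visible here are updated, but keyword arguments would make the helper safer. Finally the joined `ku` reaches `ef.create_extension` unchecked, so a misspelt usage such as `keyCertsign` surfaces only as the generic "creation failed" message from the enclosing `rescue Exception`, which starts outside this hunk.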
@@ -69,6 +69,47 @@ describe "Trocla::Format::X509" do
69
69
  expect(ku).to match(/Certificate Sign/)
70
70
  expect(ku).to match(/CRL Sign/)
71
71
  end
72
+ it "is able to create a self signed cert without any keyUsage restrictions" do
73
+ cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
74
+ 'CN' => 'This is my self-signed certificate',
75
+ 'key_usages' => [],
76
+ })
77
+ cert = OpenSSL::X509::Certificate.new(cert_str)
78
+ # selfsigned?
79
+ expect(cert.issuer.to_s).to eq(cert.subject.to_s)
80
+ # default size
81
+ # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
82
+ expect(cert.public_key.n.num_bytes * 8).to eq(4096)
83
+ expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
84
+ # it's a self signed cert and NOT a CA, but has no keyUsage limitation
85
+ expect(verify(cert,cert)).to be true
86
+
87
+ v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
88
+ expect(v).to_not eq('CA:TRUE')
89
+ expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
90
+ end
91
+
92
+ it "is able to create a self signed cert with custom keyUsage restrictions" do
93
+ cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
94
+ 'CN' => 'This is my self-signed certificate',
95
+ 'key_usages' => [ 'cRLSign', ],
96
+ })
97
+ cert = OpenSSL::X509::Certificate.new(cert_str)
98
+ # selfsigned?
99
+ expect(cert.issuer.to_s).to eq(cert.subject.to_s)
100
+ # default size
101
+ # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
102
+ expect(cert.public_key.n.num_bytes * 8).to eq(4096)
103
+ expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
104
+ # it's a self signed cert and NOT a CA, as it's key is restricted to only CRL Sign
105
+ expect(verify(cert,cert)).to be false
106
+
107
+ v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
108
+ expect(v).to_not eq('CA:TRUE')
109
+ ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
110
+ expect(ku).to match(/CRL Sign/)
111
+ expect(ku).not_to match(/Certificate Sign/)
112
+ end
72
113
 
73
114
  end
74
115
  describe "x509 signed by a ca" do
@@ -310,5 +351,23 @@ describe "Trocla::Format::X509" do
310
351
  expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
311
352
  expect(verify(@ca,cert)).to be true
312
353
  end
354
+ it "is able to create a signed cert with custom keyUsage restrictions" do
355
+ cert_str = @trocla.password('mycert_without_restrictions', 'x509', cert_options.merge({
356
+ 'CN' => 'sign only test',
357
+ 'key_usages' => [ ],
358
+ }))
359
+ cert = OpenSSL::X509::Certificate.new(cert_str)
360
+ # default size
361
+ # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
362
+ expect(cert.public_key.n.num_bytes * 8).to eq(4096)
363
+ expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
364
+ expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
365
+ expect(verify(@ca,cert)).to be true
366
+
367
+ v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
368
+ expect(v).to_not eq('CA:TRUE')
369
+ expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
370
+ end
371
+
313
372
  end
314
373
  end
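Review bot: The two new self-signed examples both store under the same trocla key, `'my_shiny_selfsigned_without restrictions'`, yet assert opposite things about `keyUsage` (absent in the first, `CRL Sign` in the second); as far as I can tell `Trocla#password` is get-or-create, so the second example only exercises `'key_usages' => [ 'cRLSign' ]` if the store is recreated between examples, which presumably happens in a hook outside this hunk. Giving each example its own key, e.g. `'my_shiny_selfsigned_crlsign_only'`, makes the test independent of that setup. The CA-signed example is described as "with custom keyUsage restrictions" but passes `'key_usages' => [ ]` and asserts the extension is absent, so the description says the opposite of what is tested (the key `'mycert_without_restrictions'` is the accurate name); a further example passing a restrictive list such as `['digitalSignature']` and checking `verify(@ca, cert)` would cover the CA-signed path that the self-signed cRLSign example does not. The enclosing `describe` blocks start and end outside the hunk.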
data/trocla.gemspec CHANGED
@@ -2,16 +2,16 @@
2
2
  # DO NOT EDIT THIS FILE DIRECTLY
3
3
  # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
4
  # -*- encoding: utf-8 -*-
5
- # stub: trocla 0.2.2 ruby lib
5
+ # stub: trocla 0.2.3 ruby lib
6
6
 
7
7
  Gem::Specification.new do |s|
8
8
  s.name = "trocla"
9
- s.version = "0.2.2"
9
+ s.version = "0.2.3"
10
10
 
11
11
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
12
12
  s.require_paths = ["lib"]
13
13
  s.authors = ["mh"]
14
- s.date = "2016-01-27"
14
+ s.date = "2016-02-15"
15
15
  s.description = "Trocla helps you to generate random passwords and to store them in various formats (plain, MD5, bcrypt) for later retrival."
16
16
  s.email = "mh+trocla@immerda.ch"
17
17
  s.executables = ["trocla"]
@@ -66,7 +66,7 @@ Gem::Specification.new do |s|
66
66
  ]
67
67
  s.homepage = "https://tech.immerda.ch/2011/12/trocla-get-hashed-passwords-out-of-puppet-manifests/"
68
68
  s.licenses = ["GPLv3"]
69
- s.rubygems_version = "2.3.0"
69
+ s.rubygems_version = "2.2.2"
70
70
  s.summary = "Trocla a simple password generator and storage"
71
71
 
72
72
  if s.respond_to? :specification_version then
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: trocla
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.2
4
+ version: 0.2.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - mh
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-01-27 00:00:00.000000000 Z
11
+ date: 2016-02-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: moneta
@@ -181,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
181
181
  version: '0'
182
182
  requirements: []
183
183
  rubyforge_project:
184
- rubygems_version: 2.3.0
184
+ rubygems_version: 2.2.2
185
185
  signing_key:
186
186
  specification_version: 4
187
187
  summary: Trocla a simple password generator and storage