trocla 0.2.2 → 0.2.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +3 -0
- data/ext/redhat/rubygem-trocla.spec +2 -2
- data/lib/VERSION +1 -1
- data/lib/trocla/default_config.yaml +10 -0
- data/lib/trocla/formats/x509.rb +21 -5
- data/spec/trocla/formats/x509_spec.rb +59 -0
- data/trocla.gemspec +4 -4
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: edc9de388cf60d7294f3d350f9e147dbb51d3d75
|
4
|
+
data.tar.gz: 571e88bacaabda8a8e20a0297ad10e9eb5de67a8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f250ac0166aee34d55830d21d519023770b30add412e357b48849aa33add62a79507d0c4fe870ec7511f34f5b61fdaf14de37bd437bb0b0d9ffb1eeed0f63a06
|
7
|
+
data.tar.gz: 72d47d4291ab1875b8c376068838bb6b5c86ce58ae1ddd267c8ce9863dfb1c1eee8981d4bf71aca54b25b74c3f3cc564b700d6001bf8e29546c87d69bd6fd992
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -192,6 +192,9 @@ Additional options are:
|
|
192
192
|
O instead within the subject string
|
193
193
|
OU instead within the subject string
|
194
194
|
emailAddress instead within the subject string
|
195
|
+
key_usages Any specific key_usages different than the default ones. If you specify
|
196
|
+
any, you must specify all that you want. If you don't want to have any,
|
197
|
+
you must specify an empty array.
|
195
198
|
altnames An array of subjectAltNames. By default for non CA certificates we
|
196
199
|
ensure that the CN ends up here as well. If you don't want that.
|
197
200
|
You need to pass an empty array.
|
@@ -2,7 +2,7 @@
|
|
2
2
|
%global gem_name trocla
|
3
3
|
|
4
4
|
Name: rubygem-%{gem_name}
|
5
|
-
Version: 0.2.
|
5
|
+
Version: 0.2.2
|
6
6
|
Release: 1%{?dist}
|
7
7
|
Summary: Trocla a simple password generator and storage
|
8
8
|
Group: Development/Languages
|
@@ -98,7 +98,7 @@ popd
|
|
98
98
|
%exclude %{gem_cache}
|
99
99
|
%{gem_spec}
|
100
100
|
%config(noreplace) %{_sysconfdir}/%{gem_name}rc.yaml
|
101
|
-
%dir %attr(
|
101
|
+
%dir %attr(-, -, -) %{_sharedstatedir}/%{gem_name}
|
102
102
|
%config(noreplace) %attr(660, root, root) %{_sharedstatedir}/%{gem_name}/%{gem_name}_data.yaml
|
103
103
|
|
104
104
|
%files doc
|
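Review bot: `Version: 0.2.2` on the new side of the RPM spec lags the gem, which this release moves to 0.2.3 (`s.version = "0.2.3"` in the gemspec and `version: 0.2.3` in metadata), so an RPM built from this spec would label the 0.2.3 code as 0.2.2; it should read `Version: 0.2.3`. Separately, `%dir %attr(-, -, -) %{_sharedstatedir}/%{gem_name}` leaves the data directory's mode to the build default while `%{gem_name}_data.yaml` inside it is deliberately `%attr(660, root, root)`; if the directory is meant to be as restrictive as the secrets file it holds, consider `%dir %attr(750, root, root) %{_sharedstatedir}/%{gem_name}`. The removed attr line is cut off in this rendering, so I cannot tell whether it was previously tighter.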
data/lib/VERSION
CHANGED
@@ -21,6 +21,16 @@ profiles:
|
|
21
21
|
login:
|
22
22
|
charset: consolesafe
|
23
23
|
length: 16
|
24
|
+
x509veryverylong:
|
25
|
+
# 15 years
|
26
|
+
days: 5475
|
27
|
+
# 5475 days
|
28
|
+
expires: 466560000
|
29
|
+
x509verylong:
|
30
|
+
# 10 years
|
31
|
+
days: 3650
|
32
|
+
# 3600 days
|
33
|
+
expires: 311040000
|
24
34
|
x509long:
|
25
35
|
# 5 years
|
26
36
|
days: 1825
|
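Review bot: The comment `# 5475 days` above `expires: 466560000` in the new `x509veryverylong` profile does not match the value: 466560000 / 86400 = 5400 days, and the sibling profile follows the pattern of `expires` being slightly shorter than `days` (`x509verylong`: `# 3600 days` / `expires: 311040000` = 3600 × 86400 against `days: 3650`). The comment should read `# 5400 days` so the deliberate gap between store expiry and certificate validity stays legible to the next reader. Consider also a one-line comment on these profiles noting that 10–15-year lifetimes give up the rotation benefit of short-lived certificates and are presumably intended for offline CAs only; that is a policy choice, so I leave it as a suggestion.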
data/lib/trocla/formats/x509.rb
CHANGED
@@ -28,6 +28,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
28
28
|
keysize = options['keysize'] || 4096
|
29
29
|
days = options['days'].nil? ? 365 : options['days'].to_i
|
30
30
|
name_constraints = Array(options['name_constraints'])
|
31
|
+
key_usages = options['key_usages']
|
32
|
+
key_usages = Array(key_usages) if key_usages
|
31
33
|
|
32
34
|
altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
|
33
35
|
[]
|
@@ -69,7 +71,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
69
71
|
end
|
70
72
|
|
71
73
|
begin
|
72
|
-
cert = mkcert(caserial, request.subject, ca, request.public_key, days,
|
74
|
+
cert = mkcert(caserial, request.subject, ca, request.public_key, days,
|
75
|
+
altnames, key_usages, name_constraints, become_ca)
|
73
76
|
cert.sign(cakey, signature(hash))
|
74
77
|
addserial(sign_with, caserial)
|
75
78
|
rescue Exception => e
|
@@ -78,7 +81,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
78
81
|
else # self-signed certificate
|
79
82
|
begin
|
80
83
|
subj = OpenSSL::X509::Name.parse(subject)
|
81
|
-
cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
|
84
|
+
cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
|
85
|
+
altnames, key_usages, name_constraints, become_ca)
|
82
86
|
cert.sign(key, signature(hash))
|
83
87
|
rescue Exception => e
|
84
88
|
raise "Self-signed certificate #{subject} creation failed: #{e.message}"
|
@@ -128,7 +132,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
128
132
|
request
|
129
133
|
end
|
130
134
|
|
131
|
-
def mkcert(serial,subject,issuer,public_key,days,altnames, name_constraints = [], become_ca = false)
|
135
|
+
def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
|
132
136
|
cert = OpenSSL::X509::Certificate.new
|
133
137
|
issuer = cert if issuer == nil
|
134
138
|
cert.subject = subject
|
@@ -146,14 +150,18 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
146
150
|
|
147
151
|
if become_ca
|
148
152
|
cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
|
149
|
-
|
153
|
+
unless (ku = key_usages || ca_key_usages).empty?
|
154
|
+
cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
|
155
|
+
end
|
150
156
|
if name_constraints && !name_constraints.empty?
|
151
157
|
cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
|
152
158
|
end
|
153
159
|
else
|
154
160
|
cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
|
155
161
|
cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
|
156
|
-
|
162
|
+
unless (ku = key_usages || cert_key_usages).empty?
|
163
|
+
cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
|
164
|
+
end
|
157
165
|
end
|
158
166
|
cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
|
159
167
|
|
@@ -177,4 +185,12 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
|
|
177
185
|
serials = all_serials(ca) << serial
|
178
186
|
trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
|
179
187
|
end
|
188
|
+
|
189
|
+
def cert_key_usages
|
190
|
+
['nonRepudiation', 'digitalSignature', 'keyEncipherment']
|
191
|
+
end
|
192
|
+
def ca_key_usages
|
193
|
+
['keyCertSign', 'cRLSign', 'nonRepudiation',
|
194
|
+
'digitalSignature', 'keyEncipherment' ]
|
195
|
+
end
|
180
196
|
end
|
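Review bot: In `mkcert`, the `become_ca` branch now emits no keyUsage at all when the caller passes `key_usages: []`, because `(ku = key_usages || ca_key_usages).empty?` short-circuits for an empty array, and a custom list without `keyCertSign` is accepted as well; RFC 5280 §4.2.1.3 requires CA certificates to carry keyUsage with keyCertSign, so such a CA may be rejected by strict verifiers and loses the constraint the extension is meant to impose. I would validate before the branch, `raise ArgumentError, 'CA certificates need keyCertSign in key_usages' if become_ca && key_usages && !key_usages.include?('keyCertSign')`, or at minimum document in the README `key_usages` entry that an empty array is unsupported for CAs. The identical `unless (ku = key_usages || ...).empty? ... end` triplet appears in both branches; a small `add_key_usage(cert, ef, key_usages || defaults)` helper would keep them in sync, and a whitelist of accepted usage names would give a clearer error than the OpenSSL failure that the surrounding `rescue Exception` currently rewraps. Note also that `key_usages` was inserted mid-way into `mkcert`'s positional list ahead of `name_constraints` and `become_ca`; both call sites in this diff are updated, but any other caller passing those positionally would now misassign them, which keyword arguments would avoid.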
@@ -69,6 +69,47 @@ describe "Trocla::Format::X509" do
|
|
69
69
|
expect(ku).to match(/Certificate Sign/)
|
70
70
|
expect(ku).to match(/CRL Sign/)
|
71
71
|
end
|
72
|
+
it "is able to create a self signed cert without any keyUsage restrictions" do
|
73
|
+
cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
|
74
|
+
'CN' => 'This is my self-signed certificate',
|
75
|
+
'key_usages' => [],
|
76
|
+
})
|
77
|
+
cert = OpenSSL::X509::Certificate.new(cert_str)
|
78
|
+
# selfsigned?
|
79
|
+
expect(cert.issuer.to_s).to eq(cert.subject.to_s)
|
80
|
+
# default size
|
81
|
+
# https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
|
82
|
+
expect(cert.public_key.n.num_bytes * 8).to eq(4096)
|
83
|
+
expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
|
84
|
+
# it's a self signed cert and NOT a CA, but has no keyUsage limitation
|
85
|
+
expect(verify(cert,cert)).to be true
|
86
|
+
|
87
|
+
v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
|
88
|
+
expect(v).to_not eq('CA:TRUE')
|
89
|
+
expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
|
90
|
+
end
|
91
|
+
|
92
|
+
it "is able to create a self signed cert with custom keyUsage restrictions" do
|
93
|
+
cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
|
94
|
+
'CN' => 'This is my self-signed certificate',
|
95
|
+
'key_usages' => [ 'cRLSign', ],
|
96
|
+
})
|
97
|
+
cert = OpenSSL::X509::Certificate.new(cert_str)
|
98
|
+
# selfsigned?
|
99
|
+
expect(cert.issuer.to_s).to eq(cert.subject.to_s)
|
100
|
+
# default size
|
101
|
+
# https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
|
102
|
+
expect(cert.public_key.n.num_bytes * 8).to eq(4096)
|
103
|
+
expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
|
104
|
+
# it's a self signed cert and NOT a CA, as it's key is restricted to only CRL Sign
|
105
|
+
expect(verify(cert,cert)).to be false
|
106
|
+
|
107
|
+
v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
|
108
|
+
expect(v).to_not eq('CA:TRUE')
|
109
|
+
ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
|
110
|
+
expect(ku).to match(/CRL Sign/)
|
111
|
+
expect(ku).not_to match(/Certificate Sign/)
|
112
|
+
end
|
72
113
|
|
73
114
|
end
|
74
115
|
describe "x509 signed by a ca" do
|
@@ -310,5 +351,23 @@ describe "Trocla::Format::X509" do
|
|
310
351
|
expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
|
311
352
|
expect(verify(@ca,cert)).to be true
|
312
353
|
end
|
354
|
+
it "is able to create a signed cert with custom keyUsage restrictions" do
|
355
|
+
cert_str = @trocla.password('mycert_without_restrictions', 'x509', cert_options.merge({
|
356
|
+
'CN' => 'sign only test',
|
357
|
+
'key_usages' => [ ],
|
358
|
+
}))
|
359
|
+
cert = OpenSSL::X509::Certificate.new(cert_str)
|
360
|
+
# default size
|
361
|
+
# https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
|
362
|
+
expect(cert.public_key.n.num_bytes * 8).to eq(4096)
|
363
|
+
expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
|
364
|
+
expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
|
365
|
+
expect(verify(@ca,cert)).to be true
|
366
|
+
|
367
|
+
v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
|
368
|
+
expect(v).to_not eq('CA:TRUE')
|
369
|
+
expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
|
370
|
+
end
|
371
|
+
|
313
372
|
end
|
314
373
|
end
|
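Review bot: The new example titled "is able to create a signed cert with custom keyUsage restrictions" passes `'key_usages' => [ ]` and asserts the keyUsage extension is nil, so the title describes the opposite of what it checks; it should read "is able to create a signed cert without any keyUsage restrictions" (the key `'mycert_without_restrictions'` already says so). In the self-signed group, both new examples use the same trocla key `'my_shiny_selfsigned_without restrictions'` although the second requests `[ 'cRLSign' ]`; if trocla returns the stored value for an existing key, as a secret store would, the second example only passes because the store is reset between examples, so give it its own key, e.g. `'my_shiny_selfsigned_crlsign_only'`. The enclosing `describe` blocks start before and end after these hunks.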
data/trocla.gemspec
CHANGED
@@ -2,16 +2,16 @@
|
|
2
2
|
# DO NOT EDIT THIS FILE DIRECTLY
|
3
3
|
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
4
4
|
# -*- encoding: utf-8 -*-
|
5
|
-
# stub: trocla 0.2.
|
5
|
+
# stub: trocla 0.2.3 ruby lib
|
6
6
|
|
7
7
|
Gem::Specification.new do |s|
|
8
8
|
s.name = "trocla"
|
9
|
-
s.version = "0.2.
|
9
|
+
s.version = "0.2.3"
|
10
10
|
|
11
11
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
12
12
|
s.require_paths = ["lib"]
|
13
13
|
s.authors = ["mh"]
|
14
|
-
s.date = "2016-
|
14
|
+
s.date = "2016-02-15"
|
15
15
|
s.description = "Trocla helps you to generate random passwords and to store them in various formats (plain, MD5, bcrypt) for later retrival."
|
16
16
|
s.email = "mh+trocla@immerda.ch"
|
17
17
|
s.executables = ["trocla"]
|
@@ -66,7 +66,7 @@ Gem::Specification.new do |s|
|
|
66
66
|
]
|
67
67
|
s.homepage = "https://tech.immerda.ch/2011/12/trocla-get-hashed-passwords-out-of-puppet-manifests/"
|
68
68
|
s.licenses = ["GPLv3"]
|
69
|
-
s.rubygems_version = "2.
|
69
|
+
s.rubygems_version = "2.2.2"
|
70
70
|
s.summary = "Trocla a simple password generator and storage"
|
71
71
|
|
72
72
|
if s.respond_to? :specification_version then
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: trocla
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- mh
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-02-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: moneta
|
@@ -181,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
181
181
|
version: '0'
|
182
182
|
requirements: []
|
183
183
|
rubyforge_project:
|
184
|
-
rubygems_version: 2.
|
184
|
+
rubygems_version: 2.2.2
|
185
185
|
signing_key:
|
186
186
|
specification_version: 4
|
187
187
|
summary: Trocla a simple password generator and storage
|