trocla 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2e1b4a70e3f5d9a045b4c945df80608031e28494
-  data.tar.gz: 00399faf99af08b4b59692436ce47393c92f965e
+  metadata.gz: edc9de388cf60d7294f3d350f9e147dbb51d3d75
+  data.tar.gz: 571e88bacaabda8a8e20a0297ad10e9eb5de67a8
 SHA512:
-  metadata.gz: e49851f86f6cef4a4bb949395cfccf7dd51a607c5a244f6a5cdb34df73102cb56f20046c9bb9fd78e972ae75d616564d47cad7164ce49a35303b895e6d4f4844
-  data.tar.gz: 2479cafecbaa81311a1fdba714dc4b176cd8d0962a854ef0779e9ac435a2014ebdfcf1c8bb18df1befefe6ba1e39f26d036e62840a70682e918f31d4d336f342
+  metadata.gz: f250ac0166aee34d55830d21d519023770b30add412e357b48849aa33add62a79507d0c4fe870ec7511f34f5b61fdaf14de37bd437bb0b0d9ffb1eeed0f63a06
+  data.tar.gz: 72d47d4291ab1875b8c376068838bb6b5c86ce58ae1ddd267c8ce9863dfb1c1eee8981d4bf71aca54b25b74c3f3cc564b700d6001bf8e29546c87d69bd6fd992

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## to 0.2.3
+
+1. Add extended CA validity profiles
+1. Make it possible to define keyUsage
+
 ## to 0.2.2
 
 1. Bugfix to render output correctly also on an already existing set

data/README.md

@@ -192,6 +192,9 @@ Additional options are:
     O                 instead within the subject string
     OU                instead within the subject string
     emailAddress      instead within the subject string
+    key_usages        Any specific key_usages different than the default ones. If you specify
+                      any, you must specify all that you want. If you don't want to have any,
+                      you must specify an empty array.
     altnames          An array of subjectAltNames. By default for non CA certificates we
                       ensure that the CN ends up here as well. If you don't want that.
                       You need to pass an empty array.

data/ext/redhat/rubygem-trocla.spec

@@ -2,7 +2,7 @@
 %global gem_name trocla
 
 Name: rubygem-%{gem_name}
-Version: 0.2.1
+Version: 0.2.2
 Release: 1%{?dist}
 Summary: Trocla a simple password generator and storage
 Group: Development/Languages
@@ -98,7 +98,7 @@ popd
 %exclude %{gem_cache}
 %{gem_spec}
 %config(noreplace) %{_sysconfdir}/%{gem_name}rc.yaml
-%dir %attr(755, root, root) %{_sharedstatedir}/%{gem_name}
+%dir %attr(-, -, -) %{_sharedstatedir}/%{gem_name}
 %config(noreplace) %attr(660, root, root) %{_sharedstatedir}/%{gem_name}/%{gem_name}_data.yaml
 
 %files doc

data/lib/VERSION

@@ -1,4 +1,4 @@
 major:0
 minor:2
-patch:2
+patch:3
 build:

data/lib/trocla/default_config.yaml

@@ -21,6 +21,16 @@ profiles:
   login:
     charset: consolesafe
     length: 16
+  x509veryverylong:
+    # 15 years
+    days: 5475
+    # 5475 days
+    expires: 466560000
+  x509verylong:
+    # 10 years
+    days: 3650
+    # 3600 days
+    expires: 311040000
   x509long:
     # 5 years
     days: 1825

data/lib/trocla/formats/x509.rb

@@ -28,6 +28,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     keysize = options['keysize'] || 4096
     days = options['days'].nil? ? 365 : options['days'].to_i
     name_constraints = Array(options['name_constraints'])
+    key_usages = options['key_usages']
+    key_usages = Array(key_usages) if key_usages
 
     altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
       []
@@ -69,7 +71,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       end
 
       begin
-        cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames, name_constraints, become_ca)
+        cert = mkcert(caserial, request.subject, ca, request.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
         cert.sign(cakey, signature(hash))
         addserial(sign_with, caserial)
       rescue Exception => e
@@ -78,7 +81,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     else # self-signed certificate
       begin
         subj = OpenSSL::X509::Name.parse(subject)
-        cert = mkcert(getserial(subj), subj, nil, key.public_key, days, altnames, name_constraints, become_ca)
+        cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
         cert.sign(key, signature(hash))
       rescue Exception => e
         raise "Self-signed certificate #{subject} creation failed: #{e.message}"
@@ -128,7 +132,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     request
   end
 
-  def mkcert(serial,subject,issuer,public_key,days,altnames, name_constraints = [], become_ca = false)
+  def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
     cert = OpenSSL::X509::Certificate.new
     issuer = cert if issuer == nil
     cert.subject = subject
@@ -146,14 +150,18 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
 
     if become_ca
       cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
-      cert.add_extension ef.create_extension("keyUsage", "keyCertSign, cRLSign, nonRepudiation, digitalSignature, keyEncipherment", true)
+      unless (ku = key_usages || ca_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
       if name_constraints && !name_constraints.empty?
         cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
       end
     else
       cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
       cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
-      cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
+      unless (ku = key_usages || cert_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
     end
     cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
 
@@ -177,4 +185,12 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     serials = all_serials(ca) << serial
     trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
   end
+
+  def cert_key_usages
+    ['nonRepudiation', 'digitalSignature', 'keyEncipherment']
+  end
+  def ca_key_usages
+    ['keyCertSign', 'cRLSign', 'nonRepudiation',
+      'digitalSignature', 'keyEncipherment' ]
+  end
 end

data/spec/trocla/formats/x509_spec.rb

@@ -69,6 +69,47 @@ describe "Trocla::Format::X509" do
       expect(ku).to match(/Certificate Sign/)
       expect(ku).to match(/CRL Sign/)
     end
+    it "is able to create a self signed cert without any keyUsage restrictions" do
+      cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
+        'CN'         => 'This is my self-signed certificate',
+        'key_usages' => [],
+      })
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      # selfsigned?
+      expect(cert.issuer.to_s).to eq(cert.subject.to_s)
+      # default size
+      # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
+      expect(cert.public_key.n.num_bytes * 8).to eq(4096)
+      expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
+      # it's a self signed cert and NOT a CA, but has no keyUsage limitation
+      expect(verify(cert,cert)).to be true
+
+      v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to_not eq('CA:TRUE')
+      expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
+    end
+
+    it "is able to create a self signed cert with custom keyUsage restrictions" do
+      cert_str = @trocla.password('my_shiny_selfsigned_without restrictions', 'x509', {
+        'CN'         => 'This is my self-signed certificate',
+        'key_usages' => [ 'cRLSign', ],
+      })
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      # selfsigned?
+      expect(cert.issuer.to_s).to eq(cert.subject.to_s)
+      # default size
+      # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
+      expect(cert.public_key.n.num_bytes * 8).to eq(4096)
+      expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
+      # it's a self signed cert and NOT a CA, as it's key is restricted to only CRL Sign
+      expect(verify(cert,cert)).to be false
+
+      v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to_not eq('CA:TRUE')
+      ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).to match(/CRL Sign/)
+      expect(ku).not_to match(/Certificate Sign/)
+    end
 
   end
   describe "x509 signed by a ca" do
@@ -310,5 +351,23 @@ describe "Trocla::Format::X509" do
       expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
       expect(verify(@ca,cert)).to be true
     end
+    it "is able to create a signed cert with custom keyUsage restrictions" do
+      cert_str = @trocla.password('mycert_without_restrictions', 'x509', cert_options.merge({
+        'CN'           => 'sign only test',
+        'key_usages' => [ ],
+      }))
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      # default size
+      # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
+      expect(cert.public_key.n.num_bytes * 8).to eq(4096)
+      expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
+      expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
+      expect(verify(@ca,cert)).to be true
+
+      v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to_not eq('CA:TRUE')
+      expect(cert.extensions.find{|e| e.oid == 'keyUsage' }).to be_nil
+    end
+
   end
 end

data/trocla.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: trocla 0.2.2 ruby lib
+# stub: trocla 0.2.3 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "trocla"
-  s.version = "0.2.2"
+  s.version = "0.2.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["mh"]
-  s.date = "2016-01-27"
+  s.date = "2016-02-15"
   s.description = "Trocla helps you to generate random passwords and to store them in various formats (plain, MD5, bcrypt) for later retrival."
   s.email = "mh+trocla@immerda.ch"
   s.executables = ["trocla"]
@@ -66,7 +66,7 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "https://tech.immerda.ch/2011/12/trocla-get-hashed-passwords-out-of-puppet-manifests/"
   s.licenses = ["GPLv3"]
-  s.rubygems_version = "2.3.0"
+  s.rubygems_version = "2.2.2"
   s.summary = "Trocla a simple password generator and storage"
 
   if s.respond_to? :specification_version then

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: trocla
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - mh
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-27 00:00:00.000000000 Z
+date: 2016-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: moneta
@@ -181,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.3.0
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Trocla a simple password generator and storage