watobo 0.9.9.pre3 → 0.9.9

data/lib/watobo/core/simple_ca.rb

@@ -1,393 +0,0 @@
-# .
-# simple_ca.rb
-# 
-# Copyright 2012 by siberas, http://www.siberas.de
-# 
-# This file is part of WATOBO (Web Application Tool Box)
-#        http://watobo.sourceforge.com
-# 
-# WATOBO is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation version 2 of the License.
-# 
-# WATOBO is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with WATOBO; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-# .
-require 'openssl'
-require 'digest/md5'
-
-module Watobo
-
-    # SimpleCA is based on QuickCert
-    # http://segment7.net/projects/ruby/QuickCert/index.html
-    
-    class SimpleCA
-      
-      def initialize(ca_config)
-        @ca_config = ca_config
-        create_ca()
-      end
-      
-      def create_cert(cert_config)
-        puts " ... keypair ..."
-        cert_keypair = create_key(cert_config)
-        puts "... csr ..."
-        cert_csr = create_csr(cert_config, cert_keypair)
-        puts "... signing ..."
-        sign_cert(cert_config, cert_keypair, cert_csr)
-      end
-      
-      
-      def create_ca
-        if not File.exists? @ca_config[:CA_dir] then        
-          Dir.mkdir(@ca_config[:CA_dir]) 
-          Dir.mkdir File.join(@ca_config[:CA_dir], 'private') #, 0700
-          Dir.mkdir File.join(@ca_config[:CA_dir], 'newcerts')
-          Dir.mkdir File.join(@ca_config[:CA_dir], 'crl')
-        end
-        
-        File.open @ca_config[:serial_file], 'w' do |f| f << '1' end
-        
-        print "Generating CA keypair ..." if $DEBUG
-        puts " - rsa_key_length: " + @ca_config[:ca_rsa_key_length].to_s
-        keypair = OpenSSL::PKey::RSA.new(@ca_config[:ca_rsa_key_length])
-        puts "done!"
-        
-        print "Create Certificate ..."
-        cert = OpenSSL::X509::Certificate.new
-        puts "done!"
-        name = @ca_config[:name].dup << ['CN', 'CA']
-        cert.subject = cert.issuer = OpenSSL::X509::Name.new(name)
-        cert.not_before = Time.now
-        cert.not_after = Time.now + @ca_config[:ca_cert_days] * 24 * 60 * 60
-        cert.public_key = keypair.public_key
-        cert.serial = 0x0
-        cert.version = 2 # X509v3
-        
-        ef = OpenSSL::X509::ExtensionFactory.new
-        ef.subject_certificate = cert
-        ef.issuer_certificate = cert
-        cert.extensions = [
-        ef.create_extension("basicConstraints","CA:TRUE", true),
-        ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate"),
-        ef.create_extension("subjectKeyIdentifier", "hash"),
-        ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
-        ]
-        cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                           "keyid:always,issuer:always")
-        cert.sign keypair, OpenSSL::Digest::SHA1.new
-        
-        cb = proc do @ca_config[:password] end
-        keypair_export = keypair.export OpenSSL::Cipher::DES.new(:EDE3, :CBC),
-        &cb
-        
-        puts "Writing keypair to #{@ca_config[:keypair_file]}" if $DEBUG
-        begin
-          fh = File.open(@ca_config[:keypair_file], "w+") 
-          
-          fh.puts keypair_export
-          fh.close
-        rescue => bang
-          puts "! Could not write keypair"
-          puts bang
-        end
-        
-        
-        puts "Writing cert to #{@ca_config[:cert_file]}" if $DEBUG
-        File.open @ca_config[:cert_file], "w", 0644 do |f|
-          f << cert.to_pem
-        end
-        
-        puts "Done generating certificate for #{cert.subject}" if $DEBUG
-      end
-      
-      ##
-      # Creates a new RSA key from +cert_config+.
-      
-      def create_key(cert_config)
-        passwd_cb = nil
-        target = cert_config[:hostname] || cert_config[:user]
-        dest = @ca_config[:CA_dir]
-        keypair_file = File.join(dest, (target + "_keypair.pem"))
-        
-        puts "create_key: #{keypair_file}"
-        begin
-          Dir.mkdir dest #, 0700
-        rescue Errno::EEXIST
-          puts "directory exists"
-        end
-        
-        if not File.exists?(keypair_file) then
-        puts "Generating RSA keypair" if $DEBUG
-        keypair = OpenSSL::PKey::RSA.new 1024
-        puts keypair.to_pem.class
-        
-        if cert_config[:password].nil? then
-          puts "no password for cert"
-           puts "Writing keypair to #{keypair_file}" if $DEBUG
-          begin
-            dummy = keypair.to_pem.split("\n")
-            dummy.each do |line|
-              line.strip!
-            end
-            fh = File.open( keypair_file, "wb" )
-            fh.write dummy.join("\n")
-            fh.close
-          rescue => bang
-            puts "! Could not write keypair"
-          end
-        else
-          passwd_cb = proc do cert_config[:password] end
-          keypair_export = keypair.export OpenSSL::Cipher::DES.new(:EDE3, :CBC),
-          cert_config[:password]
-          
-          puts "Writing keypair to #{keypair_file}" if $DEBUG
-          #File.open keypair_file, "w" do |f|
-          #  f << keypair_export
-          #end
-          begin
-            fh = File.open( keypair_file, "w" )
-            fh.puts keypair_export
-            fh.close
-          rescue => bang
-            puts "! Could not write keypair"
-          end
-          
-        end
-        end
-        return keypair_file
-      end
-      
-      ##
-      # Creates a new Certificate Signing Request for the keypair in
-      # +keypair_file+, generating and saving new keypair if nil.
-      
-      def create_csr(cert_config, keypair_file = nil)
-        keypair = nil
-        target = cert_config[:hostname] || cert_config[:user]
-         dest = @ca_config[:CA_dir]
-        csr_file = File.join dest, "csr_#{target}.pem"
-        
-        name = @ca_config[:name].dup 
-        case cert_config[:type]
-          when 'server' then
-          name << ['OU', 'CA']
-          name << ['CN', cert_config[:hostname]]
-          when 'client' then
-          name << ['CN', cert_config[:user]]
-          name << ['emailAddress', cert_config[:email]]
-        end
-        puts "Create Certificate Signing Request ..."
-        puts "Keypair File: " + keypair_file
-      #  puts name
-        name = OpenSSL::X509::Name.new(name)
-        puts "- - -"
-        
-        if File.exists? keypair_file then
-          puts "Get Keypair from file #{keypair_file}"
-          keypair = OpenSSL::PKey::RSA.new(File.read(keypair_file), cert_config[:password])
-        else
-          puts "Create Certificate KeyPair ..."
-          keypair = create_key(cert_config)
-        end
-        
-        puts "Generating CSR for #{name}" if $DEBUG
-        
-        req = OpenSSL::X509::Request.new
-        req.version = 0
-        req.subject = name
-        req.public_key = keypair.public_key
-        req.sign keypair, OpenSSL::Digest::MD5.new
-        
-        puts "Writing CSR to #{csr_file}" if $DEBUG
-        File.open csr_file, "w" do |f|
-          f << req.to_pem
-        end
-        
-        return csr_file
-      end
-      
-      ##
-      # Signs the certificate described in +cert_config+ and
-      # +csr_file+, saving it to +cert_file+.
-      
-      def sign_cert(cert_config, cert_file, csr_file)
-        csr = OpenSSL::X509::Request.new File.read(csr_file)
-        
-        raise "CSR sign verification failed." unless csr.verify csr.public_key
-        
-        if csr.public_key.n.num_bits < @ca_config[:cert_key_length_min] then
-          raise "Key length too short"
-        end
-        
-        if csr.public_key.n.num_bits > @ca_config[:cert_key_length_max] then
-          raise "Key length too long"
-        end
-        
-        if csr.subject.to_a[0, @ca_config[:name].size] != @ca_config[:name] then
-          raise "DN does not match"
-        end
-        
-        # Only checks signature here.  You must verify CSR according to your
-        # CP/CPS.
-        
-        # CA setup
-        
-        puts "Reading CA cert from #{@ca_config[:cert_file]}" if $DEBUG
-        ca = OpenSSL::X509::Certificate.new File.read(@ca_config[:cert_file])
-        
-        puts "Reading CA keypair from #{@ca_config[:keypair_file]}" if $DEBUG
-        ca_keypair = OpenSSL::PKey::RSA.new File.read(@ca_config[:keypair_file]),
-        @ca_config[:password]
-        
-        serial = File.read(@ca_config[:serial_file]).chomp.hex
-        File.open @ca_config[:serial_file], "w" do |f|
-          f << "%04X" % (serial + 1)
-        end
-        
-        puts "Generating cert" if $DEBUG
-        
-        cert = OpenSSL::X509::Certificate.new
-        from = Time.now
-        cert.subject = csr.subject
-        cert.issuer = ca.subject
-        cert.not_before = from
-        cert.not_after = from + @ca_config[:cert_days] * 24 * 60 * 60
-        cert.public_key = csr.public_key
-        cert.serial = serial
-        cert.version = 2 # X509v3
-        
-        basic_constraint = nil
-        key_usage = []
-        ext_key_usage = []
-        
-        case cert_config[:type]
-          when "ca" then
-          basic_constraint = "CA:TRUE"
-          key_usage << "cRLSign" << "keyCertSign"
-          when "terminalsubca" then
-          basic_constraint = "CA:TRUE,pathlen:0"
-          key_usage << "cRLSign" << "keyCertSign"
-          when "server" then
-          basic_constraint = "CA:FALSE"
-          key_usage << "digitalSignature" << "keyEncipherment"
-          ext_key_usage << "serverAuth"
-          when "ocsp" then
-          basic_constraint = "CA:FALSE"
-          key_usage << "nonRepudiation" << "digitalSignature"
-          ext_key_usage << "serverAuth" << "OCSPSigning"
-          when "client" then
-          basic_constraint = "CA:FALSE"
-          key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
-          ext_key_usage << "clientAuth" << "emailProtection"
-        else
-          raise "unknonw cert type \"#{cert_config[:type]}\""
-        end
-        
-        ef = OpenSSL::X509::ExtensionFactory.new
-        ef.subject_certificate = cert
-        ef.issuer_certificate = ca
-        ex = []
-        ex << ef.create_extension("basicConstraints", basic_constraint, true)
-        ex << ef.create_extension("nsComment",
-                              "Ruby/OpenSSL Generated Certificate")
-        ex << ef.create_extension("subjectKeyIdentifier", "hash")
-        #ex << ef.create_extension("nsCertType", "client,email")
-        unless key_usage.empty? then
-          ex << ef.create_extension("keyUsage", key_usage.join(","))
-        end
-        #ex << ef.create_extension("authorityKeyIdentifier",
-        #                          "keyid:always,issuer:always")
-        #ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
-        unless ext_key_usage.empty? then
-          ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","))
-        end
-        
-        if @ca_config[:cdp_location] then
-          ex << ef.create_extension("crlDistributionPoints",
-          @ca_config[:cdp_location])
-        end
-        
-        if @ca_config[:ocsp_location] then
-          ex << ef.create_extension("authorityInfoAccess",
-                                "OCSP;" << @ca_config[:ocsp_location])
-        end
-        cert.extensions = ex
-        cert.sign ca_keypair, OpenSSL::Digest::SHA1.new
-        
-        backup_cert_file = @ca_config[:new_certs_dir] + "/cert_#{cert.serial}.pem"
-        puts "Writing backup cert to #{backup_cert_file}" if $DEBUG
-        File.open backup_cert_file, "w", 0644 do |f|
-          f << cert.to_pem
-        end
-        
-        # Write cert
-        target = cert_config[:hostname] || cert_config[:user]
-         dest = @ca_config[:CA_dir]
-        cert_file = File.join dest, "cert_#{target}.pem"
-        puts "Writing cert to #{cert_file}" 
-        File.open cert_file, "w", 0644 do |f|
-          f << cert.to_pem
-        end
-        
-        return cert_file
-      end
-      
-    end # class QuickCert
-    
-  end
-
-if __FILE__ == $0 then
-  
-  
-  cadir = File.join(Dir.pwd, "CA")
-  crl_dir= File.join(cadir, "crl")
-  hostname = "watobo"
-  domainname = "watobo.local"
-  ca = {
-    :CA_dir => cadir,
-    :password => '1234',
-    
-    :keypair_file => File.join(cadir, "private/cakeypair.pem"),
-    :cert_file => File.join(cadir, "cacert.pem"),
-    :serial_file => File.join(cadir, "serial"),
-    :new_certs_dir => File.join(cadir, "newcerts"),
-    :new_keypair_dir => File.join(cadir, "private/keypair_backup"),
-    
-    
-    :ca_cert_days => 5 * 365, # five years
-    :ca_rsa_key_length => 2048,
-    
-    :cert_days => 365, # one year
-    :cert_key_length_min => 1024,
-    :cert_key_length_max => 2048,
-    
-    :crl_file => File.join(crl_dir, "#{hostname}.crl"),
-    :crl_pem_file => File.join(crl_dir, "#{hostname}.pem"),
-    :crl_days => 14,
-    :name => [
-    ['C', 'DE', OpenSSL::ASN1::PRINTABLESTRING],
-    ['O', domainname, OpenSSL::ASN1::UTF8STRING],
-    ['OU',hostname, OpenSSL::ASN1::UTF8STRING],
-    ]
-  }
-  
-  
-  
-  
-  cert = {
-    :type => 'server',
-    :user => 'watobo',
-    :email => 'a.schmidt@siberas.de',
-  }
-  
-  qc = QuickCert.new(ca)
-  qc.create_cert(cert)
-  
-end