summaryrefslogtreecommitdiff
path: root/lib/leap_cli/commands/ca.rb
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2012-11-16 14:30:20 -0800
committerelijah <elijah@riseup.net>2012-11-16 14:30:20 -0800
commit76a3a736cfb50cb1c6d926d1e3afb0f504818157 (patch)
tree95df178ce78ba5220eea267bdb21a04f2f975c75 /lib/leap_cli/commands/ca.rb
parentbeb6496309b3640d957428b52b4906a1279457ce (diff)
added CSR ability (and vendored certificate_authority gem, so we can get the unreleased fixes we need).
Diffstat (limited to 'lib/leap_cli/commands/ca.rb')
-rw-r--r--lib/leap_cli/commands/ca.rb90
1 files changed, 88 insertions, 2 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index 5b556a3..1763ba3 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -50,6 +50,7 @@ module LeapCli; module Commands
c.action do |global_options,options,args|
assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them'
assert_config! 'provider.ca.server_certificates.bit_size'
+ assert_config! 'provider.ca.server_certificates.digest'
assert_config! 'provider.ca.server_certificates.life_span'
assert_config! 'common.x509.use'
@@ -82,6 +83,72 @@ module LeapCli; module Commands
end
end
+ #
+ # hints:
+ #
+ # inspect CSR:
+ # openssl req -noout -text -in files/cert/x.csr
+ #
+ # generate CSR with openssl to see how it compares:
+ # openssl req -sha256 -nodes -newkey rsa:2048 -keyout example.key -out example.csr
+ #
+ # validate a CSR:
+ # http://certlogik.com/decoder/
+ #
+ # nice details about CSRs:
+ # http://www.redkestrel.co.uk/Articles/CSR.html
+ #
+ desc 'Creates a Certificate Signing Request for use in purchasing a commercial x509 certificate'
+ command :'init-csr' do |c|
+ c.switch 'sign', :desc => 'additionally creates a cert that is signed by your own CA (recommended only for testing)', :negatable => false
+ c.action do |global_options,options,args|
+ assert_config! 'provider.domain'
+ assert_config! 'provider.name'
+ assert_config! 'provider.default_language'
+ assert_config! 'provider.ca.server_certificates.bit_size'
+ assert_config! 'provider.ca.server_certificates.digest'
+ assert_files_missing! [:commercial_key, manager.provider.domain], [:commercial_csr, manager.provider.domain], :msg => 'If you really want to create a new key and CSR, remove these files first.'
+ if options[:sign]
+ assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them'
+ end
+
+ # RSA key
+ keypair = CertificateAuthority::MemoryKeyMaterial.new
+ log :generating, "%s bit RSA key" % manager.provider.ca.server_certificates.bit_size do
+ keypair.generate_key(manager.provider.ca.server_certificates.bit_size)
+ write_file! [:commercial_key, manager.provider.domain], keypair.private_key.to_pem
+ end
+
+ # CSR
+ dn = CertificateAuthority::DistinguishedName.new
+ csr = CertificateAuthority::SigningRequest.new
+ dn.common_name = manager.provider.domain
+ dn.organization = manager.provider.name[manager.provider.default_language]
+ log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do
+ csr.distinguished_name = dn
+ csr.key_material = keypair
+ csr.digest = manager.provider.ca.server_certificates.digest
+ request = csr.to_x509_csr
+ write_file! [:commercial_csr, manager.provider.domain], csr.to_pem
+ end
+
+ # Sign using our own CA, for use in testing but hopefully not production.
+ # It is not that commerical CAs are so secure, it is just that signing your own certs is
+ # a total drag for the user because they must click through dire warnings.
+ if options[:sign]
+ log :generating, "x509 server certificate for testing purposes" do
+ cert = csr.to_cert
+ cert.serial_number.number = cert_serial_number(manager.provider.domain)
+ cert.not_before = today
+ cert.not_after = years_from_today(1)
+ cert.parent = ca_root
+ cert.sign! test_cert_signing_profile
+ write_file! [:commercial_cert, manager.provider.domain], cert.to_pem
+ end
+ end
+ end
+ end
+
private
def cert_needs_updating?(node)
@@ -182,11 +249,11 @@ module LeapCli; module Commands
# for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
# going with keyAgreement for now.
#
- # digest options: SHA512, SHA1
+ # digest options: SHA512, SHA256, SHA1
#
def server_signing_profile(node)
{
- "digest" => "SHA256",
+ "digest" => manager.provider.ca.server_certificates.digest,
"extensions" => {
"keyUsage" => {
"usage" => ["digitalSignature", "keyAgreement"]
@@ -202,6 +269,25 @@ module LeapCli; module Commands
}
end
+ #
+ # This is used when signing the main cert for the provider's domain
+ # with our own CA (for testing purposes). Typically, this cert would
+ # be purchased from a commercial CA, and not signed this way.
+ #
+ def test_cert_signing_profile
+ {
+ "digest" => "SHA256",
+ "extensions" => {
+ "keyUsage" => {
+ "usage" => ["digitalSignature", "keyAgreement"]
+ },
+ "extendedKeyUsage" => {
+ "usage" => ["serverAuth"]
+ }
+ }
+ }
+ end
+
def dns_names_for_node(node)
names = [node.domain.internal]
if node['dns'] && node.dns['aliases'] && node.dns.aliases.any?