summaryrefslogtreecommitdiff
path: root/lib/leap_cli/commands
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2012-12-12 13:10:46 -0800
committerelijah <elijah@riseup.net>2012-12-12 13:10:46 -0800
commitcf236b4d253bcd779753acc1694f73ef13b56c95 (patch)
tree55c15b18ff8111a9c58f85b77cac514774bff2e7 /lib/leap_cli/commands
parentaa2482f9a82af624a9af544b198c9adf654f0f6f (diff)
improved key usage parameters for x509 cert generation
Diffstat (limited to 'lib/leap_cli/commands')
-rw-r--r--lib/leap_cli/commands/ca.rb34
1 files changed, 23 insertions, 11 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index c87dcea..63749ca 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -58,14 +58,15 @@ module LeapCli; module Commands
assert_config! 'provider.ca.server_certificates.life_span'
assert_config! 'common.x509.use'
- if args.first == 'all' || args.empty?
- manager.each_node do |node|
+ nodes = manager.filter!(args)
+ if nodes.size == 1
+ generate_cert_for_node(nodes.values.first)
+ else
+ nodes.each_node do |node|
if cert_needs_updating?(node)
generate_cert_for_node(node)
end
end
- else
- generate_cert_for_node(get_node_from_args(args))
end
end
end
@@ -269,13 +270,24 @@ module LeapCli; module Commands
#
# For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
# Web browsers seem to break without keyEncipherment.
+ # For now, I am using digitalSignature + keyEncipherment
+ #
+ # * digitalSignature -- for (EC)DHE cipher suites
+ # "The digitalSignature bit is asserted when the subject public key is used
+ # with a digital signature mechanism to support security services other
+ # than certificate signing (bit 5), or CRL signing (bit 6). Digital
+ # signature mechanisms are often used for entity authentication and data
+ # origin authentication with integrity."
#
- # * digitalSignature ==> for (EC)DHE cipher suites
# * keyEncipherment ==> for plain RSA cipher suites
- # * keyAgreement ==> for used with DH, not RSA.
+ # "The keyEncipherment bit is asserted when the subject public key is used for
+ # key transport. For example, when an RSA key is to be used for key management,
+ # then this bit is set."
#
- # I am including all three because that seems to work in all cases. I am not sure if this
- # is the right thing to do.
+ # * keyAgreement ==> for used with DH, not RSA.
+ # "The keyAgreement bit is asserted when the subject public key is used for key
+ # agreement. For example, when a Diffie-Hellman key is to be used for key
+ # management, then this bit is set."
#
# digest options: SHA512, SHA256, SHA1
#
@@ -284,7 +296,7 @@ module LeapCli; module Commands
"digest" => manager.provider.ca.server_certificates.digest,
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["serverAuth", "clientAuth"]
@@ -307,7 +319,7 @@ module LeapCli; module Commands
"digest" => "SHA256",
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["serverAuth"]
@@ -325,7 +337,7 @@ module LeapCli; module Commands
"digest" => "SHA256",
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["clientAuth"]