diff options
| author | elijah <elijah@riseup.net> | 2012-11-16 14:30:20 -0800 |
|---|---|---|
| committer | elijah <elijah@riseup.net> | 2012-11-16 14:30:20 -0800 |
| commit | 76a3a736cfb50cb1c6d926d1e3afb0f504818157 (patch) | |
| tree | 95df178ce78ba5220eea267bdb21a04f2f975c75 /lib/leap_cli/commands/ca.rb | |
| parent | beb6496309b3640d957428b52b4906a1279457ce (diff) | |
| download | leap_cli-76a3a736cfb50cb1c6d926d1e3afb0f504818157.tar.gz leap_cli-76a3a736cfb50cb1c6d926d1e3afb0f504818157.tar.bz2 | |
added CSR ability (and vendored certificate_authority gem, so we can get the unreleased fixes we need).
Diffstat (limited to 'lib/leap_cli/commands/ca.rb')
| -rw-r--r-- | lib/leap_cli/commands/ca.rb | 90 |
1 files changed, 88 insertions, 2 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index 5b556a3..1763ba3 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -50,6 +50,7 @@ module LeapCli; module Commands c.action do |global_options,options,args| assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them' assert_config! 'provider.ca.server_certificates.bit_size' + assert_config! 'provider.ca.server_certificates.digest' assert_config! 'provider.ca.server_certificates.life_span' assert_config! 'common.x509.use' @@ -82,6 +83,72 @@ module LeapCli; module Commands end end + # + # hints: + # + # inspect CSR: + # openssl req -noout -text -in files/cert/x.csr + # + # generate CSR with openssl to see how it compares: + # openssl req -sha256 -nodes -newkey rsa:2048 -keyout example.key -out example.csr + # + # validate a CSR: + # http://certlogik.com/decoder/ + # + # nice details about CSRs: + # http://www.redkestrel.co.uk/Articles/CSR.html + # + desc 'Creates a Certificate Signing Request for use in purchasing a commercial x509 certificate' + command :'init-csr' do |c| + c.switch 'sign', :desc => 'additionally creates a cert that is signed by your own CA (recommended only for testing)', :negatable => false + c.action do |global_options,options,args| + assert_config! 'provider.domain' + assert_config! 'provider.name' + assert_config! 'provider.default_language' + assert_config! 'provider.ca.server_certificates.bit_size' + assert_config! 'provider.ca.server_certificates.digest' + assert_files_missing! [:commercial_key, manager.provider.domain], [:commercial_csr, manager.provider.domain], :msg => 'If you really want to create a new key and CSR, remove these files first.' + if options[:sign] + assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them' + end + + # RSA key + keypair = CertificateAuthority::MemoryKeyMaterial.new + log :generating, "%s bit RSA key" % manager.provider.ca.server_certificates.bit_size do + keypair.generate_key(manager.provider.ca.server_certificates.bit_size) + write_file! [:commercial_key, manager.provider.domain], keypair.private_key.to_pem + end + + # CSR + dn = CertificateAuthority::DistinguishedName.new + csr = CertificateAuthority::SigningRequest.new + dn.common_name = manager.provider.domain + dn.organization = manager.provider.name[manager.provider.default_language] + log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do + csr.distinguished_name = dn + csr.key_material = keypair + csr.digest = manager.provider.ca.server_certificates.digest + request = csr.to_x509_csr + write_file! [:commercial_csr, manager.provider.domain], csr.to_pem + end + + # Sign using our own CA, for use in testing but hopefully not production. + # It is not that commerical CAs are so secure, it is just that signing your own certs is + # a total drag for the user because they must click through dire warnings. + if options[:sign] + log :generating, "x509 server certificate for testing purposes" do + cert = csr.to_cert + cert.serial_number.number = cert_serial_number(manager.provider.domain) + cert.not_before = today + cert.not_after = years_from_today(1) + cert.parent = ca_root + cert.sign! test_cert_signing_profile + write_file! [:commercial_cert, manager.provider.domain], cert.to_pem + end + end + end + end + private def cert_needs_updating?(node) @@ -182,11 +249,11 @@ module LeapCli; module Commands # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable. # going with keyAgreement for now. # - # digest options: SHA512, SHA1 + # digest options: SHA512, SHA256, SHA1 # def server_signing_profile(node) { - "digest" => "SHA256", + "digest" => manager.provider.ca.server_certificates.digest, "extensions" => { "keyUsage" => { "usage" => ["digitalSignature", "keyAgreement"] @@ -202,6 +269,25 @@ module LeapCli; module Commands } end + # + # This is used when signing the main cert for the provider's domain + # with our own CA (for testing purposes). Typically, this cert would + # be purchased from a commercial CA, and not signed this way. + # + def test_cert_signing_profile + { + "digest" => "SHA256", + "extensions" => { + "keyUsage" => { + "usage" => ["digitalSignature", "keyAgreement"] + }, + "extendedKeyUsage" => { + "usage" => ["serverAuth"] + } + } + } + end + def dns_names_for_node(node) names = [node.domain.internal] if node['dns'] && node.dns['aliases'] && node.dns.aliases.any? |