authorNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-04 14:18:28 +0000
committerNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-04 14:18:28 +0000
commitd4e8bcd4ea3f2fe79b50b69288d49cb346a4cc79 (patch)
tree45a6c55a88ac1f214d2bcb0581097cebf837ef93
parent9265dba3ad252fcc22cf218b5507e638b4206a74 (diff)
downloadruby-openssl-history-d4e8bcd4ea3f2fe79b50b69288d49cb346a4cc79.tar.gz
examples/ca/gen_cert.rb: Follow examples/gen_cert.rb
-rwxr-xr-xexamples/ca/gen_cert.rb109
-rwxr-xr-xexamples/ca/gen_clientee_from_csr.rb74
-rwxr-xr-xexamples/ca/gen_clientee_from_scratch.rb83
3 files changed, 109 insertions, 157 deletions
diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb
new file mode 100755
index 0000000..ea5fe54
--- /dev/null
+++ b/examples/ca/gen_cert.rb
@@ -0,0 +1,109 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'fileutils'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+ myname = File::basename($0)
+ $stderr.puts "Usage: #{myname} csr_file [--type (client|server|ca|ocsp)]"
+ exit
+end
+
+getopts nil, 'type:client'
+
+cert_type = $OPT_type
+csr_file = ARGV.shift or usage
+ARGV.empty? or usage
+
+csr = X509::Request.new(File.open(csr_file).read)
+unless csr.verify(csr.public_key)
+ raise "CSR sign verification failed."
+end
+# Only checks signature here. You must verify CSR according to your CP/CPS.
+
+$stdout.sync = true
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
+File.open(CAConfig::SERIAL_FILE, "w") do |f|
+ f << sprintf("%04X", serial + 1)
+end
+
+# Generate new cert
+
+cert = X509::Certificate.new
+from = Time.now # + 30 * 60 # Wait 30 minutes.
+cert.subject = csr.subject
+cert.issuer = ca.subject
+cert.not_before = from
+cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
+cert.public_key = csr.public_key
+cert.serial = serial
+cert.version = 2 # X509v3
+
+basic_constraint = nil
+key_usage = []
+ext_key_usage = []
+case cert_type
+when "ca"
+ basic_constraint = "CA:TRUE,pathlen:0"
+ key_usage << "cRLSign" << "keyCertSign"
+when "server"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth"
+when "ocsp"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth" << "OCSPSigning"
+when "client"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ ext_key_usage << "clientAuth" << "codeSigning" << "emailProtection"
+else
+ raise "unknonw cert type \"#{cert_type}\" is specified."
+end
+
+ef = X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = ca
+ex = []
+ex << ef.create_extension("basicConstraints", basic_constraint, true)
+ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
+ex << ef.create_extension("subjectKeyIdentifier", "hash")
+ex << ef.create_extension("nsCertType", "client,email")
+ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
+ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
+
+ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
+ex << ef.create_extension("authorityInfoAccess", "OCSP;" << CAConfig::OCSP_LOCATION) if CAConfig::OCSP_LOCATION
+cert.extensions = ex
+cert.sign(ca_keypair, Digest::SHA1.new)
+
+# For backup
+
+cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
+File.open(cert_file, "w", 0644) do |f|
+ f << cert.to_pem
+end
+
+puts "Writing cert.pem..."
+FileUtils.copy(cert_file, "cert.pem")
+
+puts "DONE. (Generated certificate for '#{cert.subject}')"
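Review bot: The `nsCertType` extension is still hard-coded to `"client,email"` for every branch of the new `--type` switch, so certificates issued with `--type server`, `ca` or `ocsp` carry a client/email nsCertType that contradicts their basicConstraints, keyUsage and extendedKeyUsage values. The smallest fix that keeps the old client behaviour is to make that line conditional, `ex << ef.create_extension("nsCertType", "client,email") if cert_type == "client"`, or to set a per-type value inside each `when` branch the way `basic_constraint` is. Separately, the serial file is read and rewritten before `cert_type` is validated, so a mistyped `--type` raises at the `else` branch after a serial number has already been consumed; moving the `case cert_type` block above the serial update avoids that. The message in that `else` branch also has a typo: `raise "unknown cert type \"#{cert_type}\" is specified."`.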
diff --git a/examples/ca/gen_clientee_from_csr.rb b/examples/ca/gen_clientee_from_csr.rb
deleted file mode 100755
index 60b87e3..0000000
--- a/examples/ca/gen_clientee_from_csr.rb
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'openssl'
-require 'ca_config'
-require 'fileutils'
-
-include OpenSSL
-
-def usage
- myname = File::basename($0)
- $stderr.puts "Usage: #{myname} csr_file"
- exit
-end
-
-csr_file = ARGV.shift or usage()
-csr = X509::Request.new(File.open(csr_file).read)
-unless csr.verify(csr.public_key)
- raise "CSR sign verification failed."
-end
-# Only checks signature here. You must verify CSR according to your CP/CSP.
-
-$stdout.sync = true
-
-# CA setup
-
-ca_file = CAConfig::CERT_FILE
-puts "Reading CA cert (from #{ca_file})"
-ca = X509::Certificate.new(File.read(ca_file))
-
-ca_keypair_file = CAConfig::KEYPAIR_FILE
-puts "Reading CA keypair (from #{ca_keypair_file})"
-ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
-
-serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
-File.open(CAConfig::SERIAL_FILE, "w") do |f|
- f << sprintf("%04X", serial + 1)
-end
-
-# Generate new cert
-
-cert = X509::Certificate.new
-from = Time.now # + 30 * 60 # Wait 30 minutes.
-cert.subject = csr.subject
-cert.issuer = ca.subject
-cert.not_before = from
-cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
-cert.public_key = csr.public_key
-cert.serial = serial
-cert.version = 2 # X509v3
-
-# Should check CSR's attribute?
-ef = X509::ExtensionFactory.new
-ef.subject_certificate = cert
-ef.issuer_certificate = ca
-ext1 = ef.create_extension("basicConstraints","CA:FALSE")
-ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-ext4 = ef.create_extension("nsCertType", "client,email")
-ext5 = ef.create_extension("keyUsage", "digitalSignature,keyEncipherment")
-ext6 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.extensions = [ext1, ext2, ext3, ext4, ext5, ext6]
-cert.sign(ca_keypair, Digest::SHA1.new)
-
-# For backup
-
-cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
-File.open(cert_file, "w", 0644) do |f|
- f << cert.to_pem
-end
-
-puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
-
-puts "DONE. (Generated certificate for '#{cert.subject}')"
diff --git a/examples/ca/gen_clientee_from_scratch.rb b/examples/ca/gen_clientee_from_scratch.rb
deleted file mode 100755
index 5869516..0000000
--- a/examples/ca/gen_clientee_from_scratch.rb
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'openssl'
-require 'ca_config'
-require 'fileutils'
-
-include OpenSSL
-
-def usage
- myname = File::basename($0)
- $stderr.puts "Usage: #{myname} name(cn) email(emailAddress)"
- exit
-end
-
-cn = ARGV.shift or usage()
-email = ARGV.shift or usage()
-name = CAConfig::NAME.dup << ['CN', cn] << ['emailAddress', email]
-
-$stdout.sync = true
-
-# CA setup
-
-ca_file = CAConfig::CERT_FILE
-puts "Reading CA cert (from #{ca_file})"
-ca = X509::Certificate.new(File.read(ca_file))
-
-ca_keypair_file = CAConfig::KEYPAIR_FILE
-puts "Reading CA keypair (from #{ca_keypair_file})"
-ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
-
-serial = File.open(CAConfig::SERIAL_FILE, "r").read.chomp.hex
-File.open(CAConfig::SERIAL_FILE, "w") do |f|
- f << sprintf("%04X", serial + 1)
-end
-
-# Generate keypair
-
-print "Generating RSA 1024 bit keypair: "
-keypair = PKey::RSA.new(1024){ putc "." }
-putc "\n"
-
-# Generate new cert
-
-cert = X509::Certificate.new
-from = Time.now # + 30 * 60 # Wait 30 minutes.
-cert.subject = X509::Name.new(name)
-cert.issuer = ca.subject
-cert.not_before = from
-cert.not_after = from + CAConfig::CERT_DAYS * 24 * 60 * 60
-cert.public_key = keypair.public_key
-cert.serial = serial
-cert.version = 2 # X509v3
-
-ef = X509::ExtensionFactory.new
-ef.subject_certificate = cert
-ef.issuer_certificate = ca
-ext1 = ef.create_extension("basicConstraints","CA:FALSE")
-ext2 = ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-ext4 = ef.create_extension("nsCertType", "client,email")
-ext5 = ef.create_extension("keyUsage", "digitalSignature,keyEncipherment")
-ext6 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.extensions = [ext1, ext2, ext3, ext4, ext5, ext6]
-cert.sign(ca_keypair, Digest::SHA1.new)
-
-# For backup
-
-cert_file = CAConfig::NEW_CERTS_DIR + "/#{cert.serial}_cert.pem"
-File.open(cert_file, "w", 0644) do |f|
- f << cert.to_pem
-end
-
-keypair_file = CAConfig::NEW_KEYPAIR_DIR + "/#{cert.serial}_keypair.pem"
-File.open(keypair_file, "w", 0400) do |f|
- f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
-end
-
-puts "Writing cert.pem..."
-FileUtils.copy(cert_file, "cert.pem")
-puts "Writing keypair.pem..."
-FileUtils.copy(keypair_file, "keypair.pem")
-
-puts "DONE. (Generated certificate for '#{cert.subject}')"