authorNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-04 14:44:21 +0000
committerNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-04 14:44:21 +0000
commitdd85cdbe3d211b97ca0273b4f2d069909cb8c3f0 (patch)
tree54b9561c479296a6b5cb8d5c55d6221e24d56619
parentd4e8bcd4ea3f2fe79b50b69288d49cb346a4cc79 (diff)
downloadruby-openssl-history-dd85cdbe3d211b97ca0273b4f2d069909cb8c3f0.tar.gz
examples/ca/: Added gen_cert.rb and gen_crl.rb.
-rw-r--r--ChangeLog3
-rw-r--r--examples/ca/ca_config.rb19
-rwxr-xr-xexamples/ca/gen_crl.rb61
3 files changed, 76 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 14bb1de..ade6e80 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+Fri, 04 Jul 2003 23:43:14 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+ * examples/ca/: Added gen_cert.rb and gen_crl.rb.
+
Fri, 04 Jul 2003 04:00:13 +0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
* ossl_x509name.c: use CLASS_OF() instead of TYPE().
* test/tc_x509name.rb: add test_eql?
diff --git a/examples/ca/ca_config.rb b/examples/ca/ca_config.rb
index 267a4bc..fb74c4a 100644
--- a/examples/ca/ca_config.rb
+++ b/examples/ca/ca_config.rb
@@ -1,4 +1,12 @@
class CAConfig
+ BASE_DIR = "/home/ca/ruby"
+ KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem"
+ CERT_FILE = "#{BASE_DIR}/cacert.pem"
+ SERIAL_FILE = "#{BASE_DIR}/serial"
+ NEW_CERTS_DIR = "#{BASE_DIR}/newcerts"
+ NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup"
+ CRL_DIR = "#{BASE_DIR}/crl"
+
NAME = [['C','JP'],['O', 'JIN.GR.JP'], ['OU', 'RRR']]
CA_CERT_DAYS = 5 * 365
CA_RSA_KEY_LENGTH = 2048
@@ -6,15 +14,12 @@ class CAConfig
CERT_DAYS = 365
CERT_KEY_LENGTH_MIN = 1024
CERT_KEY_LENGTH_MAX = 2048
- CDP_LOCATION = 'URI:http://rrr.jin.gr.jp/crl/client.crl'
+ CDP_LOCATION = 'URI:http://rrr.jin.gr.jp/crl/rrr.crl'
OCSP_LOCATION = 'URI:http://rrr.jin.gr.jp/ocsp'
- BASE_DIR = "/home/ca/ruby"
- KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem"
- CERT_FILE = "#{BASE_DIR}/cacert.pem"
- SERIAL_FILE = "#{BASE_DIR}/serial"
- NEW_CERTS_DIR = "#{BASE_DIR}/newcerts"
- NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup"
+ CRL_FILE = "#{CRL_DIR}/rrr.crl"
+ CRL_PEM_FILE = "#{CRL_DIR}/rrr.pem"
+ CRL_DAYS = 14
PASSWD_CB = Proc.new { |flag|
print "Enter password: "
diff --git a/examples/ca/gen_crl.rb b/examples/ca/gen_crl.rb
new file mode 100755
index 0000000..04b1e1a
--- /dev/null
+++ b/examples/ca/gen_crl.rb
@@ -0,0 +1,61 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+ myname = File::basename($0)
+ $stderr.puts
+ $stderr.puts "Warning: You're publishing empty CRL."
+ $stderr.puts "For revoking certificates use it like this:"
+ $stderr.puts "\t$ #{myname} Cert_to_revoke1.pem*"
+ $stderr.puts
+end
+
+ARGV.empty? && usage()
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+# CRL setting
+
+crl = if FileTest.exist?(CAConfig::CRL_FILE)
+ X509::CRL.new(File.read(CAConfig::CRL_FILE))
+ else
+ X509::CRL.new
+ end
+
+crl.issuer = ca.issuer
+crl.last_update = Time.now
+crl.next_update = Time.now + CAConfig::CRL_DAYS * 24 * 60 * 60
+
+ARGV.each do |file|
+ cert = X509::Certificate.new(File.read(file))
+ re = X509::Revoked.new
+ re.serial = cert.serial
+ re.time = Time.now
+ crl.add_revoked(re)
+ puts "+ Serial ##{re.serial} - revoked at #{re.time}"
+end
+
+crl.sign(ca_keypair, Digest::SHA1.new)
+
+puts "Writing #{CAConfig::CRL_FILE}."
+File.open(CAConfig::CRL_FILE, "w") do |f|
+ f << crl.to_der
+end
+File.open(CAConfig::CRL_PEM_FILE, "w") do |f|
+ f << crl.to_pem
+end
+
+puts "DONE. (Generated CRL for '#{ca.subject}')"
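Review bot: `crl.issuer = ca.issuer`, right after the CRL is loaded or created, stamps the CRL with the CA certificate's *issuer* name, which only equals the CA's own name when cacert.pem is self-signed; a CRL is issued by the CA itself, so it should be `crl.issuer = ca.subject` — the name the closing `puts` already reports. The revocation loop also accepts any certificate file without checking that it was issued by this CA, and re-adds a serial that is already present in the loaded CRL, so a repeated run with the same files grows duplicate entries; a guard on `cert.issuer` against `ca.subject` and on the serials already in `crl.revoked` (assuming this binding exposes `revoked`) is sketched below. `require 'getopts'` is never used. The final write is not atomic: a failure after `File.open(CAConfig::CRL_FILE, "w")` truncates the only copy of the CRL that the next run reads its existing entries from, so writing to a temporary file in `CRL_DIR` and renaming over `CRL_FILE` would be safer.
```ruby
crl.issuer = ca.subject
# … unchanged: last_update / next_update …

ARGV.each do |file|
  cert = X509::Certificate.new(File.read(file))
  unless cert.issuer.to_s == ca.subject.to_s
    raise "#{file}: not issued by #{ca.subject}"
  end
  if crl.revoked.any? { |r| r.serial == cert.serial }
    puts "= Serial ##{cert.serial} - already revoked, skipped"
    next
  end
  re = X509::Revoked.new
  re.serial = cert.serial
  re.time = Time.now
  crl.add_revoked(re)
  puts "+ Serial ##{re.serial} - revoked at #{re.time}"
end
```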