author | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-04 14:44:21 +0000 |
---|---|---|
committer | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-04 14:44:21 +0000 |
commit | c9cd6ba8d6e6c5bf68b62b3886d1b8c65d4762bd (patch) | |
tree | 54b9561c479296a6b5cb8d5c55d6221e24d56619 | |
parent | 2ae58dc884f773585484d792fee4e1735492b476 (diff) | |
download | ruby-openssl-history-c9cd6ba8d6e6c5bf68b62b3886d1b8c65d4762bd.tar.gz |
examples/ca/: Added gen_cert.rb and gen_crl.rb.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | examples/ca/ca_config.rb | 19 | ||||
-rwxr-xr-x | examples/ca/gen_crl.rb | 61 |
3 files changed, 76 insertions, 7 deletions
@@ -1,3 +1,6 @@ +Fri, 04 Jul 2003 23:43:14 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org> + * examples/ca/: Added gen_cert.rb and gen_crl.rb. + Fri, 04 Jul 2003 04:00:13 +0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org> * ossl_x509name.c: use CLASS_OF() instead of TYPE(). * test/tc_x509name.rb: add test_eql? diff --git a/examples/ca/ca_config.rb b/examples/ca/ca_config.rb index 267a4bc..fb74c4a 100644 --- a/examples/ca/ca_config.rb +++ b/examples/ca/ca_config.rb @@ -1,4 +1,12 @@ class CAConfig + BASE_DIR = "/home/ca/ruby" + KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem" + CERT_FILE = "#{BASE_DIR}/cacert.pem" + SERIAL_FILE = "#{BASE_DIR}/serial" + NEW_CERTS_DIR = "#{BASE_DIR}/newcerts" + NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup" + CRL_DIR = "#{BASE_DIR}/crl" + NAME = [['C','JP'],['O', 'JIN.GR.JP'], ['OU', 'RRR']] CA_CERT_DAYS = 5 * 365 CA_RSA_KEY_LENGTH = 2048 @@ -6,15 +14,12 @@ class CAConfig CERT_DAYS = 365 CERT_KEY_LENGTH_MIN = 1024 CERT_KEY_LENGTH_MAX = 2048 - CDP_LOCATION = 'URI:http://rrr.jin.gr.jp/crl/client.crl' + CDP_LOCATION = 'URI:http://rrr.jin.gr.jp/crl/rrr.crl' OCSP_LOCATION = 'URI:http://rrr.jin.gr.jp/ocsp' - BASE_DIR = "/home/ca/ruby" - KEYPAIR_FILE = "#{BASE_DIR}/private/cakeypair.pem" - CERT_FILE = "#{BASE_DIR}/cacert.pem" - SERIAL_FILE = "#{BASE_DIR}/serial" - NEW_CERTS_DIR = "#{BASE_DIR}/newcerts" - NEW_KEYPAIR_DIR = "#{BASE_DIR}/private/keypair_backup" + CRL_FILE = "#{CRL_DIR}/rrr.crl" + CRL_PEM_FILE = "#{CRL_DIR}/rrr.pem" + CRL_DAYS = 14 PASSWD_CB = Proc.new { |flag| print "Enter password: " diff --git a/examples/ca/gen_crl.rb b/examples/ca/gen_crl.rb new file mode 100755 index 0000000..04b1e1a --- /dev/null +++ b/examples/ca/gen_crl.rb 
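Review bot: `CRL_DAYS = 14` carries no comment saying what the number governs, yet gen_crl.rb in this same commit computes `next_update` from it, so a CRL that is not regenerated within that window goes stale and relying parties that enforce nextUpdate stop accepting it; a comment such as `# CRL validity window in days; re-run gen_crl.rb within this period or the published CRL expires` would make that operational obligation visible next to the value. `CDP_LOCATION` and `CRL_FILE` now both spell out the filename `rrr.crl` as independent literals; deriving both from one constant (for example a `CRL_NAME = "rrr.crl"` that `CDP_LOCATION` and `CRL_FILE` interpolate) would keep the advertised distribution point and the file actually written from drifting apart, which the `client.crl` → `rrr.crl` correction in this hunk suggests has already happened once. The ChangeLog hunk at the start of this line is documentation only and needs nothing.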
@@ -0,0 +1,61 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'ca_config'
+require 'getopts'
+
+include OpenSSL
+
+def usage
+ myname = File::basename($0)
+ $stderr.puts
+ $stderr.puts "Warning: You're publishing empty CRL."
+ $stderr.puts "For revoking certificates use it like this:"
+ $stderr.puts "\t$ #{myname} Cert_to_revoke1.pem*"
+ $stderr.puts
+end
+
+ARGV.empty? && usage()
+
+# CA setup
+
+ca_file = CAConfig::CERT_FILE
+puts "Reading CA cert (from #{ca_file})"
+ca = X509::Certificate.new(File.read(ca_file))
+
+ca_keypair_file = CAConfig::KEYPAIR_FILE
+puts "Reading CA keypair (from #{ca_keypair_file})"
+ca_keypair = PKey::RSA.new(File.read(ca_keypair_file), &CAConfig::PASSWD_CB)
+
+# CRL setting
+
+crl = if FileTest.exist?(CAConfig::CRL_FILE)
+ X509::CRL.new(File.read(CAConfig::CRL_FILE))
+ else
+ X509::CRL.new
+ end
+
+crl.issuer = ca.issuer
+crl.last_update = Time.now
+crl.next_update = Time.now + CAConfig::CRL_DAYS * 24 * 60 * 60
+
+ARGV.each do |file|
+ cert = X509::Certificate.new(File.read(file))
+ re = X509::Revoked.new
+ re.serial = cert.serial
+ re.time = Time.now
+ crl.add_revoked(re)
+ puts "+ Serial ##{re.serial} - revoked at #{re.time}"
+end
+
+crl.sign(ca_keypair, Digest::SHA1.new)
+
+puts "Writing #{CAConfig::CRL_FILE}."
+File.open(CAConfig::CRL_FILE, "w") do |f|
+ f << crl.to_der
+end
+File.open(CAConfig::CRL_PEM_FILE, "w") do |f|
+ f << crl.to_pem
+end
+
+puts "DONE. (Generated CRL for '#{ca.subject}')" |
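Review bot: `crl.issuer = ca.issuer` copies the CA certificate's own issuer name into the CRL, but a CRL's issuer must be the name of the CA that signs it, which is `ca.subject`; the two only coincide for a self-signed root, so for a subordinate CA the generated CRL would name the wrong issuer and not be matched to the certificates it revokes (the final `puts` already uses `ca.subject`) — `crl.issuer = ca.subject`. The `ARGV.each` loop appends a fresh `X509::Revoked` for every file, and when an existing CRL is loaded from `CAConfig::CRL_FILE` nothing checks whether that serial is already present in `crl.revoked`, so revoking the same certificate twice produces duplicate entries; a guard such as `next if crl.revoked.any? { |r| r.serial == cert.serial }` before `X509::Revoked.new` would avoid that. The signed output is rewritten in place with `File.open(CAConfig::CRL_FILE, "w")`, so a relying party fetching the published CRL during the write can read a truncated file; writing to a temporary path in `CRL_DIR` and renaming it over `CRL_FILE` keeps the published copy consistent. `require 'getopts'` appears unused in this file, and `Digest::SHA1` is a weak signature digest by current standards, so a SHA-2 digest is preferable wherever the CA key and the clients consuming the CRL support it.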