#!/usr/bin/env ruby
require 'getopts'
require 'io/console'
require 'openssl'
include OpenSSL
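# Passphrase callback handed to OpenSSL when the CA key is loaded.
# OpenSSL calls it with +flag+ = true when a passphrase is being set
# (encryption, i.e. writing a key), in which case the passphrase is asked
# for twice; with +flag+ = false it is only needed for decryption and is
# read once. When stdin is a terminal the passphrase is read with echo
# disabled so it does not end up on screen or in a scrollback buffer.
# Returns the passphrase as a String.
# Raises RuntimeError when stdin is exhausted or the two entries differ.
passwd_cb = proc do |flag|
  read_pass = lambda do |prompt|
    print prompt
    # chomp (not chop!) so a line without a trailing newline keeps its
    # last character, and an unchanged string is not turned into nil.
    line = $stdin.tty? ? $stdin.noecho(&:gets) : $stdin.gets
    puts if $stdin.tty? # noecho swallowed the user's newline
    raise "no passphrase given." if line.nil?
    line.chomp
  end

  pass = read_pass.call("Enter password: ")
  if flag
    verify = read_pass.call("Verify password: ")
    raise "verify failed." if pass != verify
  end
  pass
end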
# Print a usage hint to stderr. Invoked when no certificates are given on
# the command line, because the script then publishes an empty CRL.
# Returns nil.
def usage
  me = File.basename($0)
  lines = [
    "",
    "Warning: You're publishing empty CRL.",
    "For revoking certificates use it like this:",
    "\t$ #{me} Cert_to_revoke1.pem [... Cert_to_revokeN.pem]",
    ""
  ]
  $stderr.puts(lines)
end
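# --- main -------------------------------------------------------------------
# Usage: script [-c ca_cert.pem] [-k ca_key.pem] [cert_to_revoke.pem ...]
# getopts is the Ruby 1.8-era option parser: -c and -k each take a value and
# land in $OPT_c / $OPT_k; whatever is left in ARGV is a certificate to revoke
# (optparse is the modern replacement).
getopts nil, "c:", "k:"
usage if ARGV.empty? # an empty CRL is legal, so only warn

ca_file = $OPT_c || "./0cert.pem"
puts "Reading CA cert (from #{ca_file})"
ca = X509::Certificate.new(File.read(ca_file))

ca_key_file = $OPT_k || "./0key-plain.pem"
puts "Reading CA key (from #{ca_key_file})"
# passwd_cb is only consulted when the key file is passphrase-protected.
ca_key = PKey::RSA.new(File.read(ca_key_file), &passwd_cb)

# One timestamp for lastUpdate and every revocation entry so they agree.
now = Time.now
crl = X509::CRL.new
# The CRL issuer is the CA itself (its subject), not whoever issued the CA
# certificate; the two only coincide for a self-signed root.
crl.issuer = ca.subject
crl.last_update = now
crl.next_update = now + 14 * 24 * 60 * 60 # relying parties should refetch within two weeks

ARGV.each do |file|
  cert = X509::Certificate.new(File.read(file))
  # A CRL only covers certificates issued by its issuer; a serial from
  # another CA would be listed but never matched by a verifier.
  unless cert.issuer == ca.subject
    $stderr.puts "Warning: #{file} was issued by '#{cert.issuer}', not by this CA."
  end
  entry = X509::Revoked.new
  entry.serial = cert.serial
  entry.time = now
  crl.add_revoked(entry)
  puts "+ Serial ##{entry.serial} - revoked at #{entry.time}"
end

# MD5 is collision-broken and MD5 signatures are rejected by modern OpenSSL
# at its default security level; sign with SHA-256.
crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))

crl_file = "./#{ca.serial}crl.pem"
puts "Writing #{crl_file}."
File.write(crl_file, crl.to_pem)
puts "DONE. (Generated CRL for '#{ca.subject}')"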