Class: Ronin::CLI::Commands::CertGen Private

Inherits:
Ronin::CLI::Command show all
Includes:
Core::CLI::Logging
Defined in:
lib/ronin/cli/commands/cert_gen.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Generates a new X509 certificate.

Usage

ronin cert-gen [options]

Options

    --version NUM                The certificate version number (Default: 2)
    --serial NUM                 The certificate serial number (Default: 0)
    --not-before TIME            When the certificate becomes valid. Defaults to the current time.
    --not-after TIME             When the certificate becomes no longer valid. Defaults to one year from now.
-c, --common-name DOMAIN         The Common Name (CN) for the certificate
-A, --subject-alt-name HOST|IP   Adds HOST or IP to subjectAltName
-O, --organization NAME          The Organization (O) for the certificate
-U, --organizational-unit NAME   The Organizational Unit (OU)
-L, --locality NAME              The locality for the certificate
-S, --state XX                   The two-letter State (ST) code for the certificate
-C, --country XX                 The two-letter Country (C) code for the certificate
-t, --key-type rsa|ec            The signing key type
    --generate-key PATH          Generates and saves a random key (Default: key.pem)
-k, --key-file FILE              Loads the signing key from the FILE
-H, --signing-hash sha256|sha1|md5 The hash algorithm to use for signing (Default: sha256)
    --ca-key FILE                The Certificate Authority (CA) key
    --ca-cert FILE               The Certificate Authority (CA) certificate
    --ca                         Generates a CA certificate
-o, --output FILE                The output file (Default: cert.crt)
-h, --help                       Print help information

Examples

ronin cert-gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
ronin cert-gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --key-file private.key
ronin cert-gen -c test.com -A www.test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
ronin cert-gen --ca -c "Test CA" -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US
ronin cert-gen -c test.com -O "Test Co" -U "Test Dept" -L "Test City" -S NY -C US --ca-key ca.key --ca-cert ca.crt
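The CA and leaf workflow behind the last two examples, as an added example that is not part of Ronin: it uses only Ruby's bundled openssl library rather than Ronin::Support::Crypto::Cert, and the helper names build_name, generate_cert, verify_chain and demo, the subject values and the 10.0.0.1 address are all assumptions made for the example. It issues a CA certificate (what --ca produces), a leaf signed by that CA carrying a subjectAltName (what --ca-key/--ca-cert with -A produces), and then runs the checks a verifier applies: chain validation, hostname matching against the SAN, and rejection of a certificate that was issued by the CA:FALSE leaf.

```ruby
require 'openssl'

# Added example, not Ronin's code: the --ca / --ca-key workflow built with
# Ruby's OpenSSL bindings, followed by the checks a verifier performs.

ONE_YEAR = 60 * 60 * 24 * 365

# Builds the subject DN from the same fields the -c/-O/-U/-L/-S/-C options
# take; nil fields are left out of the name.
def build_name(common_name:, organization: nil, organizational_unit: nil,
               locality: nil, state: nil, country: nil)
  pairs = [['CN', common_name], ['O', organization],
           ['OU', organizational_unit], ['L', locality],
           ['ST', state], ['C', country]]
  OpenSSL::X509::Name.new(pairs.reject { |_, value| value.nil? })
end

# Issues a certificate for `key`. With ca_key/ca_cert it is signed by that CA
# and marked CA:FALSE; without them it is self-signed. `ca: true` makes it a
# CA (CA:TRUE plus keyCertSign), which is what --ca does.
def generate_cert(key:, subject:, serial:, ca: false, ca_key: nil, ca_cert: nil,
                  subject_alt_names: [], not_before: Time.now, not_after: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                 # zero-based, so 2 is X.509v3 (needed for extensions)
  cert.serial     = serial            # RFC 5280: positive and unique per issuer
  cert.subject    = subject
  cert.issuer     = ca_cert ? ca_cert.subject : subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after || (not_before + ONE_YEAR)

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert || cert

  key_usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment'
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  unless subject_alt_names.empty?
    cert.add_extension(ef.create_extension('subjectAltName', subject_alt_names.join(', ')))
  end

  cert.sign(ca_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Validates `cert` against a trust store holding only `trust_anchor`,
# optionally through intermediate `chain` certificates, then matches the
# hostname against the subjectAltName the way a TLS client does.
# Returns [ok, reason].
def verify_chain(cert, trust_anchor, chain: [], hostname: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(trust_anchor)
  return [false, store.error_string] unless store.verify(cert, chain)
  if hostname && !OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    return [false, "hostname #{hostname} does not match subjectAltName"]
  end
  [true, 'ok']
end

def demo
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = generate_cert(key: ca_key, serial: 1, ca: true,
                          subject: build_name(common_name: 'Test CA', organization: 'Test Co'))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = generate_cert(key: leaf_key, serial: 2, ca_key: ca_key, ca_cert: ca_cert,
                       subject: build_name(common_name: 'test.com', organization: 'Test Co', country: 'US'),
                       subject_alt_names: ['DNS:test.com', 'DNS:www.test.com', 'IP:10.0.0.1'])

  # A certificate minted with the leaf's key: the leaf is CA:FALSE, so a
  # conforming verifier must refuse it even though its signature is valid.
  rogue = generate_cert(key: OpenSSL::PKey::RSA.new(2048), serial: 3,
                        ca_key: leaf_key, ca_cert: leaf,
                        subject: build_name(common_name: 'evil.test.com'))

  {
    leaf_by_name: verify_chain(leaf, ca_cert, hostname: 'www.test.com'),
    leaf_by_ip:   verify_chain(leaf, ca_cert, hostname: '10.0.0.1'),
    wrong_host:   verify_chain(leaf, ca_cert, hostname: 'other.com'),
    rogue:        verify_chain(rogue, ca_cert, chain: [leaf]),
    ca_is_ca:     ca_cert.extensions.any? { |e| e.oid == 'basicConstraints' && e.value == 'CA:TRUE' }
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Two points worth keeping in mind when using the command: once a subjectAltName is present, OpenSSL::SSL.verify_certificate_identity never consults the CN, so a certificate generated without -A only matches on clients that still fall back to the CN; and the leaf cannot act as an issuer because its basicConstraints is CA:FALSE and its keyUsage lacks keyCertSign, which is exactly the check a verifier runs on every certificate above the leaf in the chain.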

Since:

  • 2.0.0

Constant Summary

IP_REGEXP = Support::Text::Patterns::IP

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0

Instance Method Summary

Constructor Details

#initialize(**kwargs) ⇒ CertGen

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Initializes the ronin cert-gen command.

Parameters:

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments.

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 217

def initialize(**kwargs)
  super(**kwargs)

  @subject_alt_names = []
end

Instance Method Details

#basic_constraints_ext ⇒ (String, Boolean)?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Builds the basicConstraints extension: a critical CA:TRUE for --ca, a critical CA:FALSE when the certificate is being issued by a CA (--ca-key / --ca-cert), and no extension at all for a plain self-signed certificate.

Returns:

  • ((String, Boolean), nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 367

def basic_constraints_ext
  if options[:ca]
    ['CA:TRUE', true]
  elsif options[:ca_key] || options[:ca_cert]
    ['CA:FALSE', true]
  end
end

#ca_cert ⇒ Ronin::Support::Crypto::Cert?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Loads the --ca-cert certificate file.

Returns:

  • (Ronin::Support::Crypto::Cert, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 337

def ca_cert
  if options[:ca_cert]
    Support::Crypto::Cert.load_file(options[:ca_cert])
  end
end

#ca_key ⇒ Ronin::Support::Crypto::Key::RSA?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Loads the --ca-key key file.

Returns:

  • (Ronin::Support::Crypto::Key::RSA, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 326

def ca_key
  if options[:ca_key]
    Support::Crypto::Key::RSA.load_file(options[:ca_key])
  end
end

#extensions ⇒ Hash{String => Object}?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Builds the extensions.

Returns:

  • (Hash{String => Object}, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 348

def extensions
  exts = {}

  if (ext = basic_constraints_ext)
    exts['basicConstraints'] = ext
  end

  if (ext = subject_alt_name_ext)
    exts['subjectAltName'] = ext
  end

  exts unless exts.empty?
end

#key_class ⇒ Class<Ronin::Support::Crypto::Key::RSA>, ...

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The --key-type key class.

Returns:

  • (Class<Ronin::Support::Crypto::Key::RSA>, Class<Ronin::Support::Crypto::Key::EC>, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 292

def key_class
  case options[:key_type]
  when :rsa then Support::Crypto::Key::RSA
  when :ec  then Support::Crypto::Key::EC
  end
end

#not_after ⇒ Time

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The parsed --not-after time or one year from now.

Returns:

  • (Time)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 278

def not_after
  @not_after ||= if options[:not_after]
                   Time.parse(options[:not_after])
                 else
                   not_before + Support::Crypto::Cert::ONE_YEAR
                 end
end

#not_before ⇒ Time

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The parsed --not-before time or now.

Returns:

  • (Time)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 265

def not_before
  @not_before ||= if options[:not_before]
                    Time.parse(options[:not_before])
                  else
                    Time.now
                  end
end

#run ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Runs the ronin cert-gen command.

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 226

def run
  if options[:generate_key]
    log_info "Generating new #{options.fetch(:key_type,:rsa).upcase} key ..."
  end

  key  = signing_key
  cert = Ronin::Support::Crypto::Cert.generate(
    version:    options[:version],
    serial:     options[:serial],
    not_before: not_before,
    not_after:  not_after,
    key:        key,
    ca_key:     ca_key,
    ca_cert:    ca_cert,
    subject: {
      common_name:         options[:common_name],
      organization:        options[:organization],
      organizational_unit: options[:organizational_unit],
      locality:            options[:locality],
      state:               options[:state],
      country:             options[:country]
    },
    extensions: extensions
  )

  if options[:generate_key]
    log_info "Saving key to #{options[:generate_key]} ..."
    key.save(options[:generate_key])
  end

  log_info "Saving certificate to #{options[:output]} ..."
  cert.save(options[:output])
end

#signing_key ⇒ Ronin::Support::Crypto::Key::RSA, ...

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Loads the --key-file key file (as the --key-type class when one is given, otherwise detecting the key type from the file) or generates a new random signing key (RSA unless --key-type says otherwise).

Returns:

  • (Ronin::Support::Crypto::Key::RSA, Ronin::Support::Crypto::Key::EC, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 304

def signing_key
  if options[:key_file]
    if options[:key_type]
      key_class.load_file(options[:key_file])
    else
      begin
        Support::Crypto::Key.load_file(options[:key_file])
      rescue ArgumentError => error
        print_error(error.message)
        exit(-1)
      end
    end
  else
    (key_class || Support::Crypto::Key::RSA).random
  end
end

#subject_alt_name_ext ⇒ String?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Builds the subjectAltName extension.

Returns:

  • (String, nil)

Since:

  • 2.0.0

# File 'lib/ronin/cli/commands/cert_gen.rb', line 382

def subject_alt_name_ext
  unless @subject_alt_names.empty?
    @subject_alt_names.map { |name|
      if name =~ IP_REGEXP
        "IP: #{name}"
      else
        "DNS: #{name}"
      end
    }.join(', ')
  end
end
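The host-versus-IP classification that subject_alt_name_ext performs, as an added example that is not Ronin's code: it substitutes Ruby's IPAddr for the page's IP_REGEXP so that IPv6 literals and malformed addresses are handled explicitly, builds the same "DNS:..., IP:..." value, and then decodes the resulting extension from its DER encoding to confirm which entries actually landed in the certificate. The function names ip_literal?, subject_alt_name_value, subject_alt_name_extension and decode_subject_alt_name, and the sample host names, are assumptions made for the example.

```ruby
require 'openssl'
require 'ipaddr'

# Added example, not Ronin's code: classify each subjectAltName entry as an
# IP literal or a DNS name, create the extension, and decode it back.

# True for a bare IPv4 or IPv6 address. A CIDR range parses as an IPAddr
# but is not a valid iPAddress GeneralName, so it is rejected up front.
def ip_literal?(name)
  return false if name.include?('/')
  IPAddr.new(name)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Builds the comma-separated value OpenSSL's subjectAltName parser expects,
# e.g. "DNS:test.com, IP:10.0.0.1" (OpenSSL splits each entry at its first
# colon, so an IPv6 literal such as "IP:::1" is parsed correctly).
def subject_alt_name_value(names)
  names.map { |name| ip_literal?(name) ? "IP:#{name}" : "DNS:#{name}" }.join(', ')
end

# subjectAltName needs no issuer or subject certificate to be created, so a
# bare ExtensionFactory is enough here.
def subject_alt_name_extension(names)
  OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName',
                                                        subject_alt_name_value(names))
end

# Decodes the GeneralNames SEQUENCE inside the extension's OCTET STRING and
# returns [[:dns, 'test.com'], [:ip, '10.0.0.1'], ...]. Context tags 2 and 7
# are dNSName and iPAddress in the GeneralName CHOICE (RFC 5280, 4.2.1.6);
# iPAddress is raw network-order bytes, 4 for IPv4 and 16 for IPv6.
def decode_subject_alt_name(ext)
  raise ArgumentError, "not subjectAltName: #{ext.oid}" unless ext.oid == 'subjectAltName'

  octets = OpenSSL::ASN1.decode(ext.to_der).value.last
  OpenSSL::ASN1.decode(octets.value).value.map do |general_name|
    case general_name.tag
    when 2 then [:dns, general_name.value]
    when 7 then [:ip, IPAddr.new_ntoh(general_name.value).to_s]
    else        [:other, general_name.tag]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: two host names, an IPv4 and an IPv6 literal, and
  # a host name that merely looks numeric.
  names = ['test.com', 'www.test.com', '10.0.0.1', '::1', '1.2.3.4.example']
  puts subject_alt_name_value(names)
  p decode_subject_alt_name(subject_alt_name_extension(names))
end
```

Decoding the DER rather than trusting the string you passed in is the useful check: it is the bytes in the GeneralNames SEQUENCE, not the "IP:" or "DNS:" prefix you typed, that a client compares against the host it connected to.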