diff options
52 files changed, 1744 insertions, 134 deletions
diff --git a/config_files/certificate-authority/certs/root.crt b/config_files/certificate-authority/certs/root.crt new file mode 100644 index 0000000..9bbdff0 --- /dev/null +++ b/config_files/certificate-authority/certs/root.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx +CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh +dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms +2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ +7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD +VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7 +sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw +FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+ +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/create_intermediate_csr.ini b/config_files/certificate-authority/config/create_intermediate_csr.ini new file mode 100644 index 0000000..1929141 --- /dev/null +++ b/config_files/certificate-authority/config/create_intermediate_csr.ini @@ -0,0 +1,22 @@ +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +default_md = sha512 + +[ req_distinguished_name ] +C = SG +ST = singapore +O = company name +OU = companyname Certificate Authority +CN = hi Intermediate CA diff --git a/config_files/certificate-authority/config/create_root_cert.ini b/config_files/certificate-authority/config/create_root_cert.ini new file mode 100644 index 0000000..3321dd4 --- /dev/null +++ b/config_files/certificate-authority/config/create_root_cert.ini @@ -0,0 +1,55 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +[ req_distinguished_name ] +C = sg +ST = hi +O = hi +OU = hi Certificate Authority +CN = hi Root CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign diff --git a/config_files/certificate-authority/config/fullchain.crt b/config_files/certificate-authority/config/fullchain.crt new file mode 100644 index 0000000..d17d14e --- /dev/null +++ b/config_files/certificate-authority/config/fullchain.crt @@ -0,0 +1,55 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx +CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh +dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms +2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ +7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD +VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7 +sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw +FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+ +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/normalcli/client.crt b/config_files/certificate-authority/config/normalcli/client.crt new file mode 100755 index 0000000..e7bcb9a --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw +MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G +A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik +xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH +oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z +XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5 +v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6 +IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z +aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4 +QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll +bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc +BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG +EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf +Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4 +DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05 +1FLmX4pIQee05665Uao7HcTCPAGNJpRY +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/normalcli/client.csr b/config_files/certificate-authority/config/normalcli/client.csr new file mode 100755 index 0000000..356b308 --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnTCCAYUCAQAwWDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxEDAOBgNVBAMMB2Ns +aWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYpMSvz2jgn9ns +MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh +kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj +7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn +uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC +NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj +bMN6TQ6PAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAwj/+j8IWQZ99yV/qE2us +/YK7VJWCZgRpYbmrUTOH67evwiRlPEj1reXdyTBHISJ9tnE57mcXn0nbvAWI9tpk +4/KMJx9g1Jfuid5SgD74ShsFiHn0SP+9O9OEHTZIL5nyQIDu8L6X3KwsB6TsodbH +pYGBp/jnhz46LBynsTTDIoxa5i+M0dz43oYpLlJqXZE8Srgm/uR8ye2AS/QPvcuC +bVgw52YgAGNu3PlE3hf0ORtwWasekl6uCTRVTzIf2qptkx3AuUGgSy0biPotyHxt +rf0NGodVZyb0L4lF/t+4Wk7SyP9zuxq0sA938kLQb3Ob9hTM2i0T4msJplz5He37 +eA== +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/normalcli/client.key b/config_files/certificate-authority/config/normalcli/client.key new file mode 100755 index 0000000..4dd0ac4 --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYpMSvz2jgn9ns +MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh +kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj +7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn +uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC +NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj +bMN6TQ6PAgMBAAECggEAUkh2id3plBMypnLTpnhu3aVQX8FNVOwrImgIcsxLYSUS +OFLTbVLf0dVqjpYlmRtNgggm9hCutgBEDI/cIh0kwuFAc3VWrDsMgJi81IdKfz/r +4ogYFZgBp/xlhFxXVNbbvd8GSKnSWBsKLbMbbVRAglj5pupgykEnpDPxUXInz+63 +Ccmwcz82mYw5oAXwGbFWF9P0wfCbBkr13uH7l4yk9jawm2DNC7IlBQ/TzFv8qI0I +kUM/JB3/LIgqAL/9tniMt5uGJd5WUTagICJCI+bCRKMJVvjq37096gjbLG2LCPn3 +iQ6/0Or202hlpIBWZBcyXW4d2/0EvI5Rz8C0aV0K+QKBgQDyB10vEFUVKqub+AVu +VEJJSscuhNH/5PpDV2uOycx9bWwIeofcUFyiDCvorJmCtlU8hvyTjdaBbWR8UhEr +qewf0ZYfO1WVUP1egz5u5Ralph1IYHUoxwStR2knp+JHtuIHuCSnal2Vu8p57uoZ +i3nNTzadof0XJq2uiSPWGAxYGQKBgQDlJkUA8eZLb4JVrTcOch3OAHlmxizPgJPJ +SxsGsaQn/636fk9GHiCtRt2oD7tgGpxzBrf6i0Bs1K0wzBbmPtb6JhE+z5nhKirk +CPXbb/6XN8svQHkIqKlHOqaSTQ96mHfEfcOurpeuYzQDt09Rppgo4eXExRXig1lI +g0KN4+gQ5wKBgERKh6SL+zXpwFpV9VJYPAvqKaGaoJaPyX3O4O59SlHp2h3aVRN5 +KWof/RO9/+K+B/b4L7SCxQ/oCf56OZYUcCfaP324hEGJhLRyW992jJlY8dJGRUio +P02VZLpnyJVrqQN8lfsXLCjfwBX/r9ZdYJTp0QNRfdRWeZNR5ua2CmWhAoGBAMRG +hl5r1K2SotnOF1WJS5wy7cmpP6Kw6GVHrquKJyiXqSbhX/eYQLcK9ztH1mBYCt+/ +xoCVHCbb+EjO12J6OttjFexuF8k0vC48upIuGKzf/mrH16QiC3TWeOzhkruYsyWb +76vFImkd0eTI8+jlQHnsHEnx4m/1v9kLjUtKBnHLAoGAXyAN75ZRy69QOvrXpjPI +8Rq48hwCrwwUtIMWNKZFHUA+SlT6fYACfKDwajdkNQjTqJ/KpA/oDVA7He8K2wlM +2RnYraXx1eivGXIfQvUWcuHOq6CmcJEp+WiVUbLlyKMyPS7hB3PYuWrnYpAwaiBn +uWGX6LvdsBajP4hpEDM6o7o= +-----END PRIVATE KEY----- diff --git a/config_files/certificate-authority/config/server.crt b/config_files/certificate-authority/config/server.crt new file mode 100644 index 0000000..84447b1 --- /dev/null +++ b/config_files/certificate-authority/config/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/server.csr b/config_files/certificate-authority/config/server.csr new file mode 100644 index 0000000..9e5e167 --- /dev/null +++ b/config_files/certificate-authority/config/server.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxGTAXBgNVBAoMEFlvdXJPcmdhbml6YXRpb24xFzAV +BgNVBAMMDnlvdXJkb21haW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAksUw4kFhAKwBXVSxfH2J2OY6glImKOAjxNRiy/7yNrf9LvGv/8llrmWj +itM9zI9BUblKH1xCRhlwdnxbNakrbsmARKcCWiZu7oZtczS2pAuCO1ddgbOf3ncP +KjEC5hru5KkND4jjE7kthkthIT1JyiBK6oYkAYL+eoVuKPOkho52G6xkgQgMrOja +WqjwvKDDl4ybOU9G28h2k/IGts2i5Q+KQXIaPtrFiE1rb/XjGRbr2pBPLxzUePJm +0eRbmdQiXp8VOtjR2XHyGjAoWDeSoxnRxqghWz188XoWl9Dn4YIXOmdvCoj/gG0M +GjBAKka71NFexky5hOgwFr5mCbJRsQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB +ABrlYpipRamlAk0zMYb2J/Yk/sw6T41OzWhG4Z6n6V5KSmCbTO/KgUIjeRMmIilE +yE2LTJL1aUFDkAib7SJu02U4iZquRDsGSzQbT4xnhzTz4esOowkXEZGFdCV/qhDK +lN34yFV+oNGT9nO3TjKE2SJPiDlfgMdRikoYPNWo6yv+0l3a4jWiTqq7Xn0derEu +ZHPBhAuJvWzrD3ixap4BOlSKNp9C0dFuLhbnu9SAuy4uL/rjWsOH+KZVW388MlzA +CibAN3GHmm7xzNUTrXrX3w5w3mU1O3IKKWu1u/EQTPq8/WfmRcvOg+xhqlOEvCGx +YrwlWlETn28qAuq0WTa3+Gg= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/sign_intermediate_csr.ini b/config_files/certificate-authority/config/sign_intermediate_csr.ini new file mode 100644 index 0000000..09a20f7 --- /dev/null +++ b/config_files/certificate-authority/config/sign_intermediate_csr.ini @@ -0,0 +1,43 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%BA%6C%1F%2B%2B%16%E9%7B%4F%31%B0%91%19%73%2F%C8%DF%78%3A%FD;object=root;type=private +certificate = ../certs/root.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign diff --git a/config_files/certificate-authority/config/sign_server_and_client_csrs.ini b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini new file mode 100644 index 0000000..0cffc13 --- /dev/null +++ b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini @@ -0,0 +1,45 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = /opt/certificate-authority/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%D6%0E%28%C8%ED%2B%D5%FF%87%6B%88%06%4F%5B%70%1A%E5%F7%B4%99;object=intermediate;type=private +certificate = $dir/certs/intermediate.crt +default_md = sha512 +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ server_cert ] +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ client_cert ] +basicConstraints = CA:FALSE +nsCertType = client +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature +extendedKeyUsage = clientAuth diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt b/config_files/certificate-authority/config/yubikey/yubi.crt new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt.pem b/config_files/certificate-authority/config/yubikey/yubi.crt.pem new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.crt.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/yubikey/yubi.csr b/config_files/certificate-authority/config/yubikey/yubi.csr new file mode 100644 index 0000000..f001530 --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgDCCAWgCAQAwOzEVMBMGA1UEAwwMaGlpIFVzZW5hbWVyMRUwEwYDVQQKDAxF +eGFtcGxlIENvcnAxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAyVI40WPj6TVrke2bfNWS7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71 +TkSK5+fMu0ixKPpNplnQuQn8npTe4UBMPAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnG +HeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0afUxujHZsmFw25jZiFL21NTWIWlEvQZh +PPk4HIOQUL7wK6H5PbEfBlZq33lkXQiIfjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQ +okagBB+D2eVe82l4GDqVK6/P6pdnu/1gqZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5 +j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0ULQIDAQABoAAwDQYJKoZIhvcNAQELBQAD +ggEBADcx0k7zRU4d9F8yQ7aBLhraIDJ9ZURvEptoUTuzFUu95ACZWOoiATSeLoiJ +6nnHGksOQjYWCRUNu7lYuyE0SfxeFGCKEH8J2jkX8Z5JhKyc+VZeuaD+pu8gH3gz +RIl2Dz8L9npMQGSQrdAwJyyohHERYNSrW0OWwHP38yqqpA4rRUGHDmZtPRUjirnq +zABvt5rJAM7nx1Q+OGYupdzrg5fFtlN3JNWl2EZpe2e65A13k+nBNSSBt2aLyfVV +9GXblWRhei/OAIJTThXW+dex5aU8ujDgeGnHrtR5r7OqkL72+4TI3UZie+k2NOBZ +zD2XpFWYvUMcvi1oLaTyQ4fulLE= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem new file mode 100644 index 0000000..4979331 --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyVI40WPj6TVrke2bfNWS +7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71TkSK5+fMu0ixKPpNplnQuQn8npTe4UBM +PAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnGHeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0 +afUxujHZsmFw25jZiFL21NTWIWlEvQZhPPk4HIOQUL7wK6H5PbEfBlZq33lkXQiI +fjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQokagBB+D2eVe82l4GDqVK6/P6pdnu/1g +qZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0U +LQIDAQAB +-----END PUBLIC KEY----- diff --git a/config_files/certificate-authority/index.txt b/config_files/certificate-authority/index.txt new file mode 100644 index 0000000..f389103 --- /dev/null +++ b/config_files/certificate-authority/index.txt @@ -0,0 +1 @@ +V 291111193605Z 37CA4B18EB4D375F067A5A93EFE81BE534C446D7 unknown /C=SG/ST=singapore/O=company name/OU=companyname Certificate Authority/CN=hi Intermediate CA diff --git a/config_files/certificate-authority/index.txt.attr b/config_files/certificate-authority/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/index.txt.old b/config_files/certificate-authority/index.txt.old new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/config_files/certificate-authority/index.txt.old diff --git a/config_files/certificate-authority/intermediate/certs/intermediate.crt b/config_files/certificate-authority/intermediate/certs/intermediate.crt new file mode 100644 index 0000000..544c552 --- /dev/null +++ b/config_files/certificate-authority/intermediate/certs/intermediate.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/csr/intermediate.csr b/config_files/certificate-authority/intermediate/csr/intermediate.csr new file mode 100644 index 0000000..b9d5e3f --- /dev/null +++ b/config_files/certificate-authority/intermediate/csr/intermediate.csr @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBezCCAQECAQAwgYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUx +FTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2Vy +dGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0Ew +djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZS/10AselloIpzwY56f1pntc622qi +J/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6WcldyBA5aVkj4DpSFgLgfWI/+23WzI +5bzYtyEW7VuwsEwWTq6y2PpWVULZzUigADAKBggqhkjOPQQDBANoADBlAjAwViQS +f1Bk2z0kdYI5RVorbdJ0nDgxIJ61NmqO0zAB6Rozpgpz13V4G0ozK9D3J68CMQDl +KAr4P5yRuN8yzKUb+kl4WwnAu5NRtly7xc/uzlqhNOyUcHPRnr8YygbqhjKujBg= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/intermediate/index.txt b/config_files/certificate-authority/intermediate/index.txt new file mode 100644 index 0000000..248f6f5 --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt @@ -0,0 +1,3 @@ +V 251122194817Z 74F214909A4F244A2352A2851BCC0F13109CB80E unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com +V 251122200448Z 74F214909A4F244A2352A2851BCC0F13109CB80F unknown /C=US/O=Example Corp/CN=hii Usenamer +V 251122220244Z 74F214909A4F244A2352A2851BCC0F13109CB810 unknown /C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2 diff --git a/config_files/certificate-authority/intermediate/index.txt.attr b/config_files/certificate-authority/intermediate/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/intermediate/index.txt.attr.old b/config_files/certificate-authority/intermediate/index.txt.attr.old new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/intermediate/index.txt.old b/config_files/certificate-authority/intermediate/index.txt.old new file mode 100644 index 0000000..a701b7b --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.old @@ -0,0 +1,2 @@ +V 251122194817Z 74F214909A4F244A2352A2851BCC0F13109CB80E unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com +V 251122200448Z 74F214909A4F244A2352A2851BCC0F13109CB80F unknown /C=US/O=Example Corp/CN=hii Usenamer diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem new file mode 100644 index 0000000..84447b1 --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem new file mode 100644 index 0000000..e7bcb9a --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw +MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G +A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik +xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH +oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z +XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5 +v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6 +IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z +aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4 +QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll +bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc +BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG +EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf +Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4 +DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05 +1FLmX4pIQee05665Uao7HcTCPAGNJpRY +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/serial b/config_files/certificate-authority/intermediate/serial new file mode 100644 index 0000000..0d3c40b --- /dev/null +++ b/config_files/certificate-authority/intermediate/serial @@ -0,0 +1 @@ +74F214909A4F244A2352A2851BCC0F13109CB811 diff --git a/config_files/certificate-authority/intermediate/serial.old b/config_files/certificate-authority/intermediate/serial.old new file mode 100644 index 0000000..85ab993 --- /dev/null +++ b/config_files/certificate-authority/intermediate/serial.old @@ -0,0 +1 @@ +74F214909A4F244A2352A2851BCC0F13109CB810 diff --git a/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem new file mode 100644 index 0000000..544c552 --- /dev/null +++ b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/serial b/config_files/certificate-authority/serial new file mode 100644 index 0000000..0e25be1 --- /dev/null +++ b/config_files/certificate-authority/serial @@ -0,0 +1 @@ +37CA4B18EB4D375F067A5A93EFE81BE534C446D8 diff --git a/config_files/nginx.conf b/config_files/nginx.conf new file mode 100644 index 0000000..0f292af --- /dev/null +++ b/config_files/nginx.conf @@ -0,0 +1,88 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +ssl_engine pkcs11; + +http { + types_hash_max_size 4096; + include /etc/nginx/mime.types; + default_type application/octet-stream; + + + sendfile on; + keepalive_timeout 65; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # Server block for non-SSL routes + server { + listen 80; + server_name localhost; + + # Allow specific routes without SSL + location = / { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + location = /c { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + location ~ ^/v/ { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + # Redirect all other routes to HTTPS + location / { + return 301 https://$host$request_uri; + } + } + + # Server block for SSL routes + server { + listen 443 ssl; + server_name localhost; + +# ssl_certificate /etc/nginx/certs/server.crt; +# ssl_certificate_key /etc/nginx/certs/server.key; +# ssl_client_certificate /etc/nginx/certs/ca.pem; +# ssl_verify_client on; + + ssl_certificate /etc/nginx/certs/hsm_server.crt; + ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private"; + ssl_client_certificate /etc/nginx/certs/hsm_chain.crt; + ssl_verify_client on; + # Add these debugging settings temporarily + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_verify_depth 3; + ssl_prefer_server_ciphers on; + + # Add error logging for SSL + error_log /var/log/nginx/error.log debug; + + location / { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + } +} diff --git a/config_files/nginx.service b/config_files/nginx.service new file mode 100644 index 0000000..7b5a697 --- /dev/null +++ b/config_files/nginx.service @@ -0,0 +1,23 @@ +[Unit] +Description=The nginx HTTP and reverse proxy server +After=network-online.target remote-fs.target nss-lookup.target +Wants=network-online.target + +[Service] +Type=forking +PIDFile=/run/nginx.pid +# Nginx will fail to start if /run/nginx.pid already exists but has the wrong +# SELinux context. This might happen when running `nginx -t` from the cmdline. +# https://bugzilla.redhat.com/show_bug.cgi?id=1268621 +ExecStartPre=/usr/bin/rm -f /run/nginx.pid +ExecStartPre=/usr/sbin/nginx -t +ExecStart=/usr/sbin/nginx +ExecReload=/usr/sbin/nginx -s reload +KillSignal=SIGQUIT +TimeoutStopSec=5 +KillMode=mixed +PrivateTmp=true +Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf" + +[Install] +WantedBy=multi-user.target diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action new file mode 100644 index 0000000..562ebf5 --- /dev/null +++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action @@ -0,0 +1,147 @@ + +sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin +sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool. +sudo dnf install -y pcsc-lite pcsc-lite-ccid +sudo systemctl start pcscd +sudo systemctl enable pcscd +sudo opensc-tool -l + +so-pin 3537363231383830 +userpin 648219 + +7535439178124602 + +pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830 +opensc-tool -l # to list devices +sc-hsm-tool -X -r 1 # -r is device number. to reset the device, you need so pin and userpin +sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1 +ykman piv reset #reset yubikey piv + +find / -name opensc-pkcs11.so + +TESTING BEFORE OPERATION + ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test +/usr/lib64/opensc-pkcs11.so +/usr/lib64/pkcs11/opensc-pkcs11.so on fedora +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects +OPENSSL_CONF=./hsm.conf openssl engine +the following should be printed for openssl +(dynamic) Dynamic engine loading support +(pkcs11) pkcs11 engine + + +DOCUMNETATION FOR CA + nginx + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey" +openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr + openssl req -text -noout -verify -in server.csr # to verify the certificate +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt +openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage" # output web server authentication + +010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456 +brew install gnutls +yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem +yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt +openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication +cp yubi.crt yubi.crt.pem +yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM +p11tool --list-tokens +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k +can do curl -v xxxxxxxx as well for more verbose. + +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2" +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt +openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication +curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k + +STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k + +openssl version -d # to find the default config file dir +copy hsm.conf to the directory +sudo nano /lib/systemd/system/nginx.service + add this to under service +Environment=LANG=C +Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf" +sudo systemctl daemon-reload + +pkcs15-tool --list-info + to get the serial number value of the device for the key +p11tool --list-all +p11tool --login --list-all pkcs11:model= + +ssl_engine pkcs11; # put this after events section, before http. + ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt; + ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private"; + ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt; + ssl_verify_client on; + +cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt + +curl -X POST http://127.0.0.1/generate_verification -k +curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k + +#change the check to not require authentication + +https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf +https://docs.nitrokey.com/hsm/linux/certificate-authority +https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c + ^ is the pkcs uri for openssl -key + +DOCUMNETATION FOR CA + nginx END + + + yubico +yubico-piv-tool -a unblock-pin -P 12345678 -N 123456 +123456 pin default +12345678 pin unlock key default +010203040506070801020304050607080102030405060708 management key default +ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey + + +should work +openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt #sign should work as well +pkcs15-tool --read-public-key 01 > pubkey +openssl dgst -sha256 -verify pubkey -signature signature.bin txt + + +openssl genrsa -out rootCA.key 2048 +openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA" +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/CN=Client" +openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256 +openssl verify -CAfile rootCA.pem client.crt +#$client.crt: OK + + +untested +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L #list +yubico-piv-tool -astatus #list +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects + + + generate the key +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo" + + sign the file and create an output +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file> + + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file> + +# Example test command sequence +echo "Test data" > testdata.txt +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin + + +pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects + diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs new file mode 100644 index 0000000..a627ad9 --- /dev/null +++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs @@ -0,0 +1,507 @@ +pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root +or +pkcs11-tool -l --keypairgen --key-type EC:secp256r1 --label root +pkcs11-tool -l --keypairgen --key-type rsa:4096 --label root + +pki_dir=/opt/certificate-authority +mkdir $pki_dir +cd $pki_dir +mkdir certs config crl newcerts intermediate intermediate/certs intermediate/crl intermediate/csr intermediate/newcerts +touch index.txt intermediate/index.txt +cd config + +# Arch Linux +pacman -S community/opensc community/libp11 + +# Ubuntu +sudo apt-get install opensc gnutls-bin + +# Generate private key on HSM +$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root +Using slot 0 with a present token (0x0) +Logging in to "SmartCard-HSM (UserPIN)". +Please enter User PIN: +Key pair generated: +Private Key Object; EC + label: root + ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675 + Usage: sign, derive + Access: none +Public Key Object; EC EC_POINT 384 bits + EC_POINT: 046104c1e7b40e1ef9e5d47399aeeda695026c9eb626462059eb696e8f2b647b42d64ac3b7fc7a5b31aa3edf9bce46b2cdcf8e5d190b13601d3d14ffb119c8cf60033c6b78ba579b85113ca536eef1cf85ba418ff0110a56ec881b329e0562e090a3e7 + EC_PARAMS: 06052b81040022 + label: root + ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675 + Usage: verify, derive + Access: none + + +#to get the id +pkcs11-tool -O + +vim create_root_cert.ini +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +[ req_distinguished_name ] +C = <two lettter country> +ST = <full state name> +O = <your company> +OU = <your company> Certificate Authority +CN = <your company> Root CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + + +#Generate the self-signed public certificate from the private key. Use the private key id value from earlier. +$ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt +engine "pkcs11" set. +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): + +#verify stuff matches +$ openssl x509 -noout -text -in ../certs/root.crt +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 25:ac:e1:36:75:67:26:1d:bb:96:4b:84:c2:2d:83:25:7b:cc:e0:e5 + Signature Algorithm: ecdsa-with-SHA512 + Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Validity + Not Before: Aug 18 20:13:20 2020 GMT + Not After : Aug 16 20:13:20 2030 GMT + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:c1:e7:b4:0e:1e:f9:e5:d4:73:99:ae:ed:a6:95: + 02:6c:9e:b6:26:46:20:59:eb:69:6e:8f:2b:64:7b: + 42:d6:4a:c3:b7:fc:7a:5b:31:aa:3e:df:9b:ce:46: + b2:cd:cf:8e:5d:19:0b:13:60:1d:3d:14:ff:b1:19: + c8:cf:60:03:3c:6b:78:ba:57:9b:85:11:3c:a5:36: + ee:f1:cf:85:ba:41:8f:f0:11:0a:56:ec:88:1b:32: + 9e:05:62:e0:90:a3:e7 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Key Identifier: + F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA512 + 30:64:02:30:53:b8:b6:5a:41:4b:4f:6a:d1:a6:76:88:df:13: + d6:da:c7:48:aa:8b:aa:ff:13:6c:d1:00:53:90:92:b5:71:57: + eb:d0:bf:3e:5d:2e:62:c0:3e:40:0f:64:25:a5:92:0f:02:30: + 15:0a:19:d5:a2:09:86:d8:9d:07:67:71:c3:84:f2:6b:90:20: + 2d:29:10:9e:4c:73:7a:55:56:4b:dc:fe:8d:3f:f0:9c:20:e1: + 5a:74:fb:41:86:ad:a4:66:61:74:d7:fd + + + + +intermediate authority + +# Generate private key on HSM +$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate +Using slot 0 with a present token (0x0) +Logging in to "SmartCard-HSM (UserPIN)". +Please enter User PIN: +Key pair generated: +Private Key Object; EC + label: intermediate + ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 + Usage: sign, derive + Access: none +Public Key Object; EC EC_POINT 384 bits + EC_POINT: 046104d0fb5c0cd10c0b6e4d0f6986755824b624ec9fcd8ff9ae5f0109fe6ff3ad887ca760717da894f3ff84dc8c24fe8c93b0cd840a6aa941bb2866c061cef60e47b893d71852b50d6762af10c951426e55ec8925a6cd83aeae1730311108afdbcdee + EC_PARAMS: 06052b81040022 + label: intermediate + ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 + Usage: verify, derive + Access: none + +pkcs11-tool -O + +vim create_intermediate_csr.ini + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +default_md = sha512 + +[ req_distinguished_name ] +C = <two lettter country> +ST = <full state name> +O = <your company> +OU = <your company> Certificate Authority +CN = <your company> Intermediate CA + +#generate csr +$ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr +engine "pkcs11" set. +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): + + +$ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr +verify OK +Certificate Request: + Data: + Version: 1 (0x0) + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58: + 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3: + ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24: + fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61: + ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10: + c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30: + 31:11:08:af:db:cd:ee + ASN1 OID: secp384r1 + NIST CURVE: P-384 + Attributes: + a0:00 + Signature Algorithm: ecdsa-with-SHA512 + 30:64:02:30:6a:1d:75:8b:59:99:2c:a8:5d:a0:7f:02:7d:9a: + aa:40:74:7a:65:20:03:6b:bc:65:fb:7d:d1:7f:5b:24:ae:6f: + 40:16:ac:82:0b:80:9b:81:f9:d9:64:ea:0f:41:4c:d7:02:30: + 4d:28:7f:e3:76:52:c7:10:e1:bd:b7:2e:ea:65:78:41:0c:96: + 50:5f:e9:1f:be:18:ac:14:ba:65:3f:b0:2a:f4:0f:d0:56:ab: + d0:8c:bf:d0:92:9e:f6:e5:f6:8a:af:a5 + + +find the fully qualified PKCS#11 URI for your private key, this is an example +pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + +$ p11tool --list-all +warning: no token URL was provided for this operation; the available tokens are: + +pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00 + +$ p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00 +Token 'SmartCard-HSM (UserPIN)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00' requires user PIN +Enter PIN: +Object 0: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + Type: Private key (EC/ECDSA-SECP384R1) + Label: root + Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; + ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75 + +Object 1: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=public + Type: Public key (EC/ECDSA-SECP384R1) + Label: root + ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75 + +Object 2: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private + Type: Private key (EC/ECDSA-SECP384R1) + Label: intermediate + Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; + ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39 + +Object 3: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=public + Type: Public key (EC/ECDSA-SECP384R1) + Label: intermediate + ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39 + + +vim sign_intermediate_csr.ini + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private +certificate = ../certs/root.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + + +sign intermediate with root +$ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt +engine "pkcs11" set. +Using configuration from sign_intermediate_csr.ini +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): +Check that the request matches the signature +Signature ok +Certificate Details: + Serial Number: + 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68 + Validity + Not Before: Aug 18 20:44:17 2020 GMT + Not After : Aug 17 20:44:17 2025 GMT + Subject: + countryName = US + stateOrProvinceName = My State + organizationName = My Company + organizationalUnitName = My Company Certificate Authority + commonName = My Company Intermediate CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +Certificate is to be certified until Aug 17 20:44:17 2025 GMT (1825 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated + +# to verify +$ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68 + Signature Algorithm: ecdsa-with-SHA512 + Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Validity + Not Before: Aug 18 20:44:17 2020 GMT + Not After : Aug 17 20:44:17 2025 GMT + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58: + 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3: + ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24: + fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61: + ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10: + c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30: + 31:11:08:af:db:cd:ee + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Key Identifier: + 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA512 + 30:66:02:31:00:9a:6e:08:d2:d6:3a:29:f6:ba:0c:4c:3a:f4: + af:40:5e:e0:71:f2:bc:e4:47:f5:b4:ee:10:d7:27:b1:25:0b: + 4b:09:78:a1:b8:f2:b8:71:c5:4e:41:33:8e:64:db:ec:eb:02: + 31:00:fc:39:26:c2:ad:7b:3c:ab:75:06:34:02:47:79:40:31: + 1d:eb:17:ad:32:10:67:97:37:6f:7f:3c:ce:3e:12:3c:e9:7c: + fa:43:3e:34:5d:5e:f4:f3:2f:fd:6a:2f:14:da + + +$ openssl verify -CAfile ../certs/root.crt ../intermediate/certs/intermediate.crt +../intermediate/certs/intermediate.crt: OK + +#certificate chain +cat ../intermediate/certs/intermediate.crt ../certs/root.crt > ../intermediate/certs/chain.crt + +####################setup ca done, to use the private key of the intermediate certificate to sign the CSRs of your servers + +vim sign_server_csrs.ini + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private +certificate = $dir/certs/intermediate.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + + +$ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt +engine "pkcs11" set. +Using configuration from sign_server_csrs.ini +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): +Check that the request matches the signature +Signature ok +Certificate Details: + Serial Number: + 40:7f:dc:90:b0:3a:1b:fb:d3:e2:74:8d:40:28:a8:12:f7:7e:c3:74 + Validity + Not Before: Aug 18 21:32:42 2020 GMT + Not After : Aug 28 21:32:42 2021 GMT + Subject: + countryName = US + stateOrProvinceName = My State + organizationName = My Company + organizationalUnitName = media + commonName = media + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server + Netscape Comment: + OpenSSL Generated Server Certificate + X509v3 Subject Key Identifier: + 26:89:19:95:6C:93:8C:DD:6E:AA:61:D5:C0:E6:78:CC:F1:47:64:FC + X509v3 Authority Key Identifier: + keyid:1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + DirName:/C=US/ST=My State/O=My Company/OU=My Company Certificate Authority/CN=My Company Root CA + serial:35:47:4D:05:12:CC:E1:A8:B6:BF:DD:3E:C8:29:7B:18:C0:A1:5C:68 + + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication +Certificate is to be certified until Aug 28 21:32:42 2021 GMT (375 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated + + +https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority +there is older document that may not be the same but it looks the same diff --git a/hsm.conf b/config_files/openssl.pkcs11.cnf index af27cf0..403c7ae 100644 --- a/hsm.conf +++ b/config_files/openssl.pkcs11.cnf @@ -15,8 +15,8 @@ pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 -dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so #ubuntu -#MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so #fedora/rocky +dynamic_path = /usr/lib64/engines-3/libpkcs11.so +#MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so #ubuntu +MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so #fedora/rocky PIN = 648219 init = 0 diff --git a/config_files/org.debian.pcsc-lite.policy b/config_files/org.debian.pcsc-lite.policy new file mode 100644 index 0000000..fc24b62 --- /dev/null +++ b/config_files/org.debian.pcsc-lite.policy @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policyconfig PUBLIC + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> +<policyconfig> + <vendor>The PCSC-lite Project</vendor> + <vendor_url>https://pcsclite.apdu.fr/</vendor_url> +<!-- <icon_name>smart-card</icon_name> --> + + <action id="org.debian.pcsc-lite.access_pcsc"> + <description>Access to the PC/SC daemon</description> + <message>Authentication is required to access the PC/SC daemon</message> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + + <action id="org.debian.pcsc-lite.access_card"> + <description>Access to the smart card</description> + <message>Authentication is required to access the smart card</message> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + +</policyconfig> @@ -1,31 +1,10 @@ -nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged - - - ubuntu -sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs - nginx -install nginx -sudo systemctl enable --now nginx - # cat /var/log/nginx/access.log - # /etc/nginx/nginx.conf - gunicorn -gunicorn --bind localhost:5000 app:app # for testing -sudo nano /etc/systemd/system/gunicorn1.service # as a service -sudo systemctl enable --now gunicorn1 # as a service - python -app1.py -sudo mkdir /var/www -sudo chown -R www-data:www-data /var/www -sudo cp app1.py /var/www - - - test + + # private key openssl genrsa -out ca.key 2048 # public certificate openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA" - # server private key openssl genrsa -out server.key 2048 # generate certificate signing request @@ -39,46 +18,56 @@ openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out c openssl genrsa -out wrong_client.key 2048 openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient" - curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k - untested -sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt -sudo update-ca-certificates - nginx configuration - ocsp server to check that the server is valid - crl to check if a client is revoked -server { - listen 443 ssl; - server_name yourdomain.com; +# Allow nginx to connect to any network port for nginx to go through selinux +also turn off selinux permanently +sudo setsebool -P httpd_can_network_connect 1 +sudo mkdir -p /etc/nginx/certs +sudo cp /flask/v1/keys/* /etc/nginx/certs/ +sudo chown -R nginx:nginx /etc/nginx/certs + +# no yubikey verification +curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key -k + +# to activate hsm, move these over +cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt +cp fullchain.crt /etc/nginx/certs/hsm_chain.crt +cp server.crt /etc/nginx/certs/hsm_server.crt +sudo pkcs11-tool -L # for denk serial number + + +openssl version -d + +edit the openssl.conf file +/etc/nginx/nginx.conf + +then edit the nginx service file +Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf" + +add under service + systemctl daemon-reload + sudo systemctl restart nginx + + + openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt + + curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/ -k + - ssl_certificate /path/to/your/server.crt; - ssl_certificate_key /path/to/your/server.key; + sudo -u nginx pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-objects --login - # Client certificate verification - ssl_client_certificate /path/to/your/ca.pem; - ssl_verify_client on; +tail -f /var/log/nginx/error.log # to see ssl errors - # Enable OCSP stapling and strict verification - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate /path/to/your/ca.pem; +/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy +change all to yes then restart systemctl pcscd +if nginx cannot access pcscd(can also prove this by doing a pkcs11-tool list), systemctl pcscd will have error logs) - # Specify resolver for OCSP stapling - resolver 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 10s; - # Enforce OCSP response checking strictly - ssl_ocsp on; - ssl_ocsp_fail closed; - # Specify CRL file for client certificate revocation checking - ssl_crl /etc/nginx/ssl/crl.pem; + https://www.redhat.com/en/blog/controlling-access-smart-cards - location / { - try_files $uri $uri/ =404; - } -} +sudo curl -vvv -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' --cacert fullchain2.crt https://p.0nom.ch/c diff --git a/flask1.py b/flask1.py new file mode 100644 index 0000000..eb9ff28 --- /dev/null +++ b/flask1.py @@ -0,0 +1,38 @@ +from flask import Flask +from flask import Flask, request, jsonify +from tfa import * + +app = Flask(__name__) +store = customstore() + +@app.route('/') +def hello_world(): + return """Hello, World! +This is an authentication server +Available directories are: +/c to create a key +/a to authorise a key +/v to verify that a key is authorised + +""" + +@app.route('/c', methods=['GET']) +def create(): + return store.create() + +@app.route('/a/<code>', methods=['GET']) +def authenticate(code): + if store.authenticate(code): + return "True" + else: + return "False" + +@app.route('/v/<code>', methods=['GET']) +def verify(code): + if store.check(code): + return "True" + else: + return "False" + +if __name__ == '__main__': + app.run(host='0.0.0.0', port=5000, debug=True) diff --git a/gunicorn1.service b/gunicorn1.service deleted file mode 100644 index 425c453..0000000 --- a/gunicorn1.service +++ /dev/null @@ -1,14 +0,0 @@ - -[Unit] -Description=gunicorn1 -After=network.target - -[Service] -User=www-data -Group=www-data -WorkingDirectory=/var/www -ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app - -[Install] -WantedBy=multi-user.target - diff --git a/keys/ca.key b/keys/ca.key new file mode 100644 index 0000000..7c3e69b --- /dev/null +++ b/keys/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDj9RaVE/qG2WMx +6FGzLkdiUtVxHY7Fv2kBQ7CYLdW3DQZDMQlV+a51yBcQ+p/mnrruj6PBKjsNdBla +gTIyeuDysN2Ikw32ifL6c/sfwsZDDyik8tfHMBSWmFJ9K2Ra0nHsfLl58282C1wd +ti03qb4Hrg8oj9NHd9eJIZSD8sZZCFwbZ3zwh7ZhIGQSwk6LDOCrK7VMeV3bmoYO +swBWc3hG/sV/jSsUBSYRw+slyluPLappfNvWk9FrvEsNTBWEJz6pSkaBJXQB8now +8nbFrjTXfTOznxZpUXq5/FvxC1P0cmGsBQxeOJUlQu/asZ7Oyn5xWA6qLdfOtDfm +kGCby3a9AgMBAAECggEAPkL2xAkM6D//4+W8SuBdBvHw8lBMap55I6tFVItQUAry +pu+ByUXE7M6V3kFV4zt/eyEobN4H+wi21A1tlHQTdLXyDBd+PNQ41UdQU8BzPmWp +iEP7w5/SP7+i6CUt59CK5Ti7wB9JRM2df0/+0bE/AgH8ieuenWqSKBZP5iotGqu1 +1rcidAZ2a5fFzaYF2ezK24m0jPKDTiQeAEu258yT4xofwlro2p9EJUFIyMdbbOLZ +uF8lQx3b7zT1stmV0e/h6qpxTF2O0D5qjFHDPyt/t//UmYPUZd9A5+pKIyOj7sQ4 +m6je2RrGKaT3i2+2budpcWdAs57dlKnuElmPTRMS0QKBgQD5AbiKF5u38NVFf2Jd +PsPPSjUOs6VkWCAtUo+TUeOp6KWWS0SGLPQNcjATBfMF140OEZVQXvTZ8fcG+bq4 +tu0hBgihtSth5HCp31OjVDub+R4Rng+eMAo/uInUdClTa323DoftFZdo6HD1rSJa +/RdJ8BFGsJE+q2lFAcBxnSEwtwKBgQDqXAd85i5C8WCqmO0iyFQ2RbmcJb3VAaCA +X42rjTxnOryu4ft7zmiygH5rdZeL43jt38INELf6x0XaiGTnP6xcEizSLcJrnjRf +hnmXMO+5XoVlVw5TpPI9IlpNLHti9Ati79hjY35YKpVvgM5WURKtmZRSxk2xZnXf +Ne/GKzH4KwKBgQCb9Rb27rhqKZ36TEF4c3JCp5C5p4zEX2mv2VDxjU2RQpRLoNLH +Uup8bXNsxsIie5HuKNcjIoYq5yC4LrtjK7czgsrvNUB5rJFf4+9Hkd9P3mSV1jCj +/CS/Kj6xYRvtEpsHh0NdG7PcUhFF3m1xHalzdrfrVXVzEfr57JHy1t5N2wKBgGkT +qifN7KAHKZhTyL73owpSaM4h/eMrP5NPRG3OfW6rXz3qBJ+WBEtEYWo85x3Jd8bv +tEm3XUYLYr6AuP0WB2mgnIgADFPEMydBW/L19gXe42B0j+/g3NucM3C2qPvM/+30 +K8kkKtnM/gNodRsubnl3ipEyaFNJ5T+XJ1Jqu5TRAoGAP5Qlo5mS15z4ZauIfBnS +DAjFIGGsE8SG5mRpRumDuQUqKHjhjJeSLMMk50s7e0csSZZkcKucjJC+Kzz3NnTi +vbVI9wK+RKAOVaxZC/TVy/e581CE0ucIY3hmLnHNSVWC2Dd2uQ724kzSh6/BaKd7 +/3duDwAZloiYguwb4WOFWug= +-----END PRIVATE KEY----- diff --git a/keys/ca.pem b/keys/ca.pem new file mode 100644 index 0000000..e1512e4 --- /dev/null +++ b/keys/ca.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjzCCAnegAwIBAgIUZYpUQVHNHS4qmeYqjIndm0qfL6QwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI +WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y +NDExMTIwNzQ5MDVaFw0yNzA5MDIwNzQ5MDVaMFcxCzAJBgNVBAYTAlVTMRIwEAYD +VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy +T3JnMQ8wDQYDVQQDDAZZb3VyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDj9RaVE/qG2WMx6FGzLkdiUtVxHY7Fv2kBQ7CYLdW3DQZDMQlV+a51yBcQ ++p/mnrruj6PBKjsNdBlagTIyeuDysN2Ikw32ifL6c/sfwsZDDyik8tfHMBSWmFJ9 +K2Ra0nHsfLl58282C1wdti03qb4Hrg8oj9NHd9eJIZSD8sZZCFwbZ3zwh7ZhIGQS +wk6LDOCrK7VMeV3bmoYOswBWc3hG/sV/jSsUBSYRw+slyluPLappfNvWk9FrvEsN +TBWEJz6pSkaBJXQB8now8nbFrjTXfTOznxZpUXq5/FvxC1P0cmGsBQxeOJUlQu/a +sZ7Oyn5xWA6qLdfOtDfmkGCby3a9AgMBAAGjUzBRMB0GA1UdDgQWBBTbW+YSpuO7 +G1gTQqIyqUhPvKl7CDAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7CDAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCfInNclCK6wBmAK4yz +X6rWzcTPu1diEpdK73BLKyeHBHKyiNwQMOrzB7c7XO/h8lwcxFYNl7YpFPbbCr// +sLH0PmwM40At++zVtMl1VTCTeEHeEP+DTXWn8fZZ7ayg2+mSC5wr35V86rTODys3 +6GqWPOKacGIPlUJoByjIH/Z/Z8tezhtlOlLSp69ge2BMKAcGFl/OCT7WE4XUf3Nq +o1mwjxlss9TQgeN+oDEM7RTyJebYxiCW6Q9LcAefMSOjfoHyeKKHaMK51aA4ezKW +bM7AbUv4sNd3o8Wk0kEDjVNfqQeDqiKHir468UVqZuckXToeDgqMQiJ+bAtb+kwQ +vA0T +-----END CERTIFICATE----- diff --git a/keys/ca.srl b/keys/ca.srl new file mode 100644 index 0000000..9c39350 --- /dev/null +++ b/keys/ca.srl @@ -0,0 +1 @@ +5D7525ED04BB4002114F8199CB0C6C6C2DAFC0B9 diff --git a/keys/client.crt b/keys/client.crt new file mode 100644 index 0000000..1998c53 --- /dev/null +++ b/keys/client.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfjCCAmagAwIBAgIUXXUl7QS7QAIRT4GZywxsbC2vwLkwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI +WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y +NDExMTIwNzQ5MDZaFw0yNTExMTIwNzQ5MDZaMFcxCzAJBgNVBAYTAlVTMRIwEAYD +VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy +T3JnMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC8QJ6jSkHaHA13txsZokZxd/h0ITuOWeTCwTsETUT6f4qPdEYovWrSpUzH +Zf8O1DvPkJNpRClKn577kKqD3MPlTo6lbFYdiEU/fB1OOVOTQDrp+RHkJxWGUjIf +iR6p5XgB7dGe+F40vXvcYacxE1VqkxkCkE8KwPRMG4HDXyG7l0DMWg3UmqyH+Xrt +wQkO4/CKQB8wjoIGUvbKmmCy7oybogyj79wRXJ/87WWJlIUx04J9r7Sv10ld7O1o +4e+T7FuTs0e4MIdcbAC/WyIUONnBatVrTdVLxcWF4o49kkJsAyAt+Znz5n7w7O1H +qPmXi8mFQgOLVjd00e/EmJfCw2HHAgMBAAGjQjBAMB0GA1UdDgQWBBRuzoPzreMR +pQZcPLcVNbFT0q+tVDAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7CDAN +BgkqhkiG9w0BAQsFAAOCAQEAhJN1+zYuceZxbPUeN3b8NtYALarLY+hXDVRANo33 +ZpjOocaR/P9EyCpYCgtMM6pmB1iSkMCgyD4tnZ1i1hrYYkwcx89X3IuEum9U3BJF +P74eW+UO6PtHfxeAPCpzPrWyPkvv1A7yL4mwP2LjYq7MyvMrTcQpFRQNfUY+nKsa +I4i68gERLRj5aYNg/QgkXD28rMnTXj9p33St1F5b9wiU9XW18hz4lR4s78FTkNMS ++oEHdmSzjyrIAXRcJkGicdi8n0ckYwe7VuTpDVg6qQUomMZMA0ktV4DsCMd42UU9 +NW2dNm27ny+U3DI6U4TPWOv4+/a37le9eIpwvOx0q+xjvQ== +-----END CERTIFICATE----- diff --git a/keys/client.csr b/keys/client.csr new file mode 100644 index 0000000..51939ec --- /dev/null +++ b/keys/client.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBmNs +aWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALxAnqNKQdocDXe3 +GxmiRnF3+HQhO45Z5MLBOwRNRPp/io90Rii9atKlTMdl/w7UO8+Qk2lEKUqfnvuQ +qoPcw+VOjqVsVh2IRT98HU45U5NAOun5EeQnFYZSMh+JHqnleAHt0Z74XjS9e9xh +pzETVWqTGQKQTwrA9EwbgcNfIbuXQMxaDdSarIf5eu3BCQ7j8IpAHzCOggZS9sqa +YLLujJuiDKPv3BFcn/ztZYmUhTHTgn2vtK/XSV3s7Wjh75PsW5OzR7gwh1xsAL9b +IhQ42cFq1WtN1UvFxYXijj2SQmwDIC35mfPmfvDs7Ueo+ZeLyYVCA4tWN3TR78SY +l8LDYccCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAM146JcUP3Yz3mApBFPKE2 +94EjzIA0GU9kU4+75D7oR1rpOQ4OVZW2myNKhetPEtwwMaB9grxwxlODR3rTw0jq +iLzIhJw5eOx8Hjdnv7BnpU4HAU2Z+OKN6IlbetbBfga0WNvfNn9efZWrSiavTE5C +tN/oUrqoJFWp2m/5XuwmxSFSoFF47yREP3wNN9+7ciGne77SHxDG1347lXTCsMYU +4COcvpjHLDJkOq6DXdlXKpdCD/X16eE/n6UNTIkp3ops2Yj6KYrohsWMNQvzwKlB +TGMib7DwXADNC9aVHaGc3sW7Ngt5W6MibNaWGnLdtZu/o+xhuyBEjZoofDrV3o/X +-----END CERTIFICATE REQUEST----- diff --git a/keys/client.key b/keys/client.key new file mode 100644 index 0000000..6743847 --- /dev/null +++ b/keys/client.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8QJ6jSkHaHA13 +txsZokZxd/h0ITuOWeTCwTsETUT6f4qPdEYovWrSpUzHZf8O1DvPkJNpRClKn577 +kKqD3MPlTo6lbFYdiEU/fB1OOVOTQDrp+RHkJxWGUjIfiR6p5XgB7dGe+F40vXvc +YacxE1VqkxkCkE8KwPRMG4HDXyG7l0DMWg3UmqyH+XrtwQkO4/CKQB8wjoIGUvbK +mmCy7oybogyj79wRXJ/87WWJlIUx04J9r7Sv10ld7O1o4e+T7FuTs0e4MIdcbAC/ +WyIUONnBatVrTdVLxcWF4o49kkJsAyAt+Znz5n7w7O1HqPmXi8mFQgOLVjd00e/E +mJfCw2HHAgMBAAECggEAQ+o+MSPbkQ/4zd1J0hwotMv23xKUNV15+ccTfxBPV94G +g42LuCvp63fGNNO3ykZIE7CRdfMowGrIxPIiijLtm38VWFm20a21adthiTSGUcPk +3T9FtJ1jFxP1UEo8PUfzXSLKssLg3b8UfePfGQXkFXBfH/0m/vawy/pKfM0H0vB2 +e1nyc265mswgvMIWP7e/jkQIzJiG8loE5T8T7oG/DyXyVClXCLG00VtUUIXAoeYP +yiTOegnE6MF8G6+lwjCvVpNHdzLF/az3QzgKgoaPJLN11trbjldbhMeCIMmTwIAQ +NsQio6u5bdE8bqLf3zrhPKqE5n//6+MFgw6w1yu0HQKBgQDfsjjb7opq5JuSKzCp +CXi1Yzr2WQbbyuUJ2YND+KU/QNTB2aanxKtQ4BDiPLx4VFGCFc3qBYuRDgEv5Hrb +UQk+E1qE9RpnC/A73BehzAvZozrgjdleyE7WVv/t8alrnlyECxv+RdeY5y99hyED +L+oxK7s60CxR7Bqwy42MKYtvdQKBgQDXcBWk5LlyTrnKf5ZCfycJWIRgZXr0IcTC +afPZvK1irNjk4W2LcF3bH1mg0q0xfjlFby2+ygSHnB149KNDr/8aoRZ61G3zkf7o +MxuYCAWoKzII8lgutteOFgfK5OT7603OS+MkWiWEIqWY2so14qPFlMLPoMXQP5fI +SUy/aCoAywKBgQDVnCS7sAAxrvf4DpI6+LZxz74gPEdWX1tzmmfE4o0557jDHAoO +rrlBU5YL1B/NcAcdh6DIVl8+NvdfOnkvMST4SBbqW/vIZxgSsUtHz8eJHlw8znfC +ENlnyFBAccJs6B5EYS9sElmcwzcQUZduqbSjG7WApgWMfT/Hj7ktHQbveQKBgCgW +mEB1uzhVA+d1dF1tUbNAgGl7mLSC8B0JIDIdFNputXFprTusLhrPK5tseIPkK/4K +oSWGa+9cEnPmedbnkf2/ifJTQx52xUsp73GL1JmlaAsYJWaT6WpsGQkdLKrf7zt7 +DYo/KAn9dHkMBWKfiMAEXXfLP+PvYWwIj7pyRJafAoGAVK38BToOMnGJKiToLsnQ +xV6RMnF/lkoCWt+CBhQ6j4S4SZV/qBuJ75bWcXlJkj2JePsAHDkzTl40hR66dB03 +ShVyMafj+4CJlLv52snhoonWnZB62PyHAdFjahYpEPXxEqMhk8+cYhEo7wjbYzv+ +hwq9+NrsKo0Le+TSKfx0qpw= +-----END PRIVATE KEY----- diff --git a/keys/server.crt b/keys/server.crt new file mode 100644 index 0000000..e52661c --- /dev/null +++ b/keys/server.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAmmgAwIBAgIUXXUl7QS7QAIRT4GZywxsbC2vwLgwDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI +WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y +NDExMTIwNzQ5MDZaFw0yNTExMTIwNzQ5MDZaMFoxCzAJBgNVBAYTAlVTMRIwEAYD +VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy +T3JnMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDHEVL5OtqgU5zy1cS8Ppbmb5x18flXIDHkViDUmcvckhtedr+NoZ7X +G04PzU8s0oA9nz/DsPGRDE1QkLIKt3UX2h4UjfSeoZHkTf+nNwLgmMLr6eJ2iq/M ++4l9A3gq8nMXVAgFeHwAiT7KK/S/NMl7mQE9K2i6xhyVhtKkNiHUM99RwIYorMlj +/oQ/XAgJRUheqidOMxpGi2REAfLUkVjU1HhD3+1FOfo+VGc4Tk7W93QOysrgcDcc +xuJSSLevlwn9N1SdDGYzHNPyAwRJwp2VtmBt7ef9TCJirp1I/r3bn9rG5KiIkH7c +IezNVD7S89E8+/DAUFG8qynWcjCh9Hv3AgMBAAGjQjBAMB0GA1UdDgQWBBRB5rzo +M3A4qowzysRedTT/FPaaXzAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7 +CDANBgkqhkiG9w0BAQsFAAOCAQEAotcKajxy8Q4v5KZLx0Nk1kq+s885ZLwEWXIU +P4YDbddTCWKkhrJPpZmgUVbX3ghaihbkoUBIGyRmlSS8TAhbLmkZnEeGYp9xYCKY +BfBuYvaBqoy2/XoaW6dD5sQhOEG0tKySWiZwwy8QUGaaeGS+XKmN7OVQRpynI3d/ +AvnYxP7jZobzKWzMBYPMXmAuGj5U+RxyZYA+92oNTIJ849E8GXzY9pN2jiBN723E +Ng3L+93DhhGG0J4HtIwM9K7J39CErq9kOmdPvWc0FTV2nhIMVX6tLxxBrMpDrfTP +cjVGe3F3j9/7gWzTeTbWmX9ctl72VHNK5KQgNw9KJ6y25IzuEA== +-----END CERTIFICATE----- diff --git a/keys/server.csr b/keys/server.csr new file mode 100644 index 0000000..f360791 --- /dev/null +++ b/keys/server.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxEjAQBgNVBAMMCWxv +Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcRUvk62qBT +nPLVxLw+luZvnHXx+VcgMeRWINSZy9ySG152v42hntcbTg/NTyzSgD2fP8Ow8ZEM +TVCQsgq3dRfaHhSN9J6hkeRN/6c3AuCYwuvp4naKr8z7iX0DeCrycxdUCAV4fACJ +Psor9L80yXuZAT0raLrGHJWG0qQ2IdQz31HAhiisyWP+hD9cCAlFSF6qJ04zGkaL +ZEQB8tSRWNTUeEPf7UU5+j5UZzhOTtb3dA7KyuBwNxzG4lJIt6+XCf03VJ0MZjMc +0/IDBEnCnZW2YG3t5/1MImKunUj+vduf2sbkqIiQftwh7M1UPtLz0Tz78MBQUbyr +KdZyMKH0e/cCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCHq5i2D3EvMXH1dEei +Lin++lTSj9GKY3cD6ig42C4pHepkHM3dGDmGP0MI7eh3BDTXYt2xvyVW25Q/nj4V +HQoXcY8WlTvdXYc8ZzmyJIMSOWQCIGP9lPIairEJiigi3Wbg5MZr1k/wDV0bDgTY +iaA+OYedAkVUzNYdcUVSG70frMj542C6dXR/oe8OOb7FjD2hkrb+L1yY2hkoMGc/ +MdCy5vX7RA4xlzku1PM10iQTyBpVwAhcuoe2BF5xSTEBkawVLNiYX1ypfGaQVFjo +QCducJcNNIfZXKHTQVsDhO34hVQSpD4EM3eDx9NIeH4qjXBr9o55/LopfXKi9zmN +R9fb +-----END CERTIFICATE REQUEST----- diff --git a/keys/server.key b/keys/server.key new file mode 100644 index 0000000..c4a0abf --- /dev/null +++ b/keys/server.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHEVL5OtqgU5zy +1cS8Ppbmb5x18flXIDHkViDUmcvckhtedr+NoZ7XG04PzU8s0oA9nz/DsPGRDE1Q +kLIKt3UX2h4UjfSeoZHkTf+nNwLgmMLr6eJ2iq/M+4l9A3gq8nMXVAgFeHwAiT7K +K/S/NMl7mQE9K2i6xhyVhtKkNiHUM99RwIYorMlj/oQ/XAgJRUheqidOMxpGi2RE +AfLUkVjU1HhD3+1FOfo+VGc4Tk7W93QOysrgcDccxuJSSLevlwn9N1SdDGYzHNPy +AwRJwp2VtmBt7ef9TCJirp1I/r3bn9rG5KiIkH7cIezNVD7S89E8+/DAUFG8qynW +cjCh9Hv3AgMBAAECggEAHKjAAdVOdr44PnZhNwVpyIOGtSz2Npa80sCa7xC0mqzx +l3AlfsNRxhU5GqmhEvURSmMxamqAigneiFFJ7foLN7kKve8mqb8ywk7VFg1OSD3Q +njyTV86lUFphqRJaoWWQr+nvUl5ODUO1EE/eEg22+NOGgU3NFkqsVdNNuHTPT6iQ +0dULUDVRzlOG/eqvb73K5gZ9Mf3Q6+GB4QHDzMt+LPpxcBCw6tmas5DlstsUwC0s +kOfWTRyezYPAmJb0jhAkzxmaeMlFPfzOygxA+F2GRv2aZlwLBAyQH3iFktqUYYnI +EUqeK5VXxwq1hzBpSOJC2A/QbpRbhF/C/zL6UuOZhQKBgQD50xaVU4+RAqlEireI +1Jq1Nmd2bH2K/XYN2tvSSRuz2CgF1nhJoKVPuzkSy669WV/B84aARnu1SbNr99Tb +MT/DSlHP5RrdL3Zi4mlUSzpfX8269U42RcynzsOv/mV4+qCMa1tp0NOuErmcVU1Y +JsXxinRsBoI7BvrEXcf004dAlQKBgQDL/Qq1otDcHwDEgLljbtwAgscXe+BAJxHz +1n05KVFXibgI7BnrJkqwFCeU/QUEvPQe40JAOFWZRJQ3fdT/Eszc7fiSk8PFWZrM +fhG9Sl4m7QneXVbNL5yPa1B/EaARhLFImn38bEbwAX/1XE29hKC0wqs/ZolWNi+J +1aPLJYmrWwKBgDNY3YVnnVRytZOu5zYqbHnearl+ZvdQTRlf6Fp6SEVYojFA+Yw4 +hoGyu3JPhuTIH9RfVz+6PObv9P61+3vpzW84MUSHlFPt02lTm86Ff8PmjwRkMuUY +x42eA76CjRymdqUl064WC8v1cUzeg30gywJwMKmbVN0I/DWsCNMbPutZAoGBALdy +14DF7cMn9o7BnPe5KQ0kj1ulQeUvvctmJ7OSXt60sdcETcLV6vEzDu3EJhE+xORK +SLhscT6nGAxXk4fZJnfBY3yeer8ueDJTZiyvhsDHB8r8ciWRHeE1B21fMm7OwIik +t4yc66bIEoVb/2XisowdTdh0pCnuDQ6OHQGCvq5lAoGBAJxi8gJ8roDgj3wQVN5R +gwTCXae+aYAsVl7+FX4YTjIzryNDvCdNH/9+0fO6pFWQRcKbcT+zspb5DVkH++vT +rNEGwzoJ+Z0Q/6CtqQbYOAG2eWYqhJ1WBV2n/yjLSk62n8iEZ3kIM7QETpd4Ti5f +1uHlMIURqgpCfg1/PUmSbaQO +-----END PRIVATE KEY----- diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index fc11627..0000000 --- a/nginx.conf +++ /dev/null @@ -1,63 +0,0 @@ - -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - 'ssl_protocol:$ssl_protocol ssl_cipher:$ssl_cipher ' - 'ssl_client_verify:$ssl_client_verify ' - 'ssl_client_s_dn:$ssl_client_s_dn'; - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - -# include /etc/nginx/conf.d/*.conf; - - server { - location / { - return 301 https://$host$request_uri; - #root /data/www; - #autoindex on; - #autoindex_exact_size off; - } - } - server { - listen 443 ssl; - server_name localhost; - - ssl_certificate /home/x/auths1/server.crt; - ssl_certificate_key /home/x/auths1/server.key; - ssl_client_certificate /home/x/auths1/ca.pem; - ssl_verify_client on; - - location / { - proxy_pass http://localhost:5000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - } - } - -} @@ -0,0 +1,71 @@ +import time +from typing import Dict, List +import random +import string + +class customstore: + def __init__(self, ttl=300, maxsize=200): + self.store: Dict[str, List] = {} # key -> [expiry_time, verified_status] + self.ttl = ttl + #self.maxsize = maxsize, now dont need this + + def create(self): + self.clean() + keylength = 4 + key_added = False + while not key_added: + current_time = int(time.time()) + key = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(keylength)) + if key not in self.store: + self.store[key] = [current_time + self.ttl, False] + key_added = True + return key + + def authenticate(self, key): + current_time = int(time.time()) + if key in self.store and current_time <= self.store[key][0]: + self.store[key][1] = True + return True + else: + return False + + def check(self, key): + current_time = int(time.time()) + if key in self.store and current_time <= self.store[key][0] and self.store[key][1] == True: + return True + else: + return False + + def clean(self): + current_time = int(time.time()) + expired_keys = [k for k, [expiry_time, _] in self.store.items() if current_time > expiry_time] + for key in expired_keys: + self.store.pop(key, None) + return + +if __name__ == "__main__": + s1 = customstore(ttl=7) + + # Create and verify first key + k = s1.create() + print("Store state:", s1.store) + print("Created key:", k) + print("First verification:", "yeppy" if s1.authenticate(k) else "nopey") + print("Second verification:", "yeppy" if s1.check(k) else "nopey") + # Wait and try again + time.sleep(5) + k2 = s1.create() + print("\nStore state after 5 seconds:", s1.store) + print("First key:", k) + print("First key verification:", "yeppy" if s1.check(k) else "nopey") + + # Wait and try again + time.sleep(5) + print("\nStore state after 5 seconds:", s1.store) + print("First key:", k) + print("First key verification:", "yeppy" if s1.check(k) else "nopey") + k = s1.create() + print("Store state:", s1.store) + print("Created key:", k) + print("First verification:", "yeppy" if s1.authenticate(k) else "nopey") + print("Second verification:", "yeppy" if s1.check(k) else "nopey") diff --git a/untested-docs/gunicorn1.service b/untested-docs/gunicorn1.service new file mode 100644 index 0000000..f0b1b60 --- /dev/null +++ b/untested-docs/gunicorn1.service @@ -0,0 +1,71 @@ +<!DOCTYPE html> +<html lang='en'> +<head> +<title>gunicorn1.service - authserver - 2fa server using pkcs11 on nitrokey hsm2 and yubikey +</title> +<meta name='generator' content='cgit v1.2.3'/> +<meta name='robots' content='index, nofollow'/> +<link rel='stylesheet' type='text/css' href='/assets/cgit.css'/> +<link rel='shortcut icon' href='/favicon.ico'/> +<link rel='alternate' title='Atom feed' href='https://git.0nom.ch/authserver/atom/gunicorn1.service?h=main' type='application/atom+xml'/> +<link rel='vcs-git' href='https://git.0nom.ch/authserver' title='authserver Git repository'/> +</head> +<body> +<div id='cgit'><table id='header'> +<tr> +<td class='logo' rowspan='2'><a href='/'><img src='/assets/cgit.png' alt='cgit logo'/></a></td> +<td class='main'><a href='/'>index</a> : <a title='authserver' href='/authserver/'>authserver</a></td><td class='form'><form method='get'> +<select name='h' onchange='this.form.submit();'> +<option value='main' selected='selected'>main</option> +</select> <input type='submit' value='switch'/></form></td></tr> +<tr><td class='sub'>2fa server using pkcs11 on nitrokey hsm2 and yubikey +</td><td class='sub right'>root</td></tr></table> +<table class='tabs'><tr><td> +<a href='/authserver/'>summary</a><a href='/authserver/refs/'>refs</a><a href='/authserver/log/gunicorn1.service'>log</a><a class='active' href='/authserver/tree/gunicorn1.service'>tree</a><a href='/authserver/commit/gunicorn1.service'>commit</a><a href='/authserver/diff/gunicorn1.service'>diff</a></td><td class='form'><form class='right' method='get' action='/authserver/log/gunicorn1.service'> +<select name='qt'> +<option value='grep'>log msg</option> +<option value='author'>author</option> +<option value='committer'>committer</option> +<option value='range'>range</option> +</select> +<input class='txt' type='search' size='10' name='q' value=''/> +<input type='submit' value='search'/> +</form> +</td></tr></table> +<div class='path'>path: <a href='/authserver/tree/'>root</a>/<a href='/authserver/tree/gunicorn1.service'>gunicorn1.service</a></div><div class='content'>blob: 425c45395070686ed7654b9ccb9b677e5c1eb60d (<a href='/authserver/plain/gunicorn1.service'>plain</a>) +<table summary='blob content' class='blob'> +<tr><td class='linenumbers'><pre><a id='n1' href='#n1'>1</a> +<a id='n2' href='#n2'>2</a> +<a id='n3' href='#n3'>3</a> +<a id='n4' href='#n4'>4</a> +<a id='n5' href='#n5'>5</a> +<a id='n6' href='#n6'>6</a> +<a id='n7' href='#n7'>7</a> +<a id='n8' href='#n8'>8</a> +<a id='n9' href='#n9'>9</a> +<a id='n10' href='#n10'>10</a> +<a id='n11' href='#n11'>11</a> +<a id='n12' href='#n12'>12</a> +<a id='n13' href='#n13'>13</a> +<a id='n14' href='#n14'>14</a> +</pre></td> +<td class='lines'><pre><code> +[Unit] +Description=gunicorn1 +After=network.target + +[Service] +User=www-data +Group=www-data +WorkingDirectory=/var/www +ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app + +[Install] +WantedBy=multi-user.target + +</code></pre></td></tr></table> +</div> <!-- class=content --> +<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit v1.2.3</a> (<a href='https://git-scm.com/'>git 2.25.1</a>) at 2024-11-12 08:12:47 +0000</div> +</div> <!-- id=cgit --> +</body> +</html> |