
568ad52b84e681ed2551cd8b2196dd4636cb629c — terrorbyte 1 year, 11 months ago 7695551
Add the basic shell script based CA. Needs a ton of testing
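--- a/ssh/add_host.sh
+++ b/ssh/add_host.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+mkdir -pm 755 "/etc/ssh/host/$1/"
+mkdir -pm 755 "/home/ca/incoming"
+mkdir -pm 755 "/home/ca/outgoing"
+cp "/home/ca/incoming/$1.pub" "/etc/ssh/host/$1/ssh_host_ed25519.pub" 
+ssh-keygen \
+   -s "/etc/ssh/ca/ssh_ca_ed25519" \
+   -h \
+   -I "$1" \
+   -z "$(bc -e "$(cat /etc/ssh/ca/serial)+1" -e quit)" \
+   -f "/etc/ssh/host/$1/ssh_host_ed25519-cert.pub" \
+   -n "$1" \
+   "/etc/ssh/host/$1/ssh_host_ed25519.pub"
+ssh-keygen -L -f "/etc/ssh/host/$1/ssh_host_ed25519-cert.pub"
+printf "$(bc -e "$(cat /etc/ssh/ca/serial)+1" -e quit)" > /etc/ssh/ca/serial 
+cp "/etc/ssh/host/$1/ssh_host_ed25519-cert.pub" "/home/ca/outgoing/$1-cert.pub"
+cp "/etc/ssh/ca/ssh_ca_ed25519.pub" "/home/ca/outgoing/"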
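Review bot: `$1` is used unvalidated as a path component, as the key identity (`-I`) and as the principal (`-n`) on every line, and there is no `set -e`, so an empty or slash-containing argument creates directories and writes files outside `/etc/ssh/host/`, and a failed `cp` still proceeds to sign whatever is already there. The serial is read and recomputed twice (`bc -e "$(cat /etc/ssh/ca/serial)+1"`) and only written back after signing, so an abort between the two steps leaves the next certificate reusing the same serial, which undermines serial-based KRL revocation; `bc -e` also looks like the BSD bc flag (GNU bc has no `-e`), whereas POSIX `$(( ))` needs no external tool. Without `-V` the host certificate is valid forever, so revocation becomes the only way to retire it. All three points apply unchanged to add_user.sh and add_user_restricted.sh. The head of the script and the signing call would become the following (the 52-week validity is an example value):
```sh
#!/bin/sh
set -eu
# Refuse empty, slash-containing or ".." names: $1 becomes a path component below.
case "${1:-}" in
    ""|*/*|*..*) echo "usage: $0 <hostname>" >&2; exit 1 ;;
esac
# Reserve the serial before signing so an aborted run never hands the number out twice.
SERIAL="$(( $(cat /etc/ssh/ca/serial) + 1 ))"
printf '%s\n' "$SERIAL" > /etc/ssh/ca/serial
# … unchanged: mkdir of host/incoming/outgoing and cp of the incoming public key …
ssh-keygen \
   -s "/etc/ssh/ca/ssh_ca_ed25519" \
   -h \
   -I "$1" \
   -z "$SERIAL" \
   -V "-5m:+52w" \
   -f "/etc/ssh/host/$1/ssh_host_ed25519-cert.pub" \
   -n "$1" \
   "/etc/ssh/host/$1/ssh_host_ed25519.pub"
# … unchanged: ssh-keygen -L and the copies into /home/ca/outgoing …
```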

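--- a/ssh/add_principal.sh
+++ b/ssh/add_principal.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+mkdir -pm 755 "/etc/ssh/ca/"
+mkdir -pm 755 "/etc/ssh/principals/"
+touch "/etc/ssh/principals/$1"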
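Review bot: `touch "/etc/ssh/principals/$1"` takes `$1` straight from the command line with no check, so an empty or slash-containing argument creates a file outside the principals directory; a guard such as `case "${1:-}" in ""|*/*|*..*) echo "usage: $0 <principal>" >&2; exit 1 ;; esac` placed before the `mkdir` lines covers it. The script also only creates an empty file, which, if this directory is what sshd's AuthorizedPrincipalsFile points at, authorises nobody, so a one-line header comment stating how the file is meant to be populated afterwards would help the next reader. The first two lines duplicate setup_host.sh; one script could simply `exec` the other.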

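--- a/ssh/add_user.sh
+++ b/ssh/add_user.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+mkdir -pm 755 "/home/ca/incoming"
+mkdir -pm 755 "/home/ca/outgoing"
+export USER="$(printf "$1" | cut -d@ -f1)"
+mkdir -pm 755 "/etc/ssh/user/$USER/"
+cp "/home/ca/incoming/$USER.pub" "/etc/ssh/user/$USER/ssh_ed25519.pub" 
+ssh-keygen \
+   -s "/etc/ssh/ca/ssh_ca_ed25519" \
+   -I "$1" \
+   -z "$(bc -e "$(cat /etc/ssh/ca/serial)+1" -e quit)" \
+   -f "/etc/ssh/user/$USER/ssh_ed25519-cert.pub" \
+   -n "$USER" \
+   "/etc/ssh/user/$USER/ssh_ed25519.pub"
+ssh-keygen -L -f "/etc/ssh/user/$USER/ssh_ed25519-cert.pub"
+cp "/etc/ssh/user/$USER/ssh_ed25519-cert.pub" "/home/ca/outgoing/$USER-cert.pub"
+cp "/etc/ssh/ca/ssh_ca_ed25519.pub" "/home/ca/outgoing/"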
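Review bot: `export USER="$(printf "$1" | cut -d@ -f1)"` passes the argument as printf's format string, so a `%` in the e-mail address is interpreted rather than printed, and it overwrites the login shell's exported `USER` for every child process; `PRINCIPAL="$(printf '%s' "$1" | cut -d@ -f1)"` (not exported, then used in place of `$USER` below) avoids both. The signing call has no `-V`, so user certificates issued here never expire and can only be withdrawn through a KRL; user certificates are where a short validity such as `-V -5m:+1d` (example value) matters most. `-I "$1"` records the full address while `-n "$USER"` uses only the local part, which is reasonable but worth a comment, since the principal is what sshd matches against. Argument validation and the serial handling are raised on add_host.sh and apply here unchanged.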

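--- a/ssh/add_user_restricted.sh
+++ b/ssh/add_user_restricted.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+mkdir -pm 755 "/home/ca/incoming"
+mkdir -pm 755 "/home/ca/outgoing"
+export USER="$(printf "$1" | cut -d@ -f1)"
+mkdir -pm 755 "/etc/ssh/user/$USER/"
+cp "/home/ca/incoming/$USER.pub" "/etc/ssh/user/$USER/ssh_ed25519.pub" 
+ssh-keygen \
+   -s "/etc/ssh/ca/ssh_ca_ed25519" \
+   -I "$1" \
+   -z "$(bc -e "$(cat /etc/ssh/ca/serial)+1" -e quit)" \
+   -f "/etc/ssh/user/$USER/ssh_ed25519-cert.pub" \
+   -n "$USER" \
+   -O no-agent-forwarding -O no-port-forwarding -O no-user-rc -O no-x11-forwarding \
+   "/etc/ssh/user/$USER/ssh_ed25519.pub"
+ssh-keygen -L -f "/etc/ssh/user/$USER/ssh_ed25519-cert.pub"
+cp "/etc/ssh/user/$USER/ssh_ed25519-cert.pub" "/home/ca/outgoing/$USER-cert.pub"
+cp "/etc/ssh/ca/ssh_ca_ed25519.pub" "/home/ca/outgoing/"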
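Review bot: This file repeats add_user.sh line for line except for the `-O` line, so every fix to validation, serial handling or validity has to be made twice and the two copies will drift. A thin wrapper keeps one implementation: let add_user.sh append `${CERT_OPTS:-}` (unquoted, so it word-splits into flags) to its ssh-keygen call, and reduce this script to `CERT_OPTS="-O no-agent-forwarding -O no-port-forwarding -O no-user-rc -O no-x11-forwarding" exec "$(dirname "$0")/add_user.sh" "$1"`. If the intent is a fully locked-down certificate, a comment should say whether `-O no-pty` and `-O force-command=...` were left out on purpose; the `ssh-keygen -L` output already shows which extensions remain enabled.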

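--- a/ssh/gen_host.sh
+++ b/ssh/gen_host.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+SERIAL="$(cat /etc/ssh/ca/serial)"
+ssh-keygen -s /etc/ssh/ca/ssh_ca_ed25519 \
+   -h \
+   -I "$1" \
+   -n "$1" \
+   -V always:forever \
+   -z "$(bc -e "$SERIAL+1" -e exit)" \
+   /etc/ssh/ca/host/$1/ssh/ssh_host_ed25519.pub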
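Review bot: The script computes `$SERIAL+1` for `-z` but never writes it back to /etc/ssh/ca/serial, so every run signs with the same serial number and serials stop being unique for KRL purposes; add_host.sh does persist the serial, and it is unclear whether this script is a leftover or meant to be used beside it. The final argument `/etc/ssh/ca/host/$1/ssh/ssh_host_ed25519.pub` is unquoted and points at a different tree than the `/etc/ssh/host/$1/` add_host.sh writes to. `-V always:forever` makes the host certificate permanent, and `-e exit` differs from the `-e quit` the other scripts pass to bc; whether `exit` is accepted depends on the bc implementation. Quoting the path, using `-z "$((SERIAL + 1))"`, and adding `printf '%s\n' "$((SERIAL + 1))" > /etc/ssh/ca/serial` after a successful signing would bring it in line.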

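--- a/ssh/setup_host.sh
+++ b/ssh/setup_host.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+mkdir -pm 755 "/etc/ssh/ca/"
+mkdir -pm 755 "/etc/ssh/principals/"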
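Review bot: Nothing says which machine this script is meant for, and it creates exactly the two directories add_principal.sh also creates. If it runs on the CA, `/etc/ssh/ca/` is the directory that holds the signing key `ssh_ca_ed25519` referenced by add_host.sh, and `mkdir -pm 700 "/etc/ssh/ca/"` would be the tighter choice; if it runs on a managed host that only stores the CA public key, 755 is fine. A header comment such as `# Run once on each managed host: creates the directories used by TrustedUserCAKeys and AuthorizedPrincipalsFile` would settle the question.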

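--- a/ssl/index.txt
+++ b/ssl/index.txt
@@ -0,0 +1,1 @@
+V	290620192940Z		1000	unknown	/C=HX/ST=Cyberspace/O=Hosaka Corporation/OU=Crypto Munitions Bureau/CN=Hosaka Corp Intermediate CA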

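--- a/ssl/index.txt.attr
+++ b/ssl/index.txt.attr
@@ -0,0 +1,1 @@
+unique_subject = yes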

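--- a/ssl/intermediate/crlnumber
+++ b/ssl/intermediate/crlnumber
@@ -0,0 +1,1 @@
+1000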

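--- a/ssl/intermediate/index.txt
+++ b/ssl/intermediate/index.txt
@@ -0,0 +1,2 @@
+V	200627195121Z		1000	unknown	/C=HX/ST=Cyberspace/L=NULL/O=Hosaka Corporation/OU=Crypto Munitions Bureau/CN=ashpool.hosakacorp.net
+V	200627205030Z		1001	unknown	/C=HX/ST=Cyberspace/L=NULL/O=Hosaka Corporation/OU=Crypto Munitions Bureau/CN=perhonen.hosakacorp.net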

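--- a/ssl/intermediate/index.txt.attr
+++ b/ssl/intermediate/index.txt.attr
@@ -0,0 +1,1 @@
+unique_subject = yes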

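--- a/ssl/intermediate/openssl.cnf
+++ b/ssl/intermediate/openssl.cnf
@@ -0,0 +1,93 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /home/ca/ssl/intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+private_key = $dir/private/intermediate.key.pem
+certificate = $dir/certs/intermediate.cert.pem
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+
+countryName_default             = HX 
+stateOrProvinceName_default     = Cyberspace 
+localityName_default            = NULL
+0.organizationName_default      = Hosaka Corporation 
+organizationalUnitName_default = Crypto Munitions Bureau
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always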
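Review bot: Neither `[ usr_cert ]` nor `[ server_cert ]` sets `subjectAltName`, and `[ CA_default ]` has no `copy_extensions`, so certificates issued from this file carry the hostname only in CN (the two entries in ssl/intermediate/index.txt look like that); current browsers and most TLS libraries ignore CN and reject such a certificate unless a SAN was supplied separately at signing time. Either `copy_extensions = copy` in `[ CA_default ]` (the CSR's SAN is carried over while basicConstraints and keyUsage from the section still take precedence) or `subjectAltName = $ENV::SAN` in `[ server_cert ]` with the caller exporting SAN would make the SAN part of the configuration. Minor: `RANDFILE` and the `nsCertType`/`nsComment` keys are legacy settings, and the `crl_ext` line is the only one written without spaces around `=`. Apart from `dir`, the key and certificate file names and `policy`, this file duplicates ssl/openssl.cnf.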

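--- a/ssl/intermediate/serial
+++ b/ssl/intermediate/serial
@@ -0,0 +1,1 @@
+1002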

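--- a/ssl/notes.txt
+++ b/ssl/notes.txt
@@ -0,0 +1,11 @@
+Generating Intermediate ECC Keys
+================================
+root@ca:~ca/ssl # openssl ecparam -genkey -name secp521r1 -out intermediate/private/intermediate.key.pem.tmp
+root@ca:~ca/ssl # openssl ec -aes-256-cbc -in intermediate/private/intermediate.key.pem.tmp -out intermediate/private/intermediate.key.pem
+root@ca:~ca/ssl # openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
+
+Generating a CSR
+================
+
+Signing a CSR
+=============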

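--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
@@ -0,0 +1,93 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /home/ca/ssl
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/new
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+
+countryName_default             = HX 
+stateOrProvinceName_default     = Cyberspace 
+localityName_default            = NULL
+0.organizationName_default      = Hosaka Corporation 
+organizationalUnitName_default = Crypto Munitions Bureau
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always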
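Review bot: The root CA configuration still carries `[ usr_cert ]` and `[ server_cert ]`, so an `openssl ca -extensions server_cert` run against /home/ca/ssl would issue a leaf certificate directly from the root and bypass the two-tier layout that ssl/intermediate/ exists for; ssl/index.txt shows only the intermediate signed so far. Dropping those two sections from this file, or at least a header comment `# Root CA: only ever sign with -extensions v3_intermediate_ca`, would keep that from happening by accident. `default_days = 375` is also the root's default, so the ten-year intermediate shown in ssl/notes.txt depends on `-days 3650` being passed every time; `default_days = 3650` here would match the documented procedure. The `nsComment` under `[ server_cert ]` differs from the intermediate file's, which is the only textual difference besides the paths and `policy`.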

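--- a/ssl/serial
+++ b/ssl/serial
@@ -0,0 +1,1 @@
+1001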

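--- a/ssl/serial.old
+++ b/ssl/serial.old
@@ -0,0 +1,1 @@
+1000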