misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New stories, tooling

Browse Source
This commit is contained in:
Ian Gulliver
2019-04-14 23:49:51 +00:00
parent 5796878203
commit 7d9e90b36d
13 changed files with 785 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
markdown/2016-03-21-elliptic-curve-certificate-authority.md Normal file
View File

@@ -0,0 +1,264 @@
<!--# set var="title" value="Elliptic Curve Certificate Authority" -->
<!--# set var="date" value="March 21, 2016" -->
<!--# include file="include/top.html" -->
Notes from setting up a two-level (root and intermediate) CA using EC certs, combined from two decent sets of instructions [here](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html) and [here](https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations). This is the CliffsNotes version; see those two docs for more detail. XXXX is used as a placeholder here; search for it and replace.
### Create directory structure
mkdir ca
cd ca
mkdir -p {root,intermediate}/{certs,crl,csr,newcerts,private}
mkdir -p {client,server}/{certs,csr,pfx,private}
touch {root,intermediate}/database
echo 1000 | tee {root,intermediate}/{serial,crlnumber}
chmod 700 {root,intermediate,client,server}/private
Create openssl.cnf
cat > openssl.cnf <<'END'
[ ca ]
default_ca = ca_intermediate
[ ca_root ]
dir = root
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/database
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/root.key.pem
certificate = $dir/certs/root.cert.pem
crl = $dir/crl/root.crl.pem
crl_extensions = ext_crl
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 3650
preserve = no
policy = policy_strict
[ ca_intermediate ]
dir = intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/database
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
crl_extensions = ext_crl
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
string_mask = utf8only
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ ext_root ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ ext_intermediate ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ ext_client ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ ext_server ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ext_crl ]
authorityKeyIdentifier = keyid:always
[ ext_ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
END
### Create a root key
openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out root/private/root.key.pem
# Create strong root key password
chmod 400 root/private/root.key.pem
### Create a self-signed root cert
openssl req -config openssl.cnf -key root/private/root.key.pem -new -extensions ext_root -out root/certs/root.cert.pem -x509 -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Root CA' -days 7300
# Enter root key password
chmod 444 root/certs/root.cert.pem
### Verify root cert
openssl x509 -noout -text -in root/certs/root.cert.pem
Check:
* Expiration date (20 years in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (384 bit)
* CA:TRUE
### Create an intermediate key
openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out intermediate/private/intermediate.key.pem
# Create strong intermediate key password
chmod 400 intermediate/private/intermediate.key.pem
### Create an intermediate certificate signing request (CSR)
openssl req -config openssl.cnf -new -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Intermediate'
# Enter intermediate key password
### Sign intermediate cert with root key
openssl ca -config openssl.cnf -name ca_root -extensions ext_intermediate -notext -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
# Enter root key password
chmod 444 intermediate/certs/intermediate.cert.pem
### Verify intermediate cert
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile root/certs/root.cert.pem intermediate/certs/intermediate.cert.pem
Check:
* Expiration date (10 years in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (384 bit)
* CA:TRUE
* OK
### Create a chain certificate file
cat intermediate/certs/intermediate.cert.pem root/certs/root.cert.pem > intermediate/certs/chain.cert.pem
chmod 444 intermediate/certs/chain.cert.pem
### Create a client key
You can substitute “server” for “client” for a server cert.
openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out client/private/test1.key.pem
# Create client key password
chmod 400 client/private/test1.key.pem
### Create a client certificate signing request (CSR)
openssl req -config openssl.cnf -new -key client/private/test1.key.pem -out client/csr/test1.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Test/CN=XXXX Test 1'
### Sign client cert with intermediate key
openssl ca -config openssl.cnf -extensions ext_client -notext -in client/csr/test1.csr.pem -out client/certs/test1.cert.pem
# Enter intermediate key password
chmod 444 client/certs/test1.cert.pem
### Verify client cert
openssl x509 -noout -text -in client/certs/test1.cert.pem
openssl verify -CAfile intermediate/certs/chain.cert.pem client/certs/test1.cert.pem
Check:
* Expiration date (1 year in future)
* Signature algorithm (ecdsa-with-SHA256)
* Public key size (384 bit)
* CA:FALSE
* OK
### Create a PKCS#12 bundle for the client
This is an easy(er) way to get all the necessary keys & certs to the client in one package.
openssl pkcs12 -export -out client/pfx/test1.pfx -inkey client/private/test1.key.pem -in client/certs/test1.cert.pem -certfile intermediate/certs/chain.cert.pem
# Enter both the client key password, and a new password for the export; you'll need to give the latter to the client
### Generate a certificate revocation list (CRL)
Initially empty. You can also do this for your root CA.
openssl ca -config openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
### Verify certificate revocation list
openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Check:
* Expiration date (30 days in future)
* Signature algorithm (ecdsa-with-SHA256)
### Revoke a certificate
Only do this if you need to. Find the certificate:
cat intermediate/database
# You'll need the hex-formatted serial number, in the third field.
# Substitute serial number for YYYY below.
Revoke it:
openssl ca -config openssl.cnf -revoke intermediate/newcerts/YYYY.pem
# Enter intermediate key password
Generate a new CRL file:
openssl ca -config openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
# Enter intermediate key password
<!--# include file="include/bottom.html" -->

96
markdown/2016-03-26-nitrokey-hsm-ec-setup.md Normal file
View File

@@ -0,0 +1,96 @@
<!--# set var="title" value="Nitrokey HSM EC setup" -->
<!--# set var="date" value="March 26, 2016" -->
<!--# include file="include/top.html" -->
Following up from my previous writeup on [creating an EC CA](https://medium.com/where-the-flamingcow-roams/elliptic-curve-certificate-authority-bbdb9c3855f7#.wv19mvxse), lets talk about key security.
[Hardware security modules](https://en.wikipedia.org/wiki/Hardware_security_module) are physical devices that manage keys. Generally, the rule is that they let you use the keys for operations (e.g. signing) given correct authentication, but dont let you extract the raw key material. This means that if youre holding the HSM, you know that no one else is currently abusing your key (though they may have done so in the past).
Searching for reasonably-priced options, I found the [Nitrokey HSM](https://shop.nitrokey.com/shop/product/nitrokey-hsm-7). Open source hardware, firmware, and software. Supports EC keys. Supports lots of keys. Supports Linux. Awesome.
<rant>Open source gets a bad rap sometimes, for the same reason PHP does: it has a low barrier to entry (thats a simplification in pretty much all directions, but roll with it). That means theres a lot of crap out there, because its so easy to start things without a significant audience and not hold to rigorous standards. Open source hardware, however, doesnt have this excuse. Youre selling it. The fact that you publish the designs and the firmware is secondary; youre still making money from it, and theres no excuse for shipping shit that you havent actually finished turning into a product.</rant>
Below are the steps to get the Nitrokey HSM to a working state where it can generate an EC key pair, and (self-)sign a cert with it. Hopefully many of these go away in the future, as support percolates into release versions and distribution packages.
### Hardware & setup
These instructions were developed and tested on a Raspberry Pi. Base setup instructions are here. Youll also need a Nitrokey HSM, obviously.
### Install prerequisites
sudo apt-get install pcscd libpcsclite-dev libssl-dev libreadline-dev autoconf automake build-essential docbook-xsl xsltproc libtool pkg-config git
### libccid
Youll need a [newer version of libccid](https://www.nitrokey.com/documentation/frequently-asked-questions#which-gnupg,-opensc-and-libccid-versions-are-required) than currently exists in Raspbian Jessie (1.4.22 > 1.4.18). You can download it for your platform here, or use the commands below for an RPi.
wget http://http.us.debian.org/debian/pool/main/c/ccid/libccid_1.4.22-1_armhf.deb
sudo dpkg -i libccid_1.4.22-1_armhf.deb
### Install libp11
engine\_pkcs11 requires >= 0.3.1. Raspbian Jessie has 0.2.8. Debian sid [has a package](https://packages.debian.org/sid/libp11-2), but you need the dev package as well, so you might as well build it.
git clone https://github.com/OpenSC/libp11.git
cd libp11
./bootstrap
./configure
make
sudo make install
cd ..
### Install engine\_pkcs11
EC [requires engine\_pkcs11 >= 0.2.0](https://www.nitrokey.com/forum/viewtopic.php?t=1549). Raspbian Jessie has 0.1.8. Debian [sid also has a package](https://packages.debian.org/sid/libengine-pkcs11-openssl) that I havent tested.
git clone https://github.com/OpenSC/engine_pkcs11.git
cd engine_pkcs11
./bootstrap
./configure
make
sudo make install
cd ..
### Install OpenSC
As of writing (2016/Mar/26), working support for the Nitrokey HSM [requires a build of OpenSC](https://www.nitrokey.com/documentation/frequently-asked-questions#which-gnupg,-opensc-and-libccid-versions-are-required) that hasnt made it into a package yet (0.16.0). Theyve also screwed up their repository branching, so master is behind the release branch and wont work.
git clone — branch opensc-0.16.0 https://github.com/OpenSC/OpenSC.git
cd OpenSC
./bootstrap
./configure
make
sudo make install
cd ..
### Misc
sudo ldconfig
### Initialize the device
/usr/local/bin/sc-hsm-tool --initialize
If this tells you that it cant find the device, you probably forgot to update libccid, and need to start over. Youll need to set an SO PIN and PIN the first time. The SO PIN should be 16 characters, and the PIN 6. Both should be all digits. They can technically be hex, but some apps get confused if they see letters.
### Generate a test EC key pair
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so---login --keypairgen --key-type EC:prime256v1 --label test
### Generate a self-signed cert
openssl
OpenSSL> engine -t -pre SO_PATH:/usr/lib/arm-linux-gnueabihf/openssl-1.0.0/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so dynamic
...
OpenSSL> req -engine pkcs11 -new -keyform engine -out cert.pem -text -x509 -days 3640 -key label_test -subj '/CN=test'
If you now have a cert.pem file, youre golden. If you see “error in req”, you probably have a [bad version of OpenSC](https://www.nitrokey.com/forum/viewtopic.php?t=1549).
Now, delete the file, re-initialize the device, and youre good to go.
More instructions on various Nitrokey HSM operations can be found [here](https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#init).
Instructions for running a complete certificate authority (CA) with your Nitrokey are [here](https://medium.com/where-the-flamingcow-roams/ec-ca-redux-now-with-more-nitrokey-729061e1b7c9#.d7igz5dhv).
<!--# include file="include/bottom.html" -->

2
markdown/2016-03-27-ec-ca-redux-now-with-more-nitrokey.md
View File

@@ -1,5 +1,5 @@
<!--# set var="title" value="EC CA redux: now with more Nitrokey" -->
<!--# set var="date" value="May 27, 2016" -->
<!--# set var="date" value="March 27, 2016" -->
<!--# include file="include/top.html" -->

2
markdown/2019-04-14-reboot.md
View File

@@ -5,6 +5,6 @@
Previous generations of "where the flamingcow roams" have existed on Blogger and Medium, but have been dormant for some time. Tired of my posts there being "decorated" by the hosting provider without approval and inspired by [Fabien Sanglard](https://fabiensanglard.net/bloated/index.html), I'm rebooting here.
Posts prior to this one are copied from Blogger or Medium. Forgive me for all their historical naiveté. Posts after this are new here, and I'm sure will look equally silly in ten years.
Posts prior to this one are copied from Blogger or Medium. Forgive me for all their historical naiveté. Posts after this are new here, and I'm sure will look equally silly in ten years. The historical posts have been hand-translated to markdown and likely contain translation errors.
<!--# include file="include/bottom.html" -->

3
markdown/build-html.sh
View File

@@ -4,6 +4,9 @@ BASEDIR=$(dirname $0)
for FILE in $BASEDIR/*.md; do
BASENAME=$(basename $FILE)
if [[ $BASENAME == 'template.md' ]]; then
continue
fi
OUTNAME=${BASENAME%.md}.html
echo "$BASENAME -> $OUTNAME"
TEMP=$(tempfile --dir=$BASEDIR --mode=0644 --suffix=.tmp)

12
markdown/index.md Normal file
View File

@@ -0,0 +1,12 @@
<!--# set var="class" value="index" -->
<!--# include file="include/top.html" -->
1. 2019-Apr-14: [Reboot](2019-04-14-reboot.html)
1. 2016-May-17: [WiFi bridging redux](2016-05-17-wifi-bridging-redux.html)
1. 2016-Apr-02: [apt caching for debootstrap](2016-04-02-apt-caching-for-debootstrap.html)
1. 2016-Mar-27: [EC CA redux: now with more Nitrokey](2016-03-27-ec-ca-redux-now-with-more-nitrokey.html)
1. 2016-Mar-26: [Nitrokey HSM EC setup](2016-03-26-nitrokey-hsm-ec-setup.html)
1. 2016-Mar-21: [Elliptic Curve Certificate Authority](2016-03-21-elliptic-curve-certificate-authority.html)
<!--# include file="include/bottom.html" -->

8
markdown/template.md Normal file
View File

@@ -0,0 +1,8 @@
<!--# set var="title" value="X" -->
<!--# set var="date" value="X" -->
<!--# include file="include/top.html" -->
X
<!--# include file="include/bottom.html" -->