mirror of https://github.com/trailofbits/algo
Local openssl tasks (#169)
* Draft works with ECDSA RSA support for Windows * update-users with local_openssl_tasks * move prompts to the algo script * additional directory for SSH keys * move easyrsa_p12_export_password to pre_tasks * update-users testing * Fix hardcoded vars * Delete the CA key * Hardcoded IP. Fixes #219 * Some fixespull/235/head
parent
257be0f395
commit
35faf4bca7
@ -1,202 +0,0 @@
|
|||||||
# Easy-RSA 3 parameter settings
|
|
||||||
|
|
||||||
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
|
|
||||||
# this file in place -- instead, you should copy the entire easy-rsa directory
|
|
||||||
# to another location so future upgrades don't wipe out your changes.
|
|
||||||
|
|
||||||
# HOW TO USE THIS FILE
|
|
||||||
#
|
|
||||||
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
|
|
||||||
# this file 'vars' if you want it to be used as a configuration file. If you do
|
|
||||||
# not, it WILL NOT be automatically read when you call easyrsa commands.
|
|
||||||
#
|
|
||||||
# It is not necessary to use this config file unless you wish to change
|
|
||||||
# operational defaults. These defaults should be fine for many uses without the
|
|
||||||
# need to copy and edit the 'vars' file.
|
|
||||||
#
|
|
||||||
# All of the editable settings are shown commented and start with the command
|
|
||||||
# 'set_var' -- this means any set_var command that is uncommented has been
|
|
||||||
# modified by the user. If you're happy with a default, there is no need to
|
|
||||||
# define the value to its default.
|
|
||||||
|
|
||||||
# NOTES FOR WINDOWS USERS
|
|
||||||
#
|
|
||||||
# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
|
|
||||||
# backslashes (single forward slashes are recommended.) This means your path to
|
|
||||||
# the openssl binary might look like this:
|
|
||||||
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
||||||
|
|
||||||
# A little housekeeping: DON'T EDIT THIS SECTION
|
|
||||||
#
|
|
||||||
# Easy-RSA 3.x doesn't source into the environment directly.
|
|
||||||
# Complain if a user tries to do this:
|
|
||||||
if [ -z "$EASYRSA_CALLER" ]; then
|
|
||||||
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
|
|
||||||
echo "This is no longer necessary and is disallowed. See the section called" >&2
|
|
||||||
echo "'How to use this file' near the top comments for more details." >&2
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# DO YOUR EDITS BELOW THIS POINT
|
|
||||||
|
|
||||||
# This variable should point to the top level of the easy-rsa tree. By default,
|
|
||||||
# this is taken to be the directory you are currently in.
|
|
||||||
|
|
||||||
set_var EASYRSA "{{ easyrsa_dir }}/easyrsa3/"
|
|
||||||
|
|
||||||
# If your OpenSSL command is not in the system PATH, you will need to define the
|
|
||||||
# path to it here. Normally this means a full path to the executable, otherwise
|
|
||||||
# you could have left it undefined here and the shown default would be used.
|
|
||||||
#
|
|
||||||
# Windows users, remember to use paths with forward-slashes (or escaped
|
|
||||||
# back-slashes.) Windows users should declare the full path to the openssl
|
|
||||||
# binary here if it is not in their system PATH.
|
|
||||||
|
|
||||||
#set_var EASYRSA_OPENSSL "openssl"
|
|
||||||
#
|
|
||||||
# This sample is in Windows syntax -- edit it for your path if not using PATH:
|
|
||||||
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
||||||
|
|
||||||
# Edit this variable to point to your soon-to-be-created key directory.
|
|
||||||
#
|
|
||||||
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
|
|
||||||
# it correctly! (Interactive mode will prompt before acting.)
|
|
||||||
|
|
||||||
set_var EASYRSA_PKI "$EASYRSA/pki"
|
|
||||||
|
|
||||||
# Define X509 DN mode.
|
|
||||||
# This is used to adjust what elements are included in the Subject field as the DN
|
|
||||||
# (this is the "Distinguished Name.")
|
|
||||||
# Note that in cn_only mode the Organizational fields further below aren't used.
|
|
||||||
#
|
|
||||||
# Choices are:
|
|
||||||
# cn_only - use just a CN value
|
|
||||||
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
|
|
||||||
|
|
||||||
set_var EASYRSA_DN "cn_only"
|
|
||||||
|
|
||||||
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
|
|
||||||
# These are the default values for fields which will be placed in the
|
|
||||||
# certificate. Don't leave any of these fields blank, although interactively
|
|
||||||
# you may omit any specific field by typing the "." symbol (not valid for
|
|
||||||
# email.)
|
|
||||||
|
|
||||||
#set_var EASYRSA_REQ_COUNTRY "US"
|
|
||||||
#set_var EASYRSA_REQ_PROVINCE "California"
|
|
||||||
#set_var EASYRSA_REQ_CITY "San Francisco"
|
|
||||||
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
|
|
||||||
#set_var EASYRSA_REQ_EMAIL "me@example.net"
|
|
||||||
#set_var EASYRSA_REQ_OU "My Organizational Unit"
|
|
||||||
|
|
||||||
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
|
|
||||||
# 2048-bit keys is considered more than sufficient for many years into the
|
|
||||||
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
|
|
||||||
# generation take much longer. Values up to 4096 should be accepted by most
|
|
||||||
# software. Only used when the crypto alg is rsa (see below.)
|
|
||||||
|
|
||||||
# set_var EASYRSA_KEY_SIZE 2048
|
|
||||||
|
|
||||||
# The default crypto mode is rsa; ec can enable elliptic curve support.
|
|
||||||
# Note that not all software supports ECC, so use care when enabling it.
|
|
||||||
# Choices for crypto alg are: (each in lower-case)
|
|
||||||
# * rsa
|
|
||||||
# * ec
|
|
||||||
|
|
||||||
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
|
|
||||||
set_var EASYRSA_ALGO rsa
|
|
||||||
{% else %}
|
|
||||||
set_var EASYRSA_ALGO ec
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Define the named curve, used in ec mode only:
|
|
||||||
|
|
||||||
set_var EASYRSA_CURVE prime256v1
|
|
||||||
|
|
||||||
# In how many days should the root CA key expire?
|
|
||||||
|
|
||||||
set_var EASYRSA_CA_EXPIRE {{ easyrsa_ca_expire }}
|
|
||||||
|
|
||||||
# In how many days should certificates expire?
|
|
||||||
|
|
||||||
set_var EASYRSA_CERT_EXPIRE {{ easyrsa_cert_expire }}
|
|
||||||
|
|
||||||
# How many days until the next CRL publish date? Note that the CRL can still be
|
|
||||||
# parsed after this timeframe passes. It is only used for an expected next
|
|
||||||
# publication date.
|
|
||||||
|
|
||||||
#set_var EASYRSA_CRL_DAYS 180
|
|
||||||
|
|
||||||
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
|
|
||||||
# is "no" to discourage use of deprecated extensions. If you require this
|
|
||||||
# feature to use with --ns-cert-type, set this to "yes" here. This support
|
|
||||||
# should be replaced with the more modern --remote-cert-tls feature. If you do
|
|
||||||
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
|
|
||||||
# this defined to "no". When set to "yes", server-signed certs get the
|
|
||||||
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
|
|
||||||
# nsComment field.
|
|
||||||
|
|
||||||
#set_var EASYRSA_NS_SUPPORT "no"
|
|
||||||
|
|
||||||
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
|
|
||||||
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
|
|
||||||
|
|
||||||
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
|
|
||||||
|
|
||||||
# A temp file used to stage cert extensions during signing. The default should
|
|
||||||
# be fine for most users; however, some users might want an alternative under a
|
|
||||||
# RAM-based FS, such as /dev/shm or /tmp on some systems.
|
|
||||||
|
|
||||||
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
|
|
||||||
|
|
||||||
# !!
|
|
||||||
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
|
|
||||||
# PLAY WITH THEM AT YOUR OWN RISK
|
|
||||||
# !!
|
|
||||||
|
|
||||||
# Broken shell command aliases: If you have a largely broken shell that is
|
|
||||||
# missing any of these POSIX-required commands used by Easy-RSA, you will need
|
|
||||||
# to define an alias to the proper path for the command. The symptom will be
|
|
||||||
# some form of a 'command not found' error from your shell. This means your
|
|
||||||
# shell is BROKEN, but you can hack around it here if you really need. These
|
|
||||||
# shown values are not defaults: it is up to you to know what you're doing if
|
|
||||||
# you touch these.
|
|
||||||
#
|
|
||||||
#alias awk="/alt/bin/awk"
|
|
||||||
#alias cat="/alt/bin/cat"
|
|
||||||
|
|
||||||
# X509 extensions directory:
|
|
||||||
# If you want to customize the X509 extensions used, set the directory to look
|
|
||||||
# for extensions here. Each cert type you sign must have a matching filename,
|
|
||||||
# and an optional file named 'COMMON' is included first when present. Note that
|
|
||||||
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
|
|
||||||
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
|
|
||||||
# detection with an explicit dir here.
|
|
||||||
#
|
|
||||||
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
|
|
||||||
|
|
||||||
# OpenSSL config file:
|
|
||||||
# If you need to use a specific openssl config file, you can reference it here.
|
|
||||||
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
|
|
||||||
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
|
|
||||||
# specific and you cannot just use a standard config file, so this is an
|
|
||||||
# advanced feature.
|
|
||||||
|
|
||||||
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
|
|
||||||
|
|
||||||
# Default CN:
|
|
||||||
# This is best left alone. Interactively you will set this manually, and BATCH
|
|
||||||
# callers are expected to set this themselves.
|
|
||||||
|
|
||||||
set_var EASYRSA_REQ_CN "{{ IP_subject_alt_name }}"
|
|
||||||
|
|
||||||
# Cryptographic digest to use.
|
|
||||||
# Do not change this default unless you understand the security implications.
|
|
||||||
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
|
|
||||||
|
|
||||||
#set_var EASYRSA_DIGEST "sha256"
|
|
||||||
|
|
||||||
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
|
|
||||||
# in batch mode without any user input, confirmation on dangerous operations,
|
|
||||||
# or most output. Setting this to any non-blank string enables batch mode.
|
|
||||||
|
|
||||||
set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}"
|
|
@ -0,0 +1,143 @@
|
|||||||
|
# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
|
||||||
|
|
||||||
|
RANDFILE = .rnd
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ ca ]
|
||||||
|
default_ca = CA_default # The default ca section
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
dir = . # Where everything is kept
|
||||||
|
certs = $dir # Where the issued certs are kept
|
||||||
|
crl_dir = $dir # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
||||||
|
new_certs_dir = $dir/certs # default place for new certs.
|
||||||
|
|
||||||
|
certificate = $dir/cacert.pem # The CA certificate
|
||||||
|
serial = $dir/serial # The current serial number
|
||||||
|
crl = $dir/crl.pem # The current CRL
|
||||||
|
private_key = $dir/private/cakey.pem # The private key
|
||||||
|
RANDFILE = $dir/private/.rand # private random number file
|
||||||
|
|
||||||
|
x509_extensions = basic_exts # The extentions to add to the cert
|
||||||
|
|
||||||
|
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
|
||||||
|
# is designed for will. In return, we get the Issuer attached to CRLs.
|
||||||
|
crl_extensions = crl_ext
|
||||||
|
|
||||||
|
default_days = 3650 # how long to certify for
|
||||||
|
default_crl_days= 3650 # how long before next CRL
|
||||||
|
default_md = sha256 # use public key default MD
|
||||||
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
|
# A few difference way of specifying how similar the request should look
|
||||||
|
# For type CA, the listed attributes must be the same, and the optional
|
||||||
|
# and supplied fields are just that :-)
|
||||||
|
policy = policy_anything
|
||||||
|
|
||||||
|
# For the 'anything' policy, which defines allowed DN fields
|
||||||
|
[ policy_anything ]
|
||||||
|
countryName = optional
|
||||||
|
stateOrProvinceName = optional
|
||||||
|
localityName = optional
|
||||||
|
organizationName = optional
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
name = optional
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
# Easy-RSA request handling
|
||||||
|
# We key off $DN_MODE to determine how to format the DN
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
default_md = sha256
|
||||||
|
distinguished_name = cn_only
|
||||||
|
x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
|
||||||
|
|
||||||
|
# A placeholder to handle the $EXTRA_EXTS feature:
|
||||||
|
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
# Easy-RSA DN (Subject) handling
|
||||||
|
|
||||||
|
# Easy-RSA DN for cn_only support:
|
||||||
|
[ cn_only ]
|
||||||
|
commonName = Common Name (eg: your user, host, or server name)
|
||||||
|
commonName_max = 64
|
||||||
|
commonName_default = {{ IP_subject_alt_name }}
|
||||||
|
|
||||||
|
# Easy-RSA DN for org support:
|
||||||
|
[ org ]
|
||||||
|
countryName = Country Name (2 letter code)
|
||||||
|
countryName_default = US
|
||||||
|
countryName_min = 2
|
||||||
|
countryName_max = 2
|
||||||
|
|
||||||
|
stateOrProvinceName = State or Province Name (full name)
|
||||||
|
stateOrProvinceName_default = California
|
||||||
|
|
||||||
|
localityName = Locality Name (eg, city)
|
||||||
|
localityName_default = San Francisco
|
||||||
|
|
||||||
|
0.organizationName = Organization Name (eg, company)
|
||||||
|
0.organizationName_default = Copyleft Certificate Co
|
||||||
|
|
||||||
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
|
organizationalUnitName_default = My Organizational Unit
|
||||||
|
|
||||||
|
commonName = Common Name (eg: your user, host, or server name)
|
||||||
|
commonName_max = 64
|
||||||
|
commonName_default = {{ IP_subject_alt_name }}
|
||||||
|
|
||||||
|
emailAddress = Email Address
|
||||||
|
emailAddress_default = me@example.net
|
||||||
|
emailAddress_max = 64
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
# Easy-RSA cert extension handling
|
||||||
|
|
||||||
|
# This section is effectively unused as the main script sets extensions
|
||||||
|
# dynamically. This core section is left to support the odd usecase where
|
||||||
|
# a user calls openssl directly.
|
||||||
|
[ basic_exts ]
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid,issuer:always
|
||||||
|
|
||||||
|
extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
subjectAltName = ${ENV::subjectAltName}
|
||||||
|
|
||||||
|
# The Easy-RSA CA extensions
|
||||||
|
[ easyrsa_ca ]
|
||||||
|
|
||||||
|
# PKIX recommendations:
|
||||||
|
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid:always,issuer:always
|
||||||
|
|
||||||
|
# This could be marked critical, but it's nice to support reading by any
|
||||||
|
# broken clients who attempt to do so.
|
||||||
|
basicConstraints = CA:true
|
||||||
|
|
||||||
|
# Limit key usage to CA tasks. If you really want to use the generated pair as
|
||||||
|
# a self-signed cert, comment this out.
|
||||||
|
keyUsage = cRLSign, keyCertSign
|
||||||
|
|
||||||
|
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
|
||||||
|
# nsCertType = sslCA
|
||||||
|
|
||||||
|
# CRL extensions.
|
||||||
|
[ crl_ext ]
|
||||||
|
|
||||||
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||||
|
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
authorityKeyIdentifier=keyid:always,issuer:always
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -0,0 +1,27 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
CAPW=`cat /tmp/ca_password`
|
||||||
|
|
||||||
|
sed -i 's/- jack$/- jack_test/' config.cfg
|
||||||
|
|
||||||
|
ansible-playbook users.yml -e "server_ip=$LXC_IP server_user=root ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW"
|
||||||
|
|
||||||
|
cd configs/$LXC_IP/pki/
|
||||||
|
|
||||||
|
if openssl crl -inform pem -noout -text -in crl/jack.crt | grep CRL
|
||||||
|
then
|
||||||
|
echo "The CRL check passed"
|
||||||
|
else
|
||||||
|
echo "The CRL check failed"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if openssl x509 -inform pem -noout -text -in certs/jack_test.crt | grep CN=jack_test
|
||||||
|
then
|
||||||
|
echo "The new user exist"
|
||||||
|
else
|
||||||
|
echo "The new user does not exist"
|
||||||
|
exit 1
|
||||||
|
fi
|
Loading…
Reference in New Issue