diff --git a/CertifikacnaAutorita/README.txt b/CertifikacnaAutorita/README.txt new file mode 100644 index 0000000..b119048 --- /dev/null +++ b/CertifikacnaAutorita/README.txt @@ -0,0 +1,63 @@ +Author: Jozef Simko +School year: 5., Master study, 2023/24 +Study program: Computer Networks +Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI) + +Tento priecinok obsahuje demo skript na generovanie hlavnej a sekundarnej +certifikacnej autority a generovanie overenych certifikatov pre server a klient. +Priecinok tiez obsahuje dva konfiguracne subory, ktore sa vyuzivaju v prikazoch +pri samotnom generovani. +Cely balik tiez obsahuje samostatny skritp gen_client_certificate.bat +s podrobnym priblizenim pre generovanie certifikatov pre koncovych pouzivatelov. + +POUZITIE +Na automaticke generovanie vsetkych suborov bol vytvoreny skript gen_CA.bat. +Spustenim tohto skriptu sa vytvori cela struktura priecinkov, vygeneruju sa +privatne kluce, certifikaty ktore sa nasledne podpisu a dodatocne overia. + +Skript obsahuje aj vzorove prikazy na vytvorenie zretazenych certifikatov aj +priklad zneplatnenia odpisaneho certifikatu. + +Pouzitie skriptu by malo byt JEDNORAZOVE - v pripade viacnasobneho spustenia +skriptu dojde k prepisaniu a strate povodne vygenerovanych suborov. Zaroven +moze dojst k prepisaniu dodatocne vygenerovanych a podpisanych certifikatov. +Skript preto obsahuje prikaz, ktorym sa sam zmaze po vytvoreni vsetkych +potrebnych struktur a suborov. + +STRUKTURA PRIECINKOV +Skript vytvori nasledovnu strukturu priecinkov a suborov: + +myCA + | + |_ rootCA + | |_certs -> priecinok s CA certikatom + | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu + | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup) + | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch + | |_serial -> pocitadlo podpisanych certifikatov + | |_crlnumber -> pocitadlo zneplatnenych certifikatov + | |_root.cnf -> konfiguracny subor pre hlavnu CA + | + |_ intermediateCA + | |_certs -> priecinok s CA certikatom + | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu + | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup) + | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch + | |_serial -> pocitadlo podpisanych certifikatov + | |_crlnumber -> pocitadlo zneplatnenych certifikatov + | |_intermediateCA.cnf -> konfiguracny subor pre sekundarnu CA + + +GEN_CLIENT + + + +Priklad chyby: + +ERROR:There is already a certificate for /CN=www.testclient.com +The matching entry has the following details +Type :Valid +Expires on :250421105929Z +Serial Number :01 +File name :unknown +Subject Name :/CN=www.testclient.com \ No newline at end of file diff --git a/CertifikacnaAutorita/gen_CA.bat b/CertifikacnaAutorita/gen_CA.bat new file mode 100644 index 0000000..8971353 --- /dev/null +++ b/CertifikacnaAutorita/gen_CA.bat @@ -0,0 +1,109 @@ +:: Demo script for creating CA structure as part of masters thesis +:: Author: Jozef Simko +:: School year: 5., Master study, 2023/24 +:: Study program: Computer Networks +:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI) + +:: STRUKTURA PRIECINKOV +:: Tento skript vytvori nasledovnu strukturu priecinkov a suborov: + +:: myCA +:: | +:: |_ rootCA +:: | |_certs -> priecinok s CA certikatom +:: | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu +:: | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup) +:: | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch +:: | |_serial -> pocitadlo podpisanych certifikatov +:: | |_crlnumber -> pocitadlo zneplatnenych certifikatov +:: | |_root.cnf -> konfiguracny subor pre hlavnu CA +:: | +:: |_ intermediateCA +:: | |_certs -> priecinok s CA certikatom +:: | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu +:: | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup) +:: | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch +:: | |_serial -> pocitadlo podpisanych certifikatov +:: | |_crlnumber -> pocitadlo zneplatnenych certifikatov +:: | |_intermediateCA.cnf -> konfiguracny subor pre sekundarnu CA + +:: --------------------------------------------------------------------------------------------------------------------------- + +:: Vytvorenie struktury priecinkov +mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index +mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr + +:: PowerShell prikazy - prikaz 'echo' vytvara v PS subory s UTF-16 kodovanim +::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial" +::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber" +::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File + +::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial" +::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber" +::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File + +:: Vytvorenie dodatocnych suborov pre rootCA a intermediateCA +:: @serial - zaznamenava aktualne seriove cislo, ktore bude pouzite pre novy certifikatov +:: kazdy certifikat je mozne identifikovat pomocou serioveho cisla - zaznam sa nachadza v subore index.txt +:: @ crlnumber - pocitadlo zrusenych/zneplatnenych certifikatov +:: zneplatnenie moze nastat ak doslo k prezradeniu privatneho kluca, ide o podvodny certifikat alebo sa zmenili informacie ziadatela certifikatu +:: @ index.txt - subory pouzity ako databaza vsetkych podpisanych certifikatov +:: databaza v indexe zaznamenava tieto informacie: status certifikatu, datum platnosti, seriove cislo a doplnkove informacie +echo 00 > .\myCA\rootCA\serial +echo 0100 > .\myCA\rootCA\crlnumber +type NUL > .\myCA\rootCA\index\index.txt + +echo 00 > .\myCA\intermediateCA\serial +echo 0100 > .\myCA\intermediateCA\crlnumber +type NUL > .\myCA\intermediateCA\index\index.txt + +:: Skopirovanie konfiguracnych suborov do prislusnych zloziek +:: Pre presunutie suborov staci pouzit nahradit prikaz copy prikazom move +copy .\root.cnf .\myCA\rootCA\ +copy .\intermediate.cnf .\myCA\intermediateCA\ + +:: ROOT CA +:: Vygenerovanie sukromneho kluca a certifikatu pre root CA +:: Pouzity algoritmus - PQ algoritmus falcon512 +openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 365 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes + +:: INT CA +:: Vygenerovanie sukromneho kluca a certifikatu pre intermediate CA +:: Podpisanie vygenerovaneho certifikatu pre intCA sukromnym klucom root CA +:: Overenie podpisu +openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes +openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt +openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt + +:: CERT-CHAIN +:: Vytvorenie zretazeneho certifikatu z certifikatov root CA a int CA +:: Overenie vygenerovaneho zretazeneho certifikatu +type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem +openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt + + +:: SERVER CERTIFICATE +:: Vygenerovanie sukromneho kluca a certifikatu pre server +:: Overenie podpisu vysledneho certifikatu +openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server" +openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt +openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_server.crt + +:: CLIENT CERTIFICATE +:: Vygenerovanie sukromneho kluca a certifikatu pre klienta +:: Overenie podpisu vysledneho certifikatu +openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com" +openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt +openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt + + +:: REVOKE CERTIFICATE +:: Vygenerovanie dalsieho certifikatu pre "fake" server +:: Podpisanie vygenerovaneho certifikatu +:: Zneplatnenie vytvoreného certifikátu s dôvodom "affiliationChanged" (zmena vlastnosti koncoveho serveru) +::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server" +::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt +::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged + +:: REMOVE SCRIPT +:: del ./gen_CA.bat diff --git a/CertifikacnaAutorita/gen_client_certificate.bat b/CertifikacnaAutorita/gen_client_certificate.bat new file mode 100644 index 0000000..a8ad87b --- /dev/null +++ b/CertifikacnaAutorita/gen_client_certificate.bat @@ -0,0 +1,34 @@ +:: CLIENT CERTIFICATE +:: Vygenerovanie sukromneho kluca a certifikatu pre klienta +:: Overenie podpisu vysledneho certifikatu + +:: Nasledujuce prikazy su nazorovnou ukazkou toho ako je mozne vygenerovat +:: sukromny kluc a certifikat urceny koncovemu pouzivatelovi - klientovi + +:: Tento prikaz je zlozeny z viacerych vstupov a generuje sukromny kluc a certifikat sucasne +:: @-newkey : nazov algoritmu pouziteho pre generovanie sukromneho kluca, napr. falcon512 alebo dilithium3 +:: @-keyout : cesta k priecinku do ktoreho bude vygenerovany kluc ulozeny +:: @-out : cesta k priecinku do ktoreho bude vygenerovany certifikat pre klienta +:: @-subj : doplnujuce informacie, ktore musia byt urcene v zavislosti od poziadavok certifikacnej autority +:: priklad: -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT Department/CN=Root CA" +:: doplnujuce informacie su: C (country), ST (state), L (location), O (organization), OU (organization unit), CN (common name) + +openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.master-thesis-client.com" + +:: Tento prikaz sluzi na podpis certifikatu +:: Podpis certifikatu je realizovany sukromnym klucom CA ktory je definovany priamo v konfiguracnom subore +:: @-batch : automaticke potvrdenie realizacie podpisu, bez tohto prepinacu musi pouzivatel rucne potvrdit operaciu podpisu +:: @-config : konfiguracny subor pouzity na podpis, okrem sukromneho kluca CA obsahuje aj podmienky pre realizaciu podpisu, napr. pritomnost doplnujucich informacii v certifikate +:: @-extensions : rozsirenie 'client_cert' je modul, ktory je sucastou konfiguracneho suboru a je rovnaky iba pre certifikaty koncovych pouzivatelov, napr. certifikat bude oznaceny ako client/email certificate +:: @-days : oznacuje dlzku platnosti podpisu v dnoch +:: @-md : pouzity hash +:: @-in : cesta k vstupnemu certifikatu ako .csr alebo .crt +:: @-out : cesta k priecinku do ktoreho bude zapisany podpisany certifikat + +openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt + +:: Posledny prikaz sluzi na overenie podpisu +:: @-CAfile : zretazeny certifikat intCA + +openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt + diff --git a/CertifikacnaAutorita/intermediate.cnf b/CertifikacnaAutorita/intermediate.cnf new file mode 100644 index 0000000..77857c2 --- /dev/null +++ b/CertifikacnaAutorita/intermediate.cnf @@ -0,0 +1,108 @@ +# OpenSSL intermediate CA configuration file. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = ./myCA/intermediateCA +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/falcon512_intCA.key +certificate = $dir/certs/falcon512_intCA.crt + +# For certificate revocation lists. +crlnumber = $dir/crl/crlnumber +crl = $dir/crl/intermediate.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +copy_extensions = copy + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only +default_md = sha256 +prompt = no + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +commonName = JS_master_thesis +countryName = SK +stateOrProvinceName = Kosice +#localityName = Locality Name +0.organizationName = TUKE +#organizationalUnitName = Organizational Unit Name +#emailAddress = Email Address + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ server_cert ] +basicConstraints = CA:FALSE +nsCertType = server +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ client_cert ] +basicConstraints = CA:FALSE +nsCertType = client, email +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection \ No newline at end of file diff --git a/CertifikacnaAutorita/root.cnf b/CertifikacnaAutorita/root.cnf new file mode 100644 index 0000000..2698ee0 --- /dev/null +++ b/CertifikacnaAutorita/root.cnf @@ -0,0 +1,79 @@ +# OpenSSL root CA configuration file. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = ./myCA/rootCA +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/falcon512_CA.key +certificate = $dir/certs/falcon512_CA.crt + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +default_md = sha256 +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only +default_md = sha256 +prompt = no + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +commonName = JS_master_thesis +countryName = SK +stateOrProvinceName = Kosice +#localityName = Locality Name +0.organizationName = TUKE +#organizationalUnitName = Organizational Unit Name +#emailAddress = Email Address + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always,issuer