js331zc/MastersThesis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pridane subory k CA

Browse Source
This commit is contained in:
Jozef Šimko 2024-04-14 08:43:58 +00:00
parent 1088bd6d0a
commit e05eede82f
5 changed files with 393 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
CertifikacnaAutorita/README.txt Normal file
View File

@ -0,0 +1,63 @@
Author: Jozef Simko
School year: 5., Master study, 2023/24
Study program: Computer Networks
Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
Tento priecinok obsahuje demo skript na generovanie hlavnej a sekundarnej
certifikacnej autority a generovanie overenych certifikatov pre server a klient.
Priecinok tiez obsahuje dva konfiguracne subory, ktore sa vyuzivaju v prikazoch
pri samotnom generovani.
Cely balik tiez obsahuje samostatny skritp gen_client_certificate.bat
s podrobnym priblizenim pre generovanie certifikatov pre koncovych pouzivatelov.
POUZITIE
Na automaticke generovanie vsetkych suborov bol vytvoreny skript gen_CA.bat.
Spustenim tohto skriptu sa vytvori cela struktura priecinkov, vygeneruju sa
privatne kluce, certifikaty ktore sa nasledne podpisu a dodatocne overia.
Skript obsahuje aj vzorove prikazy na vytvorenie zretazenych certifikatov aj
priklad zneplatnenia odpisaneho certifikatu.
Pouzitie skriptu by malo byt JEDNORAZOVE - v pripade viacnasobneho spustenia
skriptu dojde k prepisaniu a strate povodne vygenerovanych suborov. Zaroven
moze dojst k prepisaniu dodatocne vygenerovanych a podpisanych certifikatov.
Skript preto obsahuje prikaz, ktorym sa sam zmaze po vytvoreni vsetkych
potrebnych struktur a suborov.
STRUKTURA PRIECINKOV
Skript vytvori nasledovnu strukturu priecinkov a suborov:
myCA
|
|_ rootCA
| |_certs -> priecinok s CA certikatom
| |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
| |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
| |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
| |_serial -> pocitadlo podpisanych certifikatov
| |_crlnumber -> pocitadlo zneplatnenych certifikatov
| |_root.cnf -> konfiguracny subor pre hlavnu CA
|
|_ intermediateCA
| |_certs -> priecinok s CA certikatom
| |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
| |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
| |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
| |_serial -> pocitadlo podpisanych certifikatov
| |_crlnumber -> pocitadlo zneplatnenych certifikatov
| |_intermediateCA.cnf -> konfiguracny subor pre sekundarnu CA
GEN_CLIENT
Priklad chyby:
ERROR:There is already a certificate for /CN=www.testclient.com
The matching entry has the following details
Type :Valid
Expires on :250421105929Z
Serial Number :01
File name :unknown
Subject Name :/CN=www.testclient.com

109
CertifikacnaAutorita/gen_CA.bat Normal file
View File

@ -0,0 +1,109 @@
:: Demo script for creating CA structure as part of masters thesis
:: Author: Jozef Simko
:: School year: 5., Master study, 2023/24
:: Study program: Computer Networks
:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
:: STRUKTURA PRIECINKOV
:: Tento skript vytvori nasledovnu strukturu priecinkov a suborov:
:: myCA
:: |
:: |_ rootCA
:: | |_certs -> priecinok s CA certikatom
:: | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
:: | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
:: | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
:: | |_serial -> pocitadlo podpisanych certifikatov
:: | |_crlnumber -> pocitadlo zneplatnenych certifikatov
:: | |_root.cnf -> konfiguracny subor pre hlavnu CA
:: |
:: |_ intermediateCA
:: | |_certs -> priecinok s CA certikatom
:: | |_newcerts -> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
:: | |_private -> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
:: | |_index/index.txt -> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
:: | |_serial -> pocitadlo podpisanych certifikatov
:: | |_crlnumber -> pocitadlo zneplatnenych certifikatov
:: | |_intermediateCA.cnf -> konfiguracny subor pre sekundarnu CA
:: ---------------------------------------------------------------------------------------------------------------------------
:: Vytvorenie struktury priecinkov
mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index
mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr
:: PowerShell prikazy - prikaz 'echo' vytvara v PS subory s UTF-16 kodovanim
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber"
::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber"
::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File
:: Vytvorenie dodatocnych suborov pre rootCA a intermediateCA
:: @serial - zaznamenava aktualne seriove cislo, ktore bude pouzite pre novy certifikatov
:: kazdy certifikat je mozne identifikovat pomocou serioveho cisla - zaznam sa nachadza v subore index.txt
:: @ crlnumber - pocitadlo zrusenych/zneplatnenych certifikatov
:: zneplatnenie moze nastat ak doslo k prezradeniu privatneho kluca, ide o podvodny certifikat alebo sa zmenili informacie ziadatela certifikatu
:: @ index.txt - subory pouzity ako databaza vsetkych podpisanych certifikatov
:: databaza v indexe zaznamenava tieto informacie: status certifikatu, datum platnosti, seriove cislo a doplnkove informacie
echo 00 > .\myCA\rootCA\serial
echo 0100 > .\myCA\rootCA\crlnumber
type NUL > .\myCA\rootCA\index\index.txt
echo 00 > .\myCA\intermediateCA\serial
echo 0100 > .\myCA\intermediateCA\crlnumber
type NUL > .\myCA\intermediateCA\index\index.txt
:: Skopirovanie konfiguracnych suborov do prislusnych zloziek
:: Pre presunutie suborov staci pouzit nahradit prikaz copy prikazom move
copy .\root.cnf .\myCA\rootCA\
copy .\intermediate.cnf .\myCA\intermediateCA\
:: ROOT CA
:: Vygenerovanie sukromneho kluca a certifikatu pre root CA
:: Pouzity algoritmus - PQ algoritmus falcon512
openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 365 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes
:: INT CA
:: Vygenerovanie sukromneho kluca a certifikatu pre intermediate CA
:: Podpisanie vygenerovaneho certifikatu pre intCA sukromnym klucom root CA
:: Overenie podpisu
openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes
openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt
:: CERT-CHAIN
:: Vytvorenie zretazeneho certifikatu z certifikatov root CA a int CA
:: Overenie vygenerovaneho zretazeneho certifikatu
type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem
openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt
:: SERVER CERTIFICATE
:: Vygenerovanie sukromneho kluca a certifikatu pre server
:: Overenie podpisu vysledneho certifikatu
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server"
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_server.crt
:: CLIENT CERTIFICATE
:: Vygenerovanie sukromneho kluca a certifikatu pre klienta
:: Overenie podpisu vysledneho certifikatu
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com"
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt
:: REVOKE CERTIFICATE
:: Vygenerovanie dalsieho certifikatu pre "fake" server
:: Podpisanie vygenerovaneho certifikatu
:: Zneplatnenie vytvoreného certifikátu s dôvodom "affiliationChanged" (zmena vlastnosti koncoveho serveru)
::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server"
::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt
::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged
:: REMOVE SCRIPT
:: del ./gen_CA.bat

34
CertifikacnaAutorita/gen_client_certificate.bat Normal file
View File

@ -0,0 +1,34 @@
:: CLIENT CERTIFICATE
:: Vygenerovanie sukromneho kluca a certifikatu pre klienta
:: Overenie podpisu vysledneho certifikatu
:: Nasledujuce prikazy su nazorovnou ukazkou toho ako je mozne vygenerovat
:: sukromny kluc a certifikat urceny koncovemu pouzivatelovi - klientovi
:: Tento prikaz je zlozeny z viacerych vstupov a generuje sukromny kluc a certifikat sucasne
:: @-newkey : nazov algoritmu pouziteho pre generovanie sukromneho kluca, napr. falcon512 alebo dilithium3
:: @-keyout : cesta k priecinku do ktoreho bude vygenerovany kluc ulozeny
:: @-out : cesta k priecinku do ktoreho bude vygenerovany certifikat pre klienta
:: @-subj : doplnujuce informacie, ktore musia byt urcene v zavislosti od poziadavok certifikacnej autority
:: priklad: -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT Department/CN=Root CA"
:: doplnujuce informacie su: C (country), ST (state), L (location), O (organization), OU (organization unit), CN (common name)
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.master-thesis-client.com"
:: Tento prikaz sluzi na podpis certifikatu
:: Podpis certifikatu je realizovany sukromnym klucom CA ktory je definovany priamo v konfiguracnom subore
:: @-batch : automaticke potvrdenie realizacie podpisu, bez tohto prepinacu musi pouzivatel rucne potvrdit operaciu podpisu
:: @-config : konfiguracny subor pouzity na podpis, okrem sukromneho kluca CA obsahuje aj podmienky pre realizaciu podpisu, napr. pritomnost doplnujucich informacii v certifikate
:: @-extensions : rozsirenie 'client_cert' je modul, ktory je sucastou konfiguracneho suboru a je rovnaky iba pre certifikaty koncovych pouzivatelov, napr. certifikat bude oznaceny ako client/email certificate
:: @-days : oznacuje dlzku platnosti podpisu v dnoch
:: @-md : pouzity hash
:: @-in : cesta k vstupnemu certifikatu ako .csr alebo .crt
:: @-out : cesta k priecinku do ktoreho bude zapisany podpisany certifikat
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt
:: Posledny prikaz sluzi na overenie podpisu
:: @-CAfile : zretazeny certifikat intCA
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt

108
CertifikacnaAutorita/intermediate.cnf Normal file
View File

@ -0,0 +1,108 @@
# OpenSSL intermediate CA configuration file.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ./myCA/intermediateCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/falcon512_intCA.key
certificate = $dir/certs/falcon512_intCA.crt
# For certificate revocation lists.
crlnumber = $dir/crl/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
copy_extensions = copy
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
prompt = no
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = JS_master_thesis
countryName = SK
stateOrProvinceName = Kosice
#localityName = Locality Name
0.organizationName = TUKE
#organizationalUnitName = Organizational Unit Name
#emailAddress = Email Address
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

79
CertifikacnaAutorita/root.cnf Normal file
View File

@ -0,0 +1,79 @@
# OpenSSL root CA configuration file.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ./myCA/rootCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/falcon512_CA.key
certificate = $dir/certs/falcon512_CA.crt
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
prompt = no
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = JS_master_thesis
countryName = SK
stateOrProvinceName = Kosice
#localityName = Locality Name
0.organizationName = TUKE
#organizationalUnitName = Organizational Unit Name
#emailAddress = Email Address
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always,issuer