pridane subory k CA

2024-04-14 08:43:58 +00:00 · 2024-04-14 08:43:58 +00:00 · e05eede82f
commit e05eede82f
parent 1088bd6d0a
5 changed files with 393 additions and 0 deletions
--- a/CertifikacnaAutorita/README.txt
+++ b/CertifikacnaAutorita/README.txt
@ -0,0 +1,63 @@
+Author: Jozef Simko
+School year: 5., Master study, 2023/24
+Study program: Computer Networks
+Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
+
+Tento priecinok obsahuje demo skript na generovanie hlavnej a sekundarnej 
+certifikacnej autority a generovanie overenych certifikatov pre server a klient.
+Priecinok tiez obsahuje dva konfiguracne subory, ktore sa vyuzivaju v prikazoch
+pri samotnom generovani.
+Cely balik tiez obsahuje samostatny skritp gen_client_certificate.bat
+s podrobnym priblizenim pre generovanie certifikatov pre koncovych pouzivatelov.
+
+POUZITIE
+Na automaticke generovanie vsetkych suborov bol vytvoreny skript gen_CA.bat.
+Spustenim tohto skriptu sa vytvori cela struktura priecinkov, vygeneruju sa 
+privatne kluce, certifikaty ktore sa nasledne podpisu a dodatocne overia.
+
+Skript obsahuje aj vzorove prikazy na vytvorenie zretazenych certifikatov aj
+priklad zneplatnenia odpisaneho certifikatu.
+
+Pouzitie skriptu by malo byt JEDNORAZOVE - v pripade viacnasobneho spustenia 
+skriptu dojde k prepisaniu a strate povodne vygenerovanych suborov. Zaroven
+moze dojst k prepisaniu dodatocne vygenerovanych a podpisanych certifikatov.
+Skript preto obsahuje prikaz, ktorym sa sam zmaze po vytvoreni vsetkych 
+potrebnych struktur a suborov.
+
+STRUKTURA PRIECINKOV
+Skript vytvori nasledovnu strukturu priecinkov a suborov:
+
+myCA
+ |
+ |_ rootCA
+ |	|_certs			-> priecinok s CA certikatom
+ |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
+ |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
+ |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
+ |	|_serial		-> pocitadlo podpisanych certifikatov
+ |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
+ |	|_root.cnf		-> konfiguracny subor pre hlavnu CA
+ |
+ |_ intermediateCA
+ |	|_certs			-> priecinok s CA certikatom
+ |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
+ |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
+ |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
+ |	|_serial		-> pocitadlo podpisanych certifikatov
+ |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
+ |	|_intermediateCA.cnf	-> konfiguracny subor pre sekundarnu CA
+
+
+GEN_CLIENT
+
+
+
+Priklad chyby:
+
+ERROR:There is already a certificate for /CN=www.testclient.com
+The matching entry has the following details
+Type          :Valid
+Expires on    :250421105929Z
+Serial Number :01
+File name     :unknown
+Subject Name  :/CN=www.testclient.com
--- a/CertifikacnaAutorita/gen_CA.bat
+++ b/CertifikacnaAutorita/gen_CA.bat
@ -0,0 +1,109 @@
+:: Demo script for creating CA structure as part of masters thesis
+:: Author: Jozef Simko
+:: School year: 5., Master study, 2023/24
+:: Study program: Computer Networks
+:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
+
+:: STRUKTURA PRIECINKOV
+:: Tento skript vytvori nasledovnu strukturu priecinkov a suborov:
+
+:: myCA
+::  |
+::  |_ rootCA
+::  |	|_certs			-> priecinok s CA certikatom
+::  |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
+::  |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
+::  |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
+::  |	|_serial		-> pocitadlo podpisanych certifikatov
+::  |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
+::  |	|_root.cnf		-> konfiguracny subor pre hlavnu CA
+::  |
+::  |_ intermediateCA
+::  |	|_certs			-> priecinok s CA certikatom
+::  |	|_newcerts		-> priecinok s podpisanymi certifikatmi, ich nazov sa rovna ich seriovemu cislu
+::  |	|_private		-> priecinok pre privatne kluce (mal by mat obmedzeny pristup)
+::  |	|_index/index.txt	-> databaza podpisanych certifikatov, ktora obsahuje detaily o podpisanych certifikatoch
+::  |	|_serial		-> pocitadlo podpisanych certifikatov
+::  |	|_crlnumber		-> pocitadlo zneplatnenych certifikatov
+::  |	|_intermediateCA.cnf	-> konfiguracny subor pre sekundarnu CA
+
+:: ---------------------------------------------------------------------------------------------------------------------------
+
+:: Vytvorenie struktury priecinkov
+mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index
+mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr
+
+:: PowerShell prikazy - prikaz 'echo' vytvara v PS subory s UTF-16 kodovanim
+::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial"
+::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber"
+::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File
+
+::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial"
+::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber"
+::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File
+
+:: Vytvorenie dodatocnych suborov pre rootCA a intermediateCA
+:: @serial - zaznamenava aktualne seriove cislo, ktore bude pouzite pre novy certifikatov
+:: kazdy certifikat je mozne identifikovat pomocou serioveho cisla - zaznam sa nachadza v subore index.txt
+:: @ crlnumber - pocitadlo zrusenych/zneplatnenych certifikatov
+:: zneplatnenie moze nastat ak doslo k prezradeniu privatneho kluca, ide o podvodny certifikat alebo sa zmenili informacie ziadatela certifikatu
+:: @ index.txt - subory pouzity ako databaza vsetkych podpisanych certifikatov
+:: databaza v indexe zaznamenava tieto informacie: status certifikatu, datum platnosti, seriove cislo a doplnkove informacie
+echo 00 > .\myCA\rootCA\serial
+echo 0100 > .\myCA\rootCA\crlnumber
+type NUL > .\myCA\rootCA\index\index.txt
+
+echo 00 > .\myCA\intermediateCA\serial
+echo 0100 > .\myCA\intermediateCA\crlnumber
+type NUL > .\myCA\intermediateCA\index\index.txt
+
+:: Skopirovanie konfiguracnych suborov do prislusnych zloziek
+:: Pre presunutie suborov staci pouzit nahradit prikaz copy prikazom move
+copy .\root.cnf .\myCA\rootCA\
+copy .\intermediate.cnf .\myCA\intermediateCA\
+
+:: ROOT CA
+:: Vygenerovanie sukromneho kluca a certifikatu pre root CA
+:: Pouzity algoritmus - PQ algoritmus falcon512
+openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 365 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes
+
+:: INT CA
+:: Vygenerovanie sukromneho kluca a certifikatu pre intermediate CA
+:: Podpisanie vygenerovaneho certifikatu pre intCA sukromnym klucom root CA
+:: Overenie podpisu
+openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes
+openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt
+openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt
+
+:: CERT-CHAIN
+:: Vytvorenie zretazeneho certifikatu z certifikatov root CA a int CA
+:: Overenie vygenerovaneho zretazeneho certifikatu
+type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem
+openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt
+
+
+:: SERVER CERTIFICATE
+:: Vygenerovanie sukromneho kluca a certifikatu pre server
+:: Overenie podpisu vysledneho certifikatu
+openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server" 
+openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt
+openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_server.crt
+
+:: CLIENT CERTIFICATE
+:: Vygenerovanie sukromneho kluca a certifikatu pre klienta
+:: Overenie podpisu vysledneho certifikatu
+openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com" 
+openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt
+openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt
+
+
+:: REVOKE CERTIFICATE
+:: Vygenerovanie dalsieho certifikatu pre "fake" server
+:: Podpisanie vygenerovaneho certifikatu
+:: Zneplatnenie vytvoreného certifikátu s dôvodom "affiliationChanged" (zmena vlastnosti koncoveho serveru)
+::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server"
+::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt
+::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged
+
+:: REMOVE SCRIPT
+:: del ./gen_CA.bat
--- a/CertifikacnaAutorita/gen_client_certificate.bat
+++ b/CertifikacnaAutorita/gen_client_certificate.bat
@ -0,0 +1,34 @@
+:: CLIENT CERTIFICATE
+:: Vygenerovanie sukromneho kluca a certifikatu pre klienta
+:: Overenie podpisu vysledneho certifikatu
+
+:: Nasledujuce prikazy su nazorovnou ukazkou toho ako je mozne vygenerovat
+:: sukromny kluc a certifikat urceny koncovemu pouzivatelovi - klientovi
+
+:: Tento prikaz je zlozeny z viacerych vstupov a generuje sukromny kluc a certifikat sucasne
+:: @-newkey :	nazov algoritmu pouziteho pre generovanie sukromneho kluca, napr. falcon512 alebo dilithium3
+:: @-keyout :	cesta k priecinku do ktoreho bude vygenerovany kluc ulozeny
+:: @-out    :	cesta k priecinku do ktoreho bude vygenerovany certifikat pre klienta
+:: @-subj   :	doplnujuce informacie, ktore musia byt urcene v zavislosti od poziadavok certifikacnej autority
+:: 		priklad: -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT Department/CN=Root CA"
+::		doplnujuce informacie su: C (country), ST (state), L (location), O (organization), OU (organization unit), CN (common name)
+
+openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.master-thesis-client.com" 
+
+:: Tento prikaz sluzi na podpis certifikatu
+:: Podpis certifikatu je realizovany sukromnym klucom CA ktory je definovany priamo v konfiguracnom subore
+:: @-batch 	: automaticke potvrdenie realizacie podpisu, bez tohto prepinacu musi pouzivatel rucne potvrdit operaciu podpisu
+:: @-config	: konfiguracny subor pouzity na podpis, okrem sukromneho kluca CA obsahuje aj podmienky pre realizaciu podpisu, napr. pritomnost doplnujucich informacii v certifikate
+:: @-extensions : rozsirenie 'client_cert' je modul, ktory je sucastou konfiguracneho suboru a je rovnaky iba pre certifikaty koncovych pouzivatelov, napr. certifikat bude oznaceny ako client/email certificate
+:: @-days 	: oznacuje dlzku platnosti podpisu v dnoch
+:: @-md 	: pouzity hash
+:: @-in 	: cesta k vstupnemu certifikatu ako .csr alebo .crt
+:: @-out	: cesta k priecinku do ktoreho bude zapisany podpisany certifikat
+
+openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt
+
+:: Posledny prikaz sluzi na overenie podpisu
+:: @-CAfile 	: zretazeny certifikat intCA
+
+openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt
+
--- a/CertifikacnaAutorita/intermediate.cnf
+++ b/CertifikacnaAutorita/intermediate.cnf
@ -0,0 +1,108 @@
+# OpenSSL intermediate CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = ./myCA/intermediateCA
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/falcon512_intCA.key
+certificate       = $dir/certs/falcon512_intCA.crt
+
+# For certificate revocation lists.
+crlnumber         = $dir/crl/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+copy_extensions   = copy
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]                                         
+countryName             = optional                       
+stateOrProvinceName     = optional                       
+localityName            = optional                       
+organizationName        = optional                       
+organizationalUnitName  = optional                       
+commonName              = supplied                       
+emailAddress            = optional                      
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+prompt		    = no
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+commonName                      = JS_master_thesis
+countryName                     = SK
+stateOrProvinceName             = Kosice
+#localityName                    = Locality Name
+0.organizationName              = TUKE
+#organizationalUnitName          = Organizational Unit Name
+#emailAddress                    = Email Address
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ client_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
--- a/CertifikacnaAutorita/root.cnf
+++ b/CertifikacnaAutorita/root.cnf
@ -0,0 +1,79 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = ./myCA/rootCA
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/falcon512_CA.key
+certificate       = $dir/certs/falcon512_CA.crt
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+prompt 		    = no
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+commonName                      = JS_master_thesis
+countryName                     = SK
+stateOrProvinceName             = Kosice
+#localityName                    = Locality Name
+0.organizationName              = TUKE
+#organizationalUnitName          = Organizational Unit Name
+#emailAddress                    = Email Address
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always,issuer