From ab056455ec4d861cf6b0c7457ae988f8d4b2ee37 Mon Sep 17 00:00:00 2001
From: JohnE
Date: Fri, 14 Sep 2018 09:29:17 -0700
Subject: [PATCH] NEW: new p12 extractor application, doc updates
---
 README | 10 +++--
 docs/ccc_ss | 52 ++++++++++++++++++++++++++
 docs/pki_agile | 9 +++-
 docs/ss_cfg | 28 ++++++++++++++
 src/pki_bootstrap/pki_bootstrap.sh | 12 +++---
 src/pki_bootstrap/res/libs/gen_ca-i.sh | 1 +
 src/sandbox/p12ext.sh | 37 ++++++++++++++++++
 7 files changed, 137 insertions(+), 12 deletions(-)
 create mode 100644 docs/ccc_ss
 create mode 100644 docs/ss_cfg
 create mode 100644 src/sandbox/p12ext.sh
diff --git a/README b/README
index d01af26..8264702 100644
--- a/README
+++ b/README
@@ -31,13 +31,17 @@ There are two main applications contained in this project.
 VERSIONS
 ---------------------
-Ver 3.2 - MOB Hub PKI Lifecycle
+ver 3.3 - MOB Hub CA-I Package
+ * updated applications to be more modular
+ * each CA-I package has
+
+ver 3.2 - MOB Hub PKI Lifecycle
 * PKI Lifecycle - generate certificates during the CA's lifecycle
-Ver 3.1 - MOB Hub PKI Bootstrap
+ver 3.1 - MOB Hub PKI Bootstrap
 * PKI Bootstrap - generate an entire chain-of-trust
-Ver 3.0 - CA Intermediate Support
+ver 3.0 - CA Intermediate Support
 * requires openssl (does not require ipsec)
 * CA Intermediate support
 -root CA can be generated with 5-10yr expiration, put into cold-storage
diff --git a/docs/ccc_ss b/docs/ccc_ss
new file mode 100644
index 0000000..6bae478
--- /dev/null
+++ b/docs/ccc_ss
@@ -0,0 +1,52 @@
+[[[ StrongSwan Code Command & Control ]]]
+
+
+
+[[ Networking ]]
+# VPN UDP service (StrongSwan ipsec)
+$ nc -zuv 192.168.123.129 500
+$ nc -zuv 192.168.123.129 4500
+
+# view all network services
+$ netstat -pntul
+
+
+# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
+$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12 192.168.123.129:500
+
+
+[[ Service ]]
+
+$ sudo ipsec statusall | start | stop
+
+
+[[ Android ]]
+
+# install certificates
+Settings -> Security -> Credential Storage -> Install from SD
+ "ca.crt.pem", "client_s.p12"
+
+# alias the multi-connections
+alias adb1='adb -s 192.168.123.131'
+alias adb2='adb -s 192.168.123.132'
+
+# connect to android IP
+$ adb connect 192.168.123.131
+$ adb connect 192.168.123.132
+
+# execute commands to the connected android
+$ adb -s 192.168.123.131 shell
+$ adb -s 192.168.123.132 push client_s.p12 /data/media/0/Download/
+
+# restarting adb as root
+$ adb -s 192.168.123.132 root
+$ adb -s 192.168.123.132 shell
+
+# push the .p12 file to the Downloads folder of the user storage
+$ adb push client_s.p12 /data/media/0/Download/
+$ adb push ca_i.crt.pem /data/media/0/Download/
+
+# using the alias, push the apk, then install
+$ adb2 push strongSwan-1.9.6.apk /data/local/tmp/ss.apk
+$ adb2 shell pm install "/data/local/tmp/ss.apk"
+
diff --git a/docs/pki_agile b/docs/pki_agile
index b03314a..b0a26df 100644
--- a/docs/pki_agile
+++ b/docs/pki_agile
@@ -3,9 +3,10 @@ [[ WORKING ]]
-* PKI Bootstrap: cp lifecycle functions
-* PKI Lifecycle
-
+* discover process that pulls the cert file
+ -modify to pull from CA-I server certs
+* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS)
+* push latest source code
 [[ BACKLOG ]]
@@ -49,6 +50,8 @@ * auto-increment SERIAL
 * CA FQDN saved to config file
 * CA-I FQDN saved to config file
+* added certificate generation count to PKI Bootstrap application
+* added certificate generation count to cai_gen application
 [ ver 3.2 ]
diff --git a/docs/ss_cfg b/docs/ss_cfg
new file mode 100644
index 0000000..f098453
--- /dev/null
+++ b/docs/ss_cfg
@@ -0,0 +1,28 @@
+j3g@ubuntu-16:~$ sudo ipsec statusall
+[sudo] password for j3g:
+Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
+ uptime: 9 hours, since Sep 11 14:12:51 2018
+ malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
+ worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
+ loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
+Virtual IP pools (size/online/offline):
+ 10.10.10.0/30: 2/0/0
+ 10.10.11.0/30: 2/0/0
+Listening IP addresses:
+ 192.168.123.129
+Connections:
+ standard: 192.168.123.129...%any IKEv2, dpddelay=300s
+ standard: local: [s.acme.xyz] uses public key authentication
+ standard: cert: "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
+ standard: remote: uses public key authentication
+ standard: ca: "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
+ standard: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
+ maintenance: 192.168.123.129...%any IKEv2, dpddelay=300s
+ maintenance: local: [s.acme.xyz] uses public key authentication
+ maintenance: cert: "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
+ maintenance: remote: uses public key authentication
+ maintenance: ca: "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
+ maintenance: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
+Security Associations (0 up, 0 connecting):
+ none
+
diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh
index 770e055..70f688d 100755
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@@ -11,6 +11,7 @@ . res/libs/pki_funcs.sh
 PARAM1=$1
+PARAM2=$2
 usage() {
 echo
@@ -73,7 +74,7 @@ app_init() {
 #
 # IN: UNIQ_ID_CA, SERIAL
 #
-gen_lifecycle() {
+mk_lifecycle_pkg() {
 get_serial_ca
 # Organize
@@ -120,20 +121,19 @@ cp_lifecycle_docs() {
 #
 # Generate Lifecycle CA Intermediates
 #
-gen_lc_ca_i() {
+gen_lc_cai() {
 cd $FQ_DIR_LC
 if [[ -n $PARAM2 ]]; then
 COUNT=$(($PARAM2-1))
 else
- COUNT=2
+ COUNT=1
 fi
 for NUM in $(seq 0 $COUNT)
 do
 ca-i_gen_pki $ORG_URL 5
 done
-
 }
 # ***** ***** ***** ***** *****
@@ -172,11 +172,11 @@ main() {
 # generate new CA
 # create new PKI Lifecycle Package
 app_init
- gen_lifecycle
+ mk_lifecycle_pkg
 cp_lifecycle_docs
 # gen some CAs
- gen_lc_ca_i
+ gen_lc_cai
 # make sure we return to root execution path
 cd "${CD_ROOT}"
diff --git a/src/pki_bootstrap/res/libs/gen_ca-i.sh b/src/pki_bootstrap/res/libs/gen_ca-i.sh
index af46bd3..f1b8d16 100755
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh
+++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh
@@ -22,6 +22,7 @@ usage() {
 echo
 echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
 echo " 10 (optional) \\"
+ echo
 exit 1
 }
diff --git a/src/sandbox/p12ext.sh b/src/sandbox/p12ext.sh
new file mode 100644
index 0000000..645429e
--- /dev/null
+++ b/src/sandbox/p12ext.sh
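Review bot: In the `gen_lc_cai` hunk, `COUNT=$(($PARAM2-1))` uses the second command-line argument without validating it, so a non-numeric value either aborts the arithmetic or, if it happens to name a shell variable, silently yields a count of -1 and `seq 0 $COUNT` runs the loop zero times; guard it with `[[ $PARAM2 =~ ^[0-9]+$ ]] || { echo "count must be a positive integer" >&2; exit 1; }` before the subtraction. On the line above, `cd $FQ_DIR_LC` is unquoted and its status is not checked, so if the directory is missing the `ca-i_gen_pki` calls run in whatever directory the caller was in; `cd "$FQ_DIR_LC" || return 1` keeps the loop where it belongs. The change from `COUNT=2` to `COUNT=1` also drops the default from three intermediates to two, and in the first hunk `PARAM2=$2` is added while the `usage()` lines shown are not updated to describe the new argument — at least in the lines visible here, so worth confirming against the rest of `usage()`.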
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Extract the ca certificate, user certificate, user keys from the p12 package
+#
+#
+# -clcerts (only output client certificates (not CA certificates))
+# -cacerts (only output CA certificates (not client certificates))
+# -nocerts (no certificates at all will be output)
+# -nokeys (no private keys will be output)
+#
+#
+if [[ -n $1 ]]; then
+ echo
+else
+ echo
+ echo "This script will copy the certificates and keys to the strongswan configuration paths"
+ echo
+ echo "Usage: p12ext [password]"
+ echo
+ echo "Example: p12ext file.p12"
+ echo
+ exit 1
+fi
+
+# create a unique path for the server certificate
+UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
+UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
+mkdir $UNIQ_DIR_LC
+
+# keys
+openssl pkcs12 -nodes -nocerts -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.keys.pem
+
+# certificate
+openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.crt.pem
+
+# CA
+openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/ca-chain.crt.pem
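Review bot: The three `openssl pkcs12` calls hardcode the PKCS#12 passphrase as `-password "pass:password"`, which both fixes the value in the source and passes it on the command line where it is visible in `ps` output and shell history; read it from the terminal and hand it over with `-passin env:P12_PASS` (or `-passin stdin`) instead. The usage text `p12ext [password]` also contradicts the example and the code, which treat `$1` as the .p12 file. Because `-nodes` writes the private key unencrypted into a directory created by `mkdir $UNIQ_DIR_LC` under the caller's default umask, the key file can end up group- or world-readable; set `umask 077` and create the directory with `mkdir -m 700`. Separately, `$1` and `$UNIQ_DIR_LC` are unquoted, `date` is called with backticks, and neither `mkdir` nor the `openssl` exit statuses are checked, so a failed extraction still exits 0. The file lives under `src/sandbox/`, so it may be scratch code, but the rewrite below is small.
```shell
#!/bin/bash
set -euo pipefail
umask 077   # key material below is written unencrypted (-nodes); keep the files owner-only

P12_FILE=${1:-}
# … unchanged: usage text and exit 1 when $1 is empty …
[[ -f "$P12_FILE" ]] || { echo "p12ext: no such file: $P12_FILE" >&2; exit 1; }

# read the PKCS#12 passphrase from the terminal instead of hardcoding it on the command line
read -r -s -p "PKCS#12 password: " P12_PASS; echo
export P12_PASS

# create a unique, owner-only path for the extracted material
UNIQ_DIR_LC="p12ext_$(date +%Y-%m-%d.%H_%M_%S)"
mkdir -m 700 -- "$UNIQ_DIR_LC"

# keys
openssl pkcs12 -nodes -nocerts -passin env:P12_PASS -in "$P12_FILE" -out "$UNIQ_DIR_LC/user.keys.pem"
# … unchanged: the -clcerts and -cacerts calls, with the same -passin env:P12_PASS and quoting …
```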