NEW: new p12 extractor application, doc updates

This commit is contained in:
JohnE 2018-09-14 09:29:17 -07:00
parent fdfb893a5f
commit ab056455ec
7 changed files with 137 additions and 12 deletions

10
README

@ -31,13 +31,17 @@ There are two main applications contained in this project.
VERSIONS VERSIONS
--------------------- ---------------------
Ver 3.2 - MOB Hub PKI Lifecycle ver 3.3 - MOB Hub CA-I Package
* updated applications to be more modular
* each CA-I package has
ver 3.2 - MOB Hub PKI Lifecycle
* PKI Lifecycle * PKI Lifecycle
- generate certificates during the CA's lifecycle - generate certificates during the CA's lifecycle
Ver 3.1 - MOB Hub PKI Bootstrap ver 3.1 - MOB Hub PKI Bootstrap
* PKI Bootstrap * PKI Bootstrap
- generate an entire chain-of-trust - generate an entire chain-of-trust
Ver 3.0 - CA Intermediate Support ver 3.0 - CA Intermediate Support
* requires openssl (does not require ipsec) * requires openssl (does not require ipsec)
* CA Intermediate support * CA Intermediate support
-root CA can be generated with 5-10yr expiration, put into cold-storage -root CA can be generated with 5-10yr expiration, put into cold-storage
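Review bot: the new ver 3.3 entry ends with an unfinished bullet, `* each CA-I package has`, so the changelog never says what a CA-I package contains; finish that sentence (or drop the bullet) before this lands. The `Ver` to `ver` edits on the existing entries are a harmless style cleanup, but they are unrelated to the commit message and would be easier to review as their own commit.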

52
docs/ccc_ss Normal file

@ -0,0 +1,52 @@
[[[ StrongSwan Code Command & Control ]]]
[[ Networking ]]
# VPN UDP service (StrongSwan ipsec)
$ nc -zuv 192.168.123.129 500
$ nc -zuv 192.168.123.129 4500
# view all network services
$ netstat -pntul
# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12 192.168.123.129:500
[[ Service ]]
$ sudo ipsec statusall | start | stop
[[ Android ]]
# install certificates
Settings -> Security -> Credential Storage -> Install from SD
"ca.crt.pem", "client_s.p12"
# alias the multi-connections
alias adb1='adb -s 192.168.123.131'
alias adb2='adb -s 192.168.123.132'
# connect to android IP
$ adb connect 192.168.123.131
$ adb connect 192.168.123.132
# execute commands to the connected android
$ adb -s 192.168.123.131 shell
$ adb -s 192.168.123.132 push client_s.p12 /data/media/0/Download/
# restarting adb as root
$ adb -s 192.168.123.132 root
$ adb -s 192.168.123.132 shell
# push the .p12 file to the Downloads folder of the user storage
$ adb push client_s.p12 /data/media/0/Download/
$ adb push ca_i.crt.pem /data/media/0/Download/
# using the alias, push the apk, then install
$ adb2 push strongSwan-1.9.6.apk /data/local/tmp/ss.apk
$ adb2 shell pm install "/data/local/tmp/ss.apk"
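Review bot: the openconnect line contradicts its own comment: it targets `192.168.123.129:500`, the IKE UDP port probed two lines above, while the comment says openconnect only works for HTTPS/Cisco-style VPNs and not IKEv2, so this command cannot succeed against the strongSwan service these notes describe; either drop it or point it at a TLS VPN endpoint. Two smaller points: `$ sudo ipsec statusall | start | stop` uses pipes to mean "one of", which a reader may paste literally, so write it as three commands or as `ipsec {statusall|start|stop}`; and `client_s.p12` pushed to `/data/media/0/Download/` carries the client's private key and stays on shared storage after it is imported into the credential store, so add a step to delete it from the Download folder once the import is done.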

View File

@ -3,9 +3,10 @@
[[ WORKING ]] [[ WORKING ]]
* PKI Bootstrap: cp lifecycle functions * discover process that pulls the cert file
* PKI Lifecycle -modify to pull from CA-I server certs
* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS)
* push latest source code
[[ BACKLOG ]] [[ BACKLOG ]]
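Review bot: the new WORKING items use two different markers: `* discover process that pulls the cert file` is a bullet, while `-modify to pull from CA-I server certs` looks like a sub-item but lacks the indentation the README uses for sub-items (`- generate certificates during the CA's lifecycle`); indent it under its parent or promote it to its own bullet so the list structure is unambiguous.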
@ -49,6 +50,8 @@
* auto-increment SERIAL * auto-increment SERIAL
* CA FQDN saved to config file * CA FQDN saved to config file
* CA-I FQDN saved to config file * CA-I FQDN saved to config file
* added certificate generation count to PKI Bootstrap application
* added certificate generation count to cai_gen application
[ ver 3.2 ] [ ver 3.2 ]
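Review bot: the finished item says the count was added to the `cai_gen application`, but the script's own usage text calls it `gen_ca-i.sh`, the lifecycle function is now `gen_lc_cai`, and it calls `ca-i_gen_pki`; pick one spelling (ca-i or cai) for the component and use it consistently in docs and code, otherwise a grep for the tool name misses half the references.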

28
docs/ss_cfg Normal file

@ -0,0 +1,28 @@
j3g@ubuntu-16:~$ sudo ipsec statusall
[sudo] password for j3g:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
uptime: 9 hours, since Sep 11 14:12:51 2018
malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.10.10.0/30: 2/0/0
10.10.11.0/30: 2/0/0
Listening IP addresses:
192.168.123.129
Connections:
standard: 192.168.123.129...%any IKEv2, dpddelay=300s
standard: local: [s.acme.xyz] uses public key authentication
standard: cert: "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
standard: remote: uses public key authentication
standard: ca: "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
standard: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
maintenance: 192.168.123.129...%any IKEv2, dpddelay=300s
maintenance: local: [s.acme.xyz] uses public key authentication
maintenance: cert: "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
maintenance: remote: uses public key authentication
maintenance: ca: "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
maintenance: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
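Review bot: this file is a raw terminal capture with no heading saying what it documents, unlike docs/ccc_ss; add a one-line header stating that it is the expected `ipsec statusall` output for a freshly configured server, and drop the `[sudo] password for j3g:` prompt and the `j3g@ubuntu-16:~$` host prefix, which are session residue rather than configuration. That header should also say that `Security Associations (0 up, 0 connecting): none` is the expected idle state, so a reader comparing their own output does not mistake it for a failure.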

View File

@ -11,6 +11,7 @@
. res/libs/pki_funcs.sh . res/libs/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
usage() { usage() {
echo echo
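Review bot: `PARAM2=$2` is captured here without any validation, yet it feeds shell arithmetic later in this file (`COUNT=$(($PARAM2-1))`); a non-numeric value either raises a bash arithmetic error or, because bash expands an unknown word inside `$((...))` to 0, quietly becomes `-1` and the CA-I loop runs zero times with no message. Check next to usage() that it is a non-negative integer and reject anything else before app_init does any work.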
@ -73,7 +74,7 @@ app_init() {
# #
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
gen_lifecycle() { mk_lifecycle_pkg() {
get_serial_ca get_serial_ca
# Organize # Organize
@ -120,20 +121,19 @@ cp_lifecycle_docs() {
# #
# Generate Lifecycle CA Intermediates # Generate Lifecycle CA Intermediates
# #
gen_lc_ca_i() { gen_lc_cai() {
cd $FQ_DIR_LC cd $FQ_DIR_LC
if [[ -n $PARAM2 ]]; then if [[ -n $PARAM2 ]]; then
COUNT=$(($PARAM2-1)) COUNT=$(($PARAM2-1))
else else
COUNT=2 COUNT=1
fi fi
for NUM in $(seq 0 $COUNT) for NUM in $(seq 0 $COUNT)
do do
ca-i_gen_pki $ORG_URL 5 ca-i_gen_pki $ORG_URL 5
done done
} }
# ***** ***** ***** ***** ***** # ***** ***** ***** ***** *****
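Review bot: the default `COUNT=1` (was `COUNT=2`) silently changes how many intermediates are generated when PARAM2 is absent, from three to two, because `seq 0 $COUNT` is inclusive; the commit message mentions only docs and the p12 extractor, so call this out in the README versions list. The `$(($PARAM2-1))` / `seq 0` pairing also hides the intent; if NUM is not used elsewhere, `for NUM in $(seq 1 ${PARAM2:-2})` gives the same iteration count and reads directly. Finally `cd $FQ_DIR_LC` has no `|| return`, so if the directory is missing the loop still runs `ca-i_gen_pki $ORG_URL 5` in whatever the current directory happens to be.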
@ -172,11 +172,11 @@ main() {
# generate new CA # generate new CA
# create new PKI Lifecycle Package # create new PKI Lifecycle Package
app_init app_init
gen_lifecycle mk_lifecycle_pkg
cp_lifecycle_docs cp_lifecycle_docs
# gen some CAs # gen some CAs
gen_lc_ca_i gen_lc_cai
# make sure we return to root execution path # make sure we return to root execution path
cd "${CD_ROOT}" cd "${CD_ROOT}"

View File

@ -22,6 +22,7 @@ usage() {
echo echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\" echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10 (optional) \\" echo " 10 (optional) \\"
echo
exit 1 exit 1
} }
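Review bot: the usage example shows a bare `10 (optional)` as the second argument without saying what it controls (a package count, a validity in years, ...); state that in the usage text so callers do not have to read the source to find out.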

37
src/sandbox/p12ext.sh Normal file

@ -0,0 +1,37 @@
#!/bin/bash
#
# Extract the ca certificate, user certificate, user keys from the p12 package
#
#
# -clcerts (only output client certificates (not CA certificates))
# -cacerts (only output CA certificates (not client certificates))
# -nocerts (no certificates at all will be output)
# -nokeys (no private keys will be output)
#
#
if [[ -n $1 ]]; then
echo
else
echo
echo "This script will copy the certificates and keys to the strongswan configuration paths"
echo
echo "Usage: p12ext <file> [password]"
echo
echo "Example: p12ext file.p12"
echo
exit 1
fi
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
mkdir $UNIQ_DIR_LC
# keys
openssl pkcs12 -nodes -nocerts -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.keys.pem
# certificate
openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.crt.pem
# CA
openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/ca-chain.crt.pem
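Review bot: the script never uses the `[password]` argument its usage advertises; all three openssl calls hard-code `-password "pass:password"`, so it only works for packages protected with the literal string `password` and exposes that passphrase to anyone who can read the script or the process list. Take it from `$2` with `-passin pass:...` only for throwaway testing and prefer `-passin env:VAR` or an interactive prompt (both forms are documented for openssl's `-passin`). Second, `-nodes` writes the private key unencrypted to `user.keys.pem` inside a directory created under the default umask, so the key is normally world-readable; set `umask 077` before `mkdir`, or `chmod 600` the key file. Third, the usage text says the files are copied to the strongSwan configuration paths, but the script only writes to `./p12ext_<timestamp>/`; fix one or the other. Smaller: quote `$1` and `$UNIQ_DIR_LC`, and `if [[ -n $1 ]]; then echo else ... fi` reads more clearly as `if [[ -z $1 ]]; then usage; fi`.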