NEW: new p12 extractor application, doc updates

2018-09-14 09:29:17 -07:00 · 2018-09-14 09:29:17 -07:00 · ab056455ec
parent fdfb893a5f
commit ab056455ec
7 changed files with 137 additions and 12 deletions
--- a/10
+++ b/10
@ -31,13 +31,17 @@ There are two main applications contained in this project.
  VERSIONS
 ---------------------

-Ver 3.2 - MOB Hub PKI Lifecycle
+ver 3.3 - MOB Hub CA-I Package
+  * updated applications to be more modular
+  * each CA-I package has 
+  
+ver 3.2 - MOB Hub PKI Lifecycle
  * PKI Lifecycle
    - generate certificates during the CA's lifecycle
-Ver 3.1 - MOB Hub PKI Bootstrap
+ver 3.1 - MOB Hub PKI Bootstrap
  * PKI Bootstrap
    - generate an entire chain-of-trust
-Ver 3.0 - CA Intermediate Support
+ver 3.0 - CA Intermediate Support
  * requires openssl  (does not require ipsec)
  * CA Intermediate support
    -root CA can be generated with 5-10yr expiration, put into cold-storage
--- a/docs/ccc_ss
+++ b/docs/ccc_ss
@ -0,0 +1,52 @@
+[[[ StrongSwan Code Command & Control ]]]
+
+
+
+[[ Networking ]]
+# VPN UDP service (StrongSwan ipsec)
+$ nc -zuv  192.168.123.129 500
+$ nc -zuv  192.168.123.129 4500
+
+# view all network services
+$ netstat -pntul
+
+
+# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
+$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12  192.168.123.129:500
+
+
+[[ Service ]]
+
+$ sudo ipsec statusall | start | stop
+
+
+[[ Android ]]
+
+# install certificates
+Settings -> Security -> Credential Storage -> Install from SD
+  "ca.crt.pem", "client_s.p12"
+
+# alias the multi-connections
+alias adb1='adb -s 192.168.123.131'
+alias adb2='adb -s 192.168.123.132'
+
+# connect to android IP
+$ adb connect 192.168.123.131
+$ adb connect 192.168.123.132
+
+# execute commands to the connected android
+$ adb -s 192.168.123.131 shell
+$ adb -s 192.168.123.132 push client_s.p12  /data/media/0/Download/
+
+# restarting adb as root
+$ adb -s 192.168.123.132 root
+$ adb -s 192.168.123.132 shell
+
+# push the .p12 file to the Downloads folder of the user storage
+$ adb push client_s.p12  /data/media/0/Download/
+$ adb push ca_i.crt.pem  /data/media/0/Download/
+
+# using the alias, push the apk, then install
+$ adb2 push strongSwan-1.9.6.apk  /data/local/tmp/ss.apk
+$ adb2 shell pm install "/data/local/tmp/ss.apk"
+
--- a/docs/pki_agile
+++ b/docs/pki_agile
@ -3,9 +3,10 @@

 [[ WORKING ]]

-* PKI Bootstrap:  cp lifecycle functions
-* PKI Lifecycle
-
+* discover process that pulls the cert file
+  -modify to pull from CA-I server certs
+* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS)
+* push latest source code


 [[ BACKLOG ]]
@ -49,6 +50,8 @@
 * auto-increment SERIAL
 * CA FQDN saved to config file
 * CA-I FQDN saved to config file
+* added certificate generation count to PKI Bootstrap application
+* added certificate generation count to cai_gen application


 [ ver 3.2 ]
--- a/docs/ss_cfg
+++ b/docs/ss_cfg
@ -0,0 +1,28 @@
+j3g@ubuntu-16:~$ sudo ipsec statusall
+[sudo] password for j3g: 
+Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
+  uptime: 9 hours, since Sep 11 14:12:51 2018
+  malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
+  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
+  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
+Virtual IP pools (size/online/offline):
+  10.10.10.0/30: 2/0/0
+  10.10.11.0/30: 2/0/0
+Listening IP addresses:
+  192.168.123.129
+Connections:
+    standard:  192.168.123.129...%any  IKEv2, dpddelay=300s
+    standard:   local:  [s.acme.xyz] uses public key authentication
+    standard:    cert:  "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
+    standard:   remote: uses public key authentication
+    standard:    ca:    "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
+    standard:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
+ maintenance:  192.168.123.129...%any  IKEv2, dpddelay=300s
+ maintenance:   local:  [s.acme.xyz] uses public key authentication
+ maintenance:    cert:  "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
+ maintenance:   remote: uses public key authentication
+ maintenance:    ca:    "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
+ maintenance:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
+Security Associations (0 up, 0 connecting):
+  none
+
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@ -11,6 +11,7 @@
 . res/libs/pki_funcs.sh

 PARAM1=$1
+PARAM2=$2

 usage() {
  echo
@ -73,7 +74,7 @@ app_init() {
 # 
 # IN: UNIQ_ID_CA, SERIAL
 #
-gen_lifecycle() {
+mk_lifecycle_pkg() {
  get_serial_ca

  # Organize
@ -120,20 +121,19 @@ cp_lifecycle_docs() {
 #
 # Generate Lifecycle CA Intermediates
 #
-gen_lc_ca_i() {
+gen_lc_cai() {
  cd $FQ_DIR_LC

  if [[ -n $PARAM2 ]]; then
    COUNT=$(($PARAM2-1))
  else
-    COUNT=2
+    COUNT=1
  fi

  for NUM in $(seq 0 $COUNT)
  do
    ca-i_gen_pki $ORG_URL 5
  done
-
 }

 # ***** ***** ***** ***** *****
@ -172,11 +172,11 @@ main() {
  # generate new CA
  # create new PKI Lifecycle Package
  app_init
-  gen_lifecycle
+  mk_lifecycle_pkg
  cp_lifecycle_docs

  # gen some CAs
-  gen_lc_ca_i  
+  gen_lc_cai  
  
  # make sure we return to root execution path
  cd "${CD_ROOT}"
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh
+++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh
@ -22,6 +22,7 @@ usage() {
  echo
  echo "  example: gen_ca-i.sh  skunkworks.acme.xyz \\"
  echo "                        10  (optional) \\"
+  echo
  exit 1
 }

--- a/src/sandbox/p12ext.sh
+++ b/src/sandbox/p12ext.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Extract the ca certificate, user certificate, user keys from the p12 package
+#
+#
+# -clcerts    (only output client certificates (not CA certificates))
+# -cacerts    (only output CA certificates (not client certificates))
+# -nocerts    (no certificates at all will be output)
+# -nokeys     (no private keys will be output)
+# 
+# 
+if [[ -n $1 ]]; then
+  echo
+else
+  echo
+  echo "This script will copy the certificates and keys to the strongswan configuration paths"
+  echo 
+  echo "Usage: p12ext  <file>  [password]"
+  echo
+  echo "Example: p12ext  file.p12"
+  echo
+  exit 1
+fi
+
+# create a unique path for the server certificate
+UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
+UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
+mkdir $UNIQ_DIR_LC
+
+# keys
+openssl pkcs12 -nodes -nocerts -password "pass:password"  -in $1  -out $UNIQ_DIR_LC/user.keys.pem
+
+# certificate
+openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password"  -in $1  -out $UNIQ_DIR_LC/user.crt.pem
+
+# CA
+openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password"  -in $1  -out $UNIQ_DIR_LC/ca-chain.crt.pem