WIP: bugs exist...arrrg

docs/ipsec_conf

@@ -0,0 +1,63 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+  # uniqueids=never
+  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
+
+ca acme
+  cacert=ca.crt.pem
+  auto=add
+
+# this is the default rekey time
+# rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))  authby=pubkey
+# https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
+conn %default
+  # crypto settings
+  keyexchange=ikev2
+  authby=pubkey
+  ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
+  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
+  # tunnel processing info
+  type=tunnel
+  fragmentation=yes
+  forceencaps=yes     # force to encrypt UDP also
+  dpdaction=clear     # dead-peer detection to clear any "dangling" connections
+  dpddelay=300s
+  rekey=no            #TODO check this out
+  # ikelifetime=60m
+  # keylife=20m
+  # rekeymargin=3m
+  # keyingtries=1
+  # 
+  # tunneling config
+  # If left|rightcert is configured the identity has to be confirmed by the
+  #  certificate, that is, it has to match the full subject DN or one of the 
+  #  subjectAltName extensions contained in the certificate
+  left=192.168.123.129   # attempting to bind to this specific IP
+  leftid=@s.acme.xyz     # the client needs to be configured for the "server id" of this string
+  leftsubnet=0.0.0.0/0   # required or the right IP's aren't routing to each other...
+
+
+# standard user connection
+conn mob-standard
+  # tunneling config
+  leftcert=server_s.acme.xyz_s.crt.pem
+  right=%any
+  rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
+  # virstual IP address pool
+  rightsourceip=10.10.10.0/24
+  rightdns=192.168.123.129
+  auto=add
+
+
+# maintenance role connection that will have elevated priveledges
+# this configuration can be used with a "maintenance tablet" to update a MOB Hub
+conn mob-maintenance
+  # tunneling config
+  leftcert=server_s.acme.xyz_m.crt.pem
+  right=%any
+  rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
+  # virstual IP address pool
+  rightsourceip=10.10.11.0/24
+  rightdns=192.168.123.129
+  auto=add

src/pki_bootstrap/pki_bootstrap.sh

@@ -81,27 +81,29 @@ gen_lifecycle() {
   # create a unique path for the server certificate
   UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
   UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
-  mkdir -p "${UNIQ_DIR_LC}"
-  cd "${UNIQ_DIR_LC}"
   FQ_DIR_LC=`pwd`
+  FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
 
   # create CA unique dir
   UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
   CA_DIR="ca_${UNIQ_ID_CA}"
-  mkdir $CA_DIR
-  cd $CA_DIR
-  FQ_CA_DIR=`pwd`
-  FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
-  FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+  # cd $CA_DIR
+  # FQ_CA_DIR=`pwd`
+  # FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+  # FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+
+  # mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}"
+  mkdir -p "${UNIQ_DIR_LC}/ca"
+  cd "${UNIQ_DIR_LC}"
 
   # initialize the functions lib
-  pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
+  # pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
   # generate a new CA
   gen_ca $UNIQ_ID_CA $SERIAL
 
   # go back to original dir
   cd ..
-  cd ..
+  # cd ..
 }
 
 #
@@ -111,6 +113,7 @@ cp_lifecycle_docs() {
   RES="${CD_ROOT}/res"
 
   mkdir -p "${UNIQ_DIR_LC}/cfg"
+  echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
   cp -r $CD_ROOT/res        $CD_ROOT/$UNIQ_DIR_LC/
   cp $RES/libs/gen_ca-i.sh  $CD_ROOT/$UNIQ_DIR_LC/
   cp $RES/docs/README_LC    $CD_ROOT/$UNIQ_DIR_LC/README
@@ -118,8 +121,8 @@ cp_lifecycle_docs() {
   cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
   cp "${RES}/cnf/${ORG_URL}.cnf"  $CD_ROOT/$UNIQ_DIR_LC/cfg/
   cp "${RES}/cnf/ca.cnf"          $CD_ROOT/$UNIQ_DIR_LC/cfg/
-  cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem    $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
-  cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
+  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem    $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
+  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
 }
 
 #
@@ -133,6 +136,36 @@ gen_lc_ca_i() {
   # ca-i_gen_pki $ORG_URL 3001 8
 }
 
+# ***** ***** ***** ***** *****
+# 
+# CERTIFICATE AUTHORITY (CA)
+# 
+# ***** ***** ***** ***** *****
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+gen_ca() {
+  UNIQ_ID_CA=$1
+  SERIAL=$2
+
+  echo_block "Create CA (${UNIQ_ID_CA})"
+
+  # encrypt the key
+  #openssl genrsa -aes256 -out ca.keys.pem 4096
+  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
+
+  # key un-protected
+  openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096
+  # 
+  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
+  openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
+              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+              -key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt
+}
+
 
 main() {
   CD_ROOT=`pwd`

src/pki_bootstrap/res/libs/gen_ca-i.sh

@@ -32,7 +32,7 @@ usage() {
 main() {
   # uses global variables: $PARAM1 $PARAM2 $PARAM3
   check_params
-  ca-i_gen_pki 
+  ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
 }
 
 main

src/pki_bootstrap/res/libs/pki_funcs.sh

@@ -48,6 +48,9 @@ get_serial() {
 
 #
 # check the three parameters: $PARAM1, $PARAM2, $PARAM3
+# PARAM1 : ORG_URL
+# PARAM2 : SERIAL
+# PARAM3 : Num Certs
 # the parameters are expected to be global
 # 
 check_params() {
@@ -94,35 +97,6 @@ check_params() {
   fi
 }
 
-# ***** ***** ***** ***** *****
-# 
-# CERTIFICATE AUTHORITY (CA)
-# 
-# ***** ***** ***** ***** *****
-# This function will generate a CA Intermediate
-# IN: UNIQ_ID_CA, SERIAL
-#
-gen_ca() {
-  UNIQ_ID_CA=$1
-  SERIAL=$2
-
-  echo_block "Create CA (${UNIQ_ID_CA})"
-
-  # encrypt the key
-  #openssl genrsa -aes256 -out ca.keys.pem 4096
-  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
-
-  # key un-protected
-  openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
-  # 
-  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
-  openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-              -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
-
-  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
-}
 
 #
 # Create CA Intermediate PKI
@@ -140,8 +114,9 @@ gen_ca() {
 # 
 ca-i_gen_pki() {
   CDD=`pwd`
-  ORG_URL=$PARAM1
-  NUM_CERTS=$(($PARAM3-1))
+  ORG_URL=$1
+  SERIAL=$2
+  NUM_CERTS=$(($3-1))
 
   # create unique directory
   UNIQ_ID="${SERIAL}.${ORG_URL}" 
@@ -207,7 +182,7 @@ ca-i_create_shell() {
 
   DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}"
 
-  echo $UNIQ_ID > UNIQ_ID
+  echo $UNIQ_ID > UNIQ_ID_CA-I
 
   # client
   mkdir -p $DEST_DIR/clients/cfg
@@ -220,10 +195,8 @@ ca-i_create_shell() {
   cp ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
   cp ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
   cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
+  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/clients/cfg/
   cp UNIQ_ID            $DEST_DIR/clients/cfg/
-  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
-  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
-  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
 
   # server
   mkdir -p $DEST_DIR/servers/cfg
@@ -236,27 +209,21 @@ ca-i_create_shell() {
   cp ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
   cp ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
   cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
+  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/servers/cfg/
   cp UNIQ_ID            $DEST_DIR/servers/cfg/
-  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
-  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
-  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
 
   # CA-I
   mkdir -p $DEST_DIR/ca-i/data
   mkdir -p $DEST_DIR/ca-i/docs
   mkdir -p $DEST_DIR/ca-i/distro
   cp $CDD/res/docs/README_CAI       $DEST_DIR/README
-  cp $CDD/ca_*/ca_*.crt.pem         $DEST_DIR/ca-i/data/
-  cp $CDD/ca_*/ca_*.info.txt        $DEST_DIR/ca-i/docs/
+  cp $CDD/ca/ca_*.crt.pem         $DEST_DIR/ca-i/data/
+  cp $CDD/ca/ca_*.info.txt        $DEST_DIR/ca-i/docs/
   # generated files
   mv ca_i*.pem            $DEST_DIR/ca-i/data/
   mv ca_i*.info.txt       $DEST_DIR/ca-i/docs/
   mv ca_i*.p12            $DEST_DIR/ca-i/distro
   mv ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
-  # mv $DEST_DIR/ca_i*.pem            $DEST_DIR/ca-i/data/
-  # mv $DEST_DIR/ca_i*.info.txt       $DEST_DIR/ca-i/docs/
-  # mv $DEST_DIR/ca_i*.p12            $DEST_DIR/ca-i/distro
-  # mv $DEST_DIR/ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
 }
 
 # This function will generate a CA Intermediate
@@ -300,12 +267,13 @@ ca-i_gen_cert() {
   cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
 }
 
-get_org_url() {
-  ORG_URL=`head cfg/UNIQ_ID`
-  if [[ -z $ORG_URL ]]; then
-    echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
-    exit 1
-  fi  
+get_uniq_ids() {
+  UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
+  UNIQ_ID_CA-I=`head cfg/UNIQ_ID_CA-I`
+  # if [[ -z $ORG_URL ]]; then
+  #   echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
+  #   exit 1
+  # fi  
 }
 
 gen_client() {
@@ -321,28 +289,30 @@ gen_client_cert() {
   ORG_URL=$1 
   SERIAL=$2
 
-  UNIQ_ID="${SERIAL}.${ORG_URL}"
+  get_uniq_ids
+
+  UNIQ_ID="${SERIAL}_${ORG_URL}"
   CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
 
   echo_block "Generate Client Certificates  (${UNIQ_ID})"
 
-  openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096
 
-  openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
-              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-              -out "data/client_${UNIQ_ID}.csr.pem"
+  openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \
+              -out "data/client-${UNIQ_ID}.csr.pem"
   # CA Intermediate signs Client
   openssl x509 -req -days 365 \
                -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-               -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
+               -in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem"
 
   # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
-                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
-                 -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
+  openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \
+                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \
+                 -in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12"
 
   # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
+  openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt"
 }
 
 #