WIP: bugs exist...arrrg

2018-08-29 01:17:34 -07:00 · 2018-08-29 01:17:34 -07:00 · ffd416b5d1
parent 23ea416acf
commit ffd416b5d1
4 changed files with 138 additions and 72 deletions
--- a/docs/ipsec_conf
+++ b/docs/ipsec_conf
@ -0,0 +1,63 @@
 # ipsec.conf - strongSwan IPsec configuration file
 config setup
  # uniqueids=never
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
 ca acme
  cacert=ca.crt.pem
  auto=add
 # this is the default rekey time
 # rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))  authby=pubkey
 # https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
 conn %default
  # crypto settings
  keyexchange=ikev2
  authby=pubkey
  ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
  # tunnel processing info
  type=tunnel
  fragmentation=yes
  forceencaps=yes     # force to encrypt UDP also
  dpdaction=clear     # dead-peer detection to clear any "dangling" connections
  dpddelay=300s
  rekey=no            #TODO check this out
  # ikelifetime=60m
  # keylife=20m
  # rekeymargin=3m
  # keyingtries=1
  # 
  # tunneling config
  # If left|rightcert is configured the identity has to be confirmed by the
  #  certificate, that is, it has to match the full subject DN or one of the 
  #  subjectAltName extensions contained in the certificate
  left=192.168.123.129   # attempting to bind to this specific IP
  leftid=@s.acme.xyz     # the client needs to be configured for the "server id" of this string
  leftsubnet=0.0.0.0/0   # required or the right IP's aren't routing to each other...
 # standard user connection
 conn mob-standard
  # tunneling config
  leftcert=server_s.acme.xyz_s.crt.pem
  right=%any
  rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
  # virstual IP address pool
  rightsourceip=10.10.10.0/24
  rightdns=192.168.123.129
  auto=add
 # maintenance role connection that will have elevated priveledges
 # this configuration can be used with a "maintenance tablet" to update a MOB Hub
 conn mob-maintenance
  # tunneling config
  leftcert=server_s.acme.xyz_m.crt.pem
  right=%any
  rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
  # virstual IP address pool
  rightsourceip=10.10.11.0/24
  rightdns=192.168.123.129
  auto=add
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@ -81,27 +81,29 @@ gen_lifecycle() {
  # create a unique path for the server certificate
  UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
  UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
  mkdir -p "${UNIQ_DIR_LC}"
  cd "${UNIQ_DIR_LC}"
  FQ_DIR_LC=`pwd`
  FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
  # create CA unique dir
  UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
  CA_DIR="ca_${UNIQ_ID_CA}"
-  mkdir $CA_DIR
+  # cd $CA_DIR
-  cd $CA_DIR
+  # FQ_CA_DIR=`pwd`
-  FQ_CA_DIR=`pwd`
+  # FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
-  FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+  # FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
-  FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+
  # mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}"
  mkdir -p "${UNIQ_DIR_LC}/ca"
  cd "${UNIQ_DIR_LC}"
  # initialize the functions lib
-  pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
+  # pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
  # generate a new CA
  gen_ca $UNIQ_ID_CA $SERIAL
  # go back to original dir
  cd ..
-  cd ..
+  # cd ..
 }
 #
@ -111,6 +113,7 @@ cp_lifecycle_docs() {
  RES="${CD_ROOT}/res"
  mkdir -p "${UNIQ_DIR_LC}/cfg"
  echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
  cp -r $CD_ROOT/res        $CD_ROOT/$UNIQ_DIR_LC/
  cp $RES/libs/gen_ca-i.sh  $CD_ROOT/$UNIQ_DIR_LC/
  cp $RES/docs/README_LC    $CD_ROOT/$UNIQ_DIR_LC/README
@ -118,8 +121,8 @@ cp_lifecycle_docs() {
  cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
  cp "${RES}/cnf/${ORG_URL}.cnf"  $CD_ROOT/$UNIQ_DIR_LC/cfg/
  cp "${RES}/cnf/ca.cnf"          $CD_ROOT/$UNIQ_DIR_LC/cfg/
-  cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem    $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
+  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem    $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
-  cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
+  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
 }
 #
@ -133,6 +136,36 @@ gen_lc_ca_i() {
  # ca-i_gen_pki $ORG_URL 3001 8
 }
 # ***** ***** ***** ***** *****
 # 
 # CERTIFICATE AUTHORITY (CA)
 # 
 # ***** ***** ***** ***** *****
 # This function will generate a CA Intermediate
 # IN: UNIQ_ID_CA, SERIAL
 #
 gen_ca() {
  UNIQ_ID_CA=$1
  SERIAL=$2
  echo_block "Create CA (${UNIQ_ID_CA})"
  # encrypt the key
  #openssl genrsa -aes256 -out ca.keys.pem 4096
  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
  # key un-protected
  openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096
  # 
  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
  openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
              -key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem
  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt
 }
 main() {
  CD_ROOT=`pwd`
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh
+++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh
@ -32,7 +32,7 @@ usage() {
 main() {
  # uses global variables: $PARAM1 $PARAM2 $PARAM3
  check_params
-  ca-i_gen_pki 
+  ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
 }
 main
--- a/src/pki_bootstrap/res/libs/pki_funcs.sh
+++ b/src/pki_bootstrap/res/libs/pki_funcs.sh
@ -48,6 +48,9 @@ get_serial() {
 #
 # check the three parameters: $PARAM1, $PARAM2, $PARAM3
 # PARAM1 : ORG_URL
 # PARAM2 : SERIAL
 # PARAM3 : Num Certs
 # the parameters are expected to be global
 # 
 check_params() {
@ -94,35 +97,6 @@ check_params() {
  fi
 }
 # ***** ***** ***** ***** *****
 # 
 # CERTIFICATE AUTHORITY (CA)
 # 
 # ***** ***** ***** ***** *****
 # This function will generate a CA Intermediate
 # IN: UNIQ_ID_CA, SERIAL
 #
 gen_ca() {
  UNIQ_ID_CA=$1
  SERIAL=$2
  echo_block "Create CA (${UNIQ_ID_CA})"
  # encrypt the key
  #openssl genrsa -aes256 -out ca.keys.pem 4096
  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
  # key un-protected
  openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
  # 
  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
  openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
              -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
  # verify certificate (output to text file for review)
  openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
 }
 #
 # Create CA Intermediate PKI
@ -140,8 +114,9 @@ gen_ca() {
 # 
 ca-i_gen_pki() {
  CDD=`pwd`
-  ORG_URL=$PARAM1
+  ORG_URL=$1
-  NUM_CERTS=$(($PARAM3-1))
+  SERIAL=$2
  NUM_CERTS=$(($3-1))
  # create unique directory
  UNIQ_ID="${SERIAL}.${ORG_URL}" 
@ -207,7 +182,7 @@ ca-i_create_shell() {
  DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}"
-  echo $UNIQ_ID > UNIQ_ID
+  echo $UNIQ_ID > UNIQ_ID_CA-I
  # client
  mkdir -p $DEST_DIR/clients/cfg
@ -220,10 +195,8 @@ ca-i_create_shell() {
  cp ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
  cp ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
  cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/clients/cfg/
  cp UNIQ_ID            $DEST_DIR/clients/cfg/
  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
  # server
  mkdir -p $DEST_DIR/servers/cfg
@ -236,27 +209,21 @@ ca-i_create_shell() {
  cp ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
  cp ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
  cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/servers/cfg/
  cp UNIQ_ID            $DEST_DIR/servers/cfg/
  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
  # CA-I
  mkdir -p $DEST_DIR/ca-i/data
  mkdir -p $DEST_DIR/ca-i/docs
  mkdir -p $DEST_DIR/ca-i/distro
  cp $CDD/res/docs/README_CAI       $DEST_DIR/README
-  cp $CDD/ca_*/ca_*.crt.pem         $DEST_DIR/ca-i/data/
+  cp $CDD/ca/ca_*.crt.pem         $DEST_DIR/ca-i/data/
-  cp $CDD/ca_*/ca_*.info.txt        $DEST_DIR/ca-i/docs/
+  cp $CDD/ca/ca_*.info.txt        $DEST_DIR/ca-i/docs/
  # generated files
  mv ca_i*.pem            $DEST_DIR/ca-i/data/
  mv ca_i*.info.txt       $DEST_DIR/ca-i/docs/
  mv ca_i*.p12            $DEST_DIR/ca-i/distro
  mv ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
  # mv $DEST_DIR/ca_i*.pem            $DEST_DIR/ca-i/data/
  # mv $DEST_DIR/ca_i*.info.txt       $DEST_DIR/ca-i/docs/
  # mv $DEST_DIR/ca_i*.p12            $DEST_DIR/ca-i/distro
  # mv $DEST_DIR/ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
 }
 # This function will generate a CA Intermediate
@ -300,12 +267,13 @@ ca-i_gen_cert() {
  cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
 }
-get_org_url() {
+get_uniq_ids() {
-  ORG_URL=`head cfg/UNIQ_ID`
+  UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
-  if [[ -z $ORG_URL ]]; then
+  UNIQ_ID_CA-I=`head cfg/UNIQ_ID_CA-I`
-    echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
+  # if [[ -z $ORG_URL ]]; then
-    exit 1
+  #   echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
-  fi  
+  #   exit 1
  # fi  
 }
 gen_client() {
@ -321,28 +289,30 @@ gen_client_cert() {
  ORG_URL=$1 
  SERIAL=$2
-  UNIQ_ID="${SERIAL}.${ORG_URL}"
+  get_uniq_ids
  UNIQ_ID="${SERIAL}_${ORG_URL}"
  CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
  echo_block "Generate Client Certificates  (${UNIQ_ID})"
-  openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096
-  openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
+  openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \
-              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \
-              -out "data/client_${UNIQ_ID}.csr.pem"
+              -out "data/client-${UNIQ_ID}.csr.pem"
  # CA Intermediate signs Client
  openssl x509 -req -days 365 \
               -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-               -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
+               -in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem"
  # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
+  openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \
-                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
+                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \
-                 -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
+                 -in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12"
  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
+  openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt"
 }
 #