From 91795c6f87a88ed1c1cd893dd926d823c197b647 Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Fri, 21 Jun 2019 22:48:27 +0200 Subject: fix #5675 --- src/gns/Makefile.am | 2 +- src/gns/gnunet-gns-proxy-ca.template | 303 +++++++++++++++++++++++++++++++++++ src/gns/gnunet-gns-proxy-setup-ca.in | 24 +-- 3 files changed, 318 insertions(+), 11 deletions(-) create mode 100644 src/gns/gnunet-gns-proxy-ca.template diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am index 0a68e7cba..932b8d218 100644 --- a/src/gns/Makefile.am +++ b/src/gns/Makefile.am @@ -81,7 +81,7 @@ noinst_PROGRAMS = \ gnunet-gns-benchmark pkgdata_DATA = \ - openssl.cnf + gnunet-gns-proxy-ca.template if HAVE_MHD if LINUX diff --git a/src/gns/gnunet-gns-proxy-ca.template b/src/gns/gnunet-gns-proxy-ca.template new file mode 100644 index 000000000..32ee27fcd --- /dev/null +++ b/src/gns/gnunet-gns-proxy-ca.template @@ -0,0 +1,303 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "GNU" + +# The organizational unit of the subject. +unit = "GNUnet" + +# The locality of the subject. +locality = World + +# The state of the certificate owner. +# state = "Attiki" + +# The country of the subject. Two letter code. +country = ZZ + +# The common name of the certificate owner. +cn = "GNS Proxy CA" + +# A user id of the certificate owner. +#uid = "clauper" + +# Set domain components +#dc = "name" +#dc = "domain" + +# If the supported DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +#dn_oid = "2.5.4.12 Dr." +#dn_oid = "2.5.4.65 jackal" + +# This is deprecated and should not be used in new +# certificates. +# pkcs9_email = "none@none.org" + +# An alternative way to set the certificate's distinguished name directly +# is with the "dn" option. The attribute names allowed are: +# C (country), street, O (organization), OU (unit), title, CN (common name), +# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship, +# countryOfResidence, serialNumber, telephoneNumber, surName, initials, +# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name, +# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName, +# jurisdictionOfIncorporationStateOrProvinceName, +# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs. + +#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" + +# The serial number of the certificate +# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab). +# Comment the field for a random serial number. +#serial = 007 + +# In how many days, counting from today, this certificate will expire. +# Use -1 if there is no expiration date. +expiration_days = 3650 + +# Alternatively you may set concrete dates and time. The GNU date string +# formats are accepted. See: +# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html + +#activation_date = "2004-02-29 16:21:42" +#expiration_date = "2025-02-29 16:24:41" + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +#dns_name = "www.none.org" +#dns_name = "www.morethanone.org" + +# An othername defined by an OID and a hex encoded string +#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e" +#other_name_utf8 = "1.2.4.5.6 A UTF8 string" +#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string" + +# Allows writing an XmppAddr Identifier +#xmpp_name = juliet@im.example.com + +# Names used in PKINIT +#krb5_principal = user@REALM.COM +#krb5_principal = HTTP/user@REALM.COM + +# A subject alternative name URI +#uri = "https://www.example.com" + +# An IP address in case of a server. +#ip_address = "192.168.1.1" + +# An email in case of a person +email = "bounce@gnunet.org" + +# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS +# extension features to be provided by the server. In practice this is used +# to require the Status Request (extid: 5) extension from the server. That is, +# to require the server holding this certificate to provide a stapled OCSP response. +# You can have multiple lines for multiple TLS features. + +# To ask for OCSP status request use: +#tls_feature = 5 + +# Challenge password used in certificate requests +challenge_password = 123456 + +# Password when encrypting a private key +#password = secret + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +#crl_dist_points = "https://www.getcrl.crl/getcrl/" + +# Whether this is a CA certificate or not +ca + +# Subject Unique ID (in hex) +#subject_unique_id = 00153224 + +# Issuer Unique ID (in hex) +#issuer_unique_id = 00153225 + +#### Key usage + +# The following key usage flags are used by CAs and end certificates + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). This is the digitalSignature flag +# in RFC5280 terminology. +signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). Note that it is preferred to use different +# keys for encryption and signing. This is the keyEncipherment flag +# in RFC5280 terminology. +encryption_key + +# Whether this key will be used to sign other certificates. The +# keyCertSign flag in RFC5280 terminology. +cert_signing_key + +# Whether this key will be used to sign CRLs. The +# cRLSign flag in RFC5280 terminology. +#crl_signing_key + +# The keyAgreement flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#key_agreement + +# The dataEncipherment flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#data_encipherment + +# The nonRepudiation flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#non_repudiation + +#### Extended key usage (key purposes) + +# The following extensions are used in an end certificate +# to clarify its purpose. Some CAs also use it to indicate +# the types of certificates they are purposed to sign. + + +# Whether this certificate will be used for a TLS client; +# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of +# extended key usage. +#tls_www_client + +# Whether this certificate will be used for a TLS server; +# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of +# extended key usage. +tls_www_server + +# Whether this key will be used to sign code. This sets the +# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage +# extension. +#code_signing_key + +# Whether this key will be used to sign OCSP data. This sets the +# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension. +#ocsp_signing_key + +# Whether this key will be used for time stamping. This sets the +# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension. +#time_stamping_key + +# Whether this key will be used for email protection. This sets the +# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension. +#email_protection_key + +# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17). +#ipsec_ike_key + +## adding custom key purpose OIDs + +# for microsoft smart card logon +# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2 + +# for email protection +# key_purpose_oid = 1.3.6.1.5.5.7.3.4 + +# for any purpose (must not be used in intermediate CA certificates) +# key_purpose_oid = 2.5.29.37.0 + +### end of key purpose OIDs + +### Adding arbitrary extensions +# This requires to provide the extension OIDs, as well as the extension data in +# hex format. The following two options are available since GnuTLS 3.5.3. +#add_extension = "1.2.3.4 0x0AAB01ACFE" + +# As above but encode the data as an octet string +#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)" + +# For portability critical extensions shouldn't be set to certificates. +#add_critical_extension = "5.6.7.8 0x1AAB01ACFE" + +# When generating a certificate from a certificate +# request, then honor the extensions stored in the request +# and store them in the real certificate. +#honor_crq_extensions + +# Alternatively only specific extensions can be copied. +#honor_crq_ext = 2.5.29.17 +#honor_crq_ext = 2.5.29.15 + +# Path length contraint. Sets the maximum number of +# certificates that can be used to certify this certificate. +# (i.e. the certificate chain length) +#path_len = -1 +#path_len = 2 + +# OCSP URI +# ocsp_uri = https://my.ocsp.server/ocsp + +# CA issuers URI +# ca_issuers_uri = https://my.ca.issuer + +# Certificate policies +#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 +#policy1_txt = "This is a long policy to summarize" +#policy1_url = https://www.example.com/a-policy-to-read + +#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 +#policy2_txt = "This is a short policy" +#policy2_url = https://www.example.com/another-policy-to-read + +# The number of additional certificates that may appear in a +# path before the anyPolicy is no longer acceptable. +#inhibit_anypolicy_skip_certs 1 + +# Name constraints + +# DNS +#nc_permit_dns = example.com +#nc_exclude_dns = test.example.com + +# EMAIL +#nc_permit_email = "nmav@ex.net" + +# Exclude subdomains of example.com +#nc_exclude_email = .example.com + +# Exclude all e-mail addresses of example.com +#nc_exclude_email = example.com + +# IP +#nc_permit_ip = 192.168.0.0/16 +#nc_exclude_ip = 192.168.5.0/24 +#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64 + + +# Options for proxy certificates +#proxy_policy_language = 1.3.6.1.5.5.7.21.1 + + +# Options for generating a CRL + +# The number of days the next CRL update will be due. +# next CRL update will be in 43 days +#crl_next_update = 43 + +# this is the 5th CRL by this CA +# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab). +# Comment the field for a time-based number. +# Time-based CRL numbers generated in GnuTLS 3.6.3 and later +# are significantly larger than those generated in previous +# versions. Since CRL numbers need to be monotonic, you need +# to specify the CRL number here manually if you intend to +# downgrade to an earlier version than 3.6.3 after publishing +# the CRL as it is not possible to specify CRL numbers greater +# than 2**63-2 using hex notation in those versions. +#crl_number = 5 + +# Specify the update dates more precisely. +#crl_this_update_date = "2004-02-29 16:21:42" +#crl_next_update_date = "2025-02-29 16:24:41" + +# The date that the certificates will be made seen as +# being revoked. +#crl_revocation_date = "2025-02-29 16:24:41" diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in b/src/gns/gnunet-gns-proxy-setup-ca.in index cd5d8c70f..931971cb0 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca.in +++ b/src/gns/gnunet-gns-proxy-setup-ca.in @@ -133,13 +133,20 @@ generate_ca() # ------------- openssl - OPENSSLCFG=@pkgdatadir@/openssl.cnf - if test -z "`openssl version`" > /dev/null + GNUTLS_CA_TEMPLATE=@pkgdatadir@/gnunet-gns-proxy-ca.template + CERTTOOL="" + if test -z "`gnutls-certtool --version`" > /dev/null then - warningmsg "'openssl' command not found. Please install it." + if test -z "`certtool --versionn`" > /dev/null + then + warningmsg "'gnutls-certtool' or 'certtool' command not found. Please install it." infomsg "Cleaning up." - rm -f $GNSCAKY $GNSCANO $GNSCERT + rm -f $GNSCAKY $GNSCERT exit 1 + fi + CERTTOOL="certtool" + else + CERTTOOL="gnutls-certtool" fi if [ -n "${GNUNET_CONFIG_FILE}" ]; then GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}" @@ -149,13 +156,10 @@ generate_ca() GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}` mkdir -p `dirname $GNS_CA_CERT_PEM` - openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" - - infomsg "Removing passphrase from key" - openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO - + $CERTTOOL --generate-privkey --outfile $GNSCAKY + $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT infomsg "Making private key available to gnunet-gns-proxy" - cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM + cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM } importbrowsers() -- cgit v1.2.3