Starship/node-radius-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: a lot of bug fixes, first running version for windows and android :)

Browse Source 
code is super ugly right now.. please don't judge
This commit is contained in:
simon 2020-02-22 02:32:12 +01:00
parent 7e28c60d81
commit 0cb807a555
21 changed files with 449 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
config.js Normal file
View File

@ -0,0 +1,33 @@
import * as fs from 'fs';
module.exports = {
// radius secret
secret: 'testing123',
certificate: {
cert: fs.readFileSync('./ssl/cert/server.crt'),
key: [
{
pem: fs.readFileSync('./ssl/cert/server.key'),
passphrase: 'whatever2020'
}
]
},
// authentication
authentication: 'ldap',
authenticationOptions: {
url: 'ldap://127.0.0.1:1636',
base: 'dc=hokify,dc=com',
tlsOptions2: {
key: fs.readFileSync('ldap.gsuite.hokify.com.40567.key'),
cert: fs.readFileSync('ldap.gsuite.hokify.com.40567.crt'),
// This is necessary only if using the client certificate authentication.
requestCert: true,
// This is necessary only if the client uses the self-signed certificate.
ca: [fs.readFileSync('ldap.gsuite.hokify.com.40567.key')]
}
}
};

5
package.json
View File

@ -3,7 +3,7 @@
"description": "radius server for google LDAP and TTLT",
"version": "0.0.1",
"scripts": {
"start": "node dist/app.js",
"start": "/home/simon/Dev/others/node/node dist/app.js",
"build": "tsc",
"dev": "ts-node src/app.ts",
"test-ttls-pap": "eapol_test -c ./ttls-pap.conf -s testing123",
@ -17,7 +17,8 @@
"ts-node": "^8.6.2",
"type-cacheable": "^4.0.0",
"yargs": "~15.1.0",
"md5": "^2.2.1"
"md5": "^2.2.1",
"passport-ldapauth": "^2.1.3"
},
"devDependencies": {
"@types/ldapjs": "^1.0.5",

100
src/app.ts
View File

@ -3,27 +3,15 @@ import * as radius from 'radius';
// import * as dgram from "dgram";
// import * as fs from 'fs';
import { EAPHandler } from './eap';
import { makeid } from './helpers';
import { IDeferredPromise, makeid, MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from './helpers';
import { LDAPAuth } from './ldap';
import { GoogleLDAPAuth } from './auth/google-ldap';
import { AdditionalAuthHandler } from './types/Handler';
const server = dgram.createSocket('udp4');
// not used right now, using stunnel to connect to ldap
/* const tlsOptions = {
key: fs.readFileSync('ldap.gsuite.hokify.com.40567.key'),
cert: fs.readFileSync('ldap.gsuite.hokify.com.40567.crt'),
// This is necessary only if using the client certificate authentication.
requestCert: true,
// This is necessary only if the client uses the self-signed certificate.
ca: [fs.readFileSync('ldap.gsuite.hokify.com.40567.key')]
}; */
const { argv } = require('yargs')
.usage('Simple Google LDAP <> RADIUS Server\nUsage: $0')
.usage('RADIUS Server\nUsage: $0')
.example('$0 --port 1812 -s radiussecret')
.default({
port: 1812,
@ -46,9 +34,39 @@ console.log(`LDAP Server: ${argv.ldapServer}`);
// const ldap = new LDAPAuth({url: 'ldap://ldap.google.com', base: 'dc=hokify,dc=com', uid: 'uid', tlsOptions});
const ldap = new LDAPAuth(argv.ldapServer, argv.baseDN);
const ldap = new GoogleLDAPAuth(argv.ldapServer, argv.baseDN);
const eapHandler = new EAPHandler();
const timeout: { [key: string]: NodeJS.Timeout } = {};
const waitForNextMsg: { [key: string]: IDeferredPromise } = {};
function sendToClient(
msg: string | Uint8Array,
offset: number,
length: number,
port?: number,
address?: string,
callback?: (error: Error | null, bytes: number) => void,
stateForRetry?: string
): void {
let retried = 0;
function sendResponse() {
console.log(`sending response... (try: ${retried})`);
server.send(msg, offset, length, port, address, (error: Error | null, bytes: number) => {
// all good
if (callback) callback(error, bytes);
});
if (stateForRetry && retried < 3) {
// timeout[stateForRetry] = setTimeout(sendResponse, 600 * (retried+1));
}
retried++;
}
sendResponse();
}
server.on('message', async function(msg, rinfo) {
const packet = radius.decode({ packet: msg, secret: argv.secret });
@ -57,7 +75,6 @@ server.on('message', async function(msg, rinfo) {
console.log('unknown packet type: ', packet.code);
return;
}
// console.log('packet.attributes', packet.attributes);
// console.log('rinfo', rinfo);
@ -90,7 +107,7 @@ server.on('message', async function(msg, rinfo) {
});
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
server.send(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
sendToClient(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
@ -99,15 +116,22 @@ server.on('message', async function(msg, rinfo) {
if (packet.attributes['EAP-Message']) {
const state = (packet.attributes.State && packet.attributes.State.toString()) || makeid(16);
// EAP MESSAGE
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, {
if (timeout[state]) {
clearTimeout(timeout[state]);
}
const handlers = {
response: (EAPMessage: Buffer) => {
const attributes: any = [['State', Buffer.from(state)]];
let sentDataSize = 0;
do {
if (EAPMessage.length > 0) {
attributes.push(['EAP-Message', EAPMessage.slice(sentDataSize, sentDataSize + 253)]);
sentDataSize += 253;
attributes.push([
'EAP-Message',
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
]);
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
}
} while (sentDataSize < EAPMessage.length);
@ -118,14 +142,34 @@ server.on('message', async function(msg, rinfo) {
attributes
});
server.send(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
});
waitForNextMsg[state] = newDeferredPromise();
sendToClient(
response,
0,
response.length,
rinfo.port,
rinfo.address,
function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
},
state
);
return waitForNextMsg[state].promise;
},
checkAuth
});
};
if (waitForNextMsg[state]) {
const identifier = packet.attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
}
// EAP MESSAGE
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, handlers);
} else {
const username = packet.attributes['User-Name'];
const password = packet.attributes['User-Password'];

7
src/ldap.ts → src/auth/google-ldap.ts
View File

@ -1,13 +1,14 @@
import * as NodeCache from 'node-cache';
import { createClient, Client } from 'ldapjs';
import { IAuthentication } from '../types/Authentication';
const usernameFields = ['posixUid', 'mail'];
// TLS:
// https://github.com/ldapjs/node-ldapjs/issues/307
export class LDAPAuth {
export class GoogleLDAPAuth implements IAuthentication {
cache = new NodeCache();
ldap: Client;
@ -24,7 +25,7 @@ export class LDAPAuth {
this.fetchDNs();
}
async fetchDNs() {
private async fetchDNs() {
const dns: { [key: string]: string } = {};
await new Promise((resolve, reject) => {
@ -119,6 +120,6 @@ export class LDAPAuth {
this.cache.set(cacheKey, true, 86400);
return true;
return username;
}
}

80
src/eap.ts
View File

@ -4,6 +4,7 @@
// https://tools.ietf.org/html/draft-funk-eap-ttls-v1-00 TTLS v1 (not implemented)
import { IResponseHandlers, ResponseHandler } from './types/Handler';
import { EAPTTLS } from './eap/eap-ttls';
import { MAX_RADIUS_ATTRIBUTE_SIZE } from './helpers';
export class EAPHandler {
eapTTLS: EAPTTLS;
@ -17,28 +18,35 @@ export class EAPHandler {
* @param data
* @param type 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
*/
private sendEAPResponse(
private async sendEAPResponse(
response: ResponseHandler,
identifier: number,
data?: Buffer,
msgType = 21,
msgFlags = 0x00
) {
const maxFragmentSize = 1400; // @todo .. take framed-mtu into account from AVPs
let i = 0;
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
let sentDataSize = 0;
let currentIdentifier = identifier;
let currentResponse = response;
do {
const fragmentMaxPart =
data && (i + 1) * maxFragmentSize > data.length ? undefined : (i + 1) * maxFragmentSize;
const sslPart = data && data.slice(i * maxFragmentSize, fragmentMaxPart);
console.log('sslPart', sslPart, i, maxFragmentSize, i * maxFragmentSize, fragmentMaxPart);
// SLICE
const includeLength =
data &&
i === 0 &&
fragmentMaxPart !== undefined; /* firsrt one and we have more, therefore include length */
// const fragmentMaxPart =
// data && (i + 1) * maxFragmentSize > data.length ? (i + 1) * maxFragmentSize : undefined;
const dataPart = data && data.length > 0 && data.slice(sentDataSize, sentDataSize + maxSize);
/* it's the first one and we have more, therefore include length */
const includeLength = data && i === 0 && sentDataSize < data.length;
sentDataSize += maxSize;
// console.log('includeLength', includeLength, fragmentMaxPart, i)
i += 1;
/*
@ -62,11 +70,13 @@ export class EAPHandler {
const flags =
msgFlags +
(includeLength ? 0b10000000 : 0) + // set L bit
(fragmentMaxPart /* we have more */ ? 0b01000000 : 0); // set M bit
(data && sentDataSize < data.length /* we have more */ ? 0b01000000 : 0); // set M bit
currentIdentifier++;
let buffer = Buffer.from([
1, // request
identifier + 1,
currentIdentifier,
0, // length (1/2)
0, // length (2/2)
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
@ -81,15 +91,16 @@ export class EAPHandler {
buffer = Buffer.concat([buffer, length]);
}
const resBuffer = sslPart ? Buffer.concat([buffer, sslPart]) : buffer;
const resBuffer = dataPart ? Buffer.concat([buffer, dataPart]) : buffer;
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
console.log('EAP RESPONSE', {
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
code: 1,
identifier: identifier + 1,
length: (includeLength && data && data.byteLength) || 0,
msgType,
flags,
currentIdentifier,
includeLength,
length: (data && data.byteLength) || 0,
msgType: msgType.toString(10),
flags: `00000000${flags.toString(2)}`.substr(-8),
data
});
@ -98,13 +109,14 @@ export class EAPHandler {
// buffer.writeInt8(21, 4); // eap-ttls
// buffer.writeInt8(0, 5); // flags
/*
@todo: this is wrong,
if there are more messages, add them to a queue
and process the next one when client has ack. (message without data)
*/
response(resBuffer);
} while (data && i * maxFragmentSize < data.length);
console.log('sending message with identifier', currentIdentifier);
({ identifier: currentIdentifier, response: currentResponse } = await currentResponse(
resBuffer
));
console.log('next message got identifier', currentIdentifier);
} while (data && sentDataSize < data.length);
console.log('DONE', sentDataSize, data && data.length);
}
handleEAPMessage(msg: Buffer, state: string, handlers: IResponseHandlers) {
@ -148,8 +160,7 @@ export class EAPHandler {
Message Length | Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
console.log('RESPONDING WITH IDENTIDY / START');
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
this.sendEAPResponse(handlers.response, identifier, undefined, 21, 0x20);
@ -167,14 +178,17 @@ export class EAPHandler {
break;
case 21: // EAP TTLS
this.eapTTLS.handleMessage(msg, state, handlers, identifier);
return;
break;
case 3: // nak
this.sendEAPResponse(handlers.response, identifier, undefined, 3);
// this.sendEAPResponse(handlers.response, identifier, undefined, 3);
break;
case 2: // notification
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
console.info('notification');
break;
case 4: // md5-challenge
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
console.info('md5-challenge');
break;
case 254: // expanded type
@ -183,7 +197,11 @@ export class EAPHandler {
break;
default:
console.error('unsupported type', type);
// we do not support this auth type, ask for TTLS
console.error('unsupported type', type, 'requesting TTLS (21)');
this.sendEAPResponse(handlers.response, identifier, Buffer.from([21]), 3);
break;
}
break;

4
src/eap/challenges/pap.ts
View File

@ -1,6 +1,6 @@
import { IAuthChallenge } from '../../types/AuthChallenge';
import { IEAPChallenge } from '../../types/EAPChallenge';
export class PAPChallenge implements IAuthChallenge {
export class PAPChallenge implements IEAPChallenge {
// i couldn't find any documentation about it, therefore best guess how this is processed...
// http://www.networksorcery.com/enp/rfc/rfc1334.txt ?

88
src/eap/eap-ttls.ts
View File

@ -1,10 +1,16 @@
/* eslint-disable no-bitwise */
import * as events from 'events';
import * as tls from 'tls';
import { encodeTunnelPW, openTLSSockets, startTLSServer } from '../tls/crypt';
import { AdditionalAuthHandler, IResponseHandlers } from '../types/Handler';
import { AdditionalAuthHandler, ResponseAuthHandler } from '../types/Handler';
import { PAPChallenge } from './challenges/pap';
import { IEAPType } from '../types/EAPType';
interface IEAPResponseHandlers {
response: (respData?: Buffer, msgType?: number) => void;
checkAuth: ResponseAuthHandler;
}
export class EAPTTLS implements IEAPType {
papChallenge: PAPChallenge;
@ -12,23 +18,48 @@ export class EAPTTLS implements IEAPType {
this.papChallenge = new PAPChallenge();
}
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
const flags = msg.slice(5, 6); // .toString('hex');
decode(msg: Buffer) {
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
// if (flags)
// @todo check if "L" flag is set in flags
const msglength = msg.slice(6, 10).readInt32BE(0); // .toString('hex');
const data = msg.slice(6, msg.length); // 10); //.toString('hex');
const decodedFlags = {
lengthIncluded: flags & 0b010000000,
moreFragments: flags & 0b001000000,
start: flags & 0b000100000,
reserved: flags & 0b000011000,
version: flags & 0b010000111
};
let msglength;
if (decodedFlags.lengthIncluded) {
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
}
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
return {
decodedFlags,
msglength,
data
};
}
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
const { decodedFlags, msglength, data } = this.decode(msg);
// check if no data package is there and we have something in the queue, if so.. empty the queue first
if (!data) {
if (!data || data.length === 0) {
// @todo: queue processing
console.warn('no data, just a confirmation!');
console.warn(
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
);
return;
}
console.log('incoming EAP TTLS', {
flags /*
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
// flags: `00000000${flags.toString(2)}`.substr(-8),
decodedFlags,
identifier,
/*
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| L | M | S | R | R | V |
@ -39,14 +70,15 @@ export class EAPTTLS implements IEAPType {
S = Start
R = Reserved
V = Version (000 for EAP-TTLSv0)
*/,
*/
msglength,
data,
dataStr: data.toString()
});
let currentConnection = openTLSSockets.get(state) as
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IResponseHandlers }
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IEAPResponseHandlers }
| undefined;
if (!currentConnection) {
const connection = startTLSServer();
@ -71,12 +103,15 @@ export class EAPTTLS implements IEAPType {
// pwd not found..
console.error('pwd not found', err);
// NAK
currentConnection!.currentHandlers.response(undefined, 3);
/*
this.sendEAPResponse(
currentConnection!.currentHandlers.response,
identifier,
undefined,
3
);
); */
currentConnection!.events.emit('end');
throw new Error(`pwd not found`);
}
@ -85,16 +120,28 @@ export class EAPTTLS implements IEAPType {
console.log('data', incomingData);
console.log('data str', incomingData.toString());
currentConnection!.events.emit('end');
throw new Error(`unsupported auth type${type}`);
// currentConnection!.events.emit('end');
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
// throw new Error(`unsupported auth type${type}`);
currentConnection!.currentHandlers.response(Buffer.from([1]), 3);
/*
this.sendEAPResponse(
currentConnection!.currentHandlers.response,
identifier,
Buffer.from([1]),
3
); */
}
});
currentConnection.events.on('response', (responseData: Buffer) => {
console.log('sending encrypted data back to client', responseData);
// console.log('sending encrypted data back to client', responseData);
// send back...
this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
currentConnection!.currentHandlers.response(responseData);
// this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
// this.sendMessage(TYPE.PRELOGIN, data, false);
});
@ -103,13 +150,14 @@ export class EAPTTLS implements IEAPType {
console.log('ENDING SOCKET');
openTLSSockets.del(state);
});
} else {
} /* else {
console.log('using existing socket');
}
} */
// update handlers
currentConnection.currentHandlers = {
...handlers,
response: (respData?: Buffer, msgType?: number) =>
this.sendEAPResponse(handlers.response, identifier, respData, msgType),
checkAuth: (username: string, password: string) => {
const additionalAuthHandler: AdditionalAuthHandler = (success, params) => {
const buffer = Buffer.from([
@ -138,7 +186,7 @@ export class EAPTTLS implements IEAPType {
'ttls keying material'
);
console.log('keyingMaterial', keyingMaterial);
// console.log('keyingMaterial', keyingMaterial);
// eapKeyData + len
params.attributes.push([

30
src/helpers.ts
View File

@ -7,3 +7,33 @@ export function makeid(length) {
}
return result;
}
export const MAX_RADIUS_ATTRIBUTE_SIZE = 253;
export interface IDeferredPromise {
promise: Promise<any>;
resolve: (value?: unknown) => Promise<void>;
reject: (reason?: any) => Promise<void>;
}
export const newDeferredPromise = (): IDeferredPromise => {
if (Promise && !('deferred' in Promise)) {
let fResolve;
let fReject;
const P = new Promise((resolve, reject) => {
fResolve = resolve;
fReject = reject;
});
return {
promise: P,
resolve: fResolve,
reject: fReject
};
}
return (Promise as any).deferred;
};
export const delay = (timeout: number) =>
new Promise(resolve => setTimeout(() => resolve(), timeout));

22
src/tls/crypt.ts
View File

@ -5,14 +5,21 @@ import { createSecureContext } from 'tls';
import * as fs from 'fs';
import * as crypto from 'crypto';
import * as DuplexPair from 'native-duplexpair';
import * as constants from 'constants';
import { makeid } from '../helpers';
import * as config from '../../config';
// https://nodejs.org/api/tls.html
const tlsOptions = {
cert: fs.readFileSync('./ssl/public-cert.pem'),
key: fs.readFileSync('./ssl/private-key.pem'),
ecdhCurve: 'auto'
const tlsOptions: tls.SecureContextOptions = {
...config.certificate,
// ca: fs.readFileSync('./ssl/server.pem'),
// eslint-disable-next-line no-bitwise
secureOptions: constants.SSL_OP_NO_TICKET // : constants.SSL_OP_NO_TLSv1_2 | constants.SSL_OP_NO_TLSv1_1,
// honorCipherOrder: true
// secureOptions:
// ecdhCurve: 'auto'
};
console.log('tlsOptions', tlsOptions);
const secureContext = createSecureContext(tlsOptions);
export const openTLSSockets = new NodeCache({ useClones: false, stdTTL: 3600 }); // keep sockets for about one hour
@ -22,7 +29,11 @@ export function startTLSServer(): { events: events.EventEmitter; tls: tls.TLSSoc
const cleartext = new tls.TLSSocket(duplexpair.socket1, {
secureContext,
isServer: true
isServer: true,
enableTrace: true,
rejectUnauthorized: false,
// handshakeTimeout: 10,
requestCert: false
});
const encrypted = duplexpair.socket2;
@ -71,6 +82,7 @@ export function startTLSServer(): { events: events.EventEmitter; tls: tls.TLSSoc
console.log('*********** new client connection established / secured ********');
// this.emit('secure', securePair.cleartext);
// this.encryptAllFutureTraffic();
console.log('GET FINSIHED', cleartext.getFinished());
});
cleartext.on('error', (err?: Error) => {

3
src/types/Authentication.ts Normal file
View File

@ -0,0 +1,3 @@
export interface IAuthentication {
authenticate(username: string, password: string): Promise<string>;
}

2
src/types/AuthChallenge.ts → src/types/EAPChallenge.ts
View File

@ -1,3 +1,3 @@
export interface IAuthChallenge {
export interface IEAPChallenge {
decode(data: Buffer): { username: string; password: string };
}

2
src/types/EAPType.ts
View File

@ -1,3 +1,3 @@
export interface IEAPType {
handleMessage(msg: Buffer, state: string, handlers, identifier: number)
handleMessage(msg: Buffer, state: string, handlers, identifier: number);
}

4
src/types/Handler.ts
View File

@ -1,6 +1,8 @@
import { RadiusPacket } from 'radius';
export type ResponseHandler = (msg: Buffer) => void;
export type ResponseHandler = (
msg: Buffer
) => Promise<{ identifier: number; response: ResponseHandler }>;
export type ResponseAuthHandler = (
username: string,
password: string,

8
ssl/README.md Normal file
View File

@ -0,0 +1,8 @@
this is based on freeradius cert directory :)
1.) edit ca.cnf
2.) edit server.cnf
3.) replace your choosen pwd (deafult is whatever2020) in create.sh
4.) run ./create.sh
5.) set your choosen pwd in ~/config.js

61
ssl/ca.cnf Normal file
View File

@ -0,0 +1,61 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./cert/
certs = $dir
crl_dir = $dir/crl
database = db/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = db/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 60
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever2020
output_password = whatever2020
x509_extensions = v3_ca
[certificate_authority]
countryName = AT
stateOrProvinceName = Vienna
localityName = Vienna
organizationName = hokify.com
emailAddress = info@hokify.com
commonName = "hokify GmbH"
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
crlDistributionPoints = URI:http://www.example.org/example_ca.crl

0
ssl/cert/index.txt Normal file
View File

1
ssl/cert/serial Normal file
View File

@ -0,0 +1 @@
00

17
ssl/create.sh
View File

@ -1,2 +1,15 @@
openssl genrsa -out private-key.pem 1024
openssl req -new -key private-key.pem -out csr.pem
# generate private key
# openssl genrsa -out csr.key 2048
# CA
openssl req -new -x509 -keyout cert/ca.key -out cert/ca.pem -days 3600 -config ./ca.cnf
# server
openssl req -new -out cert/server.csr -keyout cert/server.key -config ./server.cnf
# sign it
# -key $(PASSWORD_CA) (default pwd is whatever2020)
openssl ca -batch -keyfile cert/ca.key -cert cert/ca.pem -in cert/server.csr -key whatever2020 -out cert/server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
# sign it
# openssl x509 -req -in csr.pem -signkey private-key.pem -out public-cert.pem

54
ssl/server.cnf Normal file
View File

@ -0,0 +1,54 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./cert/
certs = $dir
crl_dir = $dir/crl
database = db/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = db/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 6000
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = whatever2020
output_password = whatever2020
[server]
countryName = AT
stateOrProvinceName = Vienna
localityName = Vienna
organizationName = hokify.com
emailAddress = info@hokify.com
commonName = "hokify GmbH"

1
ssl/sign.sh
View File

@ -1 +0,0 @@
openssl x509 -req -in csr.pem -signkey private-key.pem -out public-cert.pem

24
ssl/xpextensions Normal file
View File

@ -0,0 +1,24 @@
#
# File containing the OIDs required for Windows.
#
# http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
crlDistributionPoints = URI:http://www.example.com/example_ca.crl
[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
crlDistributionPoints = URI:http://www.example.com/example_ca.crl
#
# Add this to the PKCS#7 keybag attributes holding the client's private key
# for machine authentication.
#
# the presence of this OID tells Windows XP that the cert is intended
# for use by the computer itself, and not by an end-user.
#
# The other solution is to use Microsoft's web certificate server
# to generate these certs.
#
# 1.3.6.1.4.1.311.17.2