fix: a lot of bug fixes, first running version for windows and android :)

code is super ugly right now.. please don't judge
2020-02-22 02:32:12 +01:00
parent 7e28c60d81
commit 0cb807a555
21 changed files with 449 additions and 97 deletions
--- a/ssl/README.md
+++ b/ssl/README.md
@@ -0,0 +1,8 @@
+this is based on freeradius cert directory :)
+
+1.) edit ca.cnf
+2.) edit server.cnf
+3.) replace your choosen pwd (deafult is whatever2020) in create.sh
+4.) run ./create.sh
+5.) set your choosen pwd in ~/config.js  
+
--- a/ssl/ca.cnf
+++ b/ssl/ca.cnf
@@ -0,0 +1,61 @@
+[ ca ]
+default_ca              = CA_default
+
+[ CA_default ]
+dir                     = ./cert/
+certs                   = $dir
+crl_dir                 = $dir/crl
+database                = db/index.txt
+new_certs_dir           = $dir
+certificate             = $dir/ca.pem
+serial                  = db/serial
+crl                     = $dir/crl.pem
+private_key             = $dir/ca.key
+RANDFILE                = $dir/.rand
+name_opt                = ca_default
+cert_opt                = ca_default
+default_days            = 60
+default_crl_days        = 30
+default_md              = sha256
+preserve                = no
+policy                  = policy_match
+crlDistributionPoints   = URI:http://www.example.org/example_ca.crl
+
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+prompt                  = no
+distinguished_name      = certificate_authority
+default_bits            = 2048
+input_password          = whatever2020
+output_password         = whatever2020
+x509_extensions         = v3_ca
+
+[certificate_authority]
+countryName             = AT
+stateOrProvinceName     = Vienna
+localityName            = Vienna
+organizationName        = hokify.com
+emailAddress            = info@hokify.com
+commonName              = "hokify GmbH"
+
+[v3_ca]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+crlDistributionPoints   = URI:http://www.example.org/example_ca.crl
--- a/ssl/cert/index.txt
+++ b/ssl/cert/index.txt
--- a/ssl/cert/serial
+++ b/ssl/cert/serial
@@ -0,0 +1 @@
+00
--- a/ssl/create.sh
+++ b/ssl/create.sh
@@ -1,2 +1,15 @@
-openssl genrsa -out private-key.pem 1024
-openssl req -new -key private-key.pem -out csr.pem
+# generate private key
+# openssl genrsa -out csr.key 2048
+
+# CA
+openssl req -new -x509 -keyout cert/ca.key -out cert/ca.pem -days 3600 -config ./ca.cnf
+
+# server
+openssl req -new  -out cert/server.csr -keyout cert/server.key -config ./server.cnf
+
+# sign it
+# -key $(PASSWORD_CA) (default pwd is whatever2020)
+openssl ca -batch -keyfile cert/ca.key -cert cert/ca.pem -in cert/server.csr -key whatever2020 -out cert/server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+
+# sign it
+# openssl x509 -req -in csr.pem -signkey private-key.pem -out public-cert.pem
--- a/ssl/server.cnf
+++ b/ssl/server.cnf
@@ -0,0 +1,54 @@
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./cert/
+certs			= $dir
+crl_dir			= $dir/crl
+database		= db/index.txt
+new_certs_dir		= $dir
+certificate		= $dir/server.pem
+serial			= db/serial
+crl			= $dir/crl.pem
+private_key		= $dir/server.key
+RANDFILE		= $dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= 6000
+default_crl_days	= 30
+default_md		= sha256
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= server
+default_bits		= 2048
+input_password		= whatever2020
+output_password		= whatever2020
+
+[server]
+countryName		= AT
+stateOrProvinceName	= Vienna
+localityName		= Vienna
+organizationName	= hokify.com
+emailAddress		= info@hokify.com
+commonName		= "hokify GmbH"
+
--- a/ssl/sign.sh
+++ b/ssl/sign.sh
@@ -1 +0,0 @@
-openssl x509 -req -in csr.pem -signkey private-key.pem -out public-cert.pem
--- a/ssl/xpextensions
+++ b/ssl/xpextensions
@@ -0,0 +1,24 @@
+#
+#  File containing the OIDs required for Windows.
+#
+#  http://support.microsoft.com/kb/814394/en-us
+#
+[ xpclient_ext]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+crlDistributionPoints = URI:http://www.example.com/example_ca.crl
+
+[ xpserver_ext]
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1
+crlDistributionPoints = URI:http://www.example.com/example_ca.crl
+
+#
+#  Add this to the PKCS#7 keybag attributes holding the client's private key
+#  for machine authentication.
+#
+#  the presence of this OID tells Windows XP that the cert is intended
+#  for use by the computer itself, and not by an end-user.
+#
+#  The other solution is to use Microsoft's web certificate server
+#  to generate these certs.
+#
+# 1.3.6.1.4.1.311.17.2
				`@@ -1 +0,0 @@`
				`openssl x509 -req -in csr.pem -signkey private-key.pem -out public-cert.pem`