Several updates

* Subnets configuration option for Kerberos machine enrollment
* Configurable script snippets via [service] configuration section
* Preliminary revocation reason support
* Improved signature profile support
* Add domain components to DN to distinguish certificate CN's namespace
* Image builder improvements, add Elliptic Curve support
* Added GetCACaps operation and more digest algorithms for SCEP
* Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits)
* Move client storage pool to /etc/certidude/authority/
* Cleanups & bugfixes

doc/build-ap.sh

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-umask 022
-
-VERSION=17.01.4
-BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
-FILENAME=$BASENAME.tar.xz
-URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME
-
-PACKAGES="luci luci-app-commands \
-    collectd collectd-mod-conntrack collectd-mod-interface \
-    collectd-mod-iwinfo collectd-mod-load collectd-mod-memory \
-    collectd-mod-network collectd-mod-protocols collectd-mod-tcpconns \
-    collectd-mod-uptime \
-    openssl-util openvpn-openssl curl ca-certificates \
-    htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
-    -luci-app-firewall \
-    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
-
-
-if [ ! -e $FILENAME ]; then
-    wget -q $URL
-fi
-
-if [ ! -e $BASENAME ]; then
-    tar xf $FILENAME
-fi
-
-cd $BASENAME
-
-# Copy CA certificate
-AUTHORITY=$(hostname -f)
-CERTIDUDE_DIR=/var/lib/certidude/$AUTHORITY
-if [ -d "$CERTIDUDE_DIR" ]; then
-    mkdir -p overlay/$CERTIDUDE_DIR
-    cp $CERTIDUDE_DIR/ca_cert.pem overlay/$CERTIDUDE_DIR
-fi
-
-cat < EOF > overlay/etc/config/certidude
-
-config authority
-    option url http://$AUTHORITY
-    option authority_path /var/lib/certidude/$AUTHORITY/ca_cert.pem
-    option request_path /var/lib/certidude/$AUTHORITY/client_req.pem
-    option certificate_path /var/lib/certidude/$AUTHORITY/client_cert.pem
-    option key_path /var/lib/certidude/$AUTHORITY/client_key.pem
-    option key_type rsa
-    option key_length 1024
-    option red_led gl-connect:red:wlan
-    option green_led gl-connect:green:lan
-
-EOF
-
-make image FILES=../overlay/ PACKAGES="$PACKAGES" PROFILE="$PROFILE"
-

doc/builder/ap.sh

@@ -109,11 +109,10 @@ esac
 EOF
 
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
-    openssl-util curl ca-certificates \
-    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    openssl-util curl ca-certificates dropbear \
+    strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
     htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
     -luci-app-firewall \
     -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
-
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6 bc"
 

doc/builder/common.sh

@@ -9,6 +9,12 @@ BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
 FILENAME=$BASENAME.tar.xz
 URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME
 
+# curl of vanilla LEDE doesn't support ECDSA at the moment
+BASENAME=lede-imagebuilder-ar71xx-generic.Linux-x86_64
+FILENAME=$BASENAME.tar.xz
+URL=https://www.koodur.com/$FILENAME
+
+
 if [ ! -e $BUILD/$FILENAME ]; then
     wget -q $URL -O $BUILD/$FILENAME
 fi
@@ -19,58 +25,94 @@ fi
 
 # Copy CA certificate
 AUTHORITY=$(hostname -f)
-CERTIDUDE_DIR=/var/lib/certidude/$AUTHORITY
 
 mkdir -p $OVERLAY/etc/config
 mkdir -p $OVERLAY/etc/uci-defaults
-mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY
+mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY/
 cp /var/lib/certidude/$AUTHORITY/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
 
+echo /etc/certidude >> $OVERLAY/etc/sysupgrade.conf
+
 cat <<EOF > $OVERLAY/etc/config/certidude
 
 config authority
-    option gateway router.k-space.ee
-    option url http://$AUTHORITY
+    option gateway "$ROUTER"
+    option hostname "$AUTHORITY"
     option trigger wan
-    option authority_path /etc/certidude/authority/$AUTHORITY/ca_cert.pem
-    option request_path /etc/certidude/authority/$AUTHORITY/client_req.pem
-    option certificate_path /etc/certidude/authority/$AUTHORITY/client_cert.pem
-    option key_path /etc/certidude/authority/$AUTHORITY/client_key.pem
-    option key_type rsa
+    option key_type $AUTHORITY_CERTIFICATE_ALGORITHM
     option key_length 2048
+    option key_curve secp384r1
 
 EOF
 
+
 cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
 /etc/init.d/ipsec disable
 EOF
 
+case $AUTHORITY_CERTIFICATE_ALGORITHM in
+    rsa)
+        echo ": RSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
+        DHGROUP=modp2048
+        ;;
+    ec)
+        echo ": ECDSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
+        DHGROUP=ecp384
+        ;;
+    *)
+        echo "Unknown algorithm $AUTHORITY_CERTIFICATE_ALGORITHM"
+        exit 1
+        ;;
+esac
 
+cat << EOF > $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
+#!/bin/sh
 
-cat << EOF > $OVERLAY/etc/ipsec.secrets
-: RSA /etc/certidude/authority/$AUTHORITY/client_key.pem
+CURL="curl -m 3 -f --key /etc/certidude/authority/$AUTHORITY/host_key.pem --cert /etc/certidude/authority/$AUTHORITY/host_cert.pem --cacert /etc/certidude/authority/$AUTHORITY/ca_cert.pem"
+URL="https://$AUTHORITY:8443/api/signed/\$(uci get system.@system[0].hostname)/script/"
+
+case \$PLUTO_VERB in
+  up-client)
+    logger -t certidude -s "Downloading and executing \$URL"
+    \$CURL \$URL -o /tmp/script.sh && sh /tmp/script.sh
+  ;;
+  *) ;;
+esac
 EOF
 
+chmod +x  $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
+
 cat << EOF > $OVERLAY/etc/ipsec.conf
 
 config setup
+    strictcrlpolicy=yes
 
 ca $AUTHORITY
-	cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
-	auto=add
+    auto=add
+    cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
+    ocspuri = http://$AUTHORITY/api/ocsp/
 
-conn router.k-space.ee
-	right=router.k-space.ee
-	dpdaction=restart
-	auto=start
-	rightsubnet=0.0.0.0/0
-	rightid=%any
-	leftsourceip=%config
-	keyexchange=ikev2
-	closeaction=restart
-	leftcert=/etc/certidude/authority/$AUTHORITY/client_cert.pem
-	left=%defaultroute
+conn %default
+    keyingtries=%forever
+    dpdaction=restart
+    closeaction=restart
+    ike=aes256-sha384-ecp384!
+    esp=aes128gcm16-aes128gmac!
+    left=%defaultroute
+    leftcert=/etc/certidude/authority/$AUTHORITY/host_cert.pem
+    leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
+    rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
+
+conn client-to-site
+    auto=start
+    right="$ROUTER"
+    rightsubnet=0.0.0.0/0
+    leftsourceip=%config
+    leftupdown=/etc/certidude/authority/$AUTHORITY/updown
 
 EOF
 
-
+cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https
+uci delete uhttpd.main.listen_https
+uci delete uhttpd.main.redirect_https
+EOF

doc/builder/ipcam.sh

@@ -38,6 +38,7 @@ uci certidude.@authority[0].green_led='gl-connect:green:lan'
 EOF
 
 
-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates strongswan-full htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc \
-    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun ip-full"
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
+    strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
+    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun bc"

doc/builder/mfp.sh

@@ -96,15 +96,15 @@ uci set firewall.@redirect[-1].target=DNAT
 uci set firewall.@redirect[-1].proto=tcp
 uci set firewall.@redirect[-1].enabled=0
 
-uci set uhttpd.main.listen_http=0.0.0.0:8080
-
 /etc/init.d/dropbear disable
 
+uci set uhttpd.main.listen_http=0.0.0.0:8080
+
 EOF
 
 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci \
-    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
-    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm"
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun \
+    strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
+    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm bc"
 
 

doc/overlay/etc/hotplug.d/iface/50-certidude

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# To test: ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
+
+AUTHORITY=certidude.@authority[0]
+
+[ $ACTION == "ifup" ] || exit 0
+[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0
+
+/usr/bin/certidude-enroll

doc/overlay/etc/uci-defaults/60-cron

@@ -0,0 +1,9 @@
+cat << EOF > /etc/crontabs/root
+15 1 * * * sleep 70 && touch /etc/banner && reboot
+10 1 1 */2 * /usr/bin/certidude-enroll-renew
+EOF
+
+chmod 0600 /etc/crontabs/root
+
+/etc/init.d/cron enable
+

doc/overlay/usr/bin/certidude-enroll

@@ -0,0 +1,123 @@
+#!/bin/sh
+
+AUTHORITY=certidude.@authority[0]
+
+# TODO: iterate over all authorities
+
+GATEWAY=$(uci get $AUTHORITY.gateway)
+COMMON_NAME=$(uci get system.@system[0].hostname)
+
+DIR=/etc/certidude/authority/$(uci get $AUTHORITY.hostname)
+mkdir -p $DIR
+
+AUTHORITY_PATH=$DIR/ca_cert.pem
+CERTIFICATE_PATH=$DIR/host_cert.pem
+REQUEST_PATH=$DIR/host_req.pem
+KEY_PATH=$DIR/host_key.pem
+KEY_TYPE=$(uci get $AUTHORITY.key_type)
+KEY_LENGTH=$(uci get $AUTHORITY.key_length)
+KEY_CURVE=$(uci get $AUTHORITY.key_curve)
+
+NTP_SERVERS=$(uci get system.ntp.server)
+
+logger -t certidude -s "Fetching time from NTP servers: $NTP_SERVERS"
+ntpd -q -n -d -p $NTP_SERVERS
+
+logger -t certidude -s "Time is now: $(date)"
+
+# If certificate file is there assume everything's set up
+if [ -f $CERTIFICATE_PATH ]; then
+    SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
+    logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
+    ipsec restart
+    exit 0
+fi
+
+
+#########################################
+### Generate private key if necessary ###
+#########################################
+
+if [ ! -f $KEY_PATH ]; then
+
+    logger -t certidude -s "Generating $KEY_TYPE key for VPN..."
+
+    case $KEY_TYPE in
+        rsa)
+            openssl genrsa -out $KEY_PATH.part $KEY_LENGTH
+            ;;
+        ec)
+            openssl ecparam -name $KEY_CURVE -genkey -noout -out $KEY_PATH.part
+            ;;
+    esac
+    mv $KEY_PATH.part $KEY_PATH
+fi
+
+
+############################
+### Fetch CA certificate ###
+############################
+
+if [ ! -f $AUTHORITY_PATH ]; then
+
+    logger -t certidude -s "Fetching CA certificate from $URL/api/certificate/"
+    curl -f -s http://$(uci get $AUTHORITY.hostname)/api/certificate/ -o $AUTHORITY_PATH.part
+    if [ $? -ne 0 ]; then
+        logger -t certidude -s "Failed to receive CA certificate, server responded: $(cat $AUTHORITY_PATH.part)"
+        exit 10
+    fi
+
+    openssl x509 -in $AUTHORITY_PATH.part -noout
+    if [ $? -ne 0 ]; then
+        logger -t certidude -s "Received invalid CA certificate"
+        exit 11
+    fi
+
+    mv $AUTHORITY_PATH.part $AUTHORITY_PATH
+fi
+
+logger -t certidude -s "CA certificate md5sum: $(md5sum -b $AUTHORITY_PATH)"
+
+
+#####################################
+### Generate request if necessary ###
+#####################################
+
+if [ ! -f $REQUEST_PATH ]; then
+    openssl req -new -sha256 -key $KEY_PATH -out $REQUEST_PATH.part -subj "/CN=$COMMON_NAME"
+    mv $REQUEST_PATH.part $REQUEST_PATH
+fi
+
+logger -t certidude -s "Request md5sum is $(md5sum -b $REQUEST_PATH)"
+
+curl -f -L \
+    -H "Content-Type: application/pkcs10" \
+    --cacert $AUTHORITY_PATH \
+    --data-binary @$REQUEST_PATH \
+    https://$(uci get $AUTHORITY.hostname):8443/api/request/?autosign=true\&wait=yes -o $CERTIFICATE_PATH.part
+
+# TODO: Loop until we get exitcode 0
+# TODO: Use backoff time $((2\*X))
+
+if [ $? -ne 0 ]; then
+    echo "Failed to fetch certificate"
+    exit 21
+fi
+
+# Verify certificate
+openssl verify -CAfile $AUTHORITY_PATH $CERTIFICATE_PATH.part
+
+if [ $? -ne 0 ]; then
+    logger -t certidude -s "Received bogus certificate!"
+    exit 22
+fi
+
+logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_PATH.part)"
+
+uci commit
+
+mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
+
+# Start services
+logger -t certidude -s "Starting IPSec IKEv2 daemon..."
+ipsec restart

doc/overlay/usr/bin/certidude-enroll-renew

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AUTHORITY=certidude.@authority[0]
+URL=https://$(uci get $AUTHORITY.hostname):8443
+DIR=/etc/certidude/authority/$(uci get $AUTHORITY.hostname)
+AUTHORITY_PATH=$DIR/ca_cert.pem
+CERTIFICATE_PATH=$DIR/host_cert.pem
+REQUEST_PATH=$DIR/host_req.pem
+KEY_PATH=$DIR/host_key.pem
+
+curl -f -L \
+    -H "Content-Type: application/pkcs10" \
+    --data-binary @$REQUEST_PATH \
+    --cacert $AUTHORITY_PATH \
+    --key $KEY_PATH \
+    --cert $CERTIFICATE_PATH \
+    $URL/api/request/ -o $CERTIFICATE_PATH.part
+
+if [ $? -eq 0 ]; then
+    logger -t certidude -s "Certificate renewal successful"
+    mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
+    ipsec reload
+else
+    logger -t certidude -s "Failed to renew certificate"
+fi