Several updates

* Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes
2025-09-09 06:51:04 +00:00 · 2018-04-27 07:48:15 +00:00
parent 94e5f72566
commit 5e9251f365
35 changed files with 1192 additions and 580 deletions
--- a/doc/builder/ap.sh
+++ b/doc/builder/ap.sh
@@ -109,11 +109,10 @@ esac
 EOF

 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
-    openssl-util curl ca-certificates \
-    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    openssl-util curl ca-certificates dropbear \
+    strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
    htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
    -luci-app-firewall \
    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
-
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6 bc"

--- a/doc/builder/common.sh
+++ b/doc/builder/common.sh
@@ -9,6 +9,12 @@ BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
 FILENAME=$BASENAME.tar.xz
 URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME

+# curl of vanilla LEDE doesn't support ECDSA at the moment
+BASENAME=lede-imagebuilder-ar71xx-generic.Linux-x86_64
+FILENAME=$BASENAME.tar.xz
+URL=https://www.koodur.com/$FILENAME
+
+
 if [ ! -e $BUILD/$FILENAME ]; then
    wget -q $URL -O $BUILD/$FILENAME
 fi
@@ -19,58 +25,94 @@ fi

 # Copy CA certificate
 AUTHORITY=$(hostname -f)
-CERTIDUDE_DIR=/var/lib/certidude/$AUTHORITY

 mkdir -p $OVERLAY/etc/config
 mkdir -p $OVERLAY/etc/uci-defaults
-mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY
+mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY/
 cp /var/lib/certidude/$AUTHORITY/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/

+echo /etc/certidude >> $OVERLAY/etc/sysupgrade.conf
+
 cat <<EOF > $OVERLAY/etc/config/certidude

 config authority
-    option gateway router.k-space.ee
-    option url http://$AUTHORITY
+    option gateway "$ROUTER"
+    option hostname "$AUTHORITY"
    option trigger wan
-    option authority_path /etc/certidude/authority/$AUTHORITY/ca_cert.pem
-    option request_path /etc/certidude/authority/$AUTHORITY/client_req.pem
-    option certificate_path /etc/certidude/authority/$AUTHORITY/client_cert.pem
-    option key_path /etc/certidude/authority/$AUTHORITY/client_key.pem
-    option key_type rsa
+    option key_type $AUTHORITY_CERTIFICATE_ALGORITHM
    option key_length 2048
+    option key_curve secp384r1

 EOF

+
 cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
 /etc/init.d/ipsec disable
 EOF

+case $AUTHORITY_CERTIFICATE_ALGORITHM in
+    rsa)
+        echo ": RSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
+        DHGROUP=modp2048
+        ;;
+    ec)
+        echo ": ECDSA /etc/certidude/authority/$AUTHORITY/host_key.pem" >> $OVERLAY/etc/ipsec.secrets
+        DHGROUP=ecp384
+        ;;
+    *)
+        echo "Unknown algorithm $AUTHORITY_CERTIFICATE_ALGORITHM"
+        exit 1
+        ;;
+esac

+cat << EOF > $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
+#!/bin/sh

-cat << EOF > $OVERLAY/etc/ipsec.secrets
-: RSA /etc/certidude/authority/$AUTHORITY/client_key.pem
+CURL="curl -m 3 -f --key /etc/certidude/authority/$AUTHORITY/host_key.pem --cert /etc/certidude/authority/$AUTHORITY/host_cert.pem --cacert /etc/certidude/authority/$AUTHORITY/ca_cert.pem"
+URL="https://$AUTHORITY:8443/api/signed/\$(uci get system.@system[0].hostname)/script/"
+
+case \$PLUTO_VERB in
+  up-client)
+    logger -t certidude -s "Downloading and executing \$URL"
+    \$CURL \$URL -o /tmp/script.sh && sh /tmp/script.sh
+  ;;
+  *) ;;
+esac
 EOF

+chmod +x  $OVERLAY/etc/certidude/authority/$AUTHORITY/updown
+
 cat << EOF > $OVERLAY/etc/ipsec.conf

 config setup
+    strictcrlpolicy=yes

 ca $AUTHORITY
-	cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
-	auto=add
+    auto=add
+    cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
+    ocspuri = http://$AUTHORITY/api/ocsp/

-conn router.k-space.ee
-	right=router.k-space.ee
-	dpdaction=restart
-	auto=start
-	rightsubnet=0.0.0.0/0
-	rightid=%any
-	leftsourceip=%config
-	keyexchange=ikev2
-	closeaction=restart
-	leftcert=/etc/certidude/authority/$AUTHORITY/client_cert.pem
-	left=%defaultroute
+conn %default
+    keyingtries=%forever
+    dpdaction=restart
+    closeaction=restart
+    ike=aes256-sha384-ecp384!
+    esp=aes128gcm16-aes128gmac!
+    left=%defaultroute
+    leftcert=/etc/certidude/authority/$AUTHORITY/host_cert.pem
+    leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
+    rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME"
+
+conn client-to-site
+    auto=start
+    right="$ROUTER"
+    rightsubnet=0.0.0.0/0
+    leftsourceip=%config
+    leftupdown=/etc/certidude/authority/$AUTHORITY/updown

 EOF

-
+cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https
+uci delete uhttpd.main.listen_https
+uci delete uhttpd.main.redirect_https
+EOF
--- a/doc/builder/ipcam.sh
+++ b/doc/builder/ipcam.sh
@@ -38,6 +38,7 @@ uci certidude.@authority[0].green_led='gl-connect:green:lan'
 EOF


-make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates strongswan-full htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc \
-    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun ip-full"
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates \
+    strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc dropbear \
+    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun bc"
--- a/doc/builder/mfp.sh
+++ b/doc/builder/mfp.sh
@@ -96,15 +96,15 @@ uci set firewall.@redirect[-1].target=DNAT
 uci set firewall.@redirect[-1].proto=tcp
 uci set firewall.@redirect[-1].enabled=0

-uci set uhttpd.main.listen_http=0.0.0.0:8080
-
 /etc/init.d/dropbear disable

+uci set uhttpd.main.listen_http=0.0.0.0:8080
+
 EOF

 make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
-    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci \
-    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
-    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm"
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun \
+    strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
+    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm bc"