Fixes, add some screenshots

This commit is contained in:
Lauri Võsandi 2017-04-22 22:48:29 +03:00
parent 029ee357fb
commit 9658d8cc83
7 changed files with 48 additions and 60 deletions


@ -12,15 +12,14 @@ Introduction
------------
Certidude is a novel X.509 Certificate Authority management tool
with privilege isolation mechanism and Kerberos authentication aiming to
eventually support PKCS#11 and in far future WebCrypto.
.. figure:: doc/usecase-diagram.png
Certidude is mainly designed for StrongSwan and OpenVPN gateway operators to make
with privilege isolation mechanism and Kerberos authentication
mainly designed for OpenVPN gateway operators to make
VPN client setup on laptops, desktops and mobile devices as painless as possible.
Certidude can also be used to manage HTTPS client certificates for
eg. maintaining an extra layer of protection for intranet websites.
.. figure:: doc/certidude.png
Certidude can also be used to manage IPSec certifcates (StrongSwan)
or HTTPS client certificates to limit access to eg. intranet websites.
For a full-blown CA you might want to take a look at
`EJBCA <http://www.ejbca.org/features.html>`_ or
`OpenCA <https://pki.openca.org/>`_.
@ -29,6 +28,8 @@ For a full-blown CA you might want to take a look at
Usecases
--------
.. figure:: doc/usecase-diagram.png
Following usecases are covered:
* I am a sysadmin. Employees with different operating systems need to access
@ -79,6 +80,7 @@ Common:
Virtual private networking:
* Send OpenVPN profile URL tokens via e-mail, for simplified VPN adoption on Android, iOS, Windows, Mac OS X and Ubuntu.
* OpenVPN integration, check out ``certidude setup openvpn server`` and ``certidude setup openvpn client``.
* strongSwan integration, check out ``certidude setup strongswan server`` and ``certidude setup strongswan client``.
* NetworkManager integration, check out ``certidude setup openvpn networkmanager`` and ``certidude setup strongswan networkmanager``.
@ -95,7 +97,7 @@ TODO
* `OCSP <https://tools.ietf.org/html/rfc4557>`_ support, needs a bit hacking since OpenSSL wrappers are not exposing the functionality.
* `SCEP <https://tools.ietf.org/html/draft-nourse-scep-23>`_ support, a client implementation available `here <https://github.com/certnanny/sscep>`_. Not sure if we can implement server-side events within current standard.
* WebCrypto support, meanwhile check out `hwcrypto.js <https://github.com/open-eid/hwcrypto.js>`_.
* Ability to send OpenVPN profile URL tokens via e-mail, for simplified VPN adoption.
* Use `pki.js <https://pkijs.org/>`_ for generating keypair in the browser when claiming a token.
* Signer process logging.


@ -120,7 +120,7 @@ def revoke(common_name):
attach_cert = buf, "application/x-pem-file", common_name + ".crt"
mailer.send("certificate-revoked.md",
attachments=(attach_cert,),
serial_number="%x" % cert.serial,
serial_hex="%x" % cert.serial,
common_name=common_name)
return revoked_path
@ -298,11 +298,15 @@ def _sign(csr, buf, overwrite=False):
from xattr import getxattr, listxattr, setxattr
common_name, = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
cert_path = os.path.join(config.SIGNED_DIR, common_name.value + ".pem")
cert_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name.value)
renew = False
signed_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name.value)
attachments = [
(buf, "application/x-pem-file", common_name.value + ".csr"),
]
revoked_path = None
overwritten = False
# Move existing certificate if necessary
if os.path.exists(cert_path):
@ -313,12 +317,12 @@ def _sign(csr, buf, overwrite=False):
renew = prev.public_key().public_numbers() == csr.public_key().public_numbers()
if overwrite:
if renew:
# TODO: is this the best approach?
revoked_path = os.path.join(config.REVOKED_DIR, "%x.pem" % prev.serial)
os.rename(signed_path, revoked_path)
else:
revoked_path = revoke(common_name.value)
# TODO: is this the best approach?
prev_serial_hex = "%x" % prev.serial
revoked_path = os.path.join(config.REVOKED_DIR, "%s.pem" % prev_serial_hex)
os.rename(cert_path, revoked_path)
attachments += [(prev_buf, "application/x-pem-file", "deprecated.crt" if renew else "overwritten.crt")]
overwritten = True
else:
raise EnvironmentError("Will not overwrite existing certificate")
@ -328,42 +332,21 @@ def _sign(csr, buf, overwrite=False):
with open(cert_path + ".part", "wb") as fh:
fh.write(cert_buf)
os.rename(cert_path + ".part", cert_path)
attachments.append((cert_buf, "application/x-pem-file", common_name.value + ".crt"))
cert_serial_hex = "%x" % cert.serial
# Copy filesystem attributes to newly signed certificate
if revoked_path:
for key in listxattr(revoked_path):
if not key.startswith("user."):
continue
setxattr(signed_path, key, getxattr(revoked_path, key))
setxattr(cert_path, key, getxattr(revoked_path, key))
# Send mail
recipient = None
if renew:
mailer.send(
"certificate-renewed.md",
to=recipient,
attachments=(
(prev_buf, "application/x-pem-file", "deprecated.crt"),
(cert_buf, "application/x-pem-file", common_name.value + ".crt")
),
serial_number="%x" % cert.serial,
common_name=common_name.value,
certificate=cert,
)
else:
mailer.send(
"certificate-signed.md",
to=recipient,
attachments=(
(buf, "application/x-pem-file", common_name.value + ".csr"),
(cert_buf, "application/x-pem-file", common_name.value + ".crt")
),
serial_number="%x" % cert.serial,
common_name=common_name.value,
certificate=cert,
)
if renew: # Same keypair
mailer.send("certificate-renewed.md", **locals())
else: # New keypair
mailer.send("certificate-signed.md", **locals())
if config.LONG_POLL_PUBLISH:
url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
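Review bot: `mailer.send("certificate-renewed.md", **locals())` and the `certificate-signed.md` call under it pass every local of `_sign` — `csr`, `buf`, `prev_buf`, `overwrite`, the `xattr` imports, `fh`, `key` and anything added later — into the mailer and the template context, so the template's input contract becomes implicit and any local whose name matches a `send()` parameter is silently consumed as that argument (whether `send()` even accepts the extra names is not visible here). Pass the context explicitly, e.g. `mailer.send("certificate-renewed.md", attachments=attachments, common_name=common_name, cert_serial_hex=cert_serial_hex, cert=cert)`, and for the signed case add `overwritten=overwritten, prev_serial_hex=prev_serial_hex if overwritten else None` — `prev_serial_hex` is only bound on the overwrite path, and today only the template's `{% if overwritten %}` guard keeps that from surfacing. Separately, the new `cert_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name.value)` builds a filesystem path from the CSR-supplied common name; if that value is not validated before `_sign` is reached (not visible in this hunk), a name containing a path separator or `..` would place the signed certificate outside `SIGNED_DIR`, so a `# common_name must already be validated as a plain filename` comment or an explicit check here would document the assumption. `_sign` starts before this hunk and continues past it.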


@ -1,9 +1,9 @@
Renewed {{ common_name }} ({{ serial_number }})
Renewed {{ common_name.value }} ({{ cert_serial_hex }})
This is simply to notify that certificate for {{ common_name }}
was renewed and the serial number of the new certificate is {{ serial_number }}.
This is simply to notify that certificate for {{ common_name.value }}
was renewed and the serial number of the new certificate is {{ cert_serial_hex }}.
The new certificate is valid from {{ certificate.not_valid_before }} until
{{ certificate.not_valid_after }}.
The new certificate is valid from {{ cert.not_valid_before }} until
{{ cert.not_valid_after }}.
Services making use of those certificates should continue working as expected.


@ -1,4 +1,4 @@
Revoked {{ common_name }} ({{ serial_number }})
Revoked {{ common_name }} ({{ serial_hex }})
This is simply to notify that certificate {{ common_name }}
was revoked.


@ -1,11 +1,14 @@
Signed {{ common_name }} ({{ serial_number }})
Signed {{ common_name.value }} ({{ cert_serial_hex }})
This is simply to notify that certificate {{ common_name }}
with serial number {{ serial_number }}
This is simply to notify that certificate {{ common_name.value }}
with serial number {{ cert_serial_hex }}
was signed{% if signer %} by {{ signer }}{% endif %}.
The certificate is valid from {{ certificate.not_valid_before }} until
{{ certificate.not_valid_after }}.
The certificate is valid from {{ cert.not_valid_before }} until
{{ cert.not_valid_after }}.
Any existing certificates with the same common name were rejected by doing so
and services making use of those certificates might become unavailable.
{% if overwritten %}
By doing so existing certificate with the same common name
and serial number {{ prev_serial_hex }} was rejected
and services making use of that certificate might become unavailable.
{% endif %}


@ -1,4 +1,4 @@
Token for setting up VPN
Token for {{ user.name }}
{{ issuer }} has provided {{ user }} a token for retrieving
profile from the link below.

doc/certidude.png Normal file
