
Released 0.1.17

2015-08-13 11:11:08 +03:00
parent f24ef4024c
commit c5d27e8a76
19 changed files with 809 additions and 404 deletions


@@ -1,162 +1,55 @@
<!DOCTYPE html>
<html lang="en">
<head>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<link href='http://fonts.googleapis.com/css?family=Ubuntu+Mono' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Gentium' rel='stylesheet' type='text/css'>
<link href="//fonts.googleapis.com/css?family=PT+Sans+Narrow" rel="stylesheet" type="text/css">
<meta charset="utf-8"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Certidude server</title>
<style type="text/css">
svg {
position: relative;
top: 0.5em;
}
img {
max-width: 100%;
max-height: 100%;
}
ul {
list-style: none;
margin: 1em 0;
padding: 0;
}
button, .button {
color: #000;
float: right;
border: 1pt solid #ccc;
background-color: #eee;
border-radius: 6px;
margin: 2px;
padding: 4px 8px;
box-sizing: border-box;
}
button:disabled, .button:disabled {
color: #888;
}
.monospace {
font-family: 'Ubuntu Mono', courier, monospace;
}
footer {
display: block;
color: #fff;
text-align: center;
}
a {
text-decoration: none;
color: #44c;
}
footer a {
color: #aaf;
}
html,body {
margin: 0;
padding: 0 0 1em 0;
}
body {
background: #222;
background-image: url('http://fc00.deviantart.net/fs71/i/2013/078/9/6/free_hexa_pattern_cc0_by_black_light_studio-d4ig12f.png');
background-position: center;
}
.comment {
color: #aaf;
}
table th, table td {
border: 1px solid #ccc;
padding: 2px;
}
h1, h2, th {
font-family: 'Gentium';
}
h1 {
text-align: center;
font-size: 22pt;
}
h2 {
font-size: 18pt;
}
h2 svg {
position: relative;
top: 16px;
}
p, td, footer, li, button {
font-family: 'PT Sans Narrow';
font-size: 14pt;
}
pre {
overflow: auto;
border: 1px solid #000;
background: #444;
color: #fff;
font-size: 12pt;
padding: 4px;
border-radius: 6px;
margin: 0 0;
}
#container {
max-width: 60em;
margin: 1em auto;
background: #fff;
padding: 1em;
border-style: solid;
border-width: 2px;
border-color: #aaa;
border-radius: 10px;
}
li {
margin: 4px 0;
padding: 4px 0;
clear: both;
border-top: 1px dashed #ccc;
}
</style>
<link href="/css/style.css" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=Ubuntu+Mono" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=Gentium" rel="stylesheet" type="text/css"/>
<link href="//fonts.googleapis.com/css?family=PT+Sans+Narrow" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="/js/jquery-2.1.4.min.js"></script>
</head>
<body>
<div id="container">
<h1>Submit signing request</h1>
<p>Request submission is allowed from: {% for i in authority.request_whitelist %}{{ i }} {% endfor %}</p>
<p>Autosign is allowed from: {% for i in authority.autosign_whitelist %}{{ i }} {% endfor %}</p>
<h2>IPsec gateway on OpenWrt</h2>
{% set s = authority.certificate.subject %}
<!--
<p>To submit new certificate signing request first set common name, eg:</p>
<pre>
export CN=$(hostname)
opkg update
opkg install strongswan-default curl openssl-util
modprobe authenc
</pre>
<p>Generate key and submit using standard shell tools:</p>
<pre>
curl {{request.url}}/certificate/ > ca.crt
openssl genrsa -out $CN.key 4096
openssl req -new -sha256 -key $CN.key -out $CN.csr -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
wget --header "Content-Type: application/pkcs10" --post-data="$(cat $CN.csr)" http://localhost:9090/api/buujaa/request/?autosign=1\&wait=30 -O $CN.crt
openssl verify -CAfile ca.crt $CN.crt
CN=$(cat /proc/sys/kernel/hostname)
curl {{request.url}}/certificate/ > /etc/ipsec.d/cacerts/ca.pem
openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096
chmod 0600 /etc/ipsec.d/private/$CN.pem
openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
curl -L -H "Content-Type: application/pkcs10" --data-binary @/etc/ipsec.d/reqs/$CN.pem {{request.uri}}/request/?autosign=1\&wait=30 > /etc/ipsec.d/certs/$CN.pem.part
if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi
openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/$CN.pem
</pre>
<p>
Inspect newly created files:
</p>
<pre>
openssl x509 -text -noout -in /etc/ipsec.d/cacerts/ca.pem
openssl x509 -text -noout -in /etc/ipsec.d/certs/$CN.pem
openssl rsa -check -in /etc/ipsec.d/private/$CN.pem
</pre>
-->
<p>Assuming you have Certidude installed</p>
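Review bot: The shell walkthrough wrapped in `<!-- ... -->` (from the `<pre>` after `{% set s = authority.certificate.subject %}` down to `-->`) is an HTML comment, so it is still rendered and delivered to every visitor, including the stale hard-coded `http://localhost:9090/api/buujaa/request/` endpoint and the `{{request.url}}`/`{{request.uri}}` substitutions; the `+`/`-` markers are lost on this rendering, so I am assuming the comment wrapper is on the new side. Use a Jinja comment instead, `{# ... #}`, so the block is discarded at template time and nothing stale reaches the client. Separately, the page prints `authority.request_whitelist` and `authority.autosign_whitelist` to any unauthenticated visitor; consider whether the autosign source ranges need to be public, or gate that paragraph behind an authenticated view.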


@@ -0,0 +1,51 @@
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
{% if not push_server %}
push_stream_shared_memory_size 32M;
{% endif %}
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
upstream certidude_api {
server unix:///run/uwsgi/app/certidude/socket;
}
server {
server_name {{hostname}};
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
error_page 500 502 503 504 /50x.html;
root {{static_path}};
location /api/ {
include uwsgi_params;
uwsgi_pass certidude_api;
}
{% if not push_server %}
location ~ /publish/(.*) {
allow 127.0.0.1;
push_stream_publisher admin;
push_stream_channels_path $1;
}
location ~ /subscribe/(.*) {
push_stream_channels_path $1;
push_stream_subscriber long-polling;
}
{% endif %}
}
}
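Review bot: `allow 127.0.0.1;` in `location ~ /publish/(.*)` does not restrict anything on its own: ngx_http_access_module permits a request when no rule matches, so without a closing `deny all;` any client that can reach port 80 can publish to (and, with `push_stream_publisher admin`, delete) any channel. Add `deny all;` after the allow, and also `allow ::1;`, because the server block listens on `[::]:80` and the uwsgi template in this commit publishes to `http://localhost/event/publish/%(channel)s`, which may resolve to the IPv6 loopback. The regex `~ /publish/(.*)` is unanchored, which is the only reason `/event/publish/...` matches it; anchoring both the publish and subscribe locations (e.g. `^/event/publish/(.*)$`) would make the contract between the two templates explicit. The server block only serves plaintext on port 80, so CSR submission and CA certificate retrieval through `/api/` travel unauthenticated over HTTP; if TLS is meant to be terminated elsewhere, a comment saying so would help the operator.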


@@ -1,5 +1,6 @@
[CA_{{slug}}]
default_days = 1825
default_crl_days = {{revocation_list_lifetime}}
default_days = {{certificate_lifetime}}
dir = {{directory}}
private_key = $dir/ca_key.pem
certificate = $dir/ca_crt.pem
@@ -9,12 +10,15 @@ certs = $dir/signed/
crl = $dir/ca_crl.pem
serial = $dir/serial
{% if crl_distribution_points %}
crlDistributionPoints = {{crl_distribution_points}}{% endif %}
crlDistributionPoints = {{crl_distribution_points}}
{% endif %}
{% if email_address %}
emailAddress = {{email_address}}{% endif %}
emailAddress = {{email_address}}
{% endif %}
x509_extensions = {{slug}}_cert
policy = poliy_{{slug}}
autosign_whitelist = 127.
request_whitelist =
autosign_whitelist = 127.0.0.0/8
inbox = {{inbox}}
outbox = {{outbox}}
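Review bot: `request_whitelist =` is added with an empty value and nothing in the hunk says whether an empty list means "accept requests from anywhere" or "accept none"; a comment above it such as `# request_whitelist: empty means <state the actual behaviour here>` would stop an operator from assuming the restrictive reading. `autosign_whitelist = 127.0.0.0/8` replaces the old `127.` prefix with CIDR, which is clearer; since this commit also puts nginx and uwsgi in front of the API, autosigning by loopback source is only safe if the application takes the client address from the uwsgi-passed `REMOTE_ADDR` and never from a forwarded header a remote client could set, which is worth confirming. The context line `policy = poliy_{{slug}}` carries a pre-existing spelling slip (`poliy`); it is harmless if the referenced section is named the same way, but it is easy to trip over when editing.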


@@ -14,4 +14,6 @@ group nogroup
ifconfig-pool-persist /tmp/openvpn-leases.txt
ifconfig {{subnet_first}} {{subnet.netmask}}
server-bridge {{subnet_first}} {{subnet.netmask}} {{subnet_second}} {{subnet_last}}
{% for subnet in route %}
push "route {{subnet}}"
{% endfor %}
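Review bot: The new loop `{% for subnet in route %}` reuses `subnet` as its loop variable while the surrounding lines read `{{subnet.netmask}}` from an outer `subnet` object; Jinja scopes the loop variable so the outer value is not clobbered, but the shared name hides that the two are different things, so rename it, e.g. `{% for r in route %}` / `push "route {{r}}"`. Also, OpenVPN's `route` option takes `network netmask` rather than a single token; if the `route` entries are rendered in CIDR form (the ipsec gateway template in this commit joins them verbatim), the pushed option will be rejected by clients, so either render network and mask separately or document that the list is already in `network netmask` form. The enclosing server configuration starts before this hunk.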


@@ -0,0 +1,27 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
# left/local = client
# right/remote = gateway
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
dpdaction={{dpdaction}}
conn home
auto={{auto}}
type=tunnel
left=%defaultroute # Use IP of default route for listening
leftcert={{certificate_path}} # Client certificate
leftid={{common_name}} # Client certificate identifier
leftfirewall=yes
right={{remote}} # Gateway IP address
rightid=%any # Allow any common name
rightsubnet=0.0.0.0/0 # Accept all subnets suggested by server
#rightcert=server.pem
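Review bot: `rightid=%any` combined with `rightsubnet=0.0.0.0/0` means the client will treat any peer presenting a certificate from the same CA as its gateway and route all of its traffic there; because this CA also issues the client certificates (autosigned from loopback in this commit), any other certificate holder could pose as the gateway. Pin the gateway identity instead, e.g. `rightid=<gateway common name or DN>` (a new template variable), and change the trailing comment from "Allow any common name" to state what the identity is checked against. The commented `#rightcert=server.pem` line can then be dropped rather than left as a hint.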


@@ -0,0 +1,28 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
# left/local = gateway
# right/remote = client
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw
auto=add
right=%any # Allow connecting from any IP address
left={{local}} # Gateway IP address
leftcert={{certificate_path}} # Gateway certificate
leftfirewall=yes
{% if route %}
{% if route | length == 1 %}
leftsubnet={{route[0]}} # Advertise routes via this connection
{% else %}
leftsubnet={ {{ route | join(', ') }} }
{% endif %}
{% endif %}
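Review bot: The multi-route branch renders `leftsubnet={ a, b }` with braces, while the ipsec.conf documentation describes `leftsubnet` as a plain comma-separated list (`leftsubnet=10.0.0.0/8,192.168.0.0/16`); please confirm the brace form is accepted by the strongSwan version targeted, since the single-entry branch deliberately avoids it, which suggests the two forms were not treated as equivalent. If the plain list works, the `{% if route | length == 1 %}` split can collapse to one line, `leftsubnet={{ route | join(',') }}`. Also `right=%any` with no `rightid` means every certificate issued by the CA is accepted as a road-warrior client; that is presumably intended for an autosigning CA, but a comment such as `# Any certificate issued by the CA is accepted as a client` would make the trust boundary explicit.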


@@ -0,0 +1,23 @@
[uwsgi]
exec-as-root = /usr/local/bin/certidude spawn
master = true
processes = 1
vacuum = true
uid = {{username}}
gid = {{username}}
plugins = python34
chdir = /tmp
module = certidude.wsgi
callable = app
chmod-socket = 660
chown-socket = {{username}}:www-data
{% if push_server %}
env = CERTIDUDE_EVENT_PUBLISH={{push_server}}/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
{% else %}
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
{% endif %}
env = LANG=C.UTF-8
env = LC_ALL=C.UTF-8