lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
certidude/certidude/static/views/authority.html

541 lines
20 KiB
HTML
Raw Blame History

<div class="modal fade" id="request_submission_modal" role="dialog">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h4 class="modal-title">Request submission</h4>
</div>
<form action="/api/request/" method="post">
<div class="modal-body">
<h5>Certidude client</h5>
<p>Submit a certificate signing request from Mac OS X, Ubuntu or Fedora:</p>
<div class="highlight">
<pre><code>easy_install pip;
pip3 install certidude;
certidude bootstrap {{ window.location.hostname }}
</code></pre>
</div>
<h5>Windows 10</h5>
<p>On Windows execute following PowerShell script</p>
<div class="highlight">
<pre class="code"><code>$hostname = $env:computername.ToLower()
$templ = @"
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=$hostname"
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderType = 12
RequestType = PKCS10
{% if session.authority.certificate.algorithm == "ec" %}ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = ECDSA_P384
{% else %}ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyLength = 2048
{% endif %}"@
$templ | Out-File req.inf
# Fetch CA certificate and install it
Invoke-WebRequest -Uri http://{{ window.location.hostname }}/api/certificate -OutFile ca_cert.pem
Import-Certificate -FilePath ca_cert.pem -CertStoreLocation Cert:\LocalMachine\Root
# Generate keypair and submit CSR
C:\Windows\system32\certreq.exe -new -f -q req.inf client_csr.pem
Invoke-WebRequest -TimeoutSec 900 -Uri http://{{ window.location.hostname }}/api/request/?wait=1 -InFile client_csr.pem -ContentType application/pkcs10 -Method POST -MaximumRedirection 3 -OutFile client_cert.pem
# Import certificate
Import-Certificate -FilePath client_cert.pem -CertStoreLocation Cert:\LocalMachine\My
# Set up IPSec VPN tunnel
Remove-VpnConnection -AllUserConnection -Force k-space
Add-VpnConnection `
-Name k-space `
-ServerAddress guests.k-space.ee `
-AuthenticationMethod MachineCertificate `
-SplitTunneling `
-TunnelType ikev2 `
-PassThru -AllUserConnection
# Security hardening
Set-VpnConnectionIPsecConfiguration `
-ConnectionName k-space `
-AuthenticationTransformConstants GCMAES128 `
-CipherTransformConstants GCMAES128 `
-EncryptionMethod AES128 `
-IntegrityCheckMethod none `
-PfsGroup {% if session.authority.certificate.algorithm == "ec" %}ECP384 -DHGroup ECP384{% else %}PFS2048 -DHGroup Group14{% endif %} `
-PassThru -AllUserConnection -Force</code></pre>
</div>
<h5>UNIX & UNIX-like</h5>
<p>On other UNIX-like machines generate key pair and submit the signing request using OpenSSL and cURL:</p>
<div class="highlight">
<pre class="code"><code>NAME=$(hostname);
{% if session.authority.certificate.algorithm == "ec" %}openssl ecparam -name secp384r1 -genkey -noout -out client_key.pem{% else %}openssl genrsa -out client_key.pem 2048;{% endif %}
openssl req -new -sha384 -key client_key.pem -out client_req.pem -subj "/CN=$NAME";
curl -f -L -H "Content-type: application/pkcs10" --data-binary @client_req.pem \
http://{{ window.location.hostname }}/api/request/?wait=yes > client_cert.pem</code></pre>
</div>
<h5>StrongSwan as client</h5>
<p>First enroll certificates:</p>
<div class="highlight">
<pre class="code"><code>
FQDN=$(cat /etc/hostname)
curl -f http://{{ window.location.hostname }}/api/certificate/ -o /etc/ipsec.d/cacerts/ca.pem; \
test -e /etc/ipsec.d/private/client.pem \
|| openssl ecparam -name secp384r1 -genkey -noout -out /etc/ipsec.d/private/client.pem; \
test -e /etc/ipsec.d/reqs/client.pem \
|| openssl req -new -sha384 \
-key /etc/ipsec.d/private/client.pem \
-out /etc/ipsec.d/reqs/client.pem -subj "/CN=$FQDN"; \
curl -f -L -H "Content-type: application/pkcs10" \
--data-binary @/etc/ipsec.d/reqs/client.pem \
-o /etc/ipsec.d/certs/client.pem \
http://{{ window.location.hostname }}/api/request/?wait=yes</code></pre>
</div>
<p>Then configure StrongSwan</p>
<div class="highlight">
<pre class="code"><code>
cat > /etc/ipsec.conf << EOF
conn c2s
auto=start
right=router.k-space.ee
dpdaction=restart
closeaction=restart
left=%defaultroute
rightsubnet=0.0.0.0/0
keyingtries=%forever
rightid=%any
leftsourceip=%config
leftcert=client.pem
ike=aes128-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
esp=aes128gcm16!
EOF
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} client.pem" > /etc/ipsec.secrets
ipsec restart</code></pre>
</div>
<h5>OpenWrt/LEDE as VPN gateway</h5>
<p>First enroll certificates:</p>
<div class="highlight">
<pre class="code"><code># Derive FQDN from WAN interface's reverse DNS record
FQDN=$(nslookup $(uci get network.wan.ipaddr) | grep "name =" | head -n1 | cut -d "=" -f 2 | xargs)
mkdir -p /etc/certidude/authority/{{ window.location.hostname }}
grep -c certidude /etc/sysupgrade.conf || echo /etc/certidude >> /etc/sysupgrade.conf
cat << EOF > /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
{{ session.authority.certificate.blob }}
EOF
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
|| openssl {% if session.authority.certificate.algorithm == "ec" %}ecparam -name secp384r1 -genkey -noout -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem{% else %}genrsa -out /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem 2048{% endif %}
test -e /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
|| openssl req -new -sha384 \
-key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem \
-out /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem -subj "/CN=$FQDN"
cat /etc/certidude/authority/{{ window.location.hostname }}/server_req.pem
curl -f -L -H "Content-type: application/pkcs10" \
--data-binary @/etc/certidude/authority/{{ window.location.hostname }}/server_req.pem \
-o /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem \
http://{{ window.location.hostname }}/api/request/?wait=yes
# Create VPN gateway up/down script for reporting client IP addresses to CA
cat <<\EOF > /etc/certidude/authority/{{ window.location.hostname }}/updown
#!/bin/sh
CURL="curl -m 3 -f --key /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem --cert /etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem --cacert /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem https://{{ window.location.hostname }}:8443/api/lease/"
case $PLUTO_VERB in
up-client) $CURL --data-urlencode "outer_address=$PLUTO_PEER" --data-urlencode "inner_address=$PLUTO_PEER_SOURCEIP" --data-urlencode "client=$PLUTO_PEER_ID" ;;
*) ;;
esac
case $script_type in
client-connect) $CURL --data-urlencode client=$X509_0_CN --data-urlencode serial=$tls_serial_0 --data-urlencode outer_address=$untrusted_ip --data-urlencode inner_address=$ifconfig_pool_remote_ip ;;
*) ;;
esac
EOF
chmod +x /etc/certidude/authority/{{ window.location.hostname }}/updown</code></pre>
</div>
<p>Then either set up OpenVPN service:</p>
<div class="highlight">
<pre class="code"><code># Generate Diffie-Hellman parameters file for OpenVPN
test -e /etc/certidude/dh.pem \
|| openssl dhparam 2048 -out /etc/certidude/dh.pem
# Create interface definition for tunnel
uci set network.vpn=interface
uci set network.vpn.name='vpn'
uci set network.vpn.ifname=tun_s2c_udp tun_s2c_tcp
uci set network.vpn.proto='none'
# Create zone definition for VPN interface
uci set firewall.vpn=zone
uci set firewall.vpn.name='vpn'
uci set firewall.vpn.input='ACCEPT'
uci set firewall.vpn.forward='ACCEPT'
uci set firewall.vpn.output='ACCEPT'
uci set firewall.vpn.network='vpn'
# Allow UDP 1194 on WAN interface
uci set firewall.openvpn=rule
uci set firewall.openvpn.name='Allow OpenVPN'
uci set firewall.openvpn.src='wan'
uci set firewall.openvpn.dest_port=1194
uci set firewall.openvpn.proto='udp'
uci set firewall.openvpn.target='ACCEPT'
# Allow TCP 443 on WAN interface
uci set firewall.openvpn=rule
uci set firewall.openvpn.name='Allow OpenVPN over TCP'
uci set firewall.openvpn.src='wan'
uci set firewall.openvpn.dest_port=443
uci set firewall.openvpn.proto='tcp'
uci set firewall.openvpn.target='ACCEPT'
# Forward traffic from VPN to LAN
uci set firewall.c2s=forwarding
uci set firewall.c2s.src='vpn'
uci set firewall.c2s.dest='lan'
# Permit DNS queries from VPN
uci set dhcp.@dnsmasq[0].localservice='0'
touch /etc/config/openvpn
# Configure OpenVPN over TCP
uci set openvpn.s2c_tcp=openvpn
uci set openvpn.s2c_tcp.local=$(uci get network.wan.ipaddr)
uci set openvpn.s2c_tcp.server='10.179.43.0 255.255.255.128'
uci set openvpn.s2c_tcp.proto='tcp-server'
uci set openvpn.s2c_tcp.port='443'
uci set openvpn.s2c_tcp.dev=tun_s2c_tcp
# Configure OpenVPN over UDP
uci set openvpn.s2c_udp=openvpn
uci set openvpn.s2c_udp.local=$(uci get network.wan.ipaddr)
uci set openvpn.s2c_udp.server='10.179.43.128 255.255.255.128'
uci set openvpn.s2c_tcp.dev=tun_s2c_udp
for section in s2c_tcp s2c_udp; do
# Common paths
uci set openvpn.$section.script_security=2
uci set openvpn.$section.client_connect='/etc/certidude/updown'
uci set openvpn.$section.key='/etc/certidude/authority/{{ window.location.hostname }}/server_key.pem'
uci set openvpn.$section.cert='/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem'
uci set openvpn.$section.ca='/etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem'
uci set openvpn.$section.dh='/etc/certidude/dh.pem'
uci set openvpn.$section.enabled=1
# DNS and routes
uci add_list openvpn.$section.push="route-metric 1000"
uci add_list openvpn.$section.push="route $(uci get network.lan.ipaddr) $(uci get network.lan.netmask)"
uci add_list openvpn.$section.push="dhcp-option DNS $(uci get network.lan.ipaddr)"
uci add_list openvpn.$section.push="dhcp-option DOMAIN $(uci get dhcp.@dnsmasq[0].domain)"
# Security hardening
uci set openvpn.$section.tls_version_min='1.2'
uci set openvpn.$section.tls_cipher='TLS-{% if session.authority.certificate.algorithm == "ec" %}ECDHE-ECDSA{% else %}DHE-RSA{% endif %}-WITH-AES-128-GCM-SHA384'
uci set openvpn.$section.cipher='AES-128-GCM'
uci set openvpn.$section.auth='SHA384'
done
/etc/init.d/openvpn restart
/etc/init.d/firewall restart</code></pre>
</div>
<p>Alternatively or additionally set up StrongSwan:</p>
<div class="highlight">
<pre class="code"><code># Generate StrongSwan config
cat > /etc/ipsec.conf << EOF
config setup
strictcrlpolicy=yes
uniqueids = yes
ca {{ window.location.hostname }}
auto=add
cacert = /etc/certidude/authority/{{ window.location.hostname }}/ca_cert.pem
crluri = http://{{ window.location.hostname }}/api/revoked
ocspuri = http://{{ window.location.hostname }}/api/ocsp/
conn s2c
auto=add
dpdaction=clear
closeaction=clear
leftdns=$(uci get network.lan.ipaddr)
rightsourceip=172.21.0.0/24
left=$(uci get network.wan.ipaddr)
leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24
leftcert=/etc/certidude/authority/{{ window.location.hostname }}/server_cert.pem
ike=aes128-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
esp=aes128gcm16!
leftupdown=/etc/certidude/{{ window.location.hostname }}/updown
EOF
echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} /etc/certidude/authority/{{ window.location.hostname }}/server_key.pem" > /etc/ipsec.secrets
ipsec restart</code></pre>
</div>
{% if session.authority.builder %}
<h5>OpenWrt/LEDE image builder</h5>
<p>Hit a link to generate machine specific image. Note that this might take couple minutes to finish.</p>
<ul>
{% for name, title, filename in session.authority.builder.profiles %}
<li><a href="/api/build/{{ name }}/{{ filename }}">{{ title }}</a></li>
{% endfor %}
</ul>
{% endif %}
<h5>SCEP</h5>
<p>Use following as the enrollment URL: http://{{ window.location.hostname }}/cgi-bin/pkiclient.exe</p>
<h5>Copy & paste</h5>
<p>Use whatever tools you have available on your platform to generate
keypair and just paste ASCII armored PEM file contents here and hit submit:</p>
<textarea id="request_body" style="width:100%; min-height: 10em;" placeholder="-----BEGIN CERTIFICATE REQUEST-----"></textarea>
</div>
<div class="modal-footer">
<div class="btn-group">
<button type="button" onclick="onSubmitRequest();" class="btn btn-primary"><i class="fa fa-upload"></i> Submit</button>
<button type="button" class="btn btn-secondary" data-dismiss="modal"><i class="fa fa-ban"></i> Close</button>
</div>
</div>
</form>
</div>
</div>
</div>
<div class="modal fade" id="revocation_list_modal" role="dialog">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h4 class="modal-title">Revocation lists</h4>
</div>
<div class="modal-body">
<p>To fetch <a href="http://{{window.location.hostname}}/api/revoked/">certificate revocation list</a>:</p>
<pre><code>curl http://{{window.location.hostname}}/api/revoked/ > crl.der
curl http://{{window.location.hostname}}/api/revoked/ -L -H "Accept: application/x-pem-file"
curl http://{{window.location.hostname}}/api/revoked/?wait=yes -L -H "Accept: application/x-pem-file" > crl.pem</code></pre>
</div>
<div class="modal-footer">
<button type="button" class="btn" data-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
<section id="about">
<h2>{{ session.user.gn }} {{ session.user.sn }} ({{session.user.name }}) settings</h2>
<p title="Bundles are mainly intended for Android and iOS users">
Click <button id="enroll">here</button> to generate Android or iOS bundle for current user account.</p>
<p>Mails will be sent to: {{ session.user.mail }}</p>
{% if session.authority %}
<h2>Authority certificate</h2>
<p>Several things are hardcoded into the <a href="/api/certificate">certificate</a> and
as such require complete reset of X509 infrastructure if some of them needs to be changed.</p>
<h2>Authority settings</h2>
<p>These can be reconfigured via /etc/certidude/server.conf on the server.</p>
{% if session.authority.mailer %}
<p>Mails will appear from: {{ session.authority.mailer.name }} &lt;{{ session.authority.mailer.address }}&gt;</p>
{% else %}
<p>E-mail disabled</p>
{% endif %}
<p>User enrollment:
{% if session.authority.user_enrollment_allowed %}
{% if session.authority.user_multiple_certificates %}
multiple
{% else %}
single
{% endif %}
allowed
{% else %}
forbidden
{% endif %}
</p>
<p>Machine enrollment:
{% if session.authority.machine_enrollment_allowed %}
allowed
{% else %}
forbidden
{% endif %}
</p>
<p>Certificate attributes:</p>
<ul>
<li>Server certificate lifetime: {{ session.authority.signature.server_certificate_lifetime }} days</li>
<li>Client certificate lifetime: {{ session.authority.signature.client_certificate_lifetime }} days</li>
<li>Revocation list lifetime: {{ session.authority.signature.revocation_list_lifetime }} seconds</li>
</ul>
<p>Authenticated users allowed from:
{% if not session.authority.user_subnets %}
nowhere</p>
{% elif "0.0.0.0/0" in session.authority.user_subnets %}
anywhere</p>
{% else %}
</p>
<ul>
{% for i in session.authority.user_subnets %}
<li>{{ i }}</li>
{% endfor %}
</ul>
{% endif %}
<p>Authority administration is allowed from:
{% if not session.authority.admin_subnets %}
nowhere</p>
{% elif "0.0.0.0/0" in session.authority.admin_subnets %}
anywhere</p>
{% else %}
<ul>
{% for subnet in session.authority.admin_subnets %}
<li>{{ subnet }}</li>
{% endfor %}
</ul>
{% endif %}
<p>Authority administration allowed for:</p>
<ul>
{% for user in session.authority.admin_users %}
<li><a href="mailto:{{ user.mail}}">{{ user.given_name }} {{user.surname }}</a></li>
{% endfor %}
</ul>
</section>
{% else %}
<p>Here you can renew your certificates</p>
{% endif %}
{% set s = session.certificate.identity %}
<div class="row">
<div class="col-sm-6">
<h1>Signed certificates</h1>
<p>Following certificates have been signed:</p>
<div id="signed_certificates">
{% for certificate in session.authority.signed | sort(attribute="signed", reverse=true) %}
{% include "views/signed.html" %}
{% endfor %}
</div>
</div>
<div class="col-sm-6">
{% if session.authority %}
{% if session.features.token %}
<h1>Tokens</h1>
<p>Tokens allow enrolling smartphones and third party devices.</p>
<ul>
<li>You can issue yourself a token to be used on a mobile device</li>
<li>Enter username to issue a token to issue a token for another user</li>
<li>Enter e-mail address to issue a token to guest users outside domain</li>
</ul>
<p>
<div class="input-group">
<input id="token_username" name="username" type="text" class="form-control" placeholder="Username" aria-describedby="sizing-addon2">
<input id="token_mail" name="mail" type="mail" class="form-control" placeholder="Optional e-mail" aria-describedby="sizing-addon2">
<span class="input-group-btn">
<button class="btn btn-secondary" type="button" onClick="onSendToken();"><i class="fa fa-send"></i> Send token</button>
</span>
</div>
</p>
<div id="token_qrcode"></div>
{% endif %}
<h1>Pending requests</h1>
<p>Use Certidude client to apply for a certificate.
{% if not session.authority.request_subnets %}
Request submission disabled.
{% elif "0.0.0.0/0" in session.authority.request_subnets %}
Request submission is enabled.
{% else %}
Request submission allowed from
{% for subnet in session.authority.request_subnets %}{{ subnet }},{% endfor %}.
{% endif %}
{# if session.request_submission_allowed #}
See <a href="#request_submission_modal" data-toggle="modal">here</a> for more information on manual signing request upload.
{# endif #}
{% if session.authority.autosign_subnets %}
{% if "0.0.0.0/0" in session.authority.autosign_subnets %}
All requests are automatically signed.
{% else %}
Requests from
{% for subnet in session.authority.autosign_subnets %}
{{ subnet }},
{% endfor %}
are automatically signed.
{% endif %}
{% endif %}
</p>
<div id="pending_requests">
{% for request in session.authority.requests | sort(attribute="submitted", reverse=true) %}
{% include "views/request.html" %}
{% endfor %}
</div>
<p><h1>Revoked certificates</h1></p>
<p>Following certificates have been revoked,for more information click
<a href="#revocation_list_modal" data-toggle="modal">here</a>.</p>
{% for certificate in session.authority.revoked | sort(attribute="revoked", reverse=true) %}
{% include "views/revoked.html" %}
{% endfor %}
</div>
</div>
<section id="config">
</section>
{% endif %}
Reference in New Issue View Git Blame Copy Permalink