

10 Commits

4 changed files with 49 additions and 64 deletions

16
.drone.yml Normal file

@ -0,0 +1,16 @@
---
kind: pipeline
type: kubernetes
name: default
steps:
- name: docker
image: plugins/docker
settings:
repo: harbor.k-space.ee/${DRONE_REPO}
registry: harbor.k-space.ee
mtu: 1300
username:
from_secret: docker_username
password:
from_secret: docker_password
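Review bot: `image: plugins/docker` on the docker step is unpinned, so every pipeline run pulls whatever the registry currently serves as that plugin's default tag, and a broken or tampered plugin release flows straight into the build that pushes to harbor.k-space.ee; pin it to a version tag or digest, e.g. `image: plugins/docker:<pinned-version>`. The visible hunk also sets no `tags:` for the pushed image (one of the 16 added lines is not shown here, so this may be handled there), in which case the image carries only the plugin's default tag and cannot be traced back to a commit; `tags: ${DRONE_COMMIT_SHA}` would give that traceability. Taking the registry credentials from Drone secrets via `from_secret` rather than inlining them is the right choice.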


@ -88,6 +88,9 @@ function onKeyGen() {
return;
}
console.info("Using hashing algorithm:", window.authority.webcrypto.hash_algorithm);
console.info("Using signature algorithm:", window.authority.webcrypto.signature_algorithm);
let pkcs10 = new CertificationRequest();
// Commonname
@ -103,14 +106,15 @@ function onKeyGen() {
let algorithm;
if (authority.certificate.algorithm == "rsa") {
algorithm = getAlgorithmParameters(
window.authority.certificate.key_type_specific, "generatekey");
window.authority.webcrypto.signature_algorithm, "generatekey");
} else if (authority.certificate.algorithm == "ec") {
algorithm = getAlgorithmParameters("ECDSA", "generatekey");
algorithm.algorithm.namedCurve = window.authority.webcrypto.curve;
} else {
console.error("Unsupported certificate algortihm:", authority.certificate.algorithm);
}
if (authority.certificate.algorithm == "ec") {
algorithm = getAlgorithmParameters(
window.authority.certificate.curve, "generatekey");
}
if ("hash" in algorithm.algorithm)
algorithm.algorithm.hash.name = window.authority.certificate.hash_algorithm;
algorithm.algorithm.hash.name = window.authority.webcrypto.hash_algorithm;
const keyPair = await window.cryptoEngine.generateKey(
algorithm.algorithm, true, algorithm.usages);
@ -119,7 +123,7 @@ function onKeyGen() {
const privateKey = keyPair.privateKey;
await pkcs10.subjectPublicKeyInfo.importKey(publicKey);
await pkcs10.sign(privateKey, window.authority.certificate.hash_algorithm);
await pkcs10.sign(privateKey, window.authority.webcrypto.hash_algorithm);
window.csr = pkcs10;
console.info("Certification request created");
@ -198,16 +202,9 @@ function onEnroll(encoding) {
let privKeyBase64 = await pkijsToBase64(keys.privateKey);
switch(encoding) {
case 'p12':
var p12 = await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm);
var buf = arrayBufferToString(p12.toSchema().toBER(false));
var mimetype = "application/x-pkcs12"
a.download = query.title + ".p12";
break
case 'sswan':
var p12 = arrayBufferToString(
(await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm)).toSchema().toBER(false));
(await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.webcrypto.hash_algorithm)).toSchema().toBER(false));
var buf = JSON.stringify({
uuid: await blobToUuid(authority.namespace),
@ -246,7 +243,7 @@ function onEnroll(encoding) {
var p12 = arrayBufferToString(
(await pkcs12chain(
privKeyBase64, [certBase64, caBase64],
"1234", window.authority.certificate.hash_algorithm))
"1234", window.authority.webcrypto.hash_algorithm))
.toSchema().toBER(false));
var buf = nunjucks.render('snippets/ios.mobileconfig', {
@ -312,12 +309,6 @@ async function onHashChanged() {
success: async function(authority) {
window.authority = authority
// convert "sha512" to "SHA-512"
window.authority.certificate.hash_algorithm =
(window.authority.certificate.hash_algorithm.slice(0,3) +
"-" + window.authority.certificate.hash_algorithm.slice(3))
.toUpperCase();
var prefix = "unknown";
for (i in DEVICE_KEYWORDS) {
var keyword = DEVICE_KEYWORDS[i];
@ -327,14 +318,14 @@ async function onHashChanged() {
}
}
// Device identifier
var dig = await blobToUuid(window.navigator.userAgent);
window.common_name = prefix + "-" + dig.substring(0, 5);
console.info("Device identifier:", common_name);
if (window.location.protocol != "https:") {
$("#view-dashboard").html(env.render('views/insecure.html', {authority:authority}));
} else {
// Device identifier
var dig = await blobToUuid(window.navigator.userAgent);
window.common_name = prefix + "-" + dig.substring(0, 5);
console.info("Device identifier:", common_name);
if (query.action == "enroll") {
$("#view-dashboard").html(env.render('views/enroll.html', {
common_name: common_name,
@ -363,7 +354,9 @@ function onToggleAccessButtonClicked(e) {
var value = $(e.target).attr("data-value") == 'True';
var confirm = window.confirm("Do you want to disable " + cn);
var textValues = {false:"Disable",true:"Enable"}
var confirm = window.confirm("Do you want to " + textValues[value] +" "+ cn);
if (confirm) {
$.ajax({
@ -772,10 +765,10 @@ function loadAuthority(query) {
$("#enroll").click(async function() {
var keys = await window.cryptoEngine.generateKey(
{
name: window.authority.certificate.key_type_specific,
name: window.authority.webcrypto.signature_algorithm,
modulusLength: window.authority.certificate.key_size,
publicExponent: new Uint8Array([1, 0, 1]),
hash: window.authority.certificate.hash_algorithm,
hash: window.authority.webcrypto.hash_algorithm,
},
true,
["encrypt", "decrypt"]);
@ -945,4 +938,4 @@ window.onSubmitRequest = onSubmitRequest;
window.onServerStarted = onServerStarted;
window.onServerStopped = onServerStopped;
window.onIssueToken = onIssueToken;
window.onInstanceAvailabilityUpdated = onInstanceAvailabilityUpdated;
window.onInstanceAvailabilityUpdated = onInstanceAvailabilityUpdated;
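Review bot: In the onKeyGen hunk at `@ -103,14 +106,15`, the `else` branch (new in this hunk, as far as the rendered diff shows) only logs "Unsupported certificate algortihm:" and execution then continues to `if ("hash" in algorithm.algorithm)`, where `algorithm` is still undefined, so the user gets a TypeError instead of the intended message. The branch should leave the function the way the early `return;` at the top of the first hunk already does, and the message has a typo: `console.error("Unsupported certificate algorithm:", authority.certificate.algorithm);` followed by `return;`. That branch and the two `if` conditions read `authority.certificate.algorithm` while the neighbouring new lines use `window.authority.webcrypto.*`; presumably the same global, but worth making consistent. onKeyGen starts and ends outside the hunk.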


@ -22,6 +22,7 @@ Invoke-WebRequest `{% if token %}
-Method PUT `{% else %}
-Uri 'https://{{ authority.namespace }}:8443/api/request/?wait=yes&autosign=yes' `
-Method POST `{% endif %}
-Headers @{'Date' = (Get-Date).ToUniversalTime().ToString("r")} `
-TimeoutSec 900 `
-InFile host_csr.pem `
-ContentType application/pkcs10 `


@ -22,7 +22,7 @@ OS/soft status
<div id="enroll" class="row">
<div class="loader-container">
<div class="loader"></div>
<p>Generating RSA keypair, this will take a while...</p>
<p>Generating keypair, this will take a moment...</p>
</div>
<div class="col-sm-12 mt-3 edge-broken" style="display:none;">
@ -33,18 +33,9 @@ OS/soft status
<div class="col-sm-12 mt-3 option ubuntu linux openvpn">
<div class="card">
<div class="card-block">
<h3 class="card-title">Ubuntu 16.04+</h3>
<h3 class="card-title">Ubuntu 20.04+</h3>
<p class="card-text">Install OpenVPN plugin for NetworkManager by executing following two command in the terminal:
<pre><code># Ubuntu 16.04 ships with older OpenVPN 2.3, to support newer ciphers add OpenVPN's repo
if [ $(lsb_relase -cs) == "xenial" ]; then
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt update
apt install openvpn
fi
sudo apt install -y network-manager-openvpn-gnome
<pre><code>sudo apt install -y network-manager-openvpn-gnome
sudo systemctl restart network-manager
</code></pre>
@ -77,10 +68,10 @@ sudo systemctl restart network-manager
</div>
</div>
<div class="col-sm-12 mt-3 option ubuntu linux openvpn advanced">
<div class="col-sm-12 mt-3 option advanced">
<div class="card">
<div class="card-block">
<h3 class="card-title">Ubuntu 18.04+ (advanced)</h3>
<h3 class="card-title">Ubuntu 20.04+ via OpenVPN (advanced)</h3>
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
<pre><code>{% include "snippets/request-client.sh" %}
cat << EOF > '/etc/NetworkManager/system-connections/OpenVPN to {{ authority.namespace }}'
@ -92,10 +83,10 @@ nmcli con reload
</div>
</div>
<div class="col-sm-12 mt-3 option ubuntu linux ikev2 advanced">
<div class="col-sm-12 mt-3 option advanced">
<div class="card">
<div class="card-block">
<h3 class="card-title">Ubuntu 18.04+ (advanced)</h3>
<h3 class="card-title">Ubuntu 20.04+ via IPSec (advanced)</h3>
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
<pre><code>{% include "snippets/request-client.sh" %}
cat << EOF > '/etc/NetworkManager/system-connections/IPSec to {{ authority.namespace }}'
@ -122,22 +113,6 @@ systemctl restart NetworkManager</code></pre>
</div>
</div>
<div class="col-sm-12 mt-3 option windows ipsec">
<div class="card">
<div class="card-block">
<h3 class="card-title">Windows</h3>
<p class="card-text">
Import PKCS#12 container to your machine trust store.
Import VPN connection profile by moving the downloaded .pbk file to
<pre><code>%userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK</code></pre>
or
<pre><code>C:\ProgramData\Microsoft\Network\Connections\Pbk</code></pre></p>
<a href="javascript:onEnroll('p12');" class="btn btn-primary">Fetch PKCS#12 container</a>
<a href="#" class="btn btn-secondary">Fetch IPSec IKEv2 VPN profile</a>
</div>
</div>
</div>
<div class="col-sm-12 mt-3 option windows ikev2">
<div class="card">
<div class="card-block">