Compare commits
No commits in common. "master" and "ec-key-support" have entirely different histories.
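--- a/.drone.yml
+++ b/.drone.yml
@@ -1,16 +0,0 @@
----
-kind: pipeline
-type: kubernetes
-name: default
-
-steps:
-- name: docker
-image: plugins/docker
-settings:
-repo: harbor.k-space.ee/${DRONE_REPO}
-registry: harbor.k-space.ee
-mtu: 1300
-username:
-from_secret: docker_username
-password:
-from_secret: docker_password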
@ -88,9 +88,6 @@ function onKeyGen() {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
console.info("Using hashing algorithm:", window.authority.webcrypto.hash_algorithm);
|
|
||||||
console.info("Using signature algorithm:", window.authority.webcrypto.signature_algorithm);
|
|
||||||
|
|
||||||
let pkcs10 = new CertificationRequest();
|
let pkcs10 = new CertificationRequest();
|
||||||
|
|
||||||
// Commonname
|
// Commonname
|
||||||
@ -106,15 +103,14 @@ function onKeyGen() {
|
|||||||
let algorithm;
|
let algorithm;
|
||||||
if (authority.certificate.algorithm == "rsa") {
|
if (authority.certificate.algorithm == "rsa") {
|
||||||
algorithm = getAlgorithmParameters(
|
algorithm = getAlgorithmParameters(
|
||||||
window.authority.webcrypto.signature_algorithm, "generatekey");
|
window.authority.certificate.key_type_specific, "generatekey");
|
||||||
} else if (authority.certificate.algorithm == "ec") {
|
|
||||||
algorithm = getAlgorithmParameters("ECDSA", "generatekey");
|
|
||||||
algorithm.algorithm.namedCurve = window.authority.webcrypto.curve;
|
|
||||||
} else {
|
|
||||||
console.error("Unsupported certificate algortihm:", authority.certificate.algorithm);
|
|
||||||
}
|
}
|
||||||
|
if (authority.certificate.algorithm == "ec") {
|
||||||
algorithm.algorithm.hash.name = window.authority.webcrypto.hash_algorithm;
|
algorithm = getAlgorithmParameters(
|
||||||
|
window.authority.certificate.curve, "generatekey");
|
||||||
|
}
|
||||||
|
if ("hash" in algorithm.algorithm)
|
||||||
|
algorithm.algorithm.hash.name = window.authority.certificate.hash_algorithm;
|
||||||
|
|
||||||
const keyPair = await window.cryptoEngine.generateKey(
|
const keyPair = await window.cryptoEngine.generateKey(
|
||||||
algorithm.algorithm, true, algorithm.usages);
|
algorithm.algorithm, true, algorithm.usages);
|
||||||
@ -123,7 +119,7 @@ function onKeyGen() {
|
|||||||
const privateKey = keyPair.privateKey;
|
const privateKey = keyPair.privateKey;
|
||||||
|
|
||||||
await pkcs10.subjectPublicKeyInfo.importKey(publicKey);
|
await pkcs10.subjectPublicKeyInfo.importKey(publicKey);
|
||||||
await pkcs10.sign(privateKey, window.authority.webcrypto.hash_algorithm);
|
await pkcs10.sign(privateKey, window.authority.certificate.hash_algorithm);
|
||||||
window.csr = pkcs10;
|
window.csr = pkcs10;
|
||||||
console.info("Certification request created");
|
console.info("Certification request created");
|
||||||
|
|
||||||
@ -202,9 +198,16 @@ function onEnroll(encoding) {
|
|||||||
let privKeyBase64 = await pkijsToBase64(keys.privateKey);
|
let privKeyBase64 = await pkijsToBase64(keys.privateKey);
|
||||||
|
|
||||||
switch(encoding) {
|
switch(encoding) {
|
||||||
|
case 'p12':
|
||||||
|
var p12 = await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm);
|
||||||
|
|
||||||
|
var buf = arrayBufferToString(p12.toSchema().toBER(false));
|
||||||
|
var mimetype = "application/x-pkcs12"
|
||||||
|
a.download = query.title + ".p12";
|
||||||
|
break
|
||||||
case 'sswan':
|
case 'sswan':
|
||||||
var p12 = arrayBufferToString(
|
var p12 = arrayBufferToString(
|
||||||
(await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.webcrypto.hash_algorithm)).toSchema().toBER(false));
|
(await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm)).toSchema().toBER(false));
|
||||||
|
|
||||||
var buf = JSON.stringify({
|
var buf = JSON.stringify({
|
||||||
uuid: await blobToUuid(authority.namespace),
|
uuid: await blobToUuid(authority.namespace),
|
||||||
@ -243,7 +246,7 @@ function onEnroll(encoding) {
|
|||||||
var p12 = arrayBufferToString(
|
var p12 = arrayBufferToString(
|
||||||
(await pkcs12chain(
|
(await pkcs12chain(
|
||||||
privKeyBase64, [certBase64, caBase64],
|
privKeyBase64, [certBase64, caBase64],
|
||||||
"1234", window.authority.webcrypto.hash_algorithm))
|
"1234", window.authority.certificate.hash_algorithm))
|
||||||
.toSchema().toBER(false));
|
.toSchema().toBER(false));
|
||||||
|
|
||||||
var buf = nunjucks.render('snippets/ios.mobileconfig', {
|
var buf = nunjucks.render('snippets/ios.mobileconfig', {
|
||||||
@ -309,6 +312,12 @@ async function onHashChanged() {
|
|||||||
success: async function(authority) {
|
success: async function(authority) {
|
||||||
window.authority = authority
|
window.authority = authority
|
||||||
|
|
||||||
|
// convert "sha512" to "SHA-512"
|
||||||
|
window.authority.certificate.hash_algorithm =
|
||||||
|
(window.authority.certificate.hash_algorithm.slice(0,3) +
|
||||||
|
"-" + window.authority.certificate.hash_algorithm.slice(3))
|
||||||
|
.toUpperCase();
|
||||||
|
|
||||||
var prefix = "unknown";
|
var prefix = "unknown";
|
||||||
for (i in DEVICE_KEYWORDS) {
|
for (i in DEVICE_KEYWORDS) {
|
||||||
var keyword = DEVICE_KEYWORDS[i];
|
var keyword = DEVICE_KEYWORDS[i];
|
||||||
@ -318,14 +327,14 @@ async function onHashChanged() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Device identifier
|
||||||
|
var dig = await blobToUuid(window.navigator.userAgent);
|
||||||
|
window.common_name = prefix + "-" + dig.substring(0, 5);
|
||||||
|
console.info("Device identifier:", common_name);
|
||||||
|
|
||||||
if (window.location.protocol != "https:") {
|
if (window.location.protocol != "https:") {
|
||||||
$("#view-dashboard").html(env.render('views/insecure.html', {authority:authority}));
|
$("#view-dashboard").html(env.render('views/insecure.html', {authority:authority}));
|
||||||
} else {
|
} else {
|
||||||
// Device identifier
|
|
||||||
var dig = await blobToUuid(window.navigator.userAgent);
|
|
||||||
window.common_name = prefix + "-" + dig.substring(0, 5);
|
|
||||||
console.info("Device identifier:", common_name);
|
|
||||||
|
|
||||||
if (query.action == "enroll") {
|
if (query.action == "enroll") {
|
||||||
$("#view-dashboard").html(env.render('views/enroll.html', {
|
$("#view-dashboard").html(env.render('views/enroll.html', {
|
||||||
common_name: common_name,
|
common_name: common_name,
|
||||||
@ -354,9 +363,7 @@ function onToggleAccessButtonClicked(e) {
|
|||||||
|
|
||||||
var value = $(e.target).attr("data-value") == 'True';
|
var value = $(e.target).attr("data-value") == 'True';
|
||||||
|
|
||||||
var textValues = {false:"Disable",true:"Enable"}
|
var confirm = window.confirm("Do you want to disable " + cn);
|
||||||
|
|
||||||
var confirm = window.confirm("Do you want to " + textValues[value] +" "+ cn);
|
|
||||||
|
|
||||||
if (confirm) {
|
if (confirm) {
|
||||||
$.ajax({
|
$.ajax({
|
||||||
@ -765,10 +772,10 @@ function loadAuthority(query) {
|
|||||||
$("#enroll").click(async function() {
|
$("#enroll").click(async function() {
|
||||||
var keys = await window.cryptoEngine.generateKey(
|
var keys = await window.cryptoEngine.generateKey(
|
||||||
{
|
{
|
||||||
name: window.authority.webcrypto.signature_algorithm,
|
name: window.authority.certificate.key_type_specific,
|
||||||
modulusLength: window.authority.certificate.key_size,
|
modulusLength: window.authority.certificate.key_size,
|
||||||
publicExponent: new Uint8Array([1, 0, 1]),
|
publicExponent: new Uint8Array([1, 0, 1]),
|
||||||
hash: window.authority.webcrypto.hash_algorithm,
|
hash: window.authority.certificate.hash_algorithm,
|
||||||
},
|
},
|
||||||
true,
|
true,
|
||||||
["encrypt", "decrypt"]);
|
["encrypt", "decrypt"]);
|
||||||
@ -938,4 +945,4 @@ window.onSubmitRequest = onSubmitRequest;
|
|||||||
window.onServerStarted = onServerStarted;
|
window.onServerStarted = onServerStarted;
|
||||||
window.onServerStopped = onServerStopped;
|
window.onServerStopped = onServerStopped;
|
||||||
window.onIssueToken = onIssueToken;
|
window.onIssueToken = onIssueToken;
|
||||||
window.onInstanceAvailabilityUpdated = onInstanceAvailabilityUpdated;
|
window.onInstanceAvailabilityUpdated = onInstanceAvailabilityUpdated;
|
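Review bot: In the onKeyGen hunk (`@ -106,15 +103,14 @@`) the new side drops the `else` branch that reported an unsupported `authority.certificate.algorithm`, so for any value other than "rsa" or "ec" `algorithm` stays undefined and the following `"hash" in algorithm.algorithm` throws a bare TypeError; keep an explicit branch such as `else { throw new Error("Unsupported certificate algorithm: " + authority.certificate.algorithm); }`. The EC branch now passes `window.authority.certificate.curve` as the first argument of `getAlgorithmParameters`, whereas the removed code passed the algorithm name `"ECDSA"` and set `algorithm.algorithm.namedCurve` separately, so unless `certificate.curve` actually holds an algorithm name the returned parameters will not carry the curve — worth confirming against what the server puts in that field. In the onToggleAccessButtonClicked hunk the prompt `window.confirm("Do you want to disable " + cn)` ignores the `value` computed two lines above, so the user is asked about disabling even when the click enables access. The new `'p12'` case in onEnroll wraps the private key in a PKCS#12 container with an empty password (`""`), as the existing 'sswan' case does, but this one is written to disk for import into the Windows trust store, so a user-supplied passphrase would be the safer default. onKeyGen, onEnroll and onToggleAccessButtonClicked all start and end outside their hunks.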
@ -22,7 +22,6 @@ Invoke-WebRequest `{% if token %}
|
|||||||
-Method PUT `{% else %}
|
-Method PUT `{% else %}
|
||||||
-Uri 'https://{{ authority.namespace }}:8443/api/request/?wait=yes&autosign=yes' `
|
-Uri 'https://{{ authority.namespace }}:8443/api/request/?wait=yes&autosign=yes' `
|
||||||
-Method POST `{% endif %}
|
-Method POST `{% endif %}
|
||||||
-Headers @{'Date' = (Get-Date).ToUniversalTime().ToString("r")} `
|
|
||||||
-TimeoutSec 900 `
|
-TimeoutSec 900 `
|
||||||
-InFile host_csr.pem `
|
-InFile host_csr.pem `
|
||||||
-ContentType application/pkcs10 `
|
-ContentType application/pkcs10 `
|
||||||
|
@ -22,7 +22,7 @@ OS/soft status
|
|||||||
<div id="enroll" class="row">
|
<div id="enroll" class="row">
|
||||||
<div class="loader-container">
|
<div class="loader-container">
|
||||||
<div class="loader"></div>
|
<div class="loader"></div>
|
||||||
<p>Generating keypair, this will take a moment...</p>
|
<p>Generating RSA keypair, this will take a while...</p>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="col-sm-12 mt-3 edge-broken" style="display:none;">
|
<div class="col-sm-12 mt-3 edge-broken" style="display:none;">
|
||||||
@ -33,9 +33,18 @@ OS/soft status
|
|||||||
<div class="col-sm-12 mt-3 option ubuntu linux openvpn">
|
<div class="col-sm-12 mt-3 option ubuntu linux openvpn">
|
||||||
<div class="card">
|
<div class="card">
|
||||||
<div class="card-block">
|
<div class="card-block">
|
||||||
<h3 class="card-title">Ubuntu 20.04+</h3>
|
<h3 class="card-title">Ubuntu 16.04+</h3>
|
||||||
<p class="card-text">Install OpenVPN plugin for NetworkManager by executing following two command in the terminal:
|
<p class="card-text">Install OpenVPN plugin for NetworkManager by executing following two command in the terminal:
|
||||||
<pre><code>sudo apt install -y network-manager-openvpn-gnome
|
|
||||||
|
<pre><code># Ubuntu 16.04 ships with older OpenVPN 2.3, to support newer ciphers add OpenVPN's repo
|
||||||
|
if [ $(lsb_relase -cs) == "xenial" ]; then
|
||||||
|
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
|
||||||
|
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
|
||||||
|
apt update
|
||||||
|
apt install openvpn
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo apt install -y network-manager-openvpn-gnome
|
||||||
sudo systemctl restart network-manager
|
sudo systemctl restart network-manager
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
@ -68,10 +77,10 @@ sudo systemctl restart network-manager
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="col-sm-12 mt-3 option advanced">
|
<div class="col-sm-12 mt-3 option ubuntu linux openvpn advanced">
|
||||||
<div class="card">
|
<div class="card">
|
||||||
<div class="card-block">
|
<div class="card-block">
|
||||||
<h3 class="card-title">Ubuntu 20.04+ via OpenVPN (advanced)</h3>
|
<h3 class="card-title">Ubuntu 18.04+ (advanced)</h3>
|
||||||
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
|
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
|
||||||
<pre><code>{% include "snippets/request-client.sh" %}
|
<pre><code>{% include "snippets/request-client.sh" %}
|
||||||
cat << EOF > '/etc/NetworkManager/system-connections/OpenVPN to {{ authority.namespace }}'
|
cat << EOF > '/etc/NetworkManager/system-connections/OpenVPN to {{ authority.namespace }}'
|
||||||
@ -83,10 +92,10 @@ nmcli con reload
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="col-sm-12 mt-3 option advanced">
|
<div class="col-sm-12 mt-3 option ubuntu linux ikev2 advanced">
|
||||||
<div class="card">
|
<div class="card">
|
||||||
<div class="card-block">
|
<div class="card-block">
|
||||||
<h3 class="card-title">Ubuntu 20.04+ via IPSec (advanced)</h3>
|
<h3 class="card-title">Ubuntu 18.04+ (advanced)</h3>
|
||||||
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
|
<p class="card-text">Copy-paste follownig to terminal as root user:</p>
|
||||||
<pre><code>{% include "snippets/request-client.sh" %}
|
<pre><code>{% include "snippets/request-client.sh" %}
|
||||||
cat << EOF > '/etc/NetworkManager/system-connections/IPSec to {{ authority.namespace }}'
|
cat << EOF > '/etc/NetworkManager/system-connections/IPSec to {{ authority.namespace }}'
|
||||||
@ -113,6 +122,22 @@ systemctl restart NetworkManager</code></pre>
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
<div class="col-sm-12 mt-3 option windows ipsec">
|
||||||
|
<div class="card">
|
||||||
|
<div class="card-block">
|
||||||
|
<h3 class="card-title">Windows</h3>
|
||||||
|
<p class="card-text">
|
||||||
|
Import PKCS#12 container to your machine trust store.
|
||||||
|
Import VPN connection profile by moving the downloaded .pbk file to
|
||||||
|
<pre><code>%userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK</code></pre>
|
||||||
|
or
|
||||||
|
<pre><code>C:\ProgramData\Microsoft\Network\Connections\Pbk</code></pre></p>
|
||||||
|
<a href="javascript:onEnroll('p12');" class="btn btn-primary">Fetch PKCS#12 container</a>
|
||||||
|
<a href="#" class="btn btn-secondary">Fetch IPSec IKEv2 VPN profile</a>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
<div class="col-sm-12 mt-3 option windows ikev2">
|
<div class="col-sm-12 mt-3 option windows ikev2">
|
||||||
<div class="card">
|
<div class="card">
|
||||||
<div class="card-block">
|
<div class="card-block">
|
||||||
|
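Review bot: The Ubuntu 16.04 snippet added in the `@ -33,9 +33,18 @@` hunk tests `$(lsb_relase -cs)` — `lsb_release` is misspelled, so the command fails, the unquoted empty expansion leaves `[ == "xenial" ]`, and the xenial block is skipped with a shell error on every system; change it to `if [ "$(lsb_release -cs)" = "xenial" ]; then`. The same block writes `/etc/apt/sources.list.d/openvpn-aptrepo.list` and runs `apt-key add`, `apt update` and `apt install` without `sudo`, while the lines after it do use `sudo`, so pasted by a normal user the repository setup fails before the package install. Piping the fetched key into `apt-key add -` also makes it trusted for every configured source; a keyring file under `/etc/apt/trusted.gpg.d/` (or a `signed-by=` option on the sources entry) limits it to this repository. In the Windows card added in the last hunk, `<a href="#" class="btn btn-secondary">Fetch IPSec IKEv2 VPN profile</a>` is a dead link although the paragraph above tells the user to move "the downloaded .pbk file"; either wire it to a handler or mark it as not yet available. That card also nests `<pre>` inside `<p>`, which browsers close early, leaving the closing `</p>` stray.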