From 93c2e60b36f277eaf1cf73dd9d75a8b06f28f778 Mon Sep 17 00:00:00 2001 From: Ben Greear Date: Tue, 31 Mar 2015 20:14:17 -0400 Subject: [PATCH] HS 2.0R2 CA: Improve setup.sh and .conf for more flexibility This gives more flexibility when generating keys so that users do not have to edit files to generate their own specific keys. Update HS 2.0 OSU server notes as well. Signed-off-by: Ben Greear --- hs20/server/ca/clean.sh | 5 +- hs20/server/ca/openssl-root.cnf | 4 +- hs20/server/ca/openssl.cnf | 20 +++--- hs20/server/ca/setup.sh | 118 +++++++++++++++++++++++++++----- hs20/server/hs20-osu-server.txt | 61 +++++++++++++++++ 5 files changed, 178 insertions(+), 30 deletions(-) diff --git a/hs20/server/ca/clean.sh b/hs20/server/ca/clean.sh index c69a1f54c..c72dcbda4 100755 --- a/hs20/server/ca/clean.sh +++ b/hs20/server/ca/clean.sh @@ -5,6 +5,9 @@ for i in server-client server server-revoked user ocsp; do done rm -f openssl.cnf.tmp -rm -r demoCA +if [ -d demoCA ]; then + rm -r demoCA +fi rm -f ca.pem logo.asn1 logo.der server.der ocsp-server-cache.der +rm -f my-openssl.cnf my-openssl-root.cnf #rm -r rootCA diff --git a/hs20/server/ca/openssl-root.cnf b/hs20/server/ca/openssl-root.cnf index 5b220fe80..5bc50be1d 100644 --- a/hs20/server/ca/openssl-root.cnf +++ b/hs20/server/ca/openssl-root.cnf @@ -69,8 +69,8 @@ distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert -input_password = whatever -output_password = whatever +input_password = @PASSWORD@ +output_password = @PASSWORD@ string_mask = utf8only diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf index a939f081e..614101383 100644 --- a/hs20/server/ca/openssl.cnf +++ b/hs20/server/ca/openssl.cnf 
@@ -80,8 +80,8 @@ distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert -input_password = whatever -output_password = whatever +input_password = @PASSWORD@ +output_password = @PASSWORD@ string_mask = utf8only @@ -95,7 +95,7 @@ localityName = Locality Name (eg, city) localityName_default = Tuusula 0.organizationName = Organization Name (eg, company) -0.organizationName_default = w1.fi +0.organizationName_default = @DOMAIN@ ##organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, cRLSign, keyCertSign -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ +authorityInfoAccess = OCSP;URI:@OCSP_URI@ # For SP intermediate CA #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU -#nameConstraints=permitted;DNS:.w1.fi +#nameConstraints=permitted;DNS:.@DOMAIN@ #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn [ v3_osu_server ] @@ -150,16 +150,16 @@ value1=SEQUENCE:HashAlgAndValueSHA256 #value2=SEQUENCE:HashAlgAndValueSHA1 [HashAlgAndValueSHA256] hashAlg=SEQUENCE:sha256_alg -hashValue=FORMAT:HEX,OCTETSTRING:4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d +hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@ [HashAlgAndValueSHA1] hashAlg=SEQUENCE:sha1_alg -hashValue=FORMAT:HEX,OCTETSTRING:5e1d5085676eede6b02da14d31c523ec20ffba0b +hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@ [sha256_alg] algorithm=OID:sha256 [sha1_alg] algorithm=OID:sha1 [URI] -uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png +uri=IA5STRING:@LOGO_URI@ [LogotypeImageInfo] # default value color(1), component optional #type=IMP:0,INTEGER:1 
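Review bot: In the `@@ -95` hunk, `0.organizationName_default = @DOMAIN@` turns the O= field of every subject into a DNS name, while setup.sh introduces a separate `COMPANY` value (used for the intermediate CA CN) that looks like the intended operator name; rendering O= from a `@COMPANY@` placeholder and substituting it next to `@DOMAIN@` would keep the organization and hostname roles distinct. This is hedged: the option parser in setup.sh is not legible in this view, so it is unclear whether COMPANY can even be set from the command line. Separately, `authorityInfoAccess = OCSP;URI:@OCSP_URI@` and the logo URI are rendered by setup.sh with comma-delimited `sed` expressions, so a URI containing `,` would be silently mangled in the rendered config.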
@@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning basicConstraints=CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ +authorityInfoAccess = OCSP;URI:@OCSP_URI@ #@ALTNAME@ extendedKeyUsage = clientAuth @@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth basicConstraints=critical, CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ +authorityInfoAccess = OCSP;URI:@OCSP_URI@ #@ALTNAME@ extendedKeyUsage = critical, serverAuth keyUsage = critical, keyEncipherment diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh index f61bf73b6..78abcccff 100755 --- a/hs20/server/ca/setup.sh +++ b/hs20/server/ca/setup.sh 
@@ -5,6 +5,67 @@ if [ -z "$OPENSSL" ]; then fi export OPENSSL_CONF=$PWD/openssl.cnf PASS=whatever +if [ -z "$DOMAIN" ]; then + DOMAIN=w1.fi +fi +COMPANY=w1.fi +OPER_ENG="engw1.fi TESTING USE" +OPER_FI="finw1.fi TESTIKÄYTTÖ" +CNR="Hotspot 2.0 Trust Root CA - 99" +CNO="ocsp.$DOMAIN" +CNV="osu-revoked.$DOMAIN" +CNOC="osu-client.$DOMAIN" +OSU_SERVER_HOSTNAME="osu.$DOMAIN" +DEBUG=0 +OCSP_URI="http://$CNO:8888/" +LOGO_URI="http://osu.w1.fi/w1fi_logo.png" +LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d" +LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b" + +# Command line overrides +USAGE=$( cat < openssl.cnf.tmp +if [ $DEBUG = 1 ] +then + set -x +fi + +# Set the passphrase and some other common config accordingly. +cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \ + > my-openssl-root.cnf + +cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" | +sed "s,@OCSP_URI@,$OCSP_URI," | +sed "s,@LOGO_URI@,$LOGO_URI," | +sed "s,@LOGO_HASH1@,$LOGO_HASH1," | +sed "s,@LOGO_HASH256@,$LOGO_HASH256," | +sed "s/@DOMAIN@/$DOMAIN/" \ + > my-openssl.cnf + + +cat my-openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private touch rootCA/index.txt if [ -e rootCA/private/cakey.pem ]; then 
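Review bot: With `DEBUG=1` the `set -x` is turned on before the two `sed "s/@PASSWORD@/$PASS/"` renders, so the trace prints the CA passphrase expanded on the command line, and the rendered `my-openssl.cnf`/`my-openssl-root.cnf` then hold it in plaintext under whatever umask the caller has. I would put `umask 077` ahead of the rendering and, if tracing must stay, move `set -x` below those two commands. The substitutions also break silently if the passphrase contains `/` or `&` or a URI contains `,`; a guard such as `case "$PASS" in */*|*\&*) fail "unsupported character in passphrase";; esac` at least makes that loud. The option parsing between the USAGE heredoc and the rendering is not legible in this view, so whether `-p` already validates its argument cannot be checked here.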
@@ -26,6 +105,8 @@ else $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key" echo " * Sign Root CA certificate" $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate" + $OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER" + sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint" fi if [ ! -e rootCA/crlnumber ]; then echo 00 > rootCA/crlnumber @@ -35,7 +116,7 @@ echo echo "---[ Intermediate CA ]--------------------------------------------------" echo -cat openssl.cnf | sed "s/#@CN@/commonName_default = w1.fi Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp +cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private touch demoCA/index.txt if [ -e demoCA/private/cakey.pem ]; then 
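Review bot: The new fingerprint line depends on coreutils `sha256sum`, the only hashing tool in the script not routed through `$OPENSSL`; on macOS/BSD it is absent, so `fail "Failed to create rootCA fingerprint"` would fire after the root CA has already been written. `$OPENSSL x509 -in rootCA/cacert.pem -noout -fingerprint -sha256 > rootCA/cacert.fingerprint` yields the same SHA-256 over the DER encoding (colon-separated hex) without the extra dependency, and avoids embedding the file path in the output. The `else` branch these lines sit in starts outside the hunk.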
@@ -47,6 +128,8 @@ else $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate" # horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS + $OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER." + sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint" fi if [ ! -e demoCA/crlnumber ]; then echo 00 > demoCA/crlnumber 
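Review bot: The intermediate CA fingerprint has the same portability gap as the root: `sha256sum` is not abstracted behind `$OPENSSL`, and `$OPENSSL x509 -in demoCA/cacert.pem -noout -fingerprint -sha256 > demoCA/cacert.fingerprint` would compute the same digest with the tool the script already requires. As a style point, `"Failed to create demoCA DER."` is the only fail message in the script with a trailing period; drop it to match the others. The `else` branch enclosing these lines starts outside the hunk.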
@@ -56,45 +139,46 @@ echo echo "OCSP responder" echo -cat openssl.cnf | sed "s/#@CN@/commonName_default = ocsp.w1.fi/" > openssl.cnf.tmp +cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP -$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem" echo echo "---[ Server - to be revoked ] ------------------------------------------" echo -cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-revoked.w1.fi/" > openssl.cnf.tmp +cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server $OPENSSL ca -revoke server-revoked.pem -key $PASS echo echo "---[ Server - with client ext key use ] ---------------------------------" +echo "---[ Only used for negative-testing for OSU-client implementation ] -----" echo -cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-client.w1.fi/" > openssl.cnf.tmp -$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key -$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client +cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp +$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new 
-newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key" +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem" echo echo "---[ User ]-------------------------------------------------------------" echo -cat openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp -$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key -$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client +cat my-openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp +$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key" +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create user.pem" echo echo "---[ Server ]-----------------------------------------------------------" echo -ALT="DNS:osu.w1.fi" -ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE" -ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ" +ALT="DNS:$OSU_SERVER_HOSTNAME" +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG" +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI" -cat openssl.cnf | - sed "s/#@CN@/commonName_default = osu.w1.fi/" | +cat my-openssl.cnf | + sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" | sed "s/^##organizationalUnitName/organizationalUnitName/" | sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" | sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \ 
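Review bot: The `|| fail` guards added for the OCSP, server-client and user steps are not applied to the three server-revoked commands (`$OPENSSL req ... -keyout server-revoked.key`, `$OPENSSL ca ... -extensions ext_server`, `$OPENSSL ca -revoke server-revoked.pem -key $PASS`), so a failure there is silent and the CRL generated later simply lacks the revocation the test relies on. The `-revoke` call also passes no `-config`, so it runs against `$OPENSSL_CONF`, which is still the unrendered `openssl.cnf` template; that probably works because the [ca] paths are not templated, but the CRL hunk below already switched to the rendered file, so `$OPENSSL ca -config $PWD/my-openssl.cnf -revoke server-revoked.pem -key $PASS || fail "Could not revoke server-revoked.pem"` keeps the two consistent. The `cat my-openssl.cnf | sed ...` pipeline at the end of the hunk continues past the hunk boundary.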
@@ -113,7 +197,7 @@ echo echo "---[ CRL ]---------------------------------------------------------------" echo -$OPENSSL ca -config $PWD/openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS +$OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS echo echo "---[ Verify ]------------------------------------------------------------" diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt index 80985f730..001d6f25f 100644 --- a/hs20/server/hs20-osu-server.txt +++ b/hs20/server/hs20-osu-server.txt @@ -100,6 +100,21 @@ sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt # the examples as-is for initial testing). cp -r www /home/user/hs20-server +# Build local keys and certs +cd ca +# Display help options. +./setup.sh -h + +# Remove old keys, fill in appropriate values, and generate your keys. +# For instance: +./clean.sh +rm -fr rootCA" +old_hostname=myserver.local +./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \ + -I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \ + -O $old_hostname-oscp -p lanforge -S $old_hostname \ + -V $old_hostname-osu-revoked \ + -m local -u http://$old_hostname:8888/ # Configure subscription policies mkdir -p /home/user/hs20-server/spp/policy 
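Review bot: CRL generation is the one remaining step in setup.sh without an error guard; if `-gencrl` fails (wrong passphrase, missing demoCA/index.txt) the script continues into the verify section with a stale or absent `demoCA/crl/crl.pem`. `$OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS || fail "Failed to generate CRL"` matches the guards added elsewhere in this commit.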
@@ -156,6 +171,50 @@ cd /home/user/hs20-server/AS ./hostapd -B as-sql.conf +OSEN RADIUS server configuration notes + +The OSEN RADIUS server config file should have the 'ocsp_stapling_response' +configuration in it. For example: + +# hostapd-radius config for the radius used by the OSEN AP +interface=eth0#0 +driver=none +logger_syslog=-1 +logger_syslog_level=2 +logger_stdout=-1 +logger_stdout_level=2 +ctrl_interface=/var/run/hostapd +ctrl_interface_group=0 +eap_server=1 +eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user +server_id=ben-ota-2-osen +radius_server_auth_port=1811 +radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients + +ca_cert=/home/user/hs20-server/ca/ca.pem +server_cert=/home/user/hs20-server/ca/server.pem +private_key=/home/user/hs20-server/ca/server.key +private_key_passwd=whatever + +ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der + +The /home/user/hs20-server/AS/hostapd-osen.eap_user file should look +similar to this, and should coorelate with the osu_nai entry in +the non-OSEN VAP config file. For instance: + +# cat hostapd-osen.eap_user +# For OSEN authentication (Hotspot 2.0 Release 2) +"osen@w1.fi" WFA-UNAUTH-TLS + + +# Run OCSP server: +cd /home/user/hs20-server/ca +./ocsp-responder.sh& + +# Update cache (This should be run periodically) +./ocsp-update-cache.sh + + Configure web server -------------------- @@ -172,6 +231,8 @@ Add following block just before "SSL Engine Switch" line": Update SSL configuration to use the OSU server certificate/key. +They keys and certs are called 'server.key' and 'server.pem' from +ca/setup.sh. Enable default-ssl site and restart Apache2: sudo a2ensite default-ssl