Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 4b78669686
Branches Tags
krackattacks
/
hs20
/
server
/
ca
/
setup.sh

setup.sh 8.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. #!/bin/sh
    2. 

  2. 

  3. if [ -z "$OPENSSL" ]; then
    4. 

  4.     OPENSSL=openssl
    5. 

  5. fi
    6. 

  6. export OPENSSL_CONF=$PWD/openssl.cnf
    7. 

  7. PASS=whatever
    8. 

  8. if [ -z "$DOMAIN" ]; then
    9. 

  9.     DOMAIN=w1.fi
    10. 

  10. fi
    11. 

  11. COMPANY=w1.fi
    12. 

  12. OPER_ENG="engw1.fi TESTING USE"
    13. 

  13. OPER_FI="finw1.fi TESTIKÄYTTÖ"
    14. 

  14. CNR="Hotspot 2.0 Trust Root CA - 99"
    15. 

  15. CNO="ocsp.$DOMAIN"
    16. 

  16. CNV="osu-revoked.$DOMAIN"
    17. 

  17. CNOC="osu-client.$DOMAIN"
    18. 

  18. OSU_SERVER_HOSTNAME="osu.$DOMAIN"
    19. 

  19. DEBUG=0
    20. 

  20. OCSP_URI="http://$CNO:8888/"
    21. 

  21. LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
    22. 

  22. LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
    23. 

  23. LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"
    24. 

  24. 

  25. # Command line overrides
    26. 

  26. USAGE=$( cat <<EOF
    27. 

  27. Usage:\n
    28. 

  28. # -c:  Company name, used to generate Subject name CN for Intermediate CA\n
    29. 

  29. # -C:  Subject name CN of the Root CA ($CNR)\n
    30. 

  30. # -D:  Enable debugging (set -x, etc)\n
    31. 

  31. # -g:  Logo sha1 hash ($LOGO_HASH1)\n
    32. 

  32. # -G:  Logo sha256 hash ($LOGO_HASH256)\n
    33. 

  33. # -h:  Show this help message\n
    34. 

  34. # -l:  Logo URI ($LOGO_URI)\n
    35. 

  35. # -m:  Domain ($DOMAIN)\n
    36. 

  36. # -o:  Subject name CN for OSU-Client Server ($CNOC)\n
    37. 

  37. # -O:  Subject name CN for OCSP Server ($CNO)\n
    38. 

  38. # -p:  passphrase for private keys ($PASS)\n
    39. 

  39. # -r:  Operator-english ($OPER_ENG)\n
    40. 

  40. # -R:  Operator-finish ($OPER_FI)\n
    41. 

  41. # -S:  OSU Server name ($OSU_SERVER_HOSTNAME)\n
    42. 

  42. # -u:  OCSP-URI ($OCSP_URI)\n
    43. 

  43. # -V:  Subject name CN for OSU-Revoked Server ($CNV)\n
    44. 

  44. EOF
    45. 

  45. )
    46. 

  46. 

  47. while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag
    48. 

  48.   do
    49. 

  49.   case $flag in
    50. 

  50.       c) COMPANY=$OPTARG;;
    51. 

  51.       C) CNR=$OPTARG;;
    52. 

  52.       D) DEBUG=1;;
    53. 

  53.       g) LOGO_HASH1=$OPTARG;;
    54. 

  54.       G) LOGO_HASH256=$OPTARG;;
    55. 

  55.       h) echo -e $USAGE; exit 0;;
    56. 

  56.       l) LOGO_URI=$OPTARG;;
    57. 

  57.       m) DOMAIN=$OPTARG;;
    58. 

  58.       o) CNOC=$OPTARG;;
    59. 

  59.       O) CNO=$OPTARG;;
    60. 

  60.       p) PASS=$OPTARG;;
    61. 

  61.       r) OPER_ENG=$OPTARG;;
    62. 

  62.       R) OPER_FI=$OPTARG;;
    63. 

  63.       S) OSU_SERVER_HOSTNAME=$OPTARG;;
    64. 

  64.       u) OCSP_URI=$OPTARG;;
    65. 

  65.       V) CNV=$OPTARG;;
    66. 

  66.       *) echo "Unknown flag: $flag"; echo -e $USAGE; exit 1;;
    67. 

  67.   esac
    68. 

  68. done
    69. 

  69. 

  70. fail()
    71. 

  71. {
    72. 

  72.     echo "$*"
    73. 

  73.     exit 1
    74. 

  74. }
    75. 

  75. 

  76. echo
    77. 

  77. echo "---[ Root CA ]----------------------------------------------------------"
    78. 

  78. echo
    79. 

  79. 

  80. if [ $DEBUG = 1 ]
    81. 

  81. then
    82. 

  82.     set -x
    83. 

  83. fi
    84. 

  84. 

  85. # Set the passphrase and some other common config accordingly.
    86. 

  86. cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
    87. 

  87.  > my-openssl-root.cnf
    88. 

  88. 

  89. cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
    90. 

  90. sed "s,@OCSP_URI@,$OCSP_URI," |
    91. 

  91. sed "s,@LOGO_URI@,$LOGO_URI," |
    92. 

  92. sed "s,@LOGO_HASH1@,$LOGO_HASH1," |
    93. 

  93. sed "s,@LOGO_HASH256@,$LOGO_HASH256," |
    94. 

  94. sed "s/@DOMAIN@/$DOMAIN/" \
    95. 

  95.  > my-openssl.cnf
    96. 

  96. 

  97. 

  98. cat my-openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp
    99. 

  99. mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
    100. 

  100. touch rootCA/index.txt
    101. 

  101. if [ -e rootCA/private/cakey.pem ]; then
    102. 

  102.     echo " * Use existing Root CA"
    103. 

  103. else
    104. 

  104.     echo " * Generate Root CA private key"
    105. 

  105.     $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
    106. 

  106.     echo " * Sign Root CA certificate"
    107. 

  107.     $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
    108. 

  108.     $OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER"
    109. 

  109.     sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint"
    110. 

  110. fi
    111. 

  111. if [ ! -e rootCA/crlnumber ]; then
    112. 

  112.     echo 00 > rootCA/crlnumber
    113. 

  113. fi
    114. 

  114. 

  115. echo
    116. 

  116. echo "---[ Intermediate CA ]--------------------------------------------------"
    117. 

  117. echo
    118. 

  118. 

  119. cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
    120. 

  120. mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
    121. 

  121. touch demoCA/index.txt
    122. 

  122. if [ -e demoCA/private/cakey.pem ]; then
    123. 

  123.     echo " * Use existing Intermediate CA"
    124. 

  124. else
    125. 

  125.     echo " * Generate Intermediate CA private key"
    126. 

  126.     $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/careq.pem || fail "Failed to generate Intermediate CA private key"
    127. 

  127.     echo " * Sign Intermediate CA certificate"
    128. 

  128.     $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
    129. 

  129.     # horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin
    130. 

  130.     openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS
    131. 

  131.     $OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER."
    132. 

  132.     sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint"
    133. 

  133. fi
    134. 

  134. if [ ! -e demoCA/crlnumber ]; then
    135. 

  135.     echo 00 > demoCA/crlnumber
    136. 

  136. fi
    137. 

  137. 

  138. echo
    139. 

  139. echo "OCSP responder"
    140. 

  140. echo
    141. 

  141. 

  142. cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp
    143. 

  143. $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP
    144. 

  144. $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
    145. 

  145. 

  146. echo
    147. 

  147. echo "---[ Server - to be revoked ] ------------------------------------------"
    148. 

  148. echo
    149. 

  149. 

  150. cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp
    151. 

  151. $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key
    152. 

  152. $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server
    153. 

  153. $OPENSSL ca -revoke server-revoked.pem -key $PASS
    154. 

  154. 

  155. echo
    156. 

  156. echo "---[ Server - with client ext key use ] ---------------------------------"
    157. 

  157. echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
    158. 

  158. echo
    159. 

  159. 

  160. cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp
    161. 

  161. $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key"
    162. 

  162. $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem"
    163. 

  163. 

  164. echo
    165. 

  165. echo "---[ User ]-------------------------------------------------------------"
    166. 

  166. echo
    167. 

  167. 

  168. cat my-openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp
    169. 

  169. $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key"
    170. 

  170. $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create user.pem"
    171. 

  171. 

  172. echo
    173. 

  173. echo "---[ Server ]-----------------------------------------------------------"
    174. 

  174. echo
    175. 

  175. 

  176. ALT="DNS:$OSU_SERVER_HOSTNAME"
    177. 

  177. ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
    178. 

  178. ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
    179. 

  179. 

  180. cat my-openssl.cnf |
    181. 

  181. 	sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
    182. 

  182. 	sed "s/^##organizationalUnitName/organizationalUnitName/" |
    183. 

  183. 	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
    184. 

  184. 	sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
    185. 

  185. 	> openssl.cnf.tmp
    186. 

  186. echo $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server
    187. 

  187. $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server || fail "Failed to generate server request"
    188. 

  188. $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server.csr -out server.pem -key $PASS -days 730 -extensions ext_server -policy policy_osu_server || fail "Failed to sign server certificate"
    189. 

  189. 

  190. #dump logotype details for debugging
    191. 

  191. $OPENSSL x509 -in server.pem -out server.der -outform DER
    192. 

  192. openssl asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
    193. 

  193. openssl asn1parse -in logo.der -inform DER > logo.asn1
    194. 

  194. 

  195. 

  196. echo
    197. 

  197. echo "---[ CRL ]---------------------------------------------------------------"
    198. 

  198. echo
    199. 

  199. 

  200. $OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS
    201. 

  201. 

  202. echo
    203. 

  203. echo "---[ Verify ]------------------------------------------------------------"
    204. 

  204. echo
    205. 

  205. 

  206. $OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem
    207. 

  207. $OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem
    208. 

  208. 

  209. cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem
    210.