-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
On 06/12/2015 10:10, Mindy wrote:
We don't have a nice way to generate certificate signing requests
or self-signed certificates ourselves yet, right? I'm writing up a
thing on getting HTTPS up and running with mirage-seal and those
are places where I have to say "invoke openssl or your favorite
alternative, but we got nothin' for you".
If I'm incorrect, I'd appreciate a pointer on where to go looking.
:)
While there is not yet any command-line tool, there is support for
creating and signing certificate signing requests on a branch [0]:
````
let write filename data =
Lwt_unix.openfile filename [Unix.O_WRONLY ; Unix.O_CREAT] 0o400
= fun fd ->
Lwt_unix.write fd (Cstruct.to_string data) 0 (Cstruct.len data)
= fun l ->
assert (l = Cstruct.len data) ;
Lwt_unix.close fd
in
let create_key filename =
(* initialise our Rng *)
Nocrypto_entropy_lwt.initialize () >>= fun () ->
(* generate RSA private key *)
let key = `RSA (Nocrypto.Rsa.generate 2048) in
(* dump to disk *)
let pem = X509.Encoding.Pem.Private_key.to_pem_cstruct1 key in
write filename pem >|= fun () ->
key
in
let create_signing_request ?extensions filename name priv =
let extensions = match extensions with
| None -> []
| Some x -> [`Extensions x]
in
let csr = X509.CA.generate name ~extensions priv in
let pem =
X509.Encoding.Pem.Certificate_signing_request.to_pem_cstruct1 csr in
write filename pem >|= fun () ->
csr
in
let sign_request filename ?extensions req priv =
let cert = X509.CA.sign req ?extensions priv [ `CN "authority" ] in
let pem = X509.Encoding.Pem.Cert.to_pem_cstruct1 cert in
write filename pem >|= fun () ->
cert
in
create_key "server.key" >>= fun key ->
let name = [`CN "mirage.io"] in
let extensions =
[(false, `Key_usage [ `Digital_signature ; `Data_encipherment ]) ;
(true, `Basic_constraints (false, None)) ;
(false, `Subject_alt_name [ `DNS "mirage.io" ; `DNS
"www.mirage.io" ])]
in
create_signing_request "server.csr" ~extensions name key >>= fun csr ->
sign_request "server.pem" ~extensions csr key
````
This code snippet will generate a certificate request server.csr
(which can be submitted to a certificate authority) self-signed
certificate server.pem (valid for a single day, using SHA256 as digest
algorithm) and private key server.key.
There are certainly some rough edges... e.g. `sign` does not respect
the proposed extensions of the signing request (to run a CA, a policy
is needed here: who is allowed to add which extensions, and how to
overwrite them; otherwise clients can easily request certificates
which are valid as certificate authorities)...
Hannes
0: https://github.com/mirleft/ocaml-x509/tree/naming
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCQAGBQJVftPVAAoJELyJZYjffCjuWPsP/1DC3oSLGXZNXFKlceaSIApQ
6lit8TdL3YTBTMX2PB4acgo57PDCBQjV0Fo8CgKQ9/C7ORhMdt7iCAbmRDKNCBqu
tgIUOpkvOVzg+kRx0e8QA/IedHhkrdB7fjKhJJOaIzGr2dKGUaAwKB7XLdRx9VbM
2gfAyhwOIDcITRexOiK9UkMVhYSxuVe0M9mTGePdM0Aajhzkg0jVcn0L5belcOBv
0/DNLH1aZ2gvXGP63/TOWi71tIZqVVbCVdCVvfXO4r7SKZ7kasfMCT7YpF6TWBA3
O8SGoJM/FzSTRGhSSsEe80rzE4rdQQPogtvBIr+v40Hr8gddCZftqb2xEkCFFwUt
vH8BeBllUF1JeyvNAWb4S9AN8lO8y3u6p7i4qK5moNMeKdDJmosNtGqxHAhbePpJ
HBazMK6p1uqG753vLLFKBLNmrQwyRoGF+lK2DHGk4MTijxXPv96+T1xaaoEdSB8/
Tfb550efq8zdB0NGXvjA85S+OHSdNAIwHek7zK2MePTqTZkit+7wg9nLcOo+G0UH
pVhIi4wiaL/5+pvmy0LM1fmOOtlyp/AQlgXy9A3BQ9nRo+LuUc+GB2gGHdXGm9p4
O2B47I79tkVq20/M/tZyt2QZAPTB1uFIa3zJhKfUt4lSfeY9OScCBidtDDxwxgd9
0lNf3hZgo0vT9ZDL6R6r
=jihz
-----END PGP SIGNATURE-----
_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
