[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] csrs and self-signed certs for TLS



I've made a simple command-line tool that generates self-signed certs and private keys with nocrypto 0.4.0 and the current trunk of x509, which I'll be releasing shortly; I'll expand it to build CSRs with your branch as well.

Cheers,
Mindy

On 06/15/2015 02:32 PM, Hannes Mehnert wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

On 06/12/2015 10:10, Mindy wrote:
We don't have a nice way to generate certificate signing requests
or self-signed certificates ourselves yet, right?  I'm writing up a
thing on getting HTTPS up and running with mirage-seal and those
are places where I have to say "invoke openssl or your favorite
alternative, but we got nothin' for you".

If I'm incorrect, I'd appreciate a pointer on where to go looking.
:)
While there is not yet any command-line tool, there is support for
creating and signing certificate signing requests on a branch [0]:

````
   let write filename data =
     Lwt_unix.openfile filename [Unix.O_WRONLY ; Unix.O_CREAT] 0o400
= fun fd ->
     Lwt_unix.write fd (Cstruct.to_string data) 0 (Cstruct.len data)
= fun l ->
     assert (l = Cstruct.len data) ;
     Lwt_unix.close fd
   in

   let create_key filename =
     (* initialise our Rng *)
     Nocrypto_entropy_lwt.initialize () >>= fun () ->
     (* generate RSA private key *)
     let key = `RSA (Nocrypto.Rsa.generate 2048) in
     (* dump to disk *)
     let pem = X509.Encoding.Pem.Private_key.to_pem_cstruct1 key in
     write filename pem >|= fun () ->
     key
   in

   let create_signing_request ?extensions filename name priv =
     let extensions = match extensions with
       | None -> []
       | Some x -> [`Extensions x]
     in
     let csr = X509.CA.generate name ~extensions priv in
     let pem =
X509.Encoding.Pem.Certificate_signing_request.to_pem_cstruct1 csr in
     write filename pem >|= fun () ->
     csr
   in

   let sign_request filename ?extensions req priv =
     let cert = X509.CA.sign req ?extensions priv [ `CN "authority" ] in
     let pem = X509.Encoding.Pem.Cert.to_pem_cstruct1 cert in
     write filename pem >|= fun () ->
     cert
   in

   create_key "server.key" >>= fun key ->
   let name = [`CN "mirage.io"] in
   let extensions =
     [(false, `Key_usage [ `Digital_signature ; `Data_encipherment ]) ;
      (true, `Basic_constraints (false, None)) ;
      (false, `Subject_alt_name [ `DNS "mirage.io" ; `DNS
"www.mirage.io" ])]
   in
   create_signing_request "server.csr" ~extensions name key >>= fun csr ->
   sign_request "server.pem" ~extensions csr key
````

This code snippet will generate a certificate request server.csr
(which can be submitted to a certificate authority) self-signed
certificate server.pem (valid for a single day, using SHA256 as digest
algorithm) and private key server.key.

There are certainly some rough edges... e.g. `sign` does not respect
the proposed extensions of the signing request (to run a CA, a policy
is needed here: who is allowed to add which extensions, and how to
overwrite them; otherwise clients can easily request certificates
which are valid as certificate authorities)...


Hannes


0: https://github.com/mirleft/ocaml-x509/tree/naming

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCQAGBQJVftPVAAoJELyJZYjffCjuWPsP/1DC3oSLGXZNXFKlceaSIApQ
6lit8TdL3YTBTMX2PB4acgo57PDCBQjV0Fo8CgKQ9/C7ORhMdt7iCAbmRDKNCBqu
tgIUOpkvOVzg+kRx0e8QA/IedHhkrdB7fjKhJJOaIzGr2dKGUaAwKB7XLdRx9VbM
2gfAyhwOIDcITRexOiK9UkMVhYSxuVe0M9mTGePdM0Aajhzkg0jVcn0L5belcOBv
0/DNLH1aZ2gvXGP63/TOWi71tIZqVVbCVdCVvfXO4r7SKZ7kasfMCT7YpF6TWBA3
O8SGoJM/FzSTRGhSSsEe80rzE4rdQQPogtvBIr+v40Hr8gddCZftqb2xEkCFFwUt
vH8BeBllUF1JeyvNAWb4S9AN8lO8y3u6p7i4qK5moNMeKdDJmosNtGqxHAhbePpJ
HBazMK6p1uqG753vLLFKBLNmrQwyRoGF+lK2DHGk4MTijxXPv96+T1xaaoEdSB8/
Tfb550efq8zdB0NGXvjA85S+OHSdNAIwHek7zK2MePTqTZkit+7wg9nLcOo+G0UH
pVhIi4wiaL/5+pvmy0LM1fmOOtlyp/AQlgXy9A3BQ9nRo+LuUc+GB2gGHdXGm9p4
O2B47I79tkVq20/M/tZyt2QZAPTB1uFIa3zJhKfUt4lSfeY9OScCBidtDDxwxgd9
0lNf3hZgo0vT9ZDL6R6r
=jihz
-----END PGP SIGNATURE-----

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel


_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.