Re: [MirageOS-devel] csrs and self-signed certs for TLS
On 15 June 2015 at 14:32, Hannes Mehnert <hannes@xxxxxxxxxxx> wrote:
> On 06/12/2015 10:10, Mindy wrote:
>> We don't have a nice way to generate certificate signing requests
>> or self-signed certificates ourselves yet, right? I'm writing up a
>> thing on getting HTTPS up and running with mirage-seal and those
>> are places where I have to say "invoke openssl or your favorite
>> alternative, but we got nothin' for you".
>>
>> If I'm incorrect, I'd appreciate a pointer on where to go looking.
>> :)
>
> While there is not yet any command-line tool, there is support for
> creating and signing certificate signing requests on a branch [0]:

Great :-)

> ````
> let write filename data =
>   Lwt_unix.openfile filename [Unix.O_WRONLY ; Unix.O_CREAT] 0o400 >>= fun fd ->
>   Lwt_unix.write fd (Cstruct.to_string data) 0 (Cstruct.len data) >>= fun l ->
>   assert (l = Cstruct.len data) ;
>   Lwt_unix.close fd
> in
>
> let create_key filename =
>   (* initialise our Rng *)
>   Nocrypto_entropy_lwt.initialize () >>= fun () ->
>   (* generate RSA private key *)
>   let key = `RSA (Nocrypto.Rsa.generate 2048) in

One suggestion: this code is going to get copied and pasted into a lot of
projects, but good defaults (algorithm, key size, etc) get out of date over
time. It would be really nice to have a `generate_key` library function that
provides sensible defaults, so we only have to update it in one place.

>   (* dump to disk *)
>   let pem = X509.Encoding.Pem.Private_key.to_pem_cstruct1 key in
>   write filename pem >|= fun () ->
>   key
> in
>
> let create_signing_request ?extensions filename name priv =
>   let extensions = match extensions with
>     | None -> []
>     | Some x -> [`Extensions x]
>   in
>   let csr = X509.CA.generate name ~extensions priv in
>   let pem =
>     X509.Encoding.Pem.Certificate_signing_request.to_pem_cstruct1 csr in
>   write filename pem >|= fun () ->
>   csr
> in
>
> let sign_request filename ?extensions req priv =
>   let cert = X509.CA.sign req ?extensions priv [ `CN "authority" ] in
>   let pem = X509.Encoding.Pem.Cert.to_pem_cstruct1 cert in
>   write filename pem >|= fun () ->
>   cert
> in
>
> create_key "server.key" >>= fun key ->
> let name = [`CN "mirage.io"] in
> let extensions =
>   [(false, `Key_usage [ `Digital_signature ; `Data_encipherment ]) ;
>    (true, `Basic_constraints (false, None)) ;
>    (false, `Subject_alt_name [ `DNS "mirage.io" ; `DNS "www.mirage.io" ])]
> in
> create_signing_request "server.csr" ~extensions name key >>= fun csr ->
> sign_request "server.pem" ~extensions csr key
> ````
>
> This code snippet will generate a certificate request server.csr
> (which can be submitted to a certificate authority), a self-signed
> certificate server.pem (valid for a single day, using SHA256 as digest
> algorithm) and a private key server.key.
>
> There are certainly some rough edges... e.g. `sign` does not respect
> the proposed extensions of the signing request (to run a CA, a policy
> is needed here: who is allowed to add which extensions, and how to
> overwrite them; otherwise clients can easily request certificates
> which are valid as certificate authorities)...
>
>
> Hannes
>
>
> [0]: https://github.com/mirleft/ocaml-x509/tree/naming

-- 
Dr Thomas Leonard
http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
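The two points raised in the thread above, a single library function that owns the key-generation defaults, and a CA signing step that applies its own extension policy instead of copying whatever the CSR proposes, as an added example that is not part of the original message and is not ocaml-x509 code. It is written in Python against the `cryptography` package, which is assumed to be installed; `generate_key`, `make_csr`, `check_csr`, `sign_request`, `PolicyError`, the two policy sets and the reuse of the `mirage.io` and `authority` names from the thread are all illustrative choices.

```python
"""Added illustration (not ocaml-x509 code): key defaults in one place and a
CA signing policy that does not trust the extensions a CSR proposes.
Assumes the `cryptography` package is installed; all names are illustrative."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def generate_key():
    """The one place where algorithm and size live; callers never spell
    out "RSA 2048" themselves, so updating the default is a single edit."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_csr(key, common_name, dns_names, request_ca=False):
    """Build a CSR. request_ca=True models a client that proposes CA:TRUE
    in its own CSR, hoping the CA copies the extension unchecked."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
    builder = builder.add_extension(
        x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
        critical=False)
    builder = builder.add_extension(
        x509.BasicConstraints(ca=request_ca, path_length=None), critical=True)
    return builder.sign(key, hashes.SHA256())


class PolicyError(Exception):
    """Raised when a CSR asks for something the CA policy does not allow."""


# The CA's policy (the piece the thread says `sign` still lacks): which
# proposed extensions are copied, which the CA always sets itself, and
# everything else is refused.
COPIED_FROM_CSR = {ExtensionOID.SUBJECT_ALTERNATIVE_NAME}
SET_BY_CA = {ExtensionOID.BASIC_CONSTRAINTS, ExtensionOID.KEY_USAGE}


def check_csr(csr):
    """Verify the CSR's self-signature and vet every proposed extension."""
    if not csr.is_signature_valid:
        raise PolicyError("CSR signature does not verify")
    for ext in csr.extensions:
        if ext.oid == ExtensionOID.BASIC_CONSTRAINTS and ext.value.ca:
            raise PolicyError("CSR asks for CA:TRUE; refused")
        if ext.oid not in COPIED_FROM_CSR | SET_BY_CA:
            raise PolicyError("extension %s not permitted" % ext.oid.dotted_string)


def sign_request(csr, ca_key, ca_name, days=1):
    """Issue an end-entity certificate (one day, SHA-256, as in the thread's
    snippet). Extensions come from the policy above, not from the CSR."""
    check_csr(csr)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject)
               .issuer_name(ca_name)
               .public_key(csr.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                              critical=True)
               .add_extension(x509.KeyUsage(
                   digital_signature=True, key_encipherment=True,
                   content_commitment=False, data_encipherment=False,
                   key_agreement=False, key_cert_sign=False, crl_sign=False,
                   encipher_only=False, decipher_only=False), critical=True))
    for ext in csr.extensions:
        if ext.oid in COPIED_FROM_CSR:
            builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())


def demo():
    """An honest CSR is issued as a leaf; a CSR proposing CA:TRUE is refused."""
    ca_key = generate_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "authority")])
    server_key = generate_key()
    honest = make_csr(server_key, "mirage.io", ["mirage.io", "www.mirage.io"])
    cert = sign_request(honest, ca_key, ca_name)
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    sneaky = make_csr(server_key, "mirage.io", ["mirage.io"], request_ca=True)
    try:
        sign_request(sneaky, ca_key, ca_name)
        refused = False
    except PolicyError:
        refused = True
    return {
        "leaf_is_ca": bc.ca,
        "leaf_sans": san.get_values_for_type(x509.DNSName),
        "key_bits": server_key.key_size,
        "ca_request_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The policy is deliberately an allow-list: a CSR may propose subject alternative names and nothing else gets copied, basic constraints and key usage are always the CA's own, and any other proposed extension is a refusal rather than a silent drop, so a requester cannot turn a server certificate into an intermediate CA by editing its request.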