Index of /yacht

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[TXT]README.html2019-09-18 10:37 7.0K 
[DIR]root/2019-09-18 09:42 -  
[DIR]smime/2019-09-18 17:30 -  
[DIR]www/2019-09-18 09:40 -  

Yet Another CA How To with Smartcard HSM
iy3xk ftc9ky
#
# YACHT (Yet Another CA How To) Using Smartcard HSM for Root
#      Placed in public domain. slamb at xtcn.com RLamb 2019
#      The work is free for all purposes without any express
#      guarantee it works. i.e.,
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#

YACHT TL;DR

Get: openssl, opensc, smartcard hsm, reader
untar stuff somewhere
*ROOT
cd root
./hcarderase  (sopin)
./hmakeshares (sopin,pass1,pass1,pass2,pass2)
./himportshare dkek-share-1.pbe (pass1)
./himportshare dkek-share-2.pbe (pass2)
./hkeygen   (03,sopin)
./hcardshow
./hwrapkey (03,sopin)
to create copy of smartcard:
./hcarderase  (sopin)
./himportshare dkek-share-1.pbe (pass1)
./himportshare dkek-share-2.pbe (pass2)
./hunwrapkey (03.wrap,sopin)

./mkca (03,sopin)
ca.crt,ca.cer -> www.example.com/ca/

./mkwww (03,sopin)
index.txt -> www.example.com/ca/ocsp/

./mksmime (03,sopin)
index.txt -> www.example.com/ca/ocsp/

./mkocsp
ocsp.[crt,key] -> www.example.com:ocsp.pem
ca.crt -> www.example.com/ca/cafile.pem
index.txt index.txt.attr -> www.example.com/ca/ocsp/
index.cgi -> www.example.com/ca/ocsp/

./gencrl (03,sopin) (run >= twice a year)
ca.crl -> www.example.com/ca/

./revoke 01  (03,sopin)
index.txt -> www.example.com/ca/ocsp/
./gencrl
ca.crl -> www.example.com/ca/

[Lock up smartcard HSM]


*Intermediate WWW
cd ../www
openssl x509 -in ca.crt -outform der -out ca.cer
ca.crt,ca.cer -> www.example.com/ca/www/

./mkcsr www.example.com
./signcsr
index.txt -> www.example.com/ca/www/ocsp/
new.[crt,key,chain] -> www.example.com:server.[crt,key,chain]

./mkocsp
ocsp.crt+ocsp.key -> www.example.com:ocsp_www.pem
../root/ca.crt+ca.crt -> www.example.com/ca/www/cafile.pem
index.txt index.txt.attr -> www.example.com/ca/www/ocsp/
index.cgi -> www.example.com/ca/www/ocsp/

./revoke 01
index.txt -> www.example.com/ca/www/ocsp/


*Intermiediate SMIME
cd ../smime
openssl x509 -in ca.crt -outform der -out ca.cer
ca.crt,ca.cer -> www.example.com/ca/smime/

./mkcsr foo@example.com
./signcsr
index.txt -> www.example.com/ca/smime/ocsp/
new.p12 -> foo@example.com

./mkocsp
ocsp.crt+ocsp.key -> www.example.com:ocsp_sime.pem
../root/ca.crt+ca.crt -> www.example.com/ca/smime/cafile.pem
index.txt index.txt.attr -> www.example.com/ca/smime/ocsp/
index.cgi -> www.example.com/ca/smime/ocsp/

./gencrl (run >= twice a week)
ca.crl -> www.example.com/ca/smime/

./revoke 01
index.txt -> www.example.com/ca/smime/ocsp/
./gencrl
ca.crl -> www.example.com/ca/smime/

*OCSP setup
In www.example.com/ca/ocsp/ www.example.com/ca/www/ocsp/ www.example.com/ca/smime/ocsp/
put the following index.cgi file to kickoff openssl ocsp. This is built on the sample
from mod_gnutls. https://mod.gnutls.org/browser/mod_gnutls/test/data/ocsp.cgi

#!/bin/bash
#
# Pick one below depending on root, www, or smime ocsp responder 
based="../../../.." # for www, smime
# based="../../.."   # for ROOT
rsigner="$based/ocsp_www.pem"
# rsigner="$based/ocsp.pem"
if [ -z "${OPENSSL}" ]; then
  OPENSSL=$(which openssl)
fi
case "${REQUEST_METHOD}" in
  ("GET")
    echo "Status: 405 Method Not Allowed"
    echo -e "Content-Type: text/plain\n"
    echo "OCSP GET request not implemented."
    ;;
  ("POST")
    if [ "${CONTENT_TYPE}" == "application/ocsp-request" ] &&
       [ ! -z "${CONTENT_LENGTH}" ]; then        
        fname=`$based/post2file`  # post2file reads CONTENT_LENGTH bytes into a new file and returns its full path if successful. a few lines of C
        echo "========== WWW ${CONTENT_LENGTH} |$fname|" >> /tmp/myocsp.log
        ${OPENSSL} ocsp -index index.txt -CA ../ca.crt -rsigner $rsigner -CAfile ../cafile.pem -nmin 3 -reqin $fname -respout $fname-resp >> /tmp/myocsp.log 2>&1
        echo "Status: 200 OK"
        echo -e "Content-Type: application/ocsp-response\n"
        cat $fname-resp
        rm -f $fname-resp $fname
      else
        echo "Status: 415 Unsupported Media Type"
        echo -e "Content-Type: text/plain\n"
        echo "POST request must contain application/ocsp-request data."
      fi
      ;;
  (*)
    echo "Status: 405 Method Not Allowed"
    echo -e "Content-Type: text/plain\n"
    ;;
esac
    

#
# YACHT little longer version
#
Why?
For 20+ years every time I need some certs for testing I go through the exercise of having 
to re-learn all openssl/smartcard nuances to create a CA and satisfy S/MIME products and 
browsers. Bit or crypto rot have claimed some of my early efforts. So I thought I would try 
to do it right once and not waste another 20 years... I know there are many CA HowTo sites 
and many much more comprehensive that this one, but if this helps someone else, great. 
I tried to use the experience I got from other CAs in architechting the DNSSEC root.  
But I do not claim any of what I offer here is special. It is only the work of 2 days 
and is a work AS IS. 

smartcards: https://www.smartcard-hsm.com/features.html (EAL 5+ so maybe * 
  or HSM that lets you wrap/unwrap)
reader: scr331 us govt surplus. most readers work like dell built in ones
tamper evident bags (TEB): diebold (blue ones) or ampac (orange gcs0912)
hardware: something that can boot of a DVD offline (for root part only) 
software: ubuntu on a DVD is better than USB or CD against bit rot.

TBD
cps: will crib a doc together
key ceremony: Ill modify my http://www.co.tt/vnnic/sgn-dnssec-KC-demo-main.pdf

Trust
Long topic but minimally:
Separate roles for smartcard physical access (safe combo) and sopin, 
  e.g., sys admin (SA) and security officer (SO).
HSM cloning share(.pbe files) kept with smartcard in safe. SO holds pass1 and pass2.
SO only works with SA present. Both SA and SO sign off on any audit evidence. Ideally 
  the relationship between SA (safe combo holder) and SO (pin holder) may be adveserial. 
root/ directory with .wrap, .pbe and other files is kept offline on R/W media 
  (e.g., flash drive and backups of same - see key ceremony document) with smartcard 
  in TEB+safe - separate from www/ smime/ directories (a copy of their respective 
  intermiediate certificates and keys would also be kept with these).

*  "The CA SHALL protect its Private Key in a system or device that has been validated 
as meeting at least FIPS 140 level 3 or an appropriate Common Criteria Protection Profile 
or Security Target, EAL 4 (or higher), which includes requirements to protect the 
Private Key and other assets against known threats."

From 6.2.7 of  https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf