
Introduce new global options: --ku-critical and --bc-critical #1063

Closed
wants to merge 1 commit into from

Conversation


@TinCanTech TinCanTech commented Jan 14, 2024

These options allow X509 'critical' attributes to be used.

--ku-critical (--ku-crit):
Configure 'keyUsage' to set 'critical' attribute.

--bc-critical (--bc-crit):
Configure 'basicConstraints' to set 'critical' attribute.

Use of these options is left to the discretion of the user task.

Supported certificate types do not include 'email', 'codeSigning' or 'kdc'.


TinCanTech commented Jan 14, 2024

No unit-test.

Early manual test, failed for CA:

tct@home:/dev/shm/easyrsa-ut$ easyrsa init-pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* /dev/shm/easyrsa-ut/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /dev/shm/easyrsa-ut/pki


Using Easy-RSA configuration:
* undefined
tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-ca
...+++++
....................................+++++
Can't load /dev/shm/easyrsa-ut/pki/.rnd into RNG
140700229961024:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/dev/shm/easyrsa-ut/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

Notice
------
CA creation complete. Your new CA certificate is at:
* /dev/shm/easyrsa-ut/pki/ca.crt

tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-server-full s1
Generating a RSA private key
........+++++
.............+++++
writing new private key to '/dev/shm/easyrsa-ut/pki/58acae36/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa-ut/pki/reqs/s1.req
* key: /dev/shm/easyrsa-ut/pki/private/s1.key 


You are about to sign the following certificate:
Request subject, to be signed as a server certificate 
for '825' days:

subject=
    commonName                = s1

X509v3 Subject Alternative Name:
    DNS:s1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /usr/share/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'s1'
Certificate is to be certified until Apr 18 00:59:07 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt


Notice
------
Inline file created:
* /dev/shm/easyrsa-ut/pki/inline/s1.inline

tct@home:/dev/shm/easyrsa-ut$ easyrsa show-ca

Notice
------
Showing details for CA certificate, at:
* /dev/shm/easyrsa-ut/pki/ca.crt


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:35:23:5d:90:db:f8:96:dd:fc:6c:6f:60:0c:2c:a0:22:67:65:64
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan 14 00:58:53 2024 GMT
            Not After : Jan 11 00:58:53 2034 GMT
        Subject:
            commonName                = Easy-RSA CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
            X509v3 Authority Key Identifier: 
                keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
                DirName:/CN=Easy-RSA CA
                serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
tct@home:/dev/shm/easyrsa-ut$ easyrsa show-cert s1

Notice
------
Showing 'cert' details for: 's1'

This file is stored at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1255548484 (0x4ad62644)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan 14 00:59:07 2024 GMT
            Not After : Apr 18 00:59:07 2026 GMT
        Subject:
            commonName                = s1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D3:CF:2C:64:CC:30:2E:5D:61:74:52:FB:02:04:6B:5A:7B:02:6E:CF
            X509v3 Authority Key Identifier: 
                keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
                DirName:/CN=Easy-RSA CA
                serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:s1

These options allow X509 'critical' attributes to be used.

--ku-critical (--ku-crit):
Configure 'keyUsage' to set 'critical' attribute.

--bc-critical (--bc-crit):
Configure 'basicConstraints' to set 'critical' attribute.

Use of these options is left to the discretion of the user task.

Supported certificate types do not include 'email', 'codeSigning' or 'kdc'.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech force-pushed the x509-attr-critical branch from f86fa88 to 56c5e2e on June 25, 2024 18:55
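The two options described in the PR text and the manual test above both come down to one detail of the OpenSSL extension configuration: a `critical,` prefix on the `basicConstraints` and `keyUsage` values. The script below is an added example, not code from this PR or from the Easy-RSA project. It reproduces that with plain OpenSSL outside Easy-RSA, building a CA and a server certificate once without and once with the prefix, and then checks the `openssl x509 -text` output for the flag, which is the same check that shows the CA case failing in the transcript above. The file names, subjects, key sizes, the extension-file layout (modelled on what the transcript shows for the `ca` and `server` types) and the embedded sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Easy-RSA project or from this PR.
# Issues a CA and a server certificate with plain OpenSSL from extension
# files shaped like Easy-RSA's x509-types (ca, server), with or without the
# 'critical,' prefix that --bc-crit/--ku-crit are meant to add, then reports
# whether 'openssl x509 -text' shows the critical flag on each extension.
# File names, subjects, key sizes and the sample text below are assumptions.
set -eu

# Read 'openssl x509 -text' output on stdin and print 'critical' when the
# X509v3 extension named in $1 (as OpenSSL prints it, e.g. 'Key Usage')
# carries the critical flag, 'non-critical' otherwise.
ext_flag() {
    if grep -qE "^[[:space:]]*X509v3 $1: critical" ; then
        printf 'critical\n'
    else
        printf 'non-critical\n'
    fi
}

# Same check against a PEM certificate file: ext_flag_of CERT 'Basic Constraints'
ext_flag_of() {
    openssl x509 -in "$1" -noout -text | ext_flag "$2"
}

# Write ca_ext.cnf and server_ext.cnf into directory $1.  $2 is either
# 'critical,' or empty; $3 is the server's SAN host name.
write_ext_files() {
    pdir=$1; pcrit=$2
    cat > "$pdir/ca_ext.cnf" <<EOF
basicConstraints = ${pcrit}CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = ${pcrit}cRLSign, keyCertSign
EOF
    cat > "$pdir/server_ext.cnf" <<EOF
basicConstraints = ${pcrit}CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = serverAuth
keyUsage = ${pcrit}digitalSignature, keyEncipherment
subjectAltName = DNS:$3
EOF
}

# Build a throwaway PKI in directory $1 (CA plus server cert 's1') with the
# critical prefix given in $2.  Extensions come only from the ext files, so
# the CA gets exactly what ca_ext.cnf says, which is the case that failed in
# the manual test in this PR.
build_pki() {
    pdir=$1; pcrit=$2
    write_ext_files "$pdir" "$pcrit" s1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example CA' \
        -keyout "$pdir/ca.key" -out "$pdir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$pdir/ca.csr" -signkey "$pdir/ca.key" -days 3650 \
        -extfile "$pdir/ca_ext.cnf" -out "$pdir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=s1' \
        -keyout "$pdir/s1.key" -out "$pdir/s1.csr" 2>/dev/null
    openssl x509 -req -in "$pdir/s1.csr" -CA "$pdir/ca.crt" -CAkey "$pdir/ca.key" \
        -CAcreateserial -days 825 -extfile "$pdir/server_ext.cnf" \
        -out "$pdir/s1.crt" 2>/dev/null
}

# Constructed sample in the shape of the show-cert output in this PR, so the
# checker can be exercised even where openssl is not installed.
sample='            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
for ext in 'Basic Constraints' 'Key Usage' 'Extended Key Usage'; do
    printf 'sample   %-7s %-19s %s\n' '' "$ext:" "$(printf '%s\n' "$sample" | ext_flag "$ext")"
done

# Real build of both variants when openssl is on PATH: the 'plain' run should
# report non-critical everywhere, the 'critical,' run critical on both certs.
if command -v openssl >/dev/null 2>&1; then
    for crit in '' 'critical,'; do
        tmp=$(mktemp -d)
        build_pki "$tmp" "$crit"
        for f in ca s1; do
            for ext in 'Basic Constraints' 'Key Usage'; do
                printf '%-9s %-7s %-19s %s\n' "${crit:-plain}" "$f.crt" "$ext:" \
                    "$(ext_flag_of "$tmp/$f.crt" "$ext")"
            done
        done
        rm -rf "$tmp"
    done
fi
```

The check keys on the extension header line that `openssl x509 -text` prints (`X509v3 Key Usage: critical`), which is exactly the line that differs between the CA and server certificates in the transcript above. As a caveat for the "user discretion" point in the PR text: RFC 5280 requires basicConstraints to be marked critical in CA certificates and recommends (SHOULD) marking keyUsage critical whenever it is present, so a CA built with the default, non-critical form is the less conformant of the two, not merely a matter of taste.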

Superseded-by: #1176

@TinCanTech TinCanTech closed this Jun 25, 2024