2cca's Introduction

2cca

2-cent Certification Authority

This Python script is meant to replace the easy-rsa scripts found in default installations for OpenVPN. For some reason, it was easier for me to write this tool than to try and understand easy-rsa. Shortest path wins.

Since OpenSSL decided to wreak havoc by mutating their API starting with version 1.1, I decided to stop supporting the C version (May 2017) and will continue supporting the Python version instead.

To avoid any dependency on wrapper libraries, this script uses the openssl command directly, producing temporary configuration files and showing what commands are being executed.

Both versions are MIT-licensed.

Usage:

2cca root
    Create a root CA
    You need to give it a name with CN=NAME
    You may also want to specify:
    - An organization:  O=Bozzos
    - An organization unit: OU=Clowns
    - Some geographical data:
      Country: C=UK
      Locality: L=Cambridge
      State or Province: ST=Cambridgeshire
    - A duration in days -- start validity date is now.
      days=365
    - A key size for an RSA key:
      rsa=4096
    - The name of an elliptic curve instead of RSA:
      ecc=prime256v1

    Example:
    2cca root CN=RootCA O=Bozzos OU=Clowns C=UK L=Cambridge days=365 rsa=4096

2cca sub
    Create a Subordinate CA (optional)
    Same options as above. In addition, you also need to specify which CA
    will sign this new certificate with CA=NAME, like:

    2cca sub CA=RootCA CN=MySubCA O=Bozzos days=364 rsa=4096

2cca server
    Create a server certificate, useful for an OpenVPN server.
    Same options as above. Do not forget to specify the signing CA.

2cca client
    Create a client certificate, useful for an OpenVPN client.
    Same options as above. Do not forget to specify the signing CA.

2cca web
    Create a web server certificate. For this kind of certificate you also
    want to provide Subject Alternative Names using alt=NAME, possibly
    multiple times, like:

    2cca www CA=RootCA CN=www.example.com alt=www.example.com alt=example.com

2cca signcsr
    Sign a Certificate Signing Request, and create a server certificate.
    Specify the CSR file with CSR=myrequest.csr, provide the CN, and do not
    forget to specify the signing CA.

    2cca signcsr CA=RootCA CN=www.example.com CSR=www_example_com.csr

If you want to have spaces inside values, use double quotes around options:
    2cca root "CN=My Root CA" "O=Bozzos Inc."

2cca generates one identity per request. An identity is made of:

  • A certificate (.crt)
  • A private key (.key)

The file names are whatever you used for CN (Common Name). In the above example you will obtain Root.crt and Root.key in the current directory.

NB: All option names are case-insensitive, i.e. CA=RootCA is the same as ca=RootCA.

Examples

Create a root named RootCA, organisation is ACME, located in Cambridge UK, use a 2048-bit RSA key (default):

    2cca root O=ACME C=UK L=Cambridge CN=RootCA
    -> Generates RootCA.crt and RootCA.key in the current dir

Create a server located in Paris FR, use a 2048-bit RSA key, sign it with the root CA you just created:

    2cca server ca=RootCA C=FR L=Paris CN=openvpn-server
    -> Generates openvpn-server.crt and openvpn-server.key

Create a client named Marco located in Torino IT:

    2cca client ca=RootCA C=IT L=Torino CN=Marco
    -> Generates Marco.crt and Marco.key

Create a PKCS#12 (PFX) file:

    $ read -s CA_P12_PASSWORD  # 1
    $ export CA_P12_PASSWORD  # 2
    $ 2cca p12 cn=example.org

Lines 1 and 2 above are optional; just make sure that the CA_P12_PASSWORD environment variable is set to a password before invoking 2cca.

Security (and lack thereof)

This is not meant to be a PKI; it is meant as a replacement for distributing keys to clients who want to connect to an OpenVPN server and for maintaining those keys easily. The keys are stored unprotected on the local file system.

openssl commands are executed using 'system', so do not pass any untrusted user input when calling this script. It is meant to be executed by a single person on a preferably air-gapped machine when generating keys for groups of people who need VPN access.
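The two points above, the KEY=VALUE option syntax from the Usage section and the warning about untrusted input reaching 'system', in one added example. This is not 2cca's own code: the allowlist, the option names it understands and the openssl argument list are assumptions of the example, SAN config generation for alt= is omitted, and the point is that an argument list handed to subprocess.run without a shell keeps each value as exactly one argv entry, which a string given to system() does not.

```python
import re
import subprocess

# Allowlist for subject/SAN values (an assumption of this example, not a
# 2cca rule): admits "Bozzos Inc." and "www.example.com", rejects / ; $ ` quotes.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._-]+")

def is_safe_value(item):
    return SAFE_VALUE.fullmatch(item) is not None

def parse_options(argv):
    """Parse 2cca-style KEY=VALUE arguments: keys are case-insensitive
    (CA=RootCA equals ca=RootCA) and alt= may repeat, so it collects a list."""
    opts = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected KEY=VALUE, got {arg!r}")
        key = key.lower()
        if key == "alt":
            opts.setdefault("alt", []).append(value)
        else:
            opts[key] = value
    return opts

def validate_options(opts):
    """Raise on any value that fails the allowlist; return opts unchanged."""
    for key, value in opts.items():
        for item in (value if isinstance(value, list) else [value]):
            if not is_safe_value(item):
                raise ValueError(f"unsafe value for {key}: {item!r}")
    return opts

def subject(opts):
    """Build the '/'-separated -subj string OpenSSL expects."""
    order = ("c", "st", "l", "o", "ou", "cn")
    return "/" + "/".join(f"{k.upper()}={opts[k]}" for k in order if k in opts)

def req_command(opts):
    """Argument list for a self-signed RSA cert (2048 bits, 365 days unless
    rsa= / days= say otherwise). As a list, each value is one argv entry and
    no shell ever sees it, unlike a string handed to system()."""
    cn = opts["cn"]
    return ["openssl", "req", "-x509", "-newkey", f"rsa:{opts.get('rsa', '2048')}",
            "-nodes", "-days", opts.get("days", "365"), "-subj", subject(opts),
            "-keyout", f"{cn}.key", "-out", f"{cn}.crt"]

def run_root(argv):
    # Validate first, then execute with subprocess.run (no shell=True).
    subprocess.run(req_command(validate_options(parse_options(argv))), check=True)
```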

TODO

  • email is not handled yet
  • Need to add CRL display and revocation
  • Need to add fancy display of all existing certs and their status

-- nicolas314 - 2017-May


2cca's Issues

Published on npmjs.com

Just wanted to let you know that I forked your project, added package.json with the compile script and published it at https://www.npmjs.com/package/2cca because I used it as a dev dependency in some projects.

I haven't made any changes (other than package.json) and so far I've merged all your changes. If you want to maintain it yourself, let me know.

Build failed on Debian

I am trying to build 2cca on Debian (jessie and stretch, same problem).

I installed these:

apt -y install build-essential libssl-dev

GCC version:

gcc --version
gcc (Debian 6.3.0-14) 6.3.0 20170415

libssl-dev version:

Version: 1.1.0e-1

When I compile I get:

# gcc -o 2cca 2cca.c -lcrypto
2cca.c: In function ‘build_identity’:
2cca.c:239:9: warning: ‘RSA_generate_key’ is deprecated [-Wdeprecated-declarations]
         rsa = RSA_generate_key(certinfo.rsa_keysz, RSA_F4, progress, 0);
         ^~~
In file included from /usr/include/openssl/rsa.h:13:0,
                 from /usr/include/openssl/x509.h:31,
                 from /usr/include/openssl/pem.h:17,
                 from 2cca.c:19:
/usr/include/openssl/rsa.h:193:1: note: declared here
 DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
 ^
2cca.c: In function ‘show_crl’:
2cca.c:398:34: error: dereferencing pointer to incomplete type ‘X509_REVOKED {aka struct x509_revoked_st}’
         i2a_ASN1_INTEGER(out, rev->serialNumber);
                                  ^~

Any idea?

Are generated serial numbers unique?

As far as I know, os.urandom is the best random generator, but it does not guarantee that the generated numbers are totally unique.

uuid.uuid, on the other hand, guarantees unique numbers, but is less random and therefore less secure.

So is it possible to get serial number collisions with a very big number of generated certs?
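An added illustration of the question above, not code from 2cca or from the issue's author: it draws a serial from os.urandom the way a CA typically does and puts a number on the collision risk with the birthday bound, in both directions (probability for a given count, and count for a given probability). The 16-byte width is an assumption taken from the C version's set_serial128 in the build log further down; the Python version's width is not stated on this page.

```python
import math
import os

# Serial width is an assumption: 16 bytes (128 bits), as the C version's
# set_serial128 suggests; the Python version's width is not stated here.
SERIAL_BYTES = 16

def random_serial(nbytes=SERIAL_BYTES, rng=os.urandom):
    """Positive integer serial built from nbytes of CSPRNG output.
    Clearing the top bit keeps the DER INTEGER positive without a leading
    zero octet, so 16 bytes stay within RFC 5280's 20-octet limit; the
    all-zero draw (probability 2**-127) is mapped to 1 since 0 is not allowed."""
    raw = bytearray(rng(nbytes))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big") or 1

def collision_probability(n, bits=SERIAL_BYTES * 8 - 1):
    """Birthday bound: probability that at least two of n serials drawn
    uniformly from 2**bits values coincide, 1 - exp(-n(n-1) / 2**(bits+1)).
    A random draw cannot guarantee uniqueness; it makes a repeat this unlikely."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))

def certs_until_probability(p, bits=SERIAL_BYTES * 8 - 1):
    """Approximate number of certificates issued before the collision
    probability reaches p (inverse of the bound above)."""
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))
```

With 127 usable bits, a billion certificates put the collision probability around 1e-21, and it takes on the order of 1.5e19 certificates to reach 50%.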

Build failure against openssl 1.1.1g

I'm able to build against the (now unsupported) OpenSSL 1.0.2, or LibreSSL 3.1.3, but not OpenSSL 1.1.1g.

Using the following Nix derivation (to reproducibly specify the build environment when combined with a pinned version of nixpkgs; using a snapshot of nixos-20.09 for the below):

{ nixpkgs ? import <nixpkgs> {}, stdenv ? nixpkgs.stdenv, openssl ? nixpkgs.openssl, fetchFromGitHub ? nixpkgs.fetchFromGitHub }:

stdenv.mkDerivation rec {
  pname = "2cca";
  version = "20201005";

  src = fetchFromGitHub {
    owner = "nicolas314";
    repo = pname;
    rev = "d27fc5d2a7d99d687c3eff895a5a3cd5bc260b64";
    sha256 = "1iwi3wq5p0jjnrmrbhxbamh96an4j2c609y2pjs3nsz9ak0bzpi9";
  };

  nativeBuildInputs = [ openssl ];

  installPhase = ''
    mkdir -p $out/bin
    cp -- 2cca{,.py} $out/bin/
  '';
}

...I receive the error:

building '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv'...
unpacking sources
unpacking source archive /nix/store/n73cp8mhc12c7axvlsi8qgl97dyl1gig-source
source root is source
patching sources
configuring
no configure script, doing nothing
building
build flags: SHELL=/nix/store/2jysm3dfsgby5sw5jgj43qjrb5v79ms9-bash-4.4-p23/bin/bash
gcc -g -Wall -o 2cca 2cca.c -lcrypto
2cca.c: In function 'build_identity':
2cca.c:239:9: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
  239 |         rsa = RSA_generate_key(certinfo.rsa_keysz, RSA_F4, progress, 0);
      |         ^~~
In file included from /nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/e_os2.h:13,
                 from /nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/asn1.h:14,
                 from 2cca.c:15:
/nix/store/lwcrmj44j6s5ww3j0ybar2jc7kf9ddzq-openssl-1.1.1g-dev/include/openssl/rsa.h:235:1: note: declared here
  235 | DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
      | ^~~~~~~~~~~~~~~~~~
2cca.c: In function 'show_crl':
2cca.c:398:34: error: dereferencing pointer to incomplete type 'X509_REVOKED' {aka 'struct x509_revoked_st'}
  398 |         i2a_ASN1_INTEGER(out, rev->serialNumber);
      |                                  ^~
2cca.c: In function 'set_serial128':
2cca.c:93:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
   93 |     fread(c_serial, SERIAL_SZ, 1, urandom);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:23: 2cca] Error 1
builder for '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv' failed with exit code 2
error: build of '/nix/store/szaxvcinfh9acgvxhb7h3vzl6p1yknva-2cca-20201005.drv' failed
