* [PATCH 1/2] hs20-ca: Update key generation scripts and files.
@ 2015-03-23 18:03 greearb
2015-03-23 18:03 ` [PATCH 2/2] hs20: Update hs20 server notes file greearb
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: greearb @ 2015-03-23 18:03 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Ben Greear
From: Ben Greear <greearb@candelatech.com>
This lets us properly over-ride the default w1.fi
related strings in order to properly generate keys
that can be used by the OCSP process.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
hs20/server/ca/openssl.cnf | 12 ++++++------
hs20/server/ca/setup.sh | 42 ++++++++++++++++++++++++++++++------------
2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
index e29e737..c614479 100644
--- a/hs20/server/ca/openssl.cnf
+++ b/hs20/server/ca/openssl.cnf
@@ -95,7 +95,7 @@ localityName = Locality Name (eg, city)
localityName_default = Tuusula
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = w1.fi
+0.organizationName_default = @DOMAIN@
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
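Review bot: reusing @DOMAIN@ for `0.organizationName_default` ties the certificate's O= field to whatever DNS label is passed with -m, so a CA built with `-m local` (as the notes file example does) gets `O=local` in every subject. The organisation name and the DNS domain are independent things; a separate token (e.g. @ORG@, defaulting to $DOMAIN when unset) keeps the w1.fi behaviour for the default case while letting an operator set a real organisation name without changing the CN/SAN/OCSP host names.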
@@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
-#nameConstraints=permitted;DNS:.w1.fi
+#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
[ v3_osu_server ]
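Review bot: the value this placeholder receives moves the AIA target. setup.sh initialises `OCSP_URI="http://$CNO:8888/"`, i.e. ocsp.<domain>:8888, whereas the literal being replaced pointed at osu.w1.fi:8888, the OSU server host. Clients take the responder location from this extension, so the $CNO host must resolve and must be where ocsp-responder.sh is actually started, otherwise status checks for certificates under this intermediate CA quietly go to a host that does not answer. If the responder is co-hosted with the OSU server, derive the default from $SERVERNAME instead, or document that -O and -u have to be set together.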
@@ -159,7 +159,7 @@ algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
-uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png
+uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
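Review bot: @LOGO_URI@ is only half parameterised: setup.sh sets `LOGO_URI="http://osu.w1.fi/w1fi_logo.png"` with no getopts flag and no derivation from $DOMAIN or $SERVERNAME, so every CA built with -m still embeds a w1.fi logotype URL. Derive the default from the server name (e.g. `LOGO_URI="http://$SERVERNAME/w1fi_logo.png"`) and add a -l override next to -u. The logotype extension (1.3.6.1.5.5.7.1.12, with the sha1/sha256 hash sections above it) carries a hash of the image the URI serves, so the URL has to point at the same file that was hashed when the certificate was issued.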
@@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = clientAuth
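Review bot: `+authorityInfoAccess = OCSP;@OCSP_URI@` drops the `URI:` GeneralName tag that the CA and server sections keep, so after substitution this reads `OCSP;http://ocsp.<domain>:8888/`; openssl parses the part after the semicolon as a GeneralName type name, rejects `http` as an unsupported option, and signing the osu-client certificate fails when the extension section is loaded. Make it `authorityInfoAccess = OCSP;URI:@OCSP_URI@` to match the other two sections. Quick check on an issued certificate: `openssl x509 -in <client cert> -noout -text | grep -A1 'Authority Information Access'` should print `OCSP - URI:http://...`.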
@@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
keyUsage = critical, keyEncipherment
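Review bot: not introduced by this change, but since this section is being edited: `keyUsage = critical, keyEncipherment` on the OSU server certificate omits digitalSignature, which every (EC)DHE TLS cipher suite needs for the server's handshake signature; a client that enforces the critical keyUsage will refuse forward-secret suites with this certificate and only RSA key transport remains usable. `keyUsage = critical, digitalSignature, keyEncipherment` is the usual server profile and would be worth a follow-up patch.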
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
index fcf24ad..35d32b1 100755
--- a/hs20/server/ca/setup.sh
+++ b/hs20/server/ca/setup.sh
@@ -5,41 +5,52 @@ if [ -z "$OPENSSL" ]; then
fi
export OPENSSL_CONF=$PWD/openssl.cnf
PASS=whatever
-CNI="w1.fi Hotspot 2.0 Intermediate CA"
+if [ -z "$DOMAIN" ]; then
+ DOMAIN=w1.fi
+fi
+CNI="$DOMAIN Hotspot 2.0 Intermediate CA"
CNR="Hotspot 2.0 Trust Root CA - 99"
-CNO="ocsp.w1.fi"
-CNV="osu-revoked.w1.fi"
-CNOC="osu-client.w1.fi"
-SERVERNAME="osu.w1.fi"
+CNO="ocsp.$DOMAIN"
+CNV="osu-revoked.$DOMAIN"
+CNOC="osu-client.$DOMAIN"
+SERVERNAME="osu.$DOMAIN"
DNS=$SERVERNAME
DEBUG=0
+OCSP_URI="http://$CNO:8888/"
+LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
# Command line over-rides
USAGE=$( cat <<EOF
Usage:\n
# -C: SSL Commonname for Root CA ($CNR)\n
# -d: DNS Name ($DNS)\n
-# -D: Enable debugging (set -x, etc)
+# -D: Enable debugging (set -x, etc)\n
+# -h: Show this help message\n
# -I: SSL Commonname for Intermediate CA ($CNI)\n
+# -m: Domain ($DOMAIN)\n
# -o: SSL Commonname for OSU-Client Server ($CNOC)\n
# -O: SSL Commonname for OCSP Server ($CNO)\n
# -p: password ($PASS)\n
# -S: servername ($SERVERNAME)\n
+# -u: OCSP-URI ($OCSP_URI)\n
# -V: SSL Commonname for OSU-Revoked Server ($CNV)\n
EOF
)
-while getopts "C:d:DI:o:O:p:S:V:" flag
+while getopts "C:d:DI:m:o:O:p:S:u:V:h" flag
do
case $flag in
C) CNR=$OPTARG;;
d) DNS=$OPTARG;;
D) DEBUG=1;;
+ h) echo -e $USAGE; exit 0;;
I) CNI=$OPTARG;;
+ m) DOMAIN=$OPTARG;;
o) CNOC=$OPTARG;;
O) CNO=$OPTARG;;
p) PASS=$OPTARG;;
S) SERVERNAME=$OPTARG;;
+ u) OCSP_URI=$OPTARG;;
V) CNV=$OPTARG;;
*) echo "Un-known flag: $flag"; echo -e $USAGE;exit 1;;
esac
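Review bot: the -m option does not do what the usage text implies. CNI, CNO, CNV, CNOC, SERVERNAME, DNS and OCSP_URI are all expanded from $DOMAIN before the getopts loop runs, so `setup.sh -m example.net` still produces ocsp.w1.fi, osu.w1.fi and http://ocsp.w1.fi:8888/ unless every one of -I/-O/-V/-o/-S/-u is also given (which is what the example in the notes file ends up doing). Either move the DOMAIN-derived defaults below the loop, or track which of them were set explicitly and recompute the rest after it. Minor: `h) echo -e $USAGE` is unquoted, so word splitting collapses the help text's formatting; `echo -e "$USAGE"` (in the `*)` branch as well) avoids that.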
@@ -74,10 +85,17 @@ else
cp openssl.cnf.orig openssl.cnf
fi
-# Set the password accordingly.
-cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" > openssl-root.cnf.tmp
+# Set the password and some other common config accordingly.
+cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
+ > openssl-root.cnf.tmp
mv openssl-root.cnf.tmp openssl-root.cnf
-cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" > openssl.cnf.tmp
+
+set -x
+cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
+sed "s,@OCSP_URI@,$OCSP_URI," |
+sed "s,@LOGO_URI@,$LOGO_URI," |
+sed "s/@DOMAIN@/$DOMAIN/" \
+ > openssl.cnf.tmp
mv openssl.cnf.tmp openssl.cnf
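Review bot: `set -x` is enabled unconditionally here and never turned off, so from this point the script traces every command, including `sed "s/@PASSWORD@/$PASS/"` with the CA key password expanded, to stderr and into any log that captures the run; the DEBUG variable and -D flag already exist for exactly this. Gate it with `[ "$DEBUG" = 1 ] && set -x`, or drop it. Separately, the `,` delimiter used for @OCSP_URI@ and @LOGO_URI@ breaks on a URL that contains a comma, and an `&` in any value is a sed back-reference for the matched text; `|` as the delimiter and a single `sed -e ... -e ...` invocation (no `cat |`) is the safer shape, and checking that no `@...@` token survives in openssl.cnf before the first `openssl` call would catch a substitution that was missed.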
@@ -155,8 +173,8 @@ echo "---[ Server ]-----------------------------------------------------------"
echo
ALT="DNS:$DNS"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:eng$DOMAIN TESTING USE"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:fin$DOMAIN TESTIKÄYTTÖ"
cat openssl.cnf |
sed "s/#@CN@/commonName_default = $SERVERNAME/" |
--
1.9.3
* [PATCH 2/2] hs20: Update hs20 server notes file.
From: greearb @ 2015-03-23 18:03 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Ben Greear
From: Ben Greear <greearb@candelatech.com>
Include example hostapd-radius config file for the OSEN radius
server. Show example of how to use the ca/setup.sh script to
generate keys.
Show how to start OCSP responder and generate the ocsp cache
file.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
hs20/server/hs20-osu-server.txt | 53 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 80985f7..1557248 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -100,6 +100,19 @@ sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt
# the examples as-is for initial testing).
cp -r www /home/user/hs20-server
+# Build local keys and certs
+cd ca
+# Display help options.
+./setup.sh -h
+
+# Remove old keys, fill in appropriate values, and generate your keys. For instance:
+./clean.sh
+rm -fr rootCA"
+old_hostname=myserver.local
+./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \
+ -I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \
+ -O $old_hostname-oscp -p lanforge -S $old_hostname -V $old_hostname-osu-revoked \
+ -m local -u http://$old_hostname:8888/
# Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy
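Review bot: the example block does not run as written: `rm -fr rootCA"` has a stray closing quote that leaves the shell waiting for its partner, and `-O $old_hostname-oscp` is a typo for `ocsp` that becomes the OCSP responder certificate's CN. Two things worth saying explicitly next to the commands: `./clean.sh` followed by `rm -fr rootCA` destroys the root and intermediate keys irrecoverably, so the block must not be pasted into an existing deployment's ca/ directory; and `-u http://$old_hostname:8888/` puts the OSU host into the AIA while the responder CN is a different name, so whichever host ocsp-responder.sh actually listens on is the one that belongs in -u.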
@@ -128,6 +141,7 @@ EOF
# Configure RADIUS authentication service
# Note: Change the URL to match the setup
# Note: Install AAA server key/certificate and root CA in Key directory
+# NOTE: ca.pem is a copy of the hs20-server/ca/ca.pem file
cat > /home/user/hs20-server/AS/as-sql.conf <<EOF
driver=none
@@ -156,6 +170,45 @@ cd /home/user/hs20-server/AS
./hostapd -B as-sql.conf
+OSEN Radius configuration notes.
+
+The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
+configuration in it. For example:
+
+# hostapd-radius config for the radius used by the OSEN AP
+interface=eth0#0
+driver=wired
+logger_syslog=-1
+logger_syslog_level=2
+logger_stdout=-1
+logger_stdout_level=2
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=0
+#ieee8021x=1
+eapol_key_index_workaround=0
+eap_server=1
+eap_user_file=/home/user/hs20-server/AS/hostapd.eap_user
+server_id=ben-ota-2-osen
+eap_sim_db=unix:/tmp/hlr_auc_gw.sock
+radius_server_auth_port=1811
+radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients
+
+ca_cert=/home/user/hs20-server/ca/ca.pem
+server_cert=/home/user/hs20-server/ca/server.pem
+private_key=/home/user/hs20-server/ca/server.key
+private_key_passwd=whatever
+
+ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der
+
+
+# Run OCSP server:
+cd /home/user/hs20-server/ca
+./ocsp-responder.sh&
+
+# Update cache (This should be run periodically, but once will work for testing)
+./ocsp-update-cache.sh
+
+
Configure web server
--------------------
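Review bot: the sample RADIUS config ships with `private_key_passwd=whatever`, which is the default `PASS=whatever` from ca/setup.sh, and `ctrl_interface_group=0`; a reader who copies it gets a server key password that is also in a public script, so the notes should say to pass a real -p to setup.sh and keep this file unreadable to other users. On the OCSP side, `ocsp_stapling_response` names a static DER file, so hostapd staples whatever that file currently holds: once the cached response's nextUpdate passes, a supplicant that requires a valid stapled response (wpa_supplicant `ocsp=2`) rejects the OSEN connection. "This should be run periodically" should state concretely that ocsp-update-cache.sh must run (a cron entry) at an interval shorter than the responder's validity window, and `./ocsp-responder.sh&` is started detached with no log redirect and nothing to restart it, which is fine for a test bench but should be labelled as such.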
--
1.9.3
* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
From: Ben Greear @ 2015-03-23 18:04 UTC (permalink / raw)
To: greearb; +Cc: linux-wireless, johannes
Sorry, this should have gone elsewhere....will re-send to the appropriate location.
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
From: Julian Calaby @ 2015-03-23 22:16 UTC (permalink / raw)
To: Ben Greear; +Cc: linux-wireless, Johannes Berg
Hi Ben,
On Tue, Mar 24, 2015 at 5:03 AM, <greearb@candelatech.com> wrote:
> From: Ben Greear <greearb@candelatech.com>
>
> This lets us properly over-ride the default w1.fi
> related strings in order to properly generate keys
> that can be used by the OCSP process.
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
> ---
> hs20/server/ca/openssl.cnf | 12 ++++++------
> hs20/server/ca/setup.sh | 42 ++++++++++++++++++++++++++++++------------
> 2 files changed, 36 insertions(+), 18 deletions(-)
>
> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
> index e29e737..c614479 100644
> --- a/hs20/server/ca/openssl.cnf
> +++ b/hs20/server/ca/openssl.cnf
> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> keyUsage = critical, cRLSign, keyCertSign
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
> # For SP intermediate CA
> #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
> -#nameConstraints=permitted;DNS:.w1.fi
> +#nameConstraints=permitted;DNS:.@DOMAIN@
> #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>
> [ v3_osu_server ]
> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
> basicConstraints=CA:FALSE
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;@OCSP_URI@
Are you sure this change is correct? You drop the "URI:" part here but
not above or below.
> #@ALTNAME@
> extendedKeyUsage = clientAuth
>
> @@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
> basicConstraints=critical, CA:FALSE
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
> #@ALTNAME@
> extendedKeyUsage = critical, serverAuth
> keyUsage = critical, keyEncipherment
Thanks,
--
Julian Calaby
Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/
* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
From: Ben Greear @ 2015-03-23 22:31 UTC (permalink / raw)
To: Julian Calaby; +Cc: linux-wireless
On 03/23/2015 03:16 PM, Julian Calaby wrote:
> Hi Ben,
>
> On Tue, Mar 24, 2015 at 5:03 AM, <greearb@candelatech.com> wrote:
>> From: Ben Greear <greearb@candelatech.com>
>>
>> This lets us properly over-ride the default w1.fi
>> related strings in order to properly generate keys
>> that can be used by the OCSP process.
>>
>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>> ---
>> hs20/server/ca/openssl.cnf | 12 ++++++------
>> hs20/server/ca/setup.sh | 42 ++++++++++++++++++++++++++++++------------
>> 2 files changed, 36 insertions(+), 18 deletions(-)
>>
>> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
>> index e29e737..c614479 100644
>> --- a/hs20/server/ca/openssl.cnf
>> +++ b/hs20/server/ca/openssl.cnf
>> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid:always,issuer
>> basicConstraints = critical, CA:true, pathlen:0
>> keyUsage = critical, cRLSign, keyCertSign
>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>> # For SP intermediate CA
>> #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
>> -#nameConstraints=permitted;DNS:.w1.fi
>> +#nameConstraints=permitted;DNS:.@DOMAIN@
>> #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>>
>> [ v3_osu_server ]
>> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
>> basicConstraints=CA:FALSE
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid,issuer
>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>> +authorityInfoAccess = OCSP;@OCSP_URI@
>
> Are you sure this change is correct? You drop the "URI:" part here but
> not above or below.
You are correct, this is a bug. I've fixed it locally,
but not posted a new patch yet. And, I'll post it to the hostapd
mailing list instead of linux-wireless next time since that seems more
appropriate.
Thanks for the review!
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
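A check for the class of slip Julian spotted, as an added example (not code from the hostap project or from this patch): render the placeholder template the way setup.sh does, then refuse to go on if any `@TOKEN@` survives or any authorityInfoAccess entry lacks its `URI:` tag. Only the token names (@DOMAIN@, @OCSP_URI@, @LOGO_URI@) come from the patch; the template fragment and the example.net values are constructed for this demo.

```sh
#!/bin/sh
# Added example, not setup.sh itself: substitute the patch's placeholders
# and lint the result before any "openssl ca" run. Template text and the
# example.net values below are constructed for the demo.

# Constructed template: mirrors the three AIA sections of the patch,
# including the client section that lost its "URI:" tag.
TEMPLATE='[ v3_ca ]
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#nameConstraints=permitted;DNS:.@DOMAIN@
[ v3_osu_client ]
authorityInfoAccess = OCSP;@OCSP_URI@
#@ALTNAME@
[ v3_osu_server ]
authorityInfoAccess = OCSP;URI:@OCSP_URI@
uri=IA5STRING:@LOGO_URI@
0.organizationName_default = @DOMAIN@'

# render_cnf DOMAIN OCSP_URI LOGO_URI   (template on stdin, result on stdout)
# "|" is the sed delimiter: the values are URLs, so "/" is out, and a query
# string may contain "," (the delimiter the patch uses). Values must not
# contain "|" or "&", which sed would treat specially in the replacement.
render_cnf() {
    sed -e "s|@DOMAIN@|$1|g" -e "s|@OCSP_URI@|$2|g" -e "s|@LOGO_URI@|$3|g"
}

# lint_cnf RENDERED_TEXT: returns 0 when clean, 1 with the reasons on stderr.
lint_cnf() {
    cnf=$1
    rc=0
    # 1. A token nobody substituted would go into the certificate literally.
    #    Commented lines (#@CN@, #@ALTNAME@) are filled in per certificate
    #    later by setup.sh, so they are skipped here.
    leftover=$(printf '%s\n' "$cnf" | grep -v '^#' | grep '@[A-Z_]*@' || true)
    if [ -n "$leftover" ]; then
        printf 'lint: unsubstituted placeholder(s):\n%s\n' "$leftover" >&2
        rc=1
    fi
    # 2. Every accessLocation in authorityInfoAccess needs a GeneralName
    #    tag; "OCSP;http://..." has none and openssl refuses to build the
    #    extension from it, so the certificate never gets signed.
    bad_aia=$(printf '%s\n' "$cnf" | grep '^authorityInfoAccess' | grep -v ';URI:' || true)
    if [ -n "$bad_aia" ]; then
        printf 'lint: accessLocation without URI: tag:\n%s\n' "$bad_aia" >&2
        rc=1
    fi
    return $rc
}

# Demo run with values shaped like the patch's defaults.
rendered=$(printf '%s\n' "$TEMPLATE" |
    render_cnf example.net http://ocsp.example.net:8888/ http://osu.example.net/logo.png)
if lint_cnf "$rendered"; then
    echo "openssl.cnf: clean"
else
    echo "openssl.cnf: fix before running setup.sh"
fi
```

Run against the rendered file that setup.sh writes, the lint fails on the osu-client section exactly as posted and passes once the `URI:` tag is restored; the placeholder check also catches a sed chain that silently stopped early.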
* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
From: Julian Calaby @ 2015-03-23 22:33 UTC (permalink / raw)
To: Ben Greear; +Cc: linux-wireless
Hi Ben,
On Tue, Mar 24, 2015 at 9:31 AM, Ben Greear <greearb@candelatech.com> wrote:
> On 03/23/2015 03:16 PM, Julian Calaby wrote:
>> Hi Ben,
>>
>> On Tue, Mar 24, 2015 at 5:03 AM, <greearb@candelatech.com> wrote:
>>> From: Ben Greear <greearb@candelatech.com>
>>>
>>> This lets us properly over-ride the default w1.fi
>>> related strings in order to properly generate keys
>>> that can be used by the OCSP process.
>>>
>>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>>> ---
>>> hs20/server/ca/openssl.cnf | 12 ++++++------
>>> hs20/server/ca/setup.sh | 42 ++++++++++++++++++++++++++++++------------
>>> 2 files changed, 36 insertions(+), 18 deletions(-)
>>>
>>> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
>>> index e29e737..c614479 100644
>>> --- a/hs20/server/ca/openssl.cnf
>>> +++ b/hs20/server/ca/openssl.cnf
>>> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
>>> authorityKeyIdentifier=keyid:always,issuer
>>> basicConstraints = critical, CA:true, pathlen:0
>>> keyUsage = critical, cRLSign, keyCertSign
>>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>>> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>>> # For SP intermediate CA
>>> #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
>>> -#nameConstraints=permitted;DNS:.w1.fi
>>> +#nameConstraints=permitted;DNS:.@DOMAIN@
>>> #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>>>
>>> [ v3_osu_server ]
>>> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
>>> basicConstraints=CA:FALSE
>>> subjectKeyIdentifier=hash
>>> authorityKeyIdentifier=keyid,issuer
>>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>>> +authorityInfoAccess = OCSP;@OCSP_URI@
>>
>> Are you sure this change is correct? You drop the "URI:" part here but
>> not above or below.
>
> You are correct, this is a bug. I've fixed it locally,
> but not posted a new patch yet. And, I'll post it to the hostapd
> mailing list instead of linux-wireless next time since that seems more
> appropriate.
>
> Thanks for the review!
I had no idea what the patch was for, but little inconsistencies like
that tend to jump out at me.
Thanks,
--
Julian Calaby
Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/