* [PATCH 1/2] hs20-ca:  Update key generation scripts and files.
@ 2015-03-23 18:03 greearb
  2015-03-23 18:03 ` [PATCH 2/2] hs20: Update hs20 server notes file greearb
From: greearb @ 2015-03-23 18:03 UTC (permalink / raw)
  To: linux-wireless; +Cc: johannes, Ben Greear


From: Ben Greear <greearb@candelatech.com>

This lets us properly over-ride the default w1.fi
related strings in order to properly generate keys
that can be used by the OCSP process.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 hs20/server/ca/openssl.cnf | 12 ++++++------
 hs20/server/ca/setup.sh    | 42 ++++++++++++++++++++++++++++++------------
 2 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
index e29e737..c614479 100644
--- a/hs20/server/ca/openssl.cnf
+++ b/hs20/server/ca/openssl.cnf
@@ -95,7 +95,7 @@ localityName			= Locality Name (eg, city)
 localityName_default		= Tuusula
 
 0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= w1.fi
+0.organizationName_default	= @DOMAIN@
 
 ##organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
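Review bot: `0.organizationName_default = @DOMAIN@` is filled in by `sed "s/@DOMAIN@/$DOMAIN/"` in setup.sh, which uses `/` as its delimiter and replaces only the first match per line. That is fine for a bare DNS name, but the usage text for `-m` should say it expects a bare domain (no scheme, no trailing slash); a value such as `http://example.org/` would break the sed expression and leave the placeholder in the subject.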
@@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, cRLSign, keyCertSign
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
 # For SP intermediate CA
 #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
-#nameConstraints=permitted;DNS:.w1.fi
+#nameConstraints=permitted;DNS:.@DOMAIN@
 #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
 
 [ v3_osu_server ]
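Review bot: this hunk silently changes the default OCSP location in the intermediate CA's authorityInfoAccess. The removed line pointed at `http://osu.w1.fi:8888/`, while setup.sh now builds `OCSP_URI="http://$CNO:8888/"`, i.e. `http://ocsp.w1.fi:8888/` by default. The commit message does not mention the host change; either keep `osu.$DOMAIN` as the default or state in the message that the responder is now expected on the `ocsp.*` name, since clients that check OCSP will fail if nothing listens there.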
@@ -159,7 +159,7 @@ algorithm=OID:sha256
 [sha1_alg]
 algorithm=OID:sha1
 [URI]
-uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png
+uri=IA5STRING:@LOGO_URI@
 [LogotypeImageInfo]
 # default value color(1), component optional
 #type=IMP:0,INTEGER:1
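Review bot: `@LOGO_URI@` has no command-line override. setup.sh hardcodes `LOGO_URI="http://osu.w1.fi/w1fi_logo.png"`, so the logotype extension keeps pointing at w1.fi even after `-m` rewrites every other name. Add an option next to `-u` (for example `-l`), or derive the default from `$SERVERNAME`, so the generated certificates are consistent.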
@@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
 basicConstraints=CA:FALSE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;@OCSP_URI@
 #@ALTNAME@
 extendedKeyUsage = clientAuth
 
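Review bot: `authorityInfoAccess = OCSP;@OCSP_URI@` drops the `URI:` GeneralName tag that the hunks at lines 117 and 194 keep. After substitution this section reads `OCSP;http://...`, which OpenSSL will not accept as an accessDescription, so the OCSP-signing/client certificate generation will fail or lose the extension. Make it `authorityInfoAccess = OCSP;URI:@OCSP_URI@` like the other two.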
@@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
 basicConstraints=critical, CA:FALSE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
 #@ALTNAME@
 extendedKeyUsage = critical, serverAuth
 keyUsage = critical, keyEncipherment
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
index fcf24ad..35d32b1 100755
--- a/hs20/server/ca/setup.sh
+++ b/hs20/server/ca/setup.sh
@@ -5,41 +5,52 @@ if [ -z "$OPENSSL" ]; then
 fi
 export OPENSSL_CONF=$PWD/openssl.cnf
 PASS=whatever
-CNI="w1.fi Hotspot 2.0 Intermediate CA"
+if [ -z "$DOMAIN" ]; then
+    DOMAIN=w1.fi
+fi
+CNI="$DOMAIN Hotspot 2.0 Intermediate CA"
 CNR="Hotspot 2.0 Trust Root CA - 99"
-CNO="ocsp.w1.fi"
-CNV="osu-revoked.w1.fi"
-CNOC="osu-client.w1.fi"
-SERVERNAME="osu.w1.fi"
+CNO="ocsp.$DOMAIN"
+CNV="osu-revoked.$DOMAIN"
+CNOC="osu-client.$DOMAIN"
+SERVERNAME="osu.$DOMAIN"
 DNS=$SERVERNAME
 DEBUG=0
+OCSP_URI="http://$CNO:8888/"
+LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
 
 # Command line over-rides
 USAGE=$( cat <<EOF
 Usage:\n
 # -C:  SSL Commonname for Root CA ($CNR)\n
 # -d:  DNS Name ($DNS)\n
-# -D:  Enable debugging (set -x, etc)
+# -D:  Enable debugging (set -x, etc)\n
+# -h:  Show this help message\n
 # -I:  SSL Commonname for Intermediate CA ($CNI)\n
+# -m:  Domain ($DOMAIN)\n
 # -o:  SSL Commonname for OSU-Client Server ($CNOC)\n
 # -O:  SSL Commonname for OCSP Server ($CNO)\n
 # -p:  password ($PASS)\n
 # -S:  servername ($SERVERNAME)\n
+# -u:  OCSP-URI ($OCSP_URI)\n
 # -V:  SSL Commonname for OSU-Revoked Server ($CNV)\n
 EOF
 )
 
-while getopts "C:d:DI:o:O:p:S:V:" flag
+while getopts "C:d:DI:m:o:O:p:S:u:V:h" flag
   do
   case $flag in
       C) CNR=$OPTARG;;
       d) DNS=$OPTARG;;
       D) DEBUG=1;;
+      h) echo -e $USAGE; exit 0;;
       I) CNI=$OPTARG;;
+      m) DOMAIN=$OPTARG;;
       o) CNOC=$OPTARG;;
       O) CNO=$OPTARG;;
       p) PASS=$OPTARG;;
       S) SERVERNAME=$OPTARG;;
+      u) OCSP_URI=$OPTARG;;
       V) CNV=$OPTARG;;
       *) echo "Un-known flag: $flag"; echo -e $USAGE;exit 1;;
   esac
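Review bot: `-m` does not propagate to the derived names. `CNI`, `CNO`, `CNV`, `CNOC`, `SERVERNAME` and `OCSP_URI` are expanded from `$DOMAIN` before getopts runs, so `./setup.sh -m example.org` still yields `ocsp.w1.fi`, `osu.w1.fi` and `http://ocsp.w1.fi:8888/` unless each is also passed with `-O`, `-S`, `-V`, `-o` and `-u`. Either compute the derived defaults after the `case` block (only for variables the user did not set) or say in the usage text that `-m` only affects the organizationName and nameConstraints substitutions. Also, `echo -e $USAGE` is unquoted, so the `#` lines are subject to word splitting and globbing; quote it as `echo -e "$USAGE"`.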
@@ -74,10 +85,17 @@ else
     cp openssl.cnf.orig openssl.cnf
 fi
 
-# Set the password accordingly.
-cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" > openssl-root.cnf.tmp
+# Set the password and some other common config accordingly.
+cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
+ > openssl-root.cnf.tmp
 mv openssl-root.cnf.tmp openssl-root.cnf
-cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" > openssl.cnf.tmp
+
+set -x
+cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
+sed "s,@OCSP_URI@,$OCSP_URI," |
+sed "s,@LOGO_URI@,$LOGO_URI," |
+sed "s/@DOMAIN@/$DOMAIN/" \
+ > openssl.cnf.tmp
 mv openssl.cnf.tmp openssl.cnf
 
 
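Review bot: the unconditional `set -x` before the openssl.cnf substitution looks like leftover debugging; it will trace every later command and echo `$PASS` to the terminal on each run. The script already has `DEBUG`/`-D` for this, so gate it (`[ "$DEBUG" = 1 ] && set -x`) or drop it. Using `,` as the sed delimiter for the two URI substitutions is right, but `s/@PASSWORD@/$PASS/` and `s/@DOMAIN@/$DOMAIN/` still break on a value containing `/`; using the same `,` delimiter for all four avoids a silently half-substituted config.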
@@ -155,8 +173,8 @@ echo "---[ Server ]-----------------------------------------------------------"
 echo
 
 ALT="DNS:$DNS"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:eng$DOMAIN TESTING USE"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:fin$DOMAIN TESTIKÄYTTÖ"
 
 cat openssl.cnf |
 	sed "s/#@CN@/commonName_default = $SERVERNAME/" |
-- 
1.9.3


* [PATCH 2/2] hs20:  Update hs20 server notes file.
  2015-03-23 18:03 [PATCH 1/2] hs20-ca: Update key generation scripts and files greearb
@ 2015-03-23 18:03 ` greearb
  2015-03-23 18:04 ` [PATCH 1/2] hs20-ca: Update key generation scripts and files Ben Greear
  2015-03-23 22:16 ` Julian Calaby
From: greearb @ 2015-03-23 18:03 UTC (permalink / raw)
  To: linux-wireless; +Cc: johannes, Ben Greear

From: Ben Greear <greearb@candelatech.com>

Include example hostapd-radius config file for the OSEN radius
server.  Show example of how to use the ca/setup.sh script to
generate keys.

Show how to start OCSP responder and generate the ocsp cache
file.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 hs20/server/hs20-osu-server.txt | 53 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 80985f7..1557248 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -100,6 +100,19 @@ sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt
 # the examples as-is for initial testing).
 cp -r www /home/user/hs20-server
 
+# Build local keys and certs
+cd ca
+# Display help options.
+./setup.sh -h
+
+# Remove old keys, fill in appropriate values, and generate your keys.  For instance:
+./clean.sh
+rm -fr rootCA"
+old_hostname=myserver.local
+./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \
+   -I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \
+   -O $old_hostname-oscp -p lanforge -S $old_hostname -V $old_hostname-osu-revoked \
+   -m local -u http://$old_hostname:8888/
 
 # Configure subscription policies
 mkdir -p /home/user/hs20-server/spp/policy
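Review bot: `rm -fr rootCA"` has a stray double quote; pasted into a shell it leaves an unterminated string and swallows the following lines. In the setup.sh example, `-O $old_hostname-oscp` misspells "ocsp", and the `-o`, `-O`, `-S`, `-V` and `-u` values are all passed explicitly even though `-m local` is given, which is a good hint that the notes should say `-m` alone does not rename the derived hosts. Also `-p lanforge` puts a real-looking password in the notes; the default `whatever` or a clearly fake placeholder would be better.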
@@ -128,6 +141,7 @@ EOF
 # Configure RADIUS authentication service
 # Note: Change the URL to match the setup
 # Note: Install AAA server key/certificate and root CA in Key directory
+# NOTE: ca.pem is a copy of the hs20-server/ca/ca.pem file
 
 cat > /home/user/hs20-server/AS/as-sql.conf <<EOF
 driver=none
@@ -156,6 +170,45 @@ cd /home/user/hs20-server/AS
 ./hostapd -B as-sql.conf
 
 
+OSEN Radius configuration notes.
+
+The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
+configuration in it.  For example:
+
+# hostapd-radius config for the radius used by the OSEN AP
+interface=eth0#0
+driver=wired
+logger_syslog=-1
+logger_syslog_level=2
+logger_stdout=-1
+logger_stdout_level=2
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=0
+#ieee8021x=1
+eapol_key_index_workaround=0
+eap_server=1
+eap_user_file=/home/user/hs20-server/AS/hostapd.eap_user
+server_id=ben-ota-2-osen
+eap_sim_db=unix:/tmp/hlr_auc_gw.sock
+radius_server_auth_port=1811
+radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients
+
+ca_cert=/home/user/hs20-server/ca/ca.pem
+server_cert=/home/user/hs20-server/ca/server.pem
+private_key=/home/user/hs20-server/ca/server.key
+private_key_passwd=whatever
+
+ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der
+
+
+# Run OCSP server:
+cd /home/user/hs20-server/ca
+./ocsp-responder.sh&
+
+# Update cache (This should be run periodically, but once will work for testing)
+./ocsp-update-cache.sh
+
+
 Configure web server
 --------------------
 
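Review bot: `private_key_passwd=whatever` repeats the setup.sh default `PASS`; the notes should say it must match the `-p` value used when the keys were generated, and that it should be changed outside of testing. The comment that running `./ocsp-update-cache.sh` "once will work for testing" understates the failure mode: the stapled response in `ocsp-server-cache.der` carries a nextUpdate time, and once it passes hostapd will staple a stale response and clients that require OCSP will reject the EAP server certificate, so document a cron entry or timer for it. `./ocsp-responder.sh&` backgrounds the responder with no logging or restart, which is fine for a test setup but worth stating.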
-- 
1.9.3


* Re: [PATCH 1/2] hs20-ca:  Update key generation scripts and files.
  2015-03-23 18:03 [PATCH 1/2] hs20-ca: Update key generation scripts and files greearb
  2015-03-23 18:03 ` [PATCH 2/2] hs20: Update hs20 server notes file greearb
@ 2015-03-23 18:04 ` Ben Greear
  2015-03-23 22:16 ` Julian Calaby
From: Ben Greear @ 2015-03-23 18:04 UTC (permalink / raw)
  To: greearb; +Cc: linux-wireless, johannes


Sorry, this should have gone elsewhere... will re-send to the appropriate location.

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com


* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
  2015-03-23 18:03 [PATCH 1/2] hs20-ca: Update key generation scripts and files greearb
  2015-03-23 18:03 ` [PATCH 2/2] hs20: Update hs20 server notes file greearb
  2015-03-23 18:04 ` [PATCH 1/2] hs20-ca: Update key generation scripts and files Ben Greear
@ 2015-03-23 22:16 ` Julian Calaby
  2015-03-23 22:31   ` Ben Greear
From: Julian Calaby @ 2015-03-23 22:16 UTC (permalink / raw)
  To: Ben Greear; +Cc: linux-wireless, Johannes Berg

Hi Ben,

On Tue, Mar 24, 2015 at 5:03 AM,  <greearb@candelatech.com> wrote:
> From: Ben Greear <greearb@candelatech.com>
>
> This lets us properly over-ride the default w1.fi
> related strings in order to properly generate keys
> that can be used by the OCSP process.
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
> ---
>  hs20/server/ca/openssl.cnf | 12 ++++++------
>  hs20/server/ca/setup.sh    | 42 ++++++++++++++++++++++++++++++------------
>  2 files changed, 36 insertions(+), 18 deletions(-)
>
> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
> index e29e737..c614479 100644
> --- a/hs20/server/ca/openssl.cnf
> +++ b/hs20/server/ca/openssl.cnf
> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
>  authorityKeyIdentifier=keyid:always,issuer
>  basicConstraints = critical, CA:true, pathlen:0
>  keyUsage = critical, cRLSign, keyCertSign
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>  # For SP intermediate CA
>  #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
> -#nameConstraints=permitted;DNS:.w1.fi
> +#nameConstraints=permitted;DNS:.@DOMAIN@
>  #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>
>  [ v3_osu_server ]
> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
>  basicConstraints=CA:FALSE
>  subjectKeyIdentifier=hash
>  authorityKeyIdentifier=keyid,issuer
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;@OCSP_URI@

Are you sure this change is correct? You drop the "URI:" part here but
not above or below.

>  #@ALTNAME@
>  extendedKeyUsage = clientAuth
>
> @@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
>  basicConstraints=critical, CA:FALSE
>  subjectKeyIdentifier=hash
>  authorityKeyIdentifier=keyid,issuer
> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>  #@ALTNAME@
>  extendedKeyUsage = critical, serverAuth
>  keyUsage = critical, keyEncipherment

Thanks,

-- 
Julian Calaby

Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/

* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
  2015-03-23 22:16 ` Julian Calaby
@ 2015-03-23 22:31   ` Ben Greear
  2015-03-23 22:33     ` Julian Calaby
From: Ben Greear @ 2015-03-23 22:31 UTC (permalink / raw)
  To: Julian Calaby; +Cc: linux-wireless

On 03/23/2015 03:16 PM, Julian Calaby wrote:
> Hi Ben,
> 
> On Tue, Mar 24, 2015 at 5:03 AM,  <greearb@candelatech.com> wrote:
>> From: Ben Greear <greearb@candelatech.com>
>>
>> This lets us properly over-ride the default w1.fi
>> related strings in order to properly generate keys
>> that can be used by the OCSP process.
>>
>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>> ---
>>  hs20/server/ca/openssl.cnf | 12 ++++++------
>>  hs20/server/ca/setup.sh    | 42 ++++++++++++++++++++++++++++++------------
>>  2 files changed, 36 insertions(+), 18 deletions(-)
>>
>> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
>> index e29e737..c614479 100644
>> --- a/hs20/server/ca/openssl.cnf
>> +++ b/hs20/server/ca/openssl.cnf
>> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
>>  authorityKeyIdentifier=keyid:always,issuer
>>  basicConstraints = critical, CA:true, pathlen:0
>>  keyUsage = critical, cRLSign, keyCertSign
>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>>  # For SP intermediate CA
>>  #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
>> -#nameConstraints=permitted;DNS:.w1.fi
>> +#nameConstraints=permitted;DNS:.@DOMAIN@
>>  #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>>
>>  [ v3_osu_server ]
>> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
>>  basicConstraints=CA:FALSE
>>  subjectKeyIdentifier=hash
>>  authorityKeyIdentifier=keyid,issuer
>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>> +authorityInfoAccess = OCSP;@OCSP_URI@
> 
> Are you sure this change is correct? You drop the "URI:" part here but
> not above or below.

You are correct, this is a bug.  I've fixed it locally,
but not posted a new patch yet.  And, I'll post it to the hostapd
mailing list instead of linux-wireless next time since that seems more
appropriate.

Thanks for the review!

Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com


* Re: [PATCH 1/2] hs20-ca: Update key generation scripts and files.
  2015-03-23 22:31   ` Ben Greear
@ 2015-03-23 22:33     ` Julian Calaby
From: Julian Calaby @ 2015-03-23 22:33 UTC (permalink / raw)
  To: Ben Greear; +Cc: linux-wireless

Hi Ben,

On Tue, Mar 24, 2015 at 9:31 AM, Ben Greear <greearb@candelatech.com> wrote:
> On 03/23/2015 03:16 PM, Julian Calaby wrote:
>> Hi Ben,
>>
>> On Tue, Mar 24, 2015 at 5:03 AM,  <greearb@candelatech.com> wrote:
>>> From: Ben Greear <greearb@candelatech.com>
>>>
>>> This lets us properly over-ride the default w1.fi
>>> related strings in order to properly generate keys
>>> that can be used by the OCSP process.
>>>
>>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>>> ---
>>>  hs20/server/ca/openssl.cnf | 12 ++++++------
>>>  hs20/server/ca/setup.sh    | 42 ++++++++++++++++++++++++++++++------------
>>>  2 files changed, 36 insertions(+), 18 deletions(-)
>>>
>>> diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
>>> index e29e737..c614479 100644
>>> --- a/hs20/server/ca/openssl.cnf
>>> +++ b/hs20/server/ca/openssl.cnf
>>> @@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
>>>  authorityKeyIdentifier=keyid:always,issuer
>>>  basicConstraints = critical, CA:true, pathlen:0
>>>  keyUsage = critical, cRLSign, keyCertSign
>>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>>> +authorityInfoAccess = OCSP;URI:@OCSP_URI@
>>>  # For SP intermediate CA
>>>  #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
>>> -#nameConstraints=permitted;DNS:.w1.fi
>>> +#nameConstraints=permitted;DNS:.@DOMAIN@
>>>  #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
>>>
>>>  [ v3_osu_server ]
>>> @@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
>>>  basicConstraints=CA:FALSE
>>>  subjectKeyIdentifier=hash
>>>  authorityKeyIdentifier=keyid,issuer
>>> -authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
>>> +authorityInfoAccess = OCSP;@OCSP_URI@
>>
>> Are you sure this change is correct? You drop the "URI:" part here but
>> not above or below.
>
> You are correct, this is a bug.  I've fixed it locally,
> but not posted a new patch yet.  And, I'll post it to the hostapd
> mailing list instead of linux-wireless next time since that seems more
> appropriate.
>
> Thanks for the review!

I had no idea what the patch was for, but little inconsistencies like
that tend to jump out at me.

Thanks,

-- 
Julian Calaby

Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/
