pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/pkgtools/pkg_install/files/x509 Merge x509 setup and d...
details: https://anonhg.NetBSD.org/pkgsrc/rev/6825131f8e2a
branches: trunk
changeset: 553881:6825131f8e2a
user: joerg <joerg%pkgsrc.org@localhost>
date: Mon Feb 02 12:49:16 2009 +0000
description:
Merge x509 setup and documentation from pkg_install-renovation.
diffstat:
pkgtools/pkg_install/files/x509/pkgsrc.cnf | 136 ++++++++++++++++++++++++++++
pkgtools/pkg_install/files/x509/pkgsrc.sh | 63 ++++++++++++
pkgtools/pkg_install/files/x509/signing.txt | 59 ++++++++++++
3 files changed, 258 insertions(+), 0 deletions(-)
diffs (270 lines):
diff -r d62123fa7ce5 -r 6825131f8e2a pkgtools/pkg_install/files/x509/pkgsrc.cnf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.cnf Mon Feb 02 12:49:16 2009 +0000
@@ -0,0 +1,136 @@
+# $NetBSD: pkgsrc.cnf,v 1.2 2009/02/02 12:49:16 joerg Exp $
+#
+# OpenSSL sample configuration file for use by pkgsrc.sh
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./pkgsrc # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha1
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ pkgkey ]
+nsComment = "Certificate for binary pkgsrc packages"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+extendedKeyUsage = codeSigning, emailProtection
+
+[ pkgsec ]
+nsComment = "Certificate for pkg-vulnerabilities"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
diff -r d62123fa7ce5 -r 6825131f8e2a pkgtools/pkg_install/files/x509/pkgsrc.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.sh Mon Feb 02 12:49:16 2009 +0000
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $NetBSD: pkgsrc.sh,v 1.2 2009/02/02 12:49:16 joerg Exp $
+#
+
+CA="openssl ca -config pkgsrc.cnf"
+REQ="openssl req -config pkgsrc.cnf"
+
+set -e
+
+new_ca() {
+ if [ -f $1/serial ]; then
+ echo "CA already exists, exiting" >& 2
+ exit 1
+ fi
+
+ mkdir -p $1/certs $1/crl $1/newcerts $1/private
+ echo "00" > $1/serial
+ touch $1/index.txt
+
+ echo "Making CA certificate ..."
+ $REQ -new -keyout $1/private/cakey.pem \
+ -out $1/careq.pem
+ $CA -out $1/cacert.pem -batch \
+ -keyfile $1/private/cakey.pem -selfsign \
+ -infiles $1/careq.pem
+}
+
+new_pkgkey() {
+ $REQ -new -keyout pkgkey_key.pem -out pkgkey_req.pem
+ $CA -extensions pkgkey -policy policy_match -out pkgkey_cert.pem -infiles pkgkey_req.pem
+ rm pkgkey_req.pem
+ echo "Signed certificate is in pkgkey_cert.pem, key in pkgkey_key.pem"
+}
+
+new_pkgsec() {
+ $REQ -new -keyout pkgsec_key.pem -out pkgsec_req.pem
+ $CA -extensions pkgsec -policy policy_match -out pkgsec_cert.pem -infiles pkgsec_req.pem
+ rm pkgsec_req.pem
+ echo "Signed certificate is in pkgsec_cert.pem, key in pkgsec_key.pem"
+}
+
+usage() {
+ echo "$0:"
+ echo "setup - create new CA in ./pkgsrc for use by pkg_install"
+ echo "pkgkey - create and sign a certificate for binary packages"
+ echo "pkgsec - create and sign a certificate for pkg-vulnerabilities"
+}
+
+case "$1" in
+setup)
+ new_ca ./pkgsrc
+ ;;
+pkgkey)
+ new_pkgkey
+ ;;
+pkgsec)
+ new_pkgsec
+ ;;
+*)
+ usage
+ ;;
+esac
diff -r d62123fa7ce5 -r 6825131f8e2a pkgtools/pkg_install/files/x509/signing.txt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/signing.txt Mon Feb 02 12:49:16 2009 +0000
@@ -0,0 +1,59 @@
+Use of digital signatures in pkg_install
+----------------------------------------
+
+(1) pkg_vulnerabilities: list of known vulnerabilities, provided by
+ the pkgsrc security team and updated regulary
+(2) binary packages: check who provided binary packages
+
+For (1) gpg is currently the only choice. After pkgsrcCon (?) a PKCS7
+signature will be added as well. With the pkg_install-renovation branch,
+PKCS7 is the only supported verification mechanism for (2) and preferred
+for (1) once the infrastructure exists.
+
+PKCS7 is a format to use RSA public key cryptography with X509
+certificates. Those are commonly used for SSL. X509 implements a
+hierachical trust model. For this purpose it means that one or more
+certificates are installed and marked as trusted. A certificate used for
+signing a binary package or pkg_vulnerabilities will have to be included
+in the list to be trusted OR it must be itself signed by a trusted
+certificate. The original list is called the TRUST ANCHOR.
+
+Optionally, a second list of certificates can be provided to fill gaps.
+Let's assume A is a trust anchor and C is used to sign a package. C
+itself is not signed by A, so it won't be trusted. Instead, there's a
+third certificate B; and C includes a signature with B. The certificate
+chain file can now provide B signed by A. This gives a certificate chain
+of C -> B (included in the package) -> A (with the chain file) and the
+signature is valid and trusted.
+
+
+Practical implications for pkgsrc users:
+- get the pkgsrc-security certificate and point CERTIFICATE_ANCHOR_PKGVULN to it
+- get the certificate used by your bulk builder and point
+CERTIFICATE_ANCHOR_PKGS to it
+- at some later point a CA for pkgsrc might be created, in that case it
+will serve as certificate for both purposes; a list of all certificates
+will be provided in that case to point CERTIFICATE_CHAIN to.
+
+
+How to create your own keys:
+
+The pkgsrc.sh script and the corresponding pkgsrc.cnf file provide a working
+wrapper around the OpenSSL command line tool.
+
+The root certificate can be created by running "sh pkgsrc.sh setup",
+the output can found in the pkgsrc subdirectory of the current directory.
+The meta data is for human beings and displayed e.g. by pkg_add, but not
+relevant for cryptographic purposes. pkgsrc/newcerts/00.pem is the
+public key and can be used as trust anchor.
+A certificate for signing packages can be created by running
+"sh pkgsrc.sh pkgkey". The private key can be found in pkgkey_key.pem
+and the certificate in pkgkey_cert.pem.
+Similary, "sh pkgsrc.sh pkgsec" will create a certificate/key pair for
+signing pkg-vulnerabilities.
+
+How to verify a certificate:
+- decode the data with "openssl x509 -text -noout -in newcert.pem"
+- "Issuer" is vouching for the identity (and reliability) of "Subject"
+- "X509v3 Basic Constraints" should list "CA:FALSE" for all keys that are not allowed
+ to sign further keys.
Home |
Main Index |
Thread Index |
Old Index