certifix/README.md

# Certifix

Not an Asterix character.  A small HTTP(S)[*] API that accepts X509
CSRs and signs them if they contain the magic number (specifically, if
they have a custom `challengePassword` attribute containing a
pre-agreed value)

Modelled on the Puppet CA "Policy-based autosigning" functionality,
but without the rest of Puppet

What's it for? I have a bunch of small devices on my LAN that may or
may not be able to retain persistent state across reboots. I would
like them to be able to talk securely to a server using standard TLS
with client authentication, and without having to rely on network
firewall rules to prevent the rest of the world also talking to the
service.

[*] it will do S, but as of writing this footnote it doesn't yet

## To try it out

_This is experiment-quality code that I have published mostly so that
it does't die with my laptop. Some day it will be grown-up but in the
meantime try it at your own risk - or even better, don't try it_

It's written in [Fennel](https://www.fennel-lang.org). To build it
either use Nix or read [package.nix](package.nix) and figure out how
to replicate the steps manually.  Note that it requires a patch to the
luaossl module


```
# pick a PSK
echo 'loves labours lost' > psk
chmod 0700 psk

# create CA key and cert used for signing
openssl genrsa -out ca.key 4096
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

# create key for the server and sign it with the CA 
CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# create example client CSR for testing (check openssl.cnf against "psk" file)
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# build and start the server
nix-build && result/bin/certifix  --challenge-password psk  --certificate ca.crt --private-key ca.key localhost:19613

# send it
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
```

## Background

* [how Puppet does it](https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes)

* [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)
add title 2024-09-25 20:34:27 +00:00			`# Certifix`

			`Not an Asterix character. A small HTTP(S)[*] API that accepts X509`
			`CSRs and signs them if they contain the magic number (specifically, if`
			they have a custom `challengePassword` attribute containing a
			`pre-agreed value)`
improve README 2024-09-25 20:30:32 +00:00
			`Modelled on the Puppet CA "Policy-based autosigning" functionality,`
			`but without the rest of Puppet`

			`What's it for? I have a bunch of small devices on my LAN that may or`
			`may not be able to retain persistent state across reboots. I would`
			`like them to be able to talk securely to a server using standard TLS`
			`with client authentication, and without having to rely on network`
			`firewall rules to prevent the rest of the world also talking to the`
			`service.`

			`[*] it will do S, but as of writing this footnote it doesn't yet`

			`## To try it out`

			`_This is experiment-quality code that I have published mostly so that`
			`it does't die with my laptop. Some day it will be grown-up but in the`
			`meantime try it at your own risk - or even better, don't try it_`

			`It's written in [Fennel](https://www.fennel-lang.org). To build it`
			`either use Nix or read [package.nix](package.nix) and figure out how`
			`to replicate the steps manually. Note that it requires a patch to the`
			`luaossl module`


			```
			`# pick a PSK`
matchng psk in example between client and expected 2024-09-25 20:40:01 +00:00			`echo 'loves labours lost' > psk`
improve README 2024-09-25 20:30:32 +00:00			`chmod 0700 psk`

matchng psk in example between client and expected 2024-09-25 20:40:01 +00:00			`# create CA key and cert used for signing`
add title 2024-09-25 20:34:27 +00:00			`openssl genrsa -out ca.key 4096`
improve README 2024-09-25 20:30:32 +00:00			`CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt`

use https 2024-09-27 18:47:11 +00:00			`# create key for the server and sign it with the CA`
			`CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr`
			`openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt`

matchng psk in example between client and expected 2024-09-25 20:40:01 +00:00			`# create example client CSR for testing (check openssl.cnf against "psk" file)`
add title 2024-09-25 20:34:27 +00:00			`CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr`
improve README 2024-09-25 20:30:32 +00:00
bind to address provided on command line bonus: and print an error if we couldn't 2024-09-26 21:06:06 +00:00			`# build and start the server`
			`nix-build && result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613`
improve README 2024-09-25 20:30:32 +00:00
			`# send it`
use https 2024-09-27 18:47:11 +00:00			`curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign`
improve README 2024-09-25 20:30:32 +00:00			```

			`## Background`

			`* [how Puppet does it](https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes)`

			`* [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)`