certifix/README.md

# Certifix

Not an Asterix character.

A small HTTPS API modelled on the description of the
[Puppet CA "Policy-based autosigning" functionality](
https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes),
that accepts X509 CSRs and automatically signs them without human
interaction if they have a custom `challengePassword` attribute
containing a pre-agreed value.

What's it for? I have a bunch of small devices on my LAN that may or
may not be able to retain persistent state across reboots. I would
like them to be able to talk securely to services on the network using
standard TLS with client authentication, and (because "[zero trust]
(https://en.wikipedia.org/wiki/Zero_trust_security_model)")
without having to rely on network firewall rules to prevent the rest
of the world also being able to talk to the service.

## To try it out

_This is alpha-quality code which was written by someone with only the
most passing familiarity with TLS or cryptography in general, and
has not been audited. Try it at your own risk._

It's written in [Fennel](https://www.fennel-lang.org). To build it
either use Nix or read [package.nix](package.nix) and figure out how
to replicate the steps manually.  Note that it requires a patch to the
luaossl module.

### CA key and cert

Create the CA key and the certificate used for signing. You will be
asked a bunch of questions that will be incorporated into the
certificate: when prompted for "Common Name", say "Certificate
Authority" or something like that

```
openssl genrsa -out ca.key 4096
openssl req  -addext basicConstraints=critical,CA:TRUE,pathlen:1  --x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
```

### Server key and cert

The certifix service is exposed over HTTPS, so it needs its own
certificate signed by the CA. Use your hostname when prompted for
Common Name

```
openssl req -newkey rsa:2048 -nodes -keyout server.key --out server.csr
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
```

### Build and start the server

The server needs to be told of all of the preceding files, _plus_ a
file containing the expected value of the pre-shared key that you want
it to check client certificate requests against.

```
echo 'loves labours lost' > psk
chmod 0700 psk
nix-build
result/bin/certifix  --challenge-password psk  --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613
```

### Try it and see if it works

To set the `challengePassword` attribute in a CSR using OpenSSL, you
need to create a configuration file.  Copy `openssl.cnf.example` to
`openssl.cnf` and edit it for your setup.

* the values in `req_distinguished_name` should match your organisation
* the `challengePassword` attribute must match whatever you told the
 service to expect (`psk` file in the preceding step)

```
# make CSR
CN=mydevice openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# send it to certifix, should get a certificate in response
curl --cacert ca.crt   -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
```


## Reasons this is not secure

* the CA key is readable by and present in the memory of the process
that reads and parses network requests. Bearing in mind the the whole
point is to automate signing we can only do so much about this, but at
least we could move the actual signing to a separate process which is
only invoked once an acceptable request has been received.

* there is no intermediate key - the requests are signed directly by the root CA

* I haven't checked that the protocols or the ciphers are restricted
  to modern and sensible defaults

* doesn't set 4.2.1.6.  Subject Alternative Name

* doesn't set Key Usage extension (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3)

* probably has wrong basicConstraints in CA cert

* likewise other TLS best practices


## Background


* [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)
* [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/)
add title 2024-09-25 20:34:27 +00:00			`# Certifix`

more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00			`Not an Asterix character.`
improve README 2024-09-25 20:30:32 +00:00
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00			`A small HTTPS API modelled on the description of the`
			`[Puppet CA "Policy-based autosigning" functionality](`
			`https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes),`
			`that accepts X509 CSRs and automatically signs them without human`
			interaction if they have a custom `challengePassword` attribute
			`containing a pre-agreed value.`
improve README 2024-09-25 20:30:32 +00:00
			`What's it for? I have a bunch of small devices on my LAN that may or`
			`may not be able to retain persistent state across reboots. I would`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00			`like them to be able to talk securely to services on the network using`
			`standard TLS with client authentication, and (because "[zero trust]`
			`(https://en.wikipedia.org/wiki/Zero_trust_security_model)")`
			`without having to rely on network firewall rules to prevent the rest`
			`of the world also being able to talk to the service.`
improve README 2024-09-25 20:30:32 +00:00
			`## To try it out`

more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00			`_This is alpha-quality code which was written by someone with only the`
			`most passing familiarity with TLS or cryptography in general, and`
			`has not been audited. Try it at your own risk._`
improve README 2024-09-25 20:30:32 +00:00
			`It's written in [Fennel](https://www.fennel-lang.org). To build it`
			`either use Nix or read [package.nix](package.nix) and figure out how`
			`to replicate the steps manually. Note that it requires a patch to the`
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`luaossl module.`
improve README 2024-09-25 20:30:32 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`### CA key and cert`

			`Create the CA key and the certificate used for signing. You will be`
			`asked a bunch of questions that will be incorporated into the`
			`certificate: when prompted for "Common Name", say "Certificate`
			`Authority" or something like that`

			```
			`openssl genrsa -out ca.key 4096`
			`openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:1 --x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt`
			```

			`### Server key and cert`

			`The certifix service is exposed over HTTPS, so it needs its own`
			`certificate signed by the CA. Use your hostname when prompted for`
			`Common Name`

			```
			`openssl req -newkey rsa:2048 -nodes -keyout server.key --out server.csr`
			`openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt`
			```

			`### Build and start the server`

			`The server needs to be told of all of the preceding files, _plus_ a`
			`file containing the expected value of the pre-shared key that you want`
			`it to check client certificate requests against.`
improve README 2024-09-25 20:30:32 +00:00
			```
matchng psk in example between client and expected 2024-09-25 20:40:01 +00:00			`echo 'loves labours lost' > psk`
improve README 2024-09-25 20:30:32 +00:00			`chmod 0700 psk`
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`nix-build`
			`result/bin/certifix --challenge-password psk --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613`
			```
improve README 2024-09-25 20:30:32 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`### Try it and see if it works`
improve README 2024-09-25 20:30:32 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			To set the `challengePassword` attribute in a CSR using OpenSSL, you
			need to create a configuration file. Copy `openssl.cnf.example` to
			`openssl.cnf` and edit it for your setup.

			* the values in `req_distinguished_name` should match your organisation
			* the `challengePassword` attribute must match whatever you told the
			service to expect (`psk` file in the preceding step)
use https 2024-09-27 18:47:11 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			```
			`# make CSR`
			`CN=mydevice openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr`
improve README 2024-09-25 20:30:32 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`# send it to certifix, should get a certificate in response`
curl with our custom ca cert 2024-10-01 23:28:12 +00:00			`curl --cacert ca.crt -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign`
improve README 2024-09-25 20:30:32 +00:00			```

polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00			`## Reasons this is not secure`

polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`* the CA key is readable by and present in the memory of the process`
			`that reads and parses network requests. Bearing in mind the the whole`
			`point is to automate signing we can only do so much about this, but at`
			`least we could move the actual signing to a separate process which is`
			`only invoked once an acceptable request has been received.`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`* there is no intermediate key - the requests are signed directly by the root CA`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00
			`* I haven't checked that the protocols or the ciphers are restricted`
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`to modern and sensible defaults`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00
			`* doesn't set 4.2.1.6. Subject Alternative Name`

			`* doesn't set Key Usage extension (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3)`

polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`* probably has wrong basicConstraints in CA cert`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`* likewise other TLS best practices`
more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00

improve README 2024-09-25 20:30:32 +00:00			`## Background`

more text, inclding actual reasons you shouldn't use it 2024-09-29 09:20:10 +00:00
improve README 2024-09-25 20:30:32 +00:00			`* [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)`
polish the README and remove my local config from it 2024-10-02 17:04:42 +00:00			`* [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/)`