more text, inclding actual reasons you shouldn't use it

handle CSRs with no attributes
add error handler
2024-09-29 10:20:10 +01:00 · 2024-09-29 10:19:07 +01:00 · 2024-09-27 19:47:31 +01:00 · 2024-09-27 19:47:11 +01:00
2 changed files with 71 additions and 31 deletions
--- a/README.md
+++ b/README.md
@ -1,27 +1,27 @@
 # Certifix

-Not an Asterix character.  A small HTTP(S)[*] API that accepts X509
-CSRs and signs them if they contain the magic number (specifically, if
-they have a custom `challengePassword` attribute containing a
-pre-agreed value)
+Not an Asterix character.

-Modelled on the Puppet CA "Policy-based autosigning" functionality,
-but without the rest of Puppet
+A small HTTPS API modelled on the description of the
+[Puppet CA "Policy-based autosigning" functionality](
+https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes),
+that accepts X509 CSRs and automatically signs them without human
+interaction if they have a custom `challengePassword` attribute
+containing a pre-agreed value.

 What's it for? I have a bunch of small devices on my LAN that may or
 may not be able to retain persistent state across reboots. I would
-like them to be able to talk securely to a server using standard TLS
-with client authentication, and without having to rely on network
-firewall rules to prevent the rest of the world also talking to the
-service.
-
-[*] it will do S, but as of writing this footnote it doesn't yet
+like them to be able to talk securely to services on the network using
+standard TLS with client authentication, and (because "[zero trust]
+(https://en.wikipedia.org/wiki/Zero_trust_security_model)")
+without having to rely on network firewall rules to prevent the rest
+of the world also being able to talk to the service.

 ## To try it out

-_This is experiment-quality code that I have published mostly so that
-it does't die with my laptop. Some day it will be grown-up but in the
-meantime try it at your own risk - or even better, don't try it_
+_This is alpha-quality code which was written by someone with only the
+most passing familiarity with TLS or cryptography in general, and
+has not been audited. Try it at your own risk._

 It's written in [Fennel](https://www.fennel-lang.org). To build it
 either use Nix or read [package.nix](package.nix) and figure out how
@ -38,18 +38,41 @@ chmod 0700 psk
 openssl genrsa -out ca.key 4096
 CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

+# create key for the server and sign it with the CA
+CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
+openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+
 # create example client CSR for testing (check openssl.cnf against "psk" file)
 CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

 # build and start the server
-nix-build && result/bin/certifix  --challenge-password psk  --certificate ca.crt --private-key ca.key localhost:19613
-
+nix-build && result/bin/certifix  --challenge-password psk  --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613
 # send it
-curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  http://localhost:8201/sign
+curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
 ```

+## Reasons this is not secure
+
+* the CA key is present in the memory of the process that reads and
+parses network requests
+
+* there is no "intermediate" key: requests are signed by the root key
+
+* I haven't checked that the protocols or the ciphers are restricted
+to modern and sensible defaults
+
+* doesn't set 4.2.1.6.  Subject Alternative Name
+
+* doesn't set Key Usage extension (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3)
+
+* likewise other TLS best practices
+
+
+
+
+
 ## Background

-* [how Puppet does it](https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes)
+

 * [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)
--- a/main.fnl
+++ b/main.fnl
@ -2,7 +2,8 @@

 (local server (require :http.server))
 (local headers (require :http.headers))
-(local ssl (require :openssl))
+(local htls (require :http.tls))
+(local ctx (require :openssl.ssl.context))
 (local csr (require :openssl.x509.csr))
 (local x509 (require :openssl.x509))
 (local pkey (require :openssl.pkey))
@ -53,10 +54,14 @@

 (fn parse-args [args]
  (match args
-    ["--certificate" f & rest]
-    (assoc (parse-args rest) :certificate (slurp f))
-    ["--private-key" f & rest]
-    (assoc (parse-args rest) :private-key (slurp f))
+    ["--ca-certificate" f & rest]
+    (assoc (parse-args rest) :ca-certificate (slurp f))
+    ["--ca-private-key" f & rest]
+    (assoc (parse-args rest) :ca-private-key (slurp f))
+    ["--server-certificate" f & rest]
+    (assoc (parse-args rest) :server-certificate (slurp f))
+    ["--server-private-key" f & rest]
+    (assoc (parse-args rest) :server-private-key (slurp f))
    ["--challenge-password" f & rest]
    (assoc (parse-args rest) :challenge-password (read-line f))
    [bind-address] { : bind-address }
@ -66,13 +71,15 @@
       (doto
           (parse-args arg)
         (case
-             {: certificate : private-key : challenge-password : bind-address}
+             {: ca-certificate : ca-private-key
+              : server-certificate : server-private-key
+              : challenge-password : bind-address}
           true
           _
           (assert nil "missing required command line params"))))

-(local ca-key (pkey.new options.private-key))
-(local ca-crt (x509.new options.certificate))
+(local ca-key (pkey.new options.ca-private-key))
+(local ca-crt (x509.new options.ca-certificate))

 (fn new-crt [csr]
  (let [crt
@ -87,10 +94,11 @@
    (crt:toPEM)))

 (fn approve-request? [csr]
-  (let [attr (csr:getAttributes)]
-    (accumulate [found false
-                 _ v (ipairs (. attr "challengePassword"))]
-      (or found (= v options.challenge-password)))))
+  (let [{ : challengePassword } (csr:getAttributes)]
+    (when challengePassword
+      (accumulate [found false
+                   _ v (ipairs challengePassword)]
+        (or found (= v options.challenge-password))))))

 (fn handle-sign-csr [out]
  (let [req (csr.new (out:get_body_as_string))]
@ -110,6 +118,11 @@
      _
      (send-error out 404 "not found"))))

+(fn ssl-context []
+  (doto (htls.new_server_context)
+    (: :setCertificate (x509.new options.server-certificate))
+    (: :setPrivateKey (pkey.new options.server-private-key))))
+
 (fn new-server []
  (let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
    (ncall (server.listen
@ -117,6 +130,10 @@
            :host addr
            :port (tonumber port)
            :onstream on-stream
+            :onerror (fn [server ctx op err errno]
+                       (print (view { : server : ctx : err : errno })))
+            :tls true
+            :ctx (ssl-context)
            }))))

 (let [s (new-server)]
Author	SHA1	Message	Date
Daniel Barlow	0844177d51	more text, inclding actual reasons you shouldn't use it	2024-09-29 10:20:10 +01:00
Daniel Barlow	a56a9ba013	handle CSRs with no attributes	2024-09-29 10:19:07 +01:00
Daniel Barlow	e4410323cf	add error handler	2024-09-27 19:47:31 +01:00
Daniel Barlow	d98f78db85	use https	2024-09-27 19:47:11 +01:00