#
# Signing profiles are used by CertificateAuthority in order to
# set the correct flags when signing certificates.
#
module LeapCli
  module X509
    #
    # Profile for the CA's own self-signed root certificate.
    #
    # Marks the certificate as a CA (basicConstraints ca=true), limits key
    # usage to keyCertSign and leaves extendedKeyUsage empty. No "digest"
    # key is set by this profile.
    #
    # NOTE(review): the literal "critical" entry at the head of the usage
    # list presumably marks the keyUsage extension as critical once the list
    # is serialised -- confirm against CertificateAuthority.
    # NOTE(review): basicConstraints is not flagged critical here and cRLSign
    # is not asserted. RFC 5280 expects CA certificates to carry a critical
    # basicConstraints, and a CA that signs its own CRLs needs cRLSign --
    # confirm both omissions are intended.
    #
    def self.ca_root_signing_profile
      key_usage = { "usage" => ["critical", "keyCertSign"] }
      extended_key_usage = { "usage" => [] }

      extensions = {
        "basicConstraints" => { "ca" => true },
        "keyUsage" => key_usage,
        "extendedKeyUsage" => extended_key_usage
      }

      { "extensions" => extensions }
    end

    #
    # Profile for server (node) certificates.
    #
    # On keyUsage: openvpn server certs can carry keyEncipherment or
    # keyAgreement, and web browsers seem to break without keyEncipherment,
    # so for now digitalSignature + keyEncipherment is used.
    #
    # * digitalSignature -- for (EC)DHE cipher suites
    #   "The digitalSignature bit is asserted when the subject public key is
    #   used with a digital signature mechanism to support security services
    #   other than certificate signing (bit 5), or CRL signing (bit 6).
    #   Digital signature mechanisms are often used for entity authentication
    #   and data origin authentication with integrity."
    #
    # * keyEncipherment -- for plain RSA cipher suites
    #   "The keyEncipherment bit is asserted when the subject public key is
    #   used for key transport. For example, when an RSA key is to be used
    #   for key management, then this bit is set."
    #
    # * keyAgreement -- for use with DH, not RSA
    #   "The keyAgreement bit is asserted when the subject public key is used
    #   for key agreement. For example, when a Diffie-Hellman key is to be
    #   used for key management, then this bit is set."
    #
    # digest options: SHA512, SHA256, SHA1
    #
    # NOTE(review): the digest is taken from the provider configuration and
    # passed through unchecked. SHA1 certificate signatures are rejected by
    # current browsers and TLS libraries, so SHA256 or stronger is the safe
    # choice in that setting.
    # NOTE(review): extendedKeyUsage carries clientAuth as well as
    # serverAuth, so a certificate issued with this profile is also valid as
    # a TLS client credential -- confirm that is required.
    #
    # The subjectAltName is filled from the node: its single ip_address and
    # whatever node.all_dns_names returns.
    #
    def self.server_signing_profile(node)
      configured_digest = node.env.provider.ca.server_certificates.digest

      key_usage = { "usage" => ["digitalSignature", "keyEncipherment"] }
      extended_key_usage = { "usage" => ["serverAuth", "clientAuth"] }
      alt_names = {
        "ips" => [node.ip_address],
        "dns_names" => node.all_dns_names
      }

      {
        "digest" => configured_digest,
        "extensions" => {
          "keyUsage" => key_usage,
          "extendedKeyUsage" => extended_key_usage,
          "subjectAltName" => alt_names
        }
      }
    end

    #
    # Profile for signing the main certificate of the provider's domain with
    # our own CA. This is for testing purposes: typically that certificate
    # would be purchased from a commercial CA and not signed this way.
    #
    # Fixed SHA256 digest, digitalSignature + keyEncipherment, serverAuth
    # only.
    #
    # NOTE(review): no subjectAltName is set by this profile. Current
    # browsers match host names against subjectAltName only, so the names
    # have to be supplied somewhere not visible here -- confirm.
    #
    def self.domain_test_signing_profile
      extensions = {
        "keyUsage" => { "usage" => ["digitalSignature", "keyEncipherment"] },
        "extendedKeyUsage" => { "usage" => ["serverAuth"] }
      }

      { "digest" => "SHA256", "extensions" => extensions }
    end

    #
    # Profile for signing a dummy client certificate that is only to be used
    # for testing.
    #
    # Fixed SHA256 digest, digitalSignature only, clientAuth only.
    #
    def self.client_test_signing_profile
      extensions = {
        "keyUsage" => { "usage" => ["digitalSignature"] },
        "extendedKeyUsage" => { "usage" => ["clientAuth"] }
      }

      { "digest" => "SHA256", "extensions" => extensions }
    end
  end
end