Ready to generate new certificates

nemunaire 2014-01-21 03:07:52 +01:00
parent ac5aa1099e
commit cc588d51f9
7 changed files with 67 additions and 209 deletions


@ -110,6 +110,11 @@ for my $f (readdir $dh)
elsif ($type eq "sha512") { elsif ($type eq "sha512") {
$tmp_solution = sha512_hex($solution); $tmp_solution = sha512_hex($solution);
} }
elsif ($type eq "whirlpool") {
my $hash = Digest->new( 'Whirlpool' );
$hash->add( $solution );
$tmp_solution = $hash->hexdigest;
}
elsif ($type ne "raw") { elsif ($type ne "raw") {
warn "$type not implemented"; warn "$type not implemented";
} }
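Review bot: The new `whirlpool` branch calls `Digest->new( 'Whirlpool' )`, which dies at run time if the Digest::Whirlpool backend is not installed, whereas the unknown-type branch right below only warns. Because this sits inside the `for my $f (readdir $dh)` loop, a missing module would abort the whole run partway through the files. Loading the backend once at the top of the script (`use Digest::Whirlpool;`) would make that failure show up at start-up; alternatively wrap the construction in `eval { ... }` and `warn` on failure as the other branch does. The if/elsif chain begins outside the hunk, so how `$tmp_solution` is used afterwards is not visible here.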


@ -11,7 +11,8 @@ fi
CAKEY=./cakey.key CAKEY=./cakey.key
CAREQ=./careq.csr CAREQ=./careq.csr
CACERT=./cacert.crt CACERT=./cacert.crt
DAYS=365
DAYS=2
#GREEN="\033[1;32m" #GREEN="\033[1;32m"
#RED="\033[1;31m" #RED="\033[1;31m"
@ -63,7 +64,6 @@ case $1 in
echo -e "${GREEN}Making CA key and csr${COLOR_RST}" echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF
type pwgen > /dev/null type pwgen > /dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -72,10 +72,9 @@ case $1 in
fi fi
pass=`pwgen -n -B -y 12 1` pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \ openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \ -out ${TOP_DIR}/${CAREQ} -passout pass:$pass \
-config $OPENSSL_CONF > $OUTPUT 2>&1 -config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
cat $OUTPUT cat $OUTPUT
clean "ca" clean "ca"
@ -94,7 +93,7 @@ case $1 in
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}" echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \ openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \ -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
-selfsign -extensions v3_ca -config ${OPENSSL_CONF} \ -selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1 -infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
cat $OUTPUT cat $OUTPUT
@ -108,17 +107,16 @@ case $1 in
echo -e "${RED}Can not found the CA's key${COLOR_RST}" echo -e "${RED}Can not found the CA's key${COLOR_RST}"
exit 2 exit 2
fi fi
sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
openssl req -batch -new -keyout server.key -out server.csr \ openssl req -batch -new -keyout server.key -out server.csr \
-days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1 -days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
cat $OUTPUT cat $OUTPUT
exit 4 exit 4
fi fi
echo -e "${GREEN}Signing the Server crt${COLOR_RST}" echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
openssl ca -policy policy_match -config ${OPENSSL_CONF} \ openssl ca -policy policy_match -config ${OPENSSL_CONF} \
-out server.crt -infiles server.csr > $OUTPUT 2>&1 -out server.crt -extensions SERVER_SSL -infiles server.csr
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for new server${COLOR_RST}" echo -e "${RED}Signing failed for new server${COLOR_RST}"
rm -rf server.key server.crt server.csr rm -rf server.key server.crt server.csr
@ -145,7 +143,6 @@ case $1 in
exit 2 exit 2
fi fi
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
type pwgen > /dev/null type pwgen > /dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -156,7 +153,7 @@ case $1 in
pass=`pwgen -n -B -y 12 1` pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \ openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} > $OUTPUT 2>&1 -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
cat $OUTPUT cat $OUTPUT
clean "client" $2 clean "client" $2
@ -165,7 +162,7 @@ case $1 in
echo -e "${GREEN}Signing the Client crt${COLOR_RST}" echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \ openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \
-config ${OPENSSL_CONF} -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1 -config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for $2 ${COLOR_RST}" echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
cat $OUTPUT cat $OUTPUT
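Review bot: The server-signing `openssl ca` call loses its `> $OUTPUT 2>&1` redirect and, unlike the CA and client signing calls, has no `-batch`, so it will stop for interactive confirmation and leave `$OUTPUT` holding the text of the preceding `openssl req`. If unattended generation is the goal, `-batch -out server.crt -extensions SERVER_SSL -infiles server.csr > $OUTPUT 2>&1` keeps the three paths consistent and keeps any failure output meaningful. The same server block also replaces the common name with the literal `10.226.3.70`; taking the address from an argument, as the client block does with `$2`, would avoid editing the script when the host changes. The failure branch continues outside the hunk, so whether it prints `$OUTPUT` is not visible here.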


@ -55,8 +55,6 @@ crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.key # The private key private_key = $dir/private/cakey.key # The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional" # Comment out the following two lines for the "traditional"
# (and highly broken) format. # (and highly broken) format.
name_opt = ca_default # Subject Name options name_opt = ca_default # Subject Name options
@ -70,7 +68,7 @@ cert_opt = ca_default # Certificate field options
# crlnumber must also be commented out to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext # crl_extensions = crl_ext
default_days = 365 # how long to certify for default_days = 2 # how long to certify for
default_crl_days= 30 # how long before next CRL default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD default_md = default # use public key default MD
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
@ -147,7 +145,7 @@ organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = SRS organizationalUnitName_default = SRS
commonName = Common Name (e.g. server FQDN or YOUR name) commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Groupe_8#COMMONNAME commonName_default =10.226.3.70#COMMONNAME
commonName_max = 64 commonName_max = 64
emailAddress = Email Address emailAddress = Email Address
@ -163,191 +161,37 @@ challengePassword_max = 20
unstructuredName = An optional company name unstructuredName = An optional company name
[ usr_cert ] [CORE_CA]
nsComment = "FIC2014 CA"
# These extensions are added when 'ca' signs a request. basicConstraints = critical,CA:TRUE,pathlen:1
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType = client #CERTTYPE
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "FIC 2014 generated certificates"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
# This stuff is for subjectAltName and issuerAltname. keyUsage = keyCertSign, cRLSign
# Import the email address. nsCertType = sslCA
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical [SERVER_SSL]
# extensions. nsComment = "FIC2014 Server"
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This stuff is for subjectAltName and issuerAltname. [CLIENT_SSL]
# Import the email address. nsComment = "FIC2014 Client"
# subjectAltName=email:copy subjectKeyIdentifier = hash
# An alternative to produce certificates that aren't authorityKeyIdentifier = keyid,issuer:always
# deprecated according to PKIX. issuerAltName = issuer:copy
# subjectAltName=email:move basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
# Copy subject details nsCertType = client
# issuerAltName=issuer:copy extendedKeyUsage = clientAuth
subjectKeyIdentifier=hash
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem authorityKeyIdentifier=keyid:always,issuer
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
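Review bot: The new `[SERVER_SSL]` section has no `subjectAltName`, while the server identity is now an IP address carried only in `commonName_default =10.226.3.70#COMMONNAME`. Clients that verify a host given as an IP address match it against an iPAddress subject alternative name rather than the CN, so adding `subjectAltName = IP:10.226.3.70` to `[SERVER_SSL]` would make verification reliable. As rendered, each of the three new sections also appears to end up with `subjectKeyIdentifier` and `authorityKeyIdentifier` twice, with two different values for the latter (`keyid,issuer:always` and `keyid:always,issuer`); keeping a single line per key would make the effective setting unambiguous.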


@ -2,6 +2,13 @@ server_tokens off;
client_header_buffer_size 512; client_header_buffer_size 512;
client_max_body_size 512; client_max_body_size 512;
server {
listen 80 default;
listen [::]:80 ipv6only=on default;
rewrite ^ https://$host$uri;
}
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ipv6only=on ssl; listen [::]:443 ipv6only=on ssl;
@ -13,14 +20,14 @@ server {
access_log /var/log/nginx/fic.access_log; access_log /var/log/nginx/fic.access_log;
error_log /var/log/nginx/fic.error_log; error_log /var/log/nginx/fic.error_log;
ssl_certificate /var/www/fic2014-server/misc/server.crt; ssl_certificate /var/www/fic2014-server/server.crt;
ssl_certificate_key /var/www/fic2014-server/misc/server.key; ssl_certificate_key /var/www/fic2014-server/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
ssl_client_certificate /var/www/fic2014-server/misc/pki/cacert.crt; ssl_client_certificate /var/www/fic2014-server/cacert.crt;
ssl_verify_client optional; ssl_verify_client optional;
ssl_crl /var/www/fic2014-server/misc/pki/crl.pem; ssl_crl /var/www/fic2014-server/crl.pem;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains"; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
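Review bot: The new port-80 block redirects with `rewrite ^ https://$host$uri;`, which builds the Location header from the client-supplied Host header and from `$uri`, the decoded and normalised path. Decoded values in a redirect target are a known source of response-splitting problems, and without a flag the redirect is a temporary 302. `return 301 https://$host$request_uri;` uses the raw request line instead and also preserves the query string explicitly. Replacing `$host` with the site's fixed name or address would stop the redirect from echoing whatever Host value the client sent.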


@ -22,13 +22,13 @@
<h3>Top 10</h3> <h3>Top 10</h3>
<div class="list-group"> <div class="list-group">
{foreach from=$top item=t key=k} {foreach from=$top item=t key=k}
<div class="list-group-item">{$k+1}. {link href="{$t->id}-{$t->get_name_url()}" href_prefix="/" label=$t->get_name()} <div class="list-group-item">{$k+1}. {link href="{$t->id}-{$t->get_name_url()}" href_prefix="/" label={$t->get_name()|replace:"_":" et "}}
<span class="badge"> <span class="badge">
{$t->get_pts()} {$t->get_pts()}
</span> </span>
</div> </div>
{/foreach} {/foreach}
<div class="list-group-item">&nbsp;&nbsp;&nbsp;&nbsp;{link href="classement" href_prefix="/" label="Classement general"}</div> <div class="list-group-item">&nbsp;&nbsp;&nbsp;&nbsp;{link href="classement" href_prefix="/" label="Classement g&eacute;n&eacute;ral"}</div>
</div> </div>
</div> </div>


@ -8,7 +8,8 @@ function show($file)
header("HTTP/1.1 403 Forbidden"); header("HTTP/1.1 403 Forbidden");
} }
$file = __DIR__."/submission/".intval($_GET["team"])."-".intval($_GET["theme"])."-".urlencode($_GET["exercice"]); $filename = intval($_GET["team"])."-".intval($_GET["theme"])."-".urlencode($_GET["exercice"]);
$file = __DIR__."/submission/".$filename;
if (file_exists($file)) if (file_exists($file))
@ -16,7 +17,12 @@ if (file_exists($file))
else if (!empty($_POST["solution"]) && !empty($_GET["team"]) && !empty($_GET["theme"]) && !empty($_GET["exercice"])) else if (!empty($_POST["solution"]) && !empty($_GET["team"]) && !empty($_GET["theme"]) && !empty($_GET["exercice"]))
{ {
file_put_contents($file, $_POST['solution'], LOCK_EX); $algos = array("md5", "sha1", "sha256", "sha384", "sha512", "whirlpool");
$content = "";
foreach($algos as $algo)
$content .= mcrypt_encrypt(MCRYPT_SERPENT_256, hash($algo, $_POST["solution"]), hash($algo, $filename), MCRYPT_MODE_ECB)."\n";
file_put_contents($file, $content, LOCK_EX);
show(__DIR__."/teams/".intval($_GET["team"])."/".urlencode($_GET["theme"])."/".urlencode($_GET["exercice"])."/submission/index.html"); show(__DIR__."/teams/".intval($_GET["team"])."/".urlencode($_GET["theme"])."/".urlencode($_GET["exercice"])."/submission/index.html");
} }
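Review bot: The raw output of `mcrypt_encrypt()` is binary, yet the new loop joins the six results with `"\n"`, so a ciphertext that happens to contain a 0x0A byte cannot be separated reliably by whatever reads the file back. Encoding each record, e.g. `$content .= bin2hex(mcrypt_encrypt(MCRYPT_SERPENT_256, hash($algo, $_POST["solution"]), hash($algo, $filename), MCRYPT_MODE_ECB))."\n";`, keeps one record per line; the consumer is not on this page and would need the matching decode. The key is also the hex string returned by `hash()`, which is 32 to 128 characters depending on the algorithm while Serpent-256 takes at most 32 bytes, so the longer digests do not add key material. Passing `true` as the third argument of `hash()` for the key would use the raw digest instead, again provided the checker derives the key the same way.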


@ -19,8 +19,7 @@ rsync -e ssh -av $OPTS out/errors phobos:~/
rsync -e ssh -av $OPTS out/htdocs phobos:~/ rsync -e ssh -av $OPTS out/htdocs phobos:~/
rsync -e ssh -av $OPTS out/teams phobos:~/ rsync -e ssh -av $OPTS out/teams phobos:~/
rsync -e ssh -avL $OPTS files phobos:~/ rsync -e ssh -avL $OPTS files phobos:~/
rsync -e ssh -av $OPTS misc/server.* misc/pki/cacert.crt misc/pki/crl.pem phobos:~/ rsync -e ssh -av $OPTS nginx.conf submission.php misc/server.* misc/pki/cacert.crt misc/pki/crl.pem phobos:~/
scp nginx.conf submission.php phobos:~/
rsync -e ssh -av phobos:~/submission/ submission/ rsync -e ssh -av phobos:~/submission/ submission/
ssh phobos "rm -fv ~/submission/*" ssh phobos "rm -fv ~/submission/*"