Ready to generate new certificates

2014-01-21 03:07:52 +01:00 · 2014-01-21 03:07:52 +01:00 · cc588d51f9
commit cc588d51f9
parent ac5aa1099e
7 changed files with 67 additions and 209 deletions
--- a/check.pl
+++ b/check.pl
@ -110,6 +110,11 @@ for my $f (readdir $dh)
 	    elsif ($type eq "sha512") {
 		$tmp_solution = sha512_hex($solution);
 	    }
+	    elsif ($type eq "whirlpool") {
+		my $hash = Digest->new( 'Whirlpool' );
+		$hash->add( $solution );
+		$tmp_solution = $hash->hexdigest;
+	    }
 	    elsif ($type ne "raw") {
 		warn "$type not implemented";
 	    }
--- a/misc/CA.sh
+++ b/misc/CA.sh
@ -11,7 +11,8 @@ fi
 CAKEY=./cakey.key
 CAREQ=./careq.csr
 CACERT=./cacert.crt
-DAYS=365
+
+DAYS=2

 #GREEN="\033[1;32m"
 #RED="\033[1;31m"
@ -63,7 +64,6 @@ case $1 in
        echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
        sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
        sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
-        sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
@ -72,10 +72,9 @@ case $1 in
        fi

        pass=`pwgen -n -B -y 12 1`
-
        openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY}         \
                    -out ${TOP_DIR}/${CAREQ} -passout pass:$pass            \
-                    -config $OPENSSL_CONF > $OUTPUT 2>&1
+                    -config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "ca"
@ -94,7 +93,7 @@ case $1 in
        echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
        openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT}          \
                -days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY}          \
-                -selfsign -extensions v3_ca -config ${OPENSSL_CONF}         \
+                -selfsign -extensions CORE_CA -config ${OPENSSL_CONF}         \
                -infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
@ -108,17 +107,16 @@ case $1 in
            echo -e "${RED}Can not found the CA's key${COLOR_RST}"
            exit 2
        fi
-        sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
-        sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
+        sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
        openssl req -batch -new -keyout server.key -out server.csr          \
-                    -days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1
+                    -days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            exit 4
        fi
        echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
        openssl ca -policy policy_match -config ${OPENSSL_CONF}             \
-                   -out server.crt -infiles server.csr > $OUTPUT 2>&1
+                   -out server.crt -extensions SERVER_SSL -infiles server.csr
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for new server${COLOR_RST}"
            rm -rf server.key server.crt server.csr
@ -145,7 +143,6 @@ case $1 in
            exit 2
        fi
        sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
-        sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF

        type pwgen > /dev/null
        if [ $? -ne 0 ]; then
@ -156,7 +153,7 @@ case $1 in
        pass=`pwgen -n -B -y 12 1`

        openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr              \
-                    -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} > $OUTPUT 2>&1
+                    -config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            cat $OUTPUT
            clean "client" $2
@ -165,7 +162,7 @@ case $1 in

        echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
        openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt                \
-                   -config ${OPENSSL_CONF} -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
+                   -config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
        if [ $? -ne 0 ]; then
            echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
            cat $OUTPUT
--- a/misc/openssl.cnf
+++ b/misc/openssl.cnf
@ -55,8 +55,6 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.key # The private key
 RANDFILE	= $dir/private/.rand	# private random number file

-x509_extensions	= usr_cert		# The extentions to add to the cert
-
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
 name_opt 	= ca_default		# Subject Name options
@ -70,7 +68,7 @@ cert_opt 	= ca_default		# Certificate field options
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext

-default_days	= 365			# how long to certify for
+default_days	= 2			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
@ -147,7 +145,7 @@ organizationalUnitName		= Organizational Unit Name (eg, section)
 organizationalUnitName_default	= SRS

 commonName			= Common Name (e.g. server FQDN or YOUR name)
-commonName_default		= Groupe_8#COMMONNAME
+commonName_default		=10.226.3.70#COMMONNAME
 commonName_max			= 64

 emailAddress			= Email Address
@ -163,191 +161,37 @@ challengePassword_max		= 20

 unstructuredName		= An optional company name

-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType			= client #CERTTYPE
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "FIC 2014 generated certificates"
-
-# PKIX recommendations harmless if included in all certificates.
+[CORE_CA]
+nsComment                       = "FIC2014 CA"
+basicConstraints                = critical,CA:TRUE,pathlen:1
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid,issuer:always
+issuerAltName                   = issuer:copy
+keyUsage                        = keyCertSign, cRLSign
+nsCertType                      = sslCA
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
 authorityKeyIdentifier=keyid:always,issuer

-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
+[SERVER_SSL]
+nsComment                       = "FIC2014 Server"
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid,issuer:always
+issuerAltName                   = issuer:copy
+basicConstraints                = critical,CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment
+nsCertType                      = server
+extendedKeyUsage                = serverAuth
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
+authorityKeyIdentifier=keyid:always,issuer

-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
-
-####################################################################
-[ tsa ]
-
-default_tsa = tsa_config1	# the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir		= ./demoCA		# TSA root directory
-serial		= $dir/tsaserial	# The current serial number (mandatory)
-crypto_device	= builtin		# OpenSSL engine to use for signing
-signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
-					# (optional)
-certs		= $dir/cacert.pem	# Certificate chain to include in reply
-					# (optional)
-signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
-default_policy	= tsa_policy1		# Policy if request did not specify it
-					# (optional)
-other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
-accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
-clock_precision_digits  = 0	# number of digits after dot. (optional)
-ordering		= yes	# Is ordering defined for timestamps?
-				# (optional, default: no)
-tsa_name		= yes	# Must the TSA name be included in the reply?
-				# (optional, default: no)
-ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
-				# (optional, default: no)
+[CLIENT_SSL]
+nsComment                       = "FIC2014 Client"
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid,issuer:always
+issuerAltName                   = issuer:copy
+basicConstraints                = critical,CA:FALSE
+keyUsage                        = digitalSignature, nonRepudiation
+nsCertType                      = client
+extendedKeyUsage                = clientAuth
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
--- a/nginx.conf
+++ b/nginx.conf
@ -2,6 +2,13 @@ server_tokens off;
 client_header_buffer_size 512;
 client_max_body_size 512;

+server {
+    listen 80 default;
+    listen [::]:80 ipv6only=on default;
+
+    rewrite ^ https://$host$uri;
+}
+
 server {
    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;
@ -13,14 +20,14 @@ server {
    access_log /var/log/nginx/fic.access_log;
    error_log /var/log/nginx/fic.error_log;

-    ssl_certificate		/var/www/fic2014-server/misc/server.crt;
-    ssl_certificate_key		/var/www/fic2014-server/misc/server.key;
+    ssl_certificate		/var/www/fic2014-server/server.crt;
+    ssl_certificate_key		/var/www/fic2014-server/server.key;
    ssl_protocols		TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers	on;
    ssl_ciphers			ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ADH:!AECDH:!MD5:!DSS;
-    ssl_client_certificate	/var/www/fic2014-server/misc/pki/cacert.crt;
+    ssl_client_certificate	/var/www/fic2014-server/cacert.crt;
    ssl_verify_client		optional;
-    ssl_crl			/var/www/fic2014-server/misc/pki/crl.pem;	
+    ssl_crl			/var/www/fic2014-server/crl.pem;	

    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

--- a/onyx/tpl/bootstrap/public/layout.tpl
+++ b/onyx/tpl/bootstrap/public/layout.tpl
@ -22,13 +22,13 @@
      <h3>Top 10</h3>
      <div class="list-group">
      {foreach from=$top item=t key=k}
-        <div class="list-group-item">{$k+1}. {link href="{$t->id}-{$t->get_name_url()}" href_prefix="/" label=$t->get_name()}
+        <div class="list-group-item">{$k+1}. {link href="{$t->id}-{$t->get_name_url()}" href_prefix="/" label={$t->get_name()|replace:"_":" et "}}
 <span class="badge">
 {$t->get_pts()}
 </span>
 </div>
      {/foreach}
-        <div class="list-group-item">&nbsp;&nbsp;&nbsp;&nbsp;{link href="classement" href_prefix="/" label="Classement general"}</div>
+        <div class="list-group-item">&nbsp;&nbsp;&nbsp;&nbsp;{link href="classement" href_prefix="/" label="Classement g&eacute;n&eacute;ral"}</div>
      </div>
    </div>

--- a/submission.php
+++ b/submission.php
@ -8,7 +8,8 @@ function show($file)
        header("HTTP/1.1 403 Forbidden");
 }

-$file = __DIR__."/submission/".intval($_GET["team"])."-".intval($_GET["theme"])."-".urlencode($_GET["exercice"]);
+$filename = intval($_GET["team"])."-".intval($_GET["theme"])."-".urlencode($_GET["exercice"]);
+$file = __DIR__."/submission/".$filename;


 if (file_exists($file))
@ -16,7 +17,12 @@ if (file_exists($file))

 else if (!empty($_POST["solution"]) && !empty($_GET["team"]) && !empty($_GET["theme"]) && !empty($_GET["exercice"]))
 {
-    file_put_contents($file, $_POST['solution'], LOCK_EX);
+    $algos = array("md5", "sha1", "sha256", "sha384", "sha512", "whirlpool");
+    $content = "";
+    foreach($algos as $algo)
+      $content .= mcrypt_encrypt(MCRYPT_SERPENT_256, hash($algo, $_POST["solution"]), hash($algo, $filename), MCRYPT_MODE_ECB)."\n";
+
+    file_put_contents($file, $content, LOCK_EX);

    show(__DIR__."/teams/".intval($_GET["team"])."/".urlencode($_GET["theme"])."/".urlencode($_GET["exercice"])."/submission/index.html");
 }
--- a/synchro.sh
+++ b/synchro.sh
@ -19,8 +19,7 @@ rsync -e ssh -av  $OPTS out/errors phobos:~/
 rsync -e ssh -av  $OPTS out/htdocs phobos:~/
 rsync -e ssh -av  $OPTS out/teams phobos:~/
 rsync -e ssh -avL $OPTS files phobos:~/
-rsync -e ssh -av  $OPTS misc/server.* misc/pki/cacert.crt misc/pki/crl.pem phobos:~/
-scp nginx.conf submission.php phobos:~/
+rsync -e ssh -av  $OPTS nginx.conf submission.php misc/server.* misc/pki/cacert.crt misc/pki/crl.pem phobos:~/

 rsync -e ssh -av phobos:~/submission/ submission/
 ssh phobos "rm -fv ~/submission/*"