feat: sign the ICA1 CSR

This introduces a bunch of facilities for PKI manipulations. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 17:50:18 +01:00 · 2024-12-31 17:50:18 +01:00 · 1bb6e8a681
commit 1bb6e8a681
parent 02b140aa3d
13 changed files with 167 additions and 0 deletions
--- a/default.nix
+++ b/default.nix
@ -0,0 +1,13 @@
+(import
+  (
+    let
+      lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+      inherit (lock.nodes.flake-compat.locked) narHash rev url;
+    in
+    builtins.fetchTarball {
+      url = "${url}/archive/${rev}.tar.gz";
+      sha256 = narHash;
+    }
+  )
+  { src = ./.; }
+).defaultNix
--- a/pki/.envrc
+++ b/pki/.envrc
@ -0,0 +1 @@
+use nix
--- a/pki/README.md
+++ b/pki/README.md
@ -0,0 +1,5 @@
+# PKI management
+
+This is our expressions to generate and manage our PKI in the project.
+
+We are using NitroHSMs for the offline storage and OpenBao server for the online operations.
--- a/pki/cacerts/README.md
+++ b/pki/cacerts/README.md
@ -0,0 +1,13 @@
+# CA certificate chains
+
+## `ca.crt`
+
+The root CA.
+
+## `ica1.crt`
+
+The chain from ICA1 to root CA.
+
+## `ica2.crt`
+
+The chain from ICA2 to root CA (ICA2 → ICA → root CA), this is what you want to usually use to trust our PKI.
--- a/pki/cacerts/ca.crt
+++ b/pki/cacerts/ca.crt
--- a/pki/cacerts/ica1.crt
+++ b/pki/cacerts/ica1.crt
@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
+ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
+ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
+0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
+GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
+DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
+AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
+QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
+uCAwXV3uHmNPlK4jgr4SHxwYKg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
+MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
+ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
+ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
+WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
+wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
+N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
+kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
+hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
+I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
+Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
+-----END CERTIFICATE-----
--- a/pki/csr/Floral_Systems_v1_ICA1_v1.csr
+++ b/pki/csr/Floral_Systems_v1_ICA1_v1.csr
@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGjCBzQIBADCBmTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAG
+A1UEBxMJRGFybXN0YWR0MRcwFQYDVQQKEw5GbG9yYWwgU3lzdGVtczEtMCsGA1UE
+CxMkRmxvcmFsIFN5c3RlbXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR0wGwYDVQQD
+ExRJbnRlcm1lZGlhdGUgQ0ExIHYxIDAqMAUGAytlcAMhAP0oJLV1eqEOAZOV/T9L
+gLV9PIOIYHcmGP6vs9Avg/TroAAwBQYDK2VwA0EATxwhMrur5dneuko3+Atpwt7V
+HIW1LrZKqbyo0DPVhs5mcQ9BXKFX1N+zhReR8Et/tx3ZIJ+OtjZslBQ71JESCA==
+-----END CERTIFICATE REQUEST-----
--- a/pki/csr/README.md
+++ b/pki/csr/README.md
@ -0,0 +1,3 @@
+# A trace of our CSRs files
+
+This is a collection of the CSRs we built for our needs.
--- a/pki/default.nix
+++ b/pki/default.nix
@ -0,0 +1,23 @@
+{ flake ? import ../., nixpkgs ? flake.inputs.nixpkgs, pkgs ? import nixpkgs { } }:
+{
+  shell = pkgs.mkShell {
+    buildInputs = [
+      pkgs.openssl
+    ];
+
+    OPENSSL_CONF = pkgs.writeText "openssl-pkcs11.conf" ''
+      openssl_conf = openssl_def
+
+      [openssl_def]
+      engines = engine_section
+
+      [engine_section]
+      pkcs11 = pkcs11_section
+
+      [pkcs11_section]
+      engine_id = pkcs11
+      dynamic_path = ${pkgs.libp11}/lib/engines/libpkcs11.so
+      MODULE_PATH = ${pkgs.opensc}/lib/opensc-pkcs11.so
+    '';
+  };
+}
--- a/pki/policies/README.md
+++ b/pki/policies/README.md
@ -0,0 +1 @@
+# OpenSSL policies for extensions and CAs
--- a/pki/policies/ca.conf
+++ b/pki/policies/ca.conf
@ -0,0 +1,56 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = DE
+ST                  = Hessen
+L                   = Darmstadt
+O                   = Floral Systems
+OU                  = Floral Systems Certificate Authority
+CN                  = Floral Systems Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
--- a/pki/policies/ica1_intermediate.conf
+++ b/pki/policies/ica1_intermediate.conf
@ -0,0 +1,6 @@
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
--- a/pki/shell.nix
+++ b/pki/shell.nix
@ -0,0 +1,2 @@
+(import ./. { }).shell
+