diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..816b13e
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,13 @@
+(import
+ (
+ let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ inherit (lock.nodes.flake-compat.locked) narHash rev url;
+ in
+ builtins.fetchTarball {
+ url = "${url}/archive/${rev}.tar.gz";
+ sha256 = narHash;
+ }
+ )
+ { src = ./.; }
+).defaultNix
diff --git a/pki/.envrc b/pki/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/pki/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/pki/README.md b/pki/README.md
new file mode 100644
index 0000000..bdd339b
--- /dev/null
+++ b/pki/README.md
@@ -0,0 +1,5 @@
+# PKI management
+
+This is our expressions to generate and manage our PKI in the project.
+
+We are using NitroHSMs for the offline storage and OpenBao server for the online operations.
diff --git a/pki/cacerts/README.md b/pki/cacerts/README.md
new file mode 100644
index 0000000..6eb0b4c
--- /dev/null
+++ b/pki/cacerts/README.md
@@ -0,0 +1,13 @@
+# CA certificate chains
+
+## `ca.crt`
+
+The root CA.
+
+## `ica1.crt`
+
+The chain from ICA1 to root CA.
+
+## `ica2.crt`
+
+The chain from ICA2 to root CA (ICA2 → ICA → root CA), this is what you want to usually use to trust our PKI.
diff --git a/pki/ca.crt b/pki/cacerts/ca.crt
similarity index 100%
rename from pki/ca.crt
rename to pki/cacerts/ca.crt
diff --git a/pki/cacerts/ica1.crt b/pki/cacerts/ica1.crt
new file mode 100644
index 0000000..a355757
--- /dev/null
+++ b/pki/cacerts/ica1.crt
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhKgAwIBAgIUUfC3HiC4wWFjkavirLxjTpVrxkcwCgYIKoZIzj0EAwIw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzExNjQ0MjJaFw0yNTAxMzAxNjQ0MjJaMIGZ
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlEYXJtc3Rh
+ZHQxFzAVBgNVBAoTDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLEyRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMTFEludGVybWVkaWF0
+ZSBDQTEgdjEgMCowBQYDK2VwAyEA/SgktXV6oQ4Bk5X9P0uAtX08g4hgdyYY/q+z
+0C+D9OujYzBhMB0GA1UdDgQWBBRqxA1IFDZW0IULtTmjs6HdHnmL+zAfBgNVHSME
+GDAWgBRlFXmiKsRTP5Jn0wTWH+rGMisrgTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
+DwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBigAwgYYCQDgp6p7TvWOZmaC0WZHnVCeU
+AVJ1qSKjHRqnLUHAIBoPTvsEm1ActVcOYOyq5VxS7StirkULn7qWKzr2l67k5MYC
+QgG5sSKwP7vn+2B+/yNkBQTbHKyNZAQOg+tvPTwrmzmBzak3J1b2d4+qSkq9JEnZ
+uCAwXV3uHmNPlK4jgr4SHxwYKg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAoagAwIBAgIUHW9bhbgk6GXm5i+uamYWbInHDhkwCgYIKoZIzj0EAwQw
+gZsxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1z
+dGFkdDEXMBUGA1UECgwORmxvcmFsIFN5c3RlbXMxLTArBgNVBAsMJEZsb3JhbCBT
+eXN0ZW1zIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWRmxvcmFsIFN5
+c3RlbXMgUm9vdCBDQTAeFw0yNDEyMzAxMzEwMDlaFw0zNDEyMjgxMzEwMDlaMIGb
+MQswCQYDVQQGEwJERTEPMA0GA1UECAwGSGVzc2VuMRIwEAYDVQQHDAlEYXJtc3Rh
+ZHQxFzAVBgNVBAoMDkZsb3JhbCBTeXN0ZW1zMS0wKwYDVQQLDCRGbG9yYWwgU3lz
+dGVtcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFkZsb3JhbCBTeXN0
+ZW1zIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAD6xFA+QeHoUVZr
+WaDbfoUkELxnviEPLogl8+IgJ06ki+84yIAM3Zn+6IlmnJGoPaceoPIdYwHByWqf
+wvhvTobYRgB8T4l7vyt/KmMfkD2SU576syuR23PkJ6eImGklU3P1+H9CyU2BoPIg
+N21Kumx7GCvGAA8NsQyQVdZeLZ6lYjnCfaNjMGEwHQYDVR0OBBYEFGUVeaIqxFM/
+kmfTBNYf6sYyKyuBMB8GA1UdIwQYMBaAFGUVeaIqxFM/kmfTBNYf6sYyKyuBMA8G
+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMEA4GLADCB
+hwJBLvw4lfu2efHxdkPZpddMe9wLrrOFwoeYMIJ4XN4qn8WwQCy4G0oXTKHzwm3y
+I82YwdK5r6tUtdoHhQ5BscrrnRsCQgGNejEZMet0lFgch1Dr2iunnsOEpdODtapD
+Jwp4PRUSTdlqk0C2GOWUtbcK2arZ/QexnqLAKhASuY/clqVZLLzHTw==
+-----END CERTIFICATE-----
diff --git a/pki/csr/Floral_Systems_v1_ICA1_v1.csr b/pki/csr/Floral_Systems_v1_ICA1_v1.csr
new file mode 100644
index 0000000..a9260cc
--- /dev/null
+++ b/pki/csr/Floral_Systems_v1_ICA1_v1.csr
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGjCBzQIBADCBmTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAG
+A1UEBxMJRGFybXN0YWR0MRcwFQYDVQQKEw5GbG9yYWwgU3lzdGVtczEtMCsGA1UE
+CxMkRmxvcmFsIFN5c3RlbXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR0wGwYDVQQD
+ExRJbnRlcm1lZGlhdGUgQ0ExIHYxIDAqMAUGAytlcAMhAP0oJLV1eqEOAZOV/T9L
+gLV9PIOIYHcmGP6vs9Avg/TroAAwBQYDK2VwA0EATxwhMrur5dneuko3+Atpwt7V
+HIW1LrZKqbyo0DPVhs5mcQ9BXKFX1N+zhReR8Et/tx3ZIJ+OtjZslBQ71JESCA==
+-----END CERTIFICATE REQUEST-----
diff --git a/pki/csr/README.md b/pki/csr/README.md
new file mode 100644
index 0000000..56eeb3f
--- /dev/null
+++ b/pki/csr/README.md
@@ -0,0 +1,3 @@
+# A trace of our CSRs files
+
+This is a collection of the CSRs we built for our needs.
diff --git a/pki/default.nix b/pki/default.nix
new file mode 100644
index 0000000..7425403
--- /dev/null
+++ b/pki/default.nix
@@ -0,0 +1,23 @@
+{ flake ? import ../., nixpkgs ? flake.inputs.nixpkgs, pkgs ? import nixpkgs { } }:
+{
+ shell = pkgs.mkShell {
+ buildInputs = [
+ pkgs.openssl
+ ];
+
+ OPENSSL_CONF = pkgs.writeText "openssl-pkcs11.conf" ''
+ openssl_conf = openssl_def
+
+ [openssl_def]
+ engines = engine_section
+
+ [engine_section]
+ pkcs11 = pkcs11_section
+
+ [pkcs11_section]
+ engine_id = pkcs11
+ dynamic_path = ${pkgs.libp11}/lib/engines/libpkcs11.so
+ MODULE_PATH = ${pkgs.opensc}/lib/opensc-pkcs11.so
+ '';
+ };
+}
diff --git a/pki/policies/README.md b/pki/policies/README.md
new file mode 100644
index 0000000..af8b2ba
--- /dev/null
+++ b/pki/policies/README.md
@@ -0,0 +1 @@
+# OpenSSL policies for extensions and CAs
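Review bot: The first certificate in this chain (the ICA1 leaf of the chain, whose hunk starts on the previous lines) does not appear to have been issued under the `pki/policies/ca.conf` added in the same commit: decoding the DER by hand, its signature algorithm OID reads as ecdsa-with-SHA256 and its validity as 2024-12-31 to 2025-01-30 (about 30 days), whereas the config sets `default_md = sha512` and `default_days = 375`; please confirm with `openssl x509 -in pki/cacerts/ica1.crt -noout -text`. The subject CN of this certificate and of the committed CSR also appears to end in a trailing space (`Intermediate CA1 v1 `, PrintableString length 20), which is almost certainly unintended and will be copied verbatim into the issuer field of everything ICA1 signs. If the short validity and digest were deliberate for a first issuance, a sentence under `## ica1.crt` in `pki/cacerts/README.md` saying so would spare the next reader the decoding.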
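Review bot: The configuration written to `OPENSSL_CONF` loads the libp11 ENGINE, but the ENGINE API has been deprecated since OpenSSL 3.0 and `pkgs.openssl` in current nixpkgs is a 3.x release, so a comment above `OPENSSL_CONF = pkgs.writeText ...` should record that this works only while the engine interface is still shipped and that the provider-based route (the pkcs11-provider project) is the migration target. `pkgs.opensc` is referenced for `MODULE_PATH` but not added to the shell, so its `pkcs11-tool` is absent from PATH even though it is the usual way to list the HSM slots this engine configuration points at; since these are tools rather than link-time libraries, `nativeBuildInputs = [ pkgs.openssl pkgs.opensc ];` is the right attribute. Because `OPENSSL_CONF` replaces the default `openssl.cnf` entirely, the `[ ca ]` and `[ req ]` sections in `pki/policies/ca.conf` are only used when passed explicitly via `-config`; a one-line comment to that effect would stop someone from expecting them to apply automatically inside this shell.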
diff --git a/pki/policies/ca.conf b/pki/policies/ca.conf
new file mode 100644
index 0000000..ba46b9b
--- /dev/null
+++ b/pki/policies/ca.conf
@@ -0,0 +1,56 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha512
+
+[ req_distinguished_name ]
+C = DE
+ST = Hessen
+L = Darmstadt
+O = Floral Systems
+OU = Floral Systems Certificate Authority
+CN = Floral Systems Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/pki/policies/ica1_intermediate.conf b/pki/policies/ica1_intermediate.conf
new file mode 100644
index 0000000..700bc5f
--- /dev/null
+++ b/pki/policies/ica1_intermediate.conf
@@ -0,0 +1,6 @@
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
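Review bot: `[ CA_default ]` sets `crl_dir` and `v3_ca` grants `cRLSign`, but neither `default_crl_days` nor `crlnumber` is defined, so `openssl ca -config ca.conf -gencrl` will stop with "cannot lookup how long until the next CRL is issued" unless `-crldays` is passed, and any CRL produced will lack a CRL number extension; add `crlnumber = $dir/crlnumber` and `default_crl_days = 30` (pick the interval you actually intend) next to `serial = $dir/serial`. `private_key` and `certificate` are also absent, which is sensible when the root key lives on the HSM and is supplied through `-keyfile`/`-engine`, but a comment saying so above `dir = .` would stop a later edit from pointing the CA at a file-based key. `default_bits = 4096` only governs RSA key generation in `req`, and the committed root certificate appears to carry an EC key, so that line is inert here and worth a comment or removal. Separately, the committed `pki/cacerts/ica1.crt` looks (decoding by hand) to be signed with ecdsa-with-SHA256 and valid for 30 days, which matches neither `default_md = sha512` nor `default_days = 375`, so either this config was not the one used for ICA1 or both values were overridden on the command line — please record which in the `[ CA_default ]` comment.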
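Review bot: `basicConstraints = critical, CA:true` in `[ v3_intermediate_ca ]` has no `pathlen`, so an ICA1 issued with this section may certify an unbounded depth of further CAs beneath it. `pki/cacerts/README.md` in this commit describes the hierarchy as ICA2 → ICA → root, so if that ICA is ICA1 it only needs to issue one further CA tier and `basicConstraints = critical, CA:true, pathlen:1` here (with `pathlen:0` in a matching ICA2 section) lets relying parties reject any deeper sub-CA; if a different depth is intended, state it in the section comment. The section is otherwise identical to `v3_ca` in `ca.conf`, which is fine, but since this file has no `[ ca ]` or `[ req ]` it is only usable as `-extfile ica1_intermediate.conf -extensions v3_intermediate_ca`, and a comment on line 1 saying so would prevent it being passed as `-config`.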
diff --git a/pki/shell.nix b/pki/shell.nix
new file mode 100644
index 0000000..55672cf
--- /dev/null
+++ b/pki/shell.nix
@@ -0,0 +1,2 @@
+(import ./. { }).shell
+