You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Recording



PlayBook

Key generation command sequence

eduGAIN Key generation commands
#Check correct date on the box
date
alias getCode='/usr/local/keykeeper/bin/getCode.py'

# Plug in generator
# Start random genrator
rc-service rngd start
ps auxww | grep '[r]ngd'

# Check entropy strength
dd if=/dev/ttyUSB0 bs=4000 count=250 iflag=fullblock | ent

# Enter secure directory. Will be cleaned after reboot.
cd /dev/shm

# Configure teh Yubikey into " Static Password Mode."
# Create a random " Secret Key"
openssl rand -hex 16 | awk '{printf "%s", $1}' > /dev/shm/SecretKey
ls -la  /dev/shm/SecretKey
wc -m /dev/shm/SecretKey
# Insert 1 Yubikey
ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL
# Insert 2 Yubikey
ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL

#Remove SecretKey
rm /dev/shm/SecretKey && echo Key removed || echo FAIL

# Create a openssl.conf to get CA flag into cert
cat > openssl.cnf << EOF
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
EOF

# Create RSA key
getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /dev/shm/edugain_rsa.key && echo Key created || echo FAIL
# Create RSA cert-request
getCode | openssl req -new -passin stdin -key /dev/shm/edugain_rsa.key -out edugain_rsa.req -subj "/O=GEANT/CN=eduGAIN RSA Signer CA 2022" && echo Request created || echo FAIL
# Sign RSA Cert
getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_rsa.req -signkey /dev/shm/edugain_rsa.key -out edugain_rsa.crt -extfile openssl.cnf -extensions v3_ca  && echo Certificate created || echo FAIL

# Create EC key
getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm ed25519 -out /dev/shm/edugain_ecc.key && echo Key created || echo FAIL
# Create EC cert-request
getCode | openssl req -new -passin stdin -key /dev/shm/edugain_ecc.key -out edugain_ecc.req -subj "/O=GEANT/CN=eduGAIN ECC Signer CA 2022" && echo Request created || echo FAIL
# Create EC cert-request
getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_ecc.req -signkey /dev/shm/edugain_ecc.key -out edugain_ecc.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL

# Verify Keys / Certs
openssl x509 -noout -modulus -in /dev/shm/edugain_rsa.crt | openssl sha256
getCode | openssl rsa -passin stdin -noout -modulus -in /dev/shm/edugain_rsa.key | openssl sha256 
 
openssl x509 -noout -text -in /dev/shm/edugain_ecc.crt | egrep -A 4 "ED25519 Public-Key" | sed 's/^ *//g'
getCode | openssl pkey -passin stdin -noout -in /dev/shm/edugain_ecc.key -text_pub | sed 's/^ *//g' 

# Show that the Keys are encrypted
grep -- "-" *.key

#Show RSA cert
openssl x509 -in /dev/shm/edugain_rsa.crt

echo -e "\nFingerprint" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -fingerprint -sha256 && \
echo -e "\nSubject" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -issuer -subject && \
echo "" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -text | grep -A2 Valid

# Same thing with EC
openssl x509 -in edugain_ecc.crt

echo -e "\nFingerprint" && \
openssl x509 -noout -in edugain_ecc.crt -fingerprint -sha256 && \
echo -e "\nSubject" && \
openssl x509 -noout -in edugain_ecc.crt -issuer -subject && \
echo "" && \
openssl x509 -noout -in edugain_ecc.crt -text | grep -A2 Valid

# Show checksum before copy
sha256sum edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key

#Mount and copy
mkfs.ext4 /dev/sdb1
mount /dev/sdb1 /mnt || echo "Fail to mount"
cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files"
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key
umount /mnt || echo "Fail to umount"

# Next USB
#Mount and copy in one step
mkfs.ext4 /dev/sdb1 && \
mount /dev/sdb1 /mnt || echo "Fail to mount"

cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" && \
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key && \
umount /mnt || echo "Fail to umount"

# Next USB
#Mount and copy in one step
mkfs.ext4 /dev/sdb1 && \
mount /dev/sdb1 /mnt || echo "Fail to mount"

cp edugain_rsa.crt edugain_ecc.crt  /mnt || echo "Fail to copy files" && \
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_ecc.crt && \
umount /mnt || echo "Fail to umount"

# Check that /mnt is empty ant nothing got copied here by mistake
ls /mnt


#Boot outside serverhall
#Setup getCode again
alias getCode='/usr/local/keykeeper/bin/getCode.py'

#Move into /dev/shm
cd /dev/shm

# remount usbstick with key on it
mount /dev/sdb1 /mnt || echo "Fail to mount"

# export cleartext into /dev/shm/edugain_rsa.clear to be able to import
getCode |openssl rsa -passin stdin -in /mnt/edugain_rsa.key -out /dev/shm/edugain_rsa.clear

#Import key
/usr/safenet/lunaclient/bin/cmu importkey -in /dev/shm/edugain_rsa.clear -keyalg RSA -setkeyattr CKA_SIGN
#Import cert
/usr/safenet/lunaclient/bin/cmu import -inputFile /mnt/edugain_rsa.crt -label edugain_rsa

# list handles
/usr/safenet/lunaclient/bin/cmu list 


 


Supporting Evidence


  • No labels