- Created by Nicole Harris, last modified by Davide Vaghetti on Mar 11, 2022
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 7 Next »
Recording
PlayBook
Key generation command sequence
eduGAIN Key generation commands Expand source
#Check correct date on the box
date
alias getCode='/usr/local/keykeeper/bin/getCode.py'
# Plug in generator
# Start random genrator
rc-service rngd start
ps auxww | grep '[r]ngd'
# Check entropy strength
dd if=/dev/ttyUSB0 bs=4000 count=250 iflag=fullblock | ent
# Enter secure directory. Will be cleaned after reboot.
cd /dev/shm
# Configure teh Yubikey into " Static Password Mode."
# Create a random " Secret Key"
openssl rand -hex 16 | awk '{printf "%s", $1}' > /dev/shm/SecretKey
ls -la /dev/shm/SecretKey
wc -m /dev/shm/SecretKey
# Insert 1 Yubikey
ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL
# Insert 2 Yubikey
ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL
#Remove SecretKey
rm /dev/shm/SecretKey && echo Key removed || echo FAIL
# Create a openssl.conf to get CA flag into cert
cat > openssl.cnf << EOF
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
EOF
# Create RSA key
getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /dev/shm/edugain_rsa.key && echo Key created || echo FAIL
# Create RSA cert-request
getCode | openssl req -new -passin stdin -key /dev/shm/edugain_rsa.key -out edugain_rsa.req -subj "/O=GEANT/CN=eduGAIN RSA Signer CA 2022" && echo Request created || echo FAIL
# Sign RSA Cert
getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_rsa.req -signkey /dev/shm/edugain_rsa.key -out edugain_rsa.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL
# Create EC key
getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm ed25519 -out /dev/shm/edugain_ecc.key && echo Key created || echo FAIL
# Create EC cert-request
getCode | openssl req -new -passin stdin -key /dev/shm/edugain_ecc.key -out edugain_ecc.req -subj "/O=GEANT/CN=eduGAIN ECC Signer CA 2022" && echo Request created || echo FAIL
# Create EC cert-request
getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_ecc.req -signkey /dev/shm/edugain_ecc.key -out edugain_ecc.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL
# Verify Keys / Certs
openssl x509 -noout -modulus -in /dev/shm/edugain_rsa.crt | openssl sha256
getCode | openssl rsa -passin stdin -noout -modulus -in /dev/shm/edugain_rsa.key | openssl sha256
openssl x509 -noout -text -in /dev/shm/edugain_ecc.crt | egrep -A 4 "ED25519 Public-Key" | sed 's/^ *//g'
getCode | openssl pkey -passin stdin -noout -in /dev/shm/edugain_ecc.key -text_pub | sed 's/^ *//g'
# Show that the Keys are encrypted
grep -- "-" *.key
#Show RSA cert
openssl x509 -in /dev/shm/edugain_rsa.crt
echo -e "\nFingerprint" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -fingerprint -sha256 && \
echo -e "\nSubject" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -issuer -subject && \
echo "" && \
openssl x509 -noout -in /dev/shm/edugain_rsa.crt -text | grep -A2 Valid
# Same thing with EC
openssl x509 -in edugain_ecc.crt
echo -e "\nFingerprint" && \
openssl x509 -noout -in edugain_ecc.crt -fingerprint -sha256 && \
echo -e "\nSubject" && \
openssl x509 -noout -in edugain_ecc.crt -issuer -subject && \
echo "" && \
openssl x509 -noout -in edugain_ecc.crt -text | grep -A2 Valid
# Show checksum before copy
sha256sum edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key
#Mount and copy
mkfs.ext4 /dev/sdb1
mount /dev/sdb1 /mnt || echo "Fail to mount"
cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files"
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key
umount /mnt || echo "Fail to umount"
# Next USB
#Mount and copy in one step
mkfs.ext4 /dev/sdb1 && \
mount /dev/sdb1 /mnt || echo "Fail to mount"
cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" && \
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key && \
umount /mnt || echo "Fail to umount"
# Next USB
#Mount and copy in one step
mkfs.ext4 /dev/sdb1 && \
mount /dev/sdb1 /mnt || echo "Fail to mount"
cp edugain_rsa.crt edugain_ecc.crt /mnt || echo "Fail to copy files" && \
sha256sum /mnt/edugain_rsa.crt /mnt/edugain_ecc.crt && \
umount /mnt || echo "Fail to umount"
# Check that /mnt is empty ant nothing got copied here by mistake
ls /mnt
#Boot outside serverhall
#Setup getCode again
alias getCode='/usr/local/keykeeper/bin/getCode.py'
#Move into /dev/shm
cd /dev/shm
# remount usbstick with key on it
mount /dev/sdb1 /mnt || echo "Fail to mount"
# export cleartext into /dev/shm/edugain_rsa.clear to be able to import
getCode |openssl rsa -passin stdin -in /mnt/edugain_rsa.key -out /dev/shm/edugain_rsa.clear
#Import key
/usr/safenet/lunaclient/bin/cmu importkey -in /dev/shm/edugain_rsa.clear -keyalg RSA -setkeyattr CKA_SIGN
#Import cert
/usr/safenet/lunaclient/bin/cmu import -inputFile /mnt/edugain_rsa.crt -label edugain_rsa
# list handles
/usr/safenet/lunaclient/bin/cmu list
Supporting Evidence
- No labels