Mercurial > hg > freeDiameter
changeset 326:230158150ac9
Added PHPki mods for freeDiameter nodes
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Thu, 27 May 2010 17:15:11 +0900 |
| parents | 5133b45e3305 |
| children | 0f43f42669be |
| files | contrib/phpki-0.82.patch |
| diffstat | 1 files changed, 284 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/phpki-0.82.patch Thu May 27 17:15:11 2010 +0900 @@ -0,0 +1,284 @@ +diff -Nur phpki-0.82/ca/main.php phpki-0.82-fD/ca/main.php +--- phpki-0.82/ca/main.php 2005-11-17 10:17:20.000000000 +0900 ++++ phpki-0.82-fD/ca/main.php 2010-05-27 17:04:44.000000000 +0900 +@@ -36,7 +36,7 @@ + else { + ?> + <font color=#ff0000> +- <h2>There was an error updating the Certificate Revocation List.</h2></font><br> ++ <h2>There was an error updating the Certificate Revocation List.</h2></font><br /> + <blockquote> + <h3>Debug Info:</h3> + <pre><?=$errtxt?></pre> +@@ -53,8 +53,11 @@ + default: + printHeader('ca'); + ?> +- <br> +- <br> ++ <br /> ++ <br /> ++ ++ <center><h3>For <span style="color: #FF0000;">freeDiameter</span> specific instructions, scroll down this page...</h3></center><br /> ++ + <center> + <table class=menu width=600><th class=menu colspan=2><big>CERTIFICATE MANAGEMENT MENU</big></th> + +@@ -89,7 +92,57 @@ + + </table> + </center> +- <br><br> ++ <br /><br /> ++ <center> ++ <table class=menu width=900><th class=menu colspan=2><big>FREEDIAMETER INSTRUCTIONS</big></th> ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Create a new certificate</td> ++ ++ <td>Use the <strong><cite>Create a New Certificate</cite></strong> link in previous table to request a new certificate. Fill the form as follow: ++ <ul> ++ <li><strong>Common Name</strong>: use your new freeDiameter identity (usually the FQDN).</li> ++ <li><strong>E-mail Address</strong>: Provide your address so that you can be contacted in case of inquiry.</li> ++ <li><strong>Organization</strong>: use "freeDiameter testbed" for example.</li> ++ <li><strong>Certificate Password</strong>: Do not loose the password you provide, you'll need it in the next step. <br /> ++ The password must be >= 8 chars.</li> ++ <li>The other fields can be filled at your taste.</li> ++ </ul> ++ Once you have validated, you can check the values, and then proceed to download the new certificate and private key. ++ You will receive a file in PEM format. Let's call this file <em>mycertprotected.pem</em>. ++ It contains: ++ <ul> ++ <li>Your password-protected RSA private key.</li> ++ <li>Your certificate in PEM format.</li> ++ <li>The CA certificate.</li> ++ </ul></td></tr> ++ ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Split the file</td> ++ ++ <td>In order to use the information with freeDiameter daemon, you must transform the data as follow: ++ <ul> ++ <li><strong>Decode the private key</strong>: <br /> ++ <code>openssl rsa -in <em>mycertprotected.pem</em> -out /etc/ssl/private/freeDiameter.key</code><br /> ++ OpenSSL will ask for the password you entered when creating the certificate.</li> ++ <li><strong>Extract your certificate</strong>: <br /> ++ <code>openssl x509 -in <em>mycertprotected.pem</em> > /etc/ssl/certs/freeDiameter.pem</code></li> ++ <li><strong>Get the CA certificate</strong>: <br /> ++ <code>wget --no-check-certificate "$config[base_url]index.php?stage=dl_root" -O /etc/ssl/certs/freeDiameter_testbed_CA.pem</code></li> ++ </ul> ++ Note: for the last step, you could also extract it directly from the PEM file you received.<br /> ++ Note: the CRL is also available from the website, but this feature is not tested yet.</td></tr> ++ ++ <tr><td style="text-align: center; vertical-align: middle; font-weight: bold;"> ++ Configure freeDiameter</td> ++ ++ <td>Here is the configuration related to TLS that you should set in your <em>/etc/freeDiameter/freeDiameter.conf</em> file: ++ <blockquote>TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";<br /> ++TLS_CA = "/etc/ssl/certs/freeDiameter_testbed_CA.pem";</blockquote></td></tr> ++ ++ ++ </table> ++ </center> ++ <br /><br /> + <? + printFooter(); + } +diff -Nur phpki-0.82/ca/request_cert.php phpki-0.82-fD/ca/request_cert.php +--- phpki-0.82/ca/request_cert.php 2007-01-04 14:45:09.000000000 +0900 ++++ phpki-0.82-fD/ca/request_cert.php 2010-05-27 16:59:16.000000000 +0900 +@@ -197,6 +197,7 @@ + + switch($cert_type) { + case 'server': ++ case 'freediameter': + upload(array("$config[private_dir]/$serial-key.pem","$config[new_certs_dir]/$serial.pem",$config['cacert_pem']), "$common_name ($email).pem",'application/pkix-cert'); + break; + case 'email': +@@ -225,7 +226,7 @@ + if (! $email) $email = ""; + if (! $expiry) $expiry = 1; + if (! $keysize) $keysize = 1024; +- if (! $cert_type) $cert_type = 'email'; ++ if (! $cert_type) $cert_type = 'freediameter'; + + printHeader(); + ?> +@@ -302,13 +303,14 @@ + <td>Certificate Use: </td> + <td><select name=cert_type> + <? +- print '<option value="email" '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; +- print '<option value="email_signing" '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; +- print '<option value="server" '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; +- print '<option value="vpn_client" '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; +- print '<option value="vpn_server" '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; +- print '<option value="vpn_client_server" '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; +- print '<option value="time_stamping" '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; ++ print '<option value="email" disabled '.($cert_type=='email'?'selected':'').'>E-mail, SSL Client</option>'; ++ print '<option value="email_signing" disabled '.($cert_type=='email_signing'?'selected':'').'>E-mail, SSL Client, Code Signing</option>'; ++ print '<option value="server" disabled '.($cert_type=='server'?'selected':'').'>SSL Server</option>'; ++ print '<option value="freediameter" '.($cert_type=='freediameter'?'selected':'').'>freeDiameter node</option>'; ++ print '<option value="vpn_client" disabled '.($cert_type=='vpn_client'?'selected':'').'>VPN Client Only</option>'; ++ print '<option value="vpn_server" disabled '.($cert_type=='vpn_server'?'selected':'').'>VPN Server Only</option>'; ++ print '<option value="vpn_client_server" disabled '.($cert_type=='vpn_client_server'?'selected':'').'>VPN Client, VPN Server</option>'; ++ print '<option value="time_stamping" disabled '.($cert_type=='time_stamping'?'selected':'').'>Time Stamping</option>'; + ?> + </select></td> + </tr> +diff -Nur phpki-0.82/include/openssl_functions.php phpki-0.82-fD/include/openssl_functions.php +--- phpki-0.82/include/openssl_functions.php 2007-01-04 15:47:57.000000000 +0900 ++++ phpki-0.82-fD/include/openssl_functions.php 2010-05-27 16:59:57.000000000 +0900 +@@ -69,6 +69,13 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ ++ ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -152,6 +159,24 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = \"PHPki/OpenSSL Generated Secure Certificate for freeDiameter\" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature +diff -Nur phpki-0.82/openssl.cnf phpki-0.82-fD/openssl.cnf +--- phpki-0.82/openssl.cnf 2006-07-23 00:33:34.000000000 +0900 ++++ phpki-0.82-fD/openssl.cnf 2010-05-27 17:00:33.000000000 +0900 +@@ -39,6 +39,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -115,6 +120,23 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = http://www.somewhere.com/phpki/policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ ++ + [ vpn_client_ext ] + basicConstraints = critical, CA:false + keyUsage = critical, digitalSignature +diff -Nur phpki-0.82/setup.php phpki-0.82-fD/setup.php +--- phpki-0.82/setup.php 2007-07-22 23:34:08.000000000 +0900 ++++ phpki-0.82-fD/setup.php 2010-05-27 17:01:41.000000000 +0900 +@@ -339,6 +339,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -418,6 +423,22 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature +diff -Nur phpki-0.82/setup.php-presetup phpki-0.82-fD/setup.php-presetup +--- phpki-0.82/setup.php-presetup 2007-07-22 23:34:08.000000000 +0900 ++++ phpki-0.82-fD/setup.php-presetup 2010-05-27 17:01:41.000000000 +0900 +@@ -339,6 +339,11 @@ + default_days = 365 + policy = policy_supplied + ++[ freediameter_cert ] ++x509_extensions = freediameter_ext ++default_days = 730 ++policy = policy_supplied ++ + [ vpn_cert ] + x509_extensions = vpn_client_server_ext + default_days = 365 +@@ -418,6 +423,22 @@ + nsRevocationUrl = ns_revoke_query.php? + nsCaPolicyUrl = $config[base_url]policy.html + ++[ freediameter_ext ] ++basicConstraints = CA:false ++keyUsage = critical, digitalSignature, keyEncipherment ++extendedKeyUsage = critical, serverAuth, clientAuth ++nsCertType = critical, server, client ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always, issuer:always ++subjectAltName = DNS:$common_name,email:copy ++issuerAltName = issuer:copy ++crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl ++nsComment = "PHPki/OpenSSL Generated Secure Certificate for freeDiameter" ++nsBaseUrl = $config[base_url] ++nsRevocationUrl = ns_revoke_query.php? ++nsCaPolicyUrl = $config[base_url]policy.html ++ ++ + [ time_stamping_ext ] + basicConstraints = CA:false + keyUsage = critical, nonRepudiation, digitalSignature