Sutty Certificate Authority

The Sutty CA is meant for development environments!

.gitignore

@@ -0,0 +1,2 @@
+*.key
+*.csr

LICENSE

@@ -0,0 +1,168 @@
+Copyright (c) 2020 Sutty
+
+The following license is modified from the MIT license and downloaded
+from <https://github.com/Laurelai/anti-fascist-mit-license> on
+2019-07-11.
+
+Anti-Fascist MIT License:
+
+The following conditions must be met by any person obtaining a copy of
+this software:
+
+- You MAY NOT be a fascist.
+- You MUST not financially support fascists.
+- You MUST not intentionally provide or knowingly provide through
+  inaction a platform for fascists to spread propaganda or organize.
+- You MUST not publicly voice support for fascists.
+- You MAY NOT be a member of any fascist organization, even if you are a
+  member to infiltrate for anti-fascist purposes.
+
+"Fascist" can be understood as any group or individual who promotes the
+political ideology of fascism.
+
+"Fascism" can be broken down into 11 ideological features as well as 8
+tactics that can form a fascist system in varying combinations, for the
+sake of simplicity and brevity the individual or organization in
+question must match to at least 5 features or tactics or a combination
+of the two determined by the individual licencer.
+
+Said licencer may provide a list if an individual or group matches to at
+least 5 features upon request from the individual or group in question.
+
+The ideological features are listed below.
+
+1. Hyper-nationalism.
+
+As defined as "The belief in the superiority of one's nation and of the
+paramount importance of advancing it."
+
+2. Militarism.
+
+As defined as "Advocating for an increase in military forces beyond what
+the real defense of a nation needs, more influence of the military upon
+the policies of the civilian government, and a preference for force as a
+solution over diplomacy for problems."
+
+3. Glorification of violence and readiness to use it in politics.
+
+As defined as "The belief that violence can be used to cleanse a
+tarnished nation, also by using violence to harm, intimidate or kill
+political oppoenents."
+
+4. Fetishization of youth.
+
+As defined as "Extolling the virtues of youth and making a special
+appeal to young people to join a cause or organization"
+
+5. Fetishization of masculinity.
+
+As defined as "Extolling the virtues of male authority or patriarchy and
+making a special appeal to men to be leaders of households and groups"
+
+6. Leader cult.
+
+As defined as "Creating an idealized, heroic, and worshipful image of a
+leader, often through unquestioning flattery and praise."
+
+7. Lost-golden-age syndrome.
+
+As defined as "Creating or promoting the idea that a nation had a lost
+or stolen golden age in the past that must be returned to"
+
+8. Self-definition by opposition.
+
+As defined as "Creating or promoting the idea that the group or
+individual is the only person or way who can fight real or imagined
+evils within a society."
+
+9. Mass mobilization and mass party.
+
+As defined as "Creating or promoting the creation of a populist group or
+party for the advancment of fascist tactics or features."
+
+10. Hierarchical party structure and tendency to purge the disloyal.
+
+As defined as "Removal of membership from a group for lacking absolute
+loyalty or lacking further usefulness to the group. Also having a
+hierarchical structure within the group itself."
+
+11. Theatricality.
+
+As defined as "Using spectacle to gain and keep the attention of those
+inside and outside of the group using speeches full of absolutes and or
+superlatives. Elaborate collective rituals (rallies) meant to reenforce
+loyalty within the group."
+
+Fascist tactics include
+
+1) Persecution of national minorities.
+2) Persecution of racial minorities.
+3) Persecution of religious minorities (Anti-Semitism, Islamophobia and others).
+4) Promotion of a type of national purity.
+5) Promotion of a state run by ideologically oriented corporate bodies.
+6) Persecution of gender or sexual minorities.
+7) Persecution of the disabled.
+8) Formation of extra-legal forces (brownshirts) to defend fascist values.
+
+Special criteria: Meeting only one point of the special criteria is
+enough to consider someone or a group to be fascist for the purposes of
+this licence.
+
+1. Promotion of any theories that state members of the jewish ethnicity
+   or faith control or largely control the world, finance, or other
+   global major power system.
+
+2. Denial of the holocaust or any other historically proven genocide.
+
+3. Promotion of ethnostates.
+
+4. Advocating for eugenics. Either positive or negative eugenics.
+   Promotion for the rights of abortion are not considered eugenics.
+
+5. Advocating for the removal of rights or legal protections from a
+   class or group of people.
+
+Former fascists: People or organizations who used to promote the
+political ideology of fascism but no longer do so must meet the
+following criterea to be able to use this software.
+
+1. Publicly disavow past fascist deeds and ideologies.
+
+2. Expose any and all known fascists former allies to the public.
+
+   A suggested route would be through the one peoples project
+   (onepeoplesproject.com).  If they can confirm you have done so that
+   will count as meeting condition two.
+
+3. Publicly destroy any and all fascist paraphenelia you have in your
+   posession including removal of tattoos and body markings
+   affiliated with fascist groups or gangs.
+
+ANTI-FASCIST-MIT LICENSE:
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+The above licence agreement conditions are met in full.
+
+The Anti-Fascist MIT License may only be used under the terms of the
+Anti-Fascist MIT License.
+
+Any modified versions of this software must also include the
+Anti-Fascist MIT Licence.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Makefile

@@ -0,0 +1,55 @@
+# Especify the domain here or as an argument
+domain ?= sutty.local
+serial ?= $(shell date +%s)
+
+# Never remove private keys!
+.PRECIOUS: %.key
+
+.DEFAULT_GOAL := all
+
+ca_key ?= ca/key.key
+ca_crt ?= ca/crt.crt
+ca_tpl ?= templates/ca.tpl
+
+domain_key ?= domain/$(domain).key
+domain_csr ?= domain/$(domain).csr
+domain_crt ?= domain/$(domain).crt
+domain_tpl ?= templates/domain.tpl
+
+# Make variables available to templates
+export
+
+# Render templates
+templates/%.tpl: templates/%.tpl.in
+	envsubst < $< > $@
+
+# Generate private keys
+%.key:
+	mkdir -p $(dir $@)
+	certtool --generate-privkey --ask-pass --sec-param medium --outfile $@
+	chmod 600 $@
+
+# Generates a self-signed key for the CA
+$(ca_crt): $(ca_key)
+	certtool --generate-self-signed \
+	         --load-privkey $< \
+	         --template $(ca_tpl) \
+	         --outfile $@
+
+# Generates a certificate signing request
+domain/%.csr: $(domain_tpl)
+	certtool --generate-request --load-privkey $(domain_key) --outfile $@ --template $<
+
+# Generates a site certificate
+domain/%.crt:
+	certtool --generate-certificate --load-request $(domain_csr) \
+	         --load-ca-certificate $(ca_crt) \
+	         --load-ca-privkey $(ca_key) \
+	         --template $(domain_tpl) \
+	         --outfile $@
+
+ca: $(ca_key) $(ca_crt) ## Generate the CA keypair
+install-ca: $(ca_crt)   ## Install the CA on system
+	sudo trust anchor $<
+all: ca install-ca      ## Generate and install
+domain: $(domain_key) $(domain_csr) $(domain_crt) ## Issue a site certificate

README.md

@@ -0,0 +1,71 @@
+# Sutty Certificate Authority
+
+The Sutty CA generates a certificate we can trust in our development
+environment and use to work with all the nic
+
+## Usage
+
+Install `certtools`, it comes with GnuTLS (the package is called
+`gnutls-tools` or something like in _certain_ distributions).
+
+Generate and install the CA:
+
+```bash
+make all
+```
+
+Generate a certificate for each site.  We use domains in the `.local`
+domain, but it could be anything:
+
+```bash
+make domain domain=sutty.local
+```
+
+Then install the generated private key and certificate into your
+project, for instance:
+
+```bash
+# For the platform
+cp domain/sutty.local.* ../sutty/config/
+cd ../sutty
+rails s -b "ssl://localhost:3000?key=sutty/config/sutty.local.key&cert=sutty/config/sutty.local.crt"
+
+# For static websites
+cp domain/sutty.local.* ../sutty.nl/
+nghttpd -d _site 8080 sutty.local.{key,crt}
+```
+
+### DNS resolver
+
+You'll probably need to add the fake domains in your `/etc/hosts`, or
+even run your local DNS resolver that redirects all .local to localhost!
+
+```bash
+# This method doesn't required anything extra but it doesn't support
+# wildcard certificates so you need to run it once per domain
+echo "127.0.0.1 sutty.local" | sudo tee -a /etc/hosts
+```
+
+This method requires a few extra steps but it works automatically
+afterwards:
+
+* Install `dnsmasq`
+
+* Add the configuration option `address=/local/127.0.0.1` to
+  `/etc/dnsmasq.conf` or run the program with the
+  `--address=/local/127.0.0.1` flag.
+
+* Add a new DNS server on top of your regular DNS resolvers in your
+  network manager or directly into `/etc/resolv.conf`.
+
+## How can this work
+
+A certificate authority is a certificate that is trusted by the local
+system.  Any certificate signed (trusted) by this certificate is
+automatically trusted.
+
+Handle with care!  You can even issue certificates for sites in the
+Internet! ;)
+
+For more info, please refer to the
+[documentation](https://help.ubuntu.com/community/GnuTLS).

templates/ca.tpl

@@ -0,0 +1,33 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Sutty"
+
+# The organizational unit of the subject.
+#unit = "sleeping dept."
+
+# The state of the certificate owner.
+state = "Cyberspace"
+
+# The country of the subject. Two letter code.
+country = IN
+
+# The common name of the certificate owner.
+cn = "Sutty Local CA"
+
+# The serial number of the certificate. Should be incremented each time a new certificate is generated.
+serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 3650
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+crl_signing_key

templates/domain.tpl.in

@@ -0,0 +1,45 @@
+
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Sutty"
+
+# The organizational unit of the subject.
+#unit = "sleeping dept."
+
+# The state of the certificate owner.
+state = "Cyberspace"
+
+# The country of the subject. Two letter code.
+country = IN
+
+# The common name of the certificate owner.
+cn = "Sutty"
+
+# A user id of the certificate owner.
+#uid = "scertowner"
+
+# The serial number of the certificate. Should be incremented each time a new certificate is generated.
+serial = ${serial}
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 365
+
+# X.509 v3 extensions
+
+# DNS name(s) of the server
+dns_name = "${domain}"
+dns_name = "*.${domain}"
+
+# (Optional) Server IP address
+#ip_address = "192.168.1.1"
+
+# Whether this certificate will be used for a TLS server
+tls_www_server
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+encryption_key