From b206bc5883dfaf11df8677aa55de6958ff506751 Mon Sep 17 00:00:00 2001
From: f
Date: Fri, 31 Jan 2020 21:53:14 -0300
Subject: [PATCH] Sutty Certificate Authority

The Sutty CA is meant for development environments!
---
 .gitignore | 2 +
 LICENSE | 168 ++++++++++++++++++++++++++++++++++++++++
 Makefile | 55 +++++++++++++
 README.md | 71 +++++++++++++++++
 templates/ca.tpl | 33 ++++++++
 templates/domain.tpl.in | 45 +++++++++++
 6 files changed, 374 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 templates/ca.tpl
 create mode 100644 templates/domain.tpl.in

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..868f023
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.key
+*.csr
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d840e5e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,168 @@
+Copyright (c) 2020 Sutty
+
+The following license is modified from the MIT license and downloaded
+from on
+2019-07-11.
+
+Anti-Fascist MIT License:
+
+The following conditions must be met by any person obtaining a copy of
+this software:
+
+- You MAY NOT be a fascist.
+- You MUST not financially support fascists.
+- You MUST not intentionally provide or knowingly provide through
+ inaction a platform for fascists to spread propaganda or organize.
+- You MUST not publicly voice support for fascists.
+- You MAY NOT be a member of any fascist organization, even if you are a
+ member to infiltrate for anti-fascist purposes.
+
+"Fascist" can be understood as any group or individual who promotes the
+political ideology of fascism.
+
+"Fascism" can be broken down into 11 ideological features as well as 8
+tactics that can form a fascist system in varying combinations, for the
+sake of simplicity and brevity the individual or organization in
+question must match to at least 5 features or tactics or a combination
+of the two determined by the individual licencer.
+
+Said licencer may provide a list if an individual or group matches to at
+least 5 features upon request from the individual or group in question.
+
+The ideological features are listed below.
+
+1. Hyper-nationalism.
+
+As defined as "The belief in the superiority of one's nation and of the
+paramount importance of advancing it."
+
+2. Militarism.
+
+As defined as "Advocating for an increase in military forces beyond what
+the real defense of a nation needs, more influence of the military upon
+the policies of the civilian government, and a preference for force as a
+solution over diplomacy for problems."
+
+3. Glorification of violence and readiness to use it in politics.
+
+As defined as "The belief that violence can be used to cleanse a
+tarnished nation, also by using violence to harm, intimidate or kill
+political oppoenents."
+
+4. Fetishization of youth.
+
+As defined as "Extolling the virtues of youth and making a special
+appeal to young people to join a cause or organization"
+
+5. Fetishization of masculinity.
+
+As defined as "Extolling the virtues of male authority or patriarchy and
+making a special appeal to men to be leaders of households and groups"
+
+6. Leader cult.
+
+As defined as "Creating an idealized, heroic, and worshipful image of a
+leader, often through unquestioning flattery and praise."
+
+7. Lost-golden-age syndrome.
+
+As defined as "Creating or promoting the idea that a nation had a lost
+or stolen golden age in the past that must be returned to"
+
+8. Self-definition by opposition.
+
+As defined as "Creating or promoting the idea that the group or
+individual is the only person or way who can fight real or imagined
+evils within a society."
+
+9. Mass mobilization and mass party.
+
+As defined as "Creating or promoting the creation of a populist group or
+party for the advancment of fascist tactics or features."
+
+10. Hierarchical party structure and tendency to purge the disloyal.
+
+As defined as "Removal of membership from a group for lacking absolute
+loyalty or lacking further usefulness to the group. Also having a
+hierarchical structure within the group itself."
+
+11. Theatricality.
+
+As defined as "Using spectacle to gain and keep the attention of those
+inside and outside of the group using speeches full of absolutes and or
+superlatives. Elaborate collective rituals (rallies) meant to reenforce
+loyalty within the group."
+
+Fascist tactics include
+
+1) Persecution of national minorities.
+2) Persecution of racial minorities.
+3) Persecution of religious minorities (Anti-Semitism, Islamophobia and others).
+4) Promotion of a type of national purity.
+5) Promotion of a state run by ideologically oriented corporate bodies.
+6) Persecution of gender or sexual minorities.
+7) Persecution of the disabled.
+8) Formation of extra-legal forces (brownshirts) to defend fascist values.
+
+Special criteria: Meeting only one point of the special criteria is
+enough to consider someone or a group to be fascist for the purposes of
+this licence.
+
+1. Promotion of any theories that state members of the jewish ethnicity
+ or faith control or largely control the world, finance, or other
+ global major power system.
+
+2. Denial of the holocaust or any other historically proven genocide.
+
+3. Promotion of ethnostates.
+
+4. Advocating for eugenics. Either positive or negative eugenics.
+ Promotion for the rights of abortion are not considered eugenics.
+
+5. Advocating for the removal of rights or legal protections from a
+ class or group of people.
+
+Former fascists: People or organizations who used to promote the
+political ideology of fascism but no longer do so must meet the
+following criterea to be able to use this software.
+
+1. Publicly disavow past fascist deeds and ideologies.
+
+2. Expose any and all known fascists former allies to the public.
+
+ A suggested route would be through the one peoples project
+ (onepeoplesproject.com). If they can confirm you have done so that
+ will count as meeting condition two.
+
+3. Publicly destroy any and all fascist paraphenelia you have in your
+ posession including removal of tattoos and body markings
+ affiliated with fascist groups or gangs.
+
+ANTI-FASCIST-MIT LICENSE:
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+The above licence agreement conditions are met in full.
+
+The Anti-Fascist MIT License may only be used under the terms of the
+Anti-Fascist MIT License.
+
+Any modified versions of this software must also include the
+Anti-Fascist MIT Licence.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..2a3a321
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,55 @@
+# Especify the domain here or as an argument
+domain ?= sutty.local
+serial ?= $(shell date +%s)
+
+# Never remove private keys!
+.PRECIOUS: %.key
+
+.DEFAULT_GOAL := all
+
+ca_key ?= ca/key.key
+ca_crt ?= ca/crt.crt
+ca_tpl ?= templates/ca.tpl
+
+domain_key ?= domain/$(domain).key
+domain_csr ?= domain/$(domain).csr
+domain_crt ?= domain/$(domain).crt
+domain_tpl ?= templates/domain.tpl
+
+# Make variables available to templates
+export
+
+# Render templates
+templates/%.tpl: templates/%.tpl.in
+	envsubst < $< > $@
+
+# Generate private keys
+%.key:
+	mkdir -p $(dir $@)
+	certtool --generate-privkey --ask-pass --sec-param medium --outfile $@
+	chmod 600 $@
+
+# Generates a self-signed key for the CA
+$(ca_crt): $(ca_key)
+	certtool --generate-self-signed \
+		--load-privkey $< \
+		--template $(ca_tpl) \
+		--outfile $@
+
+# Generates a certificate signing request
+domain/%.csr: $(domain_tpl)
+	certtool --generate-request --load-privkey $(domain_key) --outfile $@ --template $<
+
+# Generates a site certificate
+domain/%.crt:
+	certtool --generate-certificate --load-request $(domain_csr) \
+		--load-ca-certificate $(ca_crt) \
+		--load-ca-privkey $(ca_key) \
+		--template $(domain_tpl) \
+		--outfile $@
+
+ca: $(ca_key) $(ca_crt) ## Generate the CA keypair
+install-ca: $(ca_crt) ## Install the CA on system
+	sudo trust anchor $<
+all: ca install-ca ## Generate and install
+domain: $(domain_key) $(domain_csr) $(domain_crt) ## Issue a site certificate
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6e9d1a8
--- /dev/null
+++ b/README.md
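Review bot: In the `%.key` recipe the private key file is written by certtool before `chmod 600` runs, so for a moment it exists with whatever the caller's umask allows; generate it under a restricted umask instead, `umask 077; certtool --generate-privkey --ask-pass --sec-param medium --outfile $@`, and keep the chmod as a safety net. The `domain/%.csr` and `domain/%.crt` rules also declare none of the files their recipes read (`$(domain_key)`, `$(domain_csr)`, `$(ca_crt)`, `$(ca_key)`) as prerequisites, so they only work through the ordering of the `domain` target and would fail or race under `make -j` or when a `.crt` is requested directly; `domain/%.csr: $(domain_tpl) domain/%.key` and `domain/%.crt: domain/%.csr $(ca_crt) $(ca_key) $(domain_tpl)` state the real dependencies while keeping `$<` as the template in the CSR rule. A smaller point: the comment above `$(ca_crt)` says it generates a self-signed key, but the recipe produces the self-signed CA certificate.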
@@ -0,0 +1,71 @@
+# Sutty Certificate Authority
+
+The Sutty CA generates a certificate we can trust in our development
+environment and use to work with all the nic
+
+## Usage
+
+Install `certtools`, it comes with GnuTLS (the package is called
+`gnutls-tools` or something like in _certain_ distributions).
+
+Generate and install the CA:
+
+```bash
+make all
+```
+
+Generate a certificate for each site. We use domains in the `.local`
+domain, but it could be anything:
+
+```bash
+make domain domain=sutty.local
+```
+
+Then install the generated private key and certificate into your
+project, for instance:
+
+```bash
+# For the platform
+cp domain/sutty.local.* ../sutty/config/
+cd ../sutty
+rails s -b "ssl://localhost:3000?key=sutty/config/sutty.local.key&cert=sutty/config/sutty.local.crt"
+
+# For static websites
+cp domain/sutty.local.* ../sutty.nl/
+nghttpd -d _site 8080 sutty.local.{key,crt}
+```
+
+### DNS resolver
+
+You'll probably need to add the fake domains in your `/etc/hosts`, or
+even run your local DNS resolver that redirects all .local to localhost!
+
+```bash
+# This method doesn't required anything extra but it doesn't support
+# wildcard certificates so you need to run it once per domain
+echo "127.0.0.1 sutty.local" | sudo tee -a /etc/hosts
+```
+
+This method requires a few extra steps but it works automatically
+afterwards:
+
+* Install `dnsmasq`
+
+* Add the configuration option `address=/local/127.0.0.1` to
+ `/etc/dnsmasq.conf` or run the program with the
+ `--address=/local/127.0.0.1` flag.
+
+* Add a new DNS server on top of your regular DNS resolvers in your
+ network manager or directly into `/etc/resolv.conf`.
+
+## How can this work
+
+A certificate authority is a certificate that is trusted by the local
+system. Any certificate signed (trusted) by this certificate is
+automatically trusted.
+
+Handle with care! You can even issue certificates for sites in the
+Internet! ;)
+
+For more info, please refer to the
+[documentation](https://help.ubuntu.com/community/GnuTLS).
diff --git a/templates/ca.tpl b/templates/ca.tpl
new file mode 100644
index 0000000..287a158
--- /dev/null
+++ b/templates/ca.tpl
@@ -0,0 +1,33 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Sutty"
+
+# The organizational unit of the subject.
+#unit = "sleeping dept."
+
+# The state of the certificate owner.
+state = "Cyberspace"
+
+# The country of the subject. Two letter code.
+country = IN
+
+# The common name of the certificate owner.
+cn = "Sutty Local CA"
+
+# The serial number of the certificate. Should be incremented each time a new certificate is generated.
+serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 3650
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+crl_signing_key
diff --git a/templates/domain.tpl.in b/templates/domain.tpl.in
new file mode 100644
index 0000000..0a10675
--- /dev/null
+++ b/templates/domain.tpl.in
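Review bot: This CA certificate is unconstrained — `ca` and `cert_signing_key` with no path-length or name constraints and a 3650-day lifetime — and the Makefile installs it as a system trust anchor, so anything signed with the CA key is trusted for any hostname by every TLS client on that machine, which the README itself points out. For a development CA it is worth limiting the blast radius in the template: `path_len = 0` stops it from issuing intermediate CAs, and a DNS name constraint such as `nc_permit_dns = local` scopes it to the development domains the README describes (confirm both keys against the certtool version in use; most current TLS clients honor DNS name constraints). It would also help to state in the header comment that this template is rendered once for the self-signed CA rather than per site, since the fixed `serial = 007` is only appropriate for a single issuance.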
@@ -0,0 +1,45 @@
+
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Sutty"
+
+# The organizational unit of the subject.
+#unit = "sleeping dept."
+
+# The state of the certificate owner.
+state = "Cyberspace"
+
+# The country of the subject. Two letter code.
+country = IN
+
+# The common name of the certificate owner.
+cn = "Sutty"
+
+# A user id of the certificate owner.
+#uid = "scertowner"
+
+# The serial number of the certificate. Should be incremented each time a new certificate is generated.
+serial = ${serial}
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 365
+
+# X.509 v3 extensions
+
+# DNS name(s) of the server
+dns_name = "${domain}"
+dns_name = "*.${domain}"
+
+# (Optional) Server IP address
+#ip_address = "192.168.1.1"
+
+# Whether this certificate will be used for a TLS server
+tls_www_server
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+encryption_key
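Review bot: The key-usage section at the end of the template sets only `encryption_key` (keyEncipherment) and no `signing_key` (digitalSignature), yet a TLS server using (EC)DHE cipher suites or TLS 1.3 signs the handshake with this key; clients that enforce the keyUsage extension may then refuse the certificate or fall back to RSA key-exchange suites only. Add `signing_key` directly under `encryption_key`, and extend the comment above them, which currently explains only the RSA key-exchange case. Separately, `serial = ${serial}` is filled from the Makefile's `date +%s`, so two `make domain` runs within the same second would issue two certificates with the same serial under one CA, which RFC 5280 forbids; a comment on that line noting the one-issuance-per-second assumption would save someone a confusing debugging session.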