Re: [PATCH 7/9] osu: Create keys for osu-signup web server too.

On Fri, Feb 07, 2020 at 01:10:15AM -0800, greearb@xxxxxxxxxxxxxxx wrote:
> diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
> @@ -21,6 +21,7 @@ OCSP_URI="http://$CNO:8888/";
> +DAYS=7300
> @@ -141,7 +144,7 @@ echo
> -$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
> +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days $DAYS -extensions v3_OCSP || fail "Could not generate ocsp.pem"
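Review bot: the removed line in this hunk used `-days 730`, not 7300, so replacing it with `-days $DAYS` while `DAYS=7300` extends the OCSP responder certificate's validity from two years to twenty; that is a behaviour change rather than a cleanup. Either keep the responder on its own value (e.g. `OCSP_DAYS=730`) or state the new lifetime explicitly in the commit message.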

This change of replacing hardcoded 7300 with $DAYS in existing commands
should be in its own separate patch to make this easier to read for the
new functionality.

> @@ -180,12 +183,35 @@ ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
>  cat my-openssl.cnf |
>  	sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
>  	sed "s/^##organizationalUnitName/organizationalUnitName/" |
> -	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
> +	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Server/" |
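Review bot: the OU default for the existing OSU server certificate is renamed from "Hotspot 2.0 Online Sign Up Server" to "Hotspot 2.0 Online Server" with no explanation, while the new signup server block added later in this patch reuses the original "Online Sign Up Server" string, so the two certificates effectively trade names. If the rename is meant to tell the two certificates apart, say so in the commit message; otherwise leave the existing OU string untouched.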

Why?

> +#dump logotype details for debugging
> +$OPENSSL x509 -in server.pem -out server.der -outform DER
> +openssl asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
> +openssl asn1parse -in logo.der -inform DER > logo.asn1
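Review bot: the two `asn1parse` lines call a bare `openssl` instead of the `$OPENSSL` variable used by every other command in this script, so they may run a different binary from the one that produced server.der; they also lack the `|| fail` guard the surrounding commands carry, and `grep HEX | tail -1` silently assumes the logotype extension is the last hex-encoded value in the certificate. Use `$OPENSSL`, add the guard, and record that assumption in the comment.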

This belongs in another patch since it has nothing to do with the main
topic here..

> +echo
> +echo "---[ Signup Server ]-----------------------------------------------------------"
> +echo
> +
> +ALT="DNS:$OSU_SIGNUP_SERVER_HOSTNAME"
> +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
> +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
> +
> +cat my-openssl.cnf |
> +	sed "s/#@CN@/commonName_default = $OSU_SIGNUP_SERVER_HOSTNAME/" |
> +	sed "s/^##organizationalUnitName/organizationalUnitName/" |
> +	sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
> +	sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
> +	> openssl.cnf.tmp
> +echo $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server
> +$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server || fail "Failed to generate signup server request"
> +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in signup-server.csr -out signup-server.pem -key $PASS -days $DAYS -extensions ext_server -policy policy_osu_server || fail "Failed to sign signup server certificate"
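Review bot: the `echo $OPENSSL req ...` line immediately before the real `req` invocation looks like leftover debugging output and should be dropped. The ALT construction and sed pipeline here duplicate the OSU server section partially visible in the previous hunk with only the hostname, OU string and output prefix changed, so a small shell function taking those three values would keep the two copies from drifting apart. Note also that `-days $DAYS` gives this end-entity server certificate the same 7300-day lifetime the patch sets for the OCSP responder certificate.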

What is the purpose of creating yet another server certificate? This
does not sound like something that an operator would do (pay a CA
for..). The same OSU server certificate would be expected to be used
both on the AAA server for OSEN and the OSU server.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
