mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 16:58:41 -05:00
93c2e60b36
This gives more flexibility when generating keys so that users do not have to edit files to generate their own specific keys. Update HS 2.0 OSU server notes as well. Signed-off-by: Ben Greear <greearb@candelatech.com>
201 lines
5.3 KiB
INI
201 lines
5.3 KiB
INI
# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
|
|
|
|
HOME = .
|
|
RANDFILE = $ENV::HOME/.rnd
|
|
oid_section = new_oids
|
|
|
|
[ new_oids ]
|
|
|
|
#logotypeoid=1.3.6.1.5.5.7.1.12
|
|
|
|
####################################################################
|
|
[ ca ]
|
|
default_ca = CA_default # The default ca section
|
|
|
|
####################################################################
|
|
[ CA_default ]
|
|
|
|
dir = ./demoCA # Where everything is kept
|
|
certs = $dir/certs # Where the issued certs are kept
|
|
crl_dir = $dir/crl # Where the issued crl are kept
|
|
database = $dir/index.txt # database index file.
|
|
#unique_subject = no # Set to 'no' to allow creation of
|
|
# several certificates with same subject
|
|
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
|
|
certificate = $dir/cacert.pem # The CA certificate
|
|
serial = $dir/serial # The current serial number
|
|
crlnumber = $dir/crlnumber # the current crl number
|
|
# must be commented out to leave a V1 CRL
|
|
crl = $dir/crl.pem # The current CRL
|
|
private_key = $dir/private/cakey.pem# The private key
|
|
RANDFILE = $dir/private/.rand # private random number file
|
|
|
|
x509_extensions = ext_client # The extentions to add to the cert
|
|
|
|
name_opt = ca_default # Subject Name options
|
|
cert_opt = ca_default # Certificate field options
|
|
|
|
# Extension copying option: use with caution.
|
|
copy_extensions = copy
|
|
|
|
default_days = 365 # how long to certify for
|
|
default_crl_days= 30 # how long before next CRL
|
|
default_md = default # use public key default MD
|
|
preserve = no # keep passed DN ordering
|
|
|
|
policy = policy_match
|
|
|
|
# For the CA policy
|
|
[ policy_match ]
|
|
countryName = supplied
|
|
stateOrProvinceName = optional
|
|
organizationName = supplied
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[ policy_osu_server ]
|
|
countryName = match
|
|
stateOrProvinceName = optional
|
|
organizationName = match
|
|
organizationalUnitName = supplied
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[ policy_anything ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
####################################################################
|
|
[ req ]
|
|
default_bits = 2048
|
|
default_keyfile = privkey.pem
|
|
distinguished_name = req_distinguished_name
|
|
attributes = req_attributes
|
|
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
|
|
|
input_password = @PASSWORD@
|
|
output_password = @PASSWORD@
|
|
|
|
string_mask = utf8only
|
|
|
|
[ req_distinguished_name ]
|
|
countryName = Country Name (2 letter code)
|
|
countryName_default = FI
|
|
countryName_min = 2
|
|
countryName_max = 2
|
|
|
|
localityName = Locality Name (eg, city)
|
|
localityName_default = Tuusula
|
|
|
|
0.organizationName = Organization Name (eg, company)
|
|
0.organizationName_default = @DOMAIN@
|
|
|
|
##organizationalUnitName = Organizational Unit Name (eg, section)
|
|
#organizationalUnitName_default =
|
|
#@OU@
|
|
|
|
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
#@CN@
|
|
commonName_max = 64
|
|
|
|
emailAddress = Email Address
|
|
emailAddress_max = 64
|
|
|
|
[ req_attributes ]
|
|
|
|
[ v3_ca ]
|
|
|
|
# Hotspot 2.0 PKI requirements
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always,issuer
|
|
basicConstraints = critical, CA:true, pathlen:0
|
|
keyUsage = critical, cRLSign, keyCertSign
|
|
authorityInfoAccess = OCSP;URI:@OCSP_URI@
|
|
# For SP intermediate CA
|
|
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
|
|
#nameConstraints=permitted;DNS:.@DOMAIN@
|
|
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
|
|
|
|
[ v3_osu_server ]
|
|
|
|
basicConstraints = critical, CA:true, pathlen:0
|
|
keyUsage = critical, keyEncipherment
|
|
#@ALTNAME@
|
|
|
|
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
|
|
1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
|
|
[LogotypeExtn]
|
|
communityLogos=EXP:0,SEQUENCE:LogotypeInfo
|
|
[LogotypeInfo]
|
|
# note: implicit tag converted to explicit for CHOICE
|
|
direct=EXP:0,SEQUENCE:LogotypeData
|
|
[LogotypeData]
|
|
image=SEQUENCE:LogotypeImage
|
|
[LogotypeImage]
|
|
imageDetails=SEQUENCE:LogotypeDetails
|
|
imageInfo=SEQUENCE:LogotypeImageInfo
|
|
[LogotypeDetails]
|
|
mediaType=IA5STRING:image/png
|
|
logotypeHash=SEQUENCE:HashAlgAndValues
|
|
logotypeURI=SEQUENCE:URI
|
|
[HashAlgAndValues]
|
|
value1=SEQUENCE:HashAlgAndValueSHA256
|
|
#value2=SEQUENCE:HashAlgAndValueSHA1
|
|
[HashAlgAndValueSHA256]
|
|
hashAlg=SEQUENCE:sha256_alg
|
|
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
|
|
[HashAlgAndValueSHA1]
|
|
hashAlg=SEQUENCE:sha1_alg
|
|
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
|
|
[sha256_alg]
|
|
algorithm=OID:sha256
|
|
[sha1_alg]
|
|
algorithm=OID:sha1
|
|
[URI]
|
|
uri=IA5STRING:@LOGO_URI@
|
|
[LogotypeImageInfo]
|
|
# default value color(1), component optional
|
|
#type=IMP:0,INTEGER:1
|
|
fileSize=INTEGER:7549
|
|
xSize=INTEGER:128
|
|
ySize=INTEGER:80
|
|
language=IMP:4,IA5STRING:zxx
|
|
|
|
[ crl_ext ]
|
|
|
|
# issuerAltName=issuer:copy
|
|
authorityKeyIdentifier=keyid:always
|
|
|
|
[ v3_OCSP ]
|
|
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
extendedKeyUsage = OCSPSigning
|
|
|
|
[ ext_client ]
|
|
|
|
basicConstraints=CA:FALSE
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
authorityInfoAccess = OCSP;URI:@OCSP_URI@
|
|
#@ALTNAME@
|
|
extendedKeyUsage = clientAuth
|
|
|
|
[ ext_server ]
|
|
|
|
# Hotspot 2.0 PKI requirements
|
|
basicConstraints=critical, CA:FALSE
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
authorityInfoAccess = OCSP;URI:@OCSP_URI@
|
|
#@ALTNAME@
|
|
extendedKeyUsage = critical, serverAuth
|
|
keyUsage = critical, keyEncipherment
|