Date | March 8th 2022 10:00-12:00am CET |
---|---|
Location | SUNET Office Stockholm |
Participants (in presence) | Nicole Harris (GEANT), Leif Johansson (SUNET), Björn Mattson (SUNET), Pål Axelsson (SUNET), Kushal Das (SUNET), Davide Vaghetti (GARR) |
Participants (remote) | Marco Malavolti, Eisaku Sakane, Tomasz Wolniewicz, Mark Williams, Pensri A., Dariusz Janny (PSNC), Maarten Kremers, Maja Górecka-Wolniewicz, Dubravko Penezic (SRCE) (dpenezic), Stephen Lovell (GÉANT), Thomas Bärecke, Alex Stuart, Martin Stanislav,Niels van Dijk, alan buxey, Leonardo Marino, Barbara Monticini, Zbigniew Ołtuszyk (PSNC), Ian Galpin, Donald Coetzee, Jule Ziegler, Valeriu Vraciu (UAIC), Daniel Kouřil, Thijs Kinkhorst, Takeshi Nishimura (GakuNin / NII), TENET Boardroom, Massimiliano Adamo, Thomas Nilsson,Macías José Manuel, Renato Furter, Warda Al Habsi (OMREN), Saeed Khademi, , Salu Upadhyay, Halil Adem, Fredrik Domeij, Gheorghita BUTNARU, Mario Di Lorenzo, Guy Halse, Laura Pirelli, Lewisham West & Penge CLP, Eilia Etminan |
<iframe width="560" height="315" src="https://www.youtube.com/embed/59csB3jiOeQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe> |
Key type | Key Subject | Key Duration |
---|---|---|
RSA 4096bit | O=GEANT, CN=eduGAIN RSA Signer CA 2022 | 20 Years |
ECC 384bits | O=GEANT, CN=eduGAIN ECC Signer CA 2022 | 20 Years |
#Check correct date on the box date alias getCode='/usr/local/keykeeper/bin/getCode.py' # Plug in generator # Start random genrator rc-service rngd start ps auxww | grep '[r]ngd' # Check entropy strength dd if=/dev/ttyUSB0 bs=4000 count=250 iflag=fullblock | ent # Enter secure directory. Will be cleaned after reboot. cd /dev/shm # Configure teh Yubikey into " Static Password Mode." # Create a random " Secret Key" openssl rand -hex 16 | awk '{printf "%s", $1}' > /dev/shm/SecretKey ls -la /dev/shm/SecretKey wc -m /dev/shm/SecretKey # Insert 1 Yubikey ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL # Insert 2 Yubikey ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL #Remove SecretKey rm /dev/shm/SecretKey && echo Key removed || echo FAIL # Create a openssl.conf to get CA flag into cert cat > openssl.cnf << EOF [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical,CA:true EOF # Create RSA key getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /dev/shm/edugain_rsa.key && echo Key created || echo FAIL # Create RSA cert-request getCode | openssl req -new -passin stdin -key /dev/shm/edugain_rsa.key -out edugain_rsa.req -subj "/O=GEANT/CN=eduGAIN RSA Signer CA 2022" && echo Request created || echo FAIL # Sign RSA Cert getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_rsa.req -signkey /dev/shm/edugain_rsa.key -out edugain_rsa.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL # Create EC key getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm ed25519 -out /dev/shm/edugain_ecc.key && echo Key created || echo FAIL # Create EC cert-request getCode | openssl req -new -passin stdin -key /dev/shm/edugain_ecc.key -out edugain_ecc.req -subj "/O=GEANT/CN=eduGAIN ECC Signer CA 2022" && echo Request created || echo FAIL # Create EC cert-request getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_ecc.req -signkey /dev/shm/edugain_ecc.key -out edugain_ecc.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL # Verify Keys / Certs openssl x509 -noout -modulus -in /dev/shm/edugain_rsa.crt | openssl sha256 getCode | openssl rsa -passin stdin -noout -modulus -in /dev/shm/edugain_rsa.key | openssl sha256 openssl x509 -noout -text -in /dev/shm/edugain_ecc.crt | egrep -A 4 "ED25519 Public-Key" | sed 's/^ *//g' getCode | openssl pkey -passin stdin -noout -in /dev/shm/edugain_ecc.key -text_pub | sed 's/^ *//g' # Show that the Keys are encrypted grep -- "-" *.key #Show RSA cert openssl x509 -in /dev/shm/edugain_rsa.crt echo -e "\nFingerprint" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -fingerprint -sha256 && \ echo -e "\nSubject" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -issuer -subject && \ echo "" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -text | grep -A2 Valid # Same thing with EC openssl x509 -in edugain_ecc.crt echo -e "\nFingerprint" && \ openssl x509 -noout -in edugain_ecc.crt -fingerprint -sha256 && \ echo -e "\nSubject" && \ openssl x509 -noout -in edugain_ecc.crt -issuer -subject && \ echo "" && \ openssl x509 -noout -in edugain_ecc.crt -text | grep -A2 Valid # Show checksum before copy sha256sum edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key #Mount and copy mkfs.ext4 /dev/sdb1 mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key umount /mnt || echo "Fail to umount" # Next USB #Mount and copy in one step mkfs.ext4 /dev/sdb1 && \ mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" && \ sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key && \ umount /mnt || echo "Fail to umount" # Next USB #Mount and copy in one step mkfs.ext4 /dev/sdb1 && \ mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_ecc.crt /mnt || echo "Fail to copy files" && \ sha256sum /mnt/edugain_rsa.crt /mnt/edugain_ecc.crt && \ umount /mnt || echo "Fail to umount" # Check that /mnt is empty ant nothing got copied here by mistake ls /mnt #Boot outside serverhall #Setup getCode again alias getCode='/usr/local/keykeeper/bin/getCode.py' #Move into /dev/shm cd /dev/shm # remount usbstick with key on it mount /dev/sdb1 /mnt || echo "Fail to mount" # export cleartext into /dev/shm/edugain_rsa.clear to be able to import getCode |openssl rsa -passin stdin -in /mnt/edugain_rsa.key -out /dev/shm/edugain_rsa.clear #Import key /usr/safenet/lunaclient/bin/cmu importkey -in /dev/shm/edugain_rsa.clear -keyalg RSA -setkeyattr CKA_SIGN #Import cert /usr/safenet/lunaclient/bin/cmu import -inputFile /mnt/edugain_rsa.crt -label edugain_rsa # list handles /usr/safenet/lunaclient/bin/cmu list |
Yubikey code reader: