Merge pull request #210 from stackql/feature/update-certificate-compact
new-certificate
general-kroll-4-life authored Mar 10, 2024
2 parents 90a1236 + 046b170 commit ea3371d
Showing 7 changed files with 93 additions and 22 deletions.
17 changes: 17 additions & 0 deletions docs/signing-and-verification.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,4 +52,21 @@ Some more context and sample code can be drawn from:
2. We will use the indicated `Ed25519` signing algorithm.
3. We will couple (2) with a code signing pattern inclusive of chain of trust, similar in nature to [this](https://www.digicert.com/signing/code-signing-certificates#Code-Signing).

### Practicalities

It is possible retrospectively regenerate certificates manually (requires `faketime`):

```bash

signing/Ed25519/setup/re-generate-faketime.sh

```

Easiest thing is edit this script to reflect desired window start datetime. Of course, you will need to possess key material and ensure it is in expected location per script.

Then, simply copy the output from `signing/Ed25519/setup/out/stackql-cert.pem` to both:

- `signing/Ed25519/app/edcrypto/embeddedcerts/signingcerts/stackql-signing-bundle.pem`.
- `signing/Ed25519/app/edcrypto/embeddedcerts/stackql-root-cert-bundle.pem`.

Following this, need to propogate a new version of this module through the toolchain.
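Review bot: the Practicalities section tells the reader to "edit this script to reflect desired window start datetime", but the `re-generate-faketime.sh` added in this same commit already takes the version, fake time and duration as positional arguments (`_version="${1:-"v1"}"`, `_fakeTime="${2:-"2023-02-28 08:15:00"}"`, `_durationDays="${3:-"900"}"`), so the doc should show the invocation with those arguments rather than instruct editing the script. Two wording fixes while here: "It is possible retrospectively regenerate" is missing "to", and "propogate" should be "propagate". It would also help to name the check a maintainer runs on the regenerated file before copying it into the two bundle paths, e.g. `openssl x509 -in signing/Ed25519/setup/out/stackql-cert.pem -noout -subject -dates`, because a fake time given in the wrong timezone silently yields a notBefore that is not the intended window start.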
@@ -1,11 +1,9 @@
-----BEGIN CERTIFICATE-----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MIIBRDCB96ADAgECAhQiDsQ/AgsU7dsx/eX6xv1oBGlM2TAFBgMrZXAwMTEYMBYG
A1UECgwPU3RhY2tRTCBTdHVkaW9zMRUwEwYDVQQDDAxKZWZmcmV5IEF2ZW4wHhcN
MjMwMjI3MjExNTAwWhcNMjUwODE1MjExNTAwWjAxMRgwFgYDVQQKDA9TdGFja1FM
IFN0dWRpb3MxFTATBgNVBAMMDEplZmZyZXkgQXZlbjAqMAUGAytlcAMhAHrnFfXl
umkc0rjmsXtRUw2mrSV+ycdCLAjBuhs2Y5E5oyEwHzAdBgNVHQ4EFgQUhcjFUmsF
artlM13eyE+xnv5CAUowBQYDK2VwA0EAw/d4dT7ZRLK9OoUhEyxvzRYKaJgtLdsu
L/+IcLm++FCHaneF6Z1TsciHQSHzJPX80LDr8Wct7ens0TpvJGqKBQ==
-----END CERTIFICATE-----
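Review bot: the rendered hunk replaces an 11-line PEM with a 9-line one and shows no file name, so a reviewer cannot confirm from the diff alone which bundle this is or what changed in the certificate; the commit message should state the new certificate's subject and validity window (the output of `openssl x509 -noout -subject -dates`) so the change is reviewable without decoding base64. Because the regeneration script signs with `-signkey`, this is a self-signed certificate, and per the docs it is committed verbatim as both the signing bundle and the root bundle, so the "chain of trust" described in docs/signing-and-verification.md is a single self-signed certificate acting as its own trust anchor; that is worth stating explicitly in the docs so verifier configuration is not built on a chain that does not exist.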
@@ -1,11 +1,9 @@
-----BEGIN CERTIFICATE-----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MIIBRDCB96ADAgECAhQiDsQ/AgsU7dsx/eX6xv1oBGlM2TAFBgMrZXAwMTEYMBYG
A1UECgwPU3RhY2tRTCBTdHVkaW9zMRUwEwYDVQQDDAxKZWZmcmV5IEF2ZW4wHhcN
MjMwMjI3MjExNTAwWhcNMjUwODE1MjExNTAwWjAxMRgwFgYDVQQKDA9TdGFja1FM
IFN0dWRpb3MxFTATBgNVBAMMDEplZmZyZXkgQXZlbjAqMAUGAytlcAMhAHrnFfXl
umkc0rjmsXtRUw2mrSV+ycdCLAjBuhs2Y5E5oyEwHzAdBgNVHQ4EFgQUhcjFUmsF
artlM13eyE+xnv5CAUowBQYDK2VwA0EAw/d4dT7ZRLK9OoUhEyxvzRYKaJgtLdsu
L/+IcLm++FCHaneF6Z1TsciHQSHzJPX80LDr8Wct7ens0TpvJGqKBQ==
-----END CERTIFICATE-----
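Review bot: this hunk is byte-for-byte the same as the previous one, which is what the docs step ("copy the output ... to both") intends, but two hand-copied copies of the same trust anchor will drift the first time only one is updated. Suggest a test in the edcrypto package that loads both embedded bundles and asserts the root bundle verifies the signing bundle (or simply that they are identical), so CI fails when a regeneration touches one file and not the other.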
4 changes: 3 additions & 1 deletion signing/Ed25519/setup/.gitignore
@@ -1,6 +1,8 @@
*
!README.md
!generate.sh
!re-generate-faketime.sh
!openssl-ed25519.cnf
!scratchpad
!.gitignore
!.gitignore
!v1/
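Review bot: `!v1/` un-ignores the directory the script reads the private key from (`${SCRIPT_DIR}/${_version}/${PRIVATE_KEY_FILE_NAME}`, i.e. `v1/v1-private-key.pem`), so the only thing keeping that key out of the repository is the nested `v1/.gitignore` added in this commit; a comment beside `!v1/` saying exactly that would stop someone from "simplifying" the nested ignore away later. The duplicated `!.gitignore` line is the diff showing the old entry dropped and re-added, most likely because the original file lacked a trailing newline; harmless, but ending the file with a newline avoids the noise. Note that `out/` remains ignored by `*`, which is why the docs require manually copying `out/stackql-cert.pem` into the embedded bundle paths.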
6 changes: 3 additions & 3 deletions signing/Ed25519/setup/openssl-ed25519.cnf
Expand Up @@ -3,12 +3,12 @@ distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = AU
CN = stackql.io
O=StackQL Studios
CN=Jeffrey Aven
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = stackql.io
DNS.2 = www.stackql.io
email.1 = javen@stackql.io
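Review bot: the rendered diff (which drops the +/- markers) shows both `CN = stackql.io` and `CN=Jeffrey Aven` under `[req_distinguished_name]`; if both survive in the new file, OpenSSL keeps only one value per key name in a section (the last definition wins), so one CN is silently dropped. If both attributes are wanted, use the indexed form (`0.CN = stackql.io`, `1.CN = Jeffrey Aven`); otherwise remove the one that is not intended. The `[v3_req]` section as shown still describes a TLS server certificate (`keyUsage = keyEncipherment, dataEncipherment`, `extendedKeyUsage = serverAuth`, DNS SANs) although the key is Ed25519 and the certificate is used for code signing per docs/signing-and-verification.md; Ed25519 cannot perform key encipherment at all, so `keyUsage = digitalSignature` and `extendedKeyUsage = codeSigning` are the values that match the use, and any verifier that checks EKU would reject the current ones.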
54 changes: 54 additions & 0 deletions signing/Ed25519/setup/re-generate-faketime.sh
@@ -0,0 +1,54 @@
#!/usr/bin/env bash

SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )


_version="${1:-"v1"}"

_out_dir="${SCRIPT_DIR}/out"

_fakeTime="${2:-"2023-02-28 08:15:00"}"

_durationDays="${3:-"900"}"


#### https://blog.pinterjann.is/ed25519-certificates.html

CNF_FILE="openssl-ed25519.cnf"
CSR_FILE_NAME="stackql.io.csr"
PRIVATE_KEY_FILE_NAME="${_version}-private-key.pem"
PUBLIC_KEY_FILE_NAME="${_version}-public-key.pem"
SELF_SIGNED_CERT_FILE_NAME="stackql-cert.pem"


openssl req -new -out ${_out_dir}/${CSR_FILE_NAME} -key ${SCRIPT_DIR}/${_version}/${PRIVATE_KEY_FILE_NAME} -config ${SCRIPT_DIR}/${CNF_FILE}

echo
echo "########################################################"
echo "######### CSR DETAILS ##################################"
echo "########################################################"
echo

openssl req -in ${_out_dir}/${CSR_FILE_NAME} -text -noout

echo
echo "########################################################"
echo "########################################################"
echo "########################################################"
echo

faketime "${_fakeTime}" openssl x509 -req -days "${_durationDays}" -in ${_out_dir}/${CSR_FILE_NAME} -signkey ${SCRIPT_DIR}/${_version}/${PRIVATE_KEY_FILE_NAME} -out ${_out_dir}/${SELF_SIGNED_CERT_FILE_NAME}

echo
echo "########################################################"
echo "######### SELF SIGNED CERT DETAILS #####################"
echo "########################################################"
echo

openssl x509 -in ${_out_dir}/${SELF_SIGNED_CERT_FILE_NAME} -text -noout

echo
echo "########################################################"
echo "########################################################"
echo "########################################################"
echo
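Review bot: `faketime` wraps only the `openssl x509 -req` step, so the certificate's notBefore is `${_fakeTime}` interpreted in the local timezone and `-days "${_durationDays}"` fixes notAfter relative to it; a comment saying so, plus a final `openssl x509 -noout -dates` line, would make the resulting window easy to check (the `-text` dump includes it, but buried). Three robustness points: there is no `set -euo pipefail`, so a failed `openssl req` (missing key, missing `out/`) still lets the signing step run against a stale or absent CSR; `${_out_dir}` is never created, so add `mkdir -p "${_out_dir}"` before the first `openssl req`; and the path expansions are unquoted, which breaks on paths containing spaces. Finally, `openssl x509 -req ... -signkey` without `-extfile`/`-extensions` (or `-copy_extensions copy` on OpenSSL 3) does not carry the CSR's `v3_req` extensions into the certificate, so whatever `keyUsage`/`extendedKeyUsage` the config declares never reaches the signed certificate; if verifiers are expected to enforce those extensions, pass them explicitly here.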
2 changes: 2 additions & 0 deletions signing/Ed25519/setup/v1/.gitignore
@@ -0,0 +1,2 @@
*
!.gitignore
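Review bot: this two-line ignore is the sole guard keeping `v1/v1-private-key.pem` (the `${_version}-private-key.pem` the script reads from this directory) out of the repository now that the parent `.gitignore` carries `!v1/`. Suggest a one-line comment stating that, and a CI or pre-commit check such as `git check-ignore -q signing/Ed25519/setup/v1/v1-private-key.pem || exit 1`, so a future edit to either ignore file cannot silently start tracking key material.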

0 comments on commit ea3371d
