Skip to content

Laboratory-for-Safe-and-Secure-Systems/kritis3m_est

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

185 Commits
certs
certs
 
 
cmd
cmd
 
 
internal
internal
 
 
ui
ui
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

KRITS3M EST

This EST (Enrollment over Secure Transport) project provides a Go implementation of the EST protocol, with PQ (Post-Quantum) support built on top of the KRITIS3M ASL Library.

Prerequisites

To build the EST server, you need to have the following software installed:

Installation

To install the EST server/client you have 3 options.

The first option does not require installing the Go toolchain, but it requires the KRITIS3M ASL Library to be installed.

  • Download the latest release from the releases page.

  • Clone the repository and build the server from source:

git clone https://github.com/Laboratory-for-Safe-and-Secure-Systems/kritis3m_est.git
cd est
go build -o estserver cmd/estserver
  • Use the go install command:
go install github.com/Laboratory-for-Safe-and-Secure-Systems/kritis3m_est/cmd/estserver@latest

Usage

Server

Best is to create a configuration file for the server. An example configuration file looks like this:

{
  "ca": {
    "certificates": "<path-to-ca-cert>",
    "private_key": "<path-to-ca-private-key>"
  },
  "tls": {
    "listen_address": ":8443",
    "certificates": "<path-to-server-cert>",
    "private_key": "<path-to-server-private-key>",
    "client_cas": [
      "<path-to-client-ca-certs>"
    ]
  },
  "endpoint": {
    "mutual_authentication": true,
    "no_encryption": false,
    "asl_key_exchange_method": 0,
    "hybrid_signature_mode": 0,
    "keylog_file": "/tmp/keylog.txt"
  },
  "asl_config": {
    "logging_enabled": true,
    "log_level": 3,
    "secure_element_log_support": false
  },
  "allowed_hosts": [
    "localhost",
    "127.0.0.1",
    "[::1]"
  ],
  "healthcheck_password": "xyzzy",
  "rate_limit": 150,
  "timeout": 30
}
estserver -config config.json

Client

The client can be used to enroll a device with the EST server:

!!! warning Use the same values in the certificate you use for the mtls connection.

estclient csr \
    -key <path-to-client-key> \
    -cn "<value>" \
    -country "<value>" \
    -org "<value>" \
    -ou "<value>" \
    -emails "<value>" \
    -dnsnames "localhost" \
    -out csr.pem -ips 127.0.0.1
estclient enroll \
    -server localhost:8443 \
    -explicit <path-to-ca-cert> \
    -csr csr.pem \
    -ca <path-to-ca-cert> \
    -cert <path-to-client-cert> \
    -key <path-to-client-key>

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

ESTClients for arm and x86 Latest
Dec 3, 2024
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages