Set up certificates using local IACA certificate

Author: gfour

.github/README.md

@@ -16,12 +16,16 @@ This setup assumes two devices (one Android, one Linux).
    environment, install dependencies, generate self-signed certificate
    bound to the local host IP).
 
+3. Optional: consult the last section in the output of the command
+   above to find how to set up local signing certificates (signed
+   by a local IACA certificate).
+
 4. Run `./run-issuer.sh` to spin up the issuer server.
 
 ### Android wallet
 
 1. Clone [the Android app fork](https://github.com/gfour/eudi-app-android-wallet-ui)
-   and switch to branch "local-deploy".
+   and switch to branch "local-deploy-v2".
 
 3. Run the issuer as above
 

iaca.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICIoPMsIqxayJXj4PKtz0EKTfw7wz6xh1ACO9stjooWjoAoGCCqGSM49
+AwEHoUQDQgAEwFNM8IyEp1s0tzgdDQMnyvul5dCkk6iEJ2siHLliLxcTKmNFHaPz
+MRtlXO3NTe/LGtAegXq8BTfSWArRkUqNKw==
+-----END EC PRIVATE KEY-----

iaca.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnjCCAkOgAwIBAgIUFE0Dgl2yQ3/sGNmTsq68RepL8icwCgYIKoZIzj0EAwIw
+PTEeMBwGA1UEAwwVUElEIElzc3VlciBDQSAtIEdSIDAxMQ4wDAYDVQQKDAVHUk5F
+VDELMAkGA1UEBhMCR1IwHhcNMjUwMzExMDc1NjE3WhcNMjYwMzExMDc1NjE3WjA9
+MR4wHAYDVQQDDBVQSUQgSXNzdWVyIENBIC0gR1IgMDExDjAMBgNVBAoMBUdSTkVU
+MQswCQYDVQQGEwJHUjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMBTTPCMhKdb
+NLc4HQ0DJ8r7peXQpJOohCdrIhy5Yi8XEypjRR2j8zEbZVztzU3vyxrQHoF6vAU3
+0lgK0ZFKjSujggEfMIIBGzASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSa
+hjchdcXwuEb6Rr8ELeS3+ZyONjBiBgNVHSMEWzBZoUGkPzA9MR4wHAYDVQQDDBVQ
+SUQgSXNzdWVyIENBIC0gR1IgMDExDjAMBgNVBAoMBUdSTkVUMQswCQYDVQQGEwJH
+UoIUFE0Dgl2yQ3/sGNmTsq68RepL8icwPgYDVR0lAQH/BDQwMgYIK4ECAgAAAQcG
+CCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEMDIGA1UdHwQr
+MCkwJ6AloCOGIWh0dHA6Ly84My4yMTIuNzIuMTE0OjgwODIvY3JsLnBlbTAOBgNV
+HQ8BAf8EBAMCAfYwCgYIKoZIzj0EAwIDSQAwRgIhAKK820GxcGVoj1Fe0ewMFK6j
+zSdjvEuJhBfpUqTA+Xj1AiEAiKS/fZ8lfDH1aUs1pSGnlmBe+IXhcXbohroLq/Ql
+ckc=
+-----END CERTIFICATE-----

run-issuer.sh

@@ -3,7 +3,7 @@
 HOST_IP=$(<.config.ip)
 
 source .venv/bin/activate
-export REQUESTS_CA_BUNDLE=$(realpath cert.pem)
+export REQUESTS_CA_BUNDLE=$(realpath iaca.pem)
 export SERVICE_URL="https://${HOST_IP}:5000/"
 export EIDAS_NODE_URL="https://TODO1/"
 export DYNAMIC_PRESENTATION_URL="https://TODO2/"

scripts/create-iaca.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+#
+# This file demonstrates creation of IACA certificates. Notes:
+#
+# * This is not complete; a .crl distribution server should also
+#   be set up (see "crlDistributionPoints" property below).
+#
+# * The generated certificate is self-signed.
+#
+# * For convenience, the generated certificate can also sign
+#   SSL server certificates.
+#
+
+echo Creating root certificate...
+openssl ecparam -name prime256v1 -genkey -noout -out iaca.key
+
+echo '[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # Section to use for cert extensions
+
+[ req_distinguished_name ]
+CN = PID Issuer CA - GR 01
+O = GRNET
+C = GR
+
+[ v3_ca ]
+basicConstraints = critical, CA:TRUE, pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = critical, 1.3.130.2.0.0.1.7, serverAuth, clientAuth, codeSigning, emailProtection
+crlDistributionPoints = URI:http://83.212.72.114:8082/crl.pem
+keyUsage = critical, keyCertSign, cRLSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+' > eudi-cert.conf
+
+IACA=iaca.pem
+openssl req -new -key iaca.key -x509 -nodes -days 365 \
+    -subj "/CN=PID Issuer CA - GR 01/O=GRNET/C=GR" \
+    -out ${IACA} \
+    -config eudi-cert.conf \
+    -extensions v3_ca
+
+openssl x509 -in ${IACA} -noout -text
+echo "Created: ${IACA}"
+
+# We check that this IACA can also be used to issue SSL server
+# certificates (required key usages: https://www.ietf.org/rfc/rfc3280.txt, p.41)
+echo "Checking validity for SSL server purposes"
+openssl verify -CAfile iaca.pem -purpose sslserver ${IACA}

scripts/create-issuer-mdl-cert.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -e
+
+if [ "$1" == "" ]; then
+    echo "Usage: ./create-issuer-mdl-cert.sh <DOMAIN>"
+    echo "Creates a certificate for mDL issuance"
+    exit
+fi
+
+echo "== Creating key =="
+KEY="$1.key"
+openssl ecparam -name prime256v1 -genkey -noout -out ${KEY}
+
+echo "== Creating certificate signing request =="
+CSR="$1.csr"
+rm -f ${CSR}
+echo "[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca  # Section to use for cert extensions
+
+[ req_distinguished_name ]
+CN = $1
+O = GRNET
+C = GR
+
+[ v3_ca ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = 1.0.18013.5.1.2
+crlDistributionPoints = URI:http://83.212.72.114:8082/crl.pem
+keyUsage = digitalSignature
+" > eudi-mdl-cert.conf
+
+openssl req -new -sha256 -key ${KEY} \
+	-subj "/CN=$1/O=GRNET/C=GR" \
+	-out ${CSR}
+
+echo "== Verifying the request =="
+openssl req -in ${CSR} -noout -text
+
+echo "== Generating the certificate =="
+rm -f iaca.srl
+CRT="$1.crt"
+openssl x509 -req -in ${CSR} -CA iaca.pem -CAkey iaca.key -CAcreateserial -out ${CRT} -days 500 -sha256 -extfile eudi-mdl-cert.conf -extensions v3_ca
+openssl x509 -in ${CRT} -noout -text
+rm -f eudi-mdl-cert.conf
+
+PUB_JWK="$1.jwk.pub.json"
+JWK="$1.jwk.json"
+step crypto jwk create ${PUB_JWK} ${JWK} --from-pem ${KEY} --insecure --no-password --force
+DER="${CRT}.der"
+openssl x509 -in ${CRT} -out ${DER} -outform DER
+
+echo "== Files created =="
+echo ${CRT}
+echo ${DER}
+echo ${KEY}
+echo ${PUB_JWK}
+echo ${JWK}

scripts/setup-cert.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+
+LOCAL_ROOT_CA="iaca.pem"
+LOCAL_ROOT_CA_KEY="iaca.key"
+
+function install_certificates() {
+    echo Installing keys/certificates...
+    PRIVKEY_DIR=/etc/eudiw/pid-issuer/privKey/
+    CERT_DIR=/etc/eudiw/pid-issuer/cert/
+    sudo mkdir -p ${PRIVKEY_DIR}
+    sudo mkdir -p ${CERT_DIR}
+    sudo chmod +rx /etc/eudiw
+    sudo chmod +rx /etc/eudiw/pid-issuer
+    sudo chmod +rx ${PRIVKEY_DIR}
+    sudo chmod +rx ${CERT_DIR}
+
+    echo Copying signing certificates...
+    sudo unzip -o api_docs/test_tokens/DS-token/PID-DS-0002.zip -d ${PRIVKEY_DIR}
+    sudo mv ${PRIVKEY_DIR}/PID-DS-0002.cert.der ${CERT_DIR}/
+    sudo chmod +r ${PRIVKEY_DIR}*
+    sudo cp ${LOCAL_ADDR}.crt.der ${CERT_DIR}/
+    sudo chmod +r ${CERT_DIR}/${LOCAL_ADDR}.crt.der
+    sudo cp ${LOCAL_ADDR}.key ${PRIVKEY_DIR}/
+    sudo chmod +r ${PRIVKEY_DIR}/${LOCAL_ADDR}.key
+
+    echo Copying IACA files...
+    gunzip -f -k api_docs/test_tokens/IACA-token/PIDIssuerCAUT01.pem.gz
+    sudo mkdir -p /etc/eudiw/pid-issuer/cert/
+    sudo chmod +rx /etc/eudiw/pid-issuer/cert/
+    sudo cp api_docs/test_tokens/IACA-token/PIDIssuerCAUT01.pem /etc/eudiw/pid-issuer/cert/
+    if [ -f "${LOCAL_ROOT_CA}" ]; then
+        sudo cp "${LOCAL_ROOT_CA}" /etc/eudiw/pid-issuer/cert/
+    fi
+}
+
+function generate_config_file()
+{
+    cat << EOF
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+x509_extensions = v3_req
+prompt = no
+
+[req_ext]
+subjectAltName = @alt_names
+
+[req_distinguished_name]
+countryName = GR
+stateOrProvinceName = Attica
+localityName = N/A
+organizationName = GRNET
+commonName = GRNET-Issuer
+
+[v3_ca]
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints=critical,CA:FALSE
+keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = ${LOCAL_ADDR}
+EOF
+}
+
+function generate_ssl_certificate() {
+    echo "== Generating SSL certificate configuration =="
+    config_file=$(mktemp)
+    echo "Using temporary configuration in ${config_file}"
+    generate_config_file > ${config_file}
+    cat ${config_file}
+
+    if [ -f "${LOCAL_ROOT_CA}" ] && [ -f "${LOCAL_ROOT_CA_KEY}" ]; then
+        CUSTOM_ROOT_CA=1
+    else
+        CUSTOM_ROOT_CA=0
+    fi
+
+    # No local root CA available, create a simple self-signed certificate
+    if [ $CUSTOM_ROOT_CA -eq 0 ]; then
+        openssl req -x509 -nodes -days 730 \
+            -newkey rsa:2048 \
+            -keyout ${KEY} \
+            -out ${CRT} \
+            -config "$config_file"
+        return
+    fi
+
+    # Local root CA available, create a certificate signed by it
+    echo "== Creating key =="
+    KEY="key.pem"
+    openssl genrsa -out ${KEY} 2048
+
+    echo "== Creating SSL certificate signing request =="
+    CSR="cert.csr"
+    rm -f ${CSR}
+    openssl req -new -sha256 -key ${KEY} \
+        -subj "/CN=${LOCAL_ADDR}/O=GRNET/C=GR" \
+        -out ${CSR}
+
+    echo "== Verifying the request =="
+    openssl req -in ${CSR} -noout -text
+
+    echo "== Generating the SSL certificate =="
+    CRT="cert.pem"
+    openssl x509 -req -in ${CSR} -CA ${LOCAL_ROOT_CA} -CAkey ${LOCAL_ROOT_CA_KEY} -out ${CRT} -days 400 -sha256 -extfile "${config_file}" -extensions v3_req
+    rm -f ${config_file}
+
+
+    if [ $CUSTOM_ROOT_CA -eq 1 ]; then
+        echo "== Verifying the certificate using root CA ${LOCAL_ROOT_CA} =="
+        openssl verify -CAfile ${LOCAL_ROOT_CA} -purpose sslserver -verify_ip ${LOCAL_ADDR} ${CRT}
+    fi
+}
+
+if [ "$1" == "-h" ]; then
+    echo "Set up the certificate of the issuer"
+    echo "Usage: setup-cert.sh [LOCAL_IP]"
+    exit
+elif [ "$1" == "" ]; then
+    echo $(./resolve-ip.sh) > .config.ip
+else
+    echo $1 > .config.ip
+fi
+
+LOCAL_ADDR=$(cat .config.ip)
+echo "Using local address: ${LOCAL_ADDR}"
+
+generate_ssl_certificate
+scripts/create-issuer-mdl-cert.sh ${LOCAL_ADDR}
+
+install_certificates
+
+echo
+echo "mdoc certificate created, set the following options in app/app_config/config_countries.py:"
+echo '"pid_mdoc_privkey": "/etc/eudiw/pid-issuer/privKey/'${LOCAL_ADDR}'.key"'
+echo '"pid_mdoc_privkey_passwd": None'
+echo '"pid_mdoc_cert": "/etc/eudiw/pid-issuer/cert/'${LOCAL_ADDR}'.crt.der"'
+echo

scripts/setup-issuer-metadata.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if [ "$1" == "-h" ]; then
+    echo "Usage: setup-issuer-metadata.sh [IP]"
+    echo
+    echo "IP      the local IP of the issuer, empty for autodetection"
+    exit
+elif [ "$1" == "" ]; then
+    IP=$(cat .config.ip)
+else
+    IP=$1
+fi
+
+git restore app/metadata_config/metadata_config.json app/metadata_config/oauth-authorization-server.json app/metadata_config/openid-configuration.json
+git grep issuer.eudiw.dev | fgrep --color=none .json | cut -d ':' -f 1 | sort -u | xargs sed -i -e "s/https:\/\/issuer.eudiw.dev/https:\/\/${IP}:5000/g"