Synchronize openssl config

WIP: devsetup
Switch imap and smtp to debian:buster-slim
2021-01-08 18:44:01 +01:00 · 2021-01-05 20:26:29 +01:00 · 2021-01-05 08:11:18 +01:00 · 2021-01-04 20:40:51 +01:00 · 2021-01-04 08:11:23 +01:00
13 changed files with 81 additions and 31 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1 +1,2 @@
 .env
+**/.idea/**
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,7 @@
+.env
 .idea/
 cacert-cats/
+cacert-gosigner/
 cacert-mgr/
 cacert-software/
-.env
 testca/
--- a/.mrconfig
+++ b/.mrconfig
@ -6,3 +6,6 @@ checkout = git clone git+ssh://git.cacert.org/srv/git/cacert-mgr.git cacert-mgr

 [cacert-software]
 checkout = git clone git+ssh://git.cacert.org/srv/git/cacert-devel.git cacert-software
+
+[cacert-gosigner]
+checkout = git clone https://git.dittberner.info/jan/cacert-gosigner.git
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -108,7 +108,7 @@ services:
  signer:
    build:
      context: .
-      dockerfile: signer.Dockerfile
+      dockerfile: gosigner.Dockerfile
    environment:
      SIGNER_WORKDIR: /srv/ca/work
      SIGNER_CA_CONFIG: /srv/caconfig
--- a/docker/run-gosigner
+++ b/docker/run-gosigner
@ -0,0 +1,31 @@
+#!/bin/sh
+
+set -eu
+
+export SERIAL_PORT=/dev/ttyUSB0
+
+mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
+cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem
+cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem
+if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi
+if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /srv/ca/CA/index.txt.attr; fi
+if [ ! -f /srv/ca/CA/serial ]; then printf '00' >/srv/ca/CA/serial; fi
+if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 >/srv/ca/CA/crlnumber; fi
+
+mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
+cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
+cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
+if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
+if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
+if [ ! -f /srv/ca/class3/serial ]; then printf '00' >/srv/ca/class3/serial; fi
+if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 >/srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/pubring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
+
+rm -f /srv/sockets/signer
+socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
+sleep 1
+
+cd /app/
+
+exec ./signer
--- a/docker/signer-config/class3-client-codesign.cnf
+++ b/docker/signer-config/class3-client-codesign.cnf
@ -29,10 +29,10 @@ commonName             = optional
 emailAddress           = optional

 [ usr_cert ]
-basicConstraints       = critical, CA:FALSE
+basicConstraints       = critical,CA:FALSE
 nsComment              = "To get your own certificate for FREE head over to http://www.CAcert.org"
-keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
-extendedKeyUsage       = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+keyUsage               = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage       = emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
 authorityInfoAccess    = OCSP;URI:http://ocsp.cacert.org
 crlDistributionPoints  = URI:http://crl.cacert.localhost/test-class3-revoke.crl
 subjectAltName         = email:copy
--- a/docker/signer-config/class3-client-org.cnf
+++ b/docker/signer-config/class3-client-org.cnf
@ -29,10 +29,10 @@ commonName             = optional
 emailAddress           = optional

 [ usr_cert ]
-basicConstraints       = critical, CA:FALSE
+basicConstraints       = critical,CA:FALSE
 nsComment              = "To get your own certificate for FREE head over to http://www.CAcert.org"
-keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
-extendedKeyUsage       = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+keyUsage               = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage       = emailProtection,clientAuth,msEFS,msSGC,nsSGC
 authorityInfoAccess    = OCSP;URI:http://ocsp.cacert.org
 crlDistributionPoints  = URI:http://crl.cacert.localhost/class3-revoke.crl
 subjectAltName         = email:copy
--- a/docker/signer-config/class3-client.cnf
+++ b/docker/signer-config/class3-client.cnf
@ -30,10 +30,10 @@ commonName             = optional
 emailAddress           = optional

 [ usr_cert ]
-basicConstraints       = critical, CA:FALSE
+basicConstraints       = critical,CA:FALSE
 nsComment              = "To get your own certificate for FREE head over to http://www.CAcert.org"
-keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
-extendedKeyUsage       = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+keyUsage               = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage       = emailProtection,clientAuth,msEFS,msSGC,nsSGC
 authorityInfoAccess    = OCSP;URI:http://ocsp.cacert.org
 crlDistributionPoints  = URI:http://crl.cacert.localhost/class3-revoke.crl
 subjectAltName         = email:copy
--- a/gosigner.Dockerfile
+++ b/gosigner.Dockerfile
@ -0,0 +1,30 @@
+FROM golang:alpine AS builder
+
+COPY cacert-gosigner /src/
+
+RUN set -ex ; \
+    cd /src/cmd/signer ; \
+    CGO_ENABLED=0 go build .
+
+# need to use Debian because we need xdelta 1.x to support signer protocol
+# version 1
+FROM debian:buster-slim
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    socat \
+    xdelta \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /src/cmd/signer/signer /app/
+
+COPY docker/run-gosigner usr/local/bin/
+COPY docker/signer-config/* /srv/caconfig/
+COPY testca /srv/testca/
+
+VOLUME /srv/ca
+
+ENTRYPOINT []
+CMD ["/usr/local/bin/run-gosigner"]
--- a/imap.Dockerfile
+++ b/imap.Dockerfile
@ -1,15 +0,0 @@
-FROM debian:buster
-
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive \
-    apt-get install -y --no-install-recommends \
-    ca-certificates \
-    curl \
-    dovecot-imapd \
-    psmisc \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-EXPOSE 25
-
-COPY docker/start-postfix.sh /usr/local
--- a/mail.Dockerfile
+++ b/mail.Dockerfile
@ -1,4 +1,4 @@
-FROM debian:buster
+FROM debian:buster-slim

 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive \
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@ -133,8 +133,7 @@ if [ ! -f root/ca.crt.pem ]; then
  openssl req -new -x509 -config ca.cnf \
    -keyout root/private/ca.key.pem \
    -nodes \
-    -subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-    -days 3650 \
+    -subj "/C=${COUNTRY_CODE}/O=${ORGANIZATION}/CN=Test Root" \
    -extensions root_extensions \
    -out root/ca.crt.pem
 fi
--- a/smtp.Dockerfile
+++ b/smtp.Dockerfile
@ -1,4 +1,4 @@
-FROM debian:buster
+FROM debian:buster-slim

 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive \
@ -26,4 +26,4 @@ VOLUME /home/catchall/Maildir

 COPY docker/run-postfix /usr/local/bin/run-postfix

-CMD ["dumb-init", "/usr/local/bin/run-postfix"]
+CMD ["dumb-init", "/usr/local/bin/run-postfix"]
Author	SHA1	Message	Date
Jan Dittberner	0d012cbfe1	Synchronize openssl config	2021-01-08 18:44:01 +01:00
Jan Dittberner	7ee3ddd998	WIP: devsetup	2021-01-05 20:26:29 +01:00
Jan Dittberner	e8bf83b231	Switch imap and smtp to debian:buster-slim	2021-01-05 08:11:18 +01:00
Jan Dittberner	7e09af008e	Use buster-slim for go signer and smtp	2021-01-04 20:40:51 +01:00
Jan Dittberner	8fca612a7d	Start work for using the go based signer	2021-01-04 08:11:23 +01:00