Compare commits

...

5 commits

Author SHA1 Message Date
0d012cbfe1 Synchronize openssl config 2021-01-08 18:44:01 +01:00
7ee3ddd998 WIP: devsetup 2021-01-05 20:26:29 +01:00
Jan Dittberner
e8bf83b231 Switch imap and smtp to debian:buster-slim 2021-01-05 08:11:18 +01:00
7e09af008e Use buster-slim for go signer and smtp 2021-01-04 20:40:51 +01:00
Jan Dittberner
8fca612a7d Start work for using the go based signer 2021-01-04 08:11:23 +01:00
13 changed files with 81 additions and 31 deletions

View file

@ -1 +1,2 @@
.env .env
**/.idea/**

3
.gitignore vendored
View file

@ -1,6 +1,7 @@
.env
.idea/ .idea/
cacert-cats/ cacert-cats/
cacert-gosigner/
cacert-mgr/ cacert-mgr/
cacert-software/ cacert-software/
.env
testca/ testca/

View file

@ -6,3 +6,6 @@ checkout = git clone git+ssh://git.cacert.org/srv/git/cacert-mgr.git cacert-mgr
[cacert-software] [cacert-software]
checkout = git clone git+ssh://git.cacert.org/srv/git/cacert-devel.git cacert-software checkout = git clone git+ssh://git.cacert.org/srv/git/cacert-devel.git cacert-software
[cacert-gosigner]
checkout = git clone https://git.dittberner.info/jan/cacert-gosigner.git

View file

@ -108,7 +108,7 @@ services:
signer: signer:
build: build:
context: . context: .
dockerfile: signer.Dockerfile dockerfile: gosigner.Dockerfile
environment: environment:
SIGNER_WORKDIR: /srv/ca/work SIGNER_WORKDIR: /srv/ca/work
SIGNER_CA_CONFIG: /srv/caconfig SIGNER_CA_CONFIG: /srv/caconfig

31
docker/run-gosigner Executable file
View file

@ -0,0 +1,31 @@
#!/bin/sh
set -eu
export SERIAL_PORT=/dev/ttyUSB0
mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem
cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem
if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi
if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /srv/ca/CA/index.txt.attr; fi
if [ ! -f /srv/ca/CA/serial ]; then printf '00' >/srv/ca/CA/serial; fi
if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 >/srv/ca/CA/crlnumber; fi
mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
if [ ! -f /srv/ca/class3/serial ]; then printf '00' >/srv/ca/class3/serial; fi
if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 >/srv/ca/class3/crlnumber; fi
if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/pubring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
rm -f /srv/sockets/signer
socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
sleep 1
cd /app/
exec ./signer

View file

@ -29,10 +29,10 @@ commonName = optional
emailAddress = optional emailAddress = optional
[ usr_cert ] [ usr_cert ]
basicConstraints = critical, CA:FALSE basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC extendedKeyUsage = emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/test-class3-revoke.crl crlDistributionPoints = URI:http://crl.cacert.localhost/test-class3-revoke.crl
subjectAltName = email:copy subjectAltName = email:copy

View file

@ -29,10 +29,10 @@ commonName = optional
emailAddress = optional emailAddress = optional
[ usr_cert ] [ usr_cert ]
basicConstraints = critical, CA:FALSE basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
subjectAltName = email:copy subjectAltName = email:copy

View file

@ -30,10 +30,10 @@ commonName = optional
emailAddress = optional emailAddress = optional
[ usr_cert ] [ usr_cert ]
basicConstraints = critical, CA:FALSE basicConstraints = critical,CA:FALSE
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
subjectAltName = email:copy subjectAltName = email:copy

30
gosigner.Dockerfile Normal file
View file

@ -0,0 +1,30 @@
FROM golang:alpine AS builder
COPY cacert-gosigner /src/
RUN set -ex ; \
cd /src/cmd/signer ; \
CGO_ENABLED=0 go build .
# need to use Debian because we need xdelta 1.x to support signer protocol
# version 1
FROM debian:buster-slim
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
socat \
xdelta \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/cmd/signer/signer /app/
COPY docker/run-gosigner usr/local/bin/
COPY docker/signer-config/* /srv/caconfig/
COPY testca /srv/testca/
VOLUME /srv/ca
ENTRYPOINT []
CMD ["/usr/local/bin/run-gosigner"]

View file

@ -1,15 +0,0 @@
FROM debian:buster
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
ca-certificates \
curl \
dovecot-imapd \
psmisc \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
EXPOSE 25
COPY docker/start-postfix.sh /usr/local

View file

@ -1,4 +1,4 @@
FROM debian:buster FROM debian:buster-slim
RUN apt-get update \ RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \ && DEBIAN_FRONTEND=noninteractive \

View file

@ -133,8 +133,7 @@ if [ ! -f root/ca.crt.pem ]; then
openssl req -new -x509 -config ca.cnf \ openssl req -new -x509 -config ca.cnf \
-keyout root/private/ca.key.pem \ -keyout root/private/ca.key.pem \
-nodes \ -nodes \
-subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \ -subj "/C=${COUNTRY_CODE}/O=${ORGANIZATION}/CN=Test Root" \
-days 3650 \
-extensions root_extensions \ -extensions root_extensions \
-out root/ca.crt.pem -out root/ca.crt.pem
fi fi

View file

@ -1,4 +1,4 @@
FROM debian:buster FROM debian:buster-slim
RUN apt-get update \ RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \ && DEBIAN_FRONTEND=noninteractive \
@ -26,4 +26,4 @@ VOLUME /home/catchall/Maildir
COPY docker/run-postfix /usr/local/bin/run-postfix COPY docker/run-postfix /usr/local/bin/run-postfix
CMD ["dumb-init", "/usr/local/bin/run-postfix"] CMD ["dumb-init", "/usr/local/bin/run-postfix"]