Added READMEs for SNI Challenge, renamed variables, added options-ssl-conf

client-webserver/README

@@ -12,3 +12,8 @@ chocolate.py - server-side, requires web.py (python-webpy),
 client.py - experimental tool for making requests and parsing replies
 
 chocolate_protocol.proto - protocol definition; needs protobuf-compiler
+
+sni_challenge - Assumes Apache server with name based virtual hosts is running (for intended address).
+	Call perform_sni_cert_challenge(address, r, nonce) to do the whole challenge.
+	Example code is given in main method
+	Right now requires full path specification of CSR/KEY in the Global Variables (how should this be specified?)

client-webserver/options-ssl.conf

@@ -0,0 +1,24 @@
+# Baseline setting to Include for SSL sites
+
+SSLEngine On
+SSLProtocol -all +SSLv3 +TLSv1
+SSLCipherSuite HIGH:!aNULL:!ADH:!EXP:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
+
+ServerSignature Off
+AcceptPathInfo Off
+AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
+AddDefaultCharset UTF-8
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+CustomLog /var/log/apache2/access.log vhost_combined
+LogLevel warn
+ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

client-webserver/sni_challenge.py

@@ -5,7 +5,6 @@ from Crypto.PublicKey import RSA
 from Crypto import Random
 import hmac
 import hashlib
-import random
 from shutil import move
 from os import remove, close
 
@@ -16,11 +15,12 @@ SERVER_BASE = "/etc/apache2/"
 CHOC_CERT = CHOC_DIR + "choc.crt"
 CSR = CHOC_DIR + "choc.csr"
 CHOC_CERT_CONF = "choc_cert_extensions.cnf"
+OPTIONS_SSL_CONF = CHOC_DIR + "options-ssl.conf"
 APACHE_CHALLENGE_CONF = CHOC_DIR + "choc_sni_cert_challenge.conf"
-S_SIZE = 20
+S_SIZE = 32
+NONCE_SIZE = 32
 
 def findApacheConfigFile():
-    #return CHOC_DIR + "demo_apache.conf"
     #This needs to be fixed to account for multiple httpd.conf files
     try:
         p = subprocess.check_output(["sudo", "find", "/", "-name", "httpd.conf"], stderr=open("/dev/null"))
@@ -40,7 +40,7 @@ UseCanonicalName on \n \
 \n \
 LimitRequestBody 1048576 \n \
 \n \
-Include " + CHOC_DIR + "options-ssl.conf \n \
+Include " + OPTIONS_SSL_CONF + " \n \
 SSLCertificateFile " + CHOC_CERT + " \n \
 SSLCertificateKeyFile " + CHOC_KEY + " \n \
 \n \
@@ -109,12 +109,12 @@ def apache_restart():
     subprocess.call(["sudo", "/etc/init.d/apache2", "reload"])
 
 #main call
-def perform_sni_cert_challenge(encryptedValue, nonce):
-    ext = generateExtension(encryptedValue)
+def perform_sni_cert_challenge(address, r, nonce):
+    ext = generateExtension(r)
     createChallengeCert(ext)
     
     #Need to decide the form of nonce
-    modifyApacheConfig(findApacheConfigFile(), nonce, "127.0.0.1")
+    modifyApacheConfig(findApacheConfigFile(), nonce, address)
     apache_restart()
 
 def main():
@@ -123,8 +123,14 @@ def main():
 
     #the second parameter is ignored
     #https://www.dlitz.net/software/pycrypto/api/current/
-    encryptedValue = testkey.encrypt('0x12345678', 0)
-    perform_sni_cert_challenge(encryptedValue, "nonce")
+
+    r = Random.get_random_bytes(S_SIZE)
+    r = "testValueForR"
+    nonce = Random.get_random_bytes(NONCE_SIZE)
+    nonce = "nonce"
+
+    y = testkey.encrypt(r, 0)
+    perform_sni_cert_challenge("127.0.0.1", y, nonce)
 
 if __name__ == "__main__":
     main()

server-ca/sni_challenge/README

@@ -0,0 +1,4 @@
+Open make.sh and change second command to point to your include/pythonX.X implementation.
+Run make.sh
+
+Run: make a call to verify_challenge(address, r, nonce).  Nonce and r must match up to original challenge values.  Example code is given in main().

server-ca/sni_challenge/verify_sni_challenge.py

@@ -1,9 +1,11 @@
 import M2Crypto
+from Crypto import Random
 import sni_support
 import hmac
 import hashlib
 
-S_SIZE = 20
+S_SIZE = 32
+NONCE_SIZE = 32
 
 def check(one, two, three, four, five):
     print "done"
@@ -61,13 +63,16 @@ def main():
     #Testing the example sni_challenge
     from Crypto.PublicKey import RSA
 
+    nonce = Random.get_random_bytes(NONCE_SIZE)
     nonce = "nonce"
     testkey = RSA.importKey(open("testing.key").read())
 
     #the second parameter is ignored
     #https://www.dlitz.net/software/pycrypto/api/current/
-    encryptedValue = testkey.encrypt('0x12345678', 0)
-    valid, response = verify_challenge("127.0.0.1", '0x12345678', nonce)
+    r = Random.get_random_bytes(NONCE_SIZE)
+    r = "testValueForR"
+    encryptedValue = testkey.encrypt(r, 0)
+    valid, response = verify_challenge("127.0.0.1", r, nonce)
     print response
 
 if __name__ == "__main__":