This is a baby CA working in lab/intranet
Message space
Signature space
Key space
$1 \lt e \lt \phi(N)$ such that gcd(e, $\phi(N)$) = 1. Compute d such that$ed \equiv 1 \mod \phi(N)$
Sign
Given a message x and private key K=(p, q, a)
Verify
Given a message x with signature y and public key (n, b), compute
CA
Generate private key CAPri.key
and CA cert CA.pem
. CA acts as root CA.
openssl genrsa -des3 -out CAPri.key 2048
openssl req -x509 -new -nodes -key CAPri.key -sha256 -days 365 -out CA.pem
Then run Baby-CA.py
Node 1
Generate private key node1Pri.key
and generate CSR node1.csr
(cert request)
openssl genrsa -out node1Pri.key 2048
openssl req -new -key node1Pri.key -out node1.csr
CA
Generate cert node1.crt
with CSR
openssl x509 -req -in node1.csr -CA CA.pem -CAkey CAPri.key -CAcreateserial -out node1.crt -days 365 -sha256
Node 1
Sign to-sign.txt
using the private key node1Pri.key
. Get the signature signature.txt
openssl dgst -sha256 -sign node1Pri.key -out signature.txt to-sign.txt
Node 2
To verify the signature signature.txt
, first load the cert node1.crt
, then verify. If to-sign.txt
is changed, verification failure will occur.
openssl x509 -in node1.crt
openssl dgst -sha256 -verify <(openssl x509 -in node1.crt -pubkey -noout) -signature signature.txt to-sign.txt
If -f
is set for Baby CA, CA will listen to port 3001
for flag values from clients. If "1" received, the flag value for the certain client would be updated to "True" ("False by default").
First generate private key and pem for CA.
openssl genrsa -des3 -out CAPri.key 2048
openssl req -x509 -new -nodes -key CAPri.key -sha256 -days 365 -out CA.pem
Baby CA
usage: Baby-CA.py [-h] [-f]
options:
-h, --help show this help message and exit
-f, --flag The CA will constantly receive flags from clinets.
Baby Client
usage: Baby-Client.py [-h] [-k] [-r] [-c]
options:
-h, --help show this help message and exit
-k, --key Generate Private Key locally
-r, --request Construct CSR locally and request CA for cert
-c, --cert Print cert info
Examples
Generate private key for client:
Start Baby CA without -f
option:
Start Baby CA with -f
option: