vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

assignment 3 enunciado

Browse Source
This commit is contained in:
vasco
2026-05-11 11:38:51 +01:00
parent b03a6987f4
commit 66534a1648
57 changed files with 0 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
assignment2/VM_CONFIG.sh Normal file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# NOTA(vasco): feito para correr como root
if [[ "$USER" != "root" ]]; then
echo "corre o script como root"
exit 1
fi
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client ntpsec
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronização de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd

52
assignment2/VM_OPENSSL_APACHE.sh Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
# sim, é preciso fazer isto para carregar serviços
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
# mega paginas webs
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
httpd -X

20
assignment2/VM_ROAD_WARRIOR.sh Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# --- configuração --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts
fi
# --- vpn client --- #
vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf"

48
assignment2/VM_VPN_GATEWAY.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# NOTE(vasco):
# Ao configurar a maquina virtual em si deixei a rede externa primeiro (enp0s8)
# E a rede interna como a segunda interface (enp0s9).
# --- configuração --- #
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
if_dentro="enp0s9"
ip_dentro="10.60.0.3"
mega_tunel="tun0"
ip_mega_tunel="10.8.0.0/24"
ifconfig $if_fora $ip_fora netmask 255.255.255.0
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
openvpn --config /etc/openvpn/server/vpn.conf

74
assignment2/ca/1000.pem Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

74
assignment2/ca/1001.pem Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

74
assignment2/ca/1002.pem Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

77
assignment2/ca/1003.pem Normal file
View File

@@ -0,0 +1,77 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

77
assignment2/ca/apache.crt Normal file
View File

@@ -0,0 +1,77 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

74
assignment2/ca/apache.crt.old Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

17
assignment2/ca/apache.csr Normal file
View File

@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICxjCCAa4CAQAwVzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRcwFQYDVQQDDA5hcGFjaGUuY29p
bWJyYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCI+zIXm52VFUKl
syAOJxq9qhBqWZwYQMuBgHAzGiI0CG+UDJccaNRpWX5QZcFGKv2dTpYTR1jah4YO
rK2tSK3RsW5hK94EwV/PYPWmvT39s+ug24+fZ1uRdqqlh5qDVxqEPRHCs3GEUUjT
OI4O8sWWVbVuhkzwIp0ZE64jIerV/uQdnPtCOoSBQwMuxb3tC35IUIPgCxWHvWWb
DdB+VY0C6QOv/n0ZKO9GaywCBDMFLnOUEK5UJdKCVRAidHtEfMbT5TVeEK+eZ0kK
H/67AGAmqO5LZi999HYkPnOB5HlTPDDmJQCA+9IM+ufbARVSTsTsn5W0HaDneqJZ
d8AkE6kCAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDocECjwAAYIG
YXBhY2hlMA0GCSqGSIb3DQEBCwUAA4IBAQBzs+QEnIvT5ArumDP7/7TeEcOeTmfh
GkLMHKn2+lRH055KE+sv2k2l+PW4zrPLdEWw82CW7zy4ilpXjzywGIXZY0dCAWWH
wc/mRqbE6b4gdatU+LEqkcUiiCKkAh+stG1QOYB4yhISR0N/KWC4GIBsNIen8jjO
+qQunBa/wb7XRvHWCl4ihLMSA4PjijkxPOAjnGe6swPCo8gl39477bdAYL2Qrrr2
FxkZRZMZG1cSX2lV8DhBV4/AZAzZMGFHc4GOzcyzPNJ3PWFotv+jNQ1DxbTFmOYI
m6A0coUdCw87lYuWlH8J3s0CUUb7Swd1dKrTjk7UDOTG1VK7q7xYaMkJ
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/apache.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQiPsyF5udlRVC
pbMgDicavaoQalmcGEDLgYBwMxoiNAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeG
DqytrUit0bFuYSveBMFfz2D1pr09/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI
0ziODvLFllW1boZM8CKdGROuIyHq1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71l
mw3QflWNAukDr/59GSjvRmssAgQzBS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJ
Ch/+uwBgJqjuS2YvffR2JD5zgeR5Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qi
WXfAJBOpAgMBAAECggEAC8SDGlVLNoYEbF2h4U/zJHbp+yGpO14CAAnnh81WbvIt
PLCn0jor7zqfrnlWeKTfRa8EEYN2ffzc83NuCqHx7T8dSluI6G8vw1qWP96AJNil
d8k8wprN8BSiE+ih4ZYCSxCFyrQIQMJk/N1QfnG5AO3mGcYqJXrSlTdmTSgV4KTH
HMhcbE3oBi5sixfYuhz7JmoN2MtvUH7T1XQ93IK/EDANCHeOYfVDlQMv+VKqUsEA
4tB1j2Mk+MENIbxg2vswsDzi4X3geU9kDkZ+V/ahzQSKnoUJtC81QftGst7gia7i
Kl51DWvw3SXclDn//5ZSaWd6T0a0Gc8f73yC0vzKIQKBgQD9TVBrSTZTvJcJhhMQ
Tk7Epe96nWPw3PwKPntAaCcWaNi+AXOWw5oKX1Okilrsbxz5P6yH/jTvFZF33zpT
nhS30ew41GTSL0j3gCWK25I0SJOeth2dycyjd/yljotOGOz667vTGHleso7NYthD
s+iU6ceb7EuU9T0JjhHDsrVK8QKBgQDSwZmOwMAq0evNFgKB0QiipABIWhm7As1n
O0M439zA2bVo8Z3UAQb7YOBG/EoH+I/1HakJBM0BVyGRzkg4Krq0Dd8iL4gESj8E
niCtIC874AjhemVjHDPNwI/m93Czg8tqfd3r82rOa5HJWW4WYGeHPTjvd0puS8/6
SWTyBgSkOQKBgANxmKVMwoNS7g7AFuRC3ElKJD5bg29T4c1V2iEfCWEBnei/Zk3n
bOG1OBLlmqTaQd+VoQfcSeXyOh8SFt3qKUfyf66qHJDK+cf7owcHQy6YygD/Ytmx
U6npSLMLhBNUvWwP5mbRT10dOlnKfTw2ZvQXVZJmHQTybJkDqHQrqtFRAoGAA1t6
Kr//T69QZk/3ckH2NUEPkBd/WW9N/lr/UySdy6SsMyPGM95gUhjU+cyDEWVwRaNX
UgF1kpPkwQHcPKjRmJSv/Udsj0TvhA9QzfE5T2bePVlJzC5i1OBAapl+fh2XW/bt
Vhjmlqs4A1EdY9XdUFY1Vfs8gE1M3tvUc9aMtGECgYA3ebYLBwDB48gbYfnv8o3P
rY2hBfBsvfSKeYT/NPxG/XR035h9BnBcNG2L7U7GKmbxdULYZ2nEOSjqTxTvlHUO
ncGr7M00D9hpzTX+Yfr3em+lGsZxVfU7sKq1fWF/BdF7gCf8cdHk66gR19kYhi38
cEB0Z02sLDDP2AYOawrliA==
-----END PRIVATE KEY-----

21
assignment2/ca/ca.crt Normal file
View File

@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIUHeUZwwOlaXM3yPbokh5CjXEFw/YwDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0Nv
aW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQy
MjEwNDgwMloXDTI3MDQyMjEwNDgwMlowUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgM
B0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQD
DApDb2ltYnJhVlBOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1ft
wTq/HG1SavpgkRSP/ZO3hvW8lCR8e8ica/w7ogJwMoTAHz0axMpY9MQ6SmXXvXEh
/DY0wwM60jJ8f332fk3otcWzHznEK+EC2xrZSvnikWYSWcaDe6PzPtu0w9//y/Cl
Jt8ocvC1qyN20skhCP8nuTCW7o0nO+glPEHAl1fSuHuA/0tXbpROsxpi3cqzWypB
ufnDyIg4vxKbhQdtJn0UMvA2g92gTpxl9Dvt4L68L2e/Oz5B2l+USEIHxfkS+N1v
p8O22H+KV4+4Le76RJ/DOzV+pAieY4/bWIFQ5CsB6SvcHwP0CxOa1KOeHZbdyyDe
TBCmDTR3K4ZBy/ii2wIDAQABo1MwUTAdBgNVHQ4EFgQUrM15zIAXqo0WzJex6TZe
ACq9W9UwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAlkndsM3ikWZibO3l5UBBVSQjgjdf
8CdE3UyrzuTOTFGWW8ALD1PTMjZ/uFR6mX5pn3Afd6CcRvm/SP/ybh4q+7oBlJCT
hjJo/r8NAsaN1TubFSaLsQTzilZDCK6Go+WvcNgar0pwgMunqphBycuLOkT3cxli
ubGzplv33gA6EPwZ7LaSfMRf/mVeLutUyP0SKyos3/Je1lAz8Wel245JPJ2mI8fT
HopjnVWScOPedFKt/nh//RVTjZDvPGH5Lvglg9ko+Lc62JF/5XIqIS25TwcUskXK
KfotGiwJM1VHyi49PWEC1Asu7C9ljMbHy/UsISPGxUOq/oy3OQoj7DXEng==
-----END CERTIFICATE-----

28
assignment2/ca/ca.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzV+3BOr8cbVJq
+mCRFI/9k7eG9byUJHx7yJxr/DuiAnAyhMAfPRrEylj0xDpKZde9cSH8NjTDAzrS
Mnx/ffZ+Tei1xbMfOcQr4QLbGtlK+eKRZhJZxoN7o/M+27TD3//L8KUm3yhy8LWr
I3bSySEI/ye5MJbujSc76CU8QcCXV9K4e4D/S1dulE6zGmLdyrNbKkG5+cPIiDi/
EpuFB20mfRQy8DaD3aBOnGX0O+3gvrwvZ787PkHaX5RIQgfF+RL43W+nw7bYf4pX
j7gt7vpEn8M7NX6kCJ5jj9tYgVDkKwHpK9wfA/QLE5rUo54dlt3LIN5MEKYNNHcr
hkHL+KLbAgMBAAECggEAPpkTUJ3LtQVnfhWUfS87LxxPM9k0EFVH6gDUsFBjFCJb
vRZe5Mh0PnoOYKjZW7x+eA4z+Y+GDQdkkZezouB5mA5jiobOBbkpAtPQJmARtjzQ
W0XQY+uJWy+XqLoRN0lJRIrjalT8Dlp8XpbLU7mGQVimKdqO5Ab6ycs2q/ibW3dj
am9L/AaV8YW99xWeRVi8OKn1Oyhpaplnb7IDdeDx8/nCSplVx1EggsV7XPStfL2R
us8/sE525OCo7mriXBLph62r7C1oFxxeASIjpPD5+gh09CCoMcodETlCBKPia7Q4
ha/nnsjXRPZIq4b2y4BYzlCVnCldwKzr+QW+s0EZKQKBgQDZRV2kR4k9ytF1kG85
DCW8ogk03BZ2x9Wk6sEU3lUtR3YfyHe3zFrZ2lDynknVAxXABPQ8XG8i24O0ZQ/h
oiRu9LtUIf+rYVrZke8DiPEuGUdTMLeLMBUhWtSpG5kNrpr/hdt/lXnnszTd5Xon
YGpa2qQAB2eki+uxnJMbAHopRQKBgQDTT9V2FEUa+GG5mbQXClbXqbd7+8LoKH7l
VYzQxaWSWgW1o9/0NOBY5Jw6PoWdhbf0IzA2bYeKIChp6IwhEh9+A+Vdp0Hupz/Z
tDlHThWXUBqYTPM1mXX1KyEoNjGQiMMpeuOc0sUJZvMfFWrzkn0kG8VsB9u8n1ND
CQ+O3MaNnwKBgEQJ5+ApEr5KBDvnphzcQ/kFWRK3lUVPIQVLCnnpggzy4vfjBDKH
iS/NoSnJDd/p3mbKZl18qMTmryDPwSBscTJZ60vWdcUKcLPPcmTN/pDsE5zmlaO9
w/A1DIGEhfJ16k34chtLCOjZAsY2NYGdPNEExPTJXNh3hLCTErIS/S5tAoGAITum
A6sObz5vCCSPOSxsGgDcFYizz5VG18SLn+3lq02zJiz+tMZ4HiLeGx7oHq0AEEpU
c8roDSYflQB4wV67SzNLqF38tY7iMNfyRi+Wn7R+akN34I8hCQzeaxeS1ftcTjLA
h1JyoJbrV5Ejv+ji+4HOm73kphacnqdXJg28wFsCgYEAs4VbAruXv3thxJ8a7Y4n
8FRwdDV2nJRGYRR6WdE8qCLFi5rhoI2/sqblp2i/j8e419YWzj+pRqDMCWlePg+i
7Ne5swH3UQXb+3sS/q0BUnYuJDnpmae/qJ4gDU1NvHZnrqz047hfvHw9gAcCh4a2
IZGzyqYAUSqhzm9epjEZ9+w=
-----END PRIVATE KEY-----

12
assignment2/ca/cheese.cfg Normal file
View File

@@ -0,0 +1,12 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial
copy_extensions = copy
new_certs_dir = .
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied

22
assignment2/ca/create_all_keys.sh Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
[[ -e "serial" ]] || echo 1000 > serial
[[ -e "index.txt" ]] || touch index.txt
[[ -e "ca.key" ]] || openssl genrsa -out "ca.key" 2048
[[ -e "ca.crt" ]] || openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
[[ -e "vpn.key" ]] || openssl genrsa -out "vpn.key" 2048
[[ -e "vpn.csr" ]] || openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
[[ -e "vpn.crt" ]] || openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
[[ -e "dh2048.pem" ]] || openssl dhparam -out "dh2048.pem" 2048
[[ -e "ta.key" ]] || openvpn --genkey secret "ta.key"
[[ -e "user.key" ]] || openssl genrsa -out user.key
[[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user"
[[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
[[ -e "apache.key" ]] || openssl genrsa -out apache.key
[[ -e "apache.csr" ]] || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
[[ -e "apache.crt" ]] || openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg

8
assignment2/ca/dh2048.pem Normal file
View File

@@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBDAKCAQEAvqMnND0GPZb1287Irc8grekth4JCb5Mfz4iig9GR0AJNzIj+/hf6
Cnz3+5F6OD7XDyY7Prgq/dZ6KhZAnKOSQ4r6rDbgcVqPoU5g8ykKuhI3daAOr/Ut
EauKJN4kcTDARvdk9gebWNIDRrbuV0wv7QDsO3TIznn24MTnYUm3ReExv58fmqX6
Ttr74clxnUC660HX084sxhxAA9Mfewy+8KCxy1MF2MttZP6DY3IWEVokfK2W/ZlE
UsFIMNlblKK/JBn7Y/6/FZN/V8zwxFCQBhuvOvaNbtraejkeUnl7VdqQ6T4Rmvid
0jN5ddbuyyu+pm7WPU94ilLyPQECexnx7wIBAgICAOE=
-----END DH PARAMETERS-----

4
assignment2/ca/index.txt Normal file
View File

@@ -0,0 +1,4 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache
V 270422141459Z 1003 unknown /CN=apache.coimbra

1
assignment2/ca/index.txt.attr Normal file
View File

@@ -0,0 +1 @@
unique_subject = yes

1
assignment2/ca/index.txt.attr.old Normal file
View File

@@ -0,0 +1 @@
unique_subject = yes

3
assignment2/ca/index.txt.old Normal file
View File

@@ -0,0 +1,3 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache

2
assignment2/ca/revoke_user.sh Normal file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

1
assignment2/ca/serial Normal file
View File

@@ -0,0 +1 @@
1004

1
assignment2/ca/serial.old Normal file
View File

@@ -0,0 +1 @@
1003

21
assignment2/ca/ta.key Normal file
View File

@@ -0,0 +1,21 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
8ab6c529070f93ad262f6ba5ec506c5e
3e89f24851df40259a2e5fce5b98117c
4ccba0c1c5a045d802ee4638c1f047fb
f2537cb038f1faf976e1cf05ad2c5cc2
23be82d9bdd89180ff235bc995116c83
f08bc102313dd043fa3dcb924665fc36
408fd7bc620c6939e0a42f90e37a9ea7
078e323acbe6b844405b929fecbcc539
e5022c1e9a2b76503b63d35aeeb70cb4
cf260ac014c5914b30ee0020a737bcc5
d08a810e512769245993d9075572f1c0
4971992ba8782b2b7e6189b03c8e1448
842e42983c9af8c32d007237e9b597db
2c6cf399d16f153136307605297e3bbb
cb1b9b1cc9c4cb2f2684ad5d50dd0448
3480fb0a4cc3af1553e5b40645eae3f0
-----END OpenVPN Static key V1-----

74
assignment2/ca/user.crt Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

16
assignment2/ca/user.csr Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAd3YXJyaW9yMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2F42OIW7+BUpkCoDRyY2rUe4
gMIcsjVTNKPIeXMae8UG+Q77YekWgYFNVawlfZb0pBpG0AqvSGW3HpsCSkqvU2Qg
T6/Yq/eZwreAsoAkAHynQ/c1aUf8vM76Go6BwytV6lfI7HY7G1jpZcFml8U5Yh/H
8mSzajFBqWYA9Ug8MZtwp8rwuCjTz/uGJfCTF60/yGDdp6G+tOj8eUdTaO3rIbX3
qvW/IkXZEFrbvkHDCUdy9GvWIWV3Q3mJDc1yWBTiJVULF+iX1NAOnH2cOG5SUMsl
pQD8y2m7CfA68YqD53yVB0ZYEUEljVyRAuzSg0yY0KqtsPpnbCJ5h95a9QGPWQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAKBuw6o5zucZ3cULpuQBZiBtvodrV1ht
V7NCqQe5UoFP0wywUCQyB1A4rAT+Of3yJxKLYiBrq8u9/ra6zGfXTOxZSSpm+1cN
iZMVb3c57Hir3cS3sG/tLi147168GpBxiV87WLgBozw2ki0x9fApx5crLZY9/FlM
qCwTF8g/Pu6c/gXf+y/aGzcElx0tTpR5FvJopFJ/PNNJSmJZ22Mtbynvztnk8xB6
vzX3+0lp9eNv7X1IwcaDk45B1Fv+7OiyVZ57hOrsUsr4whmb7jctpEm5UzL4cHuE
nMjY5Eqe9Gsct5g7PO+LVH8CF1joBLShgqOIH+1k797iS5maYWHdYW0=
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/user.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYXjY4hbv4FSmQ
KgNHJjatR7iAwhyyNVM0o8h5cxp7xQb5Dvth6RaBgU1VrCV9lvSkGkbQCq9IZbce
mwJKSq9TZCBPr9ir95nCt4CygCQAfKdD9zVpR/y8zvoajoHDK1XqV8jsdjsbWOll
wWaXxTliH8fyZLNqMUGpZgD1SDwxm3CnyvC4KNPP+4Yl8JMXrT/IYN2nob606Px5
R1No7eshtfeq9b8iRdkQWtu+QcMJR3L0a9YhZXdDeYkNzXJYFOIlVQsX6JfU0A6c
fZw4blJQyyWlAPzLabsJ8DrxioPnfJUHRlgRQSWNXJEC7NKDTJjQqq2w+mdsInmH
3lr1AY9ZAgMBAAECggEAaYNcDqlM9pifWbHbQl2kyVDR7Vx78P3nMyLx1yQmFJiL
I3bGaUNpWcNMCsz1xW6Ro9s6kCa9vuD3cYHnFoKgSFrqFOIsmAQZZCbnqGSr6d7g
FNlfnxVfb1XCCqRXLG2cKrkffwzTGy17OEedt8KSjsLv10l7YvxdSHY5XmQZEpkU
l9O6olSvhaPQxx3RynR0rTdyESZMLMj2SqHpSlHg6TVvTjRH5EspMTpJiU/cNiqv
b57OH02gh1huS0DKV3aPvR8+6jlP0Ec0djcwXatQxzesFjHutVR1f5RBh36O6zJ0
9Nx2wxppFPsFVB5olJWzIkMH2MalYyIK5+0Lpl3PDwKBgQD04wRGe+EZrCcfLJy+
wpsBqoUeclhDtfz1aMlmhCurWdIQKiEn1lYVMopxn+FvZy3pyE9ymn7aSsmb6PT4
f1j3rOjYcWKceyUCdEsYDRq8ciW7bhKVwXd+763CI485x63ZkKcKe2b7v1GIhkII
7Kp/Nwh5tXxCp6ta+0hJO9nEqwKBgQDiL+CDlgkEVM0MsjuSS2arHwfolXEaoApy
CwX6abCOkV3RiMmuMGKidQJ3v0K+vI3WlG/fW9s6ZRe9mSj/Qu3hq3el5ozzSpW9
FOI41cTOHdvKDpN21Cgk9gMBt0Slp2+qrv+OT4zCheQV29mGZ0dudr5/fMzrAxnk
nbhkXlpUCwKBgQC5mgHYhfVypraz+vUF46rl1V61V8ar8xe4zGWwzEXoxdffJn8g
mWN/B2JEgf+zlokG4inM22l/eyVYhHR+js5YUXXc7frmTLMdLBTqMqxr3TvZ1bBC
TnKKA5A3TwozqbKK7gacfDDuZu+dwNv1taH3bzd+P13hiwDloQQFdVY0pwKBgEC1
S7i5apj3nbXdI5fFxHh+JygN4M6qLHLV3n72T5Fp2vo/9NrFcuJhMTSK3hBtJvLV
gm/W+o/pLfKK56SnRCDEijVHENnlY5M1b0atOWFyP1e99cgQB/ATBWcvRA9UKGkf
KXNQJMfdwBPU0pVV5KSgif00+fbd60FxMbhdGeBjAoGBAO4GIfg1FgIixd3BjuW8
vCcYqqyRphtiHUeZMoVeIVO+CwD4tm7Rj7mRux/3lU8qRFdD/5O5oFE5MR6gvyno
aBt/fPzA40/zjsDMdILaL6IoJUw1B3OsRUoNTupHxqkBl3gJV1WUnWMQftzNAYuy
GJzEUr6jpE6MJyt3osZwfurm
-----END PRIVATE KEY-----

74
assignment2/ca/vpn.crt Normal file
View File

@@ -0,0 +1,74 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

16
assignment2/ca/vpn.csr Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAdnYXRld2F5MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEZrDhI/wmQN3TbnhqL2mASG
IXOFO8zOfcV0+Y2X+MkBHOmI2xD8QKgqRHbeB705WMO6s5rSAZESyH8OelFW9qSt
TmOSjgW5nVp2N2BYYAoQ8m4Va3ahNJHFz8eGAM0/U8LpRYyGScKhNvnKO6UwdpL/
puX6QGfZkeokkKWk4BUq2s4bTvmGfp8z3ukk3Llg+snw4HmDo9OzyWE3nSar6b0h
aHRRAuCiNiSexl0i8/Z2jRer40ai3KPk+LyiS1mLdvSRfi9IebZyG9VF4p/TjbL2
RVMHlU2OdnO4VBAXY8QHv7+mck/qvrcdODc6lSaPNoGgUwfTSTJ63jx/YbZ8IQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAAqV168ZttquI1P85iodBEo4pkefV9g7
DNOtjf/BQ4SZUmtMBSH95aH1o+EjhYy+522IJ7yTOke5uTsr4R0uD/D7EX9hKnp5
Qx2t/QZc+q3VKzOMV687VfBfq2RErMGSvJmk7cH40HyDlh4Ts5NZO3CAwaiIovKc
ddcZfrO3naktT8jwayWA16pk+vxf0G3jwJqbeizyS0hl12+dwPr/+ESRHCQoSkUH
wG5mL4eRW5E0NyuH9iGvOHms6WDrPU0qp2Rztql+FYZB+qGPJ3pdsajCIjJG7n4E
n3D5ofg5q3dlLHAwueMcMLGL9hpjXRGLZturgB5JdUp9+1fMhgxYfFY=
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/vpn.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8RmsOEj/CZA3d
NueGovaYBIYhc4U7zM59xXT5jZf4yQEc6YjbEPxAqCpEdt4HvTlYw7qzmtIBkRLI
fw56UVb2pK1OY5KOBbmdWnY3YFhgChDybhVrdqE0kcXPx4YAzT9TwulFjIZJwqE2
+co7pTB2kv+m5fpAZ9mR6iSQpaTgFSrazhtO+YZ+nzPe6STcuWD6yfDgeYOj07PJ
YTedJqvpvSFodFEC4KI2JJ7GXSLz9naNF6vjRqLco+T4vKJLWYt29JF+L0h5tnIb
1UXin9ONsvZFUweVTY52c7hUEBdjxAe/v6ZyT+q+tx04NzqVJo82gaBTB9NJMnre
PH9htnwhAgMBAAECggEABIq6WGuOSDU7tGN3sGLMChzJ05LC2w90x8n0qXSF/wVy
Vm031PkS7MhhxKcNcihZcs+9+Ek62bjTOC0Af2jo7ShJ2gNC7NQshyRAh9N2LlLv
17laIO6Kswb1O673h5tr9KxWDkx2jN76HqZl/4xbn/Cp5C/WGqmmsQNyAF9Om+08
M/5jB3aVT4PFBoyOXd3WDkuxG1wEfFZPrrbOu7T06duzMH8yYnxFX42UyDOVNT73
iqZsxLzlOjLiAaVEZE+2WpZICnwaa04OaOimGHgYEcr4DFQwgUvkVQBvg6sDHVk2
R9GpBsf7BJceimpOAzw3zQaJ/BftFgli6/gHCZpJAQKBgQDgxxbBIxyVHYeaddAJ
cDMHTCr2wsk63gUxdqilDC/HZWpCtB1AI02IyxjPVQ87FxtQrCrGXAeztrqYRbKB
7bPu4UbYP1XCm8o0jNIsFObrMKv1KFLTycZEmvhjivFrQMXLunyPmciV1HKoPg1w
fZqJjn6X6nJyYEZBYDX6XmaX8QKBgQDWbVNxMEw4cpEdpl9lMTpry87XS1SpOKSR
YLqa5yhXMC+5l54B3a/xxoo3wY8YJLixWy67PXakKZ4iWhmAxzQocAJ4ML0ztLep
Z6fGjmE4XyBKQRIz4NaHZ76bh3SwSc07XirTahib6CPjpVc4b5h7+4JNcnmpIiq7
yFs0RfjXMQKBgAOQRHUVaGuYx0CUo5Kyu6xe8cNtvSD4yh5JokzTj6Jaoj+ieWA9
7wm/JoqK763hJOa3hAoXBWw89mJZoIXczeB4o9Xj0yk9rQv+O4rFXg/WerNtSzre
VQ1bY5q4ZjFsGnarYzQnnP17G8I9EZt58kxB/RHNfrj/e72nl9N7UacRAoGBAKeS
/t/5X8fJeTFTwT+i7kYqG/bTL1GkK7BViN/gAP3KcbG4FMrehk8L2x7hzMOQhypL
2USJLzvyLlwoT7/9bfygNL3bUTGkbNgeYtbglIfqh6CgI+qZLu7ZG/QOMxpGQva/
i/Z29s545/tTTsuTIvbZwqZl7UBJrF3eobBDcsoxAoGAbtIHtMulH7WJYu57DdC2
AD/xc0YBESCDN8wV73XZrOTluuCXDGOiQow4jWZM9SgFosVY0DrAM4pu6JWso93x
xAPexrca18YxCs2UwT66AYzDXOcijl1F9fUitf3WC/sZWmO3sd1FVFuLRGlq8mXY
kGgsbmgiuKROuuMqB2fHgWo=
-----END PRIVATE KEY-----

19
assignment2/conf/client.conf Normal file
View File

@@ -0,0 +1,19 @@
client
dev tun
proto udp
remote 193.136.212.1 1194 # ip da vpn gateway
persist-tun
persist-key
# certificados
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/user.crt
key /etc/openvpn/client/user.key
# auth
cipher AES-256-GCM
auth SHA256
auth-user-pass
tls-auth /etc/openvpn/client/ta.key 1
reneg-sec 0

3
assignment2/conf/httpd-totp Normal file
View File

@@ -0,0 +1,3 @@
auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
auth required pam_unix.so use_first_pass
account required pam_unix.so

20
assignment2/conf/httpd.conf Normal file
View File

@@ -0,0 +1,20 @@
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule mpm_event_module modules/mod_mpm_event.so
User apache
Group apache
Listen 80
Listen 443
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

15
assignment2/conf/ocsp-verify.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
depth=$1
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ]; then
# é preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "good"; then
exit 0 # sucesso
fi
exit 1 # revogado ou não encontrado
fi
exit 1
fi

64
assignment2/conf/ssl.conf Normal file
View File

@@ -0,0 +1,64 @@
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# mutual authentication
SSLVerifyClient require
SSLVerifyDepth 1
# ocsp validation
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# session management
Session On
SessionCookieName session path=/;HttpOnly;Secure
# proteger
<Location "/">
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
AuthFormLoginRequiredLocation "/login.html"
Require valid-user
</Location>
# public login page
<Location "/login.html">
AuthType None
Require all granted
</Location>
# login handler
<Location "/dologin">
SetHandler form-login-handler
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
Require all granted
AuthFormLoginSuccessLocation "/index.html"
AuthFormLoginRequiredLocation "/login.html?error=1"
</Location>
# logout handler
<Location "/logout">
SetHandler form-logout-handler
AuthFormLogoutLocation "/login.html?loggedout=1"
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>

3
assignment2/conf/totp Normal file
View File

@@ -0,0 +1,3 @@
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so

29
assignment2/conf/vpn.conf Normal file
View File

@@ -0,0 +1,29 @@
local 193.136.212.1
port 1194
proto udp
dev tun
verb 4
# Bro is too honorable
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0

BIN
assignment2/entrega.zip Normal file
View File

Binary file not shown.

4702
assignment2/entrega.zip.asc Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
assignment2/enunciado.pdf Normal file
View File

Binary file not shown.

143
assignment2/enunciado.txt Normal file
View File

@@ -0,0 +1,143 @@
FSI 2025/2026
Practical Assignment #2
1. Goals
Configure a VPN tunnel in the “road warrior” scenario.
Enable two-factor user authentication with OpenVPN and Apache services.
Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
2. General description
Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
we will use OpenVPN (https://openvpn.net).
Figure 1 Scenario for the Practical Assignment #1
Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
Figure 2 X.509 mutual authentication and OCSP
As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
required for the road warrior. Next, we describe the configuration requirements for the various components of the
assignment.
3. Configuration requirements
VPN tunnel for remote access (road warriors)
As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
X.509 certificate, issued by the private CA of the scenario.
The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
and, in case the certificate is revoked, the gateway should refuse the connection.
In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
must present a valid username and password, plus a one-time password (OTP, or an authentication token).
Web server
2
The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
following configuration requirements should be considered:
Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
Two-factor user authentication
As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
remote service. This application is available for iOS and Android 1.
Certification authority
As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
considered:
The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
The Certification Authority allows the revocation of certificates previously issued.
The Certification Authority also supports a OCSP responder.
For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
1
3
Figure 3 Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
4. Delivery of the Practical Assignment
With the assignment, please deliver also a report, containing the following information:
Descriptions of the configurations for the implementation of the previous requirements.
A description of how the private Certification Authority was created using OpenSSL.
A description of how X.509 certificates were issued and revoked using the private Certification Authority.
A description of the tests performed to validate the functionalities implemented.
Remaining information considered relevant.
For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
Delivery deadline:
The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
Submission via Inforestudante.
4

BIN
assignment2/relatorio/google-authenticator.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

27
assignment2/relatorio/relatorio.aux Normal file
View File

@@ -0,0 +1,27 @@
\relax
\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
\@nameuse{bbl@beforestart}
\catcode `"\active
\providecommand\hyper@newdestlabel[2]{}
\providecommand\HyField@AuxAddToFields[1]{}
\providecommand\HyField@AuxAddToCoFields[2]{}
\babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{3}{section.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}\protected@file@percent }
\gdef \@abspage@last{13}

1
assignment2/relatorio/relatorio.listing Normal file
View File

@@ -0,0 +1 @@
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

1288
assignment2/relatorio/relatorio.log Normal file
View File

File diff suppressed because it is too large Load Diff

18
assignment2/relatorio/relatorio.out Normal file
View File

@@ -0,0 +1,18 @@
\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000\347\000\343\000o}{}% 1
\BOOKMARK [1][-]{section.2}{\376\377\000P\000r\000e\000p\000a\000r\000a\000\347\000\343\000o\000\040\000I\000n\000i\000c\000i\000a\000l}{}% 2
\BOOKMARK [2][-]{subsection.2.1}{\376\377\000C\000r\000i\000a\000\347\000\343\000o\000\040\000d\000e\000\040\000C\000e\000r\000t\000i\000f\000i\000c\000a\000d\000o\000s}{section.2}% 3
\BOOKMARK [2][-]{subsection.2.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000g\000e\000r\000a\000l}{section.2}% 4
\BOOKMARK [1][-]{section.3}{\376\377\000V\000P\000N\000\040\000G\000a\000t\000e\000w\000a\000y}{}% 5
\BOOKMARK [2][-]{subsection.3.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.3}% 6
\BOOKMARK [2][-]{subsection.3.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000S\000e\000r\000v\000i\000\347\000o\000\040\000O\000p\000e\000n\000V\000P\000N}{section.3}% 7
\BOOKMARK [2][-]{subsection.3.3}{\376\377\000E\000r\000r\000o\000s}{section.3}% 8
\BOOKMARK [2][-]{subsection.3.4}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000r\000\040\000o\000\040\000u\000t\000i\000l\000i\000z\000a\000d\000o\000r\000\040\000c\000o\000m\000\040\000T\000O\000T\000P}{section.3}% 9
\BOOKMARK [1][-]{section.4}{\376\377\000V\000P\000N\000\040\000C\000l\000i\000e\000n\000t\000\040\000\050\000R\000o\000a\000d\000\040\000W\000a\000r\000r\000i\000o\000r\000\051}{}% 10
\BOOKMARK [2][-]{subsection.4.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.4}% 11
\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000C\000l\000i\000e\000n\000t\000e\000\040\000O\000p\000e\000n\000V\000P\000N}{section.4}% 12
\BOOKMARK [2][-]{subsection.4.3}{\376\377\000T\000e\000s\000t\000e\000s}{section.4}% 13
\BOOKMARK [1][-]{section.5}{\376\377\000S\000e\000r\000v\000i\000d\000o\000r\000\040\000A\000p\000a\000c\000h\000e\000\040\000e\000\040\000O\000C\000S\000P}{}% 14
\BOOKMARK [2][-]{subsection.5.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.5}% 15
\BOOKMARK [3][-]{subsubsection.5.1.1}{\376\377\000T\000e\000s\000t\000e\000s}{subsection.5.1}% 16
\BOOKMARK [1][-]{section.6}{\376\377\000T\000e\000s\000t\000e\000\040\000I\000n\000t\000e\000g\000r\000a\000d\000o}{}% 17
\BOOKMARK [1][-]{section.7}{\376\377\000C\000o\000n\000c\000l\000u\000s\000\343\000o}{}% 18

BIN
assignment2/relatorio/relatorio.pdf Normal file
View File

Binary file not shown.

575
assignment2/relatorio/relatorio.tex Normal file
View File

@@ -0,0 +1,575 @@
\documentclass[11pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{style}
\setlength{\parindent}{0em}
\setlength{\parskip}{2ex}
\title{Practical Assignment \#2}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\newpage
\tableofcontents
\newpage
\section{Introdução}
Este projeto tem como âmbito implementar, uma rede virtual privada (VPN) num cenário
de road-warrior, configurar \textit{two-factor authentication} (2FA) com os serviços
OpenVPN e Apache, e gerir certificados X.509 utilizando OCSP.
% NOTE(vasco): Eu acho que basta explicar o cenario e explicar como decidimos
% implementar <- yeah agree, also esta introdução acho que é boa fala sobre o objetivo
% e o cenario, e porque é que o nosso cenario é como é. Não sei se a parte das razões de
%segurança devia estar nesta parte ou na conclusão como perpetiva futura e reflexão, mas aqui
%também não está mal.
% Para tal, foi implementado um servidor e um cliente OpenVPN, certificados por uma
% autoridade central (CA) que em si é \textit{self-signed}. Para além disto, foi implementado
% um sistema de autenticação de dois factores através do plugin
% \textit{google-authenticator} para o OpenVPN e para o servidor de Apache.
Decidimos utilizar apenas três máquinas virtuais: o cliente (ou \textit{road warrior}),
a \textit{gateway} que utiliza OpenVPN e um servidor interno com OpenSSL e Apache.
Isto simplifica a elaboração do projecto, mas por razões de segurança poderia querer
separar a máquina de OpenSSL de outras máquinas destinadas a serviços da rede interna,
pois esta contém o \textit{certificate authority} (CA).
% Ambos o OpenVPN eo servidor Apache utilizam 2FA,
% recebendo o utilizador, e uma password que é uma concatenação da palavra-passe do utilizador
% e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação.
\begin{tabular}{l l l}
{\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
OpenSSL / Apache & VM\_OPENSSL\_APACHE.sh & Rede Interna 10.60.0.0/24 \\
\end{tabular}
\section{Preparação Inicial}
\subsection{Criação de Certificados}
Os certificados utilizados foram auto-certificados por uma autoridade central que ``pertence''
à máquina de OpenSSL. Esta mesma faz a gestão da lista de revogação.
Todas as chaves foram criadas no mesmo computador, com as variáveis que estão
neste código. Aspetos importantes para mais tarde serão os parâmetros de Comon Name (CN)
pois servem para a validação do certificado ambos pelo OpenSSL e pelo browser.
Nós optamos por assumir que num cenário real, teríamos acesso físico às máquinas, por isso em vez
de utilizar, por exemplo SCP ou FTP, escolhemos partilhar os ficheiros a partir da máquina host. No entanto, outra abordagem também estaria correta.
\begin{codeblock}[bash]{create\_all\_keys.sh}
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
openssl genrsa -out "ca.key" 2048
openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
openssl genrsa -out "vpn.key" 2048
openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
openssl dhparam -out "dh2048.pem" 2048
openvpn --genkey secret "ta.key"
openssl genrsa -out user.key
openssl req -new -key user.key -out user.csr -subj "$cert_user"
openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
openssl genrsa -out apache.key
openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
openssl --genkey secret ta.key
\end{codeblock}
Como o CA foi criado ``\textit{in place}'', e não na sua pasta prédefinida, foi necessário utilizar
um configuração própria para definir os ficheiros \textit{index.txt} e \textit{serial}.
\begin{codeblock}[bash]{cheese.cfg}
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial
copy_extensions = copy
new_certs_dir = .
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
\end{codeblock}
\subsection{Configuração geral}
Para evitar repetição e redundancia; e para garantir consistencia na elaboração do projeto criamos varios shell scripts, um destinado a cada maquina virtual.
Para configurar as VMs era preciso introduzir os mesmos comandos várias vezes, o que levava muitas vezes a erros de escrita,
ou a correr o mesmo comando várias vezes, por isso criamos vários ficheiros .sh para conseguir facilitar o processo.
A utilização de ficheiros .sh também vem com outros positivos pois facilita a testagem, e a recriação do cenário rapidamente.
No entanto para os serviços que configuramos, instalar, desativar e dar flush às iptables não foi suficiente, tivemos que criar
pastas e sincronizar os relógios de todas as VMs visto que elas estarem ligeiramente atrasadas nunca conseguíamos acertar na
password do google-authenticator visto que utiliza o tempo local para calcular a sua chave.
\begin{codeblock}[bash]{VM\_CONFIG.sh}
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronizacao de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd
\end{codeblock}
\section{VPN Gateway}
\subsection{Configuração da Máquina}
Como já foi dito anteriormente, cada máquina vem com um \textit{script}
que instala toda a configuração necessária.
Para que a gateway funcione como router entre a rede externa e a rede interna,
foi necessário ativar o \textit{IP forwarding} no kernel e configurar as regras
de \textit{iptables} para permitir o tráfego da VPN e realizar o mascaramento
de IP (NAT).
% NOTA(vasco): Não temos regras de DROP a packets
% talvez deviamos mudar isso nao sei <- não diz nada no enunciado ¯\_(ツ)_/¯
% também o trabalho não é sobre ip tables por isso it does make sense não fazer drop
%e utilizar as regras apenas para encaminhar corretamente.
% Colocar isso na conclusão tho
\begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh}
#!/bin/bash
# --- configuracao --- #
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
if_dentro="enp0s9"
ip_dentro="10.60.0.3"
mega_tunel="tun0"
ip_mega_tunel="10.8.0.0/24"
ifconfig $if_fora $ip_fora netmask 255.255.255.0
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
openvpn --config /etc/openvpn/server/vpn.conf
\end{codeblock}
\subsection{Configuração do Serviço OpenVPN}
O servidor OpenVPN utiliza um certificado X.509 assinado pelo nosso \textit{Certificate Authority} (CA).
E faz uso de um script \texttt{oscp-verify.sh} para validar ou revogar os certificados através do servidor OCSP.
\begin{codeblock}{vpn.conf}
local 193.136.212.1
port 1194
proto udp
dev tun
verb 4
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# ocsp and revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0
\end{codeblock}
Foi criado o ficheiro \texttt{totp} com a configuração de autenticação a
ser utilizada pelo plugin de PAM para o openvpn.
\begin{codeblock}{totp}
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so
\end{codeblock}
Este script simplesmente comunica com o servidor OpenSSl
e verifica o resultado.
\begin{codeblock}{ocsp\_verify.sh}
#!/bin/bash
depth=$1
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ]; then
# e preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "good"; then
exit 0 # sucesso
fi
exit 1 # revogado ou nao encontrado
fi
exit 1
fi
\end{codeblock}
\subsection{Erros}
Um dos erros que encontramos pelo caminho foi que o OpenSSL OCSP espera que o
\textit{serial} esteja num formato diferente do que o esperado. Foi necessário
converter para hexadecimal primeiro.
Adicionalmente, devido às restrições de segurança do \textit{systemd},
tentamos desativar o \texttt{ProtectHome} no serviço do OpenVPN
para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator
localizados nas diretorias \textit{home} dos utilizadores. Mas isto não
foi suficiente, por isso acabamos por correr os serviços pela linha
de comandoos.
\subsection{Configurar o utilizador com TOTP}
Primeiro, na gateway, entramos como o utilizador desejado e obtemos a chave
do gerador de palavras passes temporárias. Ao inserir a chave no
\texttt{google authenticator} podemos obter um código QR, a nossa primeira
chave de 6 dígitos.
\begin{figure}[h]
\centering
\includegraphics[width=8em]{google-authenticator}
\end{figure}
\begin{codeblock}[bash]{}
su john
google-authenticator
\end{codeblock}
\section{VPN Client (Road Warrior)}
\subsection{Configuração da Máquina}
Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts:
\begin{codeblock}{VM\_ROAD\_WARRIOR.sh}
#!/bin/bash
# --- configuracao --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts
fi
# --- vpn client --- #
vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf"
\end{codeblock}
% Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway
% os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
% ao domain para não haver erros.
%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
consiga comunicar e ser validado pela gateway.
\subsection{Configuração do Cliente OpenVPN}
O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN
gateway na porta 1194. Para garantir a segurança, utilizamos autenticação mútua (os certificados X.509)
e um \textit{two factor authentication} (2FA) como palavras-passe temporárias, geradas através do
\textit{Google Authenticator}.
\begin{codeblock}{client.conf}
client
dev tun
proto udp
remote 193.136.212.1 1194
ca ca.crt
cert user.crt
key user.key
auth-user-pass
cipher AES-256-GCM
auth SHA256
\end{codeblock}
\subsection{Testes}
Para verificar que a autenticação foi corretamente implementada, inserimos a password de um utilizador sem os digitos do TOTP, e identificamos que utilizar somente a password não é suficiente para autenticar. Igualmente ao utilizar ambos a autenticação é bem sucedida.
Para verificar que o tunel foi estabelecido, primeiro corremos na linha de comandos \texttt{ip a}. Observamos a existencia de uma nova interface tun0, ou seja o tunel foi corretamente establecido. Depois demos ping ao route e depois ao servidor interno, que resultou em pacotes devolvidos para ambos.
% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
% TODO: erros ortograficos lol
Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o
cliente e o servidor já estavam correctamente configurados.
Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
\section{Servidor Apache e OCSP}
Para a configuração da ultima maquina, temos o OpenSSL e Apache no mesmo servidor, por isso temos de configurar
as pastas necessarias, os utilizadores do serviço, configurar os edereços e uma route:
\begin{codeblock}{VM\_OPENSSL\_APACHE.sh}
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
httpd -X
\end{codeblock}
\subsection{Configuração da Máquina}
Como já referimos a Máquina tem ambos o serviço OpenSSL e Apache, por isso vai precisar de dois .conf files para
configurar-los. O httpd.conf tem as portas e modulos enquanto o ssl.conf tem a configuração da autenticação mútua, e o OCSP:
\begin{codeblock}{httpd.conf}
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule mpm_event_module modules/mod_mpm_event.so
User apache
Group apache
Listen 80
Listen 443
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
\end{codeblock}
\begin{codeblock}{ssl.conf}
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# mutual authentication
SSLVerifyClient require
SSLVerifyDepth 1
# ocsp validation
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# session management
Session On
SessionCookieName session path=/;HttpOnly;Secure
# proteger
<Location "/">
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
AuthFormLoginRequiredLocation "/login.html"
Require valid-user
</Location>
# public login page
<Location "/login.html">
AuthType None
Require all granted
</Location>
# login handler
<Location "/dologin">
SetHandler form-login-handler
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
Require all granted
AuthFormLoginSuccessLocation "/index.html"
AuthFormLoginRequiredLocation "/login.html?error=1"
</Location>
# logout handler
<Location "/logout">
SetHandler form-logout-handler
AuthFormLogoutLocation "/login.html?loggedout=1"
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>
\end{codeblock}
\subsubsection{Testes}
\begin{itemize}
\item \textbf{Domínio:} Verificou-se que o acesso só é permitido utilizando o endereço correto, pois se for inserido outro dominio, não é direcionado para o site do Apache.
\item \textbf{Redirecionamento HTTPS:} Ao testar quando colocamos http, e o dominio certo, era redirecionado para https.
\item \textbf{Autenticação com o Certificado:} O acesso foi negado ao apresentar certificados inválidos ou ausentes no browser, devolvendo um erro com sobre não conseguir establecer connexão porque falta de certificado.
\end{itemize}
Para testar o OCSP, fizemos os seguintes paços:
\begin{enumerate}
\item Estabelecer a ligação VPN e verificar a conectividade à rede interna.
\item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador:
\begin{codeblock}[bash]{revoke.sh}
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
\end{codeblock}
\item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação.
\item Tentar estabelecer uma nova ligação VPN e verificar que a autenticação falha devido à resposta \texttt{revoked} do responder OCSP.
\end{enumerate}
\section{Teste Integrado}
Para validar, efetuámos um teste integrado englobando todos os requisitos:
\begin{enumerate}
\item Começamos por iniciar todas as máquinas com os devidos \textit{scripts}.
\item Na máquina \textit{Road Warrior}, iniciámos a ligação OpenVPN com o utilizador, a sua password e o \textit{token} TOTP.
\item O \textit{Gateway} OpenVPN verifica as credenciais e verifica o certificado cliente contra o servidor OCSP.
\item Antes de acedermos ao firefox, temos que verificar que já adicionámos a nossa a nossa CA e o certificado \texttt{p12}.
\item Através do túnel VPN, acedemos agora ao endereço \texttt{https://apache.coimbra} no browser.
\item O servidor Apache solicitou o certificado X.509 do utilizador e validou a sua autenticidade e estado de revogação no OCSP.
\item Finalmente, o Apache apresentou a página de login, onde inserimos as credenciais e o código TOTP.
\end{enumerate}
\section{Conclusão}
Atingimos o objetivo deste trabalho: conseguimos configurar o túnel VPN,
o \textit{two-factor authentication} em múltiplos serviços, e conseguimos gerir o ciclo de vida dos
certificados emitidos através de uma CA própria e OCSP. Utilizar mais máquinas para simular um cenário
maior seria redundante e apenas exigiria a emissão de mais certificados, não acrescentando muito ao nível de aprendizagem.
Aplicando conhecimentos de trabalhos anteriores,
poderíamos aplicar políticas mais restritas nas \textit{iptables} (ex: regras de DROP aos pacotes indesejados),
e implementar ferramentas como o Suricata para identificar possíveis anomalias e ataques aos serviços.
\end{document}

19
assignment2/relatorio/relatorio.toc Normal file
View File

@@ -0,0 +1,19 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introdução}{3}{section.1}%
\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}%
\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}%
\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}%
\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}%
\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}%
\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}%
\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}%

64
assignment2/relatorio/style.sty Normal file
View File

@@ -0,0 +1,64 @@
\usepackage[margin=1in]{geometry}
\usepackage{raleway}
\renewcommand{\familydefault}{\sfdefault}
\usepackage{ulem}
\usepackage{wrapfig}
\usepackage{graphicx,tabularx,booktabs}
\usepackage{paracol}
\usepackage[dvipsnames]{xcolor}
\usepackage{enumitem,amssymb}
\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
\graphicspath{{./img/}}
\usepackage{enumitem,amssymb}
\newlist{todolist}{itemize}{2}
\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
\usepackage{pifont}
\usepackage{amssymb}
\usepackage[most]{tcolorbox}
\tcbuselibrary{listings, skins, breakable}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2,
commentstyle=\color{gray},
keywordstyle=\color{MidnightBlue}\bfseries,
stringstyle=\color{ForestGreen}
}
\newtcblisting{codeblock}[2][]{
enhanced,
breakable,
colback=gray!2!white,
colframe=gray!20!black,
attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
boxed title style={
colback=gray!20!black,
outer arc=0pt,
arc=0pt,
top=1pt,
bottom=1pt,
},
fonttitle=\bfseries\ttfamily\footnotesize,
title={#2},
listing only,
listing options={
style=mystyle,
language=#1,
}
}
\setlength{\parskip}{1em}%
\setlength{\parindent}{0em}%

BIN
assignment2/user.p12 Normal file
View File

Binary file not shown.

13
assignment2/www/index.html Normal file
View File

@@ -0,0 +1,13 @@
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Coimbra VPN</title>
</head>
<body>
<h1>Coimbra VPN</h1>
<p>Lorem ipsum dolor, sit amet consectetur adipisicing elit.
Minima porro unde praesentium sint itaque optio, deserunt eum est voluptatum, natus nihil repellat amet impedit? Fugiat fugit ex quis molestiae sit.</p>
</body>
</html>

25
assignment2/www/login.html Normal file
View File

@@ -0,0 +1,25 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Coimbra VPN</title>
</head>
<body>
<h1>Two-Factor Auth</h1>
<p>Enter your UNIX credentials and TOTP code</p>
<form action="/dologin" method="POST">
<label for="username">Username</label>
<input type="text" id="username" name="httpd_username" placeholder="username">
<br>
<label for="password">UNIX Password (password + 6 digit TOTP)</label>
<input type="password" id="password" name="httpd_password" placeholder="password + TOTP" required>
<button type="submit">Login</button>
</form>
</body>
</html>