pyCA

Demo of a CA (Certification Authority) signing certificates and revoking them (issuing a CRL). This demo uses Python with the package pyOpenSSL. Python scripts are executed in Docker containers.

This application has been developed for HW7 of Computer and Network Security course at Sapienza University of Rome, year 2019/2020.

Description

This program is composed of a CA and two clients, namely client1 and client2. The execution is merely a simulation that can be summarized by the following points:

  1. the script that will be our CA self-signs a certificate and starts listening for clients that may want the CA to sign their CSRs,
  2. client1 produces a CSR and sends it to the CA, which sends back a signed certificate,
  3. client2 starts listening for incoming messages,
  4. client1 sends a message to client2, along with a signature of the message and its certificate (the one previously signed from the CA),
  5. client2 verifies the signature using the certificate, then asks the CA for a CRL, in order to verify the validity of the certificate,
  6. client2 receives the CRL and checks, by its serial number, whether the certificate has been revoked or is still valid (in this case it is still valid),
  7. client1 asks the CA to revoke its certificate (for example because its key has been compromised), then sends a message to client2 as it did before (this time, though, the certificate is no longer valid),
  8. client2 again verifies the signature using the certificate and asks the CA to send it a CRL,
  9. client2 receives the CRL and notices that the serial number of the certificate it received is among the revoked serial numbers in the CRL, meaning that the received certificate is no longer valid and, consequently, the signature can't be trusted.
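The nine steps above, replayed in one script as an added example (this is not code from the pyCA repository). It uses the `cryptography` package instead of pyOpenSSL, and the CA name "demo CA", the subject "client1" and the message are constructed values. It goes slightly beyond the step list on client2's side: before consulting the CRL it also checks that the certificate was really issued by the CA and that the CRL itself carries a valid CA signature, since a CRL from anyone else proves nothing about revocation.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW, ONE_DAY = dt.datetime.now(dt.timezone.utc), dt.timedelta(days=1)

def name(cn):  # helper for the constructed subject names used in this demo
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_ca():  # step 1: the CA self-signs its own certificate
    key = rsa.generate_private_key(65537, 2048)
    cert = (x509.CertificateBuilder().subject_name(name("demo CA")).issuer_name(name("demo CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def sign_csr(ca_key, ca_cert, csr):  # step 2: the CA signs a client's CSR
    if not csr.is_signature_valid: raise ValueError("CSR signature invalid")  # proof of key possession
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_DAY).sign(ca_key, hashes.SHA256()))
def issue_crl(ca_key, ca_cert, revoked_serials):  # steps 5 and 8: the CA issues a CRL
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + ONE_DAY))
    for serial in revoked_serials:
        revoked = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(ca_key, hashes.SHA256())
def verify_message(message, signature, cert, ca_cert, crl):  # client2, steps 5-6 and 8-9
    try:  # the certificate must be CA-issued and the signature must match the message
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        cert.public_key().verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False  # a CRL the CA did not sign proves nothing about revocation
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
def run_demo():  # replays steps 1-9; returns (accepted before revocation, accepted after)
    ca_key, ca_cert = make_ca()
    c1_key = rsa.generate_private_key(65537, 2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(name("client1")).sign(c1_key, hashes.SHA256())
    c1_cert = sign_csr(ca_key, ca_cert, csr)
    msg = b"hello client2"  # constructed sample message
    sig = c1_key.sign(msg, padding.PKCS1v15(), hashes.SHA256())
    before = verify_message(msg, sig, c1_cert, ca_cert, issue_crl(ca_key, ca_cert, []))
    after = verify_message(msg, sig, c1_cert, ca_cert, issue_crl(ca_key, ca_cert, [c1_cert.serial_number]))
    return before, after
```

`run_demo()` returns `(True, False)`: the same message and signature are accepted while the certificate is valid and rejected once its serial number appears in the CRL.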

How to Execute

After installing Docker and Docker Compose, run the following two commands to execute the program:

docker-compose build
docker-compose up

The console prints the output of the programs and shows the certificates being exchanged. At the end of the execution, the folder of each Python script contains all the keys and certificates that were used, along with the CSR and CRL that were produced.

At the end of the execution client1 terminates, while client2 and the CA keep listening for incoming connections. Shut them down with Ctrl+C if you need them to terminate.