Commit 2ad7d712 authored by Janek Bevendorff

Update PKI cert issue script

parent 4191a783
......@@ -26,12 +26,15 @@ if [ "$CMD" == "issue" ]; then
DEFINE_string "cryfs_dir" "" "CryFS base dir containing the encrypted certificates." "d"
DEFINE_string "root_cn" "" "CN of the root certificate for signing (optional)" "r"
DEFINE_string "type" "client" "Certificate type (client | server | ca)" "t"
DEFINE_string "common_name" "" "Common Name (CN) for the certificate" "c"
DEFINE_string "organization" "Webis" "Organization (O) for the certificate (optional)" "g"
DEFINE_string "common_name" "" "Common Name (CN) for the certificate (e.g., username)" "c"
DEFINE_string "full_name" "" "User's full name" "f"
DEFINE_string "default_subj" "/C=DE/ST=Thuringia/L=Weimar/O=Webis/" "Default Subj fields (optional)" "s"
DEFINE_string "organizational_unit" "" "Organizational Unit (OU) for the certificate (optional)" "u"
DEFINE_string "email" "" "E-Mail address for the certificate" "e"
DEFINE_string "csr" "" "CSR file (optional)" "s"
DEFINE_string "out" "" "OpenVPN .ovpn config file to generate (required if --type=client)" "o"
DEFINE_boolean "no_password" false "Do not encrypt private key" "n"
DEFINE_boolean "overwrite" false "Overwrite existing certificates instead of incrementing CN" "x"
DEFINE_string "csr" "" "CSR file (optional)" "i"
DEFINE_string "out" "/dev/stdout" "OpenVPN .ovpn config file to generate (optional)" "o"
elif [ "$CMD" == "revoke" ]; then
DEFINE_string "cryfs_dir" "" "CryFS base dir containing the encrypted certificates." "d"
DEFINE_string "root_cn" "" "CN of the root certificate for signing (optional)" "r"
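Review bot: The new `default_subj` flag silently requires a trailing `/`, because `generate_csr` (later hunk) concatenates it as `"${5}OU=…"`; a user passing `-s /C=DE/O=Foo` would get the subject `/C=DE/O=FooOU=…`, which OpenSSL rejects or misparses. The help text should state that, e.g. `DEFINE_string "default_subj" "/C=DE/ST=Thuringia/L=Weimar/O=Webis/" "Default Subj prefix, must end with '/' (optional)" "s"`. Alternatively strip and re-add the slash in `generate_csr` so both forms work.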
......@@ -97,7 +100,7 @@ mount_cryfs() {
fi
logInfo "Mounting CryFS..."
mkdir "$2"
mkdir -p "$2"
if ! cryfs "$1" "$2"; then
logError "Failed to mount CryFS volume!"
cleanup "$2"
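Review bot: Switching to `mkdir -p "$2"` means an already-existing mount point (for instance a leftover `…_mount.NNNNN` directory from an aborted run that may still be mounted) is reused without any message, where a plain `mkdir` at least printed an error. Since the directory name comes from `${RANDOM}` (see the `MOUNT_DIR=` line later in this commit), reuse is unlikely but not impossible; consider rejecting a non-empty mount point, e.g. `if [ -n "$(ls -A -- "$2" 2>/dev/null)" ]; then logError "Mount point $2 is not empty!"; return 1; fi` before calling `cryfs`. The body of `mount_cryfs` continues outside the hunk.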
......@@ -134,11 +137,12 @@ generate_key() {
openssl genrsa -out "$1" "$2"
}
# Usage: generate_csr CONF CERT_TYPE KEY_FILE OUT_FILE O OU CLIENT_CN CLIENT_EMAIL
# Usage: generate_csr CONF CERT_TYPE KEY_FILE OUT_FILE DEFAULT_SUBJ ORG_UNIT CLIENT_CN CLIENT_FULL_NAME CLIENT_EMAIL
generate_csr() {
logInfo "Generating CSR..."
openssl req -config "$1" -new -key "$3" -out "$4" -reqexts "v3_req_${2}" \
-subj "/C=DE/ST=Thuringia/O=${5}/OU=${6}/L=Weimar/CN=${7}/emailAddress=${8}"
-subj "${5}OU=${6}/CN=${7}/emailAddress=${9}"
# -addext "subjectAltName = otherName:${8}"
}
# Usage: revoke_cert CONF CERT CA_KEY CA_CERT
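Review bot: The new usage line documents `CLIENT_FULL_NAME` as `$8`, but the `-subj` string skips straight from `$7` to `$9`, so the full name that `issue()` now makes mandatory never ends up in the CSR; either drop it from the usage line or place it in the subject (the `-addext` line below it is still commented out). Separately, the subject is built by plain interpolation, so a `/` inside the OU, CN or e-mail value would be parsed by OpenSSL as the start of another RDN; escaping the values before interpolation (`cn=${7//\//\\/}` and likewise for `$6` and `$9`) keeps user input confined to its own field. This was already true of the old line, but the commit touches it.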
......@@ -200,21 +204,32 @@ resolve_ca_chain() {
done
}
# Usage: OUT_FILE CERT CA_CERT [KEY]
# Usage: OUT_FILE CERT CA_CERT [KEY] [NO_PASSWORD]
generate_ovpn_file() {
if [ "$4" != "" ]; then
if [ "$4" != "" ] && [ "$5" -eq 0 ]; then
local pem="$(cat "$4")"
elif [ "$4" != "" ]; then
local extra_param=""
if ! tty -s; then
# non-interactive shell, get password from env
extra_param="-passout env:PK_PASS"
fi
echo "Password to encrypt private key in .ovpn config file: " >&2
local pem="$(openssl rsa -aes256 -in $4)"
local pem="$(openssl rsa -aes256 -in $4 $extra_param)"
local counter=0
while [ "$pem" == "" ]; do
logError "Invalid passphrase, please try again."
local pem="$(openssl rsa -aes256 -in $4)"
local pem="$(openssl rsa -aes256 -in $4 $extra_param)"
counter=$(($counter + 1))
if [ $counter -ge 10 ]; then
logError "Too many input failures."
return 1
fi
done
fi
local out_file="$1"
if ! $(echo "$out_file" | grep -q '\.ovpn$'); then
out_file="${out_file}.ovpn"
fi
cat <<EOL > "$out_file"
client
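Review bot: The new suffix logic turns the flag's new default `--out=/dev/stdout` (first hunk) into `/dev/stdout.ovpn`, so the default invocation fails at the `cat … > "$out_file"` redirect instead of printing the config; guard the suffix with a device check, `if [ ! -c "$out_file" ] && [[ "$out_file" != *.ovpn ]]; then`, which also replaces the `if ! $(echo … | grep -q …)` form that only works because bash reuses the substitution's exit status for an empty command. The new test `[ "$5" -eq 0 ]` raises "integer expression expected" when `$5` is empty (the caller passes `$FLAGS_no_password` unquoted), so `"${5:-1}"` with 1 being shflags' `FLAGS_FALSE` is safer. In the non-interactive path the retry loop re-runs `openssl` with the same `PK_PASS` environment up to ten times, so a missing or wrong variable produces ten identical failures; skipping the loop when `extra_param` is set would make that a single clear error. Note also that `-in $4` is still unquoted on both `openssl` lines.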
......@@ -222,10 +237,11 @@ remote vpn.webis.de
dev tun
proto udp
port 1194
user nobody
group nobody
remote-cert-tls server
# Cipher is set on the server, this is only to avoid warnings
cipher AES-256-GCM
<key>
$pem
</key>
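Review bot: The added `group nobody` line will make the generated client config fail on Debian/Ubuntu-based clients, where the corresponding group is `nogroup` rather than `nobody` (OpenVPN aborts with a getgrnam error when the group does not exist); `user nobody` is fine on both families. If client platforms vary, either pick the group per platform or drop the line and rely on the client's own configuration. Dropping privileges this way is a good hardening step, so a comment above the two lines saying which distributions it was verified on would help the next maintainer.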
......@@ -240,6 +256,7 @@ $(resolve_ca_chain "$3")
EOL
logInfo "OpenVPN config file has been written to '$1'."
return 0
}
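Review bot: The success message still prints `$1`, but with the new suffix logic in this function the file may have been written to `${1}.ovpn`, so the logged path can be wrong; use `logInfo "OpenVPN config file has been written to '$out_file'."`. The `return 0` makes the new caller-side error handling in `issue()` work, which is good.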
......@@ -259,12 +276,12 @@ issue() {
logError "--common_name is required"
exit 1;
fi
if [ "$FLAGS_email" == "" ]; then
logError "--email is required"
if [ "$FLAGS_full_name" == "" ]; then
logError "--full_name is required"
exit 1;
fi
if [ "$FLAGS_type" == "client" ] && [ "$FLAGS_out" == "" ]; then
logError "--out is required if --type=client"
if [ "$FLAGS_email" == "" ]; then
logError "--email is required"
exit 1;
fi
......@@ -273,8 +290,8 @@ issue() {
MOUNT_DIR="${FLAGS_cryfs_dir}_mount.${RANDOM}"
mount_cryfs "$FLAGS_cryfs_dir" "$MOUNT_DIR"
ROOT_KEY="$FLAGS_root_cn"
if [ "$ROOT_KEY" == "" ] || [ ! -f "$ROOT_KEY" ]; then
ROOT_KEY="${MOUNT_DIR}/ca/${FLAGS_root_cn}.pem"
if [ "$FLAGS_root_cn" == "" ] || [ ! -f "$ROOT_KEY" ]; then
ROOT_KEY="$(choose_root_cert "$MOUNT_DIR")"
logInfo "Using '$(basename "${ROOT_KEY}" | sed 's/\.pem$//')' as the root certificate..."
fi
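Review bot: With the new condition, an explicitly given `--root_cn` whose key file does not exist under `${MOUNT_DIR}/ca/` silently falls through to `choose_root_cert`, so a typo in the CA name can result in the certificate being signed by a different CA than the operator asked for; the same pattern appears in the `revoke()` hunk at the end of this commit. Distinguish the two cases: only call `choose_root_cert` when `$FLAGS_root_cn` is empty, and otherwise fail, e.g. `elif [ ! -f "$ROOT_KEY" ]; then logError "Root key '${ROOT_KEY}' not found!"; cleanup "$MOUNT_DIR"; exit 1`. Since `FLAGS_root_cn` is interpolated into the path unchanged, rejecting values containing `/` would also keep the lookup inside the `ca/` directory.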
......@@ -288,9 +305,21 @@ issue() {
CSR="$FLAGS_csr"
DELETE_KEY=false
DELETE_CSR=false
CERT="${MOUNT_DIR}/${FLAGS_type}/${FLAGS_common_name}.crt"
local counter_suffix=0
while [ $FLAGS_overwrite -eq 1 ] && [ -f "$CERT" ]; do
counter_suffix=$(($counter_suffix + 1))
CERT="${MOUNT_DIR}/${FLAGS_type}/${FLAGS_common_name}_${counter_suffix}.crt"
done
if [ $counter_suffix -gt 0 ]; then
logWarn "Certificate file '${FLAGS_type}/${FLAGS_common_name}.crt' already exists, incrementing CN to ${counter_suffix}!"
export FLAGS_common_name="${FLAGS_common_name}_${counter_suffix}"
fi
if [ "$CSR" == "" ] || [ ! -f "$CSR" ]; then
KEY="${MOUNT_DIR}/${FLAGS_type}/${FLAGS_common_name}.pem"
if [ -f "$KEY" ]; then
if [ $FLAGS_overwrite -eq 1 ] && [ -f "$KEY" ]; then
logError "Key file ${KEY} already exists!"
cleanup "$MOUNT_DIR"
exit 1
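Review bot: When `--overwrite` is set and `${FLAGS_common_name}.crt` already exists, the old certificate file is replaced without being revoked first, so a previously issued certificate for that CN stays valid until its expiry while the file needed to revoke it later is gone; a `revoke_cert` helper exists in this script (its usage line is visible in an earlier hunk), so either call it before overwriting or at least `logWarn` that the previous certificate remains valid. The counter loop also uses `[ $FLAGS_overwrite -eq 1 ]` to mean "overwrite is off", which only reads correctly if one remembers shflags' `FLAGS_FALSE=1`; `[ "$FLAGS_overwrite" -eq "$FLAGS_FALSE" ]` says the same thing explicitly, here and for the key and CSR checks in this and the next hunk. The `logWarn` text "incrementing CN to ${counter_suffix}" could name the full new CN, `${FLAGS_common_name}_${counter_suffix}`, so the operator sees exactly what will be signed.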
......@@ -298,12 +327,12 @@ issue() {
generate_key "$KEY" "$BITS"
CSR="${MOUNT_DIR}/${FLAGS_type}/${FLAGS_common_name}.csr"
if [ -f "$CSR" ]; then
if [ $FLAGS_overwrite -eq 1 ] && [ -f "$CSR" ]; then
logError "CSR file ${CSR} already exists!"
cleanup "$MOUNT_DIR"
exit 1
fi
if ! generate_csr "$CONF" "$FLAGS_type" "$KEY" "$CSR" "$FLAGS_organization" "$FLAGS_organizational_unit" "$FLAGS_common_name" "$FLAGS_email"; then
if ! generate_csr "$CONF" "$FLAGS_type" "$KEY" "$CSR" "$FLAGS_default_subj" "$FLAGS_organizational_unit" "$FLAGS_common_name" "$FLAGS_full_name" "$FLAGS_email"; then
logError "CSR generation failed!"
cleanup "$MOUNT_DIR"
exit 1
......@@ -316,12 +345,6 @@ issue() {
fi
logInfo "Signing client certificate..."
CERT="${MOUNT_DIR}/${FLAGS_type}/${FLAGS_common_name}.crt"
if [ -f "$CERT" ]; then
logError "Certificate file '${FLAGS_type}/${FLAGS_common_name}.crt' already exists, please delete it before renewal!"
cleanup "$MOUNT_DIR"
exit 1
fi
if ! sign_csr "$CONF" "$CSR" "$CERT" "$ROOT_KEY" "$ROOT_CERT" "$FLAGS_type"; then
logError "Signing failed!"
cleanup "$MOUNT_DIR"
......@@ -331,7 +354,10 @@ issue() {
if [ "$FLAGS_type" == "client" ]; then
logInfo "Writing .ovpn file..."
ROOT_CA_CERT="$(dirname $ROOT_CERT)/Webis_Root_CA.crt"
generate_ovpn_file "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY"
if ! generate_ovpn_file "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY" $FLAGS_no_password; then
cleanup "$MOUNT_DIR"
exit 1
fi
fi
if $DELETE_KEY; then
# delete private key after generating ovpn file
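Review bot: `$FLAGS_no_password` is passed unquoted, so if it were ever empty the argument would vanish and `generate_ovpn_file` would compare `""` with `-eq 0`; quote it as `"$FLAGS_no_password"`. On the new failure path the certificate has already been signed by `sign_csr` in the previous hunk, so exiting with 1 leaves an issued certificate behind and a retry will increment the CN; a `logError` stating that the certificate was issued and only the .ovpn export failed would tell the operator which cleanup is needed. The `$(dirname $ROOT_CERT)` expansion on the context line above is still unquoted.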
......@@ -375,8 +401,8 @@ revoke() {
MOUNT_DIR="${FLAGS_cryfs_dir}_mount.${RANDOM}"
mount_cryfs "$FLAGS_cryfs_dir" "$MOUNT_DIR"
ROOT_KEY="$FLAGS_root_cn"
if [ "$ROOT_KEY" == "" ] || [ ! -f "$ROOT_KEY" ]; then
ROOT_KEY="${MOUNT_DIR}/ca/${FLAGS_root_cn}.pem"
if [ "$FLAGS_root_cn" == "" ] || [ ! -f "$ROOT_KEY" ]; then
ROOT_KEY="$(choose_root_cert "$MOUNT_DIR")"
logInfo "Using '$(basename "${ROOT_KEY}" | sed 's/\.pem$//')' as the root certificate..."
fi