Commit 7004e5c0 authored by Janek Bevendorff's avatar Janek Bevendorff

Generate PEM file for server certificates

parent fecca189
...@@ -35,7 +35,7 @@ if [ "$CMD" == "issue" ]; then ...@@ -35,7 +35,7 @@ if [ "$CMD" == "issue" ]; then
DEFINE_boolean "no_password" false "Do not encrypt private key" "n" DEFINE_boolean "no_password" false "Do not encrypt private key" "n"
DEFINE_boolean "overwrite" false "Overwrite existing certificates instead of incrementing filename (use with caution!)" "x" DEFINE_boolean "overwrite" false "Overwrite existing certificates instead of incrementing filename (use with caution!)" "x"
DEFINE_string "csr" "" "CSR file (optional)" "i" DEFINE_string "csr" "" "CSR file (optional)" "i"
DEFINE_string "out" "/dev/stdout" "OpenVPN .ovpn config file to generate (optional)" "o" DEFINE_string "out" "/dev/stdout" "OpenVPN .ovpn config or PEM file to generate (optional)" "o"
elif [ "$CMD" == "revoke" ]; then elif [ "$CMD" == "revoke" ]; then
DEFINE_string "cryfs_dir" "" "CryFS base dir containing the encrypted certificates." "d" DEFINE_string "cryfs_dir" "" "CryFS base dir containing the encrypted certificates." "d"
DEFINE_string "root_cn" "" "CN of the root certificate for signing (optional)" "r" DEFINE_string "root_cn" "" "CN of the root certificate for signing (optional)" "r"
...@@ -217,22 +217,22 @@ resolve_ca_chain() { ...@@ -217,22 +217,22 @@ resolve_ca_chain() {
done done
} }
# Usage: OUT_FILE CERT CA_CERT [KEY] [NO_PASSWORD] # Usage: TYPE OUT_FILE CERT CA_CERT [KEY] [NO_PASSWORD]
generate_ovpn_file() { generate_output_file() {
if [ "$4" != "" ] && [ "$5" -eq 0 ]; then if [ "$5" != "" ] && [ "$6" -eq 0 ]; then
local pem="$(cat "$4")" local pem="$(cat "$5")"
elif [ "$4" != "" ]; then elif [ "$5" != "" ]; then
local extra_param="" local extra_param=""
if ! tty -s; then if ! tty -s; then
# non-interactive shell, get password from env # non-interactive shell, get password from env
extra_param="-passout env:PK_PASS" extra_param="-passout env:PK_PASS"
fi fi
echo "Password to encrypt private key in .ovpn config file: " >&2 echo "Password to encrypt private key in .ovpn config file: " >&2
local pem="$(openssl rsa -aes256 -in $4 $extra_param)" local pem="$(openssl rsa -aes256 -in $5 $extra_param)"
local counter=0 local counter=0
while [ "$pem" == "" ]; do while [ "$pem" == "" ]; do
logError "Invalid passphrase, please try again." logError "Invalid passphrase, please try again."
local pem="$(openssl rsa -aes256 -in $4 $extra_param)" local pem="$(openssl rsa -aes256 -in $5 $extra_param)"
counter=$(($counter + 1)) counter=$(($counter + 1))
if [ $counter -ge 10 ]; then if [ $counter -ge 10 ]; then
...@@ -242,8 +242,9 @@ generate_ovpn_file() { ...@@ -242,8 +242,9 @@ generate_ovpn_file() {
done done
fi fi
local out_file="$1" local out_file="$2"
if [ "$1" == "ovpn" ]; then
cat <<EOL > "$out_file" cat <<EOL > "$out_file"
client client
remote vpn.webis.de remote vpn.webis.de
...@@ -263,15 +264,27 @@ $pem ...@@ -263,15 +264,27 @@ $pem
</key> </key>
<cert> <cert>
$(cat "$2") $(cat "$3")
</cert> </cert>
<ca> <ca>
$(resolve_ca_chain "$3") $(resolve_ca_chain "$4")
</ca> </ca>
EOL EOL
logInfo "OpenVPN config file has been written to '$1'." logInfo "OpenVPN config file has been written to '$2'."
else
cat <<EOL > "$out_file"
$pem
$(cat "$3")
$(resolve_ca_chain "$4")
EOL
logInfo "PEM file has been written to '$2'."
fi
return 0 return 0
} }
...@@ -373,12 +386,16 @@ issue() { ...@@ -373,12 +386,16 @@ issue() {
if [ "$FLAGS_type" == "client" ]; then if [ "$FLAGS_type" == "client" ]; then
logInfo "Writing .ovpn file..." logInfo "Writing .ovpn file..."
ROOT_CA_CERT="$(dirname $ROOT_CERT)/Webis_Root_CA.crt" local type="ovpn"
if ! generate_ovpn_file "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY" $FLAGS_no_password; then else
rm -f "$KEY" "$CSR" "$CERT" logInfo "Writing PEM file..."
cleanup "$MOUNT_DIR" local type="pem"
exit 1 fi
fi ROOT_CA_CERT="$(dirname $ROOT_CERT)/Webis_Root_CA.crt"
if ! generate_output_file "$type" "$FLAGS_out" "$CERT" "$ROOT_CERT" "$KEY" $FLAGS_no_password; then
rm -f "$KEY" "$CSR" "$CERT"
cleanup "$MOUNT_DIR"
exit 1
fi fi
if $DELETE_KEY; then if $DELETE_KEY; then
# delete private key after generating ovpn file # delete private key after generating ovpn file
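Review bot: In the new PEM branch (`cat <<EOL > "$out_file"` after `else`, and equally in the ovpn branch above it), `$pem` — the plaintext private key when the `no_password` flag is set — is written to a file created under the caller's default umask, so unless a umask is set elsewhere in the script the key material is likely to end up group/world-readable. Creating the file under a restrictive mask is a two-line change per branch, `( umask 077; cat <<EOL > "$out_file"` with a closing `)` after `EOL`, which leaves the `/dev/stdout` default untouched and, since `>` keeps the mode of an already existing file, only affects newly created output files. The passphrase prompt in the preceding hunk still reads `Password to encrypt private key in .ovpn config file:`, which is misleading now that the same function emits PEM files; `if [ "$1" == "ovpn" ]` also treats any TYPE other than `ovpn` as PEM rather than rejecting an unknown value. The function `generate_output_file` starts in an earlier hunk, outside this one.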