From cca072425b9f035afa4fd028e5233921d1c34db0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Thu, 1 Dec 2022 16:55:28 +0100
Subject: [PATCH] openvpn: shellpki upstream release 22.12

---
 CHANGELOG.md | 1 +
 openvpn/files/shellpki/cert-expirations.sh | 136 ++++++++++++++++++---
 openvpn/files/shellpki/openssl.cnf | 2 +
 openvpn/files/shellpki/shellpki | 29 +++--
 4 files changed, 137 insertions(+), 31 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e24bbd8e..089f1346 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * varnish: better package facts usage with check mode and tags
 * varnish: systemd override depends on Varnish version instead of Debian version
 * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running)
+* openvpn: shellpki upstream release 22.12
 
 ### Fixed
 
diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh
index 9e27dcc7..dbb25357 100644
--- a/openvpn/files/shellpki/cert-expirations.sh
+++ b/openvpn/files/shellpki/cert-expirations.sh
@@ -1,26 +1,124 @@ #!/bin/sh -carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) +VERSION="22.12" -if [ "$carp" = "backup" ]; then - exit 0 -fi +show_version() { + cat <, + Jérémy Lecour , + Jérémy Dubois + and others. -echo "CA certificate:" -openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \ - | cut -d '=' -f 2 \ - | sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/" +cert-expirations.sh comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the MIT Licence for details. +END +} -echo "" +show_usage() { + cat </dev/null | grep 'status' | cut -d' ' -f2) + + if [ "$carp" = "backup" ]; then + exit 0 + fi + fi + + cacert_path="/etc/openvpn/ssl/ca/cacert.pem" + index_path="/etc/openvpn/ssl/ca/index.txt" + somedays="3456000" # 40 days currently + expired_certs="" + expiring_soon_certs="" + still_valid_certs="" + + case "$1" in + version|--version) + show_version + exit 0 + ;; + + help|--help) + show_usage + exit 0 + ;; + + "") + echo "Warning : all times are in UTC !" + echo "" + check_ca_expiration + echo "" + check_certs_expiration + ;; + + *) + show_usage >&2 + exit 1 + ;; + esac +} + +main "$@" diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 2c87f10d..5e1e3c83 100644 --- a/openvpn/files/shellpki/openssl.cnf +++ b/openvpn/files/shellpki/openssl.cnf @@ -1,3 +1,5 @@ +# VERSION="22.04" + [ ca ] default_ca = CA_default diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5d139866..5e7169c9 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki @@ -5,7 +5,7 @@ set -u -VERSION="22.04" +VERSION="22.12" show_version() { cat </dev/null 2>&1 } get_real_path() { # --canonicalize is supported on Linux - # -f is supported on Linux and OpenBSD + # -f is supported on Linux and OpenBSD readlink -f -- "${1}" } 
@@ -227,6 +227,7 @@ init() {
 [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
 [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
 [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
+ [ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr"
 [ -f "${CRL}" ] || touch "${CRL}"
 [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
 
@@ -278,17 +279,18 @@ init() {
 
 passout_arg=""
 if [ -n "${CA_PASSWORD:-}" ]; then
- passout_arg="-passout pass:${CA_PASSWORD}"
+ passout_arg="-pass pass:${CA_PASSWORD}"
 elif [ "${non_interactive}" -eq 1 ]; then
 error "In non-interactive mode, you must pass CA_PASSWORD as environment variable."
 fi
 
 if [ ! -f "${CA_KEY}" ]; then
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${CA_KEY}" \
 ${passout_arg} \
 -aes256 \
- "${CA_KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -ne 0 ]; then
@@ -355,9 +357,10 @@ ocsp() {
 port=$(echo "${ocsp_uri}" | cut -d':' -f2)
 
 if [ ! -f "${OCSP_KEY}" ]; then
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${OCSP_KEY}" \
- "${KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -ne 0 ]; then
@@ -680,17 +683,19 @@ create() {
 # generate private key
 pass_args=""
 if [ -n "${password_file:-}" ]; then
- pass_args="-aes256 -passout file:${password_file}"
+ pass_args="-aes256 -pass file:${password_file}"
 elif [ -n "${PASSWORD:-}" ]; then
- pass_args="-aes256 -passout pass:${PASSWORD}"
+ pass_args="-aes256 -pass pass:${PASSWORD}"
 fi
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${key_file}" \
 ${pass_args} \
- "${KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -eq 0 ]; then
+ chmod 600 "${key_file}"
 echo "The KEY file is available at \`${key_file}'"
 else
 error "Error generating the private key"
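Review bot: The new `passout_arg="-pass pass:${CA_PASSWORD}"` still places the CA passphrase on the openssl command line, where any local user can read it from the process list for as long as genpkey runs; the same applies to `pass_args="-aes256 -pass pass:${PASSWORD}"` in the create() hunk. genpkey's `-pass` option accepts the `env:NAME` form, so `passout_arg="-pass env:CA_PASSWORD"` (and `pass_args="-aes256 -pass env:PASSWORD"`) keeps the secret out of argv, provided the variable is exported so the openssl child process can see it. That form also removes the passphrase from the unquoted `${passout_arg}` expansion, so a passphrase containing whitespace is no longer word-split into separate arguments. init() starts and ends outside the hunk.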
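Review bot: `chmod 600 "${key_file}"` runs only after genpkey has already created and written the key, so for that interval the file carries umask-default permissions; setting `umask 077` before the generation (at the top of create(), or in a subshell around the genpkey call) closes that window and leaves the chmod as a safety net. The CA key in the init() hunk and the OCSP key in the ocsp() hunk receive no chmod in this diff at all; unless those functions tighten permissions outside the visible lines, they should get the same umask treatment. create() starts and ends outside the hunk.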