Extract variables for files

Jérémy Lecour 2020-05-05 00:28:00 +02:00 committed by Jérémy Lecour
parent 7506003f53
commit 165c96ca55
2 changed files with 53 additions and 41 deletions


@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* verify_ca_password() looks for a previously set password and verifies it * verify_ca_password() looks for a previously set password and verifies it
* Extract cert_end_date() function * Extract cert_end_date() function
* Extract is_user() and is_group() functions * Extract is_user() and is_group() functions
* Extract variables for files
### Deprecated ### Deprecated


@ -98,6 +98,7 @@ ocsp() {
show_usage >&2 show_usage >&2
exit 1 exit 1
fi fi
ocsp_csr_file="${CSR_DIR}/ocsp.csr"
url=$(echo "${ocsp_uri}" | cut -d':' -f1) url=$(echo "${ocsp_uri}" | cut -d':' -f1)
port=$(echo "${ocsp_uri}" | cut -d':' -f2) port=$(echo "${ocsp_uri}" | cut -d':' -f2)
@ -113,7 +114,7 @@ ocsp() {
-batch \ -batch \
-new \ -new \
-key "${OCSP_KEY}" \ -key "${OCSP_KEY}" \
-out "${CSR_DIR}/ocsp.csr" \ -out "${ocsp_csr_file}" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONF_FILE}") $(cat "${CONF_FILE}")
commonName_default = ${url} commonName_default = ${url}
@ -128,7 +129,7 @@ EOF
if [ ! -f "${OCSP_CERT}" ]; then if [ ! -f "${OCSP_CERT}" ]; then
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-extensions v3_ocsp \ -extensions v3_ocsp \
-in "${CSR_DIR}/ocsp.csr" \ -in "${ocsp_csr_file}" \
-out "${OCSP_CERT}" \ -out "${OCSP_CERT}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-config "${CONF_FILE}" -config "${CONF_FILE}"
@ -357,6 +358,8 @@ create() {
warning "Warning: --password-file is ignored with -f|--file|--crt-file" warning "Warning: --password-file is ignored with -f|--file|--crt-file"
fi fi
crt_file="${CRT_DIR}/${cn}.crt"
# ask for CA passphrase # ask for CA passphrase
ask_ca_password 0 ask_ca_password 0
@ -401,18 +404,23 @@ create() {
-config "${CONF_FILE}" \ -config "${CONF_FILE}" \
-in "${csr_file}" \ -in "${csr_file}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-out "${CRT_DIR}/${cn}.crt" \ -out "${crt_file}" \
${crt_expiration_arg} ${crt_expiration_arg}
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt" echo "The CRT file is available in ${crt_file}"
else else
if [ -z "${cn}" ]; then if [ -z "${cn}" ]; then
show_usage >&2 show_usage >&2
exit 1 exit 1
fi fi
csr_file="${CSR_DIR}/${cn}-${SUFFIX}.csr"
crt_file="${CRT_DIR}/${cn}.crt"
key_file="${KEY_DIR}/${cn}-${SUFFIX}.key"
ovpn_file="${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
pkcs12_file="${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
# check if CN already exist # check if CN already exist
if [ -f "${CRT_DIR}/${cn}.crt" ]; then if [ -f "${crt_file}" ]; then
printf "%s already exists, do you revoke and recreate it ? [y/N] " "${cn}" printf "%s already exists, do you revoke and recreate it ? [y/N] " "${cn}"
read -r REPLY read -r REPLY
resp=$(echo "${REPLY}" | tr 'Y' 'y') resp=$(echo "${REPLY}" | tr 'Y' 'y')
@ -449,12 +457,12 @@ create() {
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
-aes256 \ -aes256 \
-passout env:PASSWORD \ -passout env:PASSWORD \
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -out "${key_file}" \
${KEY_LENGTH} \ ${KEY_LENGTH} \
>/dev/null 2>&1 >/dev/null 2>&1
else else
"${OPENSSL_BIN}" genrsa \ "${OPENSSL_BIN}" genrsa \
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -out "${key_file}" \
${KEY_LENGTH} \ ${KEY_LENGTH} \
>/dev/null 2>&1 >/dev/null 2>&1
fi fi
@ -464,9 +472,9 @@ create() {
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
-batch \ -batch \
-new \ -new \
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -key "${key_file}" \
-passin env:PASSWORD \ -passin env:PASSWORD \
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \ -out "${csr_file}" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONF_FILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
@ -476,8 +484,8 @@ EOF
"${OPENSSL_BIN}" req \ "${OPENSSL_BIN}" req \
-batch \ -batch \
-new \ -new \
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -key "${key_file}" \
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \ -out "${csr_file}" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONF_FILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
@ -488,27 +496,26 @@ EOF
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONF_FILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-in "${CSR_DIR}/${cn}-${SUFFIX}.csr" \ -in "${csr_file}" \
-out "${CRT_DIR}/${cn}.crt" \ -out "${crt_file}" \
${crt_expiration_arg} ${crt_expiration_arg}
# check if CRT is a valid # check if CRT is a valid
"${OPENSSL_BIN}" x509 \ "${OPENSSL_BIN}" x509 \
-noout \ -noout \
-subject \ -subject \
-in "${CRT_DIR}/${cn}.crt" \ -in "${crt_file}" \
>/dev/null 2>&1 >/dev/null 2>&1
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
rm -f "${CRT_DIR}/${cn}.crt" rm -f "${crt_file}"
fi fi
if [ ! -f "${crt_file}" ]; then
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
error "Error in CSR creation" error "Error in CSR creation"
fi fi
chmod 640 "${CRT_DIR}/${cn}.crt" chmod 640 "${crt_file}"
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt" echo "The CRT file is available in ${crt_file}"
# generate pkcs12 format # generate pkcs12 format
if [ -n "${PASSWORD}" ]; then if [ -n "${PASSWORD}" ]; then
@ -517,39 +524,39 @@ EOF
-nodes \ -nodes \
-passin env:PASSWORD \ -passin env:PASSWORD \
-passout env:PASSWORD \ -passout env:PASSWORD \
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -inkey "${key_file}" \
-in "${CRT_DIR}/${cn}.crt" \ -in "${crt_file}" \
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12" -out "${pkcs12_file}"
else else
"${OPENSSL_BIN}" pkcs12 \ "${OPENSSL_BIN}" pkcs12 \
-export \ -export \
-nodes \ -nodes \
-passout pass: \ -passout pass: \
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \ -inkey "${key_file}" \
-in "${CRT_DIR}/${cn}.crt" \ -in "${crt_file}" \
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12" -out "${pkcs12_file}"
fi fi
chmod 640 "${PKCS12_DIR}/${cn}-${SUFFIX}.p12" chmod 640 "${pkcs12_file}"
echo "The PKCS12 config file is available in ${PKCS12_DIR}/${cn}-${SUFFIX}.p12" echo "The PKCS12 config file is available in ${pkcs12_file}"
# generate openvpn format # generate openvpn format
if [ -e "${CA_DIR}/ovpn.conf" ]; then if [ -e "${CA_DIR}/ovpn.conf" ]; then
cat "${CA_DIR}/ovpn.conf" - > "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" <<EOF cat "${CA_DIR}/ovpn.conf" - > "${ovpn_file}" <<EOF
<ca> <ca>
$(cat "${CA_CERT}") $(cat "${CA_CERT}")
</ca> </ca>
<cert> <cert>
$(cat "${CRT_DIR}/${cn}.crt") $(cat "${crt_file}")
</cert> </cert>
<key> <key>
$(cat "${KEY_DIR}/${cn}-${SUFFIX}.key") $(cat "${key_file}")
</key> </key>
EOF EOF
chmod 640 "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" chmod 640 "${ovpn_file}"
echo "The OpenVPN config file is available in ${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" echo "The OpenVPN config file is available in ${ovpn_file}"
fi fi
fi fi
} }
@ -559,39 +566,43 @@ revoke() {
show_usage >&2 show_usage >&2
exit 1 exit 1
fi fi
crt_file="${CRT_DIR}/${cn}.crt"
# get CN from param # get CN from param
cn="${1}" cn="${1}"
# check if CRT exists # check if CRT exists
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then if [ ! -f "${crt_file}" ]; then
error "Unknow CN : ${cn}" error "Unknow CN : ${cn} (\`${crt_file}' not found)"
fi fi
# check if CRT is a valid # check if CRT is a valid
"${OPENSSL_BIN}" x509 \ "${OPENSSL_BIN}" x509 \
-noout \ -noout \
-subject \ -subject \
-in "${CRT_DIR}/${cn}.crt" \ -in "${crt_file}" \
>/dev/null 2>&1 >/dev/null 2>&1
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
error "${CRT_DIR}/${cn}.crt is not a valid CRT, you must delete it !" error "${crt_file} is not a valid CRT, you must delete it !"
fi fi
# ask for CA passphrase # ask for CA passphrase
ask_ca_password 0 ask_ca_password 0
echo "Revoke certificate ${CRT_DIR}/${cn}.crt :" echo "Revoke certificate ${crt_file} :"
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONF_FILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-revoke "${CRT_DIR}/${cn}.crt" \ -revoke "${crt_file}"
&& rm "${CRT_DIR}/${cn}.crt" if [ "$?" -eq 0 ]; then
rm "${crt_file}"
fi
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONF_FILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-gencrl -out "${CRL}" -gencrl \
-out "${CRL}"
} }
list() { list() {
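Review bot: In the revoke() hunk, `crt_file="${CRT_DIR}/${cn}.crt"` is assigned two lines before `cn="${1}"`, so it is built from whatever `cn` held at that point (unset, or stale from an earlier call) rather than from the CN passed to revoke; every later step — the existence check, the x509 validity check, `openssl ca -revoke` and the conditional `rm` — then operates on the wrong path, and with an empty `cn` the candidate is `${CRT_DIR}/.crt`. The fix is to swap the order so the path is derived after the argument is read: `cn="${1}"` followed by `crt_file="${CRT_DIR}/${cn}.crt"`. The ocsp() and create() hunks assign their `*_file` variables after `cn` is known, so only revoke() is affected. revoke()'s signature and the argument-count check are above this hunk, outside the visible lines, so I could not confirm whether an earlier statement sets `cn` before this point.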