whitespaces and if/then normalization
This commit is contained in:
parent
f63caa0779
commit
420fcddb90
166
shellpki
166
shellpki
|
@ -46,28 +46,39 @@ init() {
|
||||||
if [ -f "${CAKEY}" ]; then
|
if [ -f "${CAKEY}" ]; then
|
||||||
printf "%s already exists, do you really want to erase it ? [y/N] " "${CAKEY}"
|
printf "%s already exists, do you really want to erase it ? [y/N] " "${CAKEY}"
|
||||||
read -r REPLY
|
read -r REPLY
|
||||||
resp=$(echo "${REPLY}"|tr 'Y' 'y')
|
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||||
[ "${resp}" = "y" ] && rm -f "${CAKEY}" "${CACERT}"
|
if [ "${resp}" = "y" ]; then
|
||||||
|
rm -f "${CAKEY}" "${CACERT}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ ! -f "${CAKEY}" ] && "$OPENSSL" \
|
if [ ! -f "${CAKEY}" ]; then
|
||||||
genrsa \
|
"$OPENSSL" genrsa \
|
||||||
-out "${CAKEY}" \
|
-out "${CAKEY}" \
|
||||||
-aes256 4096 >/dev/null 2>&1
|
-aes256 4096 \
|
||||||
|
>/dev/null 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "${CACERT}" ]; then
|
if [ -f "${CACERT}" ]; then
|
||||||
printf "%s already exists, do you really want to erase it ? [y/N] " "${CACERT}"
|
printf "%s already exists, do you really want to erase it ? [y/N] " "${CACERT}"
|
||||||
read -r REPLY
|
read -r REPLY
|
||||||
resp=$(echo "${REPLY}"|tr 'Y' 'y')
|
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||||
[ "${resp}" = "y" ] && rm "${CACERT}"
|
if [ "${resp}" = "y" ]; then
|
||||||
|
rm "${CACERT}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ ! -f "${CACERT}" ] && ask_ca_password 0
|
if [ ! -f "${CACERT}" ]; then
|
||||||
|
ask_ca_password 0
|
||||||
|
fi
|
||||||
|
|
||||||
[ ! -f "${CACERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" \
|
if [ ! -f "${CACERT}" ]; then
|
||||||
req -new \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" req \
|
||||||
-batch -sha512 \
|
-new \
|
||||||
-x509 -days 3650 \
|
-batch \
|
||||||
|
-sha512 \
|
||||||
|
-x509 \
|
||||||
|
-days 3650 \
|
||||||
-extensions v3_ca \
|
-extensions v3_ca \
|
||||||
-key "${CAKEY}" \
|
-key "${CAKEY}" \
|
||||||
-out "${CACERT}" \
|
-out "${CACERT}" \
|
||||||
|
@ -76,6 +87,7 @@ init() {
|
||||||
$(cat "${CONFFILE}")
|
$(cat "${CONFFILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
EOF
|
EOF
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
ocsp() {
|
ocsp() {
|
||||||
|
@ -87,16 +99,19 @@ ocsp() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
url=$(echo "${ocsp_uri}"|cut -d':' -f1)
|
url=$(echo "${ocsp_uri}" | cut -d':' -f1)
|
||||||
port=$(echo "${ocsp_uri}"|cut -d':' -f2)
|
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
||||||
|
|
||||||
[ ! -f "${OCSPKEY}" ] && "$OPENSSL" \
|
if [ ! -f "${OCSPKEY}" ]; then
|
||||||
genrsa \
|
"$OPENSSL" genrsa \
|
||||||
-out "${OCSPKEY}" \
|
-out "${OCSPKEY}" \
|
||||||
2048 >/dev/null 2>&1
|
2048 \
|
||||||
|
>/dev/null 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
"$OPENSSL" req \
|
"$OPENSSL" req \
|
||||||
-batch -new \
|
-batch \
|
||||||
|
-new \
|
||||||
-key "${OCSPKEY}" \
|
-key "${OCSPKEY}" \
|
||||||
-out "${CSRDIR}/ocsp.csr" \
|
-out "${CSRDIR}/ocsp.csr" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
|
@ -106,17 +121,27 @@ commonName_default = ${url}
|
||||||
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
|
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
[ ! -f "${OCSPCERT}" ] && ask_ca_password 0
|
if [ ! -f "${OCSPCERT}" ]; then
|
||||||
|
ask_ca_password 0
|
||||||
|
fi
|
||||||
|
|
||||||
[ ! -f "${OCSPCERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" \
|
if [ ! -f "${OCSPCERT}" ]; then
|
||||||
ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
||||||
-extensions v3_ocsp \
|
-extensions v3_ocsp \
|
||||||
-in "${CSRDIR}/ocsp.csr" \
|
-in "${CSRDIR}/ocsp.csr" \
|
||||||
-out "${OCSPCERT}" \
|
-out "${OCSPCERT}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-config "${CONFFILE}"
|
-config "${CONFFILE}"
|
||||||
|
fi
|
||||||
|
|
||||||
exec "${OPENSSL}" ocsp -ignore_err -index "${INDEX}" -port "${port}" -rsigner "${OCSPCERT}" -rkey "${OCSPKEY}" -CA "${CACERT}" -text
|
exec "${OPENSSL}" ocsp \
|
||||||
|
-ignore_err \
|
||||||
|
-index "${INDEX}" \
|
||||||
|
-port "${port}" \
|
||||||
|
-rsigner "${OCSPCERT}" \
|
||||||
|
-rkey "${OCSPKEY}" \
|
||||||
|
-CA "${CACERT}" \
|
||||||
|
-text
|
||||||
}
|
}
|
||||||
|
|
||||||
show_usage() {
|
show_usage() {
|
||||||
|
@ -167,14 +192,19 @@ warning() {
|
||||||
ask_ca_password() {
|
ask_ca_password() {
|
||||||
[ ! -f "${CAKEY}" ] && error "You must initialize your's PKI with shellpki init !"
|
[ ! -f "${CAKEY}" ] && error "You must initialize your's PKI with shellpki init !"
|
||||||
attempt=$((${1} + 1))
|
attempt=$((${1} + 1))
|
||||||
[ "${attempt}" -gt 1 ] && warning "Invalid password, retry."
|
if [ "${attempt}" -gt 1 ]; then
|
||||||
|
warning "Invalid password, retry."
|
||||||
|
fi
|
||||||
trap 'unset CA_PASSWORD' 0
|
trap 'unset CA_PASSWORD' 0
|
||||||
stty -echo
|
stty -echo
|
||||||
printf "Password for CA key : "
|
printf "Password for CA key : "
|
||||||
read -r CA_PASSWORD
|
read -r CA_PASSWORD
|
||||||
stty echo
|
stty echo
|
||||||
printf "\n"
|
printf "\n"
|
||||||
[ "${CA_PASSWORD}" != "" ] || ask_ca_password "${attempt}"
|
|
||||||
|
if [ -z "${CA_PASSWORD}" ]; then
|
||||||
|
ask_ca_password "${attempt}"
|
||||||
|
fi
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" rsa \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" rsa \
|
||||||
-in "${CAKEY}" \
|
-in "${CAKEY}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
|
@ -254,8 +284,12 @@ create() {
|
||||||
cn="${1:-}"
|
cn="${1:-}"
|
||||||
|
|
||||||
if [ "${from_csr}" -eq 1 ]; then
|
if [ "${from_csr}" -eq 1 ]; then
|
||||||
[ "${ask_pass}" -eq 1 ] && warning "Warning: -p|--password is ignored with -f|--file|--crt-file"
|
if [ "${ask_pass}" -eq 1 ]; then
|
||||||
[ -n "${password_file}" ] && warning "Warning: --password-file is ignored with -f|--file|--crt-file"
|
warning "Warning: -p|--password is ignored with -f|--file|--crt-file"
|
||||||
|
fi
|
||||||
|
if [ -n "${password_file}" ]; then
|
||||||
|
warning "Warning: --password-file is ignored with -f|--file|--crt-file"
|
||||||
|
fi
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
@ -276,10 +310,12 @@ create() {
|
||||||
|| error "${csr_file} don't contain a CommonName !"
|
|| error "${csr_file} don't contain a CommonName !"
|
||||||
|
|
||||||
# get CN from CSR
|
# get CN from CSR
|
||||||
cn=$("${OPENSSL}" req -noout -subject -in "${csr_file}"|grep -Eo "CN\s*=[^,/]*"|cut -d'=' -f2|xargs)
|
cn=$("${OPENSSL}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
|
||||||
|
|
||||||
# check if CN already exist
|
# check if CN already exist
|
||||||
[ -f "${CRTDIR}/${cn}.crt" ] && error "${cn} already used !"
|
if [ -f "${CRTDIR}/${cn}.crt" ]; then
|
||||||
|
error "${cn} already used !"
|
||||||
|
fi
|
||||||
|
|
||||||
# ca sign and generate cert
|
# ca sign and generate cert
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
||||||
|
@ -296,7 +332,9 @@ create() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check if CN already exist
|
# check if CN already exist
|
||||||
[ -f "${CRTDIR}/${cn}.crt" ] && error "${cn} already used !"
|
if [ -f "${CRTDIR}/${cn}.crt" ]; then
|
||||||
|
error "${cn} already used !"
|
||||||
|
fi
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
@ -313,6 +351,7 @@ create() {
|
||||||
read -r PASSWORD
|
read -r PASSWORD
|
||||||
stty echo
|
stty echo
|
||||||
printf "\n"
|
printf "\n"
|
||||||
|
|
||||||
if [ -z "${PASSWORD}" ]; then
|
if [ -z "${PASSWORD}" ]; then
|
||||||
warning "Warning: empty password from input"
|
warning "Warning: empty password from input"
|
||||||
fi
|
fi
|
||||||
|
@ -321,19 +360,23 @@ create() {
|
||||||
# generate private key
|
# generate private key
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
PASSWORD="${PASSWORD}" "$OPENSSL" genrsa \
|
PASSWORD="${PASSWORD}" "$OPENSSL" genrsa \
|
||||||
-aes256 -passout env:PASSWORD \
|
-aes256 \
|
||||||
|
-passout env:PASSWORD \
|
||||||
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
||||||
2048 >/dev/null 2>&1
|
2048 \
|
||||||
|
>/dev/null 2>&1
|
||||||
else
|
else
|
||||||
"$OPENSSL" genrsa \
|
"$OPENSSL" genrsa \
|
||||||
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
||||||
2048 >/dev/null 2>&1
|
2048 \
|
||||||
|
>/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
# generate csr req
|
# generate csr req
|
||||||
PASSWORD="${PASSWORD}" "$OPENSSL" req \
|
PASSWORD="${PASSWORD}" "$OPENSSL" req \
|
||||||
-batch -new \
|
-batch \
|
||||||
|
-new \
|
||||||
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
||||||
-passin env:PASSWORD \
|
-passin env:PASSWORD \
|
||||||
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
||||||
|
@ -344,7 +387,8 @@ EOF
|
||||||
else
|
else
|
||||||
# generate csr req
|
# generate csr req
|
||||||
"$OPENSSL" req \
|
"$OPENSSL" req \
|
||||||
-batch -new \
|
-batch \
|
||||||
|
-new \
|
||||||
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
||||||
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
|
@ -362,12 +406,15 @@ EOF
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL}" x509 \
|
"${OPENSSL}" x509 \
|
||||||
-noout -subject \
|
-noout \
|
||||||
|
-subject \
|
||||||
-in "${CRTDIR}/${cn}.crt" \
|
-in "${CRTDIR}/${cn}.crt" \
|
||||||
>/dev/null 2>&1 \
|
>/dev/null 2>&1 \
|
||||||
|| rm -f "${CRTDIR}/${cn}.crt"
|
|| rm -f "${CRTDIR}/${cn}.crt"
|
||||||
|
|
||||||
[ -f "${CRTDIR}/${cn}.crt" ] || error "Error in CSR creation"
|
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then
|
||||||
|
error "Error in CSR creation"
|
||||||
|
fi
|
||||||
|
|
||||||
chmod 640 "${CRTDIR}/${cn}.crt"
|
chmod 640 "${CRTDIR}/${cn}.crt"
|
||||||
|
|
||||||
|
@ -427,10 +474,17 @@ revoke() {
|
||||||
cn="${1}"
|
cn="${1}"
|
||||||
|
|
||||||
# check if CRT exists
|
# check if CRT exists
|
||||||
[ ! -f "${CRTDIR}/${cn}.crt" ] && error "Unknow CN : ${cn}"
|
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then
|
||||||
|
error "Unknow CN : ${cn}"
|
||||||
|
fi
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL}" x509 -noout -subject -in "${CRTDIR}/${cn}.crt" >/dev/null 2>&1 || error "${CRTDIR}/${cn}.crt is not a valid CRT, you must delete it !"
|
"${OPENSSL}" x509 \
|
||||||
|
-noout \
|
||||||
|
-subject \
|
||||||
|
-in "${CRTDIR}/${cn}.crt" \
|
||||||
|
>/dev/null 2>&1 \
|
||||||
|
|| error "${CRTDIR}/${cn}.crt is not a valid CRT, you must delete it !"
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
@ -449,7 +503,9 @@ revoke() {
|
||||||
}
|
}
|
||||||
|
|
||||||
list() {
|
list() {
|
||||||
[ -f "${INDEX}" ] || exit 0
|
if [ ! -f "${INDEX}" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
list_valid=0
|
list_valid=0
|
||||||
list_revoked=1
|
list_revoked=1
|
||||||
|
@ -479,11 +535,17 @@ list() {
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
[ "${list_valid}" -eq 0 ] && certs=$(grep "^V" "${INDEX}")
|
if [ "${list_valid}" -eq 0 ]; then
|
||||||
|
certs=$(grep "^V" "${INDEX}")
|
||||||
|
fi
|
||||||
|
|
||||||
[ "${list_revoked}" -eq 0 ] && certs=$(grep "^R" "${INDEX}")
|
if [ "${list_revoked}" -eq 0 ]; then
|
||||||
|
certs=$(grep "^R" "${INDEX}")
|
||||||
|
fi
|
||||||
|
|
||||||
[ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ] && certs=$(cat "${INDEX}")
|
if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then
|
||||||
|
certs=$(cat "${INDEX}")
|
||||||
|
fi
|
||||||
|
|
||||||
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
|
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
|
||||||
}
|
}
|
||||||
|
@ -525,16 +587,16 @@ main() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# retrieve CA path from config file
|
# retrieve CA path from config file
|
||||||
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
|
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1)
|
||||||
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
OCSPKEY="${CADIR}/ocsp.key"
|
OCSPKEY="${CADIR}/ocsp.key"
|
||||||
OCSPCERT="${CADIR}/ocsp.pem"
|
OCSPCERT="${CADIR}/ocsp.pem"
|
||||||
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
SERIAL=$(grep -E "^serial" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
SERIAL=$(grep -E "^serial" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
CRL=$(grep -E "^crl" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
|
CRL=$(grep -E "^crl" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
||||||
|
|
||||||
# directories for clients key, csr, crt
|
# directories for clients key, csr, crt
|
||||||
KEYDIR="${CADIR}/private"
|
KEYDIR="${CADIR}/private"
|
||||||
|
@ -549,7 +611,9 @@ main() {
|
||||||
error "You must create ${PKIUSER} user and group !"
|
error "You must create ${PKIUSER} user and group !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -e "${CONFFILE}" ] || error "${CONFFILE} is missing"
|
if [ ! -e "${CONFFILE}" ]; then
|
||||||
|
error "${CONFFILE} is missing"
|
||||||
|
fi
|
||||||
|
|
||||||
mkdir -p "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}"
|
mkdir -p "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}"
|
||||||
|
|
||||||
|
|
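Review bot: In ask_ca_password the terminal is left with echo disabled if the script is interrupted between `stty -echo` and `stty echo`, because the `trap 'unset CA_PASSWORD' 0` that the hunk keeps only clears the variable and nothing restores the tty when the script dies on a signal. Restoring echo in the same trap is a one-line change, `trap 'stty echo 2>/dev/null; unset CA_PASSWORD' 0`, and INT TERM can be appended to the signal list if interrupt should be covered explicitly (how the EXIT trap behaves on SIGINT depends on the shell this runs under, which is not visible here). The same unprotected `stty -echo` / `read -r PASSWORD` / `stty echo` sequence appears in create() around the client-key passphrase prompt and would want the same treatment. ask_ca_password's body continues past the end of the hunk, so how a rejected passphrase is handled after the `openssl rsa -passin env:CA_PASSWORD` check cannot be reviewed from here.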