reorder functions
This commit is contained in:
parent
68e4648694
commit
6cc29fb1f8
257
shellpki
257
shellpki
|
@ -28,6 +28,135 @@ See the MIT Licence for details.
|
|||
END
|
||||
}
|
||||
|
||||
show_usage() {
|
||||
cat <<EOF
|
||||
Usage: ${0} <subcommand> [options] [CommonName]
|
||||
|
||||
Initialize PKI (create CA key and self-signed cert) :
|
||||
|
||||
${0} init <commonName_for_CA>
|
||||
|
||||
Run OCSP_D server :
|
||||
|
||||
${0} ocsp <ocsp_uri:ocsp_port>
|
||||
|
||||
Create a client cert with key and CSR directly generated on server
|
||||
(use -p or --password-file to set a password on the client key) :
|
||||
|
||||
${0} create [-p|--password-file=<FILE>] <commonName>
|
||||
|
||||
Create a client cert from a CSR (doesn't need key) :
|
||||
|
||||
${0} create -f <path>
|
||||
|
||||
Revoke a client cert with is commonName (CN) :
|
||||
|
||||
${0} revoke <commonName>
|
||||
|
||||
List all actually valid commonName (CN) :
|
||||
|
||||
${0} list [-a|--all|-v|--valid|-r|--revoked]
|
||||
|
||||
Check expiration date of valid certificates :
|
||||
|
||||
${0} check
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
error() {
|
||||
echo "${1}" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
warning() {
|
||||
echo "${1}" >&2
|
||||
}
|
||||
|
||||
verify_ca_password() {
|
||||
"${OPENSSL_BIN}" rsa \
|
||||
-in "${CA_KEY}" \
|
||||
-passin pass:"${CA_PASSWORD}" \
|
||||
>/dev/null 2>&1
|
||||
}
|
||||
get_real_path() {
|
||||
# --canonicalize is supported on Linux
|
||||
# -f is supported on Linux and OpenBSD
|
||||
readlink -f -- "${1}"
|
||||
}
|
||||
|
||||
ask_ca_password() {
|
||||
attempt=${1:-0}
|
||||
max_attempts=3
|
||||
|
||||
trap 'unset CA_PASSWORD' 0
|
||||
|
||||
if [ ! -f "${CA_KEY}" ]; then
|
||||
error "You must initialize your PKI with \`shellpki init' !"
|
||||
fi
|
||||
if [ "${attempt}" -gt 0 ]; then
|
||||
warning "Invalid password, retry."
|
||||
fi
|
||||
if [ "${attempt}" -ge "${max_attempts}" ]; then
|
||||
error "Maximum number of attempts reached (${max_attempts})."
|
||||
fi
|
||||
if [ -z "${CA_PASSWORD:-}" ]; then
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
error "In non-interactive mode, you must pass CA_PASSWORD as environment variable"
|
||||
fi
|
||||
stty -echo
|
||||
printf "Password for CA key: "
|
||||
read -r CA_PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
if [ -z "${CA_PASSWORD:-}" ] || ! verify_ca_password; then
|
||||
unset CA_PASSWORD
|
||||
attempt=$(( attempt + 1 ))
|
||||
ask_ca_password "${attempt}"
|
||||
fi
|
||||
}
|
||||
ask_user_password() {
|
||||
trap 'unset PASSWORD' 0
|
||||
|
||||
if [ -z "${PASSWORD:-}" ]; then
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
error "In non-interactive mode, you must pass PASSWORD as environment variable or use --password-file"
|
||||
fi
|
||||
stty -echo
|
||||
printf "Password for user key: "
|
||||
read -r PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
if [ -z "${PASSWORD:-}" ]; then
|
||||
warning "Warning: empty password from input"
|
||||
fi
|
||||
}
|
||||
replace_existing_or_abort() {
|
||||
cn=${1:?}
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
if [ "${replace_existing}" -eq 1 ]; then
|
||||
resp="y"
|
||||
else
|
||||
error "${cn} already exists, use \`--replace-existing' to force"
|
||||
fi
|
||||
else
|
||||
if [ "${replace_existing}" -eq 1 ]; then
|
||||
resp="y"
|
||||
else
|
||||
printf "%s already exists, do you want to revoke and recreate it ? [y/N] " "${cn}"
|
||||
read -r REPLY
|
||||
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||
fi
|
||||
fi
|
||||
if [ "${resp}" = "y" ]; then
|
||||
revoke "${cn}"
|
||||
else
|
||||
error "Aborted"
|
||||
fi
|
||||
}
|
||||
|
||||
init() {
|
||||
umask 0177
|
||||
|
||||
|
@ -193,134 +322,6 @@ EOF
|
|||
-text
|
||||
}
|
||||
|
||||
show_usage() {
|
||||
cat <<EOF
|
||||
Usage: ${0} <subcommand> [options] [CommonName]
|
||||
|
||||
Initialize PKI (create CA key and self-signed cert) :
|
||||
|
||||
${0} init <commonName_for_CA>
|
||||
|
||||
Run OCSP_D server :
|
||||
|
||||
${0} ocsp <ocsp_uri:ocsp_port>
|
||||
|
||||
Create a client cert with key and CSR directly generated on server
|
||||
(use -p or --password-file to set a password on the client key) :
|
||||
|
||||
${0} create [-p|--password-file=<FILE>] <commonName>
|
||||
|
||||
Create a client cert from a CSR (doesn't need key) :
|
||||
|
||||
${0} create -f <path>
|
||||
|
||||
Revoke a client cert with is commonName (CN) :
|
||||
|
||||
${0} revoke <commonName>
|
||||
|
||||
List all actually valid commonName (CN) :
|
||||
|
||||
${0} list [-a|--all|-v|--valid|-r|--revoked]
|
||||
|
||||
Check expiration date of valid certificates :
|
||||
|
||||
${0} check
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
error() {
|
||||
echo "${1}" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
warning() {
|
||||
echo "${1}" >&2
|
||||
}
|
||||
|
||||
verify_ca_password() {
|
||||
"${OPENSSL_BIN}" rsa \
|
||||
-in "${CA_KEY}" \
|
||||
-passin pass:"${CA_PASSWORD}" \
|
||||
>/dev/null 2>&1
|
||||
}
|
||||
get_real_path() {
|
||||
# --canonicalize is supported on Linux
|
||||
# -f is supported on Linux and OpenBSD
|
||||
readlink -f -- "${1}"
|
||||
}
|
||||
|
||||
ask_ca_password() {
|
||||
attempt=${1:-0}
|
||||
max_attempts=3
|
||||
|
||||
trap 'unset CA_PASSWORD' 0
|
||||
|
||||
if [ ! -f "${CA_KEY}" ]; then
|
||||
error "You must initialize your PKI with \`shellpki init' !"
|
||||
fi
|
||||
if [ "${attempt}" -gt 0 ]; then
|
||||
warning "Invalid password, retry."
|
||||
fi
|
||||
if [ "${attempt}" -ge "${max_attempts}" ]; then
|
||||
error "Maximum number of attempts reached (${max_attempts})."
|
||||
fi
|
||||
if [ -z "${CA_PASSWORD:-}" ]; then
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
error "In non-interactive mode, you must pass CA_PASSWORD as environment variable"
|
||||
fi
|
||||
stty -echo
|
||||
printf "Password for CA key: "
|
||||
read -r CA_PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
if [ -z "${CA_PASSWORD:-}" ] || ! verify_ca_password; then
|
||||
unset CA_PASSWORD
|
||||
attempt=$(( attempt + 1 ))
|
||||
ask_ca_password "${attempt}"
|
||||
fi
|
||||
}
|
||||
ask_user_password() {
|
||||
trap 'unset PASSWORD' 0
|
||||
|
||||
if [ -z "${PASSWORD:-}" ]; then
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
error "In non-interactive mode, you must pass PASSWORD as environment variable or use --password-file"
|
||||
fi
|
||||
stty -echo
|
||||
printf "Password for user key: "
|
||||
read -r PASSWORD
|
||||
stty echo
|
||||
printf "\n"
|
||||
fi
|
||||
if [ -z "${PASSWORD:-}" ]; then
|
||||
warning "Warning: empty password from input"
|
||||
fi
|
||||
}
|
||||
replace_existing_or_abort() {
|
||||
cn=${1:?}
|
||||
if [ "${non_interactive}" -eq 1 ]; then
|
||||
if [ "${replace_existing}" -eq 1 ]; then
|
||||
resp="y"
|
||||
else
|
||||
error "${cn} already exists, use \`--replace-existing' to force"
|
||||
fi
|
||||
else
|
||||
if [ "${replace_existing}" -eq 1 ]; then
|
||||
resp="y"
|
||||
else
|
||||
printf "%s already exists, do you want to revoke and recreate it ? [y/N] " "${cn}"
|
||||
read -r REPLY
|
||||
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||
fi
|
||||
fi
|
||||
if [ "${resp}" = "y" ]; then
|
||||
revoke "${cn}"
|
||||
else
|
||||
error "Aborted"
|
||||
fi
|
||||
}
|
||||
create() {
|
||||
from_csr=0
|
||||
ask_pass=0
|
||||
|
|
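Review bot: `verify_ca_password` in the first hunk still hands the CA passphrase to openssl as `-passin pass:"${CA_PASSWORD}"`, which places the secret on the command line where it is visible in the process list of every local user for the duration of the call. Reading it from the environment keeps it out of argv: `CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" rsa -in "${CA_KEY}" -passin env:CA_PASSWORD >/dev/null 2>&1`. In the same hunk `ask_ca_password` and `ask_user_password` each install `trap '…' 0`, so whichever runs second silently replaces the first trap, and neither trap restores `stty echo` when the prompt is interrupted between `stty -echo` and `stty echo`. These bodies are moved rather than changed, so the issues predate this commit, but since the file is being reorganized a short comment above `verify_ca_password` such as `# Pass the secret via env:, not pass:, so it never appears in argv` would document the intended fix.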