From 6cc29fb1f837ec5a7a7e6a6280a748b48ad87649 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 11 Mar 2022 14:09:58 +0100 Subject: [PATCH] reorder functions --- shellpki | 257 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 129 insertions(+), 128 deletions(-) diff --git a/shellpki b/shellpki index 885de70..f8326e2 100755 --- a/shellpki +++ b/shellpki 
@@ -28,6 +28,135 @@ See the MIT Licence for details. END } +show_usage() { + cat < [options] [CommonName] + +Initialize PKI (create CA key and self-signed cert) : + + ${0} init + +Run OCSP_D server : + + ${0} ocsp + +Create a client cert with key and CSR directly generated on server +(use -p or --password-file to set a password on the client key) : + + ${0} create [-p|--password-file=] + +Create a client cert from a CSR (doesn't need key) : + + ${0} create -f + +Revoke a client cert with is commonName (CN) : + + ${0} revoke + +List all actually valid commonName (CN) : + + ${0} list [-a|--all|-v|--valid|-r|--revoked] + +Check expiration date of valid certificates : + + ${0} check + +EOF +} + +error() { + echo "${1}" >&2 + exit 1 +} + +warning() { + echo "${1}" >&2 +} + +verify_ca_password() { + "${OPENSSL_BIN}" rsa \ + -in "${CA_KEY}" \ + -passin pass:"${CA_PASSWORD}" \ + >/dev/null 2>&1 +} +get_real_path() { + # --canonicalize is supported on Linux + # -f is supported on Linux and OpenBSD + readlink -f -- "${1}" +} + +ask_ca_password() { + attempt=${1:-0} + max_attempts=3 + + trap 'unset CA_PASSWORD' 0 + + if [ ! -f "${CA_KEY}" ]; then + error "You must initialize your PKI with \`shellpki init' !" + fi + if [ "${attempt}" -gt 0 ]; then + warning "Invalid password, retry." + fi + if [ "${attempt}" -ge "${max_attempts}" ]; then + error "Maximum number of attempts reached (${max_attempts})." + fi + if [ -z "${CA_PASSWORD:-}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "In non-interactive mode, you must pass CA_PASSWORD as environment variable" + fi + stty -echo + printf "Password for CA key: " + read -r CA_PASSWORD + stty echo + printf "\n" + fi + if [ -z "${CA_PASSWORD:-}" ] || ! 
verify_ca_password; then + unset CA_PASSWORD + attempt=$(( attempt + 1 )) + ask_ca_password "${attempt}" + fi +} +ask_user_password() { + trap 'unset PASSWORD' 0 + + if [ -z "${PASSWORD:-}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "In non-interactive mode, you must pass PASSWORD as environment variable or use --password-file" + fi + stty -echo + printf "Password for user key: " + read -r PASSWORD + stty echo + printf "\n" + fi + if [ -z "${PASSWORD:-}" ]; then + warning "Warning: empty password from input" + fi +} +replace_existing_or_abort() { + cn=${1:?} + if [ "${non_interactive}" -eq 1 ]; then + if [ "${replace_existing}" -eq 1 ]; then + resp="y" + else + error "${cn} already exists, use \`--replace-existing' to force" + fi + else + if [ "${replace_existing}" -eq 1 ]; then + resp="y" + else + printf "%s already exists, do you want to revoke and recreate it ? [y/N] " "${cn}" + read -r REPLY + resp=$(echo "${REPLY}" | tr 'Y' 'y') + fi + fi + if [ "${resp}" = "y" ]; then + revoke "${cn}" + else + error "Aborted" + fi +} + init() { umask 0177 
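Review bot: `verify_ca_password` passes the CA passphrase to openssl as a command-line argument (`-passin pass:"${CA_PASSWORD}"`), so it is readable by any local user via `ps` or `/proc/*/cmdline` for as long as the check runs; the function is only moved here, but the new side is the version under review. Supplying it on stdin avoids that exposure: `printf '%s\n' "${CA_PASSWORD}" | "${OPENSSL_BIN}" rsa -in "${CA_KEY}" -passin stdin >/dev/null 2>&1`. Relatedly, `ask_ca_password` and `ask_user_password` each install their own `trap '...' 0`, so whichever runs second replaces the first and only one of the two variables is cleared on exit, and neither restores echo if the `read` after `stty -echo` is interrupted, leaving the terminal with echo disabled; one shared EXIT trap doing `stty echo 2>/dev/null; unset CA_PASSWORD PASSWORD` would cover both cases. `init()` opens on the last line of this hunk and its body lies outside it.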
@@ -193,134 +322,6 @@ EOF -text } -show_usage() { - cat < [options] [CommonName] - -Initialize PKI (create CA key and self-signed cert) : - - ${0} init - -Run OCSP_D server : - - ${0} ocsp - -Create a client cert with key and CSR directly generated on server -(use -p or --password-file to set a password on the client key) : - - ${0} create [-p|--password-file=] - -Create a client cert from a CSR (doesn't need key) : - - ${0} create -f - -Revoke a client cert with is commonName (CN) : - - ${0} revoke - -List all actually valid commonName (CN) : - - ${0} list [-a|--all|-v|--valid|-r|--revoked] - -Check expiration date of valid certificates : - - ${0} check - -EOF -} - -error() { - echo "${1}" >&2 - exit 1 -} - -warning() { - echo "${1}" >&2 -} - -verify_ca_password() { - "${OPENSSL_BIN}" rsa \ - -in "${CA_KEY}" \ - -passin pass:"${CA_PASSWORD}" \ - >/dev/null 2>&1 -} -get_real_path() { - # --canonicalize is supported on Linux - # -f is supported on Linux and OpenBSD - readlink -f -- "${1}" -} - -ask_ca_password() { - attempt=${1:-0} - max_attempts=3 - - trap 'unset CA_PASSWORD' 0 - - if [ ! -f "${CA_KEY}" ]; then - error "You must initialize your PKI with \`shellpki init' !" - fi - if [ "${attempt}" -gt 0 ]; then - warning "Invalid password, retry." - fi - if [ "${attempt}" -ge "${max_attempts}" ]; then - error "Maximum number of attempts reached (${max_attempts})." - fi - if [ -z "${CA_PASSWORD:-}" ]; then - if [ "${non_interactive}" -eq 1 ]; then - error "In non-interactive mode, you must pass CA_PASSWORD as environment variable" - fi - stty -echo - printf "Password for CA key: " - read -r CA_PASSWORD - stty echo - printf "\n" - fi - if [ -z "${CA_PASSWORD:-}" ] || ! 
verify_ca_password; then - unset CA_PASSWORD - attempt=$(( attempt + 1 )) - ask_ca_password "${attempt}" - fi -} -ask_user_password() { - trap 'unset PASSWORD' 0 - - if [ -z "${PASSWORD:-}" ]; then - if [ "${non_interactive}" -eq 1 ]; then - error "In non-interactive mode, you must pass PASSWORD as environment variable or use --password-file" - fi - stty -echo - printf "Password for user key: " - read -r PASSWORD - stty echo - printf "\n" - fi - if [ -z "${PASSWORD:-}" ]; then - warning "Warning: empty password from input" - fi -} -replace_existing_or_abort() { - cn=${1:?} - if [ "${non_interactive}" -eq 1 ]; then - if [ "${replace_existing}" -eq 1 ]; then - resp="y" - else - error "${cn} already exists, use \`--replace-existing' to force" - fi - else - if [ "${replace_existing}" -eq 1 ]; then - resp="y" - else - printf "%s already exists, do you want to revoke and recreate it ? [y/N] " "${cn}" - read -r REPLY - resp=$(echo "${REPLY}" | tr 'Y' 'y') - fi - fi - if [ "${resp}" = "y" ]; then - revoke "${cn}" - else - error "Aborted" - fi -} create() { from_csr=0 ask_pass=0