Let OpenSSL read the password file itself

This commit is contained in:
Jérémy Lecour 2020-05-05 09:24:09 +02:00 committed by Jérémy Lecour
parent 165c96ca55
commit 8e92d46ecd


@ -80,9 +80,9 @@ init() {
-x509 \ -x509 \
-days 3650 \ -days 3650 \
-extensions v3_ca \ -extensions v3_ca \
-passin env:CA_PASSWORD \
-key "${CA_KEY}" \ -key "${CA_KEY}" \
-out "${CA_CERT}" \ -out "${CA_CERT}" \
-passin env:CA_PASSWORD \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONF_FILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
@ -434,12 +434,7 @@ create() {
# ask for CA passphrase # ask for CA passphrase
ask_ca_password 0 ask_ca_password 0
if [ -n "${password_file}" ] && [ -r "${password_file}" ]; then if [ "${ask_pass}" -eq 1 ]; then
PASSWORD=$(head -n 1 "${password_file}" | tr -d '\n')
if [ -z "${PASSWORD}" ]; then
warning "Warning: empty password from file \`${password_file}'"
fi
elif [ "${ask_pass}" -eq 1 ]; then
trap 'unset PASSWORD' 0 trap 'unset PASSWORD' 0
stty -echo stty -echo
printf "Password for user key : " printf "Password for user key : "
@ -453,7 +448,14 @@ create() {
fi fi
# generate private key # generate private key
if [ -n "${PASSWORD}" ]; then if [ -n "${password_file}" ]; then
"${OPENSSL_BIN}" genrsa \
-aes256 \
-passout file:${password_file} \
-out "${key_file}" \
${KEY_LENGTH} \
>/dev/null 2>&1
elif [ -n "${PASSWORD}" ]; then
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
-aes256 \ -aes256 \
-passout env:PASSWORD \ -passout env:PASSWORD \
@ -467,7 +469,19 @@ create() {
>/dev/null 2>&1 >/dev/null 2>&1
fi fi
if [ -n "${PASSWORD}" ]; then if [ -n "${password_file}" ]; then
# generate csr req
"${OPENSSL_BIN}" req \
-batch \
-new \
-key "${key_file}" \
-passin file:${password_file} \
-out "${csr_file}" \
-config /dev/stdin <<EOF
$(cat "${CONF_FILE}")
commonName_default = ${cn}
EOF
elif [ -n "${PASSWORD}" ]; then
# generate csr req # generate csr req
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
-batch \ -batch \
@ -518,22 +532,32 @@ EOF
echo "The CRT file is available in ${crt_file}" echo "The CRT file is available in ${crt_file}"
# generate pkcs12 format # generate pkcs12 format
if [ -n "${PASSWORD}" ]; then
if [ -n "${password_file}" ]; then
"${OPENSSL_BIN}" pkcs12 \
-export \
-nodes \
-passin file:${password_file} \
-inkey "${key_file}" \
-in "${crt_file}" \
-passout file:${password_file} \
-out "${pkcs12_file}"
elif [ -n "${PASSWORD}" ]; then
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" pkcs12 \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" pkcs12 \
-export \ -export \
-nodes \ -nodes \
-passin env:PASSWORD \ -passin env:PASSWORD \
-passout env:PASSWORD \
-inkey "${key_file}" \ -inkey "${key_file}" \
-in "${crt_file}" \ -in "${crt_file}" \
-passout env:PASSWORD \
-out "${pkcs12_file}" -out "${pkcs12_file}"
else else
"${OPENSSL_BIN}" pkcs12 \ "${OPENSSL_BIN}" pkcs12 \
-export \ -export \
-nodes \ -nodes \
-passout pass: \
-inkey "${key_file}" \ -inkey "${key_file}" \
-in "${crt_file}" \ -in "${crt_file}" \
-passout pass: \
-out "${pkcs12_file}" -out "${pkcs12_file}"
fi fi
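Review bot: The new `file:` password arguments at the `genrsa`, `req` and `pkcs12` calls are unquoted (`-passout file:${password_file} \`), unlike every other path in these hunks (`-out "${key_file}"`), so a password-file path containing whitespace or glob characters is word-split before OpenSSL sees it; write them as `-passout "file:${password_file}" \` and `-passin "file:${password_file}" \` at all four sites. The old `[ -r "${password_file}" ]` readability check and the empty-password warning disappeared together with the `PASSWORD=$(head -n 1 …)` branch, and the new `genrsa` branch tests only `-n "${password_file}"` before sending all output to `/dev/null 2>&1`, so a missing or unreadable file now fails with no diagnostic unless the exit status is checked further down in `create()`, which is outside these hunks; keeping `&& [ -r "${password_file}" ]` in the condition (or failing early with a message) restores the previous behaviour. The enclosing `create()` function starts and ends outside the hunks.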