More readable variable names
This commit is contained in:
parent
420fcddb90
commit
b03e77d307
|
@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* Rename internal function usage() to show_usage()
|
* Rename internal function usage() to show_usage()
|
||||||
|
* More readable variable names
|
||||||
|
|
||||||
### Deprecated
|
### Deprecated
|
||||||
|
|
||||||
|
|
274
shellpki
274
shellpki
|
@ -31,9 +31,9 @@ END
|
||||||
init() {
|
init() {
|
||||||
umask 0177
|
umask 0177
|
||||||
|
|
||||||
[ -d "${CADIR}" ] || mkdir -m 0750 "${CADIR}"
|
[ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
|
||||||
[ -d "${CRTDIR}" ] || mkdir -m 0750 "${CRTDIR}"
|
[ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
|
||||||
[ -f "${INDEX}" ] || touch "${INDEX}"
|
[ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
|
||||||
[ -f "${CRL}" ] || touch "${CRL}"
|
[ -f "${CRL}" ] || touch "${CRL}"
|
||||||
[ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
|
[ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
|
||||||
|
|
||||||
|
@ -43,48 +43,48 @@ init() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "${CAKEY}" ]; then
|
if [ -f "${CA_KEY}" ]; then
|
||||||
printf "%s already exists, do you really want to erase it ? [y/N] " "${CAKEY}"
|
printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_KEY}"
|
||||||
read -r REPLY
|
read -r REPLY
|
||||||
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||||
if [ "${resp}" = "y" ]; then
|
if [ "${resp}" = "y" ]; then
|
||||||
rm -f "${CAKEY}" "${CACERT}"
|
rm -f "${CA_KEY}" "${CA_CERT}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "${CAKEY}" ]; then
|
if [ ! -f "${CA_KEY}" ]; then
|
||||||
"$OPENSSL" genrsa \
|
"${OPENSSL_BIN}" genrsa \
|
||||||
-out "${CAKEY}" \
|
-out "${CA_KEY}" \
|
||||||
-aes256 4096 \
|
-aes256 4096 \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "${CACERT}" ]; then
|
if [ -f "${CA_CERT}" ]; then
|
||||||
printf "%s already exists, do you really want to erase it ? [y/N] " "${CACERT}"
|
printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_CERT}"
|
||||||
read -r REPLY
|
read -r REPLY
|
||||||
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
resp=$(echo "${REPLY}" | tr 'Y' 'y')
|
||||||
if [ "${resp}" = "y" ]; then
|
if [ "${resp}" = "y" ]; then
|
||||||
rm "${CACERT}"
|
rm "${CA_CERT}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "${CACERT}" ]; then
|
if [ ! -f "${CA_CERT}" ]; then
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "${CACERT}" ]; then
|
if [ ! -f "${CA_CERT}" ]; then
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" req \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" req \
|
||||||
-new \
|
-new \
|
||||||
-batch \
|
-batch \
|
||||||
-sha512 \
|
-sha512 \
|
||||||
-x509 \
|
-x509 \
|
||||||
-days 3650 \
|
-days 3650 \
|
||||||
-extensions v3_ca \
|
-extensions v3_ca \
|
||||||
-key "${CAKEY}" \
|
-key "${CA_KEY}" \
|
||||||
-out "${CACERT}" \
|
-out "${CA_CERT}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONFFILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -102,45 +102,45 @@ ocsp() {
|
||||||
url=$(echo "${ocsp_uri}" | cut -d':' -f1)
|
url=$(echo "${ocsp_uri}" | cut -d':' -f1)
|
||||||
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
|
||||||
|
|
||||||
if [ ! -f "${OCSPKEY}" ]; then
|
if [ ! -f "${OCSP_KEY}" ]; then
|
||||||
"$OPENSSL" genrsa \
|
"${OPENSSL_BIN}" genrsa \
|
||||||
-out "${OCSPKEY}" \
|
-out "${OCSP_KEY}" \
|
||||||
2048 \
|
${KEY_LENGTH} \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
"$OPENSSL" req \
|
"${OPENSSL_BIN}" req \
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${OCSPKEY}" \
|
-key "${OCSP_KEY}" \
|
||||||
-out "${CSRDIR}/ocsp.csr" \
|
-out "${CSR_DIR}/ocsp.csr" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONFFILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${url}
|
commonName_default = ${url}
|
||||||
[ usr_cert ]
|
[ usr_cert ]
|
||||||
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
|
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ ! -f "${OCSPCERT}" ]; then
|
if [ ! -f "${OCSP_CERT}" ]; then
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "${OCSPCERT}" ]; then
|
if [ ! -f "${OCSP_CERT}" ]; then
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-extensions v3_ocsp \
|
-extensions v3_ocsp \
|
||||||
-in "${CSRDIR}/ocsp.csr" \
|
-in "${CSR_DIR}/ocsp.csr" \
|
||||||
-out "${OCSPCERT}" \
|
-out "${OCSP_CERT}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-config "${CONFFILE}"
|
-config "${CONF_FILE}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exec "${OPENSSL}" ocsp \
|
exec "${OPENSSL_BIN}" ocsp \
|
||||||
-ignore_err \
|
-ignore_err \
|
||||||
-index "${INDEX}" \
|
-index "${INDEX_FILE}" \
|
||||||
-port "${port}" \
|
-port "${port}" \
|
||||||
-rsigner "${OCSPCERT}" \
|
-rsigner "${OCSP_CERT}" \
|
||||||
-rkey "${OCSPKEY}" \
|
-rkey "${OCSP_KEY}" \
|
||||||
-CA "${CACERT}" \
|
-CA "${CA_CERT}" \
|
||||||
-text
|
-text
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -152,7 +152,7 @@ Initialize PKI (create CA key and self-signed cert) :
|
||||||
|
|
||||||
${0} init <commonName_for_CA>
|
${0} init <commonName_for_CA>
|
||||||
|
|
||||||
Run OCSPD server :
|
Run OCSP_D server :
|
||||||
|
|
||||||
${0} ocsp <ocsp_uri:ocsp_port>
|
${0} ocsp <ocsp_uri:ocsp_port>
|
||||||
|
|
||||||
|
@ -190,7 +190,7 @@ warning() {
|
||||||
}
|
}
|
||||||
|
|
||||||
ask_ca_password() {
|
ask_ca_password() {
|
||||||
[ ! -f "${CAKEY}" ] && error "You must initialize your's PKI with shellpki init !"
|
[ ! -f "${CA_KEY}" ] && error "You must initialize your's PKI with shellpki init !"
|
||||||
attempt=$((${1} + 1))
|
attempt=$((${1} + 1))
|
||||||
if [ "${attempt}" -gt 1 ]; then
|
if [ "${attempt}" -gt 1 ]; then
|
||||||
warning "Invalid password, retry."
|
warning "Invalid password, retry."
|
||||||
|
@ -205,8 +205,8 @@ ask_ca_password() {
|
||||||
if [ -z "${CA_PASSWORD}" ]; then
|
if [ -z "${CA_PASSWORD}" ]; then
|
||||||
ask_ca_password "${attempt}"
|
ask_ca_password "${attempt}"
|
||||||
fi
|
fi
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" rsa \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" rsa \
|
||||||
-in "${CAKEY}" \
|
-in "${CA_KEY}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
>/dev/null 2>&1 \
|
>/dev/null 2>&1 \
|
||||||
|| ask_ca_password "${attempt}"
|
|| ask_ca_password "${attempt}"
|
||||||
|
@ -295,14 +295,14 @@ create() {
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
|
||||||
# check if csr_file is a CSR
|
# check if csr_file is a CSR
|
||||||
"${OPENSSL}" req \
|
"${OPENSSL_BIN}" req \
|
||||||
-noout -subject \
|
-noout -subject \
|
||||||
-in "${csr_file}" \
|
-in "${csr_file}" \
|
||||||
>/dev/null 2>&1 \
|
>/dev/null 2>&1 \
|
||||||
|| error "${csr_file} is not a valid CSR !"
|
|| error "${csr_file} is not a valid CSR !"
|
||||||
|
|
||||||
# check if csr_file contain a CN
|
# check if csr_file contain a CN
|
||||||
"${OPENSSL}" req \
|
"${OPENSSL_BIN}" req \
|
||||||
-noout -subject \
|
-noout -subject \
|
||||||
-in "${csr_file}" \
|
-in "${csr_file}" \
|
||||||
| grep -Eo "CN\s*=[^,/]*" \
|
| grep -Eo "CN\s*=[^,/]*" \
|
||||||
|
@ -310,21 +310,21 @@ create() {
|
||||||
|| error "${csr_file} don't contain a CommonName !"
|
|| error "${csr_file} don't contain a CommonName !"
|
||||||
|
|
||||||
# get CN from CSR
|
# get CN from CSR
|
||||||
cn=$("${OPENSSL}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
|
cn=$("${OPENSSL_BIN}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
|
||||||
|
|
||||||
# check if CN already exist
|
# check if CN already exist
|
||||||
if [ -f "${CRTDIR}/${cn}.crt" ]; then
|
if [ -f "${CRT_DIR}/${cn}.crt" ]; then
|
||||||
error "${cn} already used !"
|
error "${cn} already used !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ca sign and generate cert
|
# ca sign and generate cert
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONFFILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-in "${csr_file}" \
|
-in "${csr_file}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-out "${CRTDIR}/${cn}.crt"
|
-out "${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
echo "The CRT file is available in ${CRTDIR}/${cn}.crt"
|
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
|
||||||
else
|
else
|
||||||
if [ -z "${cn}" ]; then
|
if [ -z "${cn}" ]; then
|
||||||
show_usage >&2
|
show_usage >&2
|
||||||
|
@ -332,7 +332,7 @@ create() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check if CN already exist
|
# check if CN already exist
|
||||||
if [ -f "${CRTDIR}/${cn}.crt" ]; then
|
if [ -f "${CRT_DIR}/${cn}.crt" ]; then
|
||||||
error "${cn} already used !"
|
error "${cn} already used !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -359,107 +359,107 @@ create() {
|
||||||
|
|
||||||
# generate private key
|
# generate private key
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
PASSWORD="${PASSWORD}" "$OPENSSL" genrsa \
|
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
|
||||||
-aes256 \
|
-aes256 \
|
||||||
-passout env:PASSWORD \
|
-passout env:PASSWORD \
|
||||||
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
2048 \
|
${KEY_LENGTH} \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
else
|
else
|
||||||
"$OPENSSL" genrsa \
|
"${OPENSSL_BIN}" genrsa \
|
||||||
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
2048 \
|
${KEY_LENGTH} \
|
||||||
>/dev/null 2>&1
|
>/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
# generate csr req
|
# generate csr req
|
||||||
PASSWORD="${PASSWORD}" "$OPENSSL" req \
|
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
-passin env:PASSWORD \
|
-passin env:PASSWORD \
|
||||||
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONFFILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
# generate csr req
|
# generate csr req
|
||||||
"$OPENSSL" req \
|
"${OPENSSL_BIN}" req \
|
||||||
-batch \
|
-batch \
|
||||||
-new \
|
-new \
|
||||||
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
-out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
||||||
-config /dev/stdin <<EOF
|
-config /dev/stdin <<EOF
|
||||||
$(cat "${CONFFILE}")
|
$(cat "${CONF_FILE}")
|
||||||
commonName_default = ${cn}
|
commonName_default = ${cn}
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ca sign and generate cert
|
# ca sign and generate cert
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONFFILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-in "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \
|
-in "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
|
||||||
-out "${CRTDIR}/${cn}.crt"
|
-out "${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL}" x509 \
|
"${OPENSSL_BIN}" x509 \
|
||||||
-noout \
|
-noout \
|
||||||
-subject \
|
-subject \
|
||||||
-in "${CRTDIR}/${cn}.crt" \
|
-in "${CRT_DIR}/${cn}.crt" \
|
||||||
>/dev/null 2>&1 \
|
>/dev/null 2>&1 \
|
||||||
|| rm -f "${CRTDIR}/${cn}.crt"
|
|| rm -f "${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then
|
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
|
||||||
error "Error in CSR creation"
|
error "Error in CSR creation"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod 640 "${CRTDIR}/${cn}.crt"
|
chmod 640 "${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
echo "The CRT file is available in ${CRTDIR}/${cn}.crt"
|
echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
# generate pkcs12 format
|
# generate pkcs12 format
|
||||||
if [ -n "${PASSWORD}" ]; then
|
if [ -n "${PASSWORD}" ]; then
|
||||||
PASSWORD="${PASSWORD}" "${OPENSSL}" pkcs12 \
|
PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" pkcs12 \
|
||||||
-export \
|
-export \
|
||||||
-nodes \
|
-nodes \
|
||||||
-passin env:PASSWORD \
|
-passin env:PASSWORD \
|
||||||
-passout env:PASSWORD \
|
-passout env:PASSWORD \
|
||||||
-inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
-in "${CRTDIR}/${cn}.crt" \
|
-in "${CRT_DIR}/${cn}.crt" \
|
||||||
-out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
||||||
else
|
else
|
||||||
"${OPENSSL}" pkcs12 \
|
"${OPENSSL_BIN}" pkcs12 \
|
||||||
-export \
|
-export \
|
||||||
-nodes \
|
-nodes \
|
||||||
-passout pass: \
|
-passout pass: \
|
||||||
-inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" \
|
-inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
|
||||||
-in "${CRTDIR}/${cn}.crt" \
|
-in "${CRT_DIR}/${cn}.crt" \
|
||||||
-out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
-out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod 640 "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
chmod 640 "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
||||||
echo "The PKCS12 config file is available in ${PKCS12DIR}/${cn}-${TIMESTAMP}.p12"
|
echo "The PKCS12 config file is available in ${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
|
||||||
|
|
||||||
# generate openvpn format
|
# generate openvpn format
|
||||||
if [ -e "${CADIR}/ovpn.conf" ]; then
|
if [ -e "${CA_DIR}/ovpn.conf" ]; then
|
||||||
cat "${CADIR}/ovpn.conf" - > "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" <<EOF
|
cat "${CA_DIR}/ovpn.conf" - > "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" <<EOF
|
||||||
<ca>
|
<ca>
|
||||||
$(cat "${CACERT}")
|
$(cat "${CA_CERT}")
|
||||||
</ca>
|
</ca>
|
||||||
|
|
||||||
<cert>
|
<cert>
|
||||||
$(cat "${CRTDIR}/${cn}.crt")
|
$(cat "${CRT_DIR}/${cn}.crt")
|
||||||
</cert>
|
</cert>
|
||||||
|
|
||||||
<key>
|
<key>
|
||||||
$(cat "${KEYDIR}/${cn}-${TIMESTAMP}.key")
|
$(cat "${KEY_DIR}/${cn}-${SUFFIX}.key")
|
||||||
</key>
|
</key>
|
||||||
EOF
|
EOF
|
||||||
chmod 640 "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn"
|
chmod 640 "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
|
||||||
echo "The OpenVPN config file is available in ${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn"
|
echo "The OpenVPN config file is available in ${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -474,36 +474,36 @@ revoke() {
|
||||||
cn="${1}"
|
cn="${1}"
|
||||||
|
|
||||||
# check if CRT exists
|
# check if CRT exists
|
||||||
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then
|
if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
|
||||||
error "Unknow CN : ${cn}"
|
error "Unknow CN : ${cn}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check if CRT is a valid
|
# check if CRT is a valid
|
||||||
"${OPENSSL}" x509 \
|
"${OPENSSL_BIN}" x509 \
|
||||||
-noout \
|
-noout \
|
||||||
-subject \
|
-subject \
|
||||||
-in "${CRTDIR}/${cn}.crt" \
|
-in "${CRT_DIR}/${cn}.crt" \
|
||||||
>/dev/null 2>&1 \
|
>/dev/null 2>&1 \
|
||||||
|| error "${CRTDIR}/${cn}.crt is not a valid CRT, you must delete it !"
|
|| error "${CRT_DIR}/${cn}.crt is not a valid CRT, you must delete it !"
|
||||||
|
|
||||||
# ask for CA passphrase
|
# ask for CA passphrase
|
||||||
ask_ca_password 0
|
ask_ca_password 0
|
||||||
|
|
||||||
echo "Revoke certificate ${CRTDIR}/${cn}.crt :"
|
echo "Revoke certificate ${CRT_DIR}/${cn}.crt :"
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONFFILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-revoke "${CRTDIR}/${cn}.crt" \
|
-revoke "${CRT_DIR}/${cn}.crt" \
|
||||||
&& rm "${CRTDIR}/${cn}.crt"
|
&& rm "${CRT_DIR}/${cn}.crt"
|
||||||
|
|
||||||
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \
|
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
|
||||||
-config "${CONFFILE}" \
|
-config "${CONF_FILE}" \
|
||||||
-passin env:CA_PASSWORD \
|
-passin env:CA_PASSWORD \
|
||||||
-gencrl -out "${CRL}"
|
-gencrl -out "${CRL}"
|
||||||
}
|
}
|
||||||
|
|
||||||
list() {
|
list() {
|
||||||
if [ ! -f "${INDEX}" ]; then
|
if [ ! -f "${INDEX_FILE}" ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -536,15 +536,15 @@ list() {
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "${list_valid}" -eq 0 ]; then
|
if [ "${list_valid}" -eq 0 ]; then
|
||||||
certs=$(grep "^V" "${INDEX}")
|
certs=$(grep "^V" "${INDEX_FILE}")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${list_revoked}" -eq 0 ]; then
|
if [ "${list_revoked}" -eq 0 ]; then
|
||||||
certs=$(grep "^R" "${INDEX}")
|
certs=$(grep "^R" "${INDEX_FILE}")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then
|
if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then
|
||||||
certs=$(cat "${INDEX}")
|
certs=$(cat "${INDEX_FILE}")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
|
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
|
||||||
|
@ -556,7 +556,7 @@ check() {
|
||||||
min_day=90
|
min_day=90
|
||||||
cur_epoch=$(date -u +'%s')
|
cur_epoch=$(date -u +'%s')
|
||||||
|
|
||||||
for cert in ${CRTDIR}/*; do
|
for cert in ${CRT_DIR}/*; do
|
||||||
end_date=$(openssl x509 -noout -enddate -in "${cert}" | cut -d'=' -f2)
|
end_date=$(openssl x509 -noout -enddate -in "${cert}" | cut -d'=' -f2)
|
||||||
end_epoch=$(date -ud "${end_date}" +'%s')
|
end_epoch=$(date -ud "${end_date}" +'%s')
|
||||||
diff_epoch=$((end_epoch - cur_epoch))
|
diff_epoch=$((end_epoch - cur_epoch))
|
||||||
|
@ -574,48 +574,50 @@ check() {
|
||||||
main() {
|
main() {
|
||||||
# default config
|
# default config
|
||||||
# TODO : override with /etc/default/shellpki
|
# TODO : override with /etc/default/shellpki
|
||||||
CONFFILE="/etc/shellpki/openssl.cnf"
|
CONF_FILE="/etc/shellpki/openssl.cnf"
|
||||||
|
|
||||||
if [ "$(uname)" = "OpenBSD" ]; then
|
if [ "$(uname)" = "OpenBSD" ]; then
|
||||||
PKIUSER="_shellpki"
|
PKI_USER="_shellpki"
|
||||||
else
|
else
|
||||||
PKIUSER="shellpki"
|
PKI_USER="shellpki"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${USER}" != "root" ] && [ "${USER}" != "${PKIUSER}" ]; then
|
if [ "${USER}" != "root" ] && [ "${USER}" != "${PKI_USER}" ]; then
|
||||||
error "Please become root before running ${0} !"
|
error "Please become root before running ${0} !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# retrieve CA path from config file
|
# retrieve CA path from config file
|
||||||
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1)
|
CA_DIR=$(grep -E "^dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1)
|
||||||
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
CA_KEY=$(grep -E "^private_key" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
CA_CERT=$(grep -E "^certificate" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
OCSPKEY="${CADIR}/ocsp.key"
|
OCSP_KEY="${CA_DIR}/ocsp.key"
|
||||||
OCSPCERT="${CADIR}/ocsp.pem"
|
OCSP_CERT="${CA_DIR}/ocsp.pem"
|
||||||
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
CRT_DIR=$(grep -E "^certs" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
TMP_DIR=$(grep -E "^new_certs_dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
INDEX_FILE=$(grep -E "^database" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
SERIAL=$(grep -E "^serial" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
SERIAL=$(grep -E "^serial" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
CRL=$(grep -E "^crl" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~")
|
CRL=$(grep -E "^crl" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
|
||||||
|
|
||||||
# directories for clients key, csr, crt
|
# directories for clients key, csr, crt
|
||||||
KEYDIR="${CADIR}/private"
|
KEY_DIR="${CA_DIR}/private"
|
||||||
CSRDIR="${CADIR}/requests"
|
CSR_DIR="${CA_DIR}/requests"
|
||||||
PKCS12DIR="${CADIR}/pkcs12"
|
PKCS12_DIR="${CA_DIR}/pkcs12"
|
||||||
OVPNDIR="${CADIR}/openvpn"
|
OVPN_DIR="${CA_DIR}/openvpn"
|
||||||
|
|
||||||
OPENSSL=$(command -v openssl)
|
KEY_LENGTH=2048
|
||||||
TIMESTAMP=$(/bin/date +"%s")
|
|
||||||
|
|
||||||
if ! getent passwd "${PKIUSER}" >/dev/null || ! getent group "${PKIUSER}" >/dev/null; then
|
OPENSSL_BIN=$(command -v openssl)
|
||||||
error "You must create ${PKIUSER} user and group !"
|
SUFFIX=$(/bin/date +"%s")
|
||||||
|
|
||||||
|
if ! getent passwd "${PKI_USER}" >/dev/null || ! getent group "${PKI_USER}" >/dev/null; then
|
||||||
|
error "You must create ${PKI_USER} user and group !"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -e "${CONFFILE}" ]; then
|
if [ ! -e "${CONF_FILE}" ]; then
|
||||||
error "${CONFFILE} is missing"
|
error "${CONF_FILE} is missing"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}"
|
mkdir -p "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
|
||||||
|
|
||||||
command=${1:-help}
|
command=${1:-help}
|
||||||
|
|
||||||
|
@ -667,10 +669,10 @@ main() {
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# fix right
|
# fix right
|
||||||
chown -R "${PKIUSER}":"${PKIUSER}" "${CADIR}"
|
chown -R "${PKI_USER}":"${PKI_USER}" "${CA_DIR}"
|
||||||
chmod 750 "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}"
|
chmod 750 "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
|
||||||
chmod 600 "${INDEX}"* "${SERIAL}"* "${CAKEY}" "${CRL}"
|
chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}" "${CRL}"
|
||||||
chmod 640 "${CACERT}"
|
chmod 640 "${CA_CERT}"
|
||||||
}
|
}
|
||||||
|
|
||||||
main "$@"
|
main "$@"
|
||||||
|
|
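Review bot: The usage text on the `Run OCSP_D server :` line in the show_usage hunk (@ -152) is a search-and-replace casualty: OCSPD is the daemon name, not a variable, so the user-visible help now reads `OCSP_D`; restore `Run OCSPD server :`. In the ocsp() and create() hunks the new `${KEY_LENGTH} \` argument is the only unquoted expansion on those openssl command lines; it is a fixed `KEY_LENGTH=2048` set in main(), but for consistency with the rest of the script it should be `"${KEY_LENGTH}" \`. The check() hunk still calls bare `openssl x509` on the `end_date=` line while every other invocation in this commit was switched to `"${OPENSSL_BIN}"`, so that one call does not honour the resolved binary. Separately, the privilege check in main() compares `${USER}`, an environment variable the caller controls, rather than the effective identity; comparing `"$(id -un)"` in both halves of that `if` would be the authoritative test, though that predates this commit.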