nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- added option nokey for pkcs12 to avoid exporting private keys

Browse Source 
- added command export-p7 to export certs using pkcs7 format.
This commit is contained in:
Luiz Angelo Daros de Luca 2013-11-20 19:31:45 -02:00
parent 8b1fe0152f
commit 4fa57bff6b
1 changed files with 53 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
easyrsa3/easyrsa
View File

@ -38,6 +38,7 @@ Here is the list of commands available with a short syntax reminder. Use the
show-req <filename_base> [ cmd-opts ] show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ] show-cert <filename_base> [ cmd-opts ]
import-req <request_file_path> <short_basename> import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ] export-p12 <filename_base> [ cmd-opts ]
" "
@ -128,7 +129,13 @@ cmd_help() {
export-p12 <filename_base> [ cmd-opts ] export-p12 <filename_base> [ cmd-opts ]
Export a PKCS#12 file with the keypair specified by <filename_base>" Export a PKCS#12 file with the keypair specified by <filename_base>"
opts=" opts="
noca - do not include the ca.crt file in the PKCS12 output" ;; noca - do not include the ca.crt file in the PKCS12 output
nokey - do not include the private key in the PKCS12 output" ;;
export-p7) text="
export-p7 <filename_base> [ cmd-opts ]
Export a PKCS#7 file with the pubkey specified by <filename_base>"
opts="
noca - do not include the ca.crt file in the PKCS7 output" ;;
altname|subjectaltname|san) text=" altname|subjectaltname|san) text="
--subject-alt-name=SAN_FORMAT_STRING --subject-alt-name=SAN_FORMAT_STRING
This global option adds a subjectAltName to the request or issued This global option adds a subjectAltName to the request or issued
@ -755,8 +762,13 @@ You may now use this name to perform signing operations on this request.
return 0 return 0
} # => import_req() } # => import_req()
# export-p12 backend # export pkcs#12 or pkcs#7
export_p12() { export_pkcs() {
[[ -n "$1" ]] && [[ ( "$1" == "p12" || "$1" == "p7" ) ]] || die "\
The first argument must be p12 or p7."
local pkcs_type="$1"
shift
[ -n "$1" ] || die "\ [ -n "$1" ] || die "\
Unable to export p12: incorrect command syntax. Unable to export p12: incorrect command syntax.
Run easyrsa without commands for usage and command help." Run easyrsa without commands for usage and command help."
@ -764,7 +776,6 @@ Run easyrsa without commands for usage and command help."
local short_name="$1" local short_name="$1"
local crt_in="$EASYRSA_PKI/issued/$1.crt" local crt_in="$EASYRSA_PKI/issued/$1.crt"
local key_in="$EASYRSA_PKI/private/$1.key" local key_in="$EASYRSA_PKI/private/$1.key"
local p12_out="$EASYRSA_PKI/private/$1.p12"
local crt_ca="$EASYRSA_PKI/ca.crt" local crt_ca="$EASYRSA_PKI/ca.crt"
shift shift
@ -772,42 +783,62 @@ Run easyrsa without commands for usage and command help."
# opts support # opts support
local want_ca=1 local want_ca=1
local want_key=1
while [ -n "$1" ]; do while [ -n "$1" ]; do
case "$1" in case "$1" in
noca) want_ca=0 ;; noca) want_ca=0 ;;
nokey) want_key=0 ;;
*) warn "Ignoring unknown command option: '$1'" ;; *) warn "Ignoring unknown command option: '$1'" ;;
esac esac
shift shift
done done
local p12_opts= local pkcs_opts=
if [ $want_ca -eq 1 ]; then if [ $want_ca -eq 1 ]; then
verify_file x509 "$crt_ca" || die "\ verify_file x509 "$crt_ca" || die "\
Unable to include CA cert in the p12 output (missing file, or use noca option.) Unable to include CA cert in the $pkcs_type output (missing file, or use noca option.)
Missing file expected at: $crt_ca" Missing file expected at: $crt_ca"
p12_opts="$p12_opts -certfile $crt_ca" pkcs_opts="$pkcs_opts -certfile $crt_ca"
fi fi
# input files must exist # input files must exist
verify_file x509 "$crt_in" || die "\ verify_file x509 "$crt_in" || die "\
Unable to export p12 for short name '$short_name' without the certificate. Unable to export $pkcs_type for short name '$short_name' without the certificate.
Missing cert expected at: $crt_in" Missing cert expected at: $crt_in"
case "$pkcs_type" in
p12)
local pkcs_out="$EASYRSA_PKI/private/$short_name.p12"
if [ $want_key -eq 1 ]; then
[ -f "$key_in" ] || die "\ [ -f "$key_in" ] || die "\
Unable to export p12 for short name '$short_name' without the key. Unable to export p12 for short name '$short_name' without the key.
Missing key expected at: $key_in" Missing key expected at: $key_in, or use nokey option.)"
else
pkcs_opts="$pkcs_opts -nokeys"
fi
# export the p12: # export the p12:
"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
-out "$p12_out" $p12_opts || die "\ -out "$pkcs_out" $pkcs_opts || die "\
Export of p12 failed: see above for related openssl errors." Export of p12 failed: see above for related openssl errors."
;;
p7)
local pkcs_out="$EASYRSA_PKI/private/$short_name.p7b"
# export the p7:
"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
-out "$pkcs_out" $pkcs_opts || die "\
Export of p7 failed: see above for related openssl errors."
;;
esac
notice "\ notice "\
Successful export of p12 file. Your exported file is at the following Successful export of $pkcs_type file. Your exported file is at the following
location: $p12_out location: $pkcs_out
" "
return 0 return 0
} # => export_p12() } # => export_pkcs()
# update-db backend # update-db backend
update_db() { update_db() {
@ -1097,8 +1128,12 @@ case "$cmd" in
import_req "$@" import_req "$@"
;; ;;
export-p12) export-p12)
export_p12 "$@" export_pkcs p12 "$@"
;; ;;
export-p7)
export_pkcs p7 "$@"
;;
update-db) update-db)
update_db update_db
;; ;;