From b2572dcbd82fcd2ce70905f1c00a33454163b3c6 Mon Sep 17 00:00:00 2001 From: Andy Brody Date: Mon, 20 May 2013 00:20:25 -0400 Subject: [PATCH] Expand tabs. --- easy-rsa/2.0/clean-all | 6 +- easy-rsa/2.0/inherit-inter | 4 +- easy-rsa/2.0/list-crl | 2 +- easy-rsa/2.0/pkitool | 214 +++++++++++++++++------------------ easy-rsa/2.0/revoke-full | 6 +- easy-rsa/2.0/whichopensslcnf | 18 +-- 6 files changed, 125 insertions(+), 125 deletions(-) diff --git a/easy-rsa/2.0/clean-all b/easy-rsa/2.0/clean-all index cc6e3b2..b1d0237 100755 --- a/easy-rsa/2.0/clean-all +++ b/easy-rsa/2.0/clean-all @@ -7,9 +7,9 @@ if [ "$KEY_DIR" ]; then rm -rf "$KEY_DIR" mkdir "$KEY_DIR" && \ - chmod go-rwx "$KEY_DIR" && \ - touch "$KEY_DIR/index.txt" && \ - echo 01 >"$KEY_DIR/serial" + chmod go-rwx "$KEY_DIR" && \ + touch "$KEY_DIR/index.txt" && \ + echo 01 >"$KEY_DIR/serial" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/inherit-inter b/easy-rsa/2.0/inherit-inter index aaa5168..1fe3539 100755 --- a/easy-rsa/2.0/inherit-inter +++ b/easy-rsa/2.0/inherit-inter @@ -27,9 +27,9 @@ if [ "$KEY_DIR" ]; then cp "$1/$2.key" "$KEY_DIR/ca.key" if [ -e "$1/$EXPORT_CA" ]; then - PARENT_CA="$1/$EXPORT_CA" + PARENT_CA="$1/$EXPORT_CA" else - PARENT_CA="$1/ca.crt" + PARENT_CA="$1/ca.crt" fi cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" diff --git a/easy-rsa/2.0/list-crl b/easy-rsa/2.0/list-crl index d1d8a69..32c1143 100755 --- a/easy-rsa/2.0/list-crl +++ b/easy-rsa/2.0/list-crl @@ -6,7 +6,7 @@ CRL="${1:-crl.pem}" if [ "$KEY_DIR" ]; then cd "$KEY_DIR" && \ - $OPENSSL crl -text -noout -in "$CRL" + $OPENSSL crl -text -noout -in "$CRL" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool index b9a9e44..53a4676 100755 
--- a/easy-rsa/2.0/pkitool
+++ b/easy-rsa/2.0/pkitool
@@ -146,51 +146,51 @@ PKCS11_PIN="dummy" while [ $# -gt 0 ]; do case "$1" in --keysize ) KEY_SIZE=$2 - shift;; - --server ) REQ_EXT="$REQ_EXT -extensions server" - CA_EXT="$CA_EXT -extensions server" ;; - --batch ) BATCH="-batch" ;; - --interact ) BATCH="" ;; + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --initca ) DO_ROOT="1" ;; - --pass ) NODES_REQ="" ;; + --pass ) NODES_REQ="" ;; --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; - --pkcs11 ) DO_P11="1" - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_ID="$4" - PKCS11_LABEL="$5" - shift 4;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; - # standalone - --pkcs11-init) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - PKCS11_LABEL="$4" - if [ -z "$PKCS11_LABEL" ]; then - die "Please specify library name, slot and label" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ - --label "$PKCS11_LABEL" && - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" - exit $?;; - --pkcs11-slots) - PKCS11_MODULE_PATH="$2" - if [ -z "$PKCS11_MODULE_PATH" ]; then - die "Please specify library name" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots - exit 0;; - --pkcs11-objects) - PKCS11_MODULE_PATH="$2" - PKCS11_SLOT="$3" - if [ -z "$PKCS11_SLOT" ]; then - die "Please specify library name and slot" - fi - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" - exit 0;; + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL 
--module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; --help|--usage) usage @@ -198,27 +198,27 @@ while [ $# -gt 0 ]; do --version) echo "$PROGNAME $VERSION" exit ;; - # errors - --* ) die "$PROGNAME: unknown option: $1" ;; - * ) break ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; esac shift done if ! [ -z "$BATCH" ]; then - if $OPENSSL version | grep 0.9.6 > /dev/null; then - die "Batch mode is unsupported in openssl<0.9.7" - fi + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi fi if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then - die "PKCS#11 and PKCS#12 cannot be specified together" + die "PKCS#11 and PKCS#12 cannot be specified together" fi if [ $DO_P11 -eq 1 ]; then - if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then - die "Please edit $KEY_CONFIG and setup PKCS#11 engine" - fi + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi fi # If we are generating pkcs12, only encrypt the final step @@ -228,9 +228,9 @@ if [ $DO_P12 -eq 1 ]; then fi if [ $DO_P11 -eq 1 ]; then - if [ -z "$PKCS11_LABEL" ]; then - die "PKCS#11 arguments incomplete" - fi + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi fi # If undefined, set default key expiration intervals 
@@ -254,28 +254,28 @@ fi # Set KEY_CN, FN if [ $DO_ROOT -eq 1 ]; then if [ -z "$KEY_CN" ]; then - if [ "$1" ]; then - KEY_CN="$1" - elif [ "$KEY_ORG" ]; then - KEY_CN="$KEY_ORG CA" - fi + if [ "$1" ]; then + KEY_CN="$1" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + fi fi if [ $BATCH ] && [ "$KEY_CN" ]; then - echo "Using CA Common Name:" "$KEY_CN" + echo "Using CA Common Name:" "$KEY_CN" fi FN="$KEY_CN" elif [ $BATCH ] && [ "$KEY_CN" ]; then echo "Using Common Name:" "$KEY_CN" FN="$KEY_CN" if [ "$1" ]; then - FN="$1" + FN="$1" fi else if [ $# -ne 1 ]; then - usage - exit 1 + usage + exit 1 else - KEY_CN="$1" + KEY_CN="$1" fi FN="$KEY_CN" fi 
@@ -312,64 +312,64 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then # Make sure $KEY_CONFIG points to the correct version # of openssl.cnf if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then - : + : else - echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "version of openssl.cnf: $KEY_CONFIG" - echo "The correct version should have a comment that says: easy-rsa version 2.x"; - exit 1; + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; fi # Build root CA if [ $DO_ROOT -eq 1 ]; then - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ - -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ - chmod 0600 "$CA.key" + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" else # Make sure CA key/cert is available - if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then - if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then - echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" - echo "Try $PROGNAME --initca to build a root certificate/key." - exit 1 - fi - fi + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." + exit 1 + fi + fi - # Generate key for PKCS#11 token - PKCS11_ARGS= - if [ $DO_P11 -eq 1 ]; then - stty -echo - echo -n "User PIN: " - read -r PKCS11_PIN - stty echo - export PKCS11_PIN + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN - echo "Generating key pair on PKCS#11 token..." 
- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ - --login --pin "$PKCS11_PIN" \ - --key-type rsa:1024 \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 - PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" - fi + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi # Build cert/key - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ - -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ - ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ - -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ - ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ - -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ - ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ - ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) - # Load certificate into PKCS#11 token - if [ $DO_P11 -eq 1 ]; then - $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ - $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ - 
--login --pin "$PKCS11_PIN" \ - --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" - [ -e "$FN.crt.der" ]; rm "$FN.crt.der" - fi + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi fi diff --git a/easy-rsa/2.0/revoke-full b/easy-rsa/2.0/revoke-full index 4169c4c..439f6a0 100755 --- a/easy-rsa/2.0/revoke-full +++ b/easy-rsa/2.0/revoke-full @@ -27,11 +27,11 @@ if [ "$KEY_DIR" ]; then # intermediate PKIs $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" if [ -e export-ca.crt ]; then - cat export-ca.crt "$CRL" >"$RT" + cat export-ca.crt "$CRL" >"$RT" else - cat ca.crt "$CRL" >"$RT" + cat ca.crt "$CRL" >"$RT" fi - + # verify the revocation $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" else diff --git a/easy-rsa/2.0/whichopensslcnf b/easy-rsa/2.0/whichopensslcnf index ccdaf50..4c5f3c7 100755 --- a/easy-rsa/2.0/whichopensslcnf +++ b/easy-rsa/2.0/whichopensslcnf @@ -3,15 +3,15 @@ cnf="$1/openssl.cnf" if [ "$OPENSSL" ]; then - if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-0.9.6.cnf" - elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-0.9.8.cnf" - elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then - cnf="$1/openssl-1.0.0.cnf" - else - cnf="$1/openssl.cnf" - fi + if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.6.cnf" + elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.8.cnf" + elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-1.0.0.cnf" + else + cnf="$1/openssl.cnf" + fi fi echo $cnf