Expand tabs.

Andy Brody 2013-05-20 00:20:25 -04:00
parent ff5bfd1dd8
commit b2572dcbd8
6 changed files with 125 additions and 125 deletions


@ -7,9 +7,9 @@
if [ "$KEY_DIR" ]; then if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR" rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \ mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \ chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \ touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial" echo 01 >"$KEY_DIR/serial"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'


@ -27,9 +27,9 @@ if [ "$KEY_DIR" ]; then
cp "$1/$2.key" "$KEY_DIR/ca.key" cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA" PARENT_CA="$1/$EXPORT_CA"
else else
PARENT_CA="$1/ca.crt" PARENT_CA="$1/ca.crt"
fi fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"


@ -6,7 +6,7 @@ CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \ cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL" $OPENSSL crl -text -noout -in "$CRL"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'


@ -146,51 +146,51 @@ PKCS11_PIN="dummy"
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case "$1" in case "$1" in
--keysize ) KEY_SIZE=$2 --keysize ) KEY_SIZE=$2
shift;; shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server" --server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;; CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;; --batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;; --interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;; --initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;; --pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;; --csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;; --sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;; --pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1" --pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
PKCS11_ID="$4" PKCS11_ID="$4"
PKCS11_LABEL="$5" PKCS11_LABEL="$5"
shift 4;; shift 4;;
# standalone # standalone
--pkcs11-init) --pkcs11-init)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
PKCS11_LABEL="$4" PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label" die "Please specify library name, slot and label"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" && --label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;; exit $?;;
--pkcs11-slots) --pkcs11-slots)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name" die "Please specify library name"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;; exit 0;;
--pkcs11-objects) --pkcs11-objects)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot" die "Please specify library name and slot"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;; exit 0;;
--help|--usage) --help|--usage)
usage usage
@ -198,27 +198,27 @@ while [ $# -gt 0 ]; do
--version) --version)
echo "$PROGNAME $VERSION" echo "$PROGNAME $VERSION"
exit ;; exit ;;
# errors # errors
--* ) die "$PROGNAME: unknown option: $1" ;; --* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;; * ) break ;;
esac esac
shift shift
done done
if ! [ -z "$BATCH" ]; then if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7" die "Batch mode is unsupported in openssl<0.9.7"
fi fi
fi fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together" die "PKCS#11 and PKCS#12 cannot be specified together"
fi fi
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine" die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi fi
fi fi
# If we are generating pkcs12, only encrypt the final step # If we are generating pkcs12, only encrypt the final step
@ -228,9 +228,9 @@ if [ $DO_P12 -eq 1 ]; then
fi fi
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete" die "PKCS#11 arguments incomplete"
fi fi
fi fi
# If undefined, set default key expiration intervals # If undefined, set default key expiration intervals
@ -254,28 +254,28 @@ fi
# Set KEY_CN, FN # Set KEY_CN, FN
if [ $DO_ROOT -eq 1 ]; then if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then if [ "$1" ]; then
KEY_CN="$1" KEY_CN="$1"
elif [ "$KEY_ORG" ]; then elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA" KEY_CN="$KEY_ORG CA"
fi fi
fi fi
if [ $BATCH ] && [ "$KEY_CN" ]; then if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" "$KEY_CN" echo "Using CA Common Name:" "$KEY_CN"
fi fi
FN="$KEY_CN" FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then elif [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using Common Name:" "$KEY_CN" echo "Using Common Name:" "$KEY_CN"
FN="$KEY_CN" FN="$KEY_CN"
if [ "$1" ]; then if [ "$1" ]; then
FN="$1" FN="$1"
fi fi
else else
if [ $# -ne 1 ]; then if [ $# -ne 1 ]; then
usage usage
exit 1 exit 1
else else
KEY_CN="$1" KEY_CN="$1"
fi fi
FN="$KEY_CN" FN="$KEY_CN"
fi fi
@ -312,64 +312,64 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Make sure $KEY_CONFIG points to the correct version # Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf # of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
: :
else else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG" echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x"; echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1; exit 1;
fi fi
# Build root CA # Build root CA
if [ $DO_ROOT -eq 1 ]; then if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key" chmod 0600 "$CA.key"
else else
# Make sure CA key/cert is available # Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key." echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1 exit 1
fi fi
fi fi
# Generate key for PKCS#11 token # Generate key for PKCS#11 token
PKCS11_ARGS= PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
stty -echo stty -echo
echo -n "User PIN: " echo -n "User PIN: "
read -r PKCS11_PIN read -r PKCS11_PIN
stty echo stty echo
export PKCS11_PIN export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..." echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \ --login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \ --key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi fi
# Build cert/key # Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
# Load certificate into PKCS#11 token # Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \ --login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$FN.crt.der" ]; rm "$FN.crt.der" [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
fi fi
fi fi


@ -27,11 +27,11 @@ if [ "$KEY_DIR" ]; then
# intermediate PKIs # intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT" cat export-ca.crt "$CRL" >"$RT"
else else
cat ca.crt "$CRL" >"$RT" cat ca.crt "$CRL" >"$RT"
fi fi
# verify the revocation # verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else else


@ -3,15 +3,15 @@
cnf="$1/openssl.cnf" cnf="$1/openssl.cnf"
if [ "$OPENSSL" ]; then if [ "$OPENSSL" ]; then
if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.6.cnf" cnf="$1/openssl-0.9.6.cnf"
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.8.cnf" cnf="$1/openssl-0.9.8.cnf"
elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-1.0.0.cnf" cnf="$1/openssl-1.0.0.cnf"
else else
cnf="$1/openssl.cnf" cnf="$1/openssl.cnf"
fi fi
fi fi
echo $cnf echo $cnf