Merge pull request #3 from ab/master

Various mostly pointless style edits
Eric Crist 2013-07-05 10:49:53 -07:00
commit ce372dfb23
20 changed files with 297 additions and 284 deletions


@ -5,9 +5,9 @@
# #
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
chmod 0600 ca.key chmod 0600 ca.key
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,14 +6,14 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-inter <name>"; echo "usage: build-inter <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,15 +6,15 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-key <name>"; echo "usage: build-key <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key chmod 0600 $1.key
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,15 +6,15 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-key-pass <name>"; echo "usage: build-key-pass <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key chmod 0600 $1.key
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,16 +6,16 @@
# the CA certificate as well. # the CA certificate as well.
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-key-pkcs12 <name>"; echo "usage: build-key-pkcs12 <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
chmod 0600 $1.key $1.p12 chmod 0600 $1.key $1.p12
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -8,15 +8,15 @@
# extension in the openssl.cnf file. # extension in the openssl.cnf file.
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-key-server <name>"; echo "usage: build-key-server <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
chmod 0600 $1.key chmod 0600 $1.key
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -8,7 +8,7 @@
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-req <name>"; echo "usage: build-req <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \


@ -8,7 +8,7 @@
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: build-req-pass <name>"; echo "usage: build-req-pass <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \


@ -9,11 +9,11 @@
d=$KEY_DIR d=$KEY_DIR
if test $d; then if test $d; then
rm -rf $d rm -rf $d
mkdir $d && \ mkdir $d && \
chmod go-rwx $d && \ chmod go-rwx $d && \
touch $d/index.txt && \ touch $d/index.txt && \
echo 01 >$d/serial echo 01 >$d/serial
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,13 +6,13 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: list-crl <crlfile.pem>"; echo "usage: list-crl <crlfile.pem>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl crl -text -noout -in $1 openssl crl -text -noout -in $1
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,13 +6,13 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: make-crl <crlfile.pem>"; echo "usage: make-crl <crlfile.pem>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl ca -gencrl -out $1 -config $KEY_CONFIG openssl ca -gencrl -out $1 -config $KEY_CONFIG
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,13 +6,13 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: revoke-crt <file.crt>"; echo "usage: revoke-crt <file.crt>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl ca -revoke $1 -config $KEY_CONFIG openssl ca -revoke $1 -config $KEY_CONFIG
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -7,23 +7,23 @@ CRL=crl.pem
RT=revoke-test.pem RT=revoke-test.pem
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: revoke-full <name>"; echo "usage: revoke-full <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR cd $KEY_DIR
rm -f $RT rm -f $RT
# revoke key and generate a new CRL # revoke key and generate a new CRL
openssl ca -revoke $1.crt -config $KEY_CONFIG openssl ca -revoke $1.crt -config $KEY_CONFIG
# generate a new CRL # generate a new CRL
openssl ca -gencrl -out $CRL -config $KEY_CONFIG openssl ca -gencrl -out $CRL -config $KEY_CONFIG
cat ca.crt $CRL >$RT cat ca.crt $CRL >$RT
# verify the revocation # verify the revocation
openssl verify -CAfile $RT -crl_check $1.crt openssl verify -CAfile $RT -crl_check $1.crt
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -6,13 +6,13 @@
# #
if test $# -ne 1; then if test $# -ne 1; then
echo "usage: sign-req <name>"; echo "usage: sign-req <name>";
exit 1 exit 1
fi fi
if test $KEY_DIR; then if test $KEY_DIR; then
cd $KEY_DIR && \ cd $KEY_DIR && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else else
echo you must define KEY_DIR echo you must define KEY_DIR
fi fi


@ -7,9 +7,9 @@
if [ "$KEY_DIR" ]; then if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR" rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \ mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \ chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \ touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial" echo 01 >"$KEY_DIR/serial"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'


@ -27,9 +27,9 @@ if [ "$KEY_DIR" ]; then
cp "$1/$2.key" "$KEY_DIR/ca.key" cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA" PARENT_CA="$1/$EXPORT_CA"
else else
PARENT_CA="$1/ca.crt" PARENT_CA="$1/ca.crt"
fi fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"


@ -6,7 +6,7 @@ CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \ cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL" $OPENSSL crl -text -noout -in "$CRL"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'


@ -24,8 +24,8 @@
# pkitool is a front-end for the openssl tool. # pkitool is a front-end for the openssl tool.
# Calling scripts can set the certificate organizational # Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable. # unit with the KEY_OU environmental variable.
# Calling scripts can also set the KEY_NAME environmental # Calling scripts can also set the KEY_NAME environmental
# variable to set the "name" X509 subject field. # variable to set the "name" X509 subject field.
@ -44,81 +44,94 @@ die()
need_vars() need_vars()
{ {
echo ' Please edit the vars script to reflect your configuration,' cat <<EOM
echo ' then source it with "source ./vars".' Please edit the vars script to reflect your configuration,
echo ' Next, to start with a fresh PKI configuration and to delete any' then source it with "source ./vars".
echo ' previous certificates and keys, run "./clean-all".' Next, to start with a fresh PKI configuration and to delete any
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys." previous certificates and keys, run "./clean-all".
Finally, you can run this tool ($PROGNAME) to build certificates/keys.
EOM
} }
usage() usage()
{ {
echo "$PROGNAME $VERSION" cat <<EOM
echo "Usage: $PROGNAME [options...] [common-name]" $PROGNAME $VERSION
echo "Options:" Usage: $PROGNAME [options...] [common-name]
echo " --batch : batch mode (default)"
echo " --keysize : Set keysize" Options:
echo " size : size (default=1024)" --batch : batch mode (default)
echo " --interact : interactive mode" --keysize : Set keysize
echo " --server : build server cert" size : size (default=1024)
echo " --initca : build root CA" --interact : interactive mode
echo " --inter : build intermediate CA" --server : build server cert
echo " --pass : encrypt private key with password" --initca : build root CA
echo " --csr : only generate a CSR, do not sign" --inter : build intermediate CA
echo " --sign : sign an existing CSR" --pass : encrypt private key with password
echo " --pkcs12 : generate a combined PKCS#12 file" --csr : only generate a CSR, do not sign
echo " --pkcs11 : generate certificate on PKCS#11 token" --sign : sign an existing CSR
echo " lib : PKCS#11 library" --pkcs12 : generate a combined PKCS#12 file
echo " slot : PKCS#11 slot" --pkcs11 : generate certificate on PKCS#11 token
echo " id : PKCS#11 object id (hex string)" lib : PKCS#11 library
echo " label : PKCS#11 object label" slot : PKCS#11 slot
echo "Standalone options:" id : PKCS#11 object id (hex string)
echo " --pkcs11-slots : list PKCS#11 slots" label : PKCS#11 object label
echo " lib : PKCS#11 library"
echo " --pkcs11-objects : list PKCS#11 token objects" Standalone options:
echo " lib : PKCS#11 library" --pkcs11-slots : list PKCS#11 slots
echo " slot : PKCS#11 slot" lib : PKCS#11 library
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!" --pkcs11-objects : list PKCS#11 token objects
echo " lib : PKCS#11 library" lib : PKCS#11 library
echo " slot : PKCS#11 slot" slot : PKCS#11 slot
echo " label : PKCS#11 token label" --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
echo "Notes:" lib : PKCS#11 library
slot : PKCS#11 slot
label : PKCS#11 token label
Notes:
EOM
need_vars need_vars
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher." cat <<EOM
echo "Generated files and corresponding OpenVPN directives:" In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)" Generated files and corresponding OpenVPN directives:
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)" (Files will be placed in the \$KEY_DIR directory, defined in ./vars)
echo " .crt files -> client/server certificates (--cert)" ca.crt -> root certificate (--ca)
echo " .key files -> private keys, keep secure (--key)" ca.key -> root key, keep secure (not directly used by OpenVPN)
echo " .csr files -> certificate signing request (not directly used by OpenVPN)" .crt files -> client/server certificates (--cert)
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)" .key files -> private keys, keep secure (--key)
echo "Examples:" .csr files -> certificate signing request (not directly used by OpenVPN)
echo " $PROGNAME --initca -> Build root certificate" dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" Examples:
echo " $PROGNAME client1 -> Build \"client1\" certificate/key" $PROGNAME --initca -> Build root certificate
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" $PROGNAME --initca --pass -> Build root certificate with password-protected key
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" $PROGNAME --server server1 -> Build "server1" certificate/key
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" $PROGNAME client1 -> Build "client1" certificate/key
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
echo " Also see ./inherit-inter script." $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" $PROGNAME --sign client4 -> Sign "client4" CSR
echo " -> Build \"client5\" certificate/key in PKCS#11 token" $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." Also see ./inherit-inter script.
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
echo " [edit vars with your site-specific info]" -> Build "client5" certificate/key in PKCS#11 token
echo " source ./vars"
echo " ./clean-all" Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
echo " ./build-dh -> takes a long time, consider backgrounding" Protect client2 key with a password. Build DH parms. Generated files in ./keys :
echo " ./$PROGNAME --initca" [edit vars with your site-specific info]
echo " ./$PROGNAME --server myserver" source ./vars
echo " ./$PROGNAME client1" ./clean-all
echo " ./$PROGNAME --pass client2" ./build-dh -> takes a long time, consider backgrounding
echo "Typical usage for adding client cert to existing PKI:" ./$PROGNAME --initca
echo " source ./vars" ./$PROGNAME --server myserver
echo " ./$PROGNAME client-new" ./$PROGNAME client1
./$PROGNAME --pass client2
Typical usage for adding client cert to existing PKI:
source ./vars
./$PROGNAME client-new
EOM
} }
# Set tool defaults # Set tool defaults
@ -146,51 +159,51 @@ PKCS11_PIN="dummy"
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case "$1" in case "$1" in
--keysize ) KEY_SIZE=$2 --keysize ) KEY_SIZE=$2
shift;; shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server" --server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;; CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;; --batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;; --interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;; --initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;; --pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;; --csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;; --sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;; --pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1" --pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
PKCS11_ID="$4" PKCS11_ID="$4"
PKCS11_LABEL="$5" PKCS11_LABEL="$5"
shift 4;; shift 4;;
# standalone # standalone
--pkcs11-init) --pkcs11-init)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
PKCS11_LABEL="$4" PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label" die "Please specify library name, slot and label"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" && --label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;; exit $?;;
--pkcs11-slots) --pkcs11-slots)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name" die "Please specify library name"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;; exit 0;;
--pkcs11-objects) --pkcs11-objects)
PKCS11_MODULE_PATH="$2" PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3" PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot" die "Please specify library name and slot"
fi fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;; exit 0;;
--help|--usage) --help|--usage)
usage usage
@ -198,27 +211,27 @@ while [ $# -gt 0 ]; do
--version) --version)
echo "$PROGNAME $VERSION" echo "$PROGNAME $VERSION"
exit ;; exit ;;
# errors # errors
--* ) die "$PROGNAME: unknown option: $1" ;; --* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;; * ) break ;;
esac esac
shift shift
done done
if ! [ -z "$BATCH" ]; then if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7" die "Batch mode is unsupported in openssl<0.9.7"
fi fi
fi fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together" die "PKCS#11 and PKCS#12 cannot be specified together"
fi fi
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine" die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi fi
fi fi
# If we are generating pkcs12, only encrypt the final step # If we are generating pkcs12, only encrypt the final step
@ -228,9 +241,9 @@ if [ $DO_P12 -eq 1 ]; then
fi fi
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete" die "PKCS#11 arguments incomplete"
fi fi
fi fi
# If undefined, set default key expiration intervals # If undefined, set default key expiration intervals
@ -254,28 +267,28 @@ fi
# Set KEY_CN, FN # Set KEY_CN, FN
if [ $DO_ROOT -eq 1 ]; then if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then if [ "$1" ]; then
KEY_CN="$1" KEY_CN="$1"
elif [ "$KEY_ORG" ]; then elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA" KEY_CN="$KEY_ORG CA"
fi fi
fi fi
if [ $BATCH ] && [ "$KEY_CN" ]; then if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" "$KEY_CN" echo "Using CA Common Name:" "$KEY_CN"
fi fi
FN="$KEY_CN" FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then elif [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using Common Name:" "$KEY_CN" echo "Using Common Name:" "$KEY_CN"
FN="$KEY_CN" FN="$KEY_CN"
if [ "$1" ]; then if [ "$1" ]; then
FN="$1" FN="$1"
fi fi
else else
if [ $# -ne 1 ]; then if [ $# -ne 1 ]; then
usage usage
exit 1 exit 1
else else
KEY_CN="$1" KEY_CN="$1"
fi fi
FN="$KEY_CN" FN="$KEY_CN"
fi fi
@ -312,64 +325,64 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Make sure $KEY_CONFIG points to the correct version # Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf # of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
: :
else else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG" echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x"; echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1; exit 1;
fi fi
# Build root CA # Build root CA
if [ $DO_ROOT -eq 1 ]; then if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key" chmod 0600 "$CA.key"
else else
# Make sure CA key/cert is available # Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key." echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1 exit 1
fi fi
fi fi
# Generate key for PKCS#11 token # Generate key for PKCS#11 token
PKCS11_ARGS= PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
stty -echo stty -echo
echo -n "User PIN: " echo -n "User PIN: "
read -r PKCS11_PIN read -r PKCS11_PIN
stty echo stty echo
export PKCS11_PIN export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..." echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \ --login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \ --key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi fi
# Build cert/key # Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
# Load certificate into PKCS#11 token # Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \ --login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$FN.crt.der" ]; rm "$FN.crt.der" [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
fi fi
fi fi
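Review bot: The PKCS#11 key generation in the last hunk hard-codes `--key-type rsa:1024` and so ignores the `KEY_SIZE` that `--keysize` sets and that both `openssl req` calls honour through `-newkey rsa:$KEY_SIZE`; a caller who asks for a larger key gets a 1024-bit token key without any message. The line should read `--key-type "rsa:$KEY_SIZE" \` so the token key follows the same size as the file-based path. In the same block the PIN that is carefully read with `stty -echo` is then handed to the tool as `--pin "$PKCS11_PIN"` on the command line, where it is readable in the process list by any local user for the lifetime of each pkcs11-tool run; since the value is already exported in the environment, the `--pin` argument could be dropped if the installed pkcs11-tool can prompt or read the PIN on its own, which is worth confirming against the version easy-rsa targets. Note also that `[ -e "$FN.crt.der" ]; rm "$FN.crt.der"` discards the test result, so the existence check guards nothing and `rm` still runs unconditionally; `[ -e "$FN.crt.der" ] && rm "$FN.crt.der"` is presumably what was intended. The enclosing `if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]` block opens before this section and its `else` branch is not visible here.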


@ -27,11 +27,11 @@ if [ "$KEY_DIR" ]; then
# intermediate PKIs # intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT" cat export-ca.crt "$CRL" >"$RT"
else else
cat ca.crt "$CRL" >"$RT" cat ca.crt "$CRL" >"$RT"
fi fi
# verify the revocation # verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else else


@ -3,15 +3,15 @@
cnf="$1/openssl.cnf" cnf="$1/openssl.cnf"
if [ "$OPENSSL" ]; then if [ "$OPENSSL" ]; then
if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.6.cnf" cnf="$1/openssl-0.9.6.cnf"
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.8.cnf" cnf="$1/openssl-0.9.8.cnf"
elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-1.0.0.cnf" cnf="$1/openssl-1.0.0.cnf"
else else
cnf="$1/openssl.cnf" cnf="$1/openssl.cnf"
fi fi
fi fi
echo $cnf echo $cnf