
25cc2d9928ba8db6f4e43fc71063d6de663adbbc — terrorbyte 1 year, 11 months ago 3e7aaa5
Started fixing the actual structure. This is actually a real project now
5 files changed, 141 insertions(+), 20 deletions(-)

M Makefile
M config.def
M config.mk
M hosaka-pki.sh
M openssl.cnf.tmpl
M Makefile => Makefile +8 -3
@@ 6,17 6,22 @@ check:
	shellcheck -a -x -s sh ./hosaka-pki.sh

config:
	@sed -e "s%SSLDIR%${SSLDIR}%g" \
		-e "s%SSHDIR%${SSHDIR}%g" \
	@sed -e "s%{{SSLDIR}}%${SSLDIR}%g" \
		-e "s%{{SSHDIR}}%${SSHDIR}%g" \
		-e "s%{{CONFIGDIR}}%${CONFIGDIR}%g" \
		< config.def > config

#openssl.cnf:
#	@echo sed -e "" < tmpl/openssl.cnf.tmpl > openssl.cnf

install:
	@printf "installing hosaka-pki"
	@mkdir -p "${CONFIGDIR}" "${CONFIGDIR}/ssl" \
		"${CONFIGDIR}/ssh" "${CONFIGDIR}/util"
	@chown 0700 "${CONFIGDIR}/ssl" "${CONFIGDIR}/ssh"
	@cp -f config "${CONFIGDIR}
	@cp -f hosaka-pki.sh ${PREFIX}/bin/hosaka-pki
	@sed -e "s%{{CONFIGDIR}}%${CONFIGDIR}%g" \
		< hosaka-pki.sh > ${PREFIX}/bin/hosaka-pki
	@chown 755 ${PREFIX}/bin/hosaka-pki
	@printf "hosaka-pki installed into: ${CONFIGDIR}\\n"
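Review bot: `chown 0700 …` on the ssl/ssh directories and `chown 755 …` on the installed script look like they were meant to be `chmod`: chown treats `0700`/`755` as an owner name, so on GNU chown the CA key directories are handed to uid 700 while their mode stays at whatever `mkdir -p` produced under the current umask (typically 755, i.e. world-traversable), which is the opposite of what the install step is trying to enforce. Change them to `@chmod 0700 "${CONFIGDIR}/ssl" "${CONFIGDIR}/ssh"` and `@chmod 755 "${PREFIX}/bin/hosaka-pki"`. The `@cp -f config "${CONFIGDIR}` line is also missing its closing quote, so the install recipe will not parse at all. Finally, the config target still substitutes `${SSLDIR}`/`${SSHDIR}`, which config.mk no longer appears to define and which the new config.def no longer contains as placeholders; either drop those two `-e` expressions or restore the variables so they do not silently expand to empty strings.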


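--- a/config.def
+++ b/config.def
@@ -1,4 +1,35 @@
 #This is the hosaka-pki configuration file. It is parsed by the PKI shell 
-#script and functions a KEY=VALUE pair set of settings
-SSL_CA_DIR="SSLDIR"
-SSH_CA_DIR="SSHDIR"
+#script and functions a KEY=VALUE pair set of settings.
+#
+CONFIGDIR="/etc/hosaka/pki"
+SSL_CA_DIR="/etc/hosaka/pki/ssl"
+SSH_CA_DIR="/etc/ssh/pki/ssh"
+
+### SSL CONFIG OPTIONS
+#How many days should the cert be valid for
+DAYSVALID=375
+
+#Which signing algorithm to use
+MDALGORITHM="sha256"
+
+#Should we configure an intermediate CA
+USEINTERMEDIATE=yes
+
+#If an intermediate was generated and the root CA keys are still
+#accessible then emit a warning that that's a bad idea
+WARNROOTCERT=yes
+
+#Default settings for signing if they are not set
+COUNTRYDEFAULT="HX"
+STATEDEFAULT="Cyberspace"
+LOCALITYDEFAULT="NULL"
+ORGNAMEDEFAULT="Hosaka Corporation"
+ORGUNITDEFAULT="Crypto Munitions Bureau"
+USERCERTCOMMENT="Hosaka PKI Generated Client Certificate"
+SRVCERTCOMMENT="Hosaka PKI Generated Server Certificate"
+
+#Default starting serial number
+SSLSERIALDEFAULT=1000
+
+### SSH CONFIG OPTIONS
+SSHSERIALDEFAULT=1000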
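Review bot: `SSH_CA_DIR="/etc/ssh/pki/ssh"` does not sit under the `CONFIGDIR` declared two lines above it, and it is not the `${CONFIGDIR}/ssh` directory that the Makefile's install target creates and restricts; unless a separate tree under /etc/ssh is intended, this should read `SSH_CA_DIR="/etc/hosaka/pki/ssh"`. `DAYSVALID` is documented as the generic certificate lifetime, but the script's intermediate-CA signing step reads `CADAYSVALID`, which is not defined anywhere in this file — add it (CA certificates normally get a longer lifetime than leaf certificates) and tighten the comment to `#How many days leaf certificates are valid for (CA lifetime is CADAYSVALID)`. Since the values here are double-quoted shell assignments, the header comment should also state whether the consumer strips those quotes or sources the file, so the two do not drift apart.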

M config.mk => config.mk +0 -2
@@ 2,5 2,3 @@ VERSION = 0.0.1
PREFIX = /usr/local
MANPREFIX = ${PREFIX}/share/man
CONFIGDIR = /etc/hosaka/pki
SSHDIR = /etc/ssh
SSLDIR = /etc/ssl

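--- a/hosaka-pki.sh
+++ b/hosaka-pki.sh
@@ -0,0 +1,87 @@
+#!/bin/sh -e
+
+readconf() {
+	while IFS='=' read -r key val; do
+    		[ "${key##\#*}" ] || continue
+    		export "$key=$val" 2>/dev/null ||
+    		     printf '%s is not a valid variable\n' "$key"
+	done < "${1}"
+}
+
+sslgenconf() {
+	#Generate conf for the CA and if an intermediate is in use, generate
+	#for that as well
+	sed -e "" < "$"
+}
+
+sslgenca() {
+	#TODO automation support
+	sslcreatedirs
+
+}
+
+ssluseintermediate() {
+	case "$USEINTERMEDIATE" in
+		y*|Y*)
+			return 0
+		;;
+	*)
+		;;
+	esac
+	return 1
+}
+
+sslcreatedirs() {
+	mkdir -p "${SSL_CA_DIR}/intermediate" \
+		"${SSL_CA_DIR}/certs" \
+		"${SSL_CA_DIR}/crl" \
+		"${SSL_CA_DIR}/csr" \
+		"${SSL_CA_DIR}/private" \
+		"${SSL_CA_DIR}/new" && \
+	chmod 700 "${SSL_CA_DIR}/private"
+	ssluseintermediate && \
+		mkdir -p "${SSL_CA_DIR}/intermediate" \
+			"${SSL_CA_DIR}/intermediate/certs" \
+			"${SSL_CA_DIR}/intermediate/crl" \
+			"${SSL_CA_DIR}/intermediate/csr" \
+			"${SSL_CA_DIR}/intermediate/private" \
+			"${SSL_CA_DIR}/intermediate/new" && \
+		chmod 700 "${SSL_CA_DIR}/intermediate/private"
+}
+
+sslgenintermediate() {
+	_UMASK="$(umask)"
+	umask 077
+	#TODO check if files exist
+	#TODO check if ca on disk and if not exit
+	printf "generating intermediate ca\\n"
+	#TODO support automation ie, symm keys stored on disk
+	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
+		-out "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem"
+	printf "generating intermediate csr\\n"
+	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -new -sha512 \
+		-key "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem" \
+		-out "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem"
+	printf "signing intermediate ca\\nenter ca cert password\\n"
+	openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
+		-extensions v3_intermediate_ca -days "$CADAYSVALID" -notext \
+		-md "$MDALGORITHM" \
+		-in "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem" \
+		-out "${SSL_CA_DIR}/intermediate/certs/intermediate.cert.pem"
+	umask "${_UMASK}"
+}
+
+sslcheckcaondisk() {
+	[ -f "$SSL_CA_DIR/private/ca.key.pem" ]
+}
+#
+#sslsignserver() {
+#
+#}
+#
+#sslsignclient() {
+#
+#}
+#sslcheckexpir() {
+#
+#}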
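Review bot: `readconf` keeps the surrounding double quotes that config.def places around its values, so after it runs `SSL_CA_DIR` expands to `"/etc/hosaka/pki/ssl"` with the quote characters included, and `sslcreatedirs` will build a directory tree whose name contains literal `"` rather than the intended CA directory under /etc. Strip one layer of quotes before exporting, e.g. `val=${val#\"}; val=${val%\"}` immediately ahead of the `export`, or source the file directly since it is already valid shell. The loop also exports whatever key the file names, `PATH` included, which is only acceptable while the config stays root-owned and mode-restricted — worth a comment on the function. Separately, `sslgenconf` redirects from `"$"`, a literal dollar sign, and `sslgenintermediate` passes `-days "$CADAYSVALID"`, a variable config.def does not define, so the signing step presumably runs with an empty `-days` argument; `sslgenintermediate` is also entered without the `sslcheckcaondisk` guard its own TODO asks for, so a missing root key only surfaces as an openssl error after the intermediate key has already been written.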

M openssl.cnf.tmpl => openssl.cnf.tmpl +12 -12
@@ 2,23 2,23 @@
default_ca = CA_default

[ CA_default ]
dir = /home/ca/ssl
dir = {{SSLDIR}}
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/new
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
RANDFILE = $dir/private/rand
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
default_md        = sha256
default_md        = {{MDALGORITHM}}
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
default_days      = {{DAYSVALID}}
preserve          = no
policy            = policy_strict



@@ 42,7 42,7 @@ emailAddress            = optional
[ req ]
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
default_md          = {{MDALGORITHM}}
x509_extensions     = v3_ca

[ req_distinguished_name ]


@@ 53,11 53,11 @@ localityName                    = Locality Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name

countryName_default             = HX 
stateOrProvinceName_default     = Cyberspace 
localityName_default            = NULL
0.organizationName_default      = Hosaka Corporation 
organizationalUnitName_default = Crypto Munitions Bureau
countryName_default             = {{COUNTRYDEFAULT}}
stateOrProvinceName_default     = {{STATEDEFAULT}}
localityName_default            = {{LOCALITYDEFAULT}}
0.organizationName_default      = {{ORGNAMEDEFAULT}}
organizationalUnitName_default = {{ORGUNITDEFAULT}}

[ v3_ca ]
subjectKeyIdentifier = hash


@@ 74,7 74,7 @@ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
nsComment = "{{USERCERTCOMMENT}}"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment


@@ 83,7 83,7 @@ extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Generated Server Certificate"
nsComment = "{{SRVCERTCOMMENT}}"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
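Review bot: The `{{…}}` placeholders introduced throughout this file have no consumer yet — the Makefile's openssl.cnf rule is commented out and the script's `sslgenconf` is a stub — so as things stand `dir = {{SSLDIR}}` reaches `openssl ca` verbatim and it would presumably fail to open `{{SSLDIR}}/index.txt`. The placeholder name also diverges from the variable the script actually exports (`SSL_CA_DIR`); `dir = {{SSL_CA_DIR}}` keeps template, config.def and script in step once substitution is wired up. `[ usr_cert ]` sets `authorityKeyIdentifier = keyid,issuer` while `[ server_cert ]` uses `keyid,issuer:always`; pick one form for both so client and server certificates chain the same way, and `nsCertType` is a legacy Netscape extension that `extendedKeyUsage` already covers. The `v3_intermediate_ca` section the script requests with `-extensions` is not in the visible hunks — confirm it exists further down, with `pathlen:0` on its `basicConstraints`.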