
6268c8b0cc56eecb7723c12a0086cec468f7d926 — terrorbyte 5 months ago 2c0bb32
updated the default config so that it is not specific to my own configuration, and some other server functions
2 files changed, 55 insertions(+), 20 deletions(-)

M config.def
M hosaka-pki.sh
M config.def => config.def +5 -5
@@ 11,7 11,7 @@ DAYSVALID=375
CADAYSVALID=3750

#Which signing algorithm to use
MDALGORITHM=sha256
MDALGORITHM=sha512

#Should we configure an intermediate CA
USEINTERMEDIATE=yes


@@ 21,11 21,11 @@ USEINTERMEDIATE=yes
WARNROOTCERT=yes

#Default settings for signing if they are not set
COUNTRYDEFAULT=HX
COUNTRYDEFAULT=US
STATEDEFAULT=Cyberspace
LOCALITYDEFAULT=NULL
ORGNAMEDEFAULT=Hosaka Corporation
ORGUNITDEFAULT=Crypto Munitions Bureau
LOCALITYDEFAULT=Fakeland
ORGNAMEDEFAULT=Hosaka Corporation Examples
ORGUNITDEFAULT=Certificate Land
USERCERTCOMMENT=Hosaka PKI Generated Client Certificate
SRVCERTCOMMENT=Hosaka PKI Generated Server Certificate


M hosaka-pki.sh => hosaka-pki.sh +50 -15
@@ 133,12 133,26 @@ sslgenca() {
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/private/ca.key.pem"
	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -x509 -new -SHA384 -nodes -key "${SSL_CA_DIR}/private/ca.key.pem" -days 3650 -out "${SSL_CA_DIR}/certs/ca.cert.pem"
	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -x509 -new \
		-md "$MDALGORITHM" -nodes -key "${SSL_CA_DIR}/private/ca.key.pem" -days 3650 \
		-out "${SSL_CA_DIR}/certs/ca.cert.pem"
	touch "${SSL_CA_DIR}/index.txt"
	umask "${_UMASK}"
}


sslgenserver() {
	#TODO actually check / generate based on cli
	_UMASK="$(umask)"
	umask 077
	printf "generating server keys\\n"
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "$2/$1.key.pem"
	openssl req -x509 -config "${SSL_CA_DIR}/openssl.cnf" -new \
		-md "$MDALGORITHM" -nodes -key "$2/$1.key.pem" -days "$DAYSVALID" \
		-out "$2/$1.csr.pem"
	cat "$2/$1.csr.pem"
	umask "${_UMASK}"
}

sslgenintermediate() {
	_UMASK="$(umask)"


@@ 153,7 167,7 @@ sslgenintermediate() {
		-out "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem"
	touch "${SSL_CA_DIR}/intermediate/index.txt"
	printf "generating intermediate csr\\n"
	openssl req -config "${SSL_CA_DIR}/openssl_intermediate.cnf" -new -sha512 \
	openssl req -config "${SSL_CA_DIR}/openssl_intermediate.cnf" -new -md "$MDALGORITHM" \
		-key "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem" \
		-out "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem"
	printf "signing intermediate ca\\nenter ca cert password\\n"


@@ 177,18 191,39 @@ sslserialgen() {
	fi
}

getconf
sslcheckcaondisk
sslcreatedirs
sslgenconf
sslgenca
sslserialgen
sslgenintermediate
#
#sslsignserver() {
#
#}
#
sslsignserver(){
	if [ $# != 1 ]; then
		printf "signing only works on a single target, and one is required\\n" 1>&2
		exit 3
	fi
	#TODO check if file exists and is readable
	printf "signing csr\\n"
	if [ "$(ssluseintermediate)" ]; then
		openssl ca -config "${SSL_CA_DIR}/openssl_intermediate.cnf" \
			-extensions v3_intermediate_ca -days "$CADAYSVALID" -notext \
			-md "$MDALGORITHM" \
			-in "$1" \
			-out "${SSL_CA_DIR}/intermediate/certs/$(basename "$1").pem"
	else
		openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
			-extensions v3_intermediate_ca -days "$CADAYSVALID" -notext \
			-md "$MDALGORITHM" \
			-in "$1" \
			-out "${SSL_CA_DIR}/intermediate/certs/$(basename "$1").pem"
	fi
}



#getconf
#sslcheckcaondisk
#sslcreatedirs
#sslgenconf
#sslgenca
#sslserialgen
#sslgenintermediate


#sslsignclient() {
#
#}
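Review bot: In sslsignserver both branches sign the server CSR with `-extensions v3_intermediate_ca -days "$CADAYSVALID"` and write the result under `intermediate/certs/`, so a server certificate is issued with the intermediate-CA extension section and CA lifetime; if that section sets basicConstraints CA:TRUE (its name suggests so — confirm in the generated openssl_intermediate.cnf) every signed server cert can itself issue certificates. A server-specific extension section (placeholder name `SERVER_EXT_SECTION`) and `-days "$DAYSVALID"` belong here, and the non-intermediate branch should sign with the root config's server section and output path rather than the intermediate one. Separately, sslgenca, sslgenserver and sslgenintermediate now pass `-md "$MDALGORITHM"` to `openssl req`; as far as I know `-md` is an `openssl ca` option and `req` takes the digest as a flag, as the removed `-sha512` line did, so `-"$MDALGORITHM"` is the form to verify against your openssl version. sslgenserver also passes `-x509` while writing `$2/$1.csr.pem`, which produces a self-signed certificate rather than a request that `openssl ca -in` can sign; dropping `-x509` there gives a real CSR. The sslgenca and sslgenintermediate bodies start outside the hunks shown.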