
8e4f26e79c313b1e9949256fde6229e0b1cf18d0 — terrorbyte 1 year, 11 months ago d9b43ad
Added full support for generating CA and Intermediates
2 files changed, 43 insertions(+), 29 deletions(-)

M config.def
M hosaka-pki.sh
M config.def => config.def +7 -7
@@ 21,13 21,13 @@ USEINTERMEDIATE=yes
WARNROOTCERT=yes

#Default settings for signing if they are not set
COUNTRYDEFAULT="HX"
STATEDEFAULT="Cyberspace"
LOCALITYDEFAULT="NULL"
ORGNAMEDEFAULT="Hosaka Corporation"
ORGUNITDEFAULT="Crypto Munitions Bureau"
USERCERTCOMMENT="Hosaka PKI Generated Client Certificate"
SRVCERTCOMMENT="Hosaka PKI Generated Server Certificate"
COUNTRYDEFAULT=HX
STATEDEFAULT=Cyberspace
LOCALITYDEFAULT=NULL
ORGNAMEDEFAULT=Hosaka Corporation
ORGUNITDEFAULT=Crypto Munitions Bureau
USERCERTCOMMENT=Hosaka PKI Generated Client Certificate
SRVCERTCOMMENT=Hosaka PKI Generated Server Certificate

#Default starting serial number
SSLSERIALDEFAULT=1000
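Review bot: Several of the rewritten assignments hold unquoted values with spaces, e.g. `ORGNAMEDEFAULT=Hosaka Corporation` and `ORGUNITDEFAULT=Crypto Munitions Bureau` (assuming, from diff order, the unquoted lines are the added side); that is only safe if getconf extracts the value by splitting each line on `=` rather than sourcing the file, since a sourced shell assignment stops at the first space and would treat `Corporation` as a command. getconf is outside this diff, so this is an assumption to confirm against its implementation. Whichever reader is used, a header comment in config.def such as `# Values are taken verbatim to end of line; do not quote them` would record the contract and keep a later edit from reintroducing the quotes, which would otherwise end up literally inside the certificate subject fields.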

M hosaka-pki.sh => hosaka-pki.sh +36 -22
@@ 91,25 91,6 @@ sslgenconf() {
		< "$CONFIGDIR/util/openssl.cnf.tmpl" > "$SSL_CA_DIR/openssl_intermediate.cnf"
}

sslgenca() {
	#TODO automation support
	sslcreatedirs
	_UMASK="$(umask)"
	umask 077
	#TODO check if files exist
	#TODO check if ca on disk and if not exit
	printf "generating ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/private/ca.key.pem"
	openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
		-extensions v3_ca -days "$CADAYSVALID" -notext \
		-md "$MDALGORITHM" \
		-in "${SSL_CA_DIR}/csr/intermediate.csr.pem" \
		-out "${SSL_CA_DIR}/certs/intermediate.cert.pem"
	umask "${_UMASK}"
}

ssluseintermediate() {
	case "$USEINTERMEDIATE" in
		y*|Y*)


@@ 140,17 121,39 @@ sslcreatedirs() {
		chmod 700 "${SSL_CA_DIR}/intermediate/private"
}

sslgenca() {
	sslcreatedirs
	_UMASK="$(umask)"
	umask 077
	if [ -f "${SSL_CA_DIR}/private/ca.key.pem" ]; then
		printf "ca key already exists! bailing...\\n" 1>&2
		exit 2
	fi
	printf "generating ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/private/ca.key.pem"
	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -x509 -new -SHA384 -nodes -key "${SSL_CA_DIR}/private/ca.key.pem" -days 3650 -out "${SSL_CA_DIR}/certs/ca.cert.pem"
	touch "${SSL_CA_DIR}/index.txt"
	umask "${_UMASK}"
}



sslgenintermediate() {
	_UMASK="$(umask)"
	umask 077
	#TODO check if files exist
	#TODO check if ca on disk and if not exit
	if [ -f "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem" ]; then
		printf "intermediate key already exists! bailing...\\n" 1>&2
		exit 2
	fi
	printf "generating intermediate ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem"
	touch "${SSL_CA_DIR}/intermediate/index.txt"
	printf "generating intermediate csr\\n"
	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -new -sha512 \
	openssl req -config "${SSL_CA_DIR}/openssl_intermediate.cnf" -new -sha512 \
		-key "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem" \
		-out "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem"
	printf "signing intermediate ca\\nenter ca cert password\\n"
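Review bot: The new sslgenca's `openssl req` line hard-codes `-days 3650` and `-SHA384`, whereas the version it replaces read `"$CADAYSVALID"` and `"$MDALGORITHM"`, so the root certificate's lifetime and digest can no longer be set from config.def; suggest `-days "$CADAYSVALID"` and deriving the digest flag from the config value (for `openssl req` that is the `-<digest>` form, e.g. `-"$MDALGORITHM"` when it holds `sha384`). The key-generation pipeline just above it is also unchecked: if `openssl ec -aes-256-cbc` fails after the passphrase prompt, a missing or truncated `ca.key.pem` may be left behind and the next run then stops at the new "ca key already exists" guard, so appending `|| { rm -f -- "${SSL_CA_DIR}/private/ca.key.pem"; exit 1; }` to that pipeline would keep the guard meaningful; whether `set -e` is in force is not visible in the hunk. The same unchecked pipeline pattern appears in sslgenintermediate for `intermediate.key.pem`. sslgenintermediate continues past the end of the hunk.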


@@ 166,10 169,21 @@ sslcheckcaondisk() {
	[ -f "$SSL_CA_DIR/private/ca.key.pem" ] && printf "CA file is on disk. This is not a secure configuration and the root CA should not be stored with the intermediate and should only be used to generate new intermediates.\\n" 1>&2
}

sslserialgen() {
	if [ ! -f "${SSL_CA_DIR}/serial" ]; then
		printf "%s\\n" "$SSLSERIALDEFAULT" > "${SSL_CA_DIR}/serial"
		ssluseintermediate && \
			printf "%s\\n" "$SSLSERIALDEFAULT" > "${SSL_CA_DIR}/intermediate/serial"
	fi
}

getconf
sslcheckcaondisk
sslcreatedirs
sslgenconf
sslgenca
sslserialgen
sslgenintermediate
#
#sslsignserver() {
#
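Review bot: The call sequence added at the bottom runs unconditionally, and sslgenca exits with status 2 when `private/ca.key.pem` already exists, so on any run after the first the script aborts before sslserialgen and sslgenintermediate ever execute — an intermediate cannot be issued for an existing root with this flow. Either turn the existence check in sslgenca into a skip (`printf ... 1>&2; umask "${_UMASK}"; return 0`) or dispatch on an argument, e.g. `case "${1:-all}" in ca) sslgenca ;; intermediate) sslgenintermediate ;; esac`, so the two steps can be run separately. This also bears on the warning sslcheckcaondisk prints: the flow goes on to create the root key in the very SSL_CA_DIR it just warned about, so the separation that message recommends has no supported path yet; a comment above the calls stating that this is the one-shot bootstrap flow would at least document the intent. Whether argument handling exists beyond the hunk cannot be seen here (the commented `sslsignserver` stub suggests more is planned).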