
c88889c4303fe6b561bf20b1d8402e8b5735fe86 — terrorbyte 1 year, 11 months ago 25cc2d9
More functions
2 files changed, 77 insertions(+), 7 deletions(-)

M Makefile
M hosaka-pki.sh
M Makefile => Makefile +2 -4
@@ 11,15 11,13 @@ config:
		-e "s%{{CONFIGDIR}}%${CONFIGDIR}%g" \
		< config.def > config

#openssl.cnf:
#	@echo sed -e "" < tmpl/openssl.cnf.tmpl > openssl.cnf

install:
	@printf "installing hosaka-pki"
	@mkdir -p "${CONFIGDIR}" "${CONFIGDIR}/ssl" \
		"${CONFIGDIR}/ssh" "${CONFIGDIR}/util"
	@chown 0700 "${CONFIGDIR}/ssl" "${CONFIGDIR}/ssh"
	@cp -f config "${CONFIGDIR}
	@cp -f config "${CONFIGDIR}/config"
	@cp -f openssl.cnf.tmpl "${CONFIGDIR}/openssl.cnf.tmpl"
	@sed -e "s%{{CONFIGDIR}}%${CONFIGDIR}%g" \
		< hosaka-pki.sh > ${PREFIX}/bin/hosaka-pki
	@chown 755 ${PREFIX}/bin/hosaka-pki
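Review bot: The `chown 0700` on the new `ssl`/`ssh` directories and the `chown 755` on the installed script set an owner, not a mode: `chown` accepts a numeric user, so when this target runs as root these lines most likely reassign the CA directories to uid 700 and `${PREFIX}/bin/hosaka-pki` to uid 755 while leaving permissions at the umask default, which is the opposite of what a private-key directory needs and hands a root-run script to whatever account holds that uid. Both should be `chmod`: `@chmod 0700 "${CONFIGDIR}/ssl" "${CONFIGDIR}/ssh"` and `@chmod 755 "${PREFIX}/bin/hosaka-pki"` (quoting `${PREFIX}` as the other paths are). The unterminated `@cp -f config "${CONFIGDIR}` line appears to be the removed side of the `cp` fix, but if it survives in the new file it is a shell syntax error inside the recipe. `install` is also not declared `.PHONY`, and the commented-out `openssl.cnf` rule is dead text that is better removed than kept.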

M hosaka-pki.sh => hosaka-pki.sh +75 -3
@@ 8,16 8,88 @@ readconf() {
	done < "${1}"
}

checkvars() {
	[ -z "$CONFIGDIR" ] && printf "Arguments cannot be empty: %s\\n" "$CONFIGDIR" 1>&2 && exit 1
	[ -z "$SSL_CA_DIR" ] && printf "Arguments cannot be empty: %s\\n" "$SSL_CA_DIR" 1>&2 && exit 1
	[ -z "$SSH_CA_DIR" ] && printf "Arguments cannot be empty: %s\\n" "$SSH_CA_DIR" 1>&2 && exit 1
	[ -z "$DAYSVALID" ] && printf "Arguments cannot be empty: %s\\n" "$DAYSVALID" 1>&2 && exit 1
	[ -z "$MDALGORITHM" ] && printf "Arguments cannot be empty: %s\\n" "$MDALGORITHM" 1>&2 && exit 1
	[ -z "$USEINTERMEDIATE" ] && printf "Arguments cannot be empty: %s\\n" "$USEINTERMEDIATE" 1>&2 && exit 1
	[ -z "$WARNROOTCERT" ] && printf "Arguments cannot be empty: %s\\n" "$WARNROOTCERT" 1>&2 && exit 1
	[ -z "$COUNTRYDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$COUNTRYDEFAULT" 1>&2 && exit 1
	[ -z "$STATEDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$STATEDEFAULT" 1>&2 && exit 1
	[ -z "$LOCALITYDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$LOCALITYDEFAULT" 1>&2 && exit 1
	[ -z "$ORGNAMEDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$ORGNAMEDEFAULT" 1>&2 && exit 1
	[ -z "$ORGUNITDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$ORGUNITDEFAULT" 1>&2 && exit 1
	[ -z "$USERCERTCOMMENT" ] && printf "Arguments cannot be empty: %s\\n" "$USERCERTCOMMENT" 1>&2 && exit 1
	[ -z "$SRVCERTCOMMENT" ] && printf "Arguments cannot be empty: %s\\n" "$SRVCERTCOMMENT" 1>&2 && exit 1
	[ -z "$SSLSERIALDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$SSLSERIALDEFAULT" 1>&2 && exit 1
	[ -z "$SSHSERIALDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$SSHSERIALDEFAULT" 1>&2 && exit 1
}

getconf() {
	#The "compilation" step used for hosaka-pki just uses templates and
	#this will work even if the template injection works or not.
	CONFDIR="{{CONFIGDIR}}"
	case $CONFDIR in
		""|"{{CONFIGDIR}}")
			CONFDIR="/etc/hosaka/pki"
			;;
		*)
			CONFDIR="${CONFIGDIR}"
		;;
	esac
	[ -f "${CONFIGDIR}/config" ] && readconf "${CONFIGDIR}/config"
}

sslgenconf() {
	getconf
	checkvars
	#Generate conf for the CA and if an intermediate is in use, generate
	#for that as well
	sed -e "" < "$"
	sed -e "s%{{SSLDIR}}%${SSL_CA_DIR}%g" \
		-e "s%{{MDALGORITHM}}%${MDALGORITHM}%g" \
		-e "s%{{DAYSVALID}}%${DAYSVALID}%g" \
		-e "s%{{COUNTRYDEFAULT}}%${COUNTRYDEFAUL}%g" \
		-e "s%{{STATEDEFAULT}}%${STATEDEFAULT}%g" \
		-e "s%{{LOCALITYDEFAULT}}%${LOCALITYDEFAULT}%g" \
		-e "s%{{ORGNAMEDEFAULT}}%${ORGNAMEDEFAULT}%g" \
		-e "s%{{ORGUNITDEFAULT}}%${ORGUNITDEFAULT}%g" \
		-e "s%{{USERCERTCOMMENT}}%${USERCERTCOMMENT}%g" \
		-e "s%{{SERVERCERTCOMMENT}}%${SERVERCERTCOMMENT}%g" \
		-e "s%{{SSLSERIALDEFAULT}}%${SSLSERIALDEFAULT}%g" \
		< "$SSL_CA_DIR/openssl.cnf.tmpl" > "$SSL_CA_DIR/openssl.cnf"
	ssluseintermediate && sed -e "s%{{SSLDIR}}%${SSL_CA_DIR}/intermediate%g" \
		-e "s%{{MDALGORITHM}}%${MDALGORITHM}%g" \
		-e "s%{{DAYSVALID}}%${DAYSVALID}%g" \
		-e "s%{{COUNTRYDEFAULT}}%${COUNTRYDEFAUL}%g" \
		-e "s%{{STATEDEFAULT}}%${STATEDEFAULT}%g" \
		-e "s%{{LOCALITYDEFAULT}}%${LOCALITYDEFAULT}%g" \
		-e "s%{{ORGNAMEDEFAULT}}%${ORGNAMEDEFAULT}%g" \
		-e "s%{{ORGUNITDEFAULT}}%${ORGUNITDEFAULT}%g" \
		-e "s%{{USERCERTCOMMENT}}%${USERCERTCOMMENT}%g" \
		-e "s%{{SERVERCERTCOMMENT}}%${SERVERCERTCOMMENT}%g" \
		-e "s%{{SSLSERIALDEFAULT}}%${SSLSERIALDEFAULT}%g" \
		< "$SSL_CA_DIR/openssl.cnf.tmpl" > "$SSL_CA_DIR/openssl_intermediate.cnf"
}

sslgenca() {
	#TODO automation support
	sslcreatedirs

	_UMASK="$(umask)"
	umask 077
	#TODO check if files exist
	#TODO check if ca on disk and if not exit
	printf "generating ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/private/ca.key.pem"
	openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
		-extensions v3_ca -days "$CADAYSVALID" -notext \
		-md "$MDALGORITHM" \
		-in "${SSL_CA_DIR}/csr/intermediate.csr.pem" \
		-out "${SSL_CA_DIR}/certs/intermediate.cert.pem"
	umask "${_UMASK}"
}

ssluseintermediate() {


@@ 72,7 144,7 @@ sslgenintermediate() {
}

sslcheckcaondisk() {
	[ -f "$SSL_CA_DIR/private/ca.key.pem" ]
	[ -f "$SSL_CA_DIR/private/ca.key.pem" ] && printf "CA file is on disk. This is not a secure configuration and the root CA should not be stored with the intermediate and should only be used to generate new intermediates.\\n" 1>&2
}
#
#sslsignserver() {
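Review bot: `checkvars` can never report which variable was missing, because every `printf` line passes the just-tested empty value as the `%s` argument instead of the variable name, and the list omits `CADAYSVALID`, which `sslgenca` hands to `openssl ca -days` and which would then be empty. The generated-config path has two name slips that silently leave empty fields in `openssl.cnf`: `${COUNTRYDEFAUL}` in both `sed` invocations of `sslgenconf`, and `$SERVERCERTCOMMENT`, which is not the `SRVCERTCOMMENT` that `checkvars` validates. The stray `sed -e "" < "$"` at the top of `sslgenconf` reads a file literally named `$` and should be dropped, and `getconf` computes `CONFDIR` but then reads `${CONFIGDIR}/config`, so its `/etc/hosaka/pki` fallback never takes effect. A name-driven loop makes the check complete and the message useful; the `eval` below only ever sees identifiers from the fixed list, never a config value. `ssluseintermediate` begins at the end of the first hunk and its body is outside it.
```shell
checkvars() {
	#Every name here must be set by the config file; report the NAME of the
	#first empty one rather than its (empty) value.
	for _name in CONFIGDIR SSL_CA_DIR SSH_CA_DIR DAYSVALID CADAYSVALID \
		MDALGORITHM USEINTERMEDIATE WARNROOTCERT COUNTRYDEFAULT \
		STATEDEFAULT LOCALITYDEFAULT ORGNAMEDEFAULT ORGUNITDEFAULT \
		USERCERTCOMMENT SRVCERTCOMMENT SSLSERIALDEFAULT SSHSERIALDEFAULT; do
		eval "_val=\${${_name}}"
		[ -z "${_val}" ] && printf "Arguments cannot be empty: %s\\n" "${_name}" 1>&2 && exit 1
	done
}
# … unchanged: getconf (read "${CONFDIR}/config" instead of "${CONFIGDIR}/config") …
# … unchanged: sslgenconf (remove the `sed -e "" < "$"` line; COUNTRYDEFAUL -> COUNTRYDEFAULT; SERVERCERTCOMMENT -> SRVCERTCOMMENT in both sed calls) …
```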