~poptart/hosaka-pki

ref: c88889c4303fe6b561bf20b1d8402e8b5735fe86 hosaka-pki/hosaka-pki.sh -rw-r--r-- 5.9 KiB
c88889c4 — terrorbyte More functions 2 years ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/bin/sh -e

readconf() {
	while IFS='=' read -r key val; do
    		[ "${key##\#*}" ] || continue
    		export "$key=$val" 2>/dev/null ||
    		     printf '%s is not a valid variable\n' "$key"
	done < "${1}"
}

checkvars() {
	[ -z "$CONFIGDIR" ] && printf "Arguments cannot be empty: %s\\n" "$CONFIGDIR" 1>&2 && exit 1
	[ -z "$SSL_CA_DIR" ] && printf "Arguments cannot be empty: %s\\n" "$SSL_CA_DIR" 1>&2 && exit 1
	[ -z "$SSH_CA_DIR" ] && printf "Arguments cannot be empty: %s\\n" "$SSH_CA_DIR" 1>&2 && exit 1
	[ -z "$DAYSVALID" ] && printf "Arguments cannot be empty: %s\\n" "$DAYSVALID" 1>&2 && exit 1
	[ -z "$MDALGORITHM" ] && printf "Arguments cannot be empty: %s\\n" "$MDALGORITHM" 1>&2 && exit 1
	[ -z "$USEINTERMEDIATE" ] && printf "Arguments cannot be empty: %s\\n" "$USEINTERMEDIATE" 1>&2 && exit 1
	[ -z "$WARNROOTCERT" ] && printf "Arguments cannot be empty: %s\\n" "$WARNROOTCERT" 1>&2 && exit 1
	[ -z "$COUNTRYDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$COUNTRYDEFAULT" 1>&2 && exit 1
	[ -z "$STATEDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$STATEDEFAULT" 1>&2 && exit 1
	[ -z "$LOCALITYDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$LOCALITYDEFAULT" 1>&2 && exit 1
	[ -z "$ORGNAMEDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$ORGNAMEDEFAULT" 1>&2 && exit 1
	[ -z "$ORGUNITDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$ORGUNITDEFAULT" 1>&2 && exit 1
	[ -z "$USERCERTCOMMENT" ] && printf "Arguments cannot be empty: %s\\n" "$USERCERTCOMMENT" 1>&2 && exit 1
	[ -z "$SRVCERTCOMMENT" ] && printf "Arguments cannot be empty: %s\\n" "$SRVCERTCOMMENT" 1>&2 && exit 1
	[ -z "$SSLSERIALDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$SSLSERIALDEFAULT" 1>&2 && exit 1
	[ -z "$SSHSERIALDEFAULT" ] && printf "Arguments cannot be empty: %s\\n" "$SSHSERIALDEFAULT" 1>&2 && exit 1
}

getconf() {
	#The "compilation" step used for hosaka-pki just uses templates and
	#this will work even if the template injection works or not.
	CONFDIR="{{CONFIGDIR}}"
	case $CONFDIR in
		""|"{{CONFIGDIR}}")
			CONFDIR="/etc/hosaka/pki"
			;;
		*)
			CONFDIR="${CONFIGDIR}"
		;;
	esac
	[ -f "${CONFIGDIR}/config" ] && readconf "${CONFIGDIR}/config"
}

sslgenconf() {
	getconf
	checkvars
	#Generate conf for the CA and if an intermediate is in use, generate
	#for that as well
	sed -e "s%{{SSLDIR}}%${SSL_CA_DIR}%g" \
		-e "s%{{MDALGORITHM}}%${MDALGORITHM}%g" \
		-e "s%{{DAYSVALID}}%${DAYSVALID}%g" \
		-e "s%{{COUNTRYDEFAULT}}%${COUNTRYDEFAUL}%g" \
		-e "s%{{STATEDEFAULT}}%${STATEDEFAULT}%g" \
		-e "s%{{LOCALITYDEFAULT}}%${LOCALITYDEFAULT}%g" \
		-e "s%{{ORGNAMEDEFAULT}}%${ORGNAMEDEFAULT}%g" \
		-e "s%{{ORGUNITDEFAULT}}%${ORGUNITDEFAULT}%g" \
		-e "s%{{USERCERTCOMMENT}}%${USERCERTCOMMENT}%g" \
		-e "s%{{SERVERCERTCOMMENT}}%${SERVERCERTCOMMENT}%g" \
		-e "s%{{SSLSERIALDEFAULT}}%${SSLSERIALDEFAULT}%g" \
		< "$SSL_CA_DIR/openssl.cnf.tmpl" > "$SSL_CA_DIR/openssl.cnf"
	ssluseintermediate && sed -e "s%{{SSLDIR}}%${SSL_CA_DIR}/intermediate%g" \
		-e "s%{{MDALGORITHM}}%${MDALGORITHM}%g" \
		-e "s%{{DAYSVALID}}%${DAYSVALID}%g" \
		-e "s%{{COUNTRYDEFAULT}}%${COUNTRYDEFAUL}%g" \
		-e "s%{{STATEDEFAULT}}%${STATEDEFAULT}%g" \
		-e "s%{{LOCALITYDEFAULT}}%${LOCALITYDEFAULT}%g" \
		-e "s%{{ORGNAMEDEFAULT}}%${ORGNAMEDEFAULT}%g" \
		-e "s%{{ORGUNITDEFAULT}}%${ORGUNITDEFAULT}%g" \
		-e "s%{{USERCERTCOMMENT}}%${USERCERTCOMMENT}%g" \
		-e "s%{{SERVERCERTCOMMENT}}%${SERVERCERTCOMMENT}%g" \
		-e "s%{{SSLSERIALDEFAULT}}%${SSLSERIALDEFAULT}%g" \
		< "$SSL_CA_DIR/openssl.cnf.tmpl" > "$SSL_CA_DIR/openssl_intermediate.cnf"
}

sslgenca() {
	#TODO automation support
	sslcreatedirs
	_UMASK="$(umask)"
	umask 077
	#TODO check if files exist
	#TODO check if ca on disk and if not exit
	printf "generating ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/private/ca.key.pem"
	openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
		-extensions v3_ca -days "$CADAYSVALID" -notext \
		-md "$MDALGORITHM" \
		-in "${SSL_CA_DIR}/csr/intermediate.csr.pem" \
		-out "${SSL_CA_DIR}/certs/intermediate.cert.pem"
	umask "${_UMASK}"
}

ssluseintermediate() {
	case "$USEINTERMEDIATE" in
		y*|Y*)
			return 0
		;;
	*)
		;;
	esac
	return 1
}

sslcreatedirs() {
	mkdir -p "${SSL_CA_DIR}/intermediate" \
		"${SSL_CA_DIR}/certs" \
		"${SSL_CA_DIR}/crl" \
		"${SSL_CA_DIR}/csr" \
		"${SSL_CA_DIR}/private" \
		"${SSL_CA_DIR}/new" && \
	chmod 700 "${SSL_CA_DIR}/private"
	ssluseintermediate && \
		mkdir -p "${SSL_CA_DIR}/intermediate" \
			"${SSL_CA_DIR}/intermediate/certs" \
			"${SSL_CA_DIR}/intermediate/crl" \
			"${SSL_CA_DIR}/intermediate/csr" \
			"${SSL_CA_DIR}/intermediate/private" \
			"${SSL_CA_DIR}/intermediate/new" && \
		chmod 700 "${SSL_CA_DIR}/intermediate/private"
}

sslgenintermediate() {
	_UMASK="$(umask)"
	umask 077
	#TODO check if files exist
	#TODO check if ca on disk and if not exit
	printf "generating intermediate ca\\n"
	#TODO support automation ie, symm keys stored on disk
	openssl ecparam -genkey -name secp521r1 | openssl ec -aes-256-cbc \
		-out "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem"
	printf "generating intermediate csr\\n"
	openssl req -config "${SSL_CA_DIR}/openssl.cnf" -new -sha512 \
		-key "${SSL_CA_DIR}/intermediate/private/intermediate.key.pem" \
		-out "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem"
	printf "signing intermediate ca\\nenter ca cert password\\n"
	openssl ca -config "${SSL_CA_DIR}/openssl.cnf" \
		-extensions v3_intermediate_ca -days "$CADAYSVALID" -notext \
		-md "$MDALGORITHM" \
		-in "${SSL_CA_DIR}/intermediate/csr/intermediate.csr.pem" \
		-out "${SSL_CA_DIR}/intermediate/certs/intermediate.cert.pem"
	umask "${_UMASK}"
}

sslcheckcaondisk() {
	[ -f "$SSL_CA_DIR/private/ca.key.pem" ] && printf "CA file is on disk. This is not a secure configuration and the root CA should not be stored with the intermediate and should only be used to generate new intermediates.\\n" 1>&2
}
#
#sslsignserver() {
#
#}
#
#sslsignclient() {
#
#}
#sslcheckexpir() {
#
#}