Merge branch 'TinCanTech-init-pki-soft-keep-tls-key'
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Sep 2, 2024
2 parents 294c05b + 445a61e commit fb7663e
Showing 3 changed files with 173 additions and 88 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
Note: Inline files that contain private key data are now created in sub-dir
'pki/inline/private'.
* easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
Note: Command inline only writes directly to inline file not stdout.
57 changes: 35 additions & 22 deletions dev/easyrsa-tools.lib
Expand Up @@ -24,7 +24,8 @@ verify_openvpn() {
# Try to find openvpn
set_var EASYRSA_OPENVPN "$(which openvpn)"
if [ -f "$EASYRSA_OPENVPN" ]; then
verbose "verify_openvpn - $EASYRSA_OPENVPN"
verbose \
"verify_openvpn - EASYRSA_OPENVPN='$EASYRSA_OPENVPN'"
else
user_error "Cannot find an OpenVPN binary."
fi
Expand All @@ -33,41 +34,52 @@ verify_openvpn() {
# OpenVPN TLS Auth/Crypt Key
tls_key_gen() {
case "$1" in
tls-auth)
tls_key_type=TLS-AUTH
;;
tls-crypt)
tls_key_type=TLS-CRYPT
;;
tls-crypt-v2)
print "Unavailable."
cleanup
;;
*)
die "Unknown key type: '$1'"
tls-crypt) tls_key_type=TLS-CRYPT ;;
tls-auth) tls_key_type=TLS-AUTH ;;
*) die "Unknown key type: '$1'"
esac
tls_key_file="$EASYRSA_PKI/private/easyrsa-tls.key"

# Forbid overwrite
# Over write error message
tls_key_error_msg="
If this file is changed then it MUST be redistributed to ALL servers
AND clients, to be in effect. Do NOT change this existing file."

# Assign possible TLS key sources
tls_key_file="$EASYRSA_PKI"/private/easyrsa-tls.key
old_tls_key_file="$EASYRSA_PKI"/easyrsa-keepsafe-tls.key

# Forbid overwrite - default TLS key
if [ -f "$tls_key_file" ]; then
tls_key_data="$(cat "$tls_key_file")"
case "$tls_key_data" in
*'TLS-AUTH'*)
tls_key_type=TLS-AUTH
;;
*'TLS-CRYPT'*)
tls_key_type=TLS-CRYPT
;;
*)
tls_key_type=UNKNOWN
*'TLS-CRYPT'*) tls_key_type=TLS-CRYPT ;;
*'TLS-AUTH'*) tls_key_type=TLS-AUTH ;;
*) tls_key_type=UNKNOWN
esac

user_error "\
Cannot overwrite existing $tls_key_type Key:
* $tls_key_file
$tls_key_error_msg"
fi

If this file is changed then it MUST be redistributed to ALL servers
AND clients, to be in effect. Do NOT change the existing file."
# Forbid overwrite - Old TLS key
if [ -f "$old_tls_key_file" ]; then
old_tls_key_data="$(cat "$old_tls_key_file")"
case "$old_tls_key_data" in
*'TLS-CRYPT'*) tls_key_type=TLS-CRYPT ;;
*'TLS-AUTH'*) tls_key_type=TLS-AUTH ;;
*) tls_key_type=UNKNOWN
esac

user_error "\
Cannot overwrite existing $tls_key_type Key:
* $old_tls_key_file
$tls_key_error_msg"
fi

verify_openvpn
Expand All @@ -89,7 +101,8 @@ AND clients, to be in effect. Do NOT change the existing file."

notice "\
$tls_key_type Key generated at:
* $tls_key_file"
* $tls_key_file
$tls_key_error_msg"
verbose "tls_key_gen: openvpn --genkey $tls_key_type OK"
} # => tls_key_gen()

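Review bot: The new "Forbid overwrite - Old TLS key" branch in tls_key_gen duplicates the detect-type-and-refuse logic of the default-key branch verbatim, and both copies read the whole private key into a shell variable (`tls_key_data="$(cat ...)"`, `old_tls_key_data="$(cat ...)"`) only to substring-match a marker, which puts key bytes where `set -x` or similar tracing would print them. A small helper taking the path as `$1` and using `grep -q -- 'TLS-CRYPT' "$1"` / `grep -q -- 'TLS-AUTH' "$1"` removes the duplication and keeps the key material out of variables; if the project prefers builtins over grep, the same helper can keep the `case` and the point about duplication still stands. The TLS-CRYPT-before-TLS-AUTH ordering of the new case arms is preserved below. tls_key_gen begins inside the second hunk but its body continues past it into the third, where the closing `}` is.
```shell
# Refuse to overwrite an existing TLS key, reporting the key type found in it.
# $1 - path of the candidate key file; returns 0 when it does not exist
tls_key_refuse_overwrite() {
	[ -f "$1" ] || return 0
	# grep -q keeps the private key bytes out of shell variables (and set -x traces)
	if grep -q -- 'TLS-CRYPT' "$1"; then tls_key_type=TLS-CRYPT
	elif grep -q -- 'TLS-AUTH' "$1"; then tls_key_type=TLS-AUTH
	else tls_key_type=UNKNOWN
	fi
	user_error "\
Cannot overwrite existing $tls_key_type Key:
* $1
$tls_key_error_msg"
} # => tls_key_refuse_overwrite()

# … unchanged: key-type case on "$1", tls_key_error_msg and path assignments …
tls_key_refuse_overwrite "$tls_key_file"
tls_key_refuse_overwrite "$old_tls_key_file"
# … unchanged: verify_openvpn and key generation …
```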
