create-signing-ca

#!/usr/bin/env bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Derek Moore <derek.moore@gmail.com>
# Christian Göttsche <cgzones@googlemail.com>

set -eu
set -o pipefail

umask 0077

BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source "${BIN_DIR}/functions"
source "${BIN_DIR}/defaults.conf"

usage() {
    echo "Usage: $0 [-l] -d CA_DIR"
    echo "Initializes a new signing sub-CA in the directory CA_DIR"
    echo "Must be run inside a root CA dir"
    echo
    echo "Options:"
    echo "    -d CA_DIR  Target directory to be created and initialized"
    echo "               Must not exist yet"
    echo "    -l         Symlink toolchain (designed for development)"
    echo
}

if ! openssl verify -CAfile ca/ca.crt ca/ca.crt >/dev/null 2>&1; then
    echo -e -n "$ERR " && usage && exit 2
fi

CA_DIR=
SYMLINK=0

while getopts d:hl FLAG; do
    case $FLAG in
        d) CA_DIR=${OPTARG} ;;
        h) echo -e -n "$SUCC " && usage && exit 0;;
        l) SYMLINK=1 ;;
        *) echo -e -n "$ERR " && usage && exit 2;;
    esac
done

if [ $OPTIND -le $# ]; then
    echo -e -n "$ERR " && usage && exit 2
elif [[ "${CA_DIR}" = "" ]]; then
    echo -e -n "$SUCC " && usage && exit 2
fi

PARENT="${BIN_DIR}/.."
CA_NAME="$( basename "${CA_DIR}" )"
CA_PATH="${CA_PATH:-$( fullpath "${CA_DIR}")}"
export CA_PATH

echo >&2
echo -e "$NOTE Creating new signing sub-CA in '${CA_DIR}'" >&2
echo >&2

init_ca_home "${CA_DIR}"
trap 'rm -Rf "${CA_DIR}"' 0

# early verification of root ca password
if [ -n "$CA_ENABLE_ENGINE" ]; then
    echo -e "$NOTE Your CA key is on PKCS11 device, enter PIN." >&2
fi
PARENT_PASS=`ask -s "$INPUT Enter passphrase for root CA key: " CA_ROOT_PASS_DEFAULT "${ROOT_PASS:-""}"`
echo >&2
export CA_PARENT_PASS="${PARENT_PASS}"
openssl_engine_cmd='
    -engine pkcs11 
    -inform engine
    -in pkcs11:object=SIGN%20key'
CA_PARENT_MODULUS=$(openssl rsa \
            ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
            $( [ -z $CA_ENABLE_ENGINE ] && echo "-check -in ca/private/ca.key") \
            -noout -modulus \
            -passin env:CA_PARENT_PASS | head -n1)

CA_PARENT_ENABLE_ENGINE=$CA_ENABLE_ENGINE

generate_conf "${CA_DIR}/bin/defaults.conf"
source "${CA_DIR}/bin/defaults.conf"

CA_CERT_CN="${CA_CERT_O} Certificate ${CA_NAME}"
CERT_CN=`ask "$INPUT Common Name for CA certificate [${CA_CERT_CN}]: " CA_SUB_CN_DEFAULT "${CA_CERT_CN}"`
if [ -n "${CERT_CN}" ]; then
    CA_CERT_CN="${CERT_CN}"
fi

if [[ -n $CA_ENABLE_ENGINE ]]; then
    LOOP=1
    while [[ -n $CA_PARENT_ENABLE_ENGINE ]] && [[ -n $LOOP ]]; do
        echo -e "$ERR WARNING: please make sure you have the proper pkcs11 device inserted. Do not have your root CA inserted." >&2
        echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: " >&2
        read -r SURE
        if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
            echo -e "$ERR Exiting." >&2
            exit 1
        fi
        CA_MODULUS=$(openssl rsa \
            ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
            $( [ -z $CA_ENABLE_ENGINE ] && echo "-check -in ca/private/ca.key") \
            -noout -modulus \
            -passin env:CA_PARENT_PASS)
        if [[ $CA_PARENT_MODULUS != $CA_MODULUS ]] ; then
            LOOP=
        fi
    done
    init_engine
    init_slot 9c "${CA_DIR}/ca/ca.pub"
    echo -e -n "$INPUT Enter PIN for signing sub-CA key: " >&2
    read -r -s PASS1
    echo >&2
    if [[ ${#PASS1} -lt 4 ]]; then
        echo -e "$ERR Passphrase is too short, please use at least 4 characters!" >&2
        exit 1
    fi
else
    PASS1=`ask -s "$INPUT Enter passphrase for encrypting signing sub-CA key: " CA_SUB_PASS_DEFAULT "${SUB_PASS:-""}"`
    echo >&2
    if [[ ${#PASS1} -lt 4 ]]; then
        echo -e "$ERR Passphrase is too short, please use at least 4 characters!" >&2
        exit 1
    fi
    PASS2=`ask -s "$INPUT Verifying - Enter passphrase for encrypting signing sub-CA key: " CA_SUB_PASS_DEFAULT "${SUB_PASS:-""}"`
    echo >&2
    if [ "${PASS1}" != "${PASS2}" ]; then
        echo -e "$ERR Passphrases did not match, exiting." >&2
        exit 1
    fi
fi

export CA_PASS"=${PASS1}"
export SAN=""

pushd "${CA_DIR}" > /dev/null

# Generate the signing CA openssl config
template "${BIN_DIR}/templates/signing.tpl" "ca/ca.conf"
# Generate the signing CA openssh config
mkdir -p ca/ssh
echo $( od -vAn -N2 -tu2 < /dev/urandom )00 > ca/ssh/serial

echo -e "$NOTE Creating the signing sub-CA key" >&2

# Create the signing CA key
if [[ -z $CA_ENABLE_ENGINE ]]; then
    generate_key ca/private/ca.key
    ln -s ../private/ca.key ca/ssh/ca.ssh
    generate_pubkey ca/private/ca.key ca/ca.pub
else
    generate_pubkey_pkcs11 pkcs11:object=SIGN%20key ca/ca.pub
fi
generate_pubkey_ssh ca/ca.pub ca/ssh/ca.ssh.pub ${CA_DIR}

echo -e "$NOTE Creating the signing sub-CA csr" >&2

openssl_engine_cmd="\
    -engine pkcs11 \
    -keyform engine \
    -key pkcs11:object=SIGN%20key"
openssl req -new -batch \
    ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
    $( [ -z $CA_ENABLE_ENGINE ] && echo "-key ca/private/ca.key") \
    -config ca/ca.conf \
    -out ca/ca.csr \
    -passin env:CA_PASS

echo -e "$NOTE Creating the signing sub-CA certificate"

pushd "${PARENT}" > /dev/null

if [[ -n $CA_PARENT_ENABLE_ENGINE ]] && [[ -n $CA_ENABLE_ENGINE ]] ; then
    echo -e "$ERR WARNING: please make sure you have the proper pkcs11 device inserted. You are signing the sub-CA with the root CA device. Do not have your sub-CA device inserted."
    echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: "
    read -r SURE
    if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
        echo -e "$ERR Exiting."
        exit 1
    fi
fi
openssl_engine_cmd="\
    -engine pkcs11 \
    -keyform engine \
    -keyfile pkcs11:object=SIGN%20key"

openssl ca \
   ${CA_PARENT_ENABLE_ENGINE:+$openssl_engine_cmd} \
   -batch -notext \
   -config ca/ca.conf \
   -in "${CA_DIR}/ca/ca.csr" \
   -out "${CA_DIR}/ca/ca.crt" \
   -extensions signing_ca_ext \
   -passin env:CA_PARENT_PASS

if [[ -n "$CA_ENABLE_ENGINE" ]]; then
    LOOP=1
    while [[ -n $CA_PARENT_ENABLE_ENGINE ]] && [[ -n $LOOP ]]; do
        echo -e "$ERR WARNING: please make sure you have the proper pkcs11 device inserted. Do not have your root CA inserted."
        echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: "
        read -r SURE
        if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
            echo -e "$ERR Exiting."
            exit 1
        fi
        CA_MODULUS=$(openssl rsa \
            ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
            $( [ -z $CA_ENABLE_ENGINE ] && echo "-check -in ca/private/ca.key") \
            -noout -modulus \
            -passin env:CA_PARENT_PASS)
        if [[ $CA_PARENT_MODULUS != $CA_MODULUS ]] ; then
            LOOP=
        fi
    done
    replace_crt 9c "${CA_DIR}/ca/ca.crt"
fi
popd > /dev/null

echo -e "$NOTE Creating the signing sub-CA CRL"

openssl ca -gencrl -batch \
           ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
           -config ca/ca.conf \
           -out ca/ca.crl \
           -passin env:CA_PASS

echo -e "$NOTE Creating the chain bundle"

cat "${PARENT}/ca/chain.pem" > ca/chain.pem
cat ca/ca.crt >> ca/chain.pem

cp "${PARENT}/ca/root.crt" ca/root.crt

echo -e "$NOTE Verifying trusted chain"

openssl verify -CAfile ca/chain.pem ca/ca.crt
openssl verify -CAfile ca/root.crt ca/ca.crt

if [ $SYMLINK -eq 1 ]; then
    echo -e "$NOTE Symlinking toolchain (dev mode)"
    CP_CMD='ln -s'
else
    echo -e "$NOTE Copying toolchain"
    CP_CMD='cp'
fi
$CP_CMD "${BIN_DIR}/../README.md" README.md
for BIN in ${BINARIES_SIGN}; do
    $CP_CMD "${BIN_DIR}/${BIN}" bin/
done
mkdir bin/templates/
for TPL in ${TEMPLATES_SIGN}; do
    $CP_CMD "${BIN_DIR}/templates/${TPL}" bin/templates/
done

popd > /dev/null

unset CA_PASS
unset CA_PARENT_PASS

trap 0
echo -e "$SUCC Signing sub-CA initialized."