forked from tomberek/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 0
/
import-ca
executable file
·227 lines (190 loc) · 5.97 KB
/
import-ca
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
#!/usr/bin/env bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <[email protected]>
# Christian Göttsche <[email protected]>
# Tom Bereknyei <[email protected]>
set -eu
umask 0077
set -o pipefail
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source "${BIN_DIR}/functions"
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 [-l] -d CA_DIR"
echo "Import CA into the directory CA_DIR"
echo
echo "Options:"
echo " -d CA_DIR Target directory to be created and initialized"
echo " Must not exist yet"
echo
echo " -c CA Certificate path"
echo " Omit if on pkcs11 device"
echo
echo " -k Signing key path"
echo " Omit if on pkcs11 device"
echo
echo " -l Symlink toolchain (designed for development)"
echo
}
CA_DIR=
CERT_PATH=
KEY_PATH=
SYMLINK=0
HAS_PARENT=
if openssl verify -CAfile ca/ca.crt ca/ca.crt >/dev/null 2>&1; then
HAS_PARENT=1
fi
while getopts "d:c:k:hl" FLAG; do
case $FLAG in
d) CA_DIR=${OPTARG} ;;
c) CERT_PATH=${OPTARG} ;;
k) KEY_PATH=${OPTARG} ;;
h) echo -e -n "$SUCC " && usage && exit 0;;
l) SYMLINK=1 ;;
*) echo -e -n "$ERR " && usage && exit 2;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [[ "${CA_DIR}" = "" ]]; then
echo -e -n "$SUCC " && usage && exit 1
fi
CA_NAME="$( basename "${CA_DIR}" )"
export CA_NAME
echo -e "$NOTE Creating CA in dir '${CA_DIR}'"
init_ca_home "${CA_DIR}"
trap 'rm -Rf "${CA_DIR}"' 0
echo -e -n "$INPUT Enable PKCS11 Engine for this CA? [y/N]: "
read -r ENABLE_ENGINE
if [ "${ENABLE_ENGINE}" == "y" ] || [ "${ENABLE_ENGINE}" == "Y" ]; then
CA_ENABLE_ENGINE="${ENABLE_ENGINE}"
else
CA_ENABLE_ENGINE=
fi
if [[ -n $CA_ENABLE_ENGINE ]]; then
# Slot 9c requires PIN entry on every operation.
# No need to ask for the PIN for re-use.
echo -e -n "$INPUT Enter PIN for signing CA key: "
read -r -s PASS1
echo
if [[ ${#PASS1} -lt 4 ]]; then
echo -e "$ERR Passphrase is too short, please use at least 4 characters!"
exit 1
fi
elif [ -z "$CERT_PATH" ]; then
echo -e "$ERR Must provide certificate via file or PKCS11."
exit 1
fi
export SAN=""
CA_PATH="${CA_PATH:-$( fullpath "${CA_DIR}")}"
CERT_FULL_PATH="$( fullpath "${CERT_PATH}")"
KEY_FULL_PATH="$( fullpath "${KEY_PATH}")"
export CA_PATH
pushd "${CA_DIR}" > /dev/null
# Import the signing CA key and cert
echo -e "$NOTE Importing the signed CA certificate"
mkdir -p ca/ssh
echo $( od -vAn -N2 -tu2 < /dev/urandom )00 > ca/ssh/serial
PASS1=
if [ -z "$CA_ENABLE_ENGINE" ]; then
cp $CERT_FULL_PATH ca/ca.crt
if [ -n "$KEY_PATH" ] ; then
echo
echo -e -n "$INPUT Enter passphase for CA key: "
read -r -s PASS1
echo
if [[ ${#PASS1} -lt 4 ]]; then
echo -e "$ERR Passphrase is too short, please use at least 4 characters!"
exit 1
fi
echo -e -n "$INPUT Verifying - Enter passphase for encrypting CA key: "
read -r -s PASS2
echo
if [[ "${PASS1}" != "${PASS2}" ]]; then
echo -e "$ERR Passphrases did not match, exiting."
exit 1
fi
cp $KEY_FULL_PATH ca/private/ca.key
ln -s ../private/ca.key ca/ssh/ca.ssh
fi
else
extract_crt 9c ca/ca.crt
fi
export CA_PASS="${PASS1}"
mkdir -p ca/archive
# Fix metadata
cp ca/ca.crt ca/archive/01.pem
CA_SRL=02
extract_pubkey ca/ca.crt ca/ca.pub
generate_pubkey_ssh ca/ca.pub ca/ssh/ca.ssh.pub ${CA_DIR}
# Generate the CA openssl config
echo -n $CA_SRL > ca/db/crt.srl
generate_conf_import "./bin/defaults.conf" ca/ca.crt
source "./bin/defaults.conf"
template "${BIN_DIR}/templates/signing.tpl" "ca/ca.conf"
# Create csr if needed
if [ -n "${CA_ENABLE_ENGINE}" ] || [ -n "${KEY_PATH}" ] ; then
echo -e -n "$NOTE Creating a CA csr"
openssl_engine_cmd="\
-engine pkcs11 \
-keyform engine \
-key pkcs11:object=SIGN%20key"
openssl req -new -batch \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
$( [ -z $CA_ENABLE_ENGINE ] && echo "-key ca/private/ca.key") \
-config ca/ca.conf \
-out ca/ca.csr \
-passin env:CA_PASS
echo -e "$NOTE Get the csr signed"
fi
echo
ln -s ca.crt ca/chain.pem
ln -s ca.crt ca/root.crt
echo
if [ -n "${CA_ENABLE_ENGINE}" ] || [ -n "${KEY_PATH}" ] ; then
echo -e "$NOTE Creating the CA CRL"
SAN="imported"
openssl_engine_cmd="\
-engine pkcs11 \
-keyform engine \
-keyfile pkcs11:object=SIGN%20key"
openssl ca -gencrl -batch \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
-config ca/ca.conf \
-out ca/ca.crl \
-passin env:CA_PASS \
-verbose
else
echo -e "$NOTE Cannot create CRL without key"
fi
# More meta, add it when signed, add import crt function?
echo -e "V\tunknown\t${CA_SRL}\tunknown\t$(openssl x509 -in ca/ca.crt -noout -subject -nameopt sname | sed 's/, /\//g; s/subject=//g;')" > ca/db/certificate.db
echo
if [ $SYMLINK -eq 1 ]; then
echo -e "$NOTE Symlinking toolchain (dev mode)"
CP_CMD='ln -s'
else
echo -e "$NOTE Copying toolchain"
CP_CMD='cp'
fi
for BIN in ${BINARIES_ROOT}; do
$CP_CMD "${BIN_DIR}/${BIN}" bin/
done
mkdir bin/templates/
for TPL in ${TEMPLATES_ROOT}; do
$CP_CMD "${BIN_DIR}/templates/${TPL}" bin/templates/
done
# PARENT only
if [ -n "$HAS_PARENT" ]; then
cd ..
SRL=$(cat ca/db/crt.srl)
echo $((SRL+1)) > ca/db/crt.srl
cp "${CA_DIR}"/ca/ca.crt ca/archive/"$SRL".pem
echo -e "V\tunknown\t${CA_SRL}\tunknown\t$(openssl x509 -in "${CA_DIR}"/ca/ca.crt -noout -subject -nameopt sname | sed 's/, /\//g; s/subject=//g;')" > ca/db/certificate.db
fi
popd > /dev/null
unset CA_PASS
trap 0
echo -e "$SUCC CA initialized."