Add script 'revoke_key.sh'.

2018-03-01 02:20:24 +01:00
parent b30d4da146
commit 0415c1cdfc
1 changed files with 341 additions and 0 deletions
--- a/revoke_key.sh
+++ b/revoke_key.sh
@@ -0,0 +1,341 @@
+#!/usr/bin/env bash
+
+script_dir="$(dirname $(realpath $0))"
+
+log_file="$(mktemp)"
+_date="$(date +%Y-%m-%d-%H%M)"
+
+key_names_reserverd="ta ca server"
+
+#---------------------------------------
+#-----------------------------
+# Some functions
+#-----------------------------
+#---------------------------------------
+
+clean_up() {
+
+   # Perform program exit housekeeping
+   rm $log_file
+   exit $1
+}
+
+is_number() {
+
+   return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
+
+   # - also possible
+   # -
+   #[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
+   #return $([[ ! -z "${1##*[!0-9]*}" ]])
+}
+
+is_int() {
+   return $(test "$@" -eq "$@" > /dev/null 2>&1);
+}
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+
+error(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
+   echo ""
+}
+
+fatal(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
+   echo ""
+   echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
+   echo ""
+   clean_up 1
+}
+
+warn (){
+   echo ""
+   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   echo ""
+}
+
+info (){
+   echo ""
+   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   echo ""
+}
+echo_done() {
+   echo -e "\033[80G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[80G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[80G[ \033[37mskipped\033[m ]"
+}
+
+trap clean_up SIGHUP SIGINT SIGTERM
+
+
+clear
+echo ""
+echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
+echo ""
+echo ""
+
+declare -a conf_file_arr=()
+declare -a conf_name_arr=()
+for _conf_file in `ls ${script_dir}/conf/server-*.conf 2>/dev/null` ; do
+   conf_file_arr+=("${_conf_file}")
+   _basename=$(basename $_conf_file)
+   _tmp_name=${_basename%%.*}
+   _tmp_name=${_tmp_name#*-}
+   conf_name_arr+=("$_tmp_name")
+done
+
+if [[ ${#conf_file_arr[@]} -lt 1 ]] ; then
+   fatal "NO Configuration found!"
+fi
+
+
+echo ""
+
+declare -i i=0
+
+if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
+   echo ""
+   echo "Which Configuration should be loaded?"
+   echo ""
+   for _conf_file in ${conf_file_arr[@]} ; do
+      echo " [${i}] ${conf_name_arr[${i}]}"
+      (( i++ ))
+   done
+   _OK=false
+   echo
+   echononl "Eingabe: "
+   while ! $_OK ; do
+      read _IN
+      if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then
+         conf_file=${conf_file_arr[$_IN]}
+         _OK=true
+      else
+         echo ""  
+         echo -e "\tFalsche Eingabe !"
+         echo ""
+         echononl "Eingabe: "
+      fi
+   done
+
+else
+   conf_file=${conf_file_arr[0]}
+fi
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+
+
+#---------------------------------------
+#-----------------------------
+# Read Configurations from $conf_file
+#-----------------------------
+#---------------------------------------
+
+echononl "   Load Configuration File $(basename ${conf_file}).."
+if [[ ! -f "$conf_file" ]]; then
+   echo_failed
+   fatal "Configuration file \033[37m\033[1m$(basename ${conf_file})\033[m not found!"
+else
+   source "${conf_file}" > $log_file 2>&1
+   if [[ $? -eq 0 ]]; then
+      echo_ok
+   else
+      echo_failed
+      fatal "$(cat $log_file)"
+   fi
+fi
+
+EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"
+
+
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+KEY_NAME_TO_REVOKE=""
+if [ -z "$KEY_NAME_TO_REVOKE" ]; then
+   echo "Insert key name you wish to revoke."
+   echo ""
+   echo ""
+   echononl "key name to revoke: "
+   read KEY_NAME_TO_REVOKE
+   while [ "X$KEY_NAME_TO_REVOKE" = "X" ] ; do
+      echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n"
+      echononl "key name: "
+      read KEY_NAME_TO_REVOKE
+   done
+fi
+
+for _name in $key_names_reserverd ; do
+   [[ "$_name" = "$KEY_NAME_TO_REVOKE" ]] && fatal "Name '$KEY_NAME_TO_REVOKE' cannot be used - its a reserved name!"
+done
+
+if [[ ! -f "${OPENVPN_BASE_DIR}/keys/${KEY_NAME_TO_REVOKE}.key" ]]; then
+   fatal "Key '$KEY_NAME_TO_REVOKE' not found!"
+fi
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+echo "Key Name to revoke......: $KEY_NAME_TO_REVOKE"
+
+info "Going to revoke key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m.."
+echo -n "To continue type uppercase 'YES': "
+read OK
+echo ""
+if [[ "$OK" != "YES" ]] ; then
+   fatal "Abort by user request - Answer as not 'YES'"
+fi
+
+
+
+
+#---------------------------------------
+#-----------------------------
+# Revoke Key
+#-----------------------------
+#---------------------------------------
+
+echo ""
+
+# ---
+# ---
+echononl "Backup existing OpenVPN directory '$OPENVPN_BASE_DIR'.."
+if [[ -d "$OPENVPN_BASE_DIR" ]]; then
+   cp -a "$OPENVPN_BASE_DIR" "${OPENVPN_BASE_DIR}.$_date" > "$log_file" 2>&1
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      fatal "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+   fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
+fi
+
+# ---
+# - source file vars
+# ---
+echononl "   Load configuration '${EASY_RSA_DIR}/vars'.."
+source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   error "$(cat $log_file)"
+fi
+
+
+# ---
+# - Revoke Key
+# ---
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .."
+echo -e "\033[32m--\033[m"
+echo ""
+
+echononl "Change into key directory '$KEY_DIR'.."
+cd "$KEY_DIR" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   fatal "$(cat $log_file)"
+fi
+
+echononl "Set Defaults .."
+CRL="crl.pem"
+RT="revoke-test.pem"
+export KEY_CN=""
+export KEY_OU=""
+export KEY_NAME=""
+echo_ok
+
+echononl "Remove file '$RT'.."
+rm -f "$RT" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   fatal "$(cat $log_file)"
+fi
+
+echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
+$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   fatal "$(cat $log_file)"
+fi
+
+echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
+$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   fatal "$(cat $log_file)"
+fi
+
+
+# ---
+# - Check if Revokation was sucessfully.
+# ---
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Check if Revokation of Key ${KEY_NAME_TO_REVOKE} was sucessfully.."
+echo -e "\033[32m--\033[m"
+echo ""
+
+echononl "Create CA file '$RT' from $CRL to check against.."
+if [ -e export-ca.crt ]; then
+   cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
+   _retval=$?
+else
+   cat ca.crt "$CRL" >"$RT" 2> "$log_file"
+   _retval=$?
+fi
+if [[ $_retval -eq 0 ]]; then
+   echo_ok
+else
+   echo_failed
+   error "$(cat $log_file)"
+   fatal "Verifying the revocation is not possible!"
+fi
+
+echononl "Verify the revocation.."
+$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
+if [[ $? -eq 2 ]]; then
+   echo_ok
+   info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
+else
+   echo_failed
+   error "$(cat $log_file)"
+fi
+
+clean_up 0