revoke_key.sh: add revocation check for new easyrsa layout. Try to merge with old easyrsa layout.

This commit is contained in:
Christoph 2019-07-16 14:11:53 +02:00
parent 3c05c92ab1
commit 3f24f9a5f0


@ -7,6 +7,11 @@ _date="$(date +%Y-%m-%d-%H%M)"
key_names_reserverd="ta ca server"
# - For checking if revokation was successfull
# -
_CHECK_DIR="$(mktemp -d)"
_RT_CERT="${_CHECK_DIR}/revoke-test.pem"
#---------------------------------------
#-----------------------------
# Some functions
@ -17,6 +22,7 @@ clean_up() {
# Perform program exit housekeeping
rm $log_file
rm -rf $_CHECK_DIR
blank_line
exit $1
}
@ -61,7 +67,7 @@ fatal(){
echo ""
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
echo ""
echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m"
echo ""
clean_up 1
}
@ -96,6 +102,22 @@ echo_skipped() {
trap clean_up SIGHUP SIGINT SIGTERM
# -------------
# --- Check some prerequisites
# -------------
# -Is systemd supported on this system?
# -
systemd_supported=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
systemd_supported=true
fi
clear
echo ""
echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
@ -221,6 +243,8 @@ else
_CLIENT_CERT="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.crt"
_CLIENT_KEY="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.key"
fi
_CRL="${OPENVPN_KEY_DIR}/crl.pem"
_CA_CERT="${OPENVPN_KEY_DIR}/ca.crt"
for _name in $key_names_reserverd ; do
@ -272,6 +296,16 @@ else
fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
fi
echononl "Backup cert to revoke for further check. (see below"
cp -a "$_CLIENT_CERT" "$_CHECK_DIR" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fatal "$(cat $log_file)"
fi
if $EASYRSA_LAYOUT_NEW ; then
# ---
@ -345,34 +379,18 @@ else
echo -e "\033[32m--\033[m"
echo ""
echononl "Change into key directory '$KEY_DIR'.."
cd "$KEY_DIR" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fatal "$(cat $log_file)"
fi
echononl "Set Defaults .."
CRL="crl.pem"
RT="revoke-test.pem"
export KEY_CN=""
export KEY_OU=""
export KEY_NAME=""
echo_ok
echononl "Remove file '$RT'.."
rm -f "$RT" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fatal "$(cat $log_file)"
fi
#echononl "Change into key directory '$KEY_DIR'.."
#cd "$KEY_DIR" > "$log_file" 2>&1
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
# fatal "$(cat $log_file)"
#fi
echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
#$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
$OPENSSL ca -revoke "${_CLIENT_KEY}" -config "$KEY_CONFIG" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
@ -381,48 +399,67 @@ else
fi
echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
#$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
$OPENSSL ca -gencrl -out "$_CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fatal "$(cat $log_file)"
fi
# ---
# - Check if Revokation was sucessfully.
# ---
echo ""
echo -e "\033[32m--\033[m"
echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
echo -e "\033[32m--\033[m"
echo ""
echononl "Create CA file '$RT' from $CRL to check against.."
if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
_retval=$?
else
cat ca.crt "$CRL" >"$RT" 2> "$log_file"
_retval=$?
fi
if [[ $_retval -eq 0 ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fatal "Verifying the revocation is not possible!"
fi
echononl "Verify the revocation.."
$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
if [[ $? -eq 2 ]]; then
echo_ok
info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
else
echo_failed
error "$(cat $log_file)"
fi
fi
# ---
# - Check if Revokation was sucessfully.
# ---
echo ""
echo -e "\033[32m--\033[m"
echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
echo -e "\033[32m--\033[m"
echo ""
# - "Create CA file '$_RT_CERT' including (new) $_CRL to check against..
# -
echononl "Create CA file '$_RT_CERT' to check against.."
cat "$_CA_CERT" "$_CRL" >"$_RT_CERT" 2> "$log_file"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fatal "Verifying the revocation is not possible!"
fi
[[ -z "$OPENSSL" ]] && OPENSSL="$(which openssl)"
echononl "Verify the revocation.."
$OPENSSL verify -CAfile "$_RT_CERT" -crl_check "${_CHECK_DIR}/$(basename "$_CLIENT_CERT")" > "$log_file" 2>&1
if [[ $? -eq 2 ]]; then
echo_ok
info "Key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m successfully revoked."
else
echo_failed
error "$(cat $log_file)"
fi
# ---
# - Start apache webservice
# ---
echo ""
echononl "\tRestart OpenVPN Service.."
if $systemd_supported ; then
systemctl restart openvpn > $log_file 2>&1
else
/etc/init.d/openvpn restart > $log_file 2>&1
fi
if [ "$?" = "0" ]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
warn "Restarting OpenVPN Service failed!."
fi
clean_up 0
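Review bot: The fallback `[[ -z "$OPENSSL" ]] && OPENSSL="$(which openssl)"` is placed after `$OPENSSL ca -revoke` and `$OPENSSL ca -gencrl` have already run earlier in this hunk, so when the variable is empty those two steps execute the bare word `ca` and abort with an unrelated error before anything is revoked; move the fallback ahead of the first use (preferably as `command -v openssl`) so it actually protects the revocation step. The verification test `if [[ $? -eq 2 ]]; then` treats every `openssl verify` failure as proof of revocation — an expired certificate or a CRL signed by a different CA yields the same status — so capture the status and also require the revoked verdict in the output: `_rc=$?` followed by `if [[ $_rc -eq 2 ]] && grep -q 'certificate revoked' "$log_file"; then`. The heading `# - Start apache webservice` above the restart block describes the wrong service; `# - Restart OpenVPN service` matches what follows. The `else` branch this hunk sits in is opened outside the visible lines.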