diff --git a/conf/get_revoked_keys.conf.sample b/conf/get_revoked_keys.conf.sample
new file mode 100644
index 0000000..99f663e
--- /dev/null
+++ b/conf/get_revoked_keys.conf.sample
@@ -0,0 +1,21 @@
+#---------------------------------------
+#-----------------------------
+# Settings for script get_revoked_keys.sh
+#-----------------------------
+#---------------------------------------
+
+
+# - KEY_DIR
+# -
+# - Directory where all the keys are stored.
+# -
+# - Defaults to: KEY_DIR="/etc/openvpn/keys"
+KEY_DIR="/etc/openvpn/keys"
+
+# - CRL_PEM
+# -
+# - The control revokation list
+# -
+# - Defaults to: CRL_PEM="${KEY_DIR}/crl.pem"
+# -
+CRL_PEM="${KEY_DIR}/crl.pem"
diff --git a/get_revoked_keys.sh b/get_revoked_keys.sh
new file mode 100755
index 0000000..5caf76f
--- /dev/null
+++ b/get_revoked_keys.sh
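Review bot: The comment for `CRL_PEM` calls it `The control revokation list`, but the value is the certificate revocation list that `openssl crl` parses, so `# - The certificate revocation list (CRL), PEM encoded` would describe it accurately. Since get_revoked_keys.sh loads this file with `source`, anything written in it runs as shell code with the script's privileges; a header line such as `# This file is sourced by get_revoked_keys.sh - keep it non-writable by other users` would tell operators why its permissions matter.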
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+working_dir="$(dirname $(realpath $0))"
+conf_file="${working_dir}/conf/get_revoked_keys.conf"
+
+log_file=$(mktemp)
+
+# -------------
+# --- Some functions
+# -------------
+clean_up() {
+
+ # Perform program exit housekeeping
+ rm -f "$log_file"
+ exit $1
+}
+
+fatal(){
+ echo ""
+ if $terminal ; then
+ echo -e "[ \033[31m\033[1mError\033[m ]: $*"
+ echo ""
+ echo -e " \033[31m\033[1mScript was interupted\033[m!"
+ else
+ echo " [ Fatal ]: $*"
+ echo ""
+ echo " Script was terminated...."
+ fi
+ echo ""
+ clean_up 1
+}
+
+error (){
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[31m\033[1mError\033[m ]: $*"
+ else
+ echo "[ Error ]: $*"
+ fi
+ echo ""
+}
+
+warn (){
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
+ else
+ echo "[ Warning ]: $*"
+ fi
+ echo ""
+}
+
+info (){
+ if $terminal ; then
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+ fi
+}
+
+
+
+# -------------
+# --- Check some prerequisites
+# -------------
+
+# - Running in a terminal?
+# -
+if [[ -t 1 ]] ; then
+ terminal=true
+else
+ terminal=false
+fi
+
+
+# -------------
+# --- Read Configurations from $conf_file
+# -------------
+
+if [[ -f "$conf_file" ]] ; then
+ source "$conf_file"
+else
+ warn "No configuration file 'conf_file' not found.\n Loading defaults.."
+fi
+
+
+[[ -n "$KEY_DIR" ]] || KEY_DIR="/etc/openvpn/keys"
+[[ -n "$CRL_PEM" ]] || CRL_PEM="${KEY_DIR}/crl.pem"
+
+if [[ ! -d "$KEY_DIR" ]] ; then
+ fatal "Key directory '$KEY_DIR' not found. (See var 'KEY_DIR')"
+fi
+if [[ ! -f "$CRL_PEM" ]] ; then
+ fatal "Revokation list '$CRL_PEM' not found. 
(See var 'CRL_PEM')"
+fi
+
+declare -a revoked_serial_arr
+declare -a revoked_cn_arr
+
+while read -r _serial ; do
+ revoked_serial_arr+=("$_serial")
+done < <(openssl crl -inform PEM -text -noout -in $CRL_PEM 2>> $log_file | grep -E "^\s+Serial Number:" | awk '{print$3}')
+if [[ -s "$log_file" ]]; then
+ fatal "$(cat "$log_file")"
+fi
+
+if [[ ${#revoked_serial_arr[@]} -gt 0 ]]; then
+ for _serial in ${revoked_serial_arr[@]} ; do
+ _cn="$(openssl x509 -noout -text -in ${KEY_DIR}/${_serial}.pem 2> $log_file \
+ | grep -i subject | grep CN | grep -o -E "CN=[^/]*" | cut -d'=' -f2)"
+ if [[ -s "$log_file" ]]; then
+ error "$(cat "$log_file")"
+ else
+ revoked_cn_arr+=("${_serial}:${_cn}")
+ fi
+ done
+else
+ info "No revoked OpenVPN keys exists"
+fi
+
+echo
+for _val in ${revoked_cn_arr[@]} ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ if $terminal ; then
+ echo -e " Serial: \033[1m${_val_arr[0]}\033[m CN: \033[1m${_val_arr[1]}\033[m"
+ else
+ echo " Serial: ${_val_arr[0]} CN: ${_val_arr[1]}"
+ fi
+done
+
+echo
+exit
+
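Review bot: The temp file created by `log_file=$(mktemp)` is only removed inside `clean_up`, which only the `fatal` path calls, so the plain `exit` at the end of the script leaves it behind on every successful run; register the cleanup once, right after the `mktemp` line, with `trap 'rm -f -- "$log_file"' EXIT`, after which `clean_up` only needs `exit "$1"`. Both result loops iterate unquoted arrays (`for _serial in ${revoked_serial_arr[@]}` and `for _val in ${revoked_cn_arr[@]}`), so a CN containing whitespace is split into several bogus entries, and `IFS=':' read -a _val_arr` also truncates a CN that itself contains a colon; iterate `"${revoked_cn_arr[@]}"` and split with `${_val%%:*}` / `${_val#*:}` instead, and quote `$(realpath $0)`, `-in $CRL_PEM`, `${KEY_DIR}/${_serial}.pem` and the `$log_file` redirections the same way. The CN extraction `grep -o -E "CN=[^/]*"` assumes the `/CN=name/` subject layout, but OpenSSL 1.1.0 and later print the subject as `CN = name` in `-text` output, so on those versions `_cn` comes back empty; `openssl x509 -noout -subject -nameopt compat` pins the format the pattern expects. Since `source "$conf_file"` runs the configuration as shell code and the script is meant to read `/etc/openvpn/keys`, it is worth refusing a config file that is writable by other users before sourcing it (`[[ -O "$conf_file" ]]` plus a permission check via `stat`), and the `warn` message should interpolate `$conf_file` rather than the literal `'conf_file'`.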