diff --git a/revoke_key.sh b/revoke_key.sh index 4f1f434..77dd7d4 100755 --- a/revoke_key.sh +++ b/revoke_key.sh @@ -17,9 +17,16 @@ clean_up() { # Perform program exit housekeeping rm $log_file + blank_line exit $1 } +blank_line() { + if $terminal ; then + echo "" + fi +} + is_number() { return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1); @@ -169,6 +176,20 @@ fi EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" +if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then + EASYRSA_LAYOUT_NEW=true +else + EASYRSA_LAYOUT_NEW=false +fi + +if [[ -z "$OPENVPN_KEY_DIR" ]] ; then + if $EASYRSA_LAYOUT_NEW ; then + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki" + else + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys" + fi +fi + echo "" @@ -188,20 +209,34 @@ if [ -z "$KEY_NAME_TO_REVOKE" ]; then done fi +# - Remove '${KEY_CN}-' from key name +# - +KEY_NAME_TO_REVOKE="${KEY_NAME_TO_REVOKE/${KEY_CN}-/}" + +_CLIENT_CN="${KEY_CN}-${KEY_NAME_TO_REVOKE}" +if $EASYRSA_LAYOUT_NEW ; then + _CLIENT_CERT="${OPENVPN_KEY_DIR}/issued/${_CLIENT_CN}.crt" + _CLIENT_KEY="${OPENVPN_KEY_DIR}/private/${_CLIENT_CN}.key" +else + _CLIENT_CERT="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.crt" + _CLIENT_KEY="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.key" +fi + + for _name in $key_names_reserverd ; do [[ "$_name" = "$KEY_NAME_TO_REVOKE" ]] && fatal "Name '$KEY_NAME_TO_REVOKE' cannot be used - its a reserved name!" done -if [[ ! -f "${OPENVPN_BASE_DIR}/keys/${KEY_NAME_TO_REVOKE}.key" ]]; then +if [[ ! -f "${_CLIENT_CERT}" ]]; then fatal "Key '$KEY_NAME_TO_REVOKE' not found!" fi echo "" echo -e "\033[32m--\033[m" echo "" -echo "Key Name to revoke......: $KEY_NAME_TO_REVOKE" +echo "Key to revoke...........: $(basename "$_CLIENT_KEY")" -info "Going to revoke key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m.." +info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.." echo -n "To continue type uppercase 'YES': " read OK echo "" 
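Review bot: `blank_line` runs the contents of `$terminal` as a command; `terminal` is assigned outside this hunk, so I cannot confirm it is always set by the time `clean_up` fires, and if it is empty `if $terminal` expands to an empty command and is taken as true, while any value other than `true`/`false` would be executed as a program. A plain string test is safer and does not depend on the variable holding a command name: `if [[ "$terminal" == true ]] ; then`. The same `if $var` idiom is used for `EASYRSA_LAYOUT_NEW` later in this commit, though that one is always assigned a literal `true`/`false` first.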
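Review bot: The layout is detected from `${OPENVPN_BASE_DIR}/pki` and `OPENVPN_KEY_DIR` defaults to it, but the new-layout branch later runs `$EASY_RSA_DIR/easyrsa` from whatever the current working directory is, without exporting `EASYRSA_PKI` or changing into the base directory; easyrsa 3 resolves its PKI from `EASYRSA_PKI`, its own `vars`, or a default relative to itself, so unless `${EASY_RSA_DIR}/vars` happens to point at that directory the `revoke` and `gen-crl` calls may act on a different PKI than the one whose `issued/` certificate was just checked. Pinning it where the directory is chosen removes the ambiguity: `export EASYRSA_PKI="$OPENVPN_KEY_DIR"` after the closing `fi`. A caller-supplied `OPENVPN_KEY_DIR` is also accepted without any check, so a one-liner such as `[[ -d "$OPENVPN_KEY_DIR" ]] || fatal "Key directory '$OPENVPN_KEY_DIR' not found!"` would turn a typo into a clear error instead of a later "Key not found".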
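Review bot: In the old-layout `else` arm `_CLIENT_CERT` and `_CLIENT_KEY` are built from `${NEW_KEY_NAME}`, which nothing in this diff assigns (it reads like a leftover from a key-creation script), so for a `keys/` layout the path degenerates to `${OPENVPN_KEY_DIR}/.crt` and the following `[[ ! -f "${_CLIENT_CERT}" ]]` check rejects every name with "Key ... not found!"; the openssl commands further down in that branch use `${KEY_NAME_TO_REVOKE}.crt`, so this should be `_CLIENT_CERT="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.crt"` and `_CLIENT_KEY="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.key"`. The prefix strip `${KEY_NAME_TO_REVOKE/${KEY_CN}-/}` also misbehaves when `KEY_CN` is empty — and in the old flow `vars`, which presumably defines it, is only sourced further down — because the pattern collapses to `-` and deletes the first hyphen anywhere in the name, e.g. `john-laptop` becomes `johnlaptop`, and an unquoted `KEY_CN` is treated as a glob pattern rather than a literal. Anchoring and guarding it avoids both: `[[ -n "$KEY_CN" ]] && KEY_NAME_TO_REVOKE="${KEY_NAME_TO_REVOKE#"${KEY_CN}-"}"`. The script's top-level flow continues outside this hunk.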
@@ -221,6 +256,7 @@ fi echo "" # --- +# - Backup existing OpenVPN directory # --- echononl "Backup existing OpenVPN directory '$OPENVPN_BASE_DIR'.." if [[ -d "$OPENVPN_BASE_DIR" ]]; then 
@@ -236,106 +272,157 @@ else fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!" fi -# --- -# - source file vars -# --- -echononl " Load configuration '${EASY_RSA_DIR}/vars'.." -source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok +if $EASYRSA_LAYOUT_NEW ; then + + # --- + # - Revoke Key + # --- + echononl "Revoke key '$(basename "$_CLIENT_KEY")'.." + $EASY_RSA_DIR/easyrsa revoke "$_CLIENT_CN" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + # --- + # - Generate new crl.pem + # --- + echononl "Generate new CRL (Certificate Revokation List) 'crl.pem'.." + $EASY_RSA_DIR/easyrsa gen-crl > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + # --- + # - Change group (nogroup) for file 'crl.pem' + # --- + echononl "Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.." + chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + # --- + # - Change permission (640) for file 'crl.pem' + # --- + echononl "Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem" + chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + else - echo_failed - error "$(cat $log_file)" -fi + # --- + # - source file vars + # --- + echononl " Load configuration '${EASY_RSA_DIR}/vars'.." + source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi -# --- -# - Revoke Key -# --- -echo "" -echo -e "\033[32m--\033[m" -echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .." -echo -e "\033[32m--\033[m" -echo "" + # --- + # - Revoke Key + # --- + echo "" + echo -e "\033[32m--\033[m" + echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .." 
+ echo -e "\033[32m--\033[m" + echo "" -echononl "Change into key directory '$KEY_DIR'.." -cd "$KEY_DIR" > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - fatal "$(cat $log_file)" -fi + echononl "Change into key directory '$KEY_DIR'.." + cd "$KEY_DIR" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi -echononl "Set Defaults .." -CRL="crl.pem" -RT="revoke-test.pem" -export KEY_CN="" -export KEY_OU="" -export KEY_NAME="" -echo_ok + echononl "Set Defaults .." + CRL="crl.pem" + RT="revoke-test.pem" + export KEY_CN="" + export KEY_OU="" + export KEY_NAME="" + echo_ok -echononl "Remove file '$RT'.." -rm -f "$RT" > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - fatal "$(cat $log_file)" -fi + echononl "Remove file '$RT'.." + rm -f "$RT" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi -echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .." -$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - fatal "$(cat $log_file)" -fi + echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .." + $OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi -echononl "Generate a new CRL -- try to be compatible with intermediate PKIs" -$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - fatal "$(cat $log_file)" -fi + echononl "Generate a new CRL -- try to be compatible with intermediate PKIs" + $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1 + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi + # --- + # - Check if Revokation was sucessfully. + # --- + echo "" + echo -e "\033[32m--\033[m" + echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.." + echo -e "\033[32m--\033[m" + echo "" -# --- -# - Check if Revokation was sucessfully. -# --- -echo "" -echo -e "\033[32m--\033[m" -echo "Check if Revokation of Key ${KEY_NAME_TO_REVOKE} was sucessfully.." -echo -e "\033[32m--\033[m" -echo "" + echononl "Create CA file '$RT' from $CRL to check against.." + if [ -e export-ca.crt ]; then + cat export-ca.crt "$CRL" >"$RT" 2> "$log_file" + _retval=$? + else + cat ca.crt "$CRL" >"$RT" 2> "$log_file" + _retval=$? + fi + if [[ $_retval -eq 0 ]]; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fatal "Verifying the revocation is not possible!" + fi -echononl "Create CA file '$RT' from $CRL to check against.." -if [ -e export-ca.crt ]; then - cat export-ca.crt "$CRL" >"$RT" 2> "$log_file" - _retval=$? -else - cat ca.crt "$CRL" >"$RT" 2> "$log_file" - _retval=$? -fi -if [[ $_retval -eq 0 ]]; then - echo_ok -else - echo_failed - error "$(cat $log_file)" - fatal "Verifying the revocation is not possible!" -fi - -echononl "Verify the revocation.." -$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1 -if [[ $? -eq 2 ]]; then - echo_ok - info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked." -else - echo_failed - error "$(cat $log_file)" + echononl "Verify the revocation.." + $OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1 + if [[ $? -eq 2 ]]; then + echo_ok + info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked." + else + echo_failed + error "$(cat $log_file)" + fi fi clean_up 0
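Review bot: In the new-layout branch a failed `easyrsa revoke` is reported with `error` and the script carries on to `gen-crl`, `chgrp` and `chmod` and then reaches `clean_up 0`, so a revocation that did not happen still publishes a fresh CRL and exits 0, whereas the old-layout branch uses `fatal` for the same steps; both the revoke and gen-crl failure arms should read `fatal "$(cat $log_file)"`. `easyrsa revoke` also asks for interactive confirmation in the easy-rsa 3 releases I know of, and with stdout and stderr sent to `$log_file` that prompt is invisible, so the script appears to hang; if the installed version prompts, run it as `EASYRSA_BATCH=1 "$EASY_RSA_DIR/easyrsa" revoke "$_CLIENT_CN"` (or with `--batch`). The comment and progress message say 640 but the command is `chmod 644 ${OPENVPN_KEY_DIR}/crl.pem`; since the file was just chgrp'ed to nogroup for the daemon's benefit, `chmod 640 "${OPENVPN_KEY_DIR}/crl.pem"` matches the stated intent and quotes the path. The new branch additionally drops the `openssl verify -crl_check` confirmation the old branch keeps, so nothing checks that the certificate actually appears in the regenerated CRL; something like `$OPENSSL verify -CAfile "${OPENVPN_KEY_DIR}/ca.crt" -CRLfile "${OPENVPN_KEY_DIR}/crl.pem" -crl_check "$_CLIENT_CERT"`, treating a non-zero status as success, would restore that check — verify the exact option names against the openssl version in use.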