revoke_key.sh: add support for new easyrsa layout.

2019-07-16 03:22:52 +02:00 · 2019-07-16 03:22:52 +02:00 · 8aaf73fa3c
commit 8aaf73fa3c
parent 57a968de51
1 changed files with 179 additions and 92 deletions
--- a/revoke_key.sh
+++ b/revoke_key.sh
@ -17,9 +17,16 @@ clean_up() {
   # Perform program exit housekeeping
   rm $log_file
   blank_line
   exit $1
 }
 blank_line() {
   if $terminal ; then
      echo ""
   fi
 }
 is_number() {
   return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
@ -169,6 +176,20 @@ fi
 EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"
 if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then
   EASYRSA_LAYOUT_NEW=true
 else
   EASYRSA_LAYOUT_NEW=false
 fi
 if [[ -z "$OPENVPN_KEY_DIR" ]] ; then
   if $EASYRSA_LAYOUT_NEW ; then
      OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki"
   else
      OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys"
   fi
 fi
 echo ""
@ -188,20 +209,34 @@ if [ -z "$KEY_NAME_TO_REVOKE" ]; then
   done
 fi
 # - Remove '${KEY_CN}-' from key name
 # -
 KEY_NAME_TO_REVOKE="${KEY_NAME_TO_REVOKE/${KEY_CN}-/}"
 _CLIENT_CN="${KEY_CN}-${KEY_NAME_TO_REVOKE}"
 if $EASYRSA_LAYOUT_NEW ; then
   _CLIENT_CERT="${OPENVPN_KEY_DIR}/issued/${_CLIENT_CN}.crt"
   _CLIENT_KEY="${OPENVPN_KEY_DIR}/private/${_CLIENT_CN}.key"
 else
   _CLIENT_CERT="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.crt"
   _CLIENT_KEY="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.key"
 fi
 for _name in $key_names_reserverd ; do
   [[ "$_name" = "$KEY_NAME_TO_REVOKE" ]] && fatal "Name '$KEY_NAME_TO_REVOKE' cannot be used - its a reserved name!"
 done
-if [[ ! -f "${OPENVPN_BASE_DIR}/keys/${KEY_NAME_TO_REVOKE}.key" ]]; then
+if [[ ! -f "${_CLIENT_CERT}" ]]; then
   fatal "Key '$KEY_NAME_TO_REVOKE' not found!"
 fi
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
-echo "Key Name to revoke......: $KEY_NAME_TO_REVOKE"
+echo "Key to revoke...........: $(basename "$_CLIENT_KEY")"
-info "Going to revoke key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m.."
+info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.."
 echo -n "To continue type uppercase 'YES': "
 read OK
 echo ""
@ -221,6 +256,7 @@ fi
 echo ""
 # ---
 # - Backup existing OpenVPN directory
 # ---
 echononl "Backup existing OpenVPN directory '$OPENVPN_BASE_DIR'.."
 if [[ -d "$OPENVPN_BASE_DIR" ]]; then
@ -236,106 +272,157 @@ else
   fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
 fi
-# ---
+if $EASYRSA_LAYOUT_NEW ; then
-# - source file vars
+
-# ---
+	# ---
-echononl "   Load configuration '${EASY_RSA_DIR}/vars'.."
+	# - Revoke Key
-source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+	# ---
-if [[ $? -eq 0 ]] ; then
+	echononl "Revoke key '$(basename "$_CLIENT_KEY")'.."
-   echo_ok
+	$EASY_RSA_DIR/easyrsa revoke "$_CLIENT_CN" > "$log_file" 2>&1
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 	fi
 	# ---
 	# - Generate new crl.pem
 	# ---
 	echononl "Generate new CRL (Certificate Revokation List) 'crl.pem'.."
 	$EASY_RSA_DIR/easyrsa gen-crl > "$log_file" 2>&1
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 	fi
 	# ---
 	# - Change group (nogroup) for file 'crl.pem'
 	# ---
 	echononl "Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.."
 	chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem"  > "$log_file" 2>&1
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 	fi
 	# ---
 	# - Change permission (640) for file 'crl.pem'
 	# ---
 	echononl "Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem"
 	chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 	fi
 else
   echo_failed
   error "$(cat $log_file)"
 fi
 	# ---
 	# - source file vars
 	# ---
 	echononl "   Load configuration '${EASY_RSA_DIR}/vars'.."
 	source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 	fi
-# ---
+	# ---
-# - Revoke Key
+	# - Revoke Key
-# ---
+	# ---
-echo ""
+	echo ""
-echo -e "\033[32m--\033[m"
+	echo -e "\033[32m--\033[m"
-echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .."
+	echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .."
-echo -e "\033[32m--\033[m"
+	echo -e "\033[32m--\033[m"
-echo ""
+	echo ""
-echononl "Change into key directory '$KEY_DIR'.."
+	echononl "Change into key directory '$KEY_DIR'.."
-cd "$KEY_DIR" > "$log_file" 2>&1
+	cd "$KEY_DIR" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	if [[ $? -eq 0 ]] ; then
-   echo_ok
+		echo_ok
-else
+	else
-   echo_failed
+		echo_failed
-   fatal "$(cat $log_file)"
+		fatal "$(cat $log_file)"
-fi
+	fi
-echononl "Set Defaults .."
+	echononl "Set Defaults .."
-CRL="crl.pem"
+	CRL="crl.pem"
-RT="revoke-test.pem"
+	RT="revoke-test.pem"
-export KEY_CN=""
+	export KEY_CN=""
-export KEY_OU=""
+	export KEY_OU=""
-export KEY_NAME=""
+	export KEY_NAME=""
-echo_ok
+	echo_ok
-echononl "Remove file '$RT'.."
+	echononl "Remove file '$RT'.."
-rm -f "$RT" > "$log_file" 2>&1
+	rm -f "$RT" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	if [[ $? -eq 0 ]] ; then
-   echo_ok
+		echo_ok
-else
+	else
-   echo_failed
+		echo_failed
-   fatal "$(cat $log_file)"
+		fatal "$(cat $log_file)"
-fi
+	fi
-echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
+	echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
-$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
+	$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	if [[ $? -eq 0 ]] ; then
-   echo_ok
+		echo_ok
-else
+	else
-   echo_failed
+		echo_failed
-   fatal "$(cat $log_file)"
+		fatal "$(cat $log_file)"
-fi
+	fi
-echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
+	echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
-$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
+	$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	if [[ $? -eq 0 ]] ; then
-   echo_ok
+		echo_ok
-else
+	else
-   echo_failed
+		echo_failed
-   fatal "$(cat $log_file)"
+		fatal "$(cat $log_file)"
-fi
+	fi
 	# ---
 	# - Check if Revokation was sucessfully.
 	# ---
 	echo ""
 	echo -e "\033[32m--\033[m"
 	echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
 	echo -e "\033[32m--\033[m"
 	echo ""
-# ---
+	echononl "Create CA file '$RT' from $CRL to check against.."
-# - Check if Revokation was sucessfully.
+	if [ -e export-ca.crt ]; then
-# ---
+		cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
-echo ""
+		_retval=$?
-echo -e "\033[32m--\033[m"
+	else
-echo "Check if Revokation of Key ${KEY_NAME_TO_REVOKE} was sucessfully.."
+		cat ca.crt "$CRL" >"$RT" 2> "$log_file"
-echo -e "\033[32m--\033[m"
+		_retval=$?
-echo ""
+	fi
 	if [[ $_retval -eq 0 ]]; then
 		echo_ok
 	else
 		echo_failed
 		error "$(cat $log_file)"
 		fatal "Verifying the revocation is not possible!"
 	fi
-echononl "Create CA file '$RT' from $CRL to check against.."
+	echononl "Verify the revocation.."
-if [ -e export-ca.crt ]; then
+	$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
-   cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
+	if [[ $? -eq 2 ]]; then
-   _retval=$?
+		echo_ok
-else
+		info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
-   cat ca.crt "$CRL" >"$RT" 2> "$log_file"
+	else
-   _retval=$?
+		echo_failed
-fi
+		error "$(cat $log_file)"
-if [[ $_retval -eq 0 ]]; then
+	fi
   echo_ok
 else
   echo_failed
   error "$(cat $log_file)"
   fatal "Verifying the revocation is not possible!"
 fi
 echononl "Verify the revocation.."
 $OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
 if [[ $? -eq 2 ]]; then
   echo_ok
   info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
 else
   echo_failed
   error "$(cat $log_file)"
 fi
 clean_up 0