revoke_key.sh: add support for new easyrsa layout.

2019-07-16 03:22:52 +02:00 · 2019-07-16 03:22:52 +02:00 · 8aaf73fa3c
commit 8aaf73fa3c
parent 57a968de51
1 changed files with 179 additions and 92 deletions
--- a/revoke_key.sh
+++ b/revoke_key.sh
@ -17,9 +17,16 @@ clean_up() {

   # Perform program exit housekeeping
   rm $log_file
+   blank_line
   exit $1
 }

+blank_line() {
+   if $terminal ; then
+      echo ""
+   fi
+}
+
 is_number() {

   return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
@ -169,6 +176,20 @@ fi

 EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"

+if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then
+   EASYRSA_LAYOUT_NEW=true
+else
+   EASYRSA_LAYOUT_NEW=false
+fi
+
+if [[ -z "$OPENVPN_KEY_DIR" ]] ; then
+   if $EASYRSA_LAYOUT_NEW ; then
+      OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki"
+   else
+      OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys"
+   fi
+fi
+


 echo ""
@ -188,20 +209,34 @@ if [ -z "$KEY_NAME_TO_REVOKE" ]; then
   done
 fi

+# - Remove '${KEY_CN}-' from key name
+# -
+KEY_NAME_TO_REVOKE="${KEY_NAME_TO_REVOKE/${KEY_CN}-/}"
+
+_CLIENT_CN="${KEY_CN}-${KEY_NAME_TO_REVOKE}"
+if $EASYRSA_LAYOUT_NEW ; then
+   _CLIENT_CERT="${OPENVPN_KEY_DIR}/issued/${_CLIENT_CN}.crt"
+   _CLIENT_KEY="${OPENVPN_KEY_DIR}/private/${_CLIENT_CN}.key"
+else
+   _CLIENT_CERT="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.crt"
+   _CLIENT_KEY="${OPENVPN_KEY_DIR}/${NEW_KEY_NAME}.key"
+fi
+
+
 for _name in $key_names_reserverd ; do
   [[ "$_name" = "$KEY_NAME_TO_REVOKE" ]] && fatal "Name '$KEY_NAME_TO_REVOKE' cannot be used - its a reserved name!"
 done

-if [[ ! -f "${OPENVPN_BASE_DIR}/keys/${KEY_NAME_TO_REVOKE}.key" ]]; then
+if [[ ! -f "${_CLIENT_CERT}" ]]; then
   fatal "Key '$KEY_NAME_TO_REVOKE' not found!"
 fi

 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
-echo "Key Name to revoke......: $KEY_NAME_TO_REVOKE"
+echo "Key to revoke...........: $(basename "$_CLIENT_KEY")"

-info "Going to revoke key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m.."
+info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.."
 echo -n "To continue type uppercase 'YES': "
 read OK
 echo ""
@ -221,6 +256,7 @@ fi
 echo ""

 # ---
+# - Backup existing OpenVPN directory
 # ---
 echononl "Backup existing OpenVPN directory '$OPENVPN_BASE_DIR'.."
 if [[ -d "$OPENVPN_BASE_DIR" ]]; then
@ -236,106 +272,157 @@ else
   fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
 fi

-# ---
-# - source file vars
-# ---
-echononl "   Load configuration '${EASY_RSA_DIR}/vars'.."
-source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+if $EASYRSA_LAYOUT_NEW ; then
+
+	# ---
+	# - Revoke Key
+	# ---
+	echononl "Revoke key '$(basename "$_CLIENT_KEY")'.."
+	$EASY_RSA_DIR/easyrsa revoke "$_CLIENT_CN" > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
 		echo_ok
-else
+	else
 		echo_failed
 		error "$(cat $log_file)"
-fi
+	fi

-
-# ---
-# - Revoke Key
-# ---
-echo ""
-echo -e "\033[32m--\033[m"
-echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .."
-echo -e "\033[32m--\033[m"
-echo ""
-
-echononl "Change into key directory '$KEY_DIR'.."
-cd "$KEY_DIR" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	# ---
+	# - Generate new crl.pem
+	# ---
+	echononl "Generate new CRL (Certificate Revokation List) 'crl.pem'.."
+	$EASY_RSA_DIR/easyrsa gen-crl > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
 		echo_ok
+	else
+		echo_failed
+		error "$(cat $log_file)"
+	fi
+
+	# ---
+	# - Change group (nogroup) for file 'crl.pem'
+	# ---
+	echononl "Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.."
+	chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem"  > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
+		echo_failed
+		error "$(cat $log_file)"
+	fi
+
+	# ---
+	# - Change permission (640) for file 'crl.pem'
+	# ---
+	echononl "Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem"
+	chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
+		echo_failed
+		error "$(cat $log_file)"
+	fi
+
 else
+
+	# ---
+	# - source file vars
+	# ---
+	echononl "   Load configuration '${EASY_RSA_DIR}/vars'.."
+	source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
+		echo_failed
+		error "$(cat $log_file)"
+	fi
+
+	# ---
+	# - Revoke Key
+	# ---
+	echo ""
+	echo -e "\033[32m--\033[m"
+	echo "Revoke Key ${KEY_NAME_TO_REVOKE}.key .."
+	echo -e "\033[32m--\033[m"
+	echo ""
+
+	echononl "Change into key directory '$KEY_DIR'.."
+	cd "$KEY_DIR" > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
 		echo_failed
 		fatal "$(cat $log_file)"
-fi
+	fi

-echononl "Set Defaults .."
-CRL="crl.pem"
-RT="revoke-test.pem"
-export KEY_CN=""
-export KEY_OU=""
-export KEY_NAME=""
-echo_ok
-
-echononl "Remove file '$RT'.."
-rm -f "$RT" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	echononl "Set Defaults .."
+	CRL="crl.pem"
+	RT="revoke-test.pem"
+	export KEY_CN=""
+	export KEY_OU=""
+	export KEY_NAME=""
 	echo_ok
-else
+
+	echononl "Remove file '$RT'.."
+	rm -f "$RT" > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
 		echo_failed
 		fatal "$(cat $log_file)"
-fi
+	fi

-echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
-$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
+	$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
 		echo_ok
-else
+	else
 		echo_failed
 		fatal "$(cat $log_file)"
-fi
+	fi

-echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
-$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
-if [[ $? -eq 0 ]] ; then
+	echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
+	$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
+	if [[ $? -eq 0 ]] ; then
 		echo_ok
-else
+	else
 		echo_failed
 		fatal "$(cat $log_file)"
-fi
+	fi

+	# ---
+	# - Check if Revokation was sucessfully.
+	# ---
+	echo ""
+	echo -e "\033[32m--\033[m"
+	echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
+	echo -e "\033[32m--\033[m"
+	echo ""

-# ---
-# - Check if Revokation was sucessfully.
-# ---
-echo ""
-echo -e "\033[32m--\033[m"
-echo "Check if Revokation of Key ${KEY_NAME_TO_REVOKE} was sucessfully.."
-echo -e "\033[32m--\033[m"
-echo ""
-
-echononl "Create CA file '$RT' from $CRL to check against.."
-if [ -e export-ca.crt ]; then
+	echononl "Create CA file '$RT' from $CRL to check against.."
+	if [ -e export-ca.crt ]; then
 		cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
 		_retval=$?
-else
+	else
 		cat ca.crt "$CRL" >"$RT" 2> "$log_file"
 		_retval=$?
-fi
-if [[ $_retval -eq 0 ]]; then
+	fi
+	if [[ $_retval -eq 0 ]]; then
 		echo_ok
-else
+	else
 		echo_failed
 		error "$(cat $log_file)"
 		fatal "Verifying the revocation is not possible!"
-fi
+	fi

-echononl "Verify the revocation.."
-$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
-if [[ $? -eq 2 ]]; then
+	echononl "Verify the revocation.."
+	$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
+	if [[ $? -eq 2 ]]; then
 		echo_ok
 		info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
-else
+	else
 		echo_failed
 		error "$(cat $log_file)"
+	fi
 fi

 clean_up 0