From ecdb3eb9669eff1f01f29b9334374ae9e4377e89 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sun, 18 Aug 2019 11:41:52 +0200 Subject: [PATCH] Add scripts fom easy.rsa old layout. --- easy-rsa.OLD-LAYOUT/scripts/build-ca | 8 + easy-rsa.OLD-LAYOUT/scripts/build-dh | 11 + easy-rsa.OLD-LAYOUT/scripts/build-inter | 7 + easy-rsa.OLD-LAYOUT/scripts/build-key | 7 + easy-rsa.OLD-LAYOUT/scripts/build-key-pass | 7 + easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 | 8 + easy-rsa.OLD-LAYOUT/scripts/build-key-server | 10 + easy-rsa.OLD-LAYOUT/scripts/build-req | 7 + easy-rsa.OLD-LAYOUT/scripts/build-req-pass | 7 + easy-rsa.OLD-LAYOUT/scripts/clean-all | 16 + easy-rsa.OLD-LAYOUT/scripts/inherit-inter | 39 ++ easy-rsa.OLD-LAYOUT/scripts/list-crl | 13 + easy-rsa.OLD-LAYOUT/scripts/pkitool | 399 +++++++++++++++++++ easy-rsa.OLD-LAYOUT/scripts/revoke-full | 43 ++ easy-rsa.OLD-LAYOUT/scripts/sign-req | 7 + easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf | 26 ++ 16 files changed, 615 insertions(+) create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-ca create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-dh create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-inter create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-key create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-key-pass create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-key-server create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-req create mode 100755 easy-rsa.OLD-LAYOUT/scripts/build-req-pass create mode 100755 easy-rsa.OLD-LAYOUT/scripts/clean-all create mode 100755 easy-rsa.OLD-LAYOUT/scripts/inherit-inter create mode 100755 easy-rsa.OLD-LAYOUT/scripts/list-crl create mode 100755 easy-rsa.OLD-LAYOUT/scripts/pkitool create mode 100755 easy-rsa.OLD-LAYOUT/scripts/revoke-full create mode 100755 easy-rsa.OLD-LAYOUT/scripts/sign-req create mode 100755 easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-ca b/easy-rsa.OLD-LAYOUT/scripts/build-ca new file mode 100755 index 0000000..bce29a6 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-ca @@ -0,0 +1,8 @@ +#!/bin/sh + +# +# Build a root certificate +# + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --initca $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-dh b/easy-rsa.OLD-LAYOUT/scripts/build-dh new file mode 100755 index 0000000..4beb127 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-dh @@ -0,0 +1,11 @@ +#!/bin/sh + +# Build Diffie-Hellman parameters for the server side +# of an SSL/TLS connection. + +if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then + $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-inter b/easy-rsa.OLD-LAYOUT/scripts/build-inter new file mode 100755 index 0000000..87bf98d --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-inter @@ -0,0 +1,7 @@ +#!/bin/sh + +# Make an intermediate CA certificate/private key pair using a locally generated +# root certificate. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --inter $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-key b/easy-rsa.OLD-LAYOUT/scripts/build-key new file mode 100755 index 0000000..6c0fed8 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-key @@ -0,0 +1,7 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-key-pass b/easy-rsa.OLD-LAYOUT/scripts/build-key-pass new file mode 100755 index 0000000..8ef8307 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-key-pass @@ -0,0 +1,7 @@ +#!/bin/sh + +# Similar to build-key, but protect the private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pass $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 b/easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 new file mode 100755 index 0000000..ba90e6a --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 @@ -0,0 +1,8 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate and convert it to a PKCS #12 file including the +# the CA certificate as well. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --pkcs12 $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-key-server b/easy-rsa.OLD-LAYOUT/scripts/build-key-server new file mode 100755 index 0000000..fee0194 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-key-server @@ -0,0 +1,10 @@ +#!/bin/sh + +# Make a certificate/private key pair using a locally generated +# root certificate. +# +# Explicitly set nsCertType to server using the "server" +# extension in the openssl.cnf file. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --server $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-req b/easy-rsa.OLD-LAYOUT/scripts/build-req new file mode 100755 index 0000000..559d512 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-req @@ -0,0 +1,7 @@ +#!/bin/sh + +# Build a certificate signing request and private key. Use this +# when your root certificate and key is not available locally. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/build-req-pass b/easy-rsa.OLD-LAYOUT/scripts/build-req-pass new file mode 100755 index 0000000..b73ee1b --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/build-req-pass @@ -0,0 +1,7 @@ +#!/bin/sh + +# Like build-req, but protect your private key +# with a password. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --csr --pass $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/clean-all b/easy-rsa.OLD-LAYOUT/scripts/clean-all new file mode 100755 index 0000000..b1d0237 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/clean-all @@ -0,0 +1,16 @@ +#!/bin/sh + +# Initialize the $KEY_DIR directory. +# Note that this script does a +# rm -rf on $KEY_DIR so be careful! + +if [ "$KEY_DIR" ]; then + rm -rf "$KEY_DIR" + mkdir "$KEY_DIR" && \ + chmod go-rwx "$KEY_DIR" && \ + touch "$KEY_DIR/index.txt" && \ + echo 01 >"$KEY_DIR/serial" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/inherit-inter b/easy-rsa.OLD-LAYOUT/scripts/inherit-inter new file mode 100755 index 0000000..1fe3539 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/inherit-inter @@ -0,0 +1,39 @@ +#!/bin/sh + +# Build a new PKI which is rooted on an intermediate certificate generated +# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should +# have independent vars settings, and must use a different KEY_DIR directory +# from the parent. This tool can be used to generate arbitrary depth +# certificate chains. +# +# To build an intermediate CA, follow the same steps for a regular PKI but +# replace ./build-key or ./pkitool --initca with this script. + +# The EXPORT_CA file will contain the CA certificate chain and should be +# referenced by the OpenVPN "ca" directive in config files. The ca.crt file +# will only contain the local intermediate CA -- it's needed by the easy-rsa +# scripts but not by OpenVPN directly. +EXPORT_CA="export-ca.crt" + +if [ $# -ne 2 ]; then + echo "usage: $0 " + echo "parent-key-dir: the KEY_DIR directory of the parent PKI" + echo "common-name: the common name of the intermediate certificate in the parent PKI" + exit 1; +fi + +if [ "$KEY_DIR" ]; then + cp "$1/$2.crt" "$KEY_DIR/ca.crt" + cp "$1/$2.key" "$KEY_DIR/ca.key" + + if [ -e "$1/$EXPORT_CA" ]; then + PARENT_CA="$1/$EXPORT_CA" + else + PARENT_CA="$1/ca.crt" + fi + cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" + cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/list-crl b/easy-rsa.OLD-LAYOUT/scripts/list-crl new file mode 100755 index 0000000..32c1143 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/list-crl @@ -0,0 +1,13 @@ +#!/bin/sh + +# list revoked certificates + +CRL="${1:-crl.pem}" + +if [ "$KEY_DIR" ]; then + cd "$KEY_DIR" && \ + $OPENSSL crl -text -noout -in "$CRL" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/pkitool b/easy-rsa.OLD-LAYOUT/scripts/pkitool new file mode 100755 index 0000000..44145ad --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/pkitool @@ -0,0 +1,399 @@ +#!/bin/sh + +# OpenVPN -- An application to securely tunnel IP networks +# over a single TCP/UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program (see the file COPYING included with this +# distribution); if not, write to the Free Software Foundation, Inc., +# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# pkitool is a front-end for the openssl tool. + +# Calling scripts can set the certificate organizational +# unit with the KEY_OU environmental variable. + +# Calling scripts can also set the KEY_NAME environmental +# variable to set the "name" X509 subject field. + +PROGNAME=pkitool +VERSION=2.0 +DEBUG=0 + +die() +{ + local m="$1" + + echo "$m" >&2 + exit 1 +} + +need_vars() +{ + cat < root certificate (--ca) + ca.key -> root key, keep secure (not directly used by OpenVPN) + .crt files -> client/server certificates (--cert) + .key files -> private keys, keep secure (--key) + .csr files -> certificate signing request (not directly used by OpenVPN) + dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh) + +Examples: + $PROGNAME --initca -> Build root certificate + $PROGNAME --initca --pass -> Build root certificate with password-protected key + $PROGNAME --server server1 -> Build "server1" certificate/key + $PROGNAME client1 -> Build "client1" certificate/key + $PROGNAME --pass client2 -> Build password-protected "client2" certificate/key + $PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format + $PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA + $PROGNAME --sign client4 -> Sign "client4" CSR + $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key + Also see ./inherit-inter script. + $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 + -> Build "client5" certificate/key in PKCS#11 token + +Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. +Protect client2 key with a password. Build DH parms. Generated files in ./keys : + [edit vars with your site-specific info] + source ./vars + ./clean-all + ./build-dh -> takes a long time, consider backgrounding + ./$PROGNAME --initca + ./$PROGNAME --server myserver + ./$PROGNAME client1 + ./$PROGNAME --pass client2 + +Typical usage for adding client cert to existing PKI: + source ./vars + ./$PROGNAME client-new +EOM +} + +# Set tool defaults +[ -n "$OPENSSL" ] || export OPENSSL="openssl" +[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool" +[ -n "$GREP" ] || export GREP="grep" + +# Set defaults +DO_REQ="1" +REQ_EXT="" +DO_CA="1" +CA_EXT="" +DO_P12="0" +DO_P11="0" +DO_ROOT="0" +NODES_REQ="-nodes" +NODES_P12="" +BATCH="-batch" +CA="ca" +# must be set or errors of openssl.cnf +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +# Process options +while [ $# -gt 0 ]; do + case "$1" in + --keysize ) KEY_SIZE=$2 + shift;; + --server ) REQ_EXT="$REQ_EXT -extensions server" + CA_EXT="$CA_EXT -extensions server" ;; + --batch ) BATCH="-batch" ;; + --interact ) BATCH="" ;; + --inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;; + --initca ) DO_ROOT="1" ;; + --pass ) NODES_REQ="" ;; + --csr ) DO_CA="0" ;; + --sign ) DO_REQ="0" ;; + --pkcs12 ) DO_P12="1" ;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; + + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + --help|--usage) + usage + exit ;; + --version) + echo "$PROGNAME $VERSION" + exit ;; + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; + * ) break ;; + esac + shift +done + +if ! [ -z "$BATCH" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi +fi + +if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then + die "PKCS#11 and PKCS#12 cannot be specified together" +fi + +if [ $DO_P11 -eq 1 ]; then + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi +fi + +# If we are generating pkcs12, only encrypt the final step +if [ $DO_P12 -eq 1 ]; then + NODES_P12="$NODES_REQ" + NODES_REQ="-nodes" +fi + +if [ $DO_P11 -eq 1 ]; then + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi +fi + +# If undefined, set default key expiration intervals +if [ -z "$KEY_EXPIRE" ]; then + KEY_EXPIRE=3650 +fi +if [ -z "$CA_EXPIRE" ]; then + CA_EXPIRE=3650 +fi + +# Set organizational unit to empty string if undefined +if [ -z "$KEY_OU" ]; then + KEY_OU="" +fi + +# Set X509 Name string to empty string if undefined +if [ -z "$KEY_NAME" ]; then + KEY_NAME="" +fi + +# Set KEY_CN, FN +if [ $DO_ROOT -eq 1 ]; then + if [ -z "$KEY_CN" ]; then + if [ "$1" ]; then + KEY_CN="$1" + KEY_ALTNAMES="DNS:${KEY_CN}" + elif [ "$KEY_ORG" ]; then + KEY_CN="$KEY_ORG CA" + KEY_ALTNAMES="$KEY_CN" + fi + fi + if [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using CA Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + fi + FN="$KEY_CN" +elif [ $BATCH ] && [ "$KEY_CN" ]; then + echo "Using Common Name:" "$KEY_CN" + KEY_ALTNAMES="$KEY_CN" + FN="$KEY_CN" + if [ "$1" ]; then + FN="$1" + fi +else + KEY_CN="$1" + KEY_ALTNAMES="DNS:$1" + shift + while [ "x$1" != "x" ] + do + KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1" + shift + done + FN="$KEY_CN" +fi + +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES + +# Show parameters (debugging) +if [ $DEBUG -eq 1 ]; then + echo DO_REQ $DO_REQ + echo REQ_EXT $REQ_EXT + echo DO_CA $DO_CA + echo CA_EXT $CA_EXT + echo NODES_REQ $NODES_REQ + echo NODES_P12 $NODES_P12 + echo DO_P12 $DO_P12 + echo KEY_CN $KEY_CN + echo KEY_ALTNAMES $KEY_ALTNAMES + echo BATCH $BATCH + echo DO_ROOT $DO_ROOT + echo KEY_EXPIRE $KEY_EXPIRE + echo CA_EXPIRE $CA_EXPIRE + echo KEY_OU $KEY_OU + echo KEY_NAME $KEY_NAME + echo DO_P11 $DO_P11 + echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH + echo PKCS11_SLOT $PKCS11_SLOT + echo PKCS11_ID $PKCS11_ID + echo PKCS11_LABEL $PKCS11_LABEL +fi + +# Make sure ./vars was sourced beforehand +if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then + cd "$KEY_DIR" + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf + if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" + echo "version of openssl.cnf: $KEY_CONFIG" + echo "The correct version should have a comment that says: easy-rsa version 2.x"; + exit 1; + fi + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else + # Make sure CA key/cert is available + if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then + if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then + echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR" + echo "Try $PROGNAME --initca to build a root certificate/key." + exit 1 + fi + fi + + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi + + # Build cert/key + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ + ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" + fi + + fi + +# Need definitions +else + need_vars +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/revoke-full b/easy-rsa.OLD-LAYOUT/scripts/revoke-full new file mode 100755 index 0000000..e9c7d02 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/revoke-full @@ -0,0 +1,43 @@ +#!/bin/sh + +# revoke a certificate, regenerate CRL, +# and verify revocation + +CRL="crl.pem" +RT="revoke-test.pem" + +if [ $# -ne 1 ]; then + echo "usage: revoke-full "; + exit 1 +fi + +if [ "$KEY_DIR" ]; then + cd "$KEY_DIR" + rm -f "$RT" + + # set defaults + export KEY_CN="" + export KEY_OU="" + export KEY_NAME="" + + # required due to hack in openssl.cnf that supports Subject Alternative Names + export KEY_ALTNAMES="" + + # revoke key and generate a new CRL + $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" + + # generate a new CRL -- try to be compatible with + # intermediate PKIs + $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" + if [ -e export-ca.crt ]; then + cat export-ca.crt "$CRL" >"$RT" + else + cat ca.crt "$CRL" >"$RT" + fi + + # verify the revocation + $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" +else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +fi diff --git a/easy-rsa.OLD-LAYOUT/scripts/sign-req b/easy-rsa.OLD-LAYOUT/scripts/sign-req new file mode 100755 index 0000000..6cae7b4 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/sign-req @@ -0,0 +1,7 @@ +#!/bin/sh + +# Sign a certificate signing request (a .csr file) +# with a local root certificate and key. + +export EASY_RSA="${EASY_RSA:-.}" +"$EASY_RSA/pkitool" --interact --sign $* diff --git a/easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf b/easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf new file mode 100755 index 0000000..4c5f3c7 --- /dev/null +++ b/easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf @@ -0,0 +1,26 @@ +#!/bin/sh + +cnf="$1/openssl.cnf" + +if [ "$OPENSSL" ]; then + if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.6.cnf" + elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-0.9.8.cnf" + elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then + cnf="$1/openssl-1.0.0.cnf" + else + cnf="$1/openssl.cnf" + fi +fi + +echo $cnf + +if [ ! -r $cnf ]; then + echo "**************************************************************" >&2 + echo " No $cnf file could be found" >&2 + echo " Further invocations will fail" >&2 + echo "**************************************************************" >&2 +fi + +exit 0