install/openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add scripts fom easy.rsa old layout.

Browse Source
This commit is contained in:
Christoph 2019-08-18 11:41:52 +02:00
parent 840e1cf9dc
commit ecdb3eb966
16 changed files with 615 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
easy-rsa.OLD-LAYOUT/scripts/build-ca Executable file
View File

@ -0,0 +1,8 @@
#!/bin/sh
#
# Build a root certificate
#
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --initca $*

11
easy-rsa.OLD-LAYOUT/scripts/build-dh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/sh
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

7
easy-rsa.OLD-LAYOUT/scripts/build-inter Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --inter $*

7
easy-rsa.OLD-LAYOUT/scripts/build-key Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Make a certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact $*

7
easy-rsa.OLD-LAYOUT/scripts/build-key-pass Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Similar to build-key, but protect the private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pass $*

8
easy-rsa.OLD-LAYOUT/scripts/build-key-pkcs12 Executable file
View File

@ -0,0 +1,8 @@
#!/bin/sh
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pkcs12 $*

10
easy-rsa.OLD-LAYOUT/scripts/build-key-server Executable file
View File

@ -0,0 +1,10 @@
#!/bin/sh
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --server $*

7
easy-rsa.OLD-LAYOUT/scripts/build-req Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr $*

7
easy-rsa.OLD-LAYOUT/scripts/build-req-pass Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Like build-req, but protect your private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr --pass $*

16
easy-rsa.OLD-LAYOUT/scripts/clean-all Executable file
View File

@ -0,0 +1,16 @@
#!/bin/sh
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

39
easy-rsa.OLD-LAYOUT/scripts/inherit-inter Executable file
View File

@ -0,0 +1,39 @@
#!/bin/sh
# Build a new PKI which is rooted on an intermediate certificate generated
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
# have independent vars settings, and must use a different KEY_DIR directory
# from the parent. This tool can be used to generate arbitrary depth
# certificate chains.
#
# To build an intermediate CA, follow the same steps for a regular PKI but
# replace ./build-key or ./pkitool --initca with this script.
# The EXPORT_CA file will contain the CA certificate chain and should be
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
# will only contain the local intermediate CA -- it's needed by the easy-rsa
# scripts but not by OpenVPN directly.
EXPORT_CA="export-ca.crt"
if [ $# -ne 2 ]; then
echo "usage: $0 <parent-key-dir> <common-name>"
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
echo "common-name: the common name of the intermediate certificate in the parent PKI"
exit 1;
fi
if [ "$KEY_DIR" ]; then
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA"
else
PARENT_CA="$1/ca.crt"
fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

13
easy-rsa.OLD-LAYOUT/scripts/list-crl Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
# list revoked certificates
CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

399
easy-rsa.OLD-LAYOUT/scripts/pkitool Executable file
View File

@ -0,0 +1,399 @@
#!/bin/sh
# OpenVPN -- An application to securely tunnel IP networks
# over a single TCP/UDP port, with support for SSL/TLS-based
# session authentication and key exchange,
# packet encryption, packet authentication, and
# packet compression.
#
# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program (see the file COPYING included with this
# distribution); if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# pkitool is a front-end for the openssl tool.
# Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable.
# Calling scripts can also set the KEY_NAME environmental
# variable to set the "name" X509 subject field.
PROGNAME=pkitool
VERSION=2.0
DEBUG=0
die()
{
local m="$1"
echo "$m" >&2
exit 1
}
need_vars()
{
cat <<EOM
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool ($PROGNAME) to build certificates/keys.
EOM
}
usage()
{
cat <<EOM
$PROGNAME $VERSION
Usage: $PROGNAME [options...] [common-name]
Options:
--batch : batch mode (default)
--keysize : Set keysize
size : size (default=1024)
--interact : interactive mode
--server : build server cert
--initca : build root CA
--inter : build intermediate CA
--pass : encrypt private key with password
--csr : only generate a CSR, do not sign
--sign : sign an existing CSR
--pkcs12 : generate a combined PKCS#12 file
--pkcs11 : generate certificate on PKCS#11 token
lib : PKCS#11 library
slot : PKCS#11 slot
id : PKCS#11 object id (hex string)
label : PKCS#11 object label
Standalone options:
--pkcs11-slots : list PKCS#11 slots
lib : PKCS#11 library
--pkcs11-objects : list PKCS#11 token objects
lib : PKCS#11 library
slot : PKCS#11 slot
--pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
lib : PKCS#11 library
slot : PKCS#11 slot
label : PKCS#11 token label
Notes:
EOM
need_vars
cat <<EOM
In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
Generated files and corresponding OpenVPN directives:
(Files will be placed in the \$KEY_DIR directory, defined in ./vars)
ca.crt -> root certificate (--ca)
ca.key -> root key, keep secure (not directly used by OpenVPN)
.crt files -> client/server certificates (--cert)
.key files -> private keys, keep secure (--key)
.csr files -> certificate signing request (not directly used by OpenVPN)
dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
Examples:
$PROGNAME --initca -> Build root certificate
$PROGNAME --initca --pass -> Build root certificate with password-protected key
$PROGNAME --server server1 -> Build "server1" certificate/key
$PROGNAME client1 -> Build "client1" certificate/key
$PROGNAME --pass client2 -> Build password-protected "client2" certificate/key
$PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
$PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA
$PROGNAME --sign client4 -> Sign "client4" CSR
$PROGNAME --inter interca -> Build an intermediate key-signing certificate/key
Also see ./inherit-inter script.
$PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
-> Build "client5" certificate/key in PKCS#11 token
Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
Protect client2 key with a password. Build DH parms. Generated files in ./keys :
[edit vars with your site-specific info]
source ./vars
./clean-all
./build-dh -> takes a long time, consider backgrounding
./$PROGNAME --initca
./$PROGNAME --server myserver
./$PROGNAME client1
./$PROGNAME --pass client2
Typical usage for adding client cert to existing PKI:
source ./vars
./$PROGNAME client-new
EOM
}
# Set tool defaults
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
[ -n "$GREP" ] || export GREP="grep"
# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"
# Process options
while [ $# -gt 0 ]; do
case "$1" in
--keysize ) KEY_SIZE=$2
shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_ID="$4"
PKCS11_LABEL="$5"
shift 4;;
# standalone
--pkcs11-init)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;;
--pkcs11-slots)
PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;;
--pkcs11-objects)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;;
--help|--usage)
usage
exit ;;
--version)
echo "$PROGNAME $VERSION"
exit ;;
# errors
--* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;;
esac
shift
done
if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7"
fi
fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together"
fi
if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi
fi
# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ"
NODES_REQ="-nodes"
fi
if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete"
fi
fi
# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
CA_EXPIRE=3650
fi
# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
KEY_OU=""
fi
# Set X509 Name string to empty string if undefined
if [ -z "$KEY_NAME" ]; then
KEY_NAME=""
fi
# Set KEY_CN, FN
if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
KEY_ALTNAMES="DNS:${KEY_CN}"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
KEY_ALTNAMES="$KEY_CN"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" "$KEY_CN"
KEY_ALTNAMES="$KEY_CN"
fi
FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using Common Name:" "$KEY_CN"
KEY_ALTNAMES="$KEY_CN"
FN="$KEY_CN"
if [ "$1" ]; then
FN="$1"
fi
else
KEY_CN="$1"
KEY_ALTNAMES="DNS:$1"
shift
while [ "x$1" != "x" ]
do
KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
shift
done
FN="$KEY_CN"
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
echo DO_REQ $DO_REQ
echo REQ_EXT $REQ_EXT
echo DO_CA $DO_CA
echo CA_EXT $CA_EXT
echo NODES_REQ $NODES_REQ
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
echo KEY_ALTNAMES $KEY_ALTNAMES
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU
echo KEY_NAME $KEY_NAME
echo DO_P11 $DO_P11
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
echo PKCS11_SLOT $PKCS11_SLOT
echo PKCS11_ID $PKCS11_ID
echo PKCS11_LABEL $PKCS11_LABEL
fi
# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
cd "$KEY_DIR"
# Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
:
else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1;
fi
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
# Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1
fi
fi
# Generate key for PKCS#11 token
PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then
stty -echo
echo -n "User PIN: "
read -r PKCS11_PIN
stty echo
export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
fi
fi
# Need definitions
else
need_vars
fi

43
easy-rsa.OLD-LAYOUT/scripts/revoke-full Executable file
View File

@ -0,0 +1,43 @@
#!/bin/sh
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL="crl.pem"
RT="revoke-test.pem"
if [ $# -ne 1 ]; then
echo "usage: revoke-full <cert-name-base>";
exit 1
fi
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR"
rm -f "$RT"
# set defaults
export KEY_CN=""
export KEY_OU=""
export KEY_NAME=""
# required due to hack in openssl.cnf that supports Subject Alternative Names
export KEY_ALTNAMES=""
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
# generate a new CRL -- try to be compatible with
# intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT"
else
cat ca.crt "$CRL" >"$RT"
fi
# verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

7
easy-rsa.OLD-LAYOUT/scripts/sign-req Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --sign $*

26
easy-rsa.OLD-LAYOUT/scripts/whichopensslcnf Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
cnf="$1/openssl.cnf"
if [ "$OPENSSL" ]; then
if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.6.cnf"
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.8.cnf"
elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-1.0.0.cnf"
else
cnf="$1/openssl.cnf"
fi
fi
echo $cnf
if [ ! -r $cnf ]; then
echo "**************************************************************" >&2
echo " No $cnf file could be found" >&2
echo " Further invocations will fail" >&2
echo "**************************************************************" >&2
fi
exit 0