tflucke
/
SSH-Master-Thesis


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399
							#!/bin/sh

#  OpenVPN -- An application to securely tunnel IP networks
#             over a single TCP/UDP port, with support for SSL/TLS-based
#             session authentication and key exchange,
#             packet encryption, packet authentication, and
#             packet compression.
#
#  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program (see the file COPYING included with this
#  distribution); if not, write to the Free Software Foundation, Inc.,
#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# pkitool is a front-end for the openssl tool.

# Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable.

# Calling scripts can also set the KEY_NAME environmental
# variable to set the "name" X509 subject field.

PROGNAME=pkitool
VERSION=2.0
DEBUG=0

die()
{
    local m="$1"

    echo "$m" >&2
    exit 1
}

need_vars()
{
    cat <<EOM
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool ($PROGNAME) to build certificates/keys.
EOM
}

usage()
{
    cat <<EOM
$PROGNAME $VERSION
Usage: $PROGNAME [options...] [common-name]

Options:
  --batch    : batch mode (default)
  --keysize  : Set keysize
      size   : size (default=1024)
  --interact : interactive mode
  --server   : build server cert
  --initca   : build root CA
  --inter    : build intermediate CA
  --pass     : encrypt private key with password
  --csr      : only generate a CSR, do not sign
  --sign     : sign an existing CSR
  --pkcs12   : generate a combined PKCS#12 file
  --pkcs11   : generate certificate on PKCS#11 token
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      id     : PKCS#11 object id (hex string)
      label  : PKCS#11 object label

Standalone options:
  --pkcs11-slots   : list PKCS#11 slots
      lib    : PKCS#11 library
  --pkcs11-objects : list PKCS#11 token objects
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      label  : PKCS#11 token label

Notes:
EOM
    need_vars
    cat <<EOM
  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.

Generated files and corresponding OpenVPN directives:
(Files will be placed in the \$KEY_DIR directory, defined in ./vars)
  ca.crt     -> root certificate (--ca)
  ca.key     -> root key, keep secure (not directly used by OpenVPN)
  .crt files -> client/server certificates (--cert)
  .key files -> private keys, keep secure (--key)
  .csr files -> certificate signing request (not directly used by OpenVPN)
  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)

Examples:
  $PROGNAME --initca          -> Build root certificate
  $PROGNAME --initca --pass   -> Build root certificate with password-protected key
  $PROGNAME --server server1  -> Build "server1" certificate/key
  $PROGNAME client1           -> Build "client1" certificate/key
  $PROGNAME --pass client2    -> Build password-protected "client2" certificate/key
  $PROGNAME --pkcs12 client3  -> Build "client3" certificate/key in PKCS#12 format
  $PROGNAME --csr client4     -> Build "client4" CSR to be signed by another CA
  $PROGNAME --sign client4    -> Sign "client4" CSR
  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key
                               Also see ./inherit-inter script.
  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
                              -> Build "client5" certificate/key in PKCS#11 token

Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys.
Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :
  [edit vars with your site-specific info]
  source ./vars
  ./clean-all
  ./build-dh     -> takes a long time, consider backgrounding
  ./$PROGNAME --initca
  ./$PROGNAME --server myserver
  ./$PROGNAME client1
  ./$PROGNAME --pass client2

Typical usage for adding client cert to existing PKI:
  source ./vars
  ./$PROGNAME client-new
EOM
}

# Set tool defaults
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
[ -n "$GREP" ] || export GREP="grep"

# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"

# Process options
while [ $# -gt 0 ]; do
    case "$1" in
        --keysize  ) KEY_SIZE=$2
                     shift;;
        --server   ) REQ_EXT="$REQ_EXT -extensions server"
                     CA_EXT="$CA_EXT -extensions server" ;;
        --batch    ) BATCH="-batch" ;;
        --interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
        --pass     ) NODES_REQ="" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
        --pkcs11   ) DO_P11="1"
                     PKCS11_MODULE_PATH="$2"
                     PKCS11_SLOT="$3"
                     PKCS11_ID="$4"
                     PKCS11_LABEL="$5"
                     shift 4;;

        # standalone
        --pkcs11-init)
                     PKCS11_MODULE_PATH="$2"
                     PKCS11_SLOT="$3"
                     PKCS11_LABEL="$4"
                     if [ -z "$PKCS11_LABEL" ]; then
                       die "Please specify library name, slot and label"
                     fi
                     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
                             --label "$PKCS11_LABEL" &&
                        $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
                     exit $?;;
        --pkcs11-slots)
                     PKCS11_MODULE_PATH="$2"
                     if [ -z "$PKCS11_MODULE_PATH" ]; then
                       die "Please specify library name"
                     fi
                     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
                     exit 0;;
        --pkcs11-objects)
                     PKCS11_MODULE_PATH="$2"
                     PKCS11_SLOT="$3"
                     if [ -z "$PKCS11_SLOT" ]; then
                       die "Please specify library name and slot"
                     fi
                     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
                     exit 0;;

        --help|--usage)
                    usage
                    exit ;;
        --version)
                    echo "$PROGNAME $VERSION"
                    exit ;;
        # errors
        --*        ) die "$PROGNAME: unknown option: $1" ;;
        *          ) break ;;
    esac
    shift
done

if ! [ -z "$BATCH" ]; then
        if $OPENSSL version | grep 0.9.6 > /dev/null; then
                die "Batch mode is unsupported in openssl<0.9.7"
        fi
fi

if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
        die "PKCS#11 and PKCS#12 cannot be specified together"
fi

if [ $DO_P11 -eq 1 ]; then
        if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
                die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
        fi
fi

# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
    NODES_P12="$NODES_REQ"
    NODES_REQ="-nodes"
fi

if [ $DO_P11 -eq 1 ]; then
    if [ -z "$PKCS11_LABEL" ]; then
        die "PKCS#11 arguments incomplete"
    fi
fi

# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
    KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
    CA_EXPIRE=3650
fi

# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
    KEY_OU=""
fi

# Set X509 Name string to empty string if undefined
if [ -z "$KEY_NAME" ]; then
    KEY_NAME=""
fi

# Set KEY_CN, FN
if [ $DO_ROOT -eq 1 ]; then
    if [ -z "$KEY_CN" ]; then
        if [ "$1" ]; then
            KEY_CN="$1"
	    KEY_ALTNAMES="DNS:${KEY_CN}"
        elif [ "$KEY_ORG" ]; then
            KEY_CN="$KEY_ORG CA"
	    KEY_ALTNAMES="$KEY_CN"
        fi
    fi
    if [ $BATCH ] && [ "$KEY_CN" ]; then
        echo "Using CA Common Name:" "$KEY_CN"
	KEY_ALTNAMES="$KEY_CN"
    fi
    FN="$KEY_CN"
elif [ $BATCH ] && [ "$KEY_CN" ]; then
    echo "Using Common Name:" "$KEY_CN"
    KEY_ALTNAMES="$KEY_CN"
    FN="$KEY_CN"
    if [ "$1" ]; then
        FN="$1"
    fi
else
    KEY_CN="$1"
    KEY_ALTNAMES="DNS:$1"
    shift
    while [ "x$1" != "x" ]
    do
        KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
        shift
    done
    FN="$KEY_CN"
fi

export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES

# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
    echo DO_REQ $DO_REQ
    echo REQ_EXT $REQ_EXT
    echo DO_CA $DO_CA
    echo CA_EXT $CA_EXT
    echo NODES_REQ $NODES_REQ
    echo NODES_P12 $NODES_P12
    echo DO_P12 $DO_P12
    echo KEY_CN $KEY_CN
    echo KEY_ALTNAMES $KEY_ALTNAMES
    echo BATCH $BATCH
    echo DO_ROOT $DO_ROOT
    echo KEY_EXPIRE $KEY_EXPIRE
    echo CA_EXPIRE $CA_EXPIRE
    echo KEY_OU $KEY_OU
    echo KEY_NAME $KEY_NAME
    echo DO_P11 $DO_P11
    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
    echo PKCS11_SLOT $PKCS11_SLOT
    echo PKCS11_ID $PKCS11_ID
    echo PKCS11_LABEL $PKCS11_LABEL
fi

# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
    cd "$KEY_DIR"

    # Make sure $KEY_CONFIG points to the correct version
    # of openssl.cnf
    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
        :
    else
        echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
        echo "version of openssl.cnf: $KEY_CONFIG"
        echo "The correct version should have a comment that says: easy-rsa version 2.x";
        exit 1;
    fi

    # Build root CA
    if [ $DO_ROOT -eq 1 ]; then
        $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
            -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
            chmod 0600 "$CA.key"
    else
        # Make sure CA key/cert is available
        if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
            if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
                echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
                echo "Try $PROGNAME --initca to build a root certificate/key."
                exit 1
            fi
        fi

        # Generate key for PKCS#11 token
        PKCS11_ARGS=
        if [ $DO_P11 -eq 1 ]; then
                stty -echo
                echo -n "User PIN: "
                read -r PKCS11_PIN
                stty echo
                export PKCS11_PIN

                echo "Generating key pair on PKCS#11 token..."
                $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
                        --login --pin "$PKCS11_PIN" \
                        --key-type rsa:1024 \
                        --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
                PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
        fi

        # Build cert/key
        ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \
                -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
            ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
                -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
            ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
                -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
            ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
            ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )

        # Load certificate into PKCS#11 token
        if [ $DO_P11 -eq 1 ]; then
                $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
                  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
                        --login --pin "$PKCS11_PIN" \
                        --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
                [ -e "$FN.crt.der" ]; rm "$FN.crt.der"
        fi

    fi

# Need definitions
else
    need_vars
fi