aboutsummaryrefslogtreecommitdiff
path: root/easy-rsa/2.0/pkitool
blob: 4e0442de195df0a00ea4a42c3a51b6b84afd1792 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
#!/bin/sh

#  OpenVPN -- An application to securely tunnel IP networks
#             over a single TCP/UDP port, with support for SSL/TLS-based
#             session authentication and key exchange,
#             packet encryption, packet authentication, and
#             packet compression.
#
#  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program (see the file COPYING included with this
#  distribution); if not, write to the Free Software Foundation, Inc.,
#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# pkitool is a front-end for the openssl tool.

# Calling scripts can set the certificate organizational 
# unit with the KEY_OU environmental variable. 

PROGNAME=pkitool
VERSION=2.0
DEBUG=0

die()
{
    local m="$1"

    echo "$m" >&2
    exit 1
}

need_vars()
{
    echo '  Please edit the vars script to reflect your configuration,'
    echo '  then source it with "source ./vars".'
    echo '  Next, to start with a fresh PKI configuration and to delete any'
    echo '  previous certificates and keys, run "./clean-all".'
    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}

usage()
{
    echo "$PROGNAME $VERSION"
    echo "Usage: $PROGNAME [options...] [common-name]"
    echo "Options:"
    echo "  --batch    : batch mode (default)"
    echo "  --keysize  : Set keysize"
    echo "      size   : size (default=1024)"
    echo "  --interact : interactive mode"
    echo "  --server   : build server cert"
    echo "  --initca   : build root CA"
    echo "  --inter    : build intermediate CA"
    echo "  --pass     : encrypt private key with password"
    echo "  --csr      : only generate a CSR, do not sign"
    echo "  --sign     : sign an existing CSR"
    echo "  --pkcs12   : generate a combined PKCS#12 file"
    echo "  --pkcs11   : generate certificate on PKCS#11 token"
    echo "      lib    : PKCS#11 library"
    echo "      slot   : PKCS#11 slot"
    echo "      id     : PKCS#11 object id (hex string)"
    echo "      label  : PKCS#11 object label"
    echo "Standalone options:"
    echo "  --pkcs11-slots   : list PKCS#11 slots"
    echo "      lib    : PKCS#11 library"
    echo "  --pkcs11-objects : list PKCS#11 token objects"
    echo "      lib    : PKCS#11 library"
    echo "      slot   : PKCS#11 slot"
    echo "  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!"
    echo "      lib    : PKCS#11 library"
    echo "      slot   : PKCS#11 slot"
    echo "      label  : PKCS#11 token label"
    echo "Notes:"
    need_vars
    echo "  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
    echo "Generated files and corresponding OpenVPN directives:"
    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
    echo "  ca.crt     -> root certificate (--ca)"
    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"
    echo "  .crt files -> client/server certificates (--cert)"
    echo "  .key files -> private keys, keep secure (--key)"
    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"
    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
    echo "Examples:"
    echo "  $PROGNAME --initca          -> Build root certificate"
    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"
    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"
    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"
    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"
    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS#12 format"
    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"
    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"
    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"
    echo "                               Also see ./inherit-inter script."
    echo "  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
    echo "                              -> Build \"client5\" certificate/key in PKCS#11 token"
    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."
    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"
    echo "  [edit vars with your site-specific info]"
    echo "  source ./vars"
    echo "  ./clean-all"
    echo "  ./build-dh     -> takes a long time, consider backgrounding"
    echo "  ./$PROGNAME --initca"
    echo "  ./$PROGNAME --server myserver"
    echo "  ./$PROGNAME client1"
    echo "  ./$PROGNAME --pass client2"
    echo "Typical usage for adding client cert to existing PKI:"
    echo "  source ./vars"
    echo "  ./$PROGNAME client-new"
}

# Set tool defaults
[ -n "$OPENSSL" ] || export OPENSSL="openssl"
[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
[ -n "$GREP" ] || export GREP="grep"

# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"

# Process options
while [ $# -gt 0 ]; do
    case "$1" in
        --keysize  ) KEY_SIZE=$2
		     shift;;
	--server   ) REQ_EXT="$REQ_EXT -extensions server"
	             CA_EXT="$CA_EXT -extensions server" ;;
	--batch    ) BATCH="-batch" ;;
	--interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
	--pass     ) NODES_REQ="" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
	--pkcs11   ) DO_P11="1"
	             PKCS11_MODULE_PATH="$2"
		     PKCS11_SLOT="$3"
		     PKCS11_ID="$4"
		     PKCS11_LABEL="$5"
		     shift 4;;

	# standalone
	--pkcs11-init)
	             PKCS11_MODULE_PATH="$2"
	             PKCS11_SLOT="$3"
	             PKCS11_LABEL="$4"
		     if [ -z "$PKCS11_LABEL" ]; then
		       die "Please specify library name, slot and label"
		     fi
		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
		     	--label "$PKCS11_LABEL" &&
			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
		     exit $?;;
	--pkcs11-slots)
	             PKCS11_MODULE_PATH="$2"
		     if [ -z "$PKCS11_MODULE_PATH" ]; then
		       die "Please specify library name"
		     fi
		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
		     exit 0;;
	--pkcs11-objects)
	             PKCS11_MODULE_PATH="$2"
	             PKCS11_SLOT="$3"
		     if [ -z "$PKCS11_SLOT" ]; then
		       die "Please specify library name and slot"
		     fi
		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
		     exit 0;;

	# errors
	--*        ) die "$PROGNAME: unknown option: $1" ;;
	*          ) break ;;
    esac
    shift   
done

if ! [ -z "$BATCH" ]; then
	if $OPENSSL version | grep 0.9.6 > /dev/null; then
		die "Batch mode is unsupported in openssl<0.9.7"
	fi
fi

if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
	die "PKCS#11 and PKCS#12 cannot be specified together"
fi

if [ $DO_P11 -eq 1 ]; then
	if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
		die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
	fi
fi

# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
    NODES_P12="$NODES_REQ"
    NODES_REQ="-nodes"
fi

if [ $DO_P11 -eq 1 ]; then
	if [ -z "$PKCS11_LABEL" ]; then
		die "PKCS#11 arguments incomplete"
	fi
fi

# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
    KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
    CA_EXPIRE=3650
fi

# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
    KEY_OU=""
fi

# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
    if [ -z "$KEY_CN" ]; then
	if [ "$1" ]; then
	    KEY_CN="$1"
	elif [ "$KEY_ORG" ]; then
	    KEY_CN="$KEY_ORG CA"
	fi
    fi
    if [ $BATCH ] && [ "$KEY_CN" ]; then
	echo "Using CA Common Name:" $KEY_CN
    fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
    echo "Using Common Name:" $KEY_CN
else
    if [ $# -ne 1 ]; then
	usage
	exit 1
    else
	KEY_CN="$1"
    fi
fi

export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN

# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
    echo DO_REQ $DO_REQ
    echo REQ_EXT $REQ_EXT
    echo DO_CA $DO_CA
    echo CA_EXT $CA_EXT
    echo NODES_REQ $NODES_REQ
    echo NODES_P12 $NODES_P12
    echo DO_P12 $DO_P12
    echo KEY_CN $KEY_CN
    echo BATCH $BATCH
    echo DO_ROOT $DO_ROOT
    echo KEY_EXPIRE $KEY_EXPIRE
    echo CA_EXPIRE $CA_EXPIRE
    echo KEY_OU $KEY_OU
    echo DO_P11 $DO_P11
    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
    echo PKCS11_SLOT $PKCS11_SLOT
    echo PKCS11_ID $PKCS11_ID
    echo PKCS11_LABEL $PKCS11_LABEL
fi

# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
    cd "$KEY_DIR"

    # Make sure $KEY_CONFIG points to the correct version
    # of openssl.cnf
    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	:
    else
	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
        echo "version of openssl.cnf: $KEY_CONFIG"
	echo "The correct version should have a comment that says: easy-rsa version 2.x";
	exit 1;
    fi

    # Build root CA
    if [ $DO_ROOT -eq 1 ]; then
	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
	    chmod 0600 "$CA.key"
    else        
        # Make sure CA key/cert is available
	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
		echo "Try $PROGNAME --initca to build a root certificate/key."
		exit 1
	    fi
	fi

	# Generate key for PKCS#11 token
	PKCS11_ARGS=
	if [ $DO_P11 -eq 1 ]; then
	        stty -echo
	        echo -n "User PIN: "
	        read -r PKCS11_PIN
	        stty echo
		export PKCS11_PIN

		echo "Generating key pair on PKCS#11 token..."
		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
			--login --pin "$PKCS11_PIN" \
			--key-type rsa:1024 \
			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
		PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
	fi

        # Build cert/key
	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
	        -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$KEY_CN.key" ) && \
	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )

	# Load certificate into PKCS#11 token
	if [ $DO_P11 -eq 1 ]; then
		$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
			--login --pin "$PKCS11_PIN" \
			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
		[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
	fi

    fi

# Need definitions
else
    need_vars
fi