SHARE
TWEET

Untitled

a guest Sep 11th, 2019 227 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. root@vps727493:~# cat /etc/openvpn/server/easyrsa
  2. #!/bin/sh
  3.  
  4. # Easy-RSA 3 -- A Shell-based CA Utility
  5. #
  6. # Copyright (C) 2018 by the Open-Source OpenVPN development community.
  7. # A full list of contributors can be found in the ChangeLog.
  8. #
  9. # This code released under version 2 of the GNU GPL; see COPYING and the
  10. # Licensing/ directory of this project for full licensing details.
  11.  
  12. # Help/usage output to stdout
  13. usage() {
  14.         # command help:
  15.         print "
  16. Easy-RSA 3 usage and overview
  17.  
  18. USAGE: easyrsa [options] COMMAND [command-options]
  19.  
  20. A list of commands is shown below. To get detailed usage and help for a
  21. command, run:
  22.   ./easyrsa help COMMAND
  23.  
  24. For a listing of options that can be supplied before the command, use:
  25.   ./easyrsa help options
  26.  
  27. Here is the list of commands available with a short syntax reminder. Use the
  28. 'help' command above to get full usage details.
  29.  
  30.   init-pki
  31.   build-ca [ cmd-opts ]
  32.   gen-dh
  33.   gen-req <filename_base> [ cmd-opts ]
  34.   sign-req <type> <filename_base>
  35.   build-client-full <filename_base> [ cmd-opts ]
  36.   build-server-full <filename_base> [ cmd-opts ]
  37.   revoke <filename_base>
  38.   gen-crl
  39.   update-db
  40.   show-req <filename_base> [ cmd-opts ]
  41.   show-cert <filename_base> [ cmd-opts ]
  42.   import-req <request_file_path> <short_basename>
  43.   export-p7 <filename_base> [ cmd-opts ]
  44.   export-p12 <filename_base> [ cmd-opts ]
  45.   set-rsa-pass <filename_base> [ cmd-opts ]
  46.   set-ec-pass <filename_base> [ cmd-opts ]
  47. "
  48.  
  49.         # collect/show dir status:
  50.         err_source="Not defined: vars autodetect failed and no value provided"
  51.         work_dir="${EASYRSA:-$err_source}"
  52.         pki_dir="${EASYRSA_PKI:-$err_source}"
  53.         print "\
  54. DIRECTORY STATUS (commands would take effect on these locations)
  55.   EASYRSA: $work_dir
  56.       PKI: $pki_dir
  57. "
  58. } # => usage()
  59.  
  60. # Detailed command help
  61. # When called with no args, calls usage(), otherwise shows help for a command
  62. cmd_help() {
  63.         text=""
  64.         opts=""
  65.         case "$1" in
  66.                 init-pki|clean-all) text="
  67.   init-pki [ cmd-opts ]
  68.       Removes & re-initializes the PKI dir for a clean PKI" ;;
  69.                 build-ca) text="
  70.   build-ca [ cmd-opts ]
  71.       Creates a new CA"
  72.                         opts="
  73.         nopass  - do not encrypt the CA key (default is encrypted)
  74.         subca   - create a sub-CA keypair and request (default is a root CA)" ;;
  75.                 gen-dh) text="
  76.   gen-dh
  77.       Generates DH (Diffie-Hellman) parameters" ;;
  78.                 gen-req) text="
  79.   gen-req <filename_base> [ cmd-opts ]
  80.       Generate a standalone keypair and request (CSR)
  81.  
  82.       This request is suitable for sending to a remote CA for signing."
  83.                         opts="
  84.         nopass  - do not encrypt the private key (default is encrypted)" ;;
  85.                 sign|sign-req) text="
  86.   sign-req <type> <filename_base>
  87.       Sign a certificate request of the defined type. <type> must be a known
  88.       type such as 'client', 'server', or 'ca' (or a user-added type.)
  89.  
  90.       This request file must exist in the reqs/ dir and have a .req file
  91.       extension. See import-req below for importing reqs from other sources." ;;
  92.                 build|build-client-full|build-server-full) text="
  93.   build-client-full <filename_base> [ cmd-opts ]
  94.   build-server-full <filename_base> [ cmd-opts ]
  95.       Generate a keypair and sign locally for a client or server
  96.  
  97.       This mode uses the <filename_base> as the X509 CN."
  98.                         opts="
  99.         nopass  - do not encrypt the private key (default is encrypted)" ;;
  100.                 revoke) text="
  101.   revoke <filename_base>
  102.       Revoke a certificate specified by the filename_base" ;;
  103.                 gen-crl) text="
  104.   gen-crl
  105.       Generate a CRL" ;;
  106.                 update-db) text="
  107.   update-db
  108.       Update the index.txt database
  109.  
  110.       This command will use the system time to update the status of issued
  111.       certificates." ;;
  112.                 show-req|show-cert) text="
  113.   show-req  <filename_base> [ cmd-opts ]
  114.   show-cert <filename_base> [ cmd-opts ]
  115.       Shows details of the req or cert referenced by filename_base
  116.  
  117.       Human-readable output is shown, including any requested cert options when
  118.       showing a request."
  119.                         opts="
  120.           full   - show full req/cert info, including pubkey/sig data" ;;
  121.                 import-req) text="
  122.   import-req <request_file_path> <short_basename>
  123.       Import a certificate request from a file
  124.  
  125.       This will copy the specified file into the reqs/ dir in
  126.       preparation for signing.
  127.       The <short_basename> is the filename base to create.
  128.  
  129.       Example usage:
  130.         import-req /some/where/bob_request.req bob" ;;
  131.                 export-p12) text="
  132.   export-p12 <filename_base> [ cmd-opts ]
  133.       Export a PKCS#12 file with the keypair specified by <filename_base>"
  134.                         opts="
  135.         noca  - do not include the ca.crt file in the PKCS12 output
  136.         nokey - do not include the private key in the PKCS12 output" ;;
  137.                 export-p7) text="
  138.   export-p7 <filename_base> [ cmd-opts ]
  139.       Export a PKCS#7 file with the pubkey specified by <filename_base>"
  140.                         opts="
  141.         noca  - do not include the ca.crt file in the PKCS7 output" ;;
  142.                 set-rsa-pass|set-ec-pass) text="
  143.   set-rsa-pass <filename_base> [ cmd-opts ]
  144.   set-ec-pass <filename_base> [ cmd-opts ]
  145.       Set a new passphrase on an RSA or EC key for the listed <filename_base>."
  146.                         opts="
  147.         nopass - use no password and leave the key unencrypted
  148.         file   - (advanced) treat the file as a raw path, not a short-name" ;;
  149.                 altname|subjectaltname|san) text="
  150.   --subject-alt-name=SAN_FORMAT_STRING
  151.       This global option adds a subjectAltName to the request or issued
  152.       certificate. It MUST be in a valid format accepted by openssl or
  153.       req/cert generation will fail. Note that including multiple such names
  154.       requires them to be comma-separated; further invocations of this
  155.       option will REPLACE the value.
  156.  
  157.       Examples of the SAN_FORMAT_STRING shown below:
  158.         DNS:alternate.example.net
  159.         DNS:primary.example.net,DNS:alternate.example.net
  160.         IP:203.0.113.29
  161.         email:alternate@example.net" ;;
  162.                 options)
  163.                         opt_usage ;;
  164.                 "")
  165.                         usage ;;
  166.                 *) text="
  167.   Unknown command: '$1' (try without commands for a list of commands)" ;;
  168.         esac
  169.  
  170.         # display the help text
  171.         print "$text"
  172.         [ -n "$opts" ] && print "
  173.       cmd-opts is an optional set of command options from this list:
  174. $opts"
  175. } # => cmd_help()
  176.  
  177. # Options usage
  178. opt_usage() {
  179.         print "
  180. Easy-RSA Global Option Flags
  181.  
  182. The following options may be provided before the command. Options specified
  183. at runtime override env-vars and any 'vars' file in use. Unless noted,
  184. non-empty values to options are mandatory.
  185.  
  186. General options:
  187.  
  188. --batch         : set automatic (no-prompts when possible) mode
  189. --pki-dir=DIR   : declares the PKI directory
  190. --vars=FILE     : define a specific 'vars' file to use for Easy-RSA config
  191.  
  192. Certificate & Request options: (these impact cert/req field values)
  193.  
  194. --days=#        : sets the signing validity to the specified number of days
  195. --digest=ALG    : digest to use in the requests & certificates
  196. --dn-mode=MODE  : DN mode to use (cn_only or org)
  197. --keysize=#     : size in bits of keypair to generate
  198. --req-cn=NAME   : default CN to use
  199. --subca-len=#   : path length of signed sub-CA certs; must be >= 0 if used
  200. --subject-alt-name : Add a subjectAltName. For more info and syntax, see:
  201.                      ./easyrsa help altname
  202. --use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
  203. --curve=NAME    : for elliptic curve, sets the named curve to use
  204. --copy-ext      : Copy included request X509 extensions (namely subjAltName
  205.  
  206. Organizational DN options: (only used with the 'org' DN mode)
  207.   (values may be blank for org DN options)
  208.  
  209. --req-c=CC        : country code (2-letters)
  210. --req-st=NAME     : State/Province
  211. --req-city=NAME   : City/Locality
  212. --req-org=NAME    : Organization
  213. --req-email=NAME  : Email addresses
  214. --req-ou=NAME     : Organizational Unit
  215.  
  216. Deprecated features:
  217.  
  218. --ns-cert=YESNO       : yes or no to including deprecated NS extensions
  219. --ns-comment=COMMENT  : NS comment to include (value may be blank)
  220. "
  221. } # => opt_usage()
  222.  
  223. # Wrapper around printf - clobber print since it's not POSIX anyway
  224. # shellcheck disable=SC1117
  225. print() { printf "%s\n" "$*"; }
  226.  
  227. # Exit fatally with a message to stderr
  228. # present even with EASYRSA_BATCH as these are fatal problems
  229. die() {
  230.         print "
  231. Easy-RSA error:
  232.  
  233. $1" 1>&2
  234.         exit "${2:-1}"
  235. } # => die()
  236.  
  237. # non-fatal warning output
  238. warn() {
  239.         [ ! "$EASYRSA_BATCH" ] && \
  240.                 print "
  241. $1" 1>&2
  242. } # => warn()
  243.  
  244. # informational notices to stdout
  245. notice() {
  246.         [ ! "$EASYRSA_BATCH" ] && \
  247.                 print "
  248. $1"
  249. } # => notice()
  250.  
  251. # yes/no case-insensitive match (operates on stdin pipe)
  252. # Returns 0 when input contains yes, 1 for no, 2 for no match
  253. # If both strings are present, returns 1; first matching line returns.
  254. awk_yesno() {
  255.         #shellcheck disable=SC2016
  256.         awkscript='
  257. BEGIN {IGNORECASE=1; r=2}
  258. {       if(match($0,"no")) {r=1; exit}
  259.         if(match($0,"yes")) {r=0; exit}
  260. } END {exit r}'
  261.         awk "$awkscript"
  262. } # => awk_yesno()
  263.  
  264. # intent confirmation helper func
  265. # returns without prompting in EASYRSA_BATCH
  266. confirm() {
  267.         [ "$EASYRSA_BATCH" ] && return
  268.         prompt="$1"
  269.         value="$2"
  270.         msg="$3"
  271.         input=""
  272.         print "
  273. $msg
  274.  
  275. Type the word '$value' to continue, or any other input to abort."
  276.         printf %s "  $prompt"
  277.         #shellcheck disable=SC2162
  278.         read input
  279.         [ "$input" = "$value" ] && return
  280.         notice "Aborting without confirmation."
  281.         exit 9
  282. } # => confirm()
  283.  
  284. # remove temp files
  285. clean_temp() {
  286.         for f in "$EASYRSA_TEMP_CONF" "$EASYRSA_TEMP_EXT" "$EASYRSA_TEMP_FILE_2"                                                                                                              "$EASYRSA_TEMP_FILE_3"
  287.         do      [ -f "$f" ] && rm "$f" 2>/dev/null
  288.         done
  289. } # => clean_temp()
  290.  
  291. # Make LibreSSL safe config file from OpenSSL config file
  292. make_ssl_config() {
  293. sed     -e "s,ENV::,,g" \
  294.         -e "s,\$dir,$EASYRSA_PKI,g" \
  295.         -e "s,\$EASYRSA_PKI,$EASYRSA_PKI,g" \
  296.         -e "s,\$EASYRSA_CERT_EXPIRE,$EASYRSA_CERT_EXPIRE,g" \
  297.         -e "s,\$EASYRSA_CRL_DAYS,$EASYRSA_CRL_DAYS,g" \
  298.         -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
  299.         -e "s,\$EASYRSA_KEY_SIZE,$EASYRSA_KEY_SIZE,g" \
  300.         -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
  301.         -e "s,\$EASYRSA_DN,$EASYRSA_DN,g" \
  302.         -e "s,\$EASYRSA_REQ_COUNTRY,$EASYRSA_REQ_COUNTRY,g" \
  303.         -e "s,\$EASYRSA_REQ_PROVINCE,$EASYRSA_REQ_PROVINCE,g" \
  304.         -e "s,\$EASYRSA_REQ_CITY,$EASYRSA_REQ_CITY,g" \
  305.         -e "s,\$EASYRSA_REQ_ORG,$EASYRSA_REQ_ORG,g" \
  306.         -e "s,\$EASYRSA_REQ_OU,$EASYRSA_REQ_OU,g" \
  307.         -e "s,\$EASYRSA_REQ_CN,$EASYRSA_REQ_CN,g" \
  308.         -e "s,\$EASYRSA_REQ_EMAIL,$EASYRSA_REQ_EMAIL,g" \
  309.         "$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\
  310. Failed to update $EASYRSA_SAFE_CONF"
  311. } # => make_ssl_config()
  312.  
  313. vars_source_check() {
  314.         # Check for defined EASYRSA_PKI
  315.         [ -n "$EASYRSA_PKI" ] || die "\
  316. EASYRSA_PKI env-var undefined"
  317.  
  318.         # make safessl-easyrsa.cnf
  319.         make_ssl_config
  320.  
  321.         # Verify EASYRSA_OPENSSL command gives expected output
  322.         if [ -z "$EASYRSA_SSL_OK" ]; then
  323.                 val="$("$EASYRSA_OPENSSL" version)"
  324.                 case "${val%% *}" in
  325.                         OpenSSL|LibreSSL)
  326.                                 notice "\
  327. Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;;
  328.                         *) die "\
  329. Missing or invalid OpenSSL
  330. Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
  331.                 esac
  332.         fi
  333.         EASYRSA_SSL_OK=1
  334.  
  335.         # Verify EASYRSA_SSL_CONF file exists
  336.         [ -f "$EASYRSA_SSL_CONF" ] || die "\
  337. The OpenSSL config file cannot be found.
  338. Expected location: $EASYRSA_SSL_CONF"
  339. } # => vars_source_check()
  340.  
  341. # Verify supplied curve exists and generate curve file if needed
  342. verify_curve() {
  343.         if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
  344.                 die "\
  345. Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
  346. list of supported curves."
  347.         fi
  348.  
  349.         # Check that the ecparams dir exists
  350.         [ -d "$EASYRSA_EC_DIR" ] || mkdir "$EASYRSA_EC_DIR" || die "\
  351. Failed creating ecparams dir (permissions?) at:
  352. $EASYRSA_EC_DIR"
  353.  
  354.         # Check that the required ecparams file exists
  355.         out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
  356.         [ -f "$out" ] && return 0
  357.         "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" || die "\
  358. Failed to generate ecparam file (permissions?) when writing to:
  359. $out"
  360.  
  361.         # Explicitly return success for caller
  362.         return 0
  363. }
  364.  
  365. # Basic sanity-check of PKI init and complain if missing
  366. verify_pki_init() {
  367.         help_note="Run easyrsa without commands for usage and command help."
  368.  
  369.         # check that the pki dir exists
  370.         vars_source_check
  371.         [ -d "$EASYRSA_PKI" ] || die "\
  372. EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
  373. Expected to find the EASYRSA_PKI at: $EASYRSA_PKI
  374. $help_note"
  375.  
  376.         # verify expected dirs present:
  377.         for i in private reqs; do
  378.                 [ -d "$EASYRSA_PKI/$i" ] || die "\
  379. Missing expected directory: $i (perhaps you need to run init-pki?)
  380. $help_note"
  381.         done
  382. } # => verify_pki_init()
  383.  
  384. # Verify core CA files present
  385. verify_ca_init() {
  386.         help_note="Run without commands for usage and command help."
  387.  
  388.         # First check the PKI has been initialized
  389.         verify_pki_init
  390.  
  391.         # verify expected files present:
  392.         for i in serial index.txt ca.crt private/ca.key; do
  393.                 if [ ! -f "$EASYRSA_PKI/$i" ]; then
  394.                         [ "$1" = "test" ] && return 1
  395.                         die "\
  396. Missing expected CA file: $i (perhaps you need to run build-ca?)
  397. $help_note"
  398.                 fi
  399.         done
  400.  
  401.         # When operating in 'test' mode, return success.
  402.         # test callers don't care about CA-specific dir structure
  403.         [ "$1" = "test" ] && return 0
  404.  
  405.         # verify expected CA-specific dirs:
  406.         for i in issued certs_by_serial; do
  407.                 [ -d "$EASYRSA_PKI/$i" ] || die "\
  408. Missing expected CA dir: $i (perhaps you need to run build-ca?)
  409. $help_note"
  410.         done
  411.  
  412.         # explicitly return success for callers
  413.         return 0
  414.  
  415. } # => verify_ca_init()
  416.  
  417. # init-pki backend:
  418. init_pki() {
  419.         vars_source_check
  420.  
  421.         # If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_B                                                                                                             ATCH)
  422.         if [ -e "$EASYRSA_PKI" ]; then
  423.                 confirm "Confirm removal: " "yes" "
  424. WARNING!!!
  425.  
  426. You are about to remove the EASYRSA_PKI at: $EASYRSA_PKI
  427. and initialize a fresh PKI here."
  428.                 # now remove it:
  429.                 rm -rf "$EASYRSA_PKI" || die "Removal of PKI dir failed. Check/c                                                                                                             orrect errors above"
  430.         fi
  431.  
  432.         # new dirs:
  433.         for i in private reqs; do
  434.                 mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file str                                                                                                             ucture (permissions?)"
  435.         done
  436.  
  437.         notice "\
  438. init-pki complete; you may now create a CA or requests.
  439. Your newly created PKI dir is: $EASYRSA_PKI
  440. "
  441.         return 0
  442. } # => init_pki()
  443.  
  444. # build-ca backend:
  445. build_ca() {
  446.         opts=""
  447.         sub_ca=""
  448.         nopass=""
  449.         crypto="-aes256"
  450.         crypto_opts=""
  451.         while [ -n "$1" ]; do
  452.                 case "$1" in
  453.                         subca) sub_ca=1 ;;
  454.                         nopass) nopass=1 ;;
  455.                         *) warn "Ignoring unknown command option: '$1'" ;;
  456.                 esac
  457.                 shift
  458.         done
  459.  
  460.         verify_pki_init
  461.         [ "$EASYRSA_ALGO" = "ec" ] && verify_curve
  462.  
  463.         # setup for the simpler sub-CA situation and overwrite with root-CA if n                                                                                                             eeded:
  464.         out_file="$EASYRSA_PKI/reqs/ca.req"
  465.         out_key="$EASYRSA_PKI/private/ca.key"
  466.         if [ ! $sub_ca ]; then
  467.                 out_file="$EASYRSA_PKI/ca.crt"
  468.                 opts="$opts -x509 -days $EASYRSA_CA_EXPIRE "
  469.         fi
  470.  
  471.         # Test for existing CA, and complain if already present
  472.         if verify_ca_init test; then
  473.                 die "\
  474. Unable to create a CA as you already seem to have one set up.
  475. If you intended to start a new CA, run init-pki first."
  476.         fi
  477.         # If a private key exists here, a sub-ca was created but not signed.
  478.         # Notify the user and require a signed ca.crt or a init-pki:
  479.         [ -f "$out_key" ] && \
  480.                 die "\
  481. A CA private key exists but no ca.crt is found in your PKI dir of:
  482. $EASYRSA_PKI
  483. Refusing to create a new CA keypair as this operation would overwrite your
  484. current CA keypair. If you intended to start a new CA, run init-pki first."
  485.  
  486.         # create necessary files and dirs:
  487.         err_file="Unable to create necessary PKI files (permissions?)"
  488.         for i in issued certs_by_serial; do
  489.                 mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
  490.         done
  491.         printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
  492.         print "01" > "$EASYRSA_PKI/serial" || die "$err_file"
  493.  
  494.         # Default CN only when not in global EASYRSA_BATCH mode:
  495.         # shellcheck disable=SC2015
  496.         [ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Ea                                                                                                             sy-RSA CA"
  497.  
  498.         out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out                                                                                                             _key_tmp"
  499.         out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$o                                                                                                             ut_file_tmp"
  500.         # Get password from user if necessary
  501.         if [ ! $nopass ]; then
  502.                 out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_3="$out_key_pass                                                                                                             _tmp"
  503.                 printf "Enter New CA Key Passphrase: "
  504.                 stty -echo
  505.                 read -r kpass
  506.                 stty echo
  507.                 echo
  508.                 printf "Re-Enter New CA Key Passphrase: "
  509.                 stty -echo
  510.                 read -r kpass2
  511.                 stty echo
  512.                 echo
  513.                 if [ "$kpass" = "$kpass2" ];
  514.                 then
  515.                         printf "%s" "$kpass" > "$out_key_pass_tmp"
  516.                 else
  517.                         die "Passphrases do not match."
  518.                 fi
  519.         fi
  520.  
  521.         # create the CA key using AES256
  522.         [ ! $nopass ] && crypto_opts="$crypto -passout file:$out_key_pass_tmp"
  523.         if [ "$EASYRSA_ALGO" = "rsa" ]; then
  524.                 #shellcheck disable=SC2086
  525.                 "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts "$EAS                                                                                                             YRSA_ALGO_PARAMS"
  526.         elif [ "$EASYRSA_ALGO" = "ec" ]; then
  527.                 #shellcheck disable=SC2086
  528.                 "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey |                                                                                                              \
  529.                         "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
  530.         fi
  531.  
  532.         # make safessl-easyrsa.cnf
  533.         make_ssl_config
  534.  
  535.         # create the CA keypair:
  536.         [ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
  537.         #shellcheck disable=SC2086
  538.         "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
  539.                 -config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_f                                                                                                             ile_tmp" $crypto_opts $opts || \
  540.                 die "Failed to build the CA"
  541.  
  542.         mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
  543.         mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
  544.         [ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"
  545.  
  546.         # Success messages
  547.         if [ $sub_ca ]; then
  548.                 notice "\
  549. NOTE: Your sub-CA request is at $out_file
  550. and now must be sent to you parent CA for signing. Place your resulting cert
  551. at $EASYRSA_PKI/ca.crt prior to signing operations.
  552. "
  553.         else    notice "\
  554. CA creation complete and you may now import and sign cert requests.
  555. Your new CA certificate file for publishing is at:
  556. $out_file
  557. "
  558.         fi
  559.         return 0
  560. } # => build_ca()
  561.  
  562. # gen-dh backend:
  563. gen_dh() {
  564.         verify_pki_init
  565.  
  566.         out_file="$EASYRSA_PKI/dh.pem"
  567.         "$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
  568.                 die "Failed to build DH params"
  569.         notice "\
  570. DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
  571. "
  572.         return 0
  573. } # => gen_dh()
  574.  
  575. # gen-req backend:
  576. gen_req() {
  577.         # pull filename base and use as default interactive CommonName:
  578.         [ -n "$1" ] || die "\
  579. Error: gen-req must have a file base as the first argument.
  580. Run easyrsa without commands for usage and commands."
  581.         key_out="$EASYRSA_PKI/private/$1.key"
  582.         req_out="$EASYRSA_PKI/reqs/$1.req"
  583.         [ ! "$EASYRSA_BATCH" ] && EASYRSA_REQ_CN="$1"
  584.         shift
  585.  
  586.         # function opts support
  587.         opts=
  588.         while [ -n "$1" ]; do
  589.                 case "$1" in
  590.                         nopass) opts="$opts -nodes" ;;
  591.                         # batch flag supports internal callers needing silent op                                                                                                             eration
  592.                         batch) EASYRSA_BATCH=1 ;;
  593.                         *) warn "Ignoring unknown command option: '$1'" ;;
  594.                 esac
  595.                 shift
  596.         done
  597.  
  598.         verify_pki_init
  599.         [ "$EASYRSA_ALGO" = "ec" ] && verify_curve
  600.  
  601.         # don't wipe out an existing private key without confirmation
  602.         [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\
  603.  
  604. WARNING!!!
  605.  
  606. An existing private key was found at $key_out
  607. Continuing with key generation will replace this key."
  608.  
  609.         # When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] secti                                                                                                             on:
  610.         if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
  611.                 # Setup & insert the extra ext data keyed by a magic line
  612.                 extra_exts="
  613. req_extensions = req_extra
  614. [ req_extra ]
  615. $EASYRSA_EXTRA_EXTS"
  616.                 #shellcheck disable=SC2016
  617.                 awkscript='
  618. {if ( match($0, "^#%EXTRA_EXTS%") )
  619.         { while ( getline<"/dev/stdin" ) {print} next }
  620.  {print}
  621. }'
  622.                 print "$extra_exts" | \
  623.                         awk "$awkscript" "$EASYRSA_SSL_CONF" \
  624.                         > "$EASYRSA_TEMP_CONF" \
  625.                         || die "Copying SSL config to temp file failed"
  626.                 # Use this new SSL config for the rest of this function
  627.                 EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF"
  628.         fi
  629.  
  630.         # make safessl-easyrsa.cnf
  631.         make_ssl_config
  632.  
  633.         key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key                                                                                                             _out_tmp"
  634.         req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req                                                                                                             _out_tmp"
  635.         # generate request
  636.         [ $EASYRSA_BATCH ] && opts="$opts -batch"
  637.         # shellcheck disable=SC2086
  638.         "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO                                                                                                             _PARAMS" \
  639.                 -config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_o                                                                                                             ut_tmp" $opts \
  640.                 || die "Failed to generate request"
  641.         mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
  642.         mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3=
  643.         notice "\
  644. Keypair and certificate request completed. Your files are:
  645. req: $req_out
  646. key: $key_out
  647. "
  648.         return 0
  649. } # => gen_req()
  650.  
  651. # common signing backend
  652. sign_req() {
  653.         crt_type="$1"
  654.         opts=""
  655.         req_in="$EASYRSA_PKI/reqs/$2.req"
  656.         crt_out="$EASYRSA_PKI/issued/$2.crt"
  657.  
  658.         # Randomize Serial number
  659.         i=""
  660.         serial=""
  661.         check_serial=""
  662.         for i in 1 2 3 4 5; do
  663.                 "$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16
  664.                 serial="$(cat "$EASYRSA_PKI/serial")"
  665.                 check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF                                                                                                             " -status "$serial" 2>&1)"
  666.                 case "$check_serial" in
  667.                         *"not present in db"*) break ;;
  668.                         *) continue ;;
  669.                 esac
  670.         done
  671.  
  672.         # Support batch by internal caller:
  673.         [ "$3" = "batch" ] && EASYRSA_BATCH=1
  674.  
  675.         verify_ca_init
  676.  
  677.         # Check argument sanity:
  678.         [ -n "$2" ] || die "\
  679. Incorrect number of arguments provided to sign-req:
  680. expected 2, got $# (see command help for usage)"
  681.  
  682.         # Cert type must exist under the EASYRSA_EXT_DIR
  683.         [ -r "$EASYRSA_EXT_DIR/$crt_type" ] || die "\
  684. Unknown cert type '$crt_type'"
  685.  
  686.         # Request file must exist
  687.         [ -f "$req_in" ] || die "\
  688. No request found for the input: '$2'
  689. Expected to find the request at: $req_in"
  690.  
  691.         # Confirm input is a cert req
  692.         verify_file req "$req_in" || die "\
  693. The certificate request file is not in a valid X509 request format.
  694. Offending file: $req_in"
  695.  
  696.         # Display the request subject in an easy-to-read format
  697.         # Confirm the user wishes to sign this request
  698.         confirm "Confirm request details: " "yes" "
  699. You are about to sign the following certificate.
  700. Please check over the details shown below for accuracy. Note that this request
  701. has not been cryptographically verified. Please be sure it came from a trusted
  702. source or that you have verified the request checksum with the sender.
  703.  
  704. Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIR                                                                                                             E days:
  705.  
  706. $(display_dn req "$req_in")
  707. "       # => confirm end
  708.  
  709.         # Generate the extensions file for this cert:
  710.         {
  711.                 # Append first any COMMON file (if present) then the cert-type e                                                                                                             xtensions
  712.                 cat "$EASYRSA_EXT_DIR/COMMON"
  713.                 cat "$EASYRSA_EXT_DIR/$crt_type"
  714.                 # copy req extensions
  715.                 [ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy"
  716.  
  717.                 # Support a dynamic CA path length when present:
  718.                 [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
  719.                         print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBC                                                                                                             A_LEN"
  720.  
  721.                 # Deprecated Netscape extension support, if enabled
  722.                 if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
  723.                         [ -n "$EASYRSA_NS_COMMENT" ] && \
  724.                                 print "nsComment = \"$EASYRSA_NS_COMMENT\""
  725.                         case "$crt_type" in
  726.                                 server) print "nsCertType = server" ;;
  727.                                 client) print "nsCertType = client" ;;
  728.                                 ca)     print "nsCertType = sslCA" ;;
  729.                         esac
  730.                 fi
  731.  
  732.                 # If type is server and no subjectAltName was requested,
  733.                 # add one to the extensions file
  734.                 if [ "$crt_type" = 'server' ];
  735.                 then
  736.                         echo "$EASYRSA_EXTRA_EXTS" |
  737.                                 grep -q subjectAltName ||
  738.                                 default_server_san "$req_in"
  739.                 fi
  740.  
  741.                 # Add any advanced extensions supplied by env-var:
  742.                 [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
  743.  
  744.                 : # needed to keep die from inherting the above test
  745.         } > "$EASYRSA_TEMP_EXT" || die "\
  746. Failed to create temp extension file (bad permissions?) at:
  747. $EASYRSA_TEMP_EXT"
  748.  
  749.         # make safessl-easyrsa.cnf
  750.         make_ssl_config
  751.  
  752.         # sign request
  753.         # shellcheck disable=SC2086
  754.         crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt                                                                                                             _out_tmp"
  755.         "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$                                                                                                             EASYRSA_SAFE_CONF" \
  756.                 -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch                                                                                                              $opts \
  757.                 || die "signing failed (openssl output above may have more detai                                                                                                             l)"
  758.         mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
  759.         notice "\
  760. Certificate created at: $crt_out
  761. "
  762.         return 0
  763. } # => sign_req()
  764.  
  765. # common build backend
  766. # used to generate+sign in 1 step
  767. build_full() {
  768.         verify_ca_init
  769.  
  770.         # pull filename base:
  771.         [ -n "$2" ] || die "\
  772. Error: didn't find a file base name as the first argument.
  773. Run easyrsa without commands for usage and commands."
  774.         crt_type="$1" name="$2"
  775.         req_out="$EASYRSA_PKI/reqs/$2.req"
  776.         key_out="$EASYRSA_PKI/private/$2.key"
  777.         crt_out="$EASYRSA_PKI/issued/$2.crt"
  778.         shift 2
  779.  
  780.         # function opts support
  781.         req_opts=
  782.         while [ -n "$1" ]; do
  783.                 case "$1" in
  784.                         nopass) req_opts="$req_opts nopass" ;;
  785.                         *) warn "Ignoring unknown command option: '$1'" ;;
  786.                 esac
  787.                 shift
  788.         done
  789.  
  790.         # abort on existing req/key/crt files
  791.         err_exists="\
  792. file already exists. Aborting build to avoid overwriting this file.
  793. If you wish to continue, please use a different name or remove the file.
  794. Matching file found at: "
  795.         [ -f "$req_out" ] && die "Request $err_exists $req_out"
  796.         [ -f "$key_out" ] && die "Key $err_exists $key_out"
  797.         [ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"
  798.  
  799.         # create request
  800.         EASYRSA_REQ_CN="$name"
  801.         #shellcheck disable=SC2086
  802.         gen_req "$name" batch $req_opts
  803.  
  804.         # Sign it
  805.         sign_req "$crt_type" "$name" batch
  806.  
  807. } # => build_full()
  808.  
  809. # revoke backend
  810. revoke() {
  811.         verify_ca_init
  812.  
  813.         # pull filename base:
  814.         [ -n "$1" ] || die "\
  815. Error: didn't find a file base name as the first argument.
  816. Run easyrsa without commands for usage and command help."
  817.         crt_in="$EASYRSA_PKI/issued/$1.crt"
  818.  
  819.         verify_file x509 "$crt_in" || die "\
  820. Unable to revoke as the input file is not a valid certificate. Unexpected
  821. input in file: $crt_in"
  822.  
  823.         # confirm operation by displaying DN:
  824.         confirm "Continue with revocation: " "yes" "
  825. Please confirm you wish to revoke the certificate with the following subject:
  826.  
  827. $(display_dn x509 "$crt_in")
  828. "       # => confirm end
  829.  
  830.         # referenced cert must exist:
  831.         [ -f "$crt_in" ] || die "\
  832. Unable to revoke as no certificate was found. Certificate was expected
  833. at: $crt_in"
  834.  
  835.         # make safessl-easyrsa.cnf
  836.         make_ssl_config
  837.  
  838.         "$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CON                                                                                                             F" || die "\
  839. Failed to revoke certificate: revocation command failed."
  840.  
  841.         notice "\
  842. IMPORTANT!!!
  843.  
  844. Revocation was successful. You must run gen-crl and upload a CRL to your
  845. infrastructure in order to prevent the revoked cert from being accepted.
  846. "       # => notice end
  847.         return 0
  848. } #= revoke()
  849.  
  850. # gen-crl backend
  851. gen_crl() {
  852.         verify_ca_init
  853.  
  854.         # make safessl-easyrsa.cnf
  855.         make_ssl_config
  856.  
  857.         out_file="$EASYRSA_PKI/crl.pem"
  858.         out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$o                                                                                                             ut_file_tmp"
  859.         "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYR                                                                                                             SA_SAFE_CONF" || die "\
  860. CRL Generation failed.
  861. "
  862.         mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
  863.  
  864.         notice "\
  865. An updated CRL has been created.
  866. CRL file: $out_file
  867. "
  868.         return 0
  869. } # => gen_crl()
  870.  
  871. # import-req backend
  872. import_req() {
  873.         verify_pki_init
  874.  
  875.         # pull passed paths
  876.         in_req="$1" short_name="$2"
  877.         out_req="$EASYRSA_PKI/reqs/$2.req"
  878.  
  879.         [ -n "$short_name" ] || die "\
  880. Unable to import: incorrect command syntax.
  881. Run easyrsa without commands for usage and command help."
  882.  
  883.         verify_file req "$in_req" || die "\
  884. The input file does not appear to be a certificate request. Aborting import.
  885. Offending file: $in_req"
  886.  
  887.         # destination must not exist
  888.         [ -f "$out_req" ] && die "\
  889. Unable to import the request as the destination file already exists.
  890. Please choose a different name for your imported request file.
  891. Existing file at: $out_req"
  892.  
  893.         # now import it
  894.         cp "$in_req" "$out_req"
  895.  
  896.         notice "\
  897. The request has been successfully imported with a short name of: $short_name
  898. You may now use this name to perform signing operations on this request.
  899. "
  900.         return 0
  901. } # => import_req()
  902.  
  903. # export pkcs#12 or pkcs#7
  904. export_pkcs() {
  905.         pkcs_type="$1"
  906.         shift
  907.  
  908.         [ -n "$1" ] || die "\
  909. Unable to export p12: incorrect command syntax.
  910. Run easyrsa without commands for usage and command help."
  911.  
  912.         short_name="$1"
  913.         crt_in="$EASYRSA_PKI/issued/$1.crt"
  914.         key_in="$EASYRSA_PKI/private/$1.key"
  915.         crt_ca="$EASYRSA_PKI/ca.crt"
  916.         shift
  917.  
  918.         verify_pki_init
  919.  
  920.         # opts support
  921.         want_ca=1
  922.         want_key=1
  923.         while [ -n "$1" ]; do
  924.                 case "$1" in
  925.                         noca) want_ca= ;;
  926.                         nokey) want_key= ;;
  927.                         *) warn "Ignoring unknown command option: '$1'" ;;
  928.                 esac
  929.                 shift
  930.         done
  931.  
  932.         pkcs_opts=
  933.         if [ $want_ca ]; then
  934.                 verify_file x509 "$crt_ca" || die "\
  935. Unable to include CA cert in the $pkcs_type output (missing file, or use noca op                                                                                                             tion.)
  936. Missing file expected at: $crt_ca"
  937.                 pkcs_opts="$pkcs_opts -certfile $crt_ca"
  938.         fi
  939.  
  940.         # input files must exist
  941.         verify_file x509 "$crt_in" || die "\
  942. Unable to export $pkcs_type for short name '$short_name' without the certificate                                                                                                             .
  943. Missing cert expected at: $crt_in"
  944.  
  945.         case "$pkcs_type" in
  946.         p12)
  947.                 pkcs_out="$EASYRSA_PKI/private/$short_name.p12"
  948.  
  949.                 if [ $want_key ]; then
  950.                         [ -f "$key_in" ] || die "\
  951. Unable to export p12 for short name '$short_name' without the key
  952. (if you want a p12 without the private key, use nokey option.)
  953. Missing key expected at: $key_in"
  954.                 else
  955.                         pkcs_opts="$pkcs_opts -nokeys"
  956.                 fi
  957.  
  958.                 # export the p12:
  959.                 # shellcheck disable=SC2086
  960.                 "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export                                                                                                              \
  961.                         -out "$pkcs_out" $pkcs_opts || die "\
  962. Export of p12 failed: see above for related openssl errors."
  963.         ;;
  964.         p7)
  965.                 pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"
  966.  
  967.                 # export the p7:
  968.                 # shellcheck disable=SC2086
  969.                 "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
  970.                         -out "$pkcs_out" $pkcs_opts || die "\
  971. Export of p7 failed: see above for related openssl errors."
  972.         ;;
  973. esac
  974.  
  975.         notice "\
  976. Successful export of $pkcs_type file. Your exported file is at the following
  977. location: $pkcs_out
  978. "
  979.         return 0
  980. } # => export_pkcs()
  981.  
  982. # set-pass backend
  983. set_pass() {
  984.         verify_pki_init
  985.  
  986.         # key type, supplied internally from frontend command call (rsa/ec)
  987.         key_type="$1"
  988.  
  989.         # values supplied by the user:
  990.         raw_file="$2"
  991.         file="$EASYRSA_PKI/private/$raw_file.key"
  992.         [ -n "$raw_file" ] || die "\
  993. Missing argument to 'set-$key_type-pass' command: no name/file supplied.
  994. See help output for usage details."
  995.  
  996.         # parse command options
  997.         shift 2
  998.         crypto="-aes256"
  999.         while [ -n "$1" ]; do
  1000.                 case "$1" in
  1001.                         nopass) crypto= ;;
  1002.                         file)   file="$raw_file" ;;
  1003.                         *)      warn "Ignoring unknown command option: '$1'" ;;
  1004.                 esac
  1005.                 shift
  1006.         done
  1007.  
  1008.         [ -f "$file" ] || die "\
  1009. Missing private key: expected to find the private key component at:
  1010. $file"
  1011.  
  1012.         notice "\
  1013. If the key is currently encrypted you must supply the decryption passphrase.
  1014. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
  1015.  
  1016.         "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" $crypto || die "                                                                                                             \
  1017. Failed to change the private key passphrase. See above for possible openssl
  1018. error messages."
  1019.  
  1020.         notice "Key passphrase successfully changed"
  1021.  
  1022. } # => set_pass()
  1023.  
  1024. # update-db backend
  1025. update_db() {
  1026.         verify_ca_init
  1027.  
  1028.         "$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die                                                                                                              "\
  1029. Failed to perform update-db: see above for related openssl errors."
  1030.         return 0
  1031. } # => update_db()
  1032.  
  1033. # display cert DN info on a req/X509, passed by full pathname
  1034. display_dn() {
  1035.         format="$1" path="$2"
  1036.         print "$("$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject -nameo                                                                                                             pt multiline)"
  1037. } # => display_dn()
  1038.  
  1039. # generate default SAN from req/X509, passed by full pathname
  1040. default_server_san() {
  1041.         path="$1"
  1042.         cn=$(
  1043.                 "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_                                                                                                             multiline |
  1044.                 awk -F'=' '/^  *CN=/{print $2}'
  1045.                 )
  1046.         echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
  1047.         #shellcheck disable=SC2181
  1048.         if [ $? -eq 0 ]; then
  1049.                 print "subjectAltName = IP:$cn"
  1050.         else
  1051.                 print "subjectAltName = DNS:$cn"
  1052.         fi
  1053. } # => default_server_san()
  1054.  
  1055. # verify a file seems to be a valid req/X509
  1056. verify_file() {
  1057.         format="$1"
  1058.         path="$2"
  1059.         "$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null || return 1
  1060.         return 0
  1061. } # => verify_file()
  1062.  
  1063. # show-* command backend
  1064. # Prints req/cert details in a readable format
  1065. show() {
  1066.         type="$1"
  1067.         name="$2"
  1068.         in_file=""
  1069.         format=""
  1070.         [ -n "$name" ] || die "\
  1071. Missing expected filename_base argument.
  1072. Run easyrsa without commands for usage help."
  1073.         shift 2
  1074.  
  1075.         # opts support
  1076.         opts="-${type}opt no_pubkey,no_sigdump"
  1077.         while [ -n "$1" ]; do
  1078.                 case "$1" in
  1079.                         full)
  1080.                                 opts=""
  1081.                                 ;;
  1082.                         *)
  1083.                                 warn "Ignoring unknown command option: '$1'"
  1084.                                 ;;
  1085.                 esac
  1086.                 shift
  1087.         done
  1088.  
  1089.         # Determine cert/req type
  1090.         if [ "$type" = "cert" ]; then
  1091.                 verify_ca_init
  1092.                 in_file="$EASYRSA_PKI/issued/${name}.crt"
  1093.                 format="x509"
  1094.         else
  1095.                 verify_pki_init
  1096.                 in_file="$EASYRSA_PKI/reqs/${name}.req"
  1097.                 format="req"
  1098.         fi
  1099.  
  1100.         # Verify file exists and is of the correct type
  1101.         [ -f "$in_file" ] || die "\
  1102. No such $type file with a basename of '$name' is present.
  1103. Expected to find this file at:
  1104. $in_file"
  1105.         verify_file $format "$in_file" || die "\
  1106. This file is not a valid $type file:
  1107. $in_file"
  1108.  
  1109.         notice "\
  1110. Showing $type details for '$name'.
  1111. This file is stored at:
  1112. $in_file
  1113. "
  1114.         "$EASYRSA_OPENSSL" $format -in "$in_file" -noout -text\
  1115.                 -nameopt multiline $opts || die "\
  1116. OpenSSL failure to process the input"
  1117. } # => show()
  1118.  
  1119. # vars setup
  1120. # Here sourcing of 'vars' if present occurs. If not present, defaults are used
  1121. # to support running without a sourced config format
  1122. vars_setup() {
  1123.         # Try to locate a 'vars' file in order of location preference.
  1124.         # If one is found, source it
  1125.         vars=
  1126.  
  1127.         # set up program path
  1128.         prog_vars="${0%/*}/vars"
  1129.         # set up PKI path
  1130.         pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
  1131.  
  1132.         # command-line path:
  1133.         if [ -f "$EASYRSA_VARS_FILE" ]; then
  1134.                 vars="$EASYRSA_VARS_FILE"
  1135.         # PKI location, if present:
  1136.         elif [ -f "$pki_vars" ]; then
  1137.                 vars="$pki_vars"
  1138.         # EASYRSA, if defined:
  1139.         elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
  1140.                 vars="$EASYRSA/vars"
  1141.         # program location:
  1142.         elif [ -f "$prog_vars" ]; then
  1143.                 vars="$prog_vars"
  1144.         fi
  1145.  
  1146.         # If a vars file was located, source it
  1147.         # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
  1148.         if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
  1149.                 #shellcheck disable=SC2034
  1150.                 EASYRSA_CALLER=1
  1151.                 # shellcheck disable=SC1090
  1152.                 . "$vars"
  1153.                 notice "\
  1154. Note: using Easy-RSA configuration from: $vars"
  1155.         fi
  1156.  
  1157.         # Set defaults, preferring existing env-vars if present
  1158.         set_var EASYRSA         "${0%/*}"
  1159.         set_var EASYRSA_OPENSSL openssl
  1160.         set_var EASYRSA_PKI     "$PWD/pki"
  1161.         set_var EASYRSA_DN      cn_only
  1162.         set_var EASYRSA_REQ_COUNTRY     "US"
  1163.         set_var EASYRSA_REQ_PROVINCE    "California"
  1164.         set_var EASYRSA_REQ_CITY        "San Francisco"
  1165.         set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
  1166.         set_var EASYRSA_REQ_EMAIL       me@example.net
  1167.         set_var EASYRSA_REQ_OU          "My Organizational Unit"
  1168.         set_var EASYRSA_ALGO            rsa
  1169.         set_var EASYRSA_KEY_SIZE        2048
  1170.         set_var EASYRSA_CURVE           secp384r1
  1171.         set_var EASYRSA_EC_DIR          "$EASYRSA_PKI/ecparams"
  1172.         set_var EASYRSA_CA_EXPIRE       3650
  1173.         set_var EASYRSA_CERT_EXPIRE     1080 # new default of 36 months
  1174.         set_var EASYRSA_CRL_DAYS        180
  1175.         set_var EASYRSA_NS_SUPPORT      no
  1176.         set_var EASYRSA_NS_COMMENT      "Easy-RSA (3.0.5) Generated Certificate"
  1177.         set_var EASYRSA_TEMP_CONF       "$EASYRSA_PKI/openssl-easyrsa.temp"
  1178.         set_var EASYRSA_TEMP_EXT        "$EASYRSA_PKI/extensions.temp"
  1179.         set_var EASYRSA_TEMP_FILE_2     ""
  1180.         set_var EASYRSA_TEMP_FILE_3     ""
  1181.         set_var EASYRSA_REQ_CN          ChangeMe
  1182.         set_var EASYRSA_DIGEST          sha256
  1183.  
  1184.         # Detect openssl config, preferring EASYRSA_PKI over EASYRSA
  1185.         if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then
  1186.                 set_var EASYRSA_SSL_CONF        "$EASYRSA_PKI/openssl-easyrsa.cn                                                                                                             f"
  1187.                 set_var EASYRSA_SAFE_CONF       "$EASYRSA_PKI/safessl-easyrsa.cn                                                                                                             f"
  1188.         else    set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
  1189.                 set_var EASYRSA_SAFE_CONF       "$EASYRSA/safessl-easyrsa.cnf"
  1190.         fi
  1191.  
  1192.         # Same as above for the x509-types extensions dir
  1193.         if [ -d "$EASYRSA_PKI/x509-types" ]; then
  1194.                 set_var EASYRSA_EXT_DIR         "$EASYRSA_PKI/x509-types"
  1195.         else    set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
  1196.         fi
  1197.  
  1198.         # EASYRSA_ALGO_PARAMS must be set depending on selected algo
  1199.         if [ "ec" = "$EASYRSA_ALGO" ]; then
  1200.                 EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
  1201.         elif [ "rsa" = "$EASYRSA_ALGO" ]; then
  1202.                 EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
  1203.         else
  1204.                 die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'"
  1205.         fi
  1206.  
  1207.         # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win                                                                                                             32)
  1208.         export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
  1209. } # vars_setup()
  1210.  
  1211. # variable assignment by indirection when undefined; merely exports
  1212. # the variable when it is already defined (even if currently null)
  1213. # Sets $1 as the value contained in $2 and exports (may be blank)
  1214. set_var() {
  1215.         var=$1
  1216.         shift
  1217.         value="$*"
  1218.         eval "export $var=\"\${$var-$value}\""
  1219. } #=> set_var()
  1220.  
  1221. ########################################
  1222. # Invocation entry point:
  1223.  
  1224. NL='
  1225. '
  1226.  
  1227. # Be secure with a restrictive umask
  1228. [ -z "$EASYRSA_NO_UMASK" ] && umask 077
  1229.  
  1230. # Parse options
  1231. while :; do
  1232.         # Separate option from value:
  1233.         opt="${1%%=*}"
  1234.         val="${1#*=}"
  1235.         empty_ok= # Empty values are not allowed unless excepted
  1236.  
  1237.         case "$opt" in
  1238.         --days)
  1239.                 export EASYRSA_CERT_EXPIRE="$val"
  1240.                 export EASYRSA_CA_EXPIRE="$val"
  1241.                 export EASYRSA_CRL_DAYS="$val"
  1242.                 ;;
  1243.         --pki-dir)
  1244.                 export EASYRSA_PKI="$val" ;;
  1245.         --use-algo)
  1246.                 export EASYRSA_ALGO="$val" ;;
  1247.         --keysize)
  1248.                 export EASYRSA_KEY_SIZE="$val" ;;
  1249.         --curve)
  1250.                 export EASYRSA_CURVE="$val" ;;
  1251.         --dn-mode)
  1252.                 export EASYRSA_DN="$val" ;;
  1253.         --req-cn)
  1254.                 export EASYRSA_REQ_CN="$val" ;;
  1255.         --digest)
  1256.                 export EASYRSA_DIGEST="$val" ;;
  1257.         --req-c)
  1258.                 empty_ok=1
  1259.                 export EASYRSA_REQ_COUNTRY="$val" ;;
  1260.         --req-st)
  1261.                 empty_ok=1
  1262.                 export EASYRSA_REQ_PROVINCE="$val" ;;
  1263.         --req-city)
  1264.                 empty_ok=1
  1265.                 export EASYRSA_REQ_CITY="$val" ;;
  1266.         --req-org)
  1267.                 empty_ok=1
  1268.                 export EASYRSA_REQ_ORG="$val" ;;
  1269.         --req-email)
  1270.                 empty_ok=1
  1271.                 export EASYRSA_REQ_EMAIL="$val" ;;
  1272.         --req-ou)
  1273.                 empty_ok=1
  1274.                 export EASYRSA_REQ_OU="$val" ;;
  1275.         --ns-cert)
  1276.                 export EASYRSA_NS_SUPPORT="$val" ;;
  1277.         --ns-comment)
  1278.                 empty_ok=1
  1279.                 export EASYRSA_NS_COMMENT="$val" ;;
  1280.         --batch)
  1281.                 empty_ok=1
  1282.                 export EASYRSA_BATCH=1 ;;
  1283.         --subca-len)
  1284.                 export EASYRSA_SUBCA_LEN="$val" ;;
  1285.         --vars)
  1286.                 export EASYRSA_VARS_FILE="$val" ;;
  1287.         --copy-ext)
  1288.                 empty_ok=1
  1289.                 export EASYRSA_CP_EXT=1 ;;
  1290.         --subject-alt-name)
  1291.                 export EASYRSA_EXTRA_EXTS="\
  1292. $EASYRSA_EXTRA_EXTS
  1293. subjectAltName = $val" ;;
  1294.         *)
  1295.                 break ;;
  1296.         esac
  1297.  
  1298.         # fatal error when no value was provided
  1299.         if [ ! $empty_ok ] && { [ "$val" = "$1" ] || [ -z "$val" ]; }; then
  1300.                 die "Missing value to option: $opt"
  1301.         fi
  1302.  
  1303.         shift
  1304. done
  1305.  
  1306. # Intelligent env-var detection and auto-loading:
  1307. vars_setup
  1308.  
  1309. # Register clean_temp on EXIT
  1310. trap "clean_temp" EXIT
  1311.  
  1312. # determine how we were called, then hand off to the function responsible
  1313. cmd="$1"
  1314. [ -n "$1" ] && shift # scrape off command
  1315. case "$cmd" in
  1316.         init-pki|clean-all)
  1317.                 init_pki "$@"
  1318.                 ;;
  1319.         build-ca)
  1320.                 build_ca "$@"
  1321.                 ;;
  1322.         gen-dh)
  1323.                 gen_dh
  1324.                 ;;
  1325.         gen-req)
  1326.                 gen_req "$@"
  1327.                 ;;
  1328.         sign|sign-req)
  1329.                 sign_req "$@"
  1330.                 ;;
  1331.         build-client-full)
  1332.                 build_full client "$@"
  1333.                 ;;
  1334.         build-server-full)
  1335.                 build_full server "$@"
  1336.                 ;;
  1337.         gen-crl)
  1338.                 gen_crl
  1339.                 ;;
  1340.         revoke)
  1341.                 revoke "$@"
  1342.                 ;;
  1343.         import-req)
  1344.                 import_req "$@"
  1345.                 ;;
  1346.         export-p12)
  1347.                 export_pkcs p12 "$@"
  1348.                 ;;
  1349.         export-p7)
  1350.                 export_pkcs p7 "$@"
  1351.                 ;;
  1352.         set-rsa-pass)
  1353.                 set_pass rsa "$@"
  1354.                 ;;
  1355.         set-ec-pass)
  1356.                 set_pass ec "$@"
  1357.                 ;;
  1358.         update-db)
  1359.                 update_db
  1360.                 ;;
  1361.         show-req)
  1362.                 show req "$@"
  1363.                 ;;
  1364.         show-cert)
  1365.                 show cert "$@"
  1366.                 ;;
  1367.         ""|help|-h|--help|--usage)
  1368.                 cmd_help "$1"
  1369.                 exit 0
  1370.                 ;;
  1371.         *)
  1372.                 die "Unknown command '$cmd'. Run without commands for usage help                                                                                                             ."
  1373.                 ;;
  1374. esac
  1375.  
  1376. # vim: ft=sh nu ai sw=8 ts=8 noet
  1377. root@vps727493:~#
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top