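#!/usr/bin/env bash
#
# Insert a (pre)certificate that EJBCA does not know about into the EJBCA CA
# database and then revoke it through the EJBCA CLI, so that the revocation is
# published (CRL / OCSP) like any other revocation.
#
# Usage: <script> <db_host> <db_name> <db_username> <db_password> <pem_cert> <revocation_reason>
#
# Security notes (review):
# - subjectDN, issuerDN, serial and fingerprint are derived from the
#   caller-supplied certificate file, so from the database's point of view they
#   are untrusted input. The mysql client has no bind parameters, so every value
#   interpolated into SQL is either validated against a strict pattern
#   (hex / decimal) or escaped with sql_escape below.
# - The DB password is handed to mysql through a 0600 temporary option file
#   instead of '--password=...' on argv, where any local user could read it
#   via ps(1). It is still visible in this script's own argv; prefer a DB user
#   with the minimum privileges (see TODOS).
# - Any failing step aborts the script (set -e / pipefail) instead of
#   continuing with half-initialised values.
#
# TODOS:
# - Look for (or develop) something better integrated with EJBCA, e.g. an EJBCA CLI command. Related notes at the top of 'TODOS-EjbcaCt'.
# - If later this script is to be allowed to be executed remotely (not from EJBCA CA as required now), create a dedicated DB user per person with the minimum required DB privileges.
#

set -euo pipefail

MYSQL_BIN=/usr/bin/mysql
EJBCA_CLI=ejbca.sh

# 1 = delete any CertificateData row with the same fingerprint before
# inserting. Destructive; only ever enable against a development database.
DEVMODE=0

# Temporary mysql option file holding host/user/password; created in main,
# removed by the EXIT trap.
mysql_opts_file=""

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s <db_host> <db_name> <db_username> <db_password> <pem_cert> <revocation_reason>\n' "${0##*/}" >&2
  exit 2
}

# Escape $1 for use inside a single-quoted MySQL string literal: backslash and
# single quote get a backslash prefix (the characters that can terminate or
# alter a literal, as mysql_real_escape_string does). Assumes the server does
# not run with sql_mode NO_BACKSLASH_ESCAPES.
sql_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\'/\\\'}
  printf '%s' "$s"
}

# Escape $1 for a double-quoted value in a MySQL option file
# (backslash and double quote).
optfile_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Run the mysql client with the credentials from $mysql_opts_file; extra
# arguments (e.g. -N -s -e "..." <db>) are passed through unchanged.
run_sql() {
  # --defaults-extra-file must be the first option on the mysql command line.
  "$MYSQL_BIN" --defaults-extra-file="$mysql_opts_file" "$@"
}

main() {
  (( $# == 6 )) || usage

  # EJBCA CA DB parameters (not EJBCA OCSP).
  local caDbHost=$1 caDbName=$2 caDbUsername=$3 caDbPassword=$4
  local pemCertFile=$5 revocationReason=$6

  [[ -r "$pemCertFile" ]] || die "Cannot read certificate file '$pemCertFile'."
  # 'ejbca.sh ra revokecert -r' takes the numeric RFC 5280 reason code; keeping
  # it strictly numeric also keeps it safe as an argument to the sudo'ed CLI.
  [[ "$revocationReason" =~ ^[0-9]+$ ]] || die "Revocation reason must be a non-negative integer (got '$revocationReason')."

  mysql_opts_file=$(mktemp) || die "Cannot create temporary mysql option file."
  chmod 600 -- "$mysql_opts_file"
  trap 'rm -f -- "$mysql_opts_file"' EXIT
  printf '[client]\nhost="%s"\nuser="%s"\npassword="%s"\n' \
    "$(optfile_escape "$caDbHost")" "$(optfile_escape "$caDbUsername")" \
    "$(optfile_escape "$caDbPassword")" > "$mysql_opts_file"

  local fingerprint serialHex serialNumber subjectDN issuerDN base64Cert expireDateStr expireDate
  # All the following -nameopt options are a subset of 'default'. See 'man x509'.
  local nameopt=esc_2253,esc_ctrl,esc_msb,utf8,dump_nostr,dump_der,use_quote,sep_comma_plus,sname

  # SHA-1 over the DER encoding, lowercase hex: EJBCA's 'fingerprint' column.
  # 'openssl dgst' prints "(stdin)= <hex>" or "SHA1(stdin)= <hex>" depending
  # on the version, so strip everything up to "= ".
  fingerprint=$(openssl x509 -in "$pemCertFile" -outform DER | openssl dgst -sha1 | sed -e 's/^.*= //')
  [[ "$fingerprint" =~ ^[0-9a-f]{40}$ ]] || die "Could not compute certificate fingerprint."

  serialHex=$(openssl x509 -in "$pemCertFile" -serial -noout | sed -e 's/^serial=//')
  [[ "$serialHex" =~ ^[0-9A-Fa-f]+$ ]] || die "Could not read certificate serial number."
  # EJBCA stores the serial as its decimal string; bc needs uppercase hex for
  # ibase=16 and must not line-wrap long numbers.
  serialNumber=$(printf 'ibase=16; %s\n' "${serialHex^^}" | BC_LINE_LENGTH=0 bc)
  [[ "$serialNumber" =~ ^[0-9]+$ ]] || die "Could not convert certificate serial number."

  subjectDN=$(openssl x509 -in "$pemCertFile" -noout -subject -nameopt "$nameopt" | sed -e 's/^subject=//')
  issuerDN=$(openssl x509 -in "$pemCertFile" -noout -issuer -nameopt "$nameopt" | sed -e 's/^issuer=//')
  base64Cert=$(openssl x509 -in "$pemCertFile" -outform DER | base64 -w 64)
  expireDateStr=$(openssl x509 -in "$pemCertFile" -enddate -noout | sed -e 's/^notAfter=//')
  # Milliseconds since the epoch (the unit used in the existing insert).
  expireDate=$(( $(date --date "$expireDateStr" +"%s%N") / 1000000 ))

  # Escaped copies for SQL; the raw DNs are still needed for the CLI call.
  local subjectDNSql issuerDNSql
  subjectDNSql=$(sql_escape "$subjectDN")
  issuerDNSql=$(sql_escape "$issuerDN")

  if (( DEVMODE == 1 )); then
    # $fingerprint has been validated as 40 hex chars above, so it is safe here.
    run_sql -e "delete from CertificateData where fingerprint='$fingerprint';" "$caDbName"
  fi

  # TODO validate that the issuerDN corresponds to a CA being managed by this EJBCA and maybe get the 'cAFingerprint' in the process.

  echo "Trying to insert (pre)certificate into DB..."

  local existsRealCert
  # serialNumber is a VARCHAR in EJBCA; compare as a string so large serials
  # are not rounded through a numeric (double) conversion.
  existsRealCert=$(run_sql -N -s -e "select count(*) from CertificateData where issuerDN='$issuerDNSql' and serialNumber='$serialNumber';" "$caDbName")
  if [[ "$existsRealCert" != "0" ]]; then
    echo "(Pre)certificate exists in EJBCA DB. Revoke it from Admin GUI."
    return 0
  fi

  # TODO maybe try to match in this step to the right issuing CA, that maybe the same DN could be used for different users with different CAs... is it possible in EJBCA?.
  # NOTE(review): 'ejbca.UserData' is hard-coded to the 'ejbca' schema while
  # every other statement runs against $caDbName; keep the two in sync if the
  # CA database has a different name.
  local matchingUsername
  matchingUsername=$(run_sql -N -s -e "select username from ejbca.UserData where subjectDN='$subjectDNSql';" "$caDbName")
  if [[ -z "$matchingUsername" ]]; then
    # The prefix for every certificate which has been MANually REVoked and for which a matching username couldn't be found: USERNAME_PREFIX=manually_revoked_precert_*
    # TODO default to use $USERNAME_PREFIX for creating a new username... but what about republishing certs to external OCSP?, it seems that 'ejbca.sh ra revokecert' wouldn't trigger publishing for these certificates by default. Debug EJBCA publishing code to determine what to do here.
    echo "No matching username in EJBCA DB. Please ask for support to analyze EJBCA database manually."
    return 0
  fi
  # More than one end entity shares this subject DN: refuse rather than insert
  # a multi-line value as the username.
  if [[ "$matchingUsername" == *$'\n'* ]]; then
    die "Several EJBCA end entities match subject DN '$subjectDN'. Please ask for support to analyze EJBCA database manually."
  fi

  # TODO try to insert all the fields inserted in 'org.ejbca.va.publisher.EnterpriseValidationAuthorityPublisher.insertCertificateSQL': base64Cert,subjectDN,issuerDN,cAFingerprint,serialNumber,status,type,username,expireDate,revocationDate,revocationReason,tag,certificateProfileId,updateTime,subjectKeyId,fingerprint,rowVersion. The specially important are the ones that could affect CRL generation or OCSP processing, but consider usages for other fields from EJBCA Admin GUI or other places. Maybe look the source code for usages for the remaining fields.
  local matchingUsernameSql
  matchingUsernameSql=$(sql_escape "$matchingUsername")
  if run_sql -e "insert into CertificateData \
(base64Cert,subjectDN,issuerDN,serialNumber,username,expireDate,revocationReason,fingerprint) values \
('$base64Cert', '$subjectDNSql', '$issuerDNSql', '$serialNumber', '$matchingUsernameSql', $expireDate, -1, '$fingerprint');" "$caDbName"; then
    echo "(Pre)certificate succesfully inserted."

    echo "Revoking (pre)certificate in EJBCA..."
    # NOTE that this will trigger publishing.
    # TODO determine if EJBCA CLI can be executed remotely.
    # The DN is passed as one quoted argument; the previous '\"$issuerDN\"'
    # handed the CLI literal double quotes and split the DN on spaces.
    sudo "$EJBCA_CLI" ra revokecert --dn "$issuerDN" -s "$serialHex" -r "$revocationReason"
  else
    # TODO manage all errors connecting to MySQL (there are some previous statements) in an uniform way.
    die "Error!."
  fi
}

main "$@"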