summaryrefslogtreecommitdiffstats
path: root/easy-rsa/2.0/pkitool
diff options
context:
space:
mode:
Diffstat (limited to 'easy-rsa/2.0/pkitool')
-rwxr-xr-xeasy-rsa/2.0/pkitool146
1 files changed, 133 insertions, 13 deletions
diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool
index 2d2d764..5f95162 100755
--- a/easy-rsa/2.0/pkitool
+++ b/easy-rsa/2.0/pkitool
@@ -31,8 +31,13 @@ PROGNAME=pkitool
VERSION=2.0
DEBUG=0
-GREP=grep
-OPENSSL=openssl
+die()
+{
+ local m="$1"
+
+ echo "$m" >&2
+ exit 1
+}
need_vars()
{
@@ -49,6 +54,8 @@ usage()
echo "Usage: $PROGNAME [options...] [common-name]"
echo "Options:"
echo " --batch : batch mode (default)"
+ echo " --keysize : Set keysize"
+ echo " size : size (default=1024)"
echo " --interact : interactive mode"
echo " --server : build server cert"
echo " --initca : build root CA"
@@ -56,9 +63,25 @@ usage()
echo " --pass : encrypt private key with password"
echo " --csr : only generate a CSR, do not sign"
echo " --sign : sign an existing CSR"
- echo " --pkcs12 : generate a combined pkcs12 file"
+ echo " --pkcs12 : generate a combined PKCS#12 file"
+ echo " --pkcs11 : generate certificate on PKCS#11 token"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " id : PKCS#11 object id (hex string)"
+ echo " label : PKCS#11 object label"
+ echo "Standalone options:"
+ echo " --pkcs11-slots : list PKCS#11 slots"
+ echo " lib : PKCS#11 library"
+ echo " --pkcs11-objects : list PKCS#11 token objects"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
+ echo " lib : PKCS#11 library"
+ echo " slot : PKCS#11 slot"
+ echo " label : PKCS#11 token label"
echo "Notes:"
need_vars
+ echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
echo "Generated files and corresponding OpenVPN directives:"
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)"
@@ -73,11 +96,13 @@ usage()
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
- echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format"
+ echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
echo " Also see ./inherit-inter script."
+ echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
+ echo " -> Build \"client5\" certificate/key in PKCS#11 token"
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
echo " [edit vars with your site-specific info]"
@@ -99,15 +124,21 @@ REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
+DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
# Process options
while [ $# -gt 0 ]; do
case "$1" in
+ --keysize ) KEY_SIZE=$2
+ shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;;
@@ -118,19 +149,76 @@ while [ $# -gt 0 ]; do
--csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;;
- --* ) echo "$PROGNAME: unknown option: $1"
- exit 1 ;;
+ --pkcs11 ) DO_P11="1"
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_ID="$4"
+ PKCS11_LABEL="$5"
+ shift 4;;
+
+ # standalone
+ --pkcs11-init)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ PKCS11_LABEL="$4"
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "Please specify library name, slot and label"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+ --label "$PKCS11_LABEL" &&
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+ exit $?;;
+ --pkcs11-slots)
+ PKCS11_MODULE_PATH="$2"
+ if [ -z "$PKCS11_MODULE_PATH" ]; then
+ die "Please specify library name"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+ exit 0;;
+ --pkcs11-objects)
+ PKCS11_MODULE_PATH="$2"
+ PKCS11_SLOT="$3"
+ if [ -z "$PKCS11_SLOT" ]; then
+ die "Please specify library name and slot"
+ fi
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+ exit 0;;
+
+ # errors
+ --* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;;
esac
shift
done
+if ! [ -z "$BATCH" ]; then
+ if $OPENSSL version | grep 0.9.6 > /dev/null; then
+ die "Batch mode is unsupported in openssl<0.9.7"
+ fi
+fi
+
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+ die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+
+if [ $DO_P11 -eq 1 ]; then
+ if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+ die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+ fi
+fi
+
# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ"
NODES_REQ="-nodes"
fi
+if [ $DO_P11 -eq 1 ]; then
+ if [ -z "$PKCS11_LABEL" ]; then
+ die "PKCS#11 arguments incomplete"
+ fi
+fi
+
# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650
@@ -166,7 +254,8 @@ else
KEY_CN="$1"
fi
fi
-export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN
+
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
@@ -183,6 +272,11 @@ if [ $DEBUG -eq 1 ]; then
echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU
+ echo DO_P11 $DO_P11
+ echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+ echo PKCS11_SLOT $PKCS11_SLOT
+ echo PKCS11_ID $PKCS11_ID
+ echo PKCS11_LABEL $PKCS11_LABEL
fi
# Make sure ./vars was sourced beforehand
@@ -202,8 +296,8 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \
- -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
# Make sure CA key/cert is available
@@ -215,16 +309,42 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
fi
fi
+ # Generate key for PKCS#11 token
+ PKCS11_ARGS=
+ if [ $DO_P11 -eq 1 ]; then
+ stty -echo
+ echo -n "User PIN: "
+ read -r PKCS11_PIN
+ stty echo
+ export PKCS11_PIN
+
+ echo "Generating key pair on PKCS#11 token..."
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+ --login --pin "$PKCS11_PIN" \
+ --key-type rsa:1024 \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+ PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+ fi
+
# Build cert/key
- ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \
- -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \
+ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+ -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
- -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
+ -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
-in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
- ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \
+ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
+ # Load certificate into PKCS#11 token
+ if [ $DO_P11 -eq 1 ]; then
+ $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
+ $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
+ --login --pin "$PKCS11_PIN" \
+ --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
+ [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
+ fi
+
fi
# Need definitions