From a8105c67473b78923a2cadae41e01ad3f4934b4e Mon Sep 17 00:00:00 2001 From: james Date: Thu, 13 Apr 2006 10:20:43 +0000 Subject: Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev). svn merge -r 995:998 https://svn.openvpn.net/projects/openvpn/contrib/alon/easy-rsa git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1006 e7ae566f-a301-0410-adde-c780ea21d3b5 --- easy-rsa/2.0/README | 63 ++++++++-- easy-rsa/2.0/build-dh | 2 +- easy-rsa/2.0/list-crl | 2 +- easy-rsa/2.0/openssl-0.9.6.cnf | 265 +++++++++++++++++++++++++++++++++++++++++ easy-rsa/2.0/openssl.cnf | 26 +++- easy-rsa/2.0/pkitool | 146 +++++++++++++++++++++-- easy-rsa/2.0/revoke-full | 6 +- easy-rsa/2.0/vars | 11 +- easy-rsa/2.0/whichopensslcnf | 13 ++ 9 files changed, 501 insertions(+), 33 deletions(-) create mode 100755 easy-rsa/2.0/openssl-0.9.6.cnf create mode 100755 easy-rsa/2.0/whichopensslcnf (limited to 'easy-rsa') diff --git a/easy-rsa/2.0/README b/easy-rsa/2.0/README index 92c550c..68e6bcb 100644 --- a/easy-rsa/2.0/README +++ b/easy-rsa/2.0/README @@ -61,6 +61,8 @@ Release Notes for easy-rsa-2.0 the crl.pem file to all clients as well, and have them include "crl-verify crl.pem" in their configuration files. +* PKCS#11 support was added. + INSTALL easy-rsa 1. Edit vars. @@ -80,9 +82,17 @@ INSTALL easy-rsa must be compatible across both peers participating in a secure SSL/TLS connection. -5 . vars -6. ./clean-all -7. As you create certificates, keys, and +5. (Optional) If you intend to use PKCS#11, + install openssl >= 0.9.7, install the + following components from www.opensc.org: + - opensc >= 0.10.0 + - engine_pkcs11 >= 0.1.3 + Update the openssl.cnf to load the engine: + - Uncomment pkcs11 under engine_section. + - Validate path at dynamic_path under pkcs11_section. +6. . vars +7. ./clean-all +8. As you create certificates, keys, and certificate signing requests, understand that only .key files should be kept confidential. .crt and .csr files can be sent over insecure @@ -96,21 +106,30 @@ server, make sure to enforce some kind of server certificate verification by clients. There are currently four different ways of accomplishing this, listed in the order of preference: -(1) Build your server certificates with the build-key-server - script, or using the --server option to pkitool. - This will designate the certificate as a - server-only certificate by setting nsCertType=server. +(1) Build your server certificates with specific key usage and + extended key usage. The RFC3280 determine that the following + attributes should be provided for TLS connections: + + Mode Key usage Extended key usage + --------------------------------------------------------------------------- + Client digitalSignature TLS Web Client Authentication + keyAgreement + digitalSignature, keyAgreement + + Server digitalSignature, keyEncipherment TLS Web Server Authentication + digitalSignature, keyAgreement + Now add the following line to your client configuration: - ns-cert-type server + remote-cert-tls server This will block clients from connecting to any - server which lacks the nsCertType=server designation + server which lacks the required extension designation in its certificate, even if the certificate has been signed by the CA which is cited in the OpenVPN configuration file (--ca directive). -(2) Use the --tls-remote directive on the client to +(3) Use the --tls-remote directive on the client to accept/reject the server connection based on the common name of the server certificate. @@ -134,6 +153,8 @@ pkitool 2.0 Usage: pkitool [options...] [common-name] Options: --batch : batch mode (default) + --keysize : Set keysize + size : size (default=1024) --interact : interactive mode --server : build server cert --initca : build root CA @@ -141,13 +162,29 @@ Options: --pass : encrypt private key with password --csr : only generate a CSR, do not sign --sign : sign an existing CSR - --pkcs12 : generate a combined pkcs12 file + --pkcs12 : generate a combined PKCS#12 file + --pkcs11 : generate certificate on PKCS#11 token + lib : PKCS#11 library + slot : PKCS#11 slot + id : PKCS#11 object id (hex string) + label : PKCS#11 object label +Standalone options: + --pkcs11-slots : list PKCS#11 slots + lib : PKCS#11 library + --pkcs11-objects : list PKCS#11 token objects + lib : PKCS#11 library + slot : PKCS#11 slot + --pkcs11-init : initialize PKCS#11 token DANGEROUS!!! + lib : PKCS#11 library + slot : PKCS#11 slot + label : PKCS#11 token label Notes: Please edit the vars script to reflect your configuration, then source it with "source ./vars". Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys. + In order to use PKCS#11 interface you must have opensc-0.10.0 or higher. Generated files and corresponding OpenVPN directives: (Files will be placed in the $KEY_DIR directory, defined in ./vars) ca.crt -> root certificate (--ca) @@ -162,11 +199,13 @@ Examples: pkitool --server server1 -> Build "server1" certificate/key pkitool client1 -> Build "client1" certificate/key pkitool --pass client2 -> Build password-protected "client2" certificate/key - pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format + pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format pkitool --csr client4 -> Build "client4" CSR to be signed by another CA pkitool --sign client4 -> Sign "client4" CSR pkitool --inter interca -> Build an intermediate key-signing certificate/key Also see ./inherit-inter script. + pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5 + -> Build "client5" certificate/key in PKCS#11 token Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. Protect client2 key with a password. Build DH parms. Generated files in ./keys : [edit vars with your site-specific info] diff --git a/easy-rsa/2.0/build-dh b/easy-rsa/2.0/build-dh index ec7a805..f019222 100755 --- a/easy-rsa/2.0/build-dh +++ b/easy-rsa/2.0/build-dh @@ -4,7 +4,7 @@ # of an SSL/TLS connection. if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then - openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} + $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/list-crl b/easy-rsa/2.0/list-crl index 7736fa8..afc0cd6 100755 --- a/easy-rsa/2.0/list-crl +++ b/easy-rsa/2.0/list-crl @@ -6,7 +6,7 @@ CRL="${1:-crl.pem}" if [ "$KEY_DIR" ]; then cd "$KEY_DIR" && \ - openssl crl -text -noout -in "$CRL" + $OPENSSL crl -text -noout -in "$CRL" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/openssl-0.9.6.cnf b/easy-rsa/2.0/openssl-0.9.6.cnf new file mode 100755 index 0000000..d28341d --- /dev/null +++ b/easy-rsa/2.0/openssl-0.9.6.cnf @@ -0,0 +1,265 @@ +# For use with easy-rsa version 2.0 + +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca' and 'req'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::KEY_DIR # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = $ENV::KEY_SIZE +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::KEY_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::KEY_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::KEY_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::KEY_ORG + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = $ENV::KEY_EMAIL +emailAddress_max = 40 + +# JY -- added for batch mode +organizationalUnitName_default = $ENV::KEY_OU +commonName_default = $ENV::KEY_CN + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Easy-RSA Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +[ server ] + +# JY ADDED -- Make a cert with nsCertType set to "server" +basicConstraints=CA:FALSE +nsCertType = server +nsComment = "Easy-RSA Generated Server Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=serverAuth +keyUsage = digitalSignature, keyEncipherment + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer:always + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl.cnf index b430b83..a781dda 100755 --- a/easy-rsa/2.0/openssl.cnf +++ b/easy-rsa/2.0/openssl.cnf @@ -9,10 +9,13 @@ # defined. HOME = . RANDFILE = $ENV::HOME/.rnd +openssl_conf = openssl_init +[ openssl_init ] # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids +engines = engine_section # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the @@ -179,11 +182,13 @@ basicConstraints=CA:FALSE # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +nsComment = "Easy-RSA Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always +extendedKeyUsage=clientAuth +keyUsage = digitalSignature # This stuff is for subjectAltName and issuerAltname. # Import the email address. @@ -204,7 +209,7 @@ authorityKeyIdentifier=keyid,issuer:always # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints=CA:FALSE nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" +nsComment = "Easy-RSA Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth @@ -261,3 +266,20 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ engine_section ] +# +# If you are using PKCS#11 +# Install engine_pkcs11 of opensc (www.opensc.org) +# And uncomment the following +# verify that dynamic_path points to the correct location +# +#pkcs11 = pkcs11_section + +[ pkcs11_section ] +engine_id = pkcs11 +dynamic_path = /usr/lib/engines/engine_pkcs11.so +MODULE_PATH = $ENV::PKCS11_MODULE_PATH +PIN = $ENV::PKCS11_PIN +init = 0 + diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool index 2d2d764..5f95162 100755 --- a/easy-rsa/2.0/pkitool +++ b/easy-rsa/2.0/pkitool @@ -31,8 +31,13 @@ PROGNAME=pkitool VERSION=2.0 DEBUG=0 -GREP=grep -OPENSSL=openssl +die() +{ + local m="$1" + + echo "$m" >&2 + exit 1 +} need_vars() { @@ -49,6 +54,8 @@ usage() echo "Usage: $PROGNAME [options...] [common-name]" echo "Options:" echo " --batch : batch mode (default)" + echo " --keysize : Set keysize" + echo " size : size (default=1024)" echo " --interact : interactive mode" echo " --server : build server cert" echo " --initca : build root CA" @@ -56,9 +63,25 @@ usage() echo " --pass : encrypt private key with password" echo " --csr : only generate a CSR, do not sign" echo " --sign : sign an existing CSR" - echo " --pkcs12 : generate a combined pkcs12 file" + echo " --pkcs12 : generate a combined PKCS#12 file" + echo " --pkcs11 : generate certificate on PKCS#11 token" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " id : PKCS#11 object id (hex string)" + echo " label : PKCS#11 object label" + echo "Standalone options:" + echo " --pkcs11-slots : list PKCS#11 slots" + echo " lib : PKCS#11 library" + echo " --pkcs11-objects : list PKCS#11 token objects" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!" + echo " lib : PKCS#11 library" + echo " slot : PKCS#11 slot" + echo " label : PKCS#11 token label" echo "Notes:" need_vars + echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher." echo "Generated files and corresponding OpenVPN directives:" echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' echo " ca.crt -> root certificate (--ca)" @@ -73,11 +96,13 @@ usage() echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" echo " $PROGNAME client1 -> Build \"client1\" certificate/key" echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" - echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format" + echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format" echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" echo " Also see ./inherit-inter script." + echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5" + echo " -> Build \"client5\" certificate/key in PKCS#11 token" echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" echo " [edit vars with your site-specific info]" @@ -99,15 +124,21 @@ REQ_EXT="" DO_CA="1" CA_EXT="" DO_P12="0" +DO_P11="0" DO_ROOT="0" NODES_REQ="-nodes" NODES_P12="" BATCH="-batch" CA="ca" +# must be set or errors of openssl.cnf +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" # Process options while [ $# -gt 0 ]; do case "$1" in + --keysize ) KEY_SIZE=$2 + shift;; --server ) REQ_EXT="$REQ_EXT -extensions server" CA_EXT="$CA_EXT -extensions server" ;; --batch ) BATCH="-batch" ;; @@ -118,19 +149,76 @@ while [ $# -gt 0 ]; do --csr ) DO_CA="0" ;; --sign ) DO_REQ="0" ;; --pkcs12 ) DO_P12="1" ;; - --* ) echo "$PROGNAME: unknown option: $1" - exit 1 ;; + --pkcs11 ) DO_P11="1" + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_ID="$4" + PKCS11_LABEL="$5" + shift 4;; + + # standalone + --pkcs11-init) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + PKCS11_LABEL="$4" + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" + PKCS11_SLOT="$3" + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + # errors + --* ) die "$PROGNAME: unknown option: $1" ;; * ) break ;; esac shift done +if ! [ -z "$BATCH" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi +fi + +if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then + die "PKCS#11 and PKCS#12 cannot be specified together" +fi + +if [ $DO_P11 -eq 1 ]; then + if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then + die "Please edit $KEY_CONFIG and setup PKCS#11 engine" + fi +fi + # If we are generating pkcs12, only encrypt the final step if [ $DO_P12 -eq 1 ]; then NODES_P12="$NODES_REQ" NODES_REQ="-nodes" fi +if [ $DO_P11 -eq 1 ]; then + if [ -z "$PKCS11_LABEL" ]; then + die "PKCS#11 arguments incomplete" + fi +fi + # If undefined, set default key expiration intervals if [ -z "$KEY_EXPIRE" ]; then KEY_EXPIRE=3650 @@ -166,7 +254,8 @@ else KEY_CN="$1" fi fi -export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN + +export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN # Show parameters (debugging) if [ $DEBUG -eq 1 ]; then @@ -183,6 +272,11 @@ if [ $DEBUG -eq 1 ]; then echo KEY_EXPIRE $KEY_EXPIRE echo CA_EXPIRE $CA_EXPIRE echo KEY_OU $KEY_OU + echo DO_P11 $DO_P11 + echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH + echo PKCS11_SLOT $PKCS11_SLOT + echo PKCS11_ID $PKCS11_ID + echo PKCS11_LABEL $PKCS11_LABEL fi # Make sure ./vars was sourced beforehand @@ -202,8 +296,8 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then # Build root CA if [ $DO_ROOT -eq 1 ]; then - $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \ - -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ chmod 0600 "$CA.key" else # Make sure CA key/cert is available @@ -215,16 +309,42 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then fi fi + # Generate key for PKCS#11 token + PKCS11_ARGS= + if [ $DO_P11 -eq 1 ]; then + stty -echo + echo -n "User PIN: " + read -r PKCS11_PIN + stty echo + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 + PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID" + fi + # Build cert/key - ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \ - -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \ + ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ - -in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ + -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ - ( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \ + ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \ ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then + $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \ + $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der" + fi + fi # Need definitions diff --git a/easy-rsa/2.0/revoke-full b/easy-rsa/2.0/revoke-full index 9dc9b1e..bf3e5fb 100755 --- a/easy-rsa/2.0/revoke-full +++ b/easy-rsa/2.0/revoke-full @@ -20,11 +20,11 @@ if [ "$KEY_DIR" ]; then export KEY_OU="" # revoke key and generate a new CRL - openssl ca -revoke "$1.crt" -config "$KEY_CONFIG" + $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" # generate a new CRL -- try to be compatible with # intermediate PKIs - openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG" + $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" if [ -e export-ca.crt ]; then cat export-ca.crt "$CRL" >"$RT" else @@ -32,7 +32,7 @@ if [ "$KEY_DIR" ]; then fi # verify the revocation - openssl verify -CAfile "$RT" -crl_check "$1.crt" + $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" else echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Make sure you have edited it to reflect your configuration.' diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars index a4bd149..a904547 100755 --- a/easy-rsa/2.0/vars +++ b/easy-rsa/2.0/vars @@ -14,10 +14,19 @@ # tree. export EASY_RSA="`pwd`" +# +# This variable should point to +# the requested executables +# +export OPENSSL="openssl" +export PKCS11TOOL="pkcs11-tool" +export GREP="grep" + + # This variable should point to # the openssl.cnf file included # with easy-rsa. -export KEY_CONFIG="$EASY_RSA/openssl.cnf" +export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` # Edit this variable to point to # your soon-to-be-created key diff --git a/easy-rsa/2.0/whichopensslcnf b/easy-rsa/2.0/whichopensslcnf new file mode 100755 index 0000000..2260aa8 --- /dev/null +++ b/easy-rsa/2.0/whichopensslcnf @@ -0,0 +1,13 @@ +#!/bin/sh + +if [ "$OPENSSL" ]; then + if $OPENSSL version | grep 0.9.6 > /dev/null; then + echo "$1/openssl-0.9.6.cnf" + else + echo "$1/openssl.cnf" + fi +else + echo "$1/openssl.cnf" +fi + +exit 0 -- cgit