OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-10 05:59:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).

Browse Source 
svn merge -r 995:998 https://svn.openvpn.net/projects/openvpn/contrib/alon/easy-rsa


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1006 e7ae566f-a301-0410-adde-c780ea21d3b5
This commit is contained in:
james 2006-04-13 10:20:43 +00:00
parent 428b827967
commit a8105c6747
9 changed files with 501 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
easy-rsa/2.0/README
View File

@ -61,6 +61,8 @@ Release Notes for easy-rsa-2.0
the crl.pem file to all clients as well, and have them include the crl.pem file to all clients as well, and have them include
"crl-verify crl.pem" in their configuration files. "crl-verify crl.pem" in their configuration files.
* PKCS#11 support was added.
INSTALL easy-rsa INSTALL easy-rsa
1. Edit vars. 1. Edit vars.
@ -80,9 +82,17 @@ INSTALL easy-rsa
must be compatible across both peers must be compatible across both peers
participating in a secure SSL/TLS participating in a secure SSL/TLS
connection. connection.
5 . vars 5. (Optional) If you intend to use PKCS#11,
6. ./clean-all install openssl >= 0.9.7, install the
7. As you create certificates, keys, and following components from www.opensc.org:
- opensc >= 0.10.0
- engine_pkcs11 >= 0.1.3
Update the openssl.cnf to load the engine:
- Uncomment pkcs11 under engine_section.
- Validate path at dynamic_path under pkcs11_section.
6. . vars
7. ./clean-all
8. As you create certificates, keys, and
certificate signing requests, understand that certificate signing requests, understand that
only .key files should be kept confidential. only .key files should be kept confidential.
.crt and .csr files can be sent over insecure .crt and .csr files can be sent over insecure
@ -96,21 +106,30 @@ server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference: of accomplishing this, listed in the order of preference:
(1) Build your server certificates with the build-key-server (1) Build your server certificates with specific key usage and
script, or using the --server option to pkitool. extended key usage. The RFC3280 determine that the following
This will designate the certificate as a attributes should be provided for TLS connections:
server-only certificate by setting nsCertType=server.
Mode Key usage Extended key usage
---------------------------------------------------------------------------
Client digitalSignature TLS Web Client Authentication
keyAgreement
digitalSignature, keyAgreement
Server digitalSignature, keyEncipherment TLS Web Server Authentication
digitalSignature, keyAgreement
Now add the following line to your client configuration: Now add the following line to your client configuration:
ns-cert-type server remote-cert-tls server
This will block clients from connecting to any This will block clients from connecting to any
server which lacks the nsCertType=server designation server which lacks the required extension designation
in its certificate, even if the certificate has been in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration signed by the CA which is cited in the OpenVPN configuration
file (--ca directive). file (--ca directive).
(2) Use the --tls-remote directive on the client to (3) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common accept/reject the server connection based on the common
name of the server certificate. name of the server certificate.
@ -134,6 +153,8 @@ pkitool 2.0
Usage: pkitool [options...] [common-name] Usage: pkitool [options...] [common-name]
Options: Options:
--batch : batch mode (default) --batch : batch mode (default)
--keysize : Set keysize
size : size (default=1024)
--interact : interactive mode --interact : interactive mode
--server : build server cert --server : build server cert
--initca : build root CA --initca : build root CA
@ -141,13 +162,29 @@ Options:
--pass : encrypt private key with password --pass : encrypt private key with password
--csr : only generate a CSR, do not sign --csr : only generate a CSR, do not sign
--sign : sign an existing CSR --sign : sign an existing CSR
--pkcs12 : generate a combined pkcs12 file --pkcs12 : generate a combined PKCS#12 file
--pkcs11 : generate certificate on PKCS#11 token
lib : PKCS#11 library
slot : PKCS#11 slot
id : PKCS#11 object id (hex string)
label : PKCS#11 object label
Standalone options:
--pkcs11-slots : list PKCS#11 slots
lib : PKCS#11 library
--pkcs11-objects : list PKCS#11 token objects
lib : PKCS#11 library
slot : PKCS#11 slot
--pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
lib : PKCS#11 library
slot : PKCS#11 slot
label : PKCS#11 token label
Notes: Notes:
Please edit the vars script to reflect your configuration, Please edit the vars script to reflect your configuration,
then source it with "source ./vars". then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all". previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys. Finally, you can run this tool (pkitool) to build certificates/keys.
In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
Generated files and corresponding OpenVPN directives: Generated files and corresponding OpenVPN directives:
(Files will be placed in the $KEY_DIR directory, defined in ./vars) (Files will be placed in the $KEY_DIR directory, defined in ./vars)
ca.crt -> root certificate (--ca) ca.crt -> root certificate (--ca)
@ -162,11 +199,13 @@ Examples:
pkitool --server server1 -> Build "server1" certificate/key pkitool --server server1 -> Build "server1" certificate/key
pkitool client1 -> Build "client1" certificate/key pkitool client1 -> Build "client1" certificate/key
pkitool --pass client2 -> Build password-protected "client2" certificate/key pkitool --pass client2 -> Build password-protected "client2" certificate/key
pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS #12 format pkitool --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
pkitool --csr client4 -> Build "client4" CSR to be signed by another CA pkitool --csr client4 -> Build "client4" CSR to be signed by another CA
pkitool --sign client4 -> Sign "client4" CSR pkitool --sign client4 -> Sign "client4" CSR
pkitool --inter interca -> Build an intermediate key-signing certificate/key pkitool --inter interca -> Build an intermediate key-signing certificate/key
Also see ./inherit-inter script. Also see ./inherit-inter script.
pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
-> Build "client5" certificate/key in PKCS#11 token
Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys. Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
Protect client2 key with a password. Build DH parms. Generated files in ./keys : Protect client2 key with a password. Build DH parms. Generated files in ./keys :
[edit vars with your site-specific info] [edit vars with your site-specific info]

2
easy-rsa/2.0/build-dh
View File

@ -4,7 +4,7 @@
# of an SSL/TLS connection. # of an SSL/TLS connection.
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'

2
easy-rsa/2.0/list-crl
View File

@ -6,7 +6,7 @@ CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \ cd "$KEY_DIR" && \
openssl crl -text -noout -in "$CRL" $OPENSSL crl -text -noout -in "$CRL"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'

265
easy-rsa/2.0/openssl-0.9.6.cnf Executable file
View File

@ -0,0 +1,265 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

26
easy-rsa/2.0/openssl.cnf
View File

@ -9,10 +9,13 @@
# defined. # defined.
HOME = . HOME = .
RANDFILE = $ENV::HOME/.rnd RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info: # Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid #oid_file = $ENV::HOME/.oid
oid_section = new_oids oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the # To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the # "openssl x509" utility, name here the section containing the
@ -179,11 +182,13 @@ basicConstraints=CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox. # This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate" nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname. # This stuff is for subjectAltName and issuerAltname.
# Import the email address. # Import the email address.
@ -204,7 +209,7 @@ authorityKeyIdentifier=keyid,issuer:always
# JY ADDED -- Make a cert with nsCertType set to "server" # JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
nsCertType = server nsCertType = server
nsComment = "OpenSSL Generated Server Certificate" nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth extendedKeyUsage=serverAuth
@ -261,3 +266,20 @@ basicConstraints = CA:true
# issuerAltName=issuer:copy # issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

146
easy-rsa/2.0/pkitool
View File

@ -31,8 +31,13 @@ PROGNAME=pkitool
VERSION=2.0 VERSION=2.0
DEBUG=0 DEBUG=0
GREP=grep die()
OPENSSL=openssl {
local m="$1"
echo "$m" >&2
exit 1
}
need_vars() need_vars()
{ {
@ -49,6 +54,8 @@ usage()
echo "Usage: $PROGNAME [options...] [common-name]" echo "Usage: $PROGNAME [options...] [common-name]"
echo "Options:" echo "Options:"
echo " --batch : batch mode (default)" echo " --batch : batch mode (default)"
echo " --keysize : Set keysize"
echo " size : size (default=1024)"
echo " --interact : interactive mode" echo " --interact : interactive mode"
echo " --server : build server cert" echo " --server : build server cert"
echo " --initca : build root CA" echo " --initca : build root CA"
@ -56,9 +63,25 @@ usage()
echo " --pass : encrypt private key with password" echo " --pass : encrypt private key with password"
echo " --csr : only generate a CSR, do not sign" echo " --csr : only generate a CSR, do not sign"
echo " --sign : sign an existing CSR" echo " --sign : sign an existing CSR"
echo " --pkcs12 : generate a combined pkcs12 file" echo " --pkcs12 : generate a combined PKCS#12 file"
echo " --pkcs11 : generate certificate on PKCS#11 token"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " id : PKCS#11 object id (hex string)"
echo " label : PKCS#11 object label"
echo "Standalone options:"
echo " --pkcs11-slots : list PKCS#11 slots"
echo " lib : PKCS#11 library"
echo " --pkcs11-objects : list PKCS#11 token objects"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " label : PKCS#11 token label"
echo "Notes:" echo "Notes:"
need_vars need_vars
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
echo "Generated files and corresponding OpenVPN directives:" echo "Generated files and corresponding OpenVPN directives:"
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)' echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)" echo " ca.crt -> root certificate (--ca)"
@ -73,11 +96,13 @@ usage()
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key" echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
echo " $PROGNAME client1 -> Build \"client1\" certificate/key" echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key" echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS #12 format" echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA" echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR" echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key" echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
echo " Also see ./inherit-inter script." echo " Also see ./inherit-inter script."
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys." echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :" echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
echo " [edit vars with your site-specific info]" echo " [edit vars with your site-specific info]"
@ -99,15 +124,21 @@ REQ_EXT=""
DO_CA="1" DO_CA="1"
CA_EXT="" CA_EXT=""
DO_P12="0" DO_P12="0"
DO_P11="0"
DO_ROOT="0" DO_ROOT="0"
NODES_REQ="-nodes" NODES_REQ="-nodes"
NODES_P12="" NODES_P12=""
BATCH="-batch" BATCH="-batch"
CA="ca" CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"
# Process options # Process options
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case "$1" in case "$1" in
--keysize ) KEY_SIZE=$2
shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server" --server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;; CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;; --batch ) BATCH="-batch" ;;
@ -118,19 +149,76 @@ while [ $# -gt 0 ]; do
--csr ) DO_CA="0" ;; --csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;; --sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;; --pkcs12 ) DO_P12="1" ;;
--* ) echo "$PROGNAME: unknown option: $1" --pkcs11 ) DO_P11="1"
exit 1 ;; PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_ID="$4"
PKCS11_LABEL="$5"
shift 4;;
# standalone
--pkcs11-init)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;;
--pkcs11-slots)
PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;;
--pkcs11-objects)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;;
# errors
--* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;; * ) break ;;
esac esac
shift shift
done done
if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7"
fi
fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together"
fi
if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi
fi
# If we are generating pkcs12, only encrypt the final step # If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ" NODES_P12="$NODES_REQ"
NODES_REQ="-nodes" NODES_REQ="-nodes"
fi fi
if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete"
fi
fi
# If undefined, set default key expiration intervals # If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650 KEY_EXPIRE=3650
@ -166,7 +254,8 @@ else
KEY_CN="$1" KEY_CN="$1"
fi fi
fi fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
# Show parameters (debugging) # Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then if [ $DEBUG -eq 1 ]; then
@ -183,6 +272,11 @@ if [ $DEBUG -eq 1 ]; then
echo KEY_EXPIRE $KEY_EXPIRE echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU echo KEY_OU $KEY_OU
echo DO_P11 $DO_P11
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
echo PKCS11_SLOT $PKCS11_SLOT
echo PKCS11_ID $PKCS11_ID
echo PKCS11_LABEL $PKCS11_LABEL
fi fi
# Make sure ./vars was sourced beforehand # Make sure ./vars was sourced beforehand
@ -202,8 +296,8 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Build root CA # Build root CA
if [ $DO_ROOT -eq 1 ]; then if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -x509 \ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
-keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key" chmod 0600 "$CA.key"
else else
# Make sure CA key/cert is available # Make sure CA key/cert is available
@ -215,16 +309,42 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
fi fi
fi fi
# Generate key for PKCS#11 token
PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then
stty -echo
echo -n "User PIN: "
read -r PKCS11_PIN
stty echo
export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi
# Build cert/key # Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new \ ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" ) && \ -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \ ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
-in "$KEY_CN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \ -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \ ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
-in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \ -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 ] || chmod 0600 "$KEY_CN.key" ) && \ ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" ) ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
fi
fi fi
# Need definitions # Need definitions

6
easy-rsa/2.0/revoke-full
View File

@ -20,11 +20,11 @@ if [ "$KEY_DIR" ]; then
export KEY_OU="" export KEY_OU=""
# revoke key and generate a new CRL # revoke key and generate a new CRL
openssl ca -revoke "$1.crt" -config "$KEY_CONFIG" $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
# generate a new CRL -- try to be compatible with # generate a new CRL -- try to be compatible with
# intermediate PKIs # intermediate PKIs
openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG" $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT" cat export-ca.crt "$CRL" >"$RT"
else else
@ -32,7 +32,7 @@ if [ "$KEY_DIR" ]; then
fi fi
# verify the revocation # verify the revocation
openssl verify -CAfile "$RT" -crl_check "$1.crt" $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else else
echo 'Please source the vars script first (i.e. "source ./vars")' echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.' echo 'Make sure you have edited it to reflect your configuration.'

11
easy-rsa/2.0/vars
View File

@ -14,10 +14,19 @@
# tree. # tree.
export EASY_RSA="`pwd`" export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to # This variable should point to
# the openssl.cnf file included # the openssl.cnf file included
# with easy-rsa. # with easy-rsa.
export KEY_CONFIG="$EASY_RSA/openssl.cnf" export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to # Edit this variable to point to
# your soon-to-be-created key # your soon-to-be-created key

13
easy-rsa/2.0/whichopensslcnf Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
if [ "$OPENSSL" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
echo "$1/openssl-0.9.6.cnf"
else
echo "$1/openssl.cnf"
fi
else
echo "$1/openssl.cnf"
fi
exit 0