#!/bin/bash set -eo pipefail : ' -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ' DN42CA_PKCS12=${DN42CA_PKCS12-"0"} VERSION="0.3.9" BASE_URL=${DN42CA_BASEURL-"https://ca.dn42"} GPG_KEY="$BASE_URL/ca.dn42.key" CURL=$(command -v curl) # Some versions of openssl don't like the name constraints we use. We need to ignore cert errors for them. CURL="$CURL -k -s" CUR_VERSION=$($CURL "$BASE_URL/ca.dn42.version") ver() { printf "%03d%03d%03d%03d" $(echo "$1" | tr '.' ' ') 0 0 0; } check_version() { if [ "$(ver "$VERSION")" -lt "$(ver "$CUR_VERSION")" ]; then echo "Current script version is $CUR_VERSION. You are running $VERSION" echo "Get it here: https://ca.dn42/ca.dn42" exit 1 fi } usage() { cat 2>&1 < /dev/null exit 0 ;; user-sign) check_version OWNER=${1-"DUMMY-MNT"} STATUS=$(mktemp) $CURL -X POST \ -H "Content-Type: text/plain" \ --data-binary @"${OWNER}.csr" \ "$BASE_URL/user.php" > "$STATUS" cat "$STATUS"; echo CERT_OK=$(grep OK "$STATUS" | cut -c1-2) if [ "$CERT_OK" = "OK" ]; then $CURL "$(grep OK "$STATUS" | cut -d' ' -f2)" > "${OWNER}.crt" $CURL "$BASE_URL/crt/ca-chain.crt" > ca-chain.crt if [ "$DN42CA_PKCS12" -eq "1" ]; then echo "=" echo "= Create a pkcs12 bundle" echo "=" openssl pkcs12 -export \ -name "${OWNER} (ca.dn42 mnter)" \ -caname "dn42 Internal CA (VERIFIED)" \ -caname "dn42 Root Authority CA" \ -inkey "${OWNER}.key" \ -in "${OWNER}.crt" \ -certfile ca-chain.crt \ -out "${OWNER}.p12" fi rm "$STATUS" exit 0 fi rm "$STATUS" exit 1 ;; tls-gen) check_version DNS=${1-"dummy.dn42"} OWNER=${2-"DUMMY-MNT"} EMAIL=${3-"dn42@dummy.tld"} SAN=$4 FILE="${OWNER}_${DNS}" if [ "$DN42CA_NEWKEY" = "1" ] || [ ! -f "${FILE}.key" ]; then KEYOUT="-keyout" else echo "Reusing key: ${FILE}.key" fi SANCONFIG="" if [ ! -z "$SAN" ]; then SANCONFIG="subjectAltName = \$ENV::SAN" fi SAN=$SAN \ openssl req -new \ -subj "/C=XD/O=dn42/OU=dn42 Certificate Authority/CN=${DNS}/emailAddress=${EMAIL}/owner=${OWNER}" \ -out "${FILE}.csr" \ "$KEYOUT" "${FILE}.key" \ -config <(cat < /dev/null) echo "=" echo "= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step." echo "=" (echo "_dn42_tlsverify.${DNS}. IN TXT ${OWNER}:pin-sha256:${KEYPIN}"; for i in ${SAN//,/ }; do echo "_dn42_tlsverify.${i//DNS:/}. IN TXT ${OWNER}:pin-sha256:${KEYPIN}"; done) | sort | uniq ;; tls-sign) check_version DNS=${1-"dummy.dn42"} OWNER=${2-"DUMMY-MNT"} STATUS=$(mktemp) FILE="${OWNER}_${DNS}" $CURL -X POST \ --cert "./${OWNER}.crt" \ --key "./$OWNER.key" \ -H "Content-Type: text/plain" \ --data-binary @"${FILE}.csr" \ "$BASE_URL/server.php" > "$STATUS" cat "$STATUS"; echo CERT_OK=$(grep OK "$STATUS" | cut -c1-2) if [ "$CERT_OK" = "OK" ]; then $CURL "$(grep OK "$STATUS" | cut -d' ' -f2)" > "${FILE}.crt" $CURL "$BASE_URL/crt/ca-chain.crt" > ca-chain.crt sed -n "/BEGIN/,/END/p;/END/q" < ca-chain.crt >> "${FILE}.crt" if [ "$DN42CA_PKCS12" -eq "1" ]; then echo "=" echo "= Create a pkcs12 bundle" echo "=" openssl pkcs12 -export \ -name "${DNS} (${OWNER} from ca.dn42 tls)" \ -caname "dn42 Internal CA (VERIFIED)" \ -caname "dn42 Root Authority CA" \ -inkey "${FILE}.key" \ -in "${FILE}.crt" \ -certfile ca-chain.crt \ -out "${FILE}.p12" fi rm "$STATUS" exit 0 fi echo "Run Failed" cat "$STATUS" rm "$STATUS" exit 1 ;; revoke) check_version OWNER=${1-"DUMMY-MNT"} FILE=${2-"filename.crt"} REASON=${3-"unspecified"} STATUS=$(mktemp) SERIAL=$(openssl x509 -serial -noout -in "${FILE}" | cut -d'=' -f2) $CURL -X POST \ --cert "./${OWNER}.crt" \ --key "./$OWNER.key" \ -H "Content-Type: text/plain" \ "$BASE_URL/revoke.php?serial=${SERIAL}&reason=${REASON}" > "$STATUS" cat "$STATUS"; echo CERT_OK=$(grep OK "$STATUS" | cut -c1-2) if [ "$CERT_OK" = "OK" ]; then exit 0 fi rm "$STATUS" exit 1 ;; reg-edit) check_version OWNER=${1-"DUMMY-MNT"} TYPE=${2-"person"} OBJECT=${3-"DUMMY-DN42"} REG_EDIT=${VISUAL-${EDITOR-"vi"}} REG_ORIG=$(mktemp) REG_CHNG=$(mktemp) STATUS=$(mktemp) echo "GET: $BASE_URL/reg/$TYPE/$OBJECT" echo "Make desired changes and save to submit. Do not save changes to abort." $CURL -X GET \ "$BASE_URL/reg/$TYPE/$OBJECT" > "$REG_ORIG" cp "$REG_ORIG" "$REG_CHNG" $REG_EDIT "$REG_CHNG" if cmp "$REG_ORIG" "$REG_CHNG" >/dev/null 2>&1 then echo "No change detected. Aborting." rm "$REG_ORIG" "$REG_CHNG" "$STATUS" exit 1 fi echo "Posting updates to server." $CURL -X PUT \ --cert "./$OWNER.crt" \ --key "./$OWNER.key" \ -H "Content-Type: text/plain" \ --data-binary @"$REG_CHNG" \ "$BASE_URL/reg.php/$TYPE/$OBJECT" > "$STATUS" cat "$STATUS"; echo CERT_OK=$(grep OK "$STATUS" | cut -c1-2) if [ "$CERT_OK" = "OK" ]; then rm "$REG_ORIG" "$REG_CHNG" "$STATUS" exit 0 fi rm "$REG_ORIG" "$REG_CHNG" "$STATUS" ;; check-gpg) check_version $CURL "$GPG_KEY" | gpg --import gpg --verify "$0" ;; update) if [ "$(ver "$VERSION")" -lt "$(ver "$CUR_VERSION")" ] && [ -w "$0" ] then TMP=$(mktemp) $CURL "$BASE_URL/ca.dn42" > "$TMP" bash "$TMP" check-gpg || exit 1 cat "$TMP" > "$0" rm "$TMP" fi ;; *) usage ;; esac exit 0 :' -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEIK4vMQp06nzsOuafizsGBPFk4E8FAltD7LUACgkQizsGBPFk 4E8nNRAAh9iA1OHf9EahUzLEn/Q7HdSiFbNv39iOC7oqdn5RRxAL2Q1wf/s4K6rf 6PQ2NFu4eFMIsjnzMOELwuWW+thZ9VHuGFPQaxy/c3nWazZRTlc5yo8TgpAadMOV 7AbtqoGWSenaJVbEfpUYftS1cyvsjSBI8wJiyxlK09hdfsbY3vXMVqWjyRan6e7C MGRtBQAI8ulkGxWWmcAZmyRD2kgpYS3AIs3wVCu3iwPEHiVelsvV7ppkMhuHCM1E /vS7Zl6BvJHZpaw+BpD39q3MFc3rIUmhL9D4ZTFFsuIXf9m0/YpOtAOoFJ4dgb3j r6c86/m16CRtEXJKPhc0Oyk/qF9KCXzebJch7Zus5VE2zEvJGUOXojiIXA08reh/ lZPQTjXEbHsH8NbPd6XBXjS6U0EgOH1FwvEbnCdki1+mwrdX7cNiJQmu/E3l2n5r 9c239+NpVWsowyNlGh00Pd4wqPMVuge+eVmgKcQavUbeDs2A1NKCXXUz0xwLSun9 vuUHrlpvVbtEm9Kr7n6PUD1OHMN4rqngpxMLtj+7xsje2zhXULqE19IxCePbNhLk qhJzLw5l+6rU5/alYrZjlZ7IavK1ertZlokmcrepoTUAHkb/Fp+cB83JA50Rdoc4 bUjrwsdxy1ruYCSiWNdDle8I4zlLxNe6h/aSZNwubhl1IacRWB4= =NzIs -----END PGP SIGNATURE----- '