#!/bin/sh#  OpenVPN -- An application to securely tunnel IP networks#             over a single TCP/UDP port, with support for SSL/TLS-based#             session authentication and key exchange,#             packet encryption, packet authentication, and#             packet compression.##  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>##  This program is free software; you can redistribute it and/or modify#  it under the terms of the GNU General Public License version 2#  as published by the Free Software Foundation.##  This program is distributed in the hope that it will be useful,#  but WITHOUT ANY WARRANTY; without even the implied warranty of#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the#  GNU General Public License for more details.##  You should have received a copy of the GNU General Public License#  along with this program (see the file COPYING included with this#  distribution); if not, write to the Free Software Foundation, Inc.,#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA# pkitool is a front-end for the openssl tool.# Calling scripts can set the certificate organizational # unit with the KEY_OU environmental variable. PROGNAME=pkitoolVERSION=2.0DEBUG=0die(){    local m="$1"    echo "$m" >&2    exit 1}need_vars(){    echo '  Please edit the vars script to reflect your configuration,'    echo '  then source it with "source ./vars".'    echo '  Next, to start with a fresh PKI configuration and to delete any'    echo '  previous certificates and keys, run "./clean-all".'    echo "  Finally, you can run this tool ($PROGNAME) to build certificates/keys."}usage(){    echo "$PROGNAME $VERSION"    echo "Usage: $PROGNAME [options...] [common-name]"    echo "Options:"    echo "  --batch    : batch mode (default)"    echo "  --keysize  : Set keysize"    echo "      size   : size (default=1024)"    echo "  --interact : interactive mode"    echo "  --server   : build server cert"    echo "  --initca   : build root CA"    echo "  --inter    : build intermediate CA"    echo "  --pass     : encrypt private key with password"    echo "  --csr      : only generate a CSR, do not sign"    echo "  --sign     : sign an existing CSR"    echo "  --pkcs12   : generate a combined PKCS#12 file"    echo "  --pkcs11   : generate certificate on PKCS#11 token"    echo "      lib    : PKCS#11 library"    echo "      slot   : PKCS#11 slot"    echo "      id     : PKCS#11 object id (hex string)"    echo "      label  : PKCS#11 object label"    echo "Standalone options:"    echo "  --pkcs11-slots   : list PKCS#11 slots"    echo "      lib    : PKCS#11 library"    echo "  --pkcs11-objects : list PKCS#11 token objects"    echo "      lib    : PKCS#11 library"    echo "      slot   : PKCS#11 slot"    echo "  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!"    echo "      lib    : PKCS#11 library"    echo "      slot   : PKCS#11 slot"    echo "      label  : PKCS#11 token label"    echo "Notes:"    need_vars    echo "  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."    echo "Generated files and corresponding OpenVPN directives:"    echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'    echo "  ca.crt     -> root certificate (--ca)"    echo "  ca.key     -> root key, keep secure (not directly used by OpenVPN)"    echo "  .crt files -> client/server certificates (--cert)"    echo "  .key files -> private keys, keep secure (--key)"    echo "  .csr files -> certificate signing request (not directly used by OpenVPN)"    echo "  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"    echo "Examples:"    echo "  $PROGNAME --initca          -> Build root certificate"    echo "  $PROGNAME --initca --pass   -> Build root certificate with password-protected key"    echo "  $PROGNAME --server server1  -> Build \"server1\" certificate/key"    echo "  $PROGNAME client1           -> Build \"client1\" certificate/key"    echo "  $PROGNAME --pass client2    -> Build password-protected \"client2\" certificate/key"    echo "  $PROGNAME --pkcs12 client3  -> Build \"client3\" certificate/key in PKCS#12 format"    echo "  $PROGNAME --csr client4     -> Build \"client4\" CSR to be signed by another CA"    echo "  $PROGNAME --sign client4    -> Sign \"client4\" CSR"    echo "  $PROGNAME --inter interca   -> Build an intermediate key-signing certificate/key"    echo "                               Also see ./inherit-inter script."    echo "  $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"    echo "                              -> Build \"client5\" certificate/key in PKCS#11 token"    echo "Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys."    echo "Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :"    echo "  [edit vars with your site-specific info]"    echo "  source ./vars"    echo "  ./clean-all"    echo "  ./build-dh     -> takes a long time, consider backgrounding"    echo "  ./$PROGNAME --initca"    echo "  ./$PROGNAME --server myserver"    echo "  ./$PROGNAME client1"    echo "  ./$PROGNAME --pass client2"    echo "Typical usage for adding client cert to existing PKI:"    echo "  source ./vars"    echo "  ./$PROGNAME client-new"}# Set defaultsDO_REQ="1"REQ_EXT=""DO_CA="1"CA_EXT=""DO_P12="0"DO_P11="0"DO_ROOT="0"NODES_REQ="-nodes"NODES_P12=""BATCH="-batch"CA="ca"# must be set or errors of openssl.cnfPKCS11_MODULE_PATH="dummy"PKCS11_PIN="dummy"# Process optionswhile [ $# -gt 0 ]; do    case "$1" in        --keysize  ) KEY_SIZE=$2		     shift;;	--server   ) REQ_EXT="$REQ_EXT -extensions server"	             CA_EXT="$CA_EXT -extensions server" ;;	--batch    ) BATCH="-batch" ;;	--interact ) BATCH="" ;;        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;        --initca   ) DO_ROOT="1" ;;	--pass     ) NODES_REQ="" ;;        --csr      ) DO_CA="0" ;;        --sign     ) DO_REQ="0" ;;        --pkcs12   ) DO_P12="1" ;;	--pkcs11   ) DO_P11="1"	             PKCS11_MODULE_PATH="$2"		     PKCS11_SLOT="$3"		     PKCS11_ID="$4"		     PKCS11_LABEL="$5"		     shift 4;;	# standalone	--pkcs11-init)	             PKCS11_MODULE_PATH="$2"	             PKCS11_SLOT="$3"	             PKCS11_LABEL="$4"		     if [ -z "$PKCS11_LABEL" ]; then		       die "Please specify library name, slot and label"		     fi		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \		     	--label "$PKCS11_LABEL" &&			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"		     exit $?;;	--pkcs11-slots)	             PKCS11_MODULE_PATH="$2"		     if [ -z "$PKCS11_MODULE_PATH" ]; then		       die "Please specify library name"		     fi		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots		     exit 0;;	--pkcs11-objects)	             PKCS11_MODULE_PATH="$2"	             PKCS11_SLOT="$3"		     if [ -z "$PKCS11_SLOT" ]; then		       die "Please specify library name and slot"		     fi		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"		     exit 0;;	# errors	--*        ) die "$PROGNAME: unknown option: $1" ;;	*          ) break ;;    esac    shift   doneif ! [ -z "$BATCH" ]; then	if $OPENSSL version | grep 0.9.6 > /dev/null; then		die "Batch mode is unsupported in openssl<0.9.7"	fifiif [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then	die "PKCS#11 and PKCS#12 cannot be specified together"fiif [ $DO_P11 -eq 1 ]; then	if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then		die "Please edit $KEY_CONFIG and setup PKCS#11 engine"	fifi# If we are generating pkcs12, only encrypt the final stepif [ $DO_P12 -eq 1 ]; then    NODES_P12="$NODES_REQ"    NODES_REQ="-nodes"fiif [ $DO_P11 -eq 1 ]; then	if [ -z "$PKCS11_LABEL" ]; then		die "PKCS#11 arguments incomplete"	fifi# If undefined, set default key expiration intervalsif [ -z "$KEY_EXPIRE" ]; then    KEY_EXPIRE=3650fiif [ -z "$CA_EXPIRE" ]; then    CA_EXPIRE=3650fi# Set organizational unit to empty string if undefinedif [ -z "$KEY_OU" ]; then    KEY_OU=""fi# Set KEY_CNif [ $DO_ROOT -eq 1 ]; then    if [ -z "$KEY_CN" ]; then	if [ "$1" ]; then	    KEY_CN="$1"	elif [ "$KEY_ORG" ]; then	    KEY_CN="$KEY_ORG CA"	fi    fi    if [ $BATCH ] && [ "$KEY_CN" ]; then	echo "Using CA Common Name:" $KEY_CN    fielif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then    echo "Using Common Name:" $KEY_CNelse    if [ $# -ne 1 ]; then	usage	exit 1    else	KEY_CN="$1"    fifiexport CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN# Show parameters (debugging)if [ $DEBUG -eq 1 ]; then    echo DO_REQ $DO_REQ    echo REQ_EXT $REQ_EXT    echo DO_CA $DO_CA    echo CA_EXT $CA_EXT    echo NODES_REQ $NODES_REQ    echo NODES_P12 $NODES_P12    echo DO_P12 $DO_P12    echo KEY_CN $KEY_CN    echo BATCH $BATCH    echo DO_ROOT $DO_ROOT    echo KEY_EXPIRE $KEY_EXPIRE    echo CA_EXPIRE $CA_EXPIRE    echo KEY_OU $KEY_OU    echo DO_P11 $DO_P11    echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH    echo PKCS11_SLOT $PKCS11_SLOT    echo PKCS11_ID $PKCS11_ID    echo PKCS11_LABEL $PKCS11_LABELfi# Make sure ./vars was sourced beforehandif [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then    cd "$KEY_DIR"    # Make sure $KEY_CONFIG points to the correct version    # of openssl.cnf    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then	:    else	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"        echo "version of openssl.cnf: $KEY_CONFIG"	echo "The correct version should have a comment that says: easy-rsa version 2.x";	exit 1;    fi    # Build root CA    if [ $DO_ROOT -eq 1 ]; then	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \	    chmod 0600 "$CA.key"    else                # Make sure CA key/cert is available	if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then	    if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then		echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"		echo "Try $PROGNAME --initca to build a root certificate/key."		exit 1	    fi	fi	# Generate key for PKCS#11 token	PKCS11_ARGS=	if [ $DO_P11 -eq 1 ]; then	        stty -echo	        echo -n "User PIN: "	        read -r PKCS11_PIN	        stty echo		export PKCS11_PIN		echo "Generating key pair on PKCS#11 token..."		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \			--login --pin "$PKCS11_PIN" \			--key-type rsa:1024 \			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1		PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"	fi        # Build cert/key	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \	        -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \	        -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \	        -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$KEY_CN.key" ) && \	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )	# Load certificate into PKCS#11 token	if [ $DO_P11 -eq 1 ]; then		$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \			--login --pin "$PKCS11_PIN" \			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 		[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"	fi    fi# Need definitionselse    need_varsfi