Merge pull request #55 from petrsnd/pemutils
PEM file utilities and test CA script updates
petrsnd authored Oct 19, 2022
2 parents a5a5448 + 4492d3f commit 9507159
Showing 5 changed files with 176 additions and 46 deletions.
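--- a/src/utils/add-pem-password.sh
+++ b/src/utils/add-pem-password.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+cat <<EOF
+USAGE: add-pem-password.sh [pemFilePath]
+pemFilePath Provide the path to a PEM-formatted private key file
+Running this will read the current PEM file password then rewrite the file
+with AES-256 password encryption.
+EOF
+exit 0
+fi
+
+set -e
+
+cleanup()
+{
+set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+read -p "Enter PEM private key file path:" PemFile
+else
+PemFile=$1
+fi
+if [ ! -f "$PemFile" ]; then
+>&2 echo "$PemFile does not exist"
+exit 1
+fi
+
+openssl rsa -aes256 -in "$PemFile" -out "$PemFile"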
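Review bot: The final `openssl rsa -aes256 -in "$PemFile" -out "$PemFile"` rewrites the key file in place, so if the run fails after the output has been opened for writing (as far as I can tell the new-passphrase prompt happens after that point, so a mismatched or aborted prompt is enough) the original key is truncated and no copy is left; write to a sibling temporary file and rename over the original only on success, `Tmp=$(mktemp "${PemFile}.XXXXXX")`, `openssl pkey -aes256 -in "$PemFile" -out "$Tmp"`, `mv -f -- "$Tmp" "$PemFile"`. Switching from `openssl rsa` to `openssl pkey` also matters for what gets written: `rsa -aes256` emits legacy `DEK-Info` PEM encryption whose key derivation is a single MD5 pass, whereas `pkey` writes PKCS#8 with PBKDF2, and it accepts EC and other non-RSA keys, which the usage text does not exclude. The `cleanup` trap only runs `set +e`, so it does nothing useful on failure; with the temporary file in place, `trap 'rm -f -- "$Tmp"' EXIT` would be the cleanup worth having. The same in-place rewrite pattern is in remove-pem-password.sh.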
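--- a/src/utils/convert-pfx-to-pem.sh
+++ b/src/utils/convert-pfx-to-pem.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+cat <<EOF
+USAGE: convert-pfx-to-pem.sh [pfxFilePath]
+pfxFilePath Provide the path to a PFX or PKCS#12 file
+Running this prompt for the current PFX password if needed then write a PEM-formatted
+certificate file and a PEM-formatted private key file (no password).
+EOF
+exit 0
+fi
+
+set -e
+
+cleanup()
+{
+set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+read -p "Enter PFX or PKCS#12 file path:" PfxFile
+else
+PfxFile=$1
+fi
+if [ ! -f "$PfxFile" ]; then
+>&2 echo "$PfxFile does not exist"
+exit 1
+fi
+
+if [[ "$PfxFile" == *.p12 || "$PfxFile" == *.pfx ]]; then
+PemBase=${PfxFile::-4}
+else
+PemBase=$PfxFile
+fi
+
+>&2 echo "Extracting the private key to ${PemBase}.key.pem..."
+openssl pkcs12 -in "$PfxFile" -nocerts -out "${PemBase}.key.pem" -nodes
+
+>&2 echo "Extracting the certificate to ${PemBase}.cert.pem..."
+openssl pkcs12 -in "$PfxFile" -clcerts -nokeys -out "${PemBase}.cert.pem"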
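Review bot: The private key extracted by `openssl pkcs12 -in "$PfxFile" -nocerts -out "${PemBase}.key.pem" -nodes` is written unencrypted, and nothing in the script restricts that file's mode or checks whether the path already exists, so under a permissive umask the plaintext key can be created world-readable (unless this openssl build tightens the mode itself) and an existing key file at that path is silently overwritten. Add `umask 077` right after `set -e` (the certificate file can be relaxed afterwards with `chmod` if it needs to be shared) and guard the target, `[ ! -e "${PemBase}.key.pem" ] || { >&2 echo "${PemBase}.key.pem already exists"; exit 1; }`. `PemBase=${PfxFile::-4}` requires bash 4.2 or newer and fails on the bash 3.2 still shipped with macOS; `PemBase=${PfxFile%.p12}; PemBase=${PemBase%.pfx}` produces the same value on any bash and makes the surrounding if/else unnecessary. The usage sentence `Running this prompt for the current PFX password if needed then write a PEM-formatted` should read `Running this will prompt for the current PFX password if needed, then write a PEM-formatted`.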
31 changes: 28 additions & 3 deletions src/utils/new-test-ca.sh
@@ -1,5 +1,21 @@
#!/bin/bash

if [[ "$1" == "-h" ]]; then
cat <<EOF
USAGE: new-test-ca.sh [caFriendlyName]
caFriendlyName Provide a partial name for CA subject DN
Running this command will generate a directory representing a root CA and an
intermediate CA from which you can create certificates for use with SPP. The
friendly name will be used in the subject DN for the root CA and given a
'-issuing' suffix for the intermediate CA.
EOF
exit 0
fi

CurDir="$(pwd)"
ScriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

@@ -13,13 +29,13 @@ cleanup()

trap cleanup EXIT

if [ ! -z "$1" ]; then
CaName=$1
else
if [ -z "$1" ]; then
read -p "Enter CA friendly name:" CaName
if [ -z "$CaName" ]; then
CaName="test-ca"
fi
else
CaName=$1
fi
IntermediateCaName="issuing-$CaName"

@@ -292,6 +308,15 @@ authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ tsa_cert ]
# Extensions for tsa certificate (man x509v3_config).
basicConstraints = CA:FALSE
nsComment = "Generated TSA Certificate from $IntermediateCaName"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = timeStamping
[ audit_cert ]
# Extensions for audit certificate (man x509v3_config).
basicConstraints = CA:FALSE
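Review bot: The new `[ tsa_cert ]` section sets `extendedKeyUsage = timeStamping` without the critical flag, but RFC 3161 section 2.3 requires a TSA signing certificate to carry exactly one EKU, id-kp-timeStamping, marked critical, and OpenSSL's timestamp-signing purpose check (which `openssl ts -verify` applies to the signer certificate) rejects a non-critical EKU, so tokens signed with this profile will not verify; change the line to `extendedKeyUsage = critical, timeStamping`. The same purpose check also rejects a keyUsage carrying bits other than digitalSignature and nonRepudiation, and `keyUsage = critical, digitalSignature, keyEncipherment` includes keyEncipherment, which a signing-only TSA key does not need; `keyUsage = critical, digitalSignature` is the profile that passes. The rest of the section (`basicConstraints = CA:FALSE`, `subjectKeyIdentifier = hash`, `authorityKeyIdentifier = keyid,issuer:always`) is consistent with the neighbouring `audit_cert` profile. This block sits inside a larger configuration heredoc whose start and end are outside the hunk.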
73 changes: 30 additions & 43 deletions src/utils/new-test-cert.sh
@@ -13,8 +13,8 @@ cleanup()

trap cleanup EXIT

for dir in $(find $CurDir -type d); do
if [ -d "$dir/certs" -a -d "$dir/issuing-$(basename $dir)" ]; then
for dir in $(find $CurDir -type d); do
if [ -d "$dir/certs" -a -d "$dir/issuing-$(basename $dir)" ]; then
CaName=$(basename $dir)
break
fi
@@ -29,11 +29,14 @@ IntermediateCaName="issuing-$(basename $CaName)"
print_usage()
{
cat <<EOF
USAGE: new-test-cert.sh [-h]
new-test-cert.sh [client|server|audit]
USAGE: new-test-cert.sh [client|server|audit|tsa]
This script is meant to be run after running new-test-ca.sh. It should be
run from the same directory where new-test-ca.sh created your test CA.
run from the same directory where new-test-ca.sh created your test CA. It
will generate a client TLS (user authentication), server TLS (SSL), or
audit log signing certificate for use with SPP.
EOF
exit 1
}
@@ -62,11 +65,11 @@ if [ ! -z "$1" ]; then
Type=$(echo "$1" | tr '[:upper:]' '[:lower:]')
fi
if [ -z "$Type" ]; then
read -p "Certificate Type [client/server/audit]:" Type
read -p "Certificate Type [client/server/audit/tsa]:" Type
fi
case $Type in
client|server|audit) ;;
*) echo "Must specify type of either client, server, or audit!"; print_usage ;;
client|server|audit|tsa) ;;
*) echo "Must specify type of either client, server, audit, or tsa!"; print_usage ;;
esac

read -p "Friendly Name:" Name
@@ -75,15 +78,13 @@ if [ -z "$Name" ]; then
exit 1
fi

if [ "$Type" != "audit" ]; then
echo -e "OPTIONAL: Subject Alternative Names\n <Just enter an empty string for none>"
if [ "$Type" = "client" ]; then
echo -e " Ex. 'email:me@foo.baz,URI:http://my.url.here/\n"
else
echo -e " Ex. 'DNS:srv.domain.com,DNS:*.foo.baz,IP:1.2.3.4'\n"
fi
read -p "Enter all SANs, comma-delimited:" SubjAltNames
echo -e "OPTIONAL: Subject Alternative Names\n <Just enter an empty string for none>"
if [ "$Type" = "client" ]; then
echo -e " Ex. 'email:me@foo.baz,URI:http://my.url.here/\n"
else
echo -e " Ex. 'DNS:srv.domain.com,DNS:*.foo.baz,IP:1.2.3.4'\n"
fi
read -p "Enter all SANs, comma-delimited:" SubjAltNames

read -s -p "Specify password to protect private key:" Pass

@@ -98,7 +99,7 @@ if [ -z "$SubjAltNames" ]; then
openssl req -config <(sed -e "s<= $IntermediateCaName<= $Name<g" $IntermediateCaName/openssl.cnf) \
-key $IntermediateCaName/private/$Name.key.pem \
-new -sha256 -out $IntermediateCaName/csr/$Name.csr.pem -passin file:<(echo $Pass)
else
else
openssl req -reqexts reqexts -config <(sed -e "s<= $IntermediateCaName<= $Name<g" \
-e "s<\[ req \]<[ reqexts ]\nsubjectAltName=$SubjAltNames\n\n[ req ]<g" $IntermediateCaName/openssl.cnf) \
-key $IntermediateCaName/private/$Name.key.pem \
@@ -108,32 +109,19 @@ fi
echo -e "\nSigning CSR..."
read -s -p "$IntermediateCaName private key password:" CaPass
case $Type in
client)
if [ -z "$SubjAltNames" ]; then
openssl ca -extensions usr_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
else
openssl ca -extensions usr_cert -config <(sed -e "s<\[ usr_cert \]<[ usr_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
$IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
fi
;;
server)
if [ -z "$SubjAltNames" ]; then
openssl ca -extensions usr_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
else
openssl ca -extensions server_cert -config <( sed -e "s<\[ server_cert \]<[ server_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
$IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
fi
;;
audit)
openssl ca -extensions audit_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
;;

client) T=usr ;;
server) T=server ;;
audit) T=audit ;;
tsa) T=tsa ;;
esac
if [ -z "$SubjAltNames" ]; then
openssl ca -extensions "${T}_cert" -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
else
openssl ca -extensions "${T}_cert" -config <( sed -e "s<\[ ${T}_cert \]<[ ${T}_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
$IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
-in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
fi
chmod 444 $IntermediateCaName/certs/$Name.cert.pem
openssl verify -CAfile $IntermediateCaName/certs/ca-chain.cert.pem $IntermediateCaName/certs/$Name.cert.pem

@@ -147,4 +135,3 @@ case $YN in
cp $IntermediateCaName/private/$Name.key.pem $IntermediateCaName/certs/$Name.cert.pem $IntermediateCaName/private/$Name.p12 $CurDir
;;
esac
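Review bot: In the rewritten signing step (`openssl ca -extensions "${T}_cert" -config <( sed -e "s<\[ ${T}_cert \]<[ ${T}_cert ]\nsubjectAltName=$SubjAltNames\n<g" ...`) and the CSR step before it, `$SubjAltNames` is spliced verbatim into the generated openssl.cnf through a sed program delimited by `<`, so a SAN list containing `<` terminates the substitution early and alters the sed script and the resulting configuration instead of failing cleanly, and the same sed is keyed on `$Name`, which is also expanded unquoted in every path argument. Reject the delimiter before use, `case $SubjAltNames in *'<'*) >&2 echo "SAN list must not contain '<'"; exit 1 ;; esac`, and quote the paths, e.g. `-in "$IntermediateCaName/csr/$Name.csr.pem" -out "$IntermediateCaName/certs/$Name.cert.pem"`. The passphrases are passed through `-passin file:<(echo $CaPass)` and `file:<(echo $Pass)` unquoted, so a passphrase containing spaces or beginning with `-n` or `-e` is mangled; `file:<(printf '%s\n' "$CaPass")` preserves it. The usage text now advertises `[client|server|audit|tsa]` but the description still says the script generates "a client TLS (user authentication), server TLS (SSL), or audit log signing certificate"; append `, or RFC 3161 timestamping (tsa)` so the new type is documented. Several of these hunks begin and end mid-block, so the surrounding control flow is not visible here.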

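--- a/src/utils/remove-pem-password.sh
+++ b/src/utils/remove-pem-password.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+cat <<EOF
+USAGE: remove-pem-password.sh [pemFilePath]
+pemFilePath Provide the path to a PEM-formatted private key file
+Running this prompt for the current PEM file password then rewrite the file
+without password encryption.
+EOF
+exit 0
+fi
+
+set -e
+
+cleanup()
+{
+set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+read -p "Enter PEM private key file path:" PemFile
+else
+PemFile=$1
+fi
+if [ ! -f "$PemFile" ]; then
+>&2 echo "$PemFile does not exist"
+exit 1
+fi
+
+openssl rsa -in "$PemFile" -out "$PemFile"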
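Review bot: `openssl rsa -in "$PemFile" -out "$PemFile"` strips the passphrase but rewrites the existing file in place, and truncating an existing file does not change its mode, so the now-plaintext key keeps whatever permissions the encrypted file had, which may be group- or world-readable for a key that was previously protected only by its passphrase. Add `chmod 600 "$PemFile"` after the rewrite, or better write to a `mktemp` file (created 0600) and `mv -f` it over the original so a failed run cannot also truncate the only copy. `openssl pkey -in "$PemFile" -out "$Tmp"` would in addition handle EC and other non-RSA keys, which the usage text does not exclude. The usage sentence `Running this prompt for the current PEM file password then rewrite the file` should read `Running this will prompt for the current PEM file password, then rewrite the file`.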
