PEM file utilities and test CA script updates

src/utils/add-pem-password.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+    cat <<EOF
+
+USAGE: add-pem-password.sh [pemFilePath]
+
+pemFilePath  Provide the path to a PEM-formatted private key file
+
+Running this will read the current PEM file password then rewrite the file
+with AES-256 password encryption.
+
+EOF
+    exit 0
+fi
+
+set -e
+
+cleanup()
+{
+    set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+    read -p "Enter PEM private key file path:" PemFile
+else
+    PemFile=$1
+fi
+if [ ! -f "$PemFile" ]; then
+    >&2 echo "$PemFile does not exist"
+    exit 1
+fi
+
+openssl rsa  -aes256 -in "$PemFile" -out "$PemFile"

src/utils/convert-pfx-to-pem.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+    cat <<EOF
+
+USAGE: convert-pfx-to-pem.sh [pfxFilePath]
+
+pfxFilePath  Provide the path to a PFX or PKCS#12 file
+
+Running this prompt for the current PFX password if needed then write a PEM-formatted
+certificate file and a PEM-formatted private key file (no password).
+
+EOF
+    exit 0
+fi
+
+set -e
+
+cleanup()
+{
+    set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+    read -p "Enter PFX or PKCS#12 file path:" PfxFile
+else
+    PfxFile=$1
+fi
+if [ ! -f "$PfxFile" ]; then
+    >&2 echo "$PfxFile does not exist"
+    exit 1
+fi
+
+if [[ "$PfxFile" == *.p12 || "$PfxFile" == *.pfx ]]; then
+    PemBase=${PfxFile::-4}
+else
+    PemBase=$PfxFile
+fi
+
+>&2 echo "Extracting the private key to ${PemBase}.key.pem..."
+openssl pkcs12 -in "$PfxFile" -nocerts -out "${PemBase}.key.pem" -nodes
+
+>&2 echo "Extracting the certificate to ${PemBase}.cert.pem..."
+openssl pkcs12 -in "$PfxFile" -clcerts -nokeys -out "${PemBase}.cert.pem"

src/utils/new-test-ca.sh

@@ -1,5 +1,21 @@
 #!/bin/bash
 
+if [[ "$1" == "-h" ]]; then
+    cat <<EOF
+
+USAGE: new-test-ca.sh [caFriendlyName]
+
+caFriendlyName  Provide a partial name for CA subject DN
+
+Running this command will generate a directory representing a root CA and an
+intermediate CA from which you can create certificates for use with SPP. The
+friendly name will be used in the subject DN for the root CA and given a
+'-issuing' suffix for the intermediate CA.
+
+EOF
+    exit 0
+fi
+
 CurDir="$(pwd)"
 ScriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
@@ -13,13 +29,13 @@ cleanup()
 
 trap cleanup EXIT
 
-if [ ! -z "$1" ]; then
-    CaName=$1
-else
+if [ -z "$1" ]; then
     read -p "Enter CA friendly name:" CaName
     if [ -z "$CaName" ]; then
         CaName="test-ca"
     fi
+else
+    CaName=$1
 fi
 IntermediateCaName="issuing-$CaName"
 
@@ -292,6 +308,15 @@ authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
+[ tsa_cert ]
+# Extensions for tsa certificate (man x509v3_config).
+basicConstraints = CA:FALSE
+nsComment = "Generated TSA Certificate from $IntermediateCaName"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = timeStamping
+
 [ audit_cert ]
 # Extensions for audit certificate (man x509v3_config).
 basicConstraints = CA:FALSE

src/utils/new-test-cert.sh

@@ -13,8 +13,8 @@ cleanup()
 
 trap cleanup EXIT
 
-for dir in $(find $CurDir -type d); do 
-    if [ -d "$dir/certs" -a -d "$dir/issuing-$(basename $dir)" ]; then 
+for dir in $(find $CurDir -type d); do
+    if [ -d "$dir/certs" -a -d "$dir/issuing-$(basename $dir)" ]; then
         CaName=$(basename $dir)
         break
     fi
@@ -29,11 +29,14 @@ IntermediateCaName="issuing-$(basename $CaName)"
 print_usage()
 {
     cat <<EOF
-USAGE: new-test-cert.sh [-h]
-       new-test-cert.sh [client|server|audit]
+
+USAGE: new-test-cert.sh [client|server|audit|tsa]
 
 This script is meant to be run after running new-test-ca.sh.  It should be
-run from the same directory where new-test-ca.sh created your test CA.
+run from the same directory where new-test-ca.sh created your test CA. It
+will generate a client TLS (user authentication), server TLS (SSL), or
+audit log signing certificate for use with SPP.
+
 EOF
     exit 1
 }
@@ -62,11 +65,11 @@ if [ ! -z "$1" ]; then
     Type=$(echo "$1" | tr '[:upper:]' '[:lower:]')
 fi
 if [ -z "$Type" ]; then
-    read -p "Certificate Type [client/server/audit]:" Type
+    read -p "Certificate Type [client/server/audit/tsa]:" Type
 fi
 case $Type in
-    client|server|audit) ;;
-    *) echo "Must specify type of either client, server, or audit!"; print_usage ;;
+    client|server|audit|tsa) ;;
+    *) echo "Must specify type of either client, server, audit, or tsa!"; print_usage ;;
 esac
 
 read -p "Friendly Name:" Name
@@ -75,15 +78,13 @@ if [ -z "$Name" ]; then
     exit 1
 fi
 
-if [ "$Type" != "audit" ]; then
-    echo -e "OPTIONAL: Subject Alternative Names\n  <Just enter an empty string for none>"
-    if [ "$Type" = "client" ]; then
-        echo -e "  Ex. 'email:[email protected],URI:http://my.url.here/\n"
-    else
-        echo -e "  Ex. 'DNS:srv.domain.com,DNS:*.foo.baz,IP:1.2.3.4'\n"
-    fi
-    read -p "Enter all SANs, comma-delimited:" SubjAltNames
+echo -e "OPTIONAL: Subject Alternative Names\n  <Just enter an empty string for none>"
+if [ "$Type" = "client" ]; then
+    echo -e "  Ex. 'email:[email protected],URI:http://my.url.here/\n"
+else
+    echo -e "  Ex. 'DNS:srv.domain.com,DNS:*.foo.baz,IP:1.2.3.4'\n"
 fi
+read -p "Enter all SANs, comma-delimited:" SubjAltNames
 
 read -s -p "Specify password to protect private key:" Pass
 
@@ -98,7 +99,7 @@ if [ -z "$SubjAltNames" ]; then
     openssl req -config <(sed -e "s<= $IntermediateCaName<= $Name<g" $IntermediateCaName/openssl.cnf) \
         -key $IntermediateCaName/private/$Name.key.pem \
         -new -sha256 -out $IntermediateCaName/csr/$Name.csr.pem -passin file:<(echo $Pass)
-else 
+else
     openssl req -reqexts reqexts -config <(sed -e "s<= $IntermediateCaName<= $Name<g" \
             -e "s<\[ req \]<[ reqexts ]\nsubjectAltName=$SubjAltNames\n\n[ req ]<g" $IntermediateCaName/openssl.cnf) \
         -key $IntermediateCaName/private/$Name.key.pem \
@@ -108,32 +109,19 @@ fi
 echo -e "\nSigning CSR..."
 read -s -p "$IntermediateCaName private key password:" CaPass
 case $Type in
-    client)
-        if [ -z "$SubjAltNames" ]; then
-            openssl ca -extensions usr_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-                -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
-        else
-            openssl ca -extensions usr_cert -config <(sed -e "s<\[ usr_cert \]<[ usr_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
-                    $IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
-                -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
-        fi
-        ;;
-    server)
-        if [ -z "$SubjAltNames" ]; then
-            openssl ca -extensions usr_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-                -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
-        else
-            openssl ca -extensions server_cert -config <( sed -e "s<\[ server_cert \]<[ server_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
-                    $IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
-                -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
-        fi
-        ;;
-    audit)
-            openssl ca -extensions audit_cert -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
-                -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
-        ;;
-
+    client) T=usr ;;
+    server) T=server ;;
+    audit) T=audit ;;
+    tsa) T=tsa ;;
 esac
+if [ -z "$SubjAltNames" ]; then
+    openssl ca -extensions "${T}_cert" -config $IntermediateCaName/openssl.cnf -days 730 -notext -md sha256 \
+        -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
+else
+    openssl ca -extensions "${T}_cert" -config <( sed -e "s<\[ ${T}_cert \]<[ ${T}_cert ]\nsubjectAltName=$SubjAltNames\n<g" \
+            $IntermediateCaName/openssl.cnf) -days 730 -notext -md sha256 \
+        -in $IntermediateCaName/csr/$Name.csr.pem -out $IntermediateCaName/certs/$Name.cert.pem -passin file:<(echo $CaPass)
+fi
 chmod 444 $IntermediateCaName/certs/$Name.cert.pem
 openssl verify -CAfile $IntermediateCaName/certs/ca-chain.cert.pem $IntermediateCaName/certs/$Name.cert.pem
 
@@ -147,4 +135,3 @@ case $YN in
          cp $IntermediateCaName/private/$Name.key.pem $IntermediateCaName/certs/$Name.cert.pem $IntermediateCaName/private/$Name.p12 $CurDir
          ;;
 esac
-

src/utils/remove-pem-password.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [[ "$1" == "-h" ]]; then
+    cat <<EOF
+
+USAGE: remove-pem-password.sh [pemFilePath]
+
+pemFilePath  Provide the path to a PEM-formatted private key file
+
+Running this prompt for the current PEM file password then rewrite the file
+without password encryption.
+
+EOF
+    exit 0
+fi
+
+set -e
+
+cleanup()
+{
+    set +e
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+    read -p "Enter PEM private key file path:" PemFile
+else
+    PemFile=$1
+fi
+if [ ! -f "$PemFile" ]; then
+    >&2 echo "$PemFile does not exist"
+    exit 1
+fi
+
+openssl rsa -in "$PemFile" -out "$PemFile"