|
Xdev Host Manager
authored
2 days ago
|
1
|
#!/usr/bin/env bash
|
|
|
2
|
#
|
|
|
3
|
# ca_manager.sh - Local host certificate authority helper.
|
|
|
4
|
#
|
|
|
5
|
|
|
|
6
|
set -euo pipefail
|
|
|
7
|
|
|
|
8
|
CA_DIR="${HOST_MANAGER_CA_DIR:-/usr/local/xdev-host-manager/var/ca}"
|
|
|
9
|
OPENSSL="${OPENSSL:-openssl}"
|
|
|
10
|
DEFAULT_SUBJECT="/O=Xdev/OU=Madagascar/CN=Xdev Madagascar Local Host CA"
|
|
|
11
|
DEFAULT_DAYS=3650
|
|
|
12
|
HOST_CERT_DAYS=825
|
|
|
13
|
|
|
|
14
|
usage() {
|
|
|
15
|
cat <<EOF
|
|
|
16
|
Usage:
|
|
|
17
|
$0 init [subject]
|
|
|
18
|
$0 status-json
|
|
|
19
|
$0 list-json
|
|
|
20
|
$0 export-ca
|
|
|
21
|
$0 sign-csr name csr-file dns-name [dns-name...]
|
|
|
22
|
|
|
|
23
|
Notes:
|
|
|
24
|
- Run init/sign-csr as root.
|
|
|
25
|
- CA private key is stored outside git in \$HOST_MANAGER_CA_DIR/private.
|
|
|
26
|
- The web app only reads status, issued cert metadata, and the public CA cert.
|
|
|
27
|
EOF
|
|
|
28
|
}
|
|
|
29
|
|
|
|
30
|
die() {
|
|
|
31
|
printf '[ERROR] %s\n' "$*" >&2
|
|
|
32
|
exit 1
|
|
|
33
|
}
|
|
|
34
|
|
|
|
35
|
need_openssl() {
|
|
|
36
|
command -v "$OPENSSL" >/dev/null 2>&1 || die "openssl not found"
|
|
|
37
|
}
|
|
|
38
|
|
|
|
39
|
json_escape() {
|
|
|
40
|
perl -Mstrict -Mwarnings -e '
|
|
|
41
|
my $s = join("", <>);
|
|
|
42
|
$s =~ s/\\/\\\\/g;
|
|
|
43
|
$s =~ s/"/\\"/g;
|
|
|
44
|
$s =~ s/\n/\\n/g;
|
|
|
45
|
$s =~ s/\r/\\r/g;
|
|
|
46
|
$s =~ s/\t/\\t/g;
|
|
|
47
|
print qq{"$s"};
|
|
|
48
|
' <<< "${1:-}"
|
|
|
49
|
}
|
|
|
50
|
|
|
|
51
|
safe_name() {
|
|
|
52
|
local name="${1:-}"
|
|
|
53
|
[[ "$name" =~ ^[A-Za-z0-9_.-]+$ ]] || die "unsafe name: $name"
|
|
|
54
|
printf '%s' "$name"
|
|
|
55
|
}
|
|
|
56
|
|
|
|
57
|
ca_cert="$CA_DIR/certs/ca.cert.pem"
|
|
|
58
|
ca_key="$CA_DIR/private/ca.key.pem"
|
|
|
59
|
serial_file="$CA_DIR/serial.srl"
|
|
|
60
|
|
|
|
61
|
init_ca() {
|
|
|
62
|
need_openssl
|
|
|
63
|
local subject="${1:-$DEFAULT_SUBJECT}"
|
|
|
64
|
[[ ! -e "$ca_key" ]] || die "CA key already exists: $ca_key"
|
|
|
65
|
|
|
|
66
|
install -d -m 0755 "$CA_DIR" "$CA_DIR/certs" "$CA_DIR/csr" "$CA_DIR/issued" "$CA_DIR/requests"
|
|
|
67
|
install -d -m 0700 "$CA_DIR/private"
|
|
|
68
|
|
|
|
69
|
"$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$ca_key"
|
|
|
70
|
chmod 0600 "$ca_key"
|
|
|
71
|
|
|
|
72
|
"$OPENSSL" req -new -x509 -days "$DEFAULT_DAYS" -sha256 \
|
|
|
73
|
-key "$ca_key" \
|
|
|
74
|
-out "$ca_cert" \
|
|
|
75
|
-subj "$subject" \
|
|
|
76
|
-addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
|
|
|
77
|
-addext "keyUsage=critical,keyCertSign,cRLSign" \
|
|
|
78
|
-addext "subjectKeyIdentifier=hash"
|
|
|
79
|
|
|
|
80
|
chmod 0644 "$ca_cert"
|
|
|
81
|
chown -R root:host-manager "$CA_DIR" 2>/dev/null || true
|
|
|
82
|
chown root:root "$ca_key" 2>/dev/null || true
|
|
|
83
|
chmod 0600 "$ca_key"
|
|
|
84
|
}
|
|
|
85
|
|
|
|
86
|
cert_field() {
|
|
|
87
|
local cert="$1"
|
|
|
88
|
local field="$2"
|
|
|
89
|
case "$field" in
|
|
|
90
|
subject) "$OPENSSL" x509 -in "$cert" -noout -subject | sed 's/^subject=//' ;;
|
|
|
91
|
issuer) "$OPENSSL" x509 -in "$cert" -noout -issuer | sed 's/^issuer=//' ;;
|
|
|
92
|
not_before) "$OPENSSL" x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//' ;;
|
|
|
93
|
not_after) "$OPENSSL" x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//' ;;
|
|
|
94
|
fingerprint) "$OPENSSL" x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^sha256 Fingerprint=//' ;;
|
|
|
95
|
serial) "$OPENSSL" x509 -in "$cert" -noout -serial | sed 's/^serial=//' ;;
|
|
|
96
|
*) return 1 ;;
|
|
|
97
|
esac
|
|
|
98
|
}
|
|
|
99
|
|
|
|
100
|
status_json() {
|
|
|
101
|
need_openssl
|
|
|
102
|
if [[ ! -f "$ca_cert" ]]; then
|
|
|
103
|
printf '{"initialized":false,"ca_dir":'
|
|
|
104
|
json_escape "$CA_DIR"
|
|
|
105
|
printf ',"certificates":0}\n'
|
|
|
106
|
return
|
|
|
107
|
fi
|
|
|
108
|
|
|
|
109
|
local count=0
|
|
|
110
|
shopt -s nullglob
|
|
|
111
|
local cert
|
|
|
112
|
for cert in "$CA_DIR"/issued/*.cert.pem; do
|
|
|
113
|
count=$((count + 1))
|
|
|
114
|
done
|
|
|
115
|
shopt -u nullglob
|
|
|
116
|
|
|
|
117
|
printf '{"initialized":true'
|
|
|
118
|
printf ',"ca_dir":'; json_escape "$CA_DIR"
|
|
|
119
|
printf ',"subject":'; json_escape "$(cert_field "$ca_cert" subject)"
|
|
|
120
|
printf ',"not_before":'; json_escape "$(cert_field "$ca_cert" not_before)"
|
|
|
121
|
printf ',"not_after":'; json_escape "$(cert_field "$ca_cert" not_after)"
|
|
|
122
|
printf ',"fingerprint_sha256":'; json_escape "$(cert_field "$ca_cert" fingerprint)"
|
|
|
123
|
printf ',"certificates":%s' "$count"
|
|
|
124
|
printf '}\n'
|
|
|
125
|
}
|
|
|
126
|
|
|
|
127
|
list_json() {
|
|
|
128
|
need_openssl
|
|
|
129
|
printf '['
|
|
|
130
|
local first=1 cert name
|
|
|
131
|
shopt -s nullglob
|
|
|
132
|
for cert in "$CA_DIR"/issued/*.cert.pem; do
|
|
|
133
|
name="$(basename "$cert" .cert.pem)"
|
|
|
134
|
if [[ "$first" -eq 0 ]]; then
|
|
|
135
|
printf ','
|
|
|
136
|
fi
|
|
|
137
|
first=0
|
|
|
138
|
printf '{"name":'; json_escape "$name"
|
|
|
139
|
printf ',"subject":'; json_escape "$(cert_field "$cert" subject)"
|
|
|
140
|
printf ',"issuer":'; json_escape "$(cert_field "$cert" issuer)"
|
|
|
141
|
printf ',"serial":'; json_escape "$(cert_field "$cert" serial)"
|
|
|
142
|
printf ',"not_before":'; json_escape "$(cert_field "$cert" not_before)"
|
|
|
143
|
printf ',"not_after":'; json_escape "$(cert_field "$cert" not_after)"
|
|
|
144
|
printf ',"fingerprint_sha256":'; json_escape "$(cert_field "$cert" fingerprint)"
|
|
|
145
|
printf '}'
|
|
|
146
|
done
|
|
|
147
|
shopt -u nullglob
|
|
|
148
|
printf ']\n'
|
|
|
149
|
}
|
|
|
150
|
|
|
|
151
|
export_ca() {
|
|
|
152
|
[[ -f "$ca_cert" ]] || die "CA is not initialized"
|
|
|
153
|
cat "$ca_cert"
|
|
|
154
|
}
|
|
|
155
|
|
|
|
156
|
sign_csr() {
|
|
|
157
|
need_openssl
|
|
|
158
|
[[ -f "$ca_key" && -f "$ca_cert" ]] || die "CA is not initialized"
|
|
|
159
|
local name csr days ext cert
|
|
|
160
|
name="$(safe_name "${1:-}")"
|
|
|
161
|
csr="${2:-}"
|
|
|
162
|
shift 2 || true
|
|
|
163
|
[[ -f "$csr" ]] || die "missing CSR file: $csr"
|
|
|
164
|
[[ "$#" -ge 1 ]] || die "at least one DNS SAN is required"
|
|
|
165
|
|
|
|
166
|
cert="$CA_DIR/issued/$name.cert.pem"
|
|
|
167
|
[[ ! -e "$cert" ]] || die "certificate already exists: $cert"
|
|
|
168
|
ext="$(mktemp)"
|
|
|
169
|
{
|
|
|
170
|
printf 'basicConstraints=critical,CA:FALSE\n'
|
|
|
171
|
printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
|
|
|
172
|
printf 'extendedKeyUsage=serverAuth,clientAuth\n'
|
|
|
173
|
printf 'subjectAltName='
|
|
|
174
|
local first=1 dns
|
|
|
175
|
for dns in "$@"; do
|
|
|
176
|
[[ "$dns" =~ ^[A-Za-z0-9_.-]+$ ]] || die "unsafe DNS SAN: $dns"
|
|
|
177
|
if [[ "$first" -eq 0 ]]; then
|
|
|
178
|
printf ','
|
|
|
179
|
fi
|
|
|
180
|
first=0
|
|
|
181
|
printf 'DNS:%s' "$dns"
|
|
|
182
|
done
|
|
|
183
|
printf '\n'
|
|
|
184
|
} > "$ext"
|
|
|
185
|
|
|
|
186
|
cp "$csr" "$CA_DIR/csr/$name.csr.pem"
|
|
|
187
|
"$OPENSSL" x509 -req -sha256 \
|
|
|
188
|
-in "$csr" \
|
|
|
189
|
-CA "$ca_cert" \
|
|
|
190
|
-CAkey "$ca_key" \
|
|
|
191
|
-CAserial "$serial_file" \
|
|
|
192
|
-CAcreateserial \
|
|
|
193
|
-days "$HOST_CERT_DAYS" \
|
|
|
194
|
-extfile "$ext" \
|
|
|
195
|
-out "$cert"
|
|
|
196
|
rm -f "$ext"
|
|
|
197
|
chmod 0644 "$cert" "$CA_DIR/csr/$name.csr.pem"
|
|
|
198
|
chown root:host-manager "$cert" "$CA_DIR/csr/$name.csr.pem" 2>/dev/null || true
|
|
|
199
|
printf '%s\n' "$cert"
|
|
|
200
|
}
|
|
|
201
|
|
|
|
202
|
cmd="${1:-}"
|
|
|
203
|
case "$cmd" in
|
|
|
204
|
init) shift; init_ca "$@" ;;
|
|
|
205
|
status-json) status_json ;;
|
|
|
206
|
list-json) list_json ;;
|
|
|
207
|
export-ca) export_ca ;;
|
|
|
208
|
sign-csr) shift; sign_csr "$@" ;;
|
|
|
209
|
-h|--help|help|'') usage ;;
|
|
|
210
|
*) die "unknown command: $cmd" ;;
|
|
|
211
|
esac
|