Author: Paolo Lulli <paolo@lulli.net>
Clean up + VPN feature
iron-vpn/openvpn-create-client.sh | 113 -------------------- iron-vpn/openvpn-create-server.sh | 95 ---------------- | 0 | 0 iron/bin/Makefile.in | 2 iron/debian/control | 4 iron/libexec/Makefile.am | 9 iron/libexec/Makefile.in | 5 iron/libexec/iron/iron-ca | 87 +++++++------- iron/libexec/iron/iron-ca~ | 88 +++++++++++++++ iron/libexec/iron/iron-certificate | 16 +- iron/libexec/iron/iron-certificate~ | 175 +++++++++++++++++------------- iron/libexec/iron/iron-client | 10 iron/libexec/iron/iron-pkcs12 | 142 ++++++++++++------------ iron/libexec/iron/iron-pkcs12~ | 109 +++++++++++++++++++ iron/libexec/iron/iron-service | 139 +++++++++++++----------- iron/libexec/iron/iron-service~ | 134 +++++++++++++++++++++++ iron/libexec/iron/iron-ssh-ca~ | 34 +++--
diff --git a/iron/bin/Makefile.in b/iron/bin/Makefile.in index 2b82b82b5fb7bf278e283f0859a275465660f5ae..8aeadbb4ccd2d8eab41e55cadfcdf6b36b523dbb 100644 --- a/iron/bin/Makefile.in +++ b/iron/bin/Makefile.in @@ -221,7 +221,7 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -dist_bin_SCRIPTS = iron +dist_bin_SCRIPTS = iron ironcrypt drawer all: all-am .SUFFIXES: diff --git a/iron/debian/control b/iron/debian/control index e176ae3ee2126c6a8e3b2eb716921bce736b83e5..01255c843c9a5bd3ce7eee1a241bca17a04aa6c9 100644 --- a/iron/debian/control +++ b/iron/debian/control @@ -1,9 +1,9 @@ Package: iron -Version: 1.0-2 +Version: 1.0-4 Section: base Priority: optional Architecture: all -Depends: openssl +Depends: openssl, easy-rsa Maintainer: Paolo Lulli <paolo@lulli.net> Description: Iron CA, server and client cert management manage a local CA, create server certificates, create client CSR diff --git a/iron/libexec/Makefile.am b/iron/libexec/Makefile.am index 7ec1253861104762370c488f36d99bc6bacda10f..38b3e8935600855d708e3857fb09beff59895ec8 100644 --- a/iron/libexec/Makefile.am +++ b/iron/libexec/Makefile.am @@ -13,7 +13,8 @@ iron/iron-service\ iron/iron-keystore\ iron/iron-pkcs12\ iron/iron-debug\ - iron-ssh-host\ - iron-ssh-user\ - iron-ssh-ca - + iron/iron-ssh-host\ + iron/iron-ssh-user\ + iron/iron-ssh-ca\ + iron/iron-vpn-server\ + iron/iron-vpn-client diff --git a/iron/libexec/Makefile.in b/iron/libexec/Makefile.in index a746c01bc6964f663f9ef83be5c9153ce62f6a8a..586965c3d621ed3194e4090b0686a8635971af1a 100644 --- a/iron/libexec/Makefile.in +++ b/iron/libexec/Makefile.in @@ -236,7 +236,10 @@ iron/iron-client\ iron/iron-service\ iron/iron-keystore\ iron/iron-pkcs12\ - iron/iron-debug + iron/iron-debug\ + iron/iron-ssh-host\ + iron/iron-ssh-user\ + iron/iron-ssh-ca all: all-am 
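Review bot: `iron/libexec/Makefile.in` is committed out of sync with `iron/libexec/Makefile.am`: the `.am` hunk adds `iron/iron-vpn-server` and `iron/iron-vpn-client` to the install list, but the `.in` hunk only adds the three `iron-ssh-*` entries, so a build that does not rerun automake will not install the VPN scripts this commit is named for. The diffstat also lists no `iron/libexec/iron/iron-vpn-server` or `iron-vpn-client` additions, so unless those files already exist in the tree, `make dist`/`make install` will fail on the `.am` entries. Either regenerate `Makefile.in` (its list should end `iron/iron-ssh-ca\`, `iron/iron-vpn-server\`, `iron/iron-vpn-client`) or stop tracking the generated file. `debian/control` adds `easy-rsa` as a hard dependency although every visible hunk still drives `openssl` directly; if only the VPN scripts need it, consider `Recommends:` and say so in the description.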
diff --git a/iron/libexec/iron/iron-ca b/iron/libexec/iron/iron-ca
index ae29d3c293b1f81e305d56542fb9bbe9a3e7f92b..7d2c1176e88fa692dd5432aecf4991a662514530 100755
--- a/iron/libexec/iron/iron-ca
+++ b/iron/libexec/iron/iron-ca
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /bin/bash
 # Usage: iron ca <setup|create|delete|reset>
 # Summary: manage CA
 # Help: This command groups commands used to setup config create delete a CA
@@ -13,37 +13,37 @@ CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') function ca_create() { - test -d $CAPATH || mkdir -p ./$CAPATH - CA_DAYS=3650 - openssl genrsa -out $CAPATH/ca.key 2048 - openssl req -batch -new -key $CAPATH/ca.key -out $CAPATH/ca.csr -config $CA_CONFIG_FILE - openssl x509 -req -days ${CA_DAYS} -in $CAPATH/ca.csr -signkey $CAPATH/ca.key -out $CAPATH/ca.crt + test -d $CAPATH || mkdir -p ./$CAPATH + CA_DAYS=3650 + openssl genrsa -out $CAPATH/ca.key 2048 + openssl req -batch -new -key $CAPATH/ca.key -out $CAPATH/ca.csr -config $CA_CONFIG_FILE + openssl x509 -req -days ${CA_DAYS} -in $CAPATH/ca.csr -signkey $CAPATH/ca.key -out $CAPATH/ca.crt } function ca_home_setup_delete() { - echo "About to DELETE ca: are you sure? y/n" - read confirmation - if [ "$confirmation" = "y" ]; then - (rm -fr $RCDIR/CA ; rm $RCFILE) && echo "CA DELETED" - else - echo "SKIPPING" - exit -1 - fi + echo "About to DELETE ca: are you sure? y/n" + read confirmation + if [ "$confirmation" = "y" ]; then + (rm -fr $RCDIR/CA ; rm $RCFILE) && echo "CA DELETED" + else + echo "SKIPPING" + exit -1 + fi } function ca_home_setup_write() { - test -d $RCDIR/CA && ( echo "CA exist, please delete before" && exit -1) - test -d $RCDIR/CA || mkdir -p $RCDIR/CA - test -d $RCDIR/CA/conf || mkdir -p $RCDIR/CA/conf - echo "CAPATH=$RCDIR/CA">${RCFILE} - echo "CA_CONFIG_FILE=$RCDIR/CA/conf/openssl-ca.conf">>${RCFILE} + test -d $RCDIR/CA && ( echo "CA exist, please delete before" && exit -1) + test -d $RCDIR/CA || mkdir -p $RCDIR/CA + test -d $RCDIR/CA/conf || mkdir -p $RCDIR/CA/conf + echo "CAPATH=$RCDIR/CA">${RCFILE} + echo "CA_CONFIG_FILE=$RCDIR/CA/conf/openssl-ca.conf">>${RCFILE} cat<<__EOF__ >$RCDIR/CA/conf/openssl-ca.conf RANDFILE = $ENV::HOME/.rnd [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes 
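Review bot: `ca_create` writes the CA private key with `openssl genrsa -out $CAPATH/ca.key 2048` under the caller's default umask and without a passphrase, so with a typical 022 umask `ca.key` ends up world-readable; wrap it as `(umask 077; openssl genrsa -out "$CAPATH/ca.key" 2048)` or follow it with `chmod 600 "$CAPATH/ca.key"`. The next line, `openssl x509 -req ... -signkey`, issues the root certificate with no `-extfile`, so it carries no `basicConstraints = CA:TRUE` or `keyUsage = keyCertSign` (on pre-3.0 OpenSSL this is even a v1 certificate), and stricter verifiers may refuse to treat it as a CA; pass an extension file with those two lines. In `ca_home_setup_write`, `test -d $RCDIR/CA && ( echo "CA exist, please delete before" && exit -1)` exits only the subshell, so an existing CA's `default-ca.env` and `openssl-ca.conf` are overwritten regardless; use `{ echo "CA exist, please delete before" >&2; exit 1; }`. Every `$CAPATH`/`$RCDIR` expansion in the hunk is unquoted.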
@@ -52,14 +52,13 @@ #output_password = abadpass default_days =3650 [ req_distinguished_name ] -C = IT -ST = Italia -L = Roma -O = service.lulli.net -OU = service.lulli.net -#CN = ca.service.lulli.net -CN = service.lulli.net -emailAddress = info@service.lulli.net +C = SE +ST = Sweden +L = Göteborg +O = kevwe.se +OU = kevwe.se +CN = kevwe.se +emailAddress = cto@kevwe.se [ req_attributes ] challengePassword = blablabla @@ -67,22 +66,22 @@ __EOF__ } if [ "$#" = 1 ];then - operation=$1 - RCFILE="$HOME/"."$APPNAME/default-ca"".env" - if [ "$operation" = "create" ]; then - test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit -1) - source ${RCFILE} - ca_create - fi - if [ "$operation" = "setup" ]; then - test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit 0) - #source ${RCFILE} - fi - if [ "$operation" = "delete" ]; then - ca_home_setup_delete - fi + operation=$1 + RCFILE="$HOME/"."$APPNAME/default-ca"".env" + if [ "$operation" = "create" ]; then + test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit -1) + source ${RCFILE} + ca_create + fi + if [ "$operation" = "setup" ]; then + test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit 0) + #source ${RCFILE} + fi + if [ "$operation" = "delete" ]; then + ca_home_setup_delete + fi else - echo "Usage: iron ca <create|setup|delete>" - exit -1 + echo "Usage: iron ca <create|setup|delete>" + exit -1 fi diff --git a/iron/libexec/iron/iron-ca~ b/iron/libexec/iron/iron-ca~ new file mode 100644 index 0000000000000000000000000000000000000000..ae29d3c293b1f81e305d56542fb9bbe9a3e7f92b --- /dev/null +++ b/iron/libexec/iron/iron-ca~ 
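Review bot: The `create` branch still mints the CA on first invocation, because `test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit -1)` exits only the `( … )` subshell: the template is written, control falls through to `source ${RCFILE}`, and `ca_create` immediately issues a ten-year CA with the placeholder subject (`CN = kevwe.se`, `emailAddress = cto@kevwe.se`) the user was just told to edit. Replace it with `if [ ! -f "${RCFILE}" ]; then ca_home_setup_write; echo "Edit values in ${RCFILE}" >&2; exit 1; fi` (note `exit -1` is not a valid status and becomes 255). The generated config also still hardcodes `challengePassword = blablabla`, which is embedded as a CSR attribute; drop the line or leave it commented as the `iron-service` template does.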
@@ -0,0 +1,88 @@ +#! /bin/bash +# Usage: iron ca <setup|create|delete|reset> +# Summary: manage CA +# Help: This command groups commands used to setup config create delete a CA + + +APPNAME="iron" +CURRDIR=$(pwd) + +RCDIR=$HOME/.$APPNAME +test -d $RCDIR || mkdir -p $RCDIR +CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') + +function ca_create() +{ + test -d $CAPATH || mkdir -p ./$CAPATH + CA_DAYS=3650 + openssl genrsa -out $CAPATH/ca.key 2048 + openssl req -batch -new -key $CAPATH/ca.key -out $CAPATH/ca.csr -config $CA_CONFIG_FILE + openssl x509 -req -days ${CA_DAYS} -in $CAPATH/ca.csr -signkey $CAPATH/ca.key -out $CAPATH/ca.crt +} + +function ca_home_setup_delete() +{ + echo "About to DELETE ca: are you sure? y/n" + read confirmation + if [ "$confirmation" = "y" ]; then + (rm -fr $RCDIR/CA ; rm $RCFILE) && echo "CA DELETED" + else + echo "SKIPPING" + exit -1 + fi +} + +function ca_home_setup_write() +{ + test -d $RCDIR/CA && ( echo "CA exist, please delete before" && exit -1) + test -d $RCDIR/CA || mkdir -p $RCDIR/CA + test -d $RCDIR/CA/conf || mkdir -p $RCDIR/CA/conf + echo "CAPATH=$RCDIR/CA">${RCFILE} + echo "CA_CONFIG_FILE=$RCDIR/CA/conf/openssl-ca.conf">>${RCFILE} + cat<<__EOF__ >$RCDIR/CA/conf/openssl-ca.conf +RANDFILE = $ENV::HOME/.rnd + +[ req ] +default_bits = 1024 +default_keyfile = keyfile.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +#output_password = abadpass +default_days =3650 + +[ req_distinguished_name ] +C = IT +ST = Italia +L = Roma +O = service.lulli.net +OU = service.lulli.net +#CN = ca.service.lulli.net +CN = service.lulli.net +emailAddress = info@service.lulli.net + +[ req_attributes ] +challengePassword = blablabla +__EOF__ +} + +if [ "$#" = 1 ];then + operation=$1 + RCFILE="$HOME/"."$APPNAME/default-ca"".env" + if [ "$operation" = "create" ]; then + test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit -1) + source ${RCFILE} + ca_create + fi + if [ "$operation" = "setup" ]; 
then + test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit 0) + #source ${RCFILE} + fi + if [ "$operation" = "delete" ]; then + ca_home_setup_delete + fi +else + echo "Usage: iron ca <create|setup|delete>" + exit -1 +fi + diff --git a/iron/libexec/iron/iron-certificate b/iron/libexec/iron/iron-certificate index d0ad3add0782e95a72dbacf1c5311969766cd466..682a2fb72e7394f7f95c50f88440695de5c9c681 100755 --- a/iron/libexec/iron/iron-certificate +++ b/iron/libexec/iron/iron-certificate @@ -1,7 +1,7 @@ #! /bin/bash # Usage: $iron certificate <sign> <filename> # Summary: create certificates -# Help: This command groups commands used to setup config create delete a CA +# Help: This command groups commands used to setup config create delete a certificate APPNAME="iron" CURRDIR=$(pwd) @@ -18,9 +18,6 @@ client=$(basename $csrfile | sed -e 's/.csr$//') CLIENT_CERTPATH=$RCDIR/$service/certs CP=$CLIENT_CERTPATH/$client test -d ${CP} || mkdir -p ${CP} -# TODO: add v3 extension -# https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr -# https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15 openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt } @@ -55,9 +52,9 @@ scp -i $remote_ssh_identity_file $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr else scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr fi - + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt - + if [ -f $remote_ssh_identity_file ]; then scp -i $remote_ssh_identity_file $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir else 
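Review bot: `iron/libexec/iron/iron-ca~` is an editor backup of the pre-change script and should not be committed; the diffstat shows the same for `iron-certificate~`, `iron-pkcs12~`, `iron-service~` and `iron-ssh-ca~`. Beyond the clutter, these copies keep the superseded `default_bits = 1024` template and the previous maintainer's DN and e-mail address in the tree, and could be picked up next to the real scripts if `libexec/iron` is ever globbed at packaging time. Remove them with `git rm --cached 'iron/libexec/iron/*~'` and add `*~` to `.gitignore`.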
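Review bot: Dropping the `# TODO: add v3 extension` comment in `certificate_sign` leaves the gap it described unfixed: `openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt` passes no `-extfile`, and `x509 -req` does not copy extensions from the CSR unless asked (`-copy_extensions`, OpenSSL 3), so every issued client certificate lacks `basicConstraints = CA:FALSE`, `keyUsage` and `extendedKeyUsage = clientAuth`, and any SAN the requester put in the CSR is silently dropped. This commit already writes a `v3.ext` for services in `iron-service`; do the equivalent here and append `-extfile "$RCDIR/$service/conf/client-v3.ext"` (CA:FALSE, digitalSignature/keyEncipherment, clientAuth). Note also that `client` is derived from the CSR filename while the certified identity is whatever the CSR's subject says; checking `openssl req -noout -subject -in "$csrfile"` against the expected name before signing would close that gap.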
@@ -98,14 +95,13 @@ if [ "$operation" = "sign" ]; then csrfile=$3 certificate_sign $service $csrfile fi - if [ "$operation" = "create" ]; then client=$3 certificate_create $service $client pkcs12_create $service $client fi - + if [ "$operation" = "renew" ]; then client=$3 certificate_create $service $client @@ -115,8 +111,8 @@ if [ "$operation" = "remotesign" ]; then client=$3 CLIENT_RCFILE="$RCDIR/$service/client-$client"".env" - test -f $CLIENT_RCFILE || echo "Edit $CLIENT_RCFILE first" - test -f $CLIENT_RCFILE || remote_client_write_setup "$service"; + test -f $CLIENT_RCFILE || echo "Edit $CLIENT_RCFILE first" + test -f $CLIENT_RCFILE || remote_client_write_setup "$service"; test -f $CLIENT_RCFILE && source ${CLIENT_RCFILE} test -f $CLIENT_RCFILE && echo "Reading RC from: ${CLIENT_RCFILE}" remote_ssh_identity_file=$REMOTE_SSH_IDENTITY_FILE diff --git a/iron/libexec/iron/iron-certificate~ b/iron/libexec/iron/iron-certificate~ index 203fed370bc11e1c7d8f6ef5b805d38dad2ad732..b8b983460baa366b8ef85da9dd16c387205efac5 100644 --- a/iron/libexec/iron/iron-certificate~ +++ b/iron/libexec/iron/iron-certificate~ @@ -1,8 +1,7 @@ -#! /bin/bash +#! /bin/bash # Usage: $iron certificate <sign> <filename> -# Summary: create certificates -# Help: This command groups commands used to setup config create delete a CA - +# Summary: create certificates +# Help: This command groups commands used to setup config create delete a certificate APPNAME="iron" CURRDIR=$(pwd) 
@@ -13,100 +12,120 @@ CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') function certificate_sign() { - service=$1 - csrfile=$2 - client=$(basename $csrfile | sed -e 's/.csr$//') - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt + service=$1 + csrfile=$2 + client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt } function remote_client_write_setup() { - CLIENT_RCFILE="$RCDIR/client-$client"".env" - echo "REMOTE_RCDIR=$RCDIR">${CLIENT_RCFILE} - echo "REMOTE_USER=">>${CLIENT_RCFILE} - echo "REMOTE_HOST=">>${CLIENT_RCFILE} + service=$1 + mkdir -p $RCDIR/$service + CLIENT_RCFILE="$RCDIR/$service/client-$client"".env" + echo "REMOTE_RCDIR=$RCDIR">${CLIENT_RCFILE} + echo "REMOTE_USER=">>${CLIENT_RCFILE} + echo "REMOTE_HOST=">>${CLIENT_RCFILE} + echo "REMOTE_SSH_IDENTITY_FILE=">>${CLIENT_RCFILE} + exit 1 } function remote_certificate_sign() { - service=$1 - remote_csr_user=$2 - remote_csr_host=$3 - remote_csrfile=$4 - csrfile=$(basename $remote_csrfile) - remote_certdir=$(dirname $remote_csrfile) - client=$(basename $csrfile | sed -e 's/.csr$//') - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt - scp $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir + service=$1 + remote_csr_user=$2 + remote_csr_host=$3 + remote_csrfile=$4 + remote_ssh_identity_file=$5 + csrfile=$(basename $remote_csrfile) + remote_certdir=$(dirname $remote_csrfile) + 
client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + if [ -f $remote_ssh_identity_file ]; then + scp -i $remote_ssh_identity_file $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr + else + scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr + fi + + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + + if [ -f $remote_ssh_identity_file ]; then + scp -i $remote_ssh_identity_file $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir + else + scp $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir + fi } function certificate_create() { - service=$1 - client=$2 - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt - test -f $CP/$client.crt && echo "Created certificate in [$CP/$client.crt]" + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + test -f $CP/$client.crt && echo "Created certificate in [$CP/$client.crt]" } - function pkcs12_create() { - service=$1 - client=$2 - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl pkcs12 -export -clcerts -in $CP/$client.crt -inkey $CP/$client.key -out $CP/$client.p12\ - -name "${client}"\ - -CAfile ${CAPATH}/ca.crt -caname root - test -f $CP/$client.p12 && echo "Created PKCS12 (*.p12) in [$CP/$client.p12]" + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl pkcs12 -export -clcerts -in 
$CP/$client.crt -inkey $CP/$client.key -out $CP/$client.p12\ + -name "${client}"\ + -CAfile ${CAPATH}/ca.crt -caname root + test -f $CP/$client.p12 && echo "Created PKCS12 (*.p12) in [$CP/$client.p12]" } - - - if [ "$#" = 3 ];then - operation=$1 - service=$2 - CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" - source ${CA_RCFILE} - if [ "$operation" = "sign" ]; then - csrfile=$3 - certificate_sign $service $csrfile - fi + operation=$1 + service=$2 + CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" + source ${CA_RCFILE} + if [ "$operation" = "sign" ]; then + csrfile=$3 + certificate_sign $service $csrfile + fi + + if [ "$operation" = "create" ]; then + client=$3 + certificate_create $service $client + pkcs12_create $service $client + fi - if [ "$operation" = "create" ]; then - client=$3 - certificate_create $service $client - pkcs12_create $service $client - fi - - if [ "$operation" = "remotesign" ]; then - client=$3 - CLIENT_RCFILE="$RCDIR/client-$client"".env" - test -f $CLIENT_RCFILE || ( echo "Edit $CLIENT_RCFILE first" ; remote_client_write_setup ; exit -1) - test -f $CLIENT_RCFILE && source ${CLIENT_RCFILE} - test -f $CLIENT_RCFILE && echo "Reading RC from: ${CLIENT_RCFILE}" - remote_csr_user=$REMOTE_USER - remote_csr_host=$REMOTE_HOST - remote_csrfile=$REMOTE_RCDIR/$service/certs/$client/$client.csr - remote_certificate_sign $service $remote_csr_user $remote_csr_host $remote_csrfile - fi + if [ "$operation" = "renew" ]; then + client=$3 + certificate_create $service $client + pkcs12_create $service $client + fi + + if [ "$operation" = "remotesign" ]; then + client=$3 + CLIENT_RCFILE="$RCDIR/$service/client-$client"".env" + test -f $CLIENT_RCFILE || echo "Edit $CLIENT_RCFILE first" + test -f $CLIENT_RCFILE || remote_client_write_setup "$service"; + test -f $CLIENT_RCFILE && source ${CLIENT_RCFILE} + test -f $CLIENT_RCFILE && echo "Reading RC from: ${CLIENT_RCFILE}" + remote_ssh_identity_file=$REMOTE_SSH_IDENTITY_FILE + remote_csr_user=$REMOTE_USER + 
remote_csr_host=$REMOTE_HOST + remote_csrfile=$REMOTE_RCDIR/$service/certs/$client/$client.csr + remote_certificate_sign $service $remote_csr_user $remote_csr_host $remote_csrfile $remote_ssh_identity_file + fi else - echo "Usage:" - echo "\$iron certificate <sign> <service> <CSR-file>" - echo "\$iron certificate <create> <service> <client-id>" - echo "\$iron certificate <remotesign> <service><client-id>" - exit -1 + echo "Usage:" + echo "\$iron certificate <sign> <service> <CSR-file>" + echo "\$iron certificate <create> <service> <client-id>" + echo "\$iron certificate <renew> <service> <client-id>" + echo "\$iron certificate <remotesign> <service><client-id>" + exit -1 fi diff --git a/iron/libexec/iron/iron-client b/iron/libexec/iron/iron-client index c491b364b8d34105572d15915764018ce1645fce..329ab803159af90e5ccecd64c115bee3818c0471 100755 --- a/iron/libexec/iron/iron-client +++ b/iron/libexec/iron/iron-client @@ -19,7 +19,7 @@ CLIENT_CONFIG_FILE=${CLIENT_CONFIG_DIR}/client-${client}.conf test -f $CLIENT_CONFIG_FILE || (echo "missing client config file"; exit -1) CP=$CLIENT_CERTPATH/$client mkdir -p $CP - openssl genrsa -out $CP/$client.key 1024 + openssl genrsa -out $CP/$client.key 2048 openssl req -new -key $CP/$client.key -out $CP/$client.csr -config $CLIENT_CONFIG_FILE } @@ -75,7 +75,7 @@ cat<<__EOF__ >$RCDIR/${DOMAIN}/conf/client-${client}.conf RANDFILE = $ENV::HOME/.rnd [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes @@ -83,9 +83,9 @@ prompt = no #output_password = bliblablu [ req_distinguished_name ] -C = IT -ST = Italia -L = Roma +C = SE +ST = Sweden +L = Göteborg O = ${DOMAIN} OU = ${DOMAIN} CN = ${client} diff --git a/iron/libexec/iron/iron-pkcs12 b/iron/libexec/iron/iron-pkcs12 index 5cc66b2182b2dd1e51899b2e0d34c90207d740e7..dcdfbdda56d4db0d6a6246bb66647ca928c56825 100755 --- a/iron/libexec/iron/iron-pkcs12 +++ b/iron/libexec/iron/iron-pkcs12 
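Review bot: In `remote_certificate_sign`, `if [ -f $remote_ssh_identity_file ]; then` is true when the variable is empty: the generated `client-*.env` leaves `REMOTE_SSH_IDENTITY_FILE=` blank, the unquoted expansion collapses the test to `[ -f ]`, which is a one-argument string test and succeeds, so `scp -i` runs with `$remote_csr_user@$remote_csr_host:$remote_csrfile` consumed as the identity file and the transfer fails (or, if a file of that name happens to exist, the wrong key is used). Write `if [ -n "$remote_ssh_identity_file" ] && [ -f "$remote_ssh_identity_file" ]; then` in both places. This file is an editor backup copy (`iron-certificate~`), but the identical lines appear as context in the `iron-certificate` hunk above, so the fix belongs there.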
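Review bot: `L = Göteborg` puts a non-ASCII value into a `req` config whose `[ req ]` section, as far as the hunk shows, has no `utf8 = yes`; `openssl req` interprets config field values as ASCII unless `utf8 = yes` (or `-utf8`) is set, so the `ö` is re-encoded byte by byte and the locality ends up as mojibake in every client CSR and certificate. Add `utf8 = yes` next to `prompt = no` in the template, or keep the value ASCII (`L = Gothenburg`). The `iron-service` template in this commit writes the same value and needs the same fix.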
@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /bin/bash
 # Usage: $iron pkcs12 create <service> [<client>]
 # Summary: create *.p12 keystore
 # Help: This command groups commands used to create pkcs#12 for distribution
@@ -12,98 +12,98 @@ CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') function certificate_sign() { - service=$1 - csrfile=$2 - client=$(basename $csrfile | sed -e 's/.csr$//') - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt + service=$1 + csrfile=$2 + client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt } function remote_client_write_setup() { - CLIENT_RCFILE="$RCDIR/client-$client"".env" - echo "REMOTE_RCDIR=$RCDIR">${CLIENT_RCFILE} - echo "REMOTE_USER=">>${CLIENT_RCFILE} - echo "REMOTE_HOST=">>${CLIENT_RCFILE} + CLIENT_RCFILE="$RCDIR/client-$client"".env" + echo "REMOTE_RCDIR=$RCDIR">${CLIENT_RCFILE} + echo "REMOTE_USER=">>${CLIENT_RCFILE} + echo "REMOTE_HOST=">>${CLIENT_RCFILE} } function remote_certificate_sign() { - service=$1 - remote_csr_user=$2 - remote_csr_host=$3 - remote_csrfile=$4 - csrfile=$(basename $remote_csrfile) - remote_certdir=$(dirname $remote_csrfile) - client=$(basename $csrfile | sed -e 's/.csr$//') - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt - scp $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir + service=$1 + remote_csr_user=$2 + remote_csr_host=$3 + remote_csrfile=$4 + csrfile=$(basename $remote_csrfile) + remote_certdir=$(dirname $remote_csrfile) + client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p 
${CP} + scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + scp $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir } function certificate_create() { - service=$1 - client=$2 - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt - test -f $CP/$client.crt && echo "Created certificate in [$CP/$client.crt]" + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + test -f $CP/$client.crt && echo "Created certificate in [$CP/$client.crt]" } function pkcs12_create_service() { - service=$1 - SERVICE_CERTPATH=$RCDIR/$service - CP=$SERVICE_CERTPATH/certs - test -d ${CP} || mkdir -p ${CP} - openssl pkcs12 -export -clcerts -in $CP/server.crt -inkey $CP/server.key -out $CP/server.p12\ - -name "${service}"\ - -CAfile ${CAPATH}/ca.crt -caname root - test -f $CP/server.p12 && echo "Created PKCS12 (*.p12) in [$CP/server.p12]" + service=$1 + SERVICE_CERTPATH=$RCDIR/$service + CP=$SERVICE_CERTPATH/certs + test -d ${CP} || mkdir -p ${CP} + openssl pkcs12 -export -clcerts -in $CP/server.crt -inkey $CP/server.key -out $CP/server.p12\ + -name "${service}"\ + -CAfile ${CAPATH}/ca.crt -caname root + test -f $CP/server.p12 && echo "Created PKCS12 (*.p12) in [$CP/server.p12]" } function pkcs12_create() { - service=$1 - client=$2 - CLIENT_CERTPATH=$RCDIR/$service/certs - CP=$CLIENT_CERTPATH/$client - test -d ${CP} || mkdir -p ${CP} - openssl pkcs12 -export -clcerts -in $CP/$client.crt -inkey $CP/$client.key -out $CP/$client.p12\ - -name "${client}"\ - -CAfile 
${CAPATH}/ca.crt -caname root - test -f $CP/$client.p12 && echo "Created PKCS12 (*.p12) in [$CP/$client.p12]" + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl pkcs12 -export -clcerts -in $CP/$client.crt -inkey $CP/$client.key -out $CP/$client.p12\ + -name "${client}"\ + -CAfile ${CAPATH}/ca.crt -caname root + test -f $CP/$client.p12 && echo "Created PKCS12 (*.p12) in [$CP/$client.p12]" } if [ "$#" = 3 ];then - operation=$1 - service=$2 - CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" - source ${CA_RCFILE} - - if [ "$operation" = "create" ]; then - client=$3 - pkcs12_create $service $client - fi -elif [ "$#" = 2 ];then - operation=$1 - service=$2 - CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" - source ${CA_RCFILE} - - if [ "$operation" = "create" ]; then - pkcs12_create_service $service - fi - + operation=$1 + service=$2 + CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" + source ${CA_RCFILE} + + if [ "$operation" = "create" ]; then + client=$3 + pkcs12_create $service $client + fi + elif [ "$#" = 2 ];then + operation=$1 + service=$2 + CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" + source ${CA_RCFILE} + + if [ "$operation" = "create" ]; then + pkcs12_create_service $service + fi + else - echo "Usage:" - echo "\$iron pkcs12 <create> <service> [<client-id>]" - exit -1 + echo "Usage:" + echo "\$iron pkcs12 <create> <service> [<client-id>]" + exit -1 fi diff --git a/iron/libexec/iron/iron-pkcs12~ b/iron/libexec/iron/iron-pkcs12~ new file mode 100644 index 0000000000000000000000000000000000000000..5cc66b2182b2dd1e51899b2e0d34c90207d740e7 --- /dev/null +++ b/iron/libexec/iron/iron-pkcs12~ 
@@ -0,0 +1,109 @@ +#! /bin/bash +# Usage: $iron pkcs12 create <service> [<client>] +# Summary: create *.p12 keystore +# Help: This command groups commands used to create pkcs#12 for distribution + +APPNAME="iron" +CURRDIR=$(pwd) + +RCDIR=$HOME/.$APPNAME +test -d $RCDIR || mkdir -p $RCDIR +CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') + +function certificate_sign() +{ + service=$1 + csrfile=$2 + client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $csrfile -out $CP/$client.crt +} + +function remote_client_write_setup() +{ + CLIENT_RCFILE="$RCDIR/client-$client"".env" + echo "REMOTE_RCDIR=$RCDIR">${CLIENT_RCFILE} + echo "REMOTE_USER=">>${CLIENT_RCFILE} + echo "REMOTE_HOST=">>${CLIENT_RCFILE} +} + + +function remote_certificate_sign() +{ + service=$1 + remote_csr_user=$2 + remote_csr_host=$3 + remote_csrfile=$4 + csrfile=$(basename $remote_csrfile) + remote_certdir=$(dirname $remote_csrfile) + client=$(basename $csrfile | sed -e 's/.csr$//') + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + scp $remote_csr_user@$remote_csr_host:$remote_csrfile $CP/$client.csr + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + scp $CP/$client.crt $REMOTE_USER@$REMOTE_HOST:$remote_certdir +} + +function certificate_create() +{ + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CP/$client.csr -out $CP/$client.crt + test -f $CP/$client.crt && echo "Created certificate in [$CP/$client.crt]" +} + +function pkcs12_create_service() +{ + service=$1 + SERVICE_CERTPATH=$RCDIR/$service + CP=$SERVICE_CERTPATH/certs + 
test -d ${CP} || mkdir -p ${CP} + openssl pkcs12 -export -clcerts -in $CP/server.crt -inkey $CP/server.key -out $CP/server.p12\ + -name "${service}"\ + -CAfile ${CAPATH}/ca.crt -caname root + test -f $CP/server.p12 && echo "Created PKCS12 (*.p12) in [$CP/server.p12]" +} +function pkcs12_create() +{ + service=$1 + client=$2 + CLIENT_CERTPATH=$RCDIR/$service/certs + CP=$CLIENT_CERTPATH/$client + test -d ${CP} || mkdir -p ${CP} + openssl pkcs12 -export -clcerts -in $CP/$client.crt -inkey $CP/$client.key -out $CP/$client.p12\ + -name "${client}"\ + -CAfile ${CAPATH}/ca.crt -caname root + test -f $CP/$client.p12 && echo "Created PKCS12 (*.p12) in [$CP/$client.p12]" +} + +if [ "$#" = 3 ];then + operation=$1 + service=$2 + CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" + source ${CA_RCFILE} + + if [ "$operation" = "create" ]; then + client=$3 + pkcs12_create $service $client + fi +elif [ "$#" = 2 ];then + operation=$1 + service=$2 + CA_RCFILE="$HOME/"."$APPNAME/default-ca"".env" + source ${CA_RCFILE} + + if [ "$operation" = "create" ]; then + pkcs12_create_service $service + fi + +else + echo "Usage:" + echo "\$iron pkcs12 <create> <service> [<client-id>]" + exit -1 +fi diff --git a/iron/libexec/iron/iron-service b/iron/libexec/iron/iron-service index 744d049af4e980e88f8552fd088351fbeaf44fd1..c59f7700d43aa934b01b2edff3041fb791ab3d97 100755 --- a/iron/libexec/iron/iron-service +++ b/iron/libexec/iron/iron-service @@ -1,4 +1,4 @@ -#! /bin/bash +#! /bin/bash # Usage: iron service <service-name> <setup|create|delete> # Summary: manage service/server certificate creation # Help: This command groups commands used to setup config create delete a CA 
@@ -12,55 +12,56 @@ CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') function service_create() { - test -d $CERTPATH || mkdir -p $CERTPATH - openssl genrsa -out $CERTPATH/server.key 2048 - openssl req -batch -new -key $CERTPATH/server.key -out $CERTPATH/server.csr -config $SERVER_CONFIG_FILE - #OLD::openssl x509 -req -days 365 -in $CERTPATH/server.csr -signkey $CERTPATH/server.key -out $CERTPATH/server.crt - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ - -signkey $CERTPATH/server.key -out $CERTPATH/server.crt - #openssl ca -cert $CAPATH/ca.crt -keyfile $CAPATH/ca.key -in $CERTPATH/server.csr -out $CERTPATH/server.crt -config /home/paolo/.iron/dev.lulli.net/conf/openssl-server.conf - + service=$1 + extfile="${RCDIR}/${service}/conf/v3.ext" + + test -d $CERTPATH || mkdir -p $CERTPATH + openssl genrsa -out $CERTPATH/server.key 2048 + openssl req -batch -new -key $CERTPATH/server.key -out $CERTPATH/server.csr -config $SERVER_CONFIG_FILE + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ + -signkey $CERTPATH/server.key -out $CERTPATH/server.crt #-extfile ${extfile} + } function service_renew() { - test -d $CERTPATH || mkdir -p $CERTPATH - openssl req -batch -new -key $CERTPATH/server.key -out $CERTPATH/server.csr -config $SERVER_CONFIG_FILE - #OLD::openssl x509 -req -days 365 -in $CERTPATH/server.csr -signkey $CERTPATH/server.key -out $CERTPATH/server.crt - openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ - -signkey $CERTPATH/server.key -out $CERTPATH/server.crt - #openssl ca -cert $CAPATH/ca.crt -keyfile $CAPATH/ca.key -in $CERTPATH/server.csr -out $CERTPATH/server.crt -config /home/paolo/.iron/dev.lulli.net/conf/openssl-server.conf - + service=$1 + extfile="${RCDIR}/${service}/conf/v3.ext" + + test -d $CERTPATH || mkdir -p $CERTPATH + openssl req -batch -new -key $CERTPATH/server.key -out 
$CERTPATH/server.csr -config $SERVER_CONFIG_FILE + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ + -signkey $CERTPATH/server.key -out $CERTPATH/server.crt #-extfile ${extfile} } function service_home_setup_delete() { - DOMAIN=$1 - echo "About to DELETE cert path: [$RCDIR/${DOMAIN}] are you sure? y/n" - read confirmation - if [ "$confirmation" = "y" ]; then - (rm -fr $RCDIR/${DOMAIN} ; rm -fr $RCFILE) && echo "CA DELETED" - else - echo "SKIPPING" - exit -1 - fi + DOMAIN=$1 + echo "About to DELETE cert path: [$RCDIR/${DOMAIN}] are you sure? y/n" + read confirmation + if [ "$confirmation" = "y" ]; then + (rm -fr $RCDIR/${DOMAIN} ; rm -fr $RCFILE) && echo "CA DELETED" + else + echo "SKIPPING" + exit -1 + fi } function service_home_setup_write() { - DOMAIN=$1 - test -d $RCDIR/${DOMAIN} && ( echo "Dir $RCDIR/${DOMAIN} exist, please delete before" && exit -1) - test -d $RCDIR/${DOMAIN} || mkdir -p $RCDIR/${DOMAIN} - test -d $RCDIR/${DOMAIN}/conf || mkdir -p $RCDIR/${DOMAIN}/conf - echo "CERTPATH=${RCDIR}/${DOMAIN}/certs" >> ${RCFILE} - echo "CAPATH=${RCDIR}/CA" >> ${RCFILE} - echo "SERVER_CONFIG_FILE=${RCDIR}/${DOMAIN}/conf/openssl-server.conf" >> ${RCFILE} - + DOMAIN=$1 + test -d $RCDIR/${DOMAIN} && ( echo "Dir $RCDIR/${DOMAIN} exist, please delete before" && exit -1) + test -d $RCDIR/${DOMAIN} || mkdir -p $RCDIR/${DOMAIN} + test -d $RCDIR/${DOMAIN}/conf || mkdir -p $RCDIR/${DOMAIN}/conf + echo "CERTPATH=${RCDIR}/${DOMAIN}/certs" >> ${RCFILE} + echo "CAPATH=${RCDIR}/CA" >> ${RCFILE} + echo "SERVER_CONFIG_FILE=${RCDIR}/${DOMAIN}/conf/openssl-server.conf" >> ${RCFILE} + cat<<__EOF__ >$RCDIR/${DOMAIN}/conf/openssl-server.conf RANDFILE = $ENV::HOME/.rnd [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes 
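Review bot: `service_create` and `service_renew` now compute `extfile="${RCDIR}/${service}/conf/v3.ext"`, but its only use is the commented-out `#-extfile ${extfile}` at the end of the `openssl x509 -req` line, so the SAN/keyUsage file that `service_home_setup_write` generates is never applied and the server certificate still has no `subjectAltName`; current browsers, Go and Java ignore CN for hostname verification, so these certificates fail on those clients. Enable it as `-extfile "${extfile}"` and add `extendedKeyUsage = serverAuth` plus `subjectKeyIdentifier = hash` to the generated `v3.ext`. `server.key` is written with the default umask like the CA key; wrap the `genrsa` in `(umask 077; …)`, and quote `$CERTPATH`/`$CAPATH`. Both functions start and end inside this hunk; the dispatch that calls them is in the next one.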
@@ -68,9 +69,9 @@ prompt = no #output_password = bliblablu [ req_distinguished_name ] -C = IT -ST = Italia -L = Roma +C = SE +ST = Sweden +L = Göteborg O = ${DOMAIN} OU = ${DOMAIN} CN = ${DOMAIN} 
@@ -79,37 +80,47 @@ [ req_attributes ] #challengePassword = blablabla __EOF__ + + cat<<__EOF__ >$RCDIR/${DOMAIN}/conf/v3.ext +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names +[alt_names] +DNS.1 = ${DOMAIN} +DNS.2 = www.${DOMAIN} +__EOF__ } if [ "$#" = 2 ];then - operation=$1 - service=$2 - RCFILE="$HOME/"."$APPNAME/service-${service}"".env" - - if [ "$operation" = "create" ]; then - echo "BEFORE" - test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) - echo "AFTER" - source ${RCFILE} - service_create $service - fi - if [ "$operation" = "renew" ]; then - echo "BEFORE" - test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) - echo "AFTER" - source ${RCFILE} - service_renew $service - fi - if [ "$operation" = "setup" ]; then - test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit 0) - fi - if [ "$operation" = "delete" ]; then - source ${RCFILE} - service_home_setup_delete $service - fi + operation=$1 + service=$2 + RCFILE="$HOME/"."$APPNAME/service-${service}"".env" + + if [ "$operation" = "create" ]; then + echo "BEFORE" + test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) + echo "AFTER" + source ${RCFILE} + service_create $service + fi + if [ "$operation" = "renew" ]; then + echo "BEFORE" + test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) + echo "AFTER" + source ${RCFILE} + service_renew $service + fi + if [ "$operation" = "setup" ]; then + test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit 0) + fi + if [ "$operation" = "delete" ]; then + source ${RCFILE} + service_home_setup_delete $service + fi else - echo "Usage: \$iron service <setup|create|renew|delete> <service>" 
- exit -1
+ echo "Usage: \$iron service <setup|create|renew|delete> <service>"
+ exit -1
 fi
diff --git a/iron/libexec/iron/iron-service~ b/iron/libexec/iron/iron-service~
new file mode 100644
index 0000000000000000000000000000000000000000..27e1eb65cebf436068aeb3c3d8df7763946aa6fc
--- /dev/null
+++ b/iron/libexec/iron/iron-service~
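Review bot: The first-run guard in the `create` and `renew` branches does not stop the script: the `exit -1` sits inside a `( … )` subshell, so after `service_home_setup_write` runs and "Edit values in ${RCFILE}" is printed, the parent shell continues, sources the just-written defaults and generates server.key/server.crt with the template DN before anyone has edited the file. Replace the subshell with a real conditional, `if [ ! -f "${RCFILE}" ]; then service_home_setup_write "$service"; echo "Edit values in ${RCFILE}"; exit 1; fi` (`exit -1` is also out of range and surfaces as status 255). The same `( … && exit -1)` pattern makes the "please delete before" check at the top of service_home_setup_write a no-op, so an existing service directory is silently reused and its `>> ${RCFILE}` lines are appended a second time. The v3.ext written here is currently dead configuration because service_create comments out `-extfile`; once it is wired in, `extendedKeyUsage = serverAuth` belongs next to `keyUsage` for a server certificate. The `if [ "$#" = 2 ]` dispatch is complete within the hunk; service_home_setup_write starts in the previous hunk.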
@@ -0,0 +1,134 @@ +#! /bin/bash +# Usage: iron service <service-name> <setup|create|delete> +# Summary: manage service/server certificate creation +# Help: This command groups commands used to setup config create delete a CA + +APPNAME="iron" +CURRDIR=$(pwd) + +RCDIR=$HOME/.$APPNAME +test -d $RCDIR || mkdir -p $RCDIR +CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') + +function service_create() +{ + service=$1 + extfile="${RCDIR}/${service}/conf/v3.ext" + + test -d $CERTPATH || mkdir -p $CERTPATH + openssl genrsa -out $CERTPATH/server.key 2048 + openssl req -batch -new -key $CERTPATH/server.key -out $CERTPATH/server.csr -config $SERVER_CONFIG_FILE + #OLD::openssl x509 -req -days 365 -in $CERTPATH/server.csr -signkey $CERTPATH/server.key -out $CERTPATH/server.crt +# TODO: add v3 extension +# https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr +# https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15 + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ + -signkey $CERTPATH/server.key -out $CERTPATH/server.crt -extfile ${extfile} + #openssl ca -cert $CAPATH/ca.crt -keyfile $CAPATH/ca.key -in $CERTPATH/server.csr -out $CERTPATH/server.crt -config /home/paolo/.iron/dev.lulli.net/conf/openssl-server.conf + +} + +function service_renew() +{ + service=$1 + extfile="${RCDIR}/${service}/conf/v3.ext" + + test -d $CERTPATH || mkdir -p $CERTPATH + openssl req -batch -new -key $CERTPATH/server.key -out $CERTPATH/server.csr -config $SERVER_CONFIG_FILE + #OLD::openssl x509 -req -days 365 -in $CERTPATH/server.csr -signkey $CERTPATH/server.key -out $CERTPATH/server.crt + openssl x509 -req -days 365 -CA $CAPATH/ca.crt -CAkey $CAPATH/ca.key -CAcreateserial -in $CERTPATH/server.csr \ + -signkey $CERTPATH/server.key -out $CERTPATH/server.crt -extfile ${extfile} + #openssl ca -cert $CAPATH/ca.crt -keyfile $CAPATH/ca.key -in $CERTPATH/server.csr -out 
$CERTPATH/server.crt -config /home/paolo/.iron/dev.lulli.net/conf/openssl-server.conf + +} + +function service_home_setup_delete() +{ + DOMAIN=$1 + echo "About to DELETE cert path: [$RCDIR/${DOMAIN}] are you sure? y/n" + read confirmation + if [ "$confirmation" = "y" ]; then + (rm -fr $RCDIR/${DOMAIN} ; rm -fr $RCFILE) && echo "CA DELETED" + else + echo "SKIPPING" + exit -1 + fi +} + +function service_home_setup_write() +{ + DOMAIN=$1 + test -d $RCDIR/${DOMAIN} && ( echo "Dir $RCDIR/${DOMAIN} exist, please delete before" && exit -1) + test -d $RCDIR/${DOMAIN} || mkdir -p $RCDIR/${DOMAIN} + test -d $RCDIR/${DOMAIN}/conf || mkdir -p $RCDIR/${DOMAIN}/conf + echo "CERTPATH=${RCDIR}/${DOMAIN}/certs" >> ${RCFILE} + echo "CAPATH=${RCDIR}/CA" >> ${RCFILE} + echo "SERVER_CONFIG_FILE=${RCDIR}/${DOMAIN}/conf/openssl-server.conf" >> ${RCFILE} + + cat<<__EOF__ >$RCDIR/${DOMAIN}/conf/openssl-server.conf +RANDFILE = $ENV::HOME/.rnd + +[ req ] +default_bits = 1024 +default_keyfile = keyfile.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +#output_password = bliblablu + +[ req_distinguished_name ] +C = IT +ST = Italia +L = Roma +O = ${DOMAIN} +OU = ${DOMAIN} +CN = ${DOMAIN} +emailAddress = info@${DOMAIN} + +[ req_attributes ] +#challengePassword = blablabla +__EOF__ + + cat<<__EOF__ >$RCDIR/${DOMAIN}/conf/v3.ext +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = ${DOMAIN} +DNS.2 = www.${DOMAIN} +__EOF__ +} + +if [ "$#" = 2 ];then + operation=$1 + service=$2 + RCFILE="$HOME/"."$APPNAME/service-${service}"".env" + + if [ "$operation" = "create" ]; then + echo "BEFORE" + test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) + echo "AFTER" + source ${RCFILE} + service_create $service + fi + if [ "$operation" = "renew" ]; then + echo "BEFORE" + test -f 
${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit -1) + echo "AFTER" + source ${RCFILE} + service_renew $service + fi + if [ "$operation" = "setup" ]; then + test -f ${RCFILE} || ( service_home_setup_write $service; echo "Edit values in ${RCFILE}"; exit 0) + fi + if [ "$operation" = "delete" ]; then + source ${RCFILE} + service_home_setup_delete $service + fi +else + echo "Usage: \$iron service <setup|create|renew|delete> <service>" + exit -1 +fi + diff --git a/iron/libexec/iron/iron-ssh-ca~ b/iron/libexec/iron/iron-ssh-ca~ index b818d86cbd09186aeac174b13ccc05729cca5eec..96a85972a6bc3f5105d1b165e6d74ba737f8e43e 100644 --- a/iron/libexec/iron/iron-ssh-ca~ +++ b/iron/libexec/iron/iron-ssh-ca~ @@ -1,4 +1,4 @@ -#! /bin/bash +#! /bin/bash # Usage: $iron ssh-ca <host|user> <name> # Summary: create ssh CAs for hosts and users # Help: This command groups commands used to setup config create an ssh CA @@ -11,21 +11,27 @@ test -d $RCDIR || mkdir -p $RCDIR CURRENT_TSTAMP=$(date '+%Y%m%d%H%M') if [ "$#" = 2 ];then - subject=$1 - name=$2 - - if [ "$subject" = "host" ];then - ssh-keygen -t rsa -b 4096 -f "${name}-host-ca" -C "Host CA: $name" - exit 0; - fi + subject=$1 + name=$2 + + if [ "$subject" = "host" ];then - if [ "$subject" = "user" ];then - ssh-keygen -t rsa -b 4096 -f "${name}-user-ca" -C "Host CA: $name" - exit 0; - fi + hostname_dir=$RCDIR/hosts/${name} + test -d ${hostname_dir} || mkdir -p ${hostname_dir} - echo "Usage: iron ssh-ca <host|user> <name>" - exit -1 + ssh-keygen -t rsa -b 4096 -f "${hostname_dir}/${name}-host-ca" -C "Host CA: $name" + exit 0; + fi + + if [ "$subject" = "user" ];then + user_dir=$RCDIR/users/${name} + test -d ${user_dir} || mkdir -p ${hostname_dir} + ssh-keygen -t rsa -b 4096 -f "${name}-user-ca" -C "Host CA: $name" + exit 0; + fi + + echo "Usage: iron ssh-ca <host|user> <name>" + exit -1 fi echo "Usage: iron ssh-ca <host|user> <name>" 
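Review bot: `iron-service~` is an editor backup copy of iron-service (the trailing `~` is the Emacs/vi backup suffix) and should not be committed; the same goes for the `iron-ssh-ca~` edited below, and a `*~` line in .gitignore stops it recurring. It is not a harmless duplicate either: this copy still has `default_bits = 1024` and the Roma DN, yet passes `-extfile ${extfile}` to `openssl x509` where the real iron-service comments that option out, so a reader of the backup gets a different picture of what the tool does. `git rm` it rather than reviewing its contents; any change that belongs in the tool should be made in iron-service itself.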
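Review bot: In the new `user` branch, `test -d ${user_dir} || mkdir -p ${hostname_dir}` references the wrong variable — `hostname_dir` is unset in this branch, so mkdir gets an empty argument and fails — and the following `ssh-keygen -f "${name}-user-ca"` still writes the user CA key pair into whatever directory the caller is in, while the host branch just above was moved under `${hostname_dir}`; the key comment is also still `"Host CA: $name"`. Mirror the host branch: `test -d "${user_dir}" || mkdir -p "${user_dir}"` and `ssh-keygen -t rsa -b 4096 -f "${user_dir}/${name}-user-ca" -C "User CA: $name"`. Note that this hunk patches `iron-ssh-ca~`, an editor backup file, rather than `iron-ssh-ca` itself, so unless the real script receives the same change the per-host directory layout introduced here is not what ships. The `if [ "$#" = 2 ]` block is complete within the hunk; the script's tail after the closing `fi` runs past it.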
diff --git a/iron/libexec/iron/iron-vpn-client b/iron/libexec/iron/iron-vpn-client
new file mode 100755
index 0000000000000000000000000000000000000000..385489240e626d28589d6f38335be8e014c72c4b
--- /dev/null
+++ b/iron/libexec/iron/iron-vpn-client
@@ -0,0 +1,125 @@
+#! /bin/bash
+# Usage: $iron vpn-client <servername> <clientname>
+# Summary: create OpenVPN client config
+# Help: OpenVPN client config generator
+
+APPNAME="iron"
+
+if [ "$#" != "2" ]; then
+ echo "Usage: vpn-client <servername> <clientname>"
+ exit 1
+fi
+
+servername=$1
+vpn_client=$2
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg
+CFGDIR=$(dirname ${CFG_FILE})
+
+CURRDIR=$(pwd)
+EASY_RSA_HOME=/usr/share/easy-rsa/
+
+test -f $CFG_FILE || echo "No such config: [${CFG_FILE}]"
+test -f $CFG_FILE || exit 1
+source ${CFG_FILE}
+
+function ovpn_generate_client_nopass()
+{
+ cd $CFGDIR
+ client_dn=$1
+ export KEY_CN=${client_dn}
+
+ ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn} nopass
+}
+
+function ovpn_generate_client_assembly()
+{
+ cd $CFGDIR
+ mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+ cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+
+cat<<__EOT__>$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf
+client
+dev tun
+proto tcp
+remote ${code_organization} 1194
+resolv-retry infinite
+nobind
+comp-lzo
+persist-key
+persist-tun
+askpass /etc/openvpn/passwordfile
+ca /etc/openvpn/${vpn_client}/ca.crt
+cert /etc/openvpn/${vpn_client}/${vpn_client}.crt
+key /etc/openvpn/${vpn_client}/${vpn_client}.key
+verb 3
+log-append /var/log/openvpn.${code_organization}-client.log
+__EOT__
+
+ cd ./server/${code_organization}-client/${vpn_client}
+ tar cvfz $CURRDIR/${code_organization}-${vpn_client}.tar.gz .
+}
+
+function ovpn_generate_client_android()
+{
+ ovpnfile=$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn
+ cd $CFGDIR
+ mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+ cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+
+cat<<__EOT__>$ovpnfile
+client
+dev tun
+proto tcp
+remote ${code_organization} 1194
+resolv-retry infinite
+nobind
+comp-lzo
+persist-key
+persist-tun
+askpass /etc/openvpn/passwordfile
+verb 3
+log-append /var/log/openvpn.${code_organization}-client.log
+#ca /etc/openvpn/${vpn_client}/ca.crt
+#cert /etc/openvpn/${vpn_client}/${vpn_client}.crt
+#key /etc/openvpn/${vpn_client}/${vpn_client}.key
+__EOT__
+
+ echo "<ca>" >> $ovpnfile
+ cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile
+ echo "</ca>" >> $ovpnfile
+
+ echo "<cert>" >> $ovpnfile
+ cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt \
+ | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
+ >> $ovpnfile
+ echo "</cert>" >> $ovpnfile
+
+ echo "<key>" >> $ovpnfile
+ cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \
+ >> $ovpnfile
+ echo "</key>" >> $ovpnfile
+}
+
+# MAIN
+
+client_password=$(uuidgen)
+client_credentials="$CFGDIR/client-${vpn_client}-credentials.txt"
+test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+echo "credentials for ${code_organization}:${vpn_client}:[${client_password}]">>$client_credentials
+
+ovpn_generate_client_nopass ${vpn_client}
+
+
+openssl rsa -aes256 -in $CFGDIR/pki/private/${vpn_client}.key\
+-out $CFGDIR/pki/private/encrypted-${vpn_client}.key \
+-passout 
pass:${client_password}\
+&& \
+mv $CFGDIR/pki/private/encrypted-${vpn_client}.key \
+$CFGDIR/pki/private/${vpn_client}.key
+
+ovpn_generate_client_android
+ovpn_generate_client_assembly
diff --git a/iron/libexec/iron/iron-vpn-server b/iron/libexec/iron/iron-vpn-server
new file mode 100755
index 0000000000000000000000000000000000000000..ca833c9de10c808677d636903f8222fca22a99e8
--- /dev/null
+++ b/iron/libexec/iron/iron-vpn-server
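Review bot: Neither generated client config (the `.conf` in ovpn_generate_client_assembly nor the inline `.ovpn` in ovpn_generate_client_android) contains `remote-cert-tls server`, so a client only checks that the server certificate chains to the CA; any holder of a client certificate from this same CA — every other VPN user, or anyone with a leaked client bundle — can then impersonate the server to other clients. Add `remote-cert-tls server` to both heredocs; easyrsa's `build-server-full` issues the server certificate with the serverAuth EKU that check relies on, as far as I can tell from the easy-rsa defaults. `remote ${code_organization} 1194` hard-codes the port while the server side reads `${vpn_port}` from the same config file, so use `remote ${code_organization} ${vpn_port}` to keep the bundles in step. The uuidgen passphrase is appended in clear to `client-${vpn_client}-credentials.txt` beside the PKI and handed to `openssl rsa` via `-passout pass:`, where it is visible in `ps`; reading it with `-passout file:` from a 0600 file and not storing it next to the key it protects would be the usual treatment (note also that `openssl rsa … && mv` leaves the plaintext key in place if the re-encryption fails). `comp-lzo` turns on tunnel compression, which has known plaintext-recovery issues (VORACLE-style) and is deprecated in current OpenVPN; drop it unless the server requires it.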
@@ -0,0 +1,143 @@
+#! /bin/bash
+# Usage: $iron vpn-server <servername>
+# Summary: create OpenVPN CA and server config
+# Help: OpenVPN CA and server config generator
+
+APPNAME="iron"
+
+if [ "$#" != "1" ]; then
+ echo "Usage: vpn-server <servername>"
+ exit 1
+fi
+
+servername=$1
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg
+CFGDIR=$(dirname ${CFG_FILE})
+
+CURRDIR=$(pwd)
+cd $(dirname $0)
+#EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3
+EASY_RSA_HOME=/usr/share/easy-rsa/
+
+function write_empty_config()
+{
+ test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+ echo "code_country="> $CFG_FILE
+ echo "code_province=">> $CFG_FILE
+ echo "code_city=">> $CFG_FILE
+ echo "code_organization=${servername}">> $CFG_FILE
+ echo "code_email=">> $CFG_FILE
+ echo "vpn_port=1194">> $CFG_FILE
+ echo "Edit config file: [$CFG_FILE]"
+ exit 1
+}
+
+function test_config()
+{
+ test -f $CFG_FILE || write_empty_config
+}
+
+function ovpn_generate_ca_nopass()
+{
+ cd ${CFGDIR};
+
+VARS_CONTENT=$(cat<<__EOT__
+export KEY_SIZE=2048
+export CA_EXPIRE=3650
+export KEY_EXPIRE=3650
+
+export KEY_COUNTRY="${code_country}"
+export KEY_PROVINCE="${code_province}"
+export KEY_CITY="${code_city}"
+export KEY_ORG="${code_organization}"
+export KEY_EMAIL="${code_email}"
+export KEY_CN=${code_organization}
+export KEY_NAME=${code_organization}
+export KEY_OU=${code_organization}
+__EOT__)
+
+ echo ${VARS_CONTENT} > $CFGDIR/vars
+ source $CFGDIR/vars
+
+ ${EASY_RSA_HOME}/easyrsa init-pki
+ #${EASY_RSA_HOME}/easyrsa build-ca
+ ${EASY_RSA_HOME}/easyrsa build-ca nopass
+ ${EASY_RSA_HOME}/easyrsa gen-dh
+
+}
+
+function ovpn_generate_server_nopass()
+{
+ cd ${CFGDIR};
+ ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization} nopass
+ # DISCOURAGED: not to give it a pass
+ #./easyrsa build-server-full ${code_organization} nopass
+}
+
+function ovpn_generate_server_assembly()
+{
+ cd ${CFGDIR}
+ mkdir -p "$CFGDIR/server/${code_organization}/${code_organization}"
+ cp $CFGDIR/pki/ca.crt 
$CFGDIR/server/${code_organization}/${code_organization}
+ cp $CFGDIR/pki/dh.pem $CFGDIR/server/${code_organization}/${code_organization}
+ cp $CFGDIR/pki/issued/${code_organization}.crt $CFGDIR/server/${code_organization}/${code_organization}
+ cp $CFGDIR/pki/private/${code_organization}.key $CFGDIR/server/${code_organization}/${code_organization}
+
+cat<<__EOT__>$CFGDIR/server/${code_organization}/${code_organization}.conf
+port ${vpn_port}
+proto tcp
+dev tun
+#askpass /etc/openvpn/passwordfile
+ca /etc/openvpn/${code_organization}/ca.crt
+cert /etc/openvpn/${code_organization}/${code_organization}.crt
+key /etc/openvpn/${code_organization}/${code_organization}.key
+dh /etc/openvpn/${code_organization}/dh.pem
+server 10.0.0.0 255.255.0.0
+# GOOD IP RANGES:
+# 10.0.0.0 - 10.255.255.255
+# 172.16.0.0 - 172.31.255.255
+# 192.168.0.0 - 192.168.255.255
+
+ifconfig-pool-persist /etc/openvpn/${code_organization}/ipp.txt
+keepalive 10 120
+comp-lzo
+user nobody
+group users
+persist-key
+persist-tun
+status /var/log/openvpn-status.log
+log-append /var/log/openvpn.log
+verb 3
+client-to-client
+__EOT__
+
+ cd $CFGDIR/server/${code_organization}
+ tar cvfz $CURRDIR/${code_organization}-server.tar.gz .
+}
+
+# MAIN
+
+test_config
+source ${CFG_FILE}
+
+
+ca_password=$(uuidgen)
+server_password=$(uuidgen)
+server_credentials="$CFGDIR/server-credentials.txt"
+test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+echo "CA password:[${ca_password}]">>$server_credentials
+echo "server [$servername] priv key password:[${server_password}]">>$server_credentials
+
+
+ovpn_generate_ca_nopass
+ovpn_generate_server_nopass
+
+openssl rsa -aes256 -in ${CFGDIR}/pki/private/ca.key -out ${CFGDIR}/pki/private/encrypted-ca.key \
+ -passout pass:${ca_password}\
+ && mv ${CFGDIR}/pki/private/encrypted-ca.key ${CFGDIR}/pki/private/ca.key
+
+openssl rsa -aes256 -in ${CFGDIR}/pki/private/${code_organization}.key -out ${CFGDIR}/pki/private/encrypted-${code_organization}.key\
+ -passout pass:${server_password}\
+ && mv ${CFGDIR}/pki/private/encrypted-${code_organization}.key $CFGDIR/pki/private/${code_organization}.key
+
+ovpn_generate_server_assembly
diff --git a/iron-vpn/openvpn-create-client.sh b/iron-vpn/openvpn-create-client.sh
deleted file mode 100755
index b6296568616a48bf50ef4976ffd6c8167338e8a5..0000000000000000000000000000000000000000
--- a/iron-vpn/openvpn-create-client.sh
+++ /dev/null
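Review bot: The `vars` file that ovpn_generate_ca_nopass writes uses the easy-rsa 2 variable names (`KEY_SIZE`, `CA_EXPIRE`, `KEY_EXPIRE`, `KEY_COUNTRY`, …) while the script drives the easy-rsa 3 CLI (`easyrsa init-pki` / `build-ca`), which as far as I can tell reads `EASYRSA_*` settings (`set_var EASYRSA_KEY_SIZE`, `EASYRSA_CA_EXPIRE`, `EASYRSA_CERT_EXPIRE`, `EASYRSA_REQ_COUNTRY`, …), so the 3650-day lifetimes and the DN fields are presumably never applied and the CA gets the easyrsa defaults — worth verifying against the installed easy-rsa before relying on it. Independently, `echo ${VARS_CONTENT} > $CFGDIR/vars` is unquoted, so the multi-line heredoc is flattened onto one line; `printf '%s\n' "$VARS_CONTENT" > "$CFGDIR/vars"` preserves it. The CA key is created with `nopass`, re-encrypted with a uuidgen passphrase that is appended in clear to `server-credentials.txt` in the same `$CFGDIR`, and the passphrase goes on the `openssl rsa` command line via `-passout pass:` (visible in `ps`); since `openssl rsa … && mv` also leaves the plaintext key in place when re-encryption fails, a `umask 077` up front, `-passout file:` from a 0600 file, a failure check (`set -e` or `|| exit 1`) and keeping the CA passphrase away from ca.key are what make that protection real. In the server config, `group users` drops the daemon into the general `users` group after `user nobody`; `group nogroup` is the conventional least-privilege pairing. No `tls-crypt`/`tls-auth` key or explicit `cipher`/`auth` is generated for either side and `comp-lzo` enables compression with known plaintext-recovery issues, so this config should be treated as a starting point rather than a hardened deployment.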
@@ -1,113 +0,0 @@ -#! /bin/bash -x - -cd $(dirname $0) -CURRDIR=$(pwd) -#EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3 -EASY_RSA_HOME=/usr/share/easy-rsa/ - -#.............................. -code_country="IT" -code_province="RM" -code_city="Roma" -code_organization="vpn.augentelematica.it" -code_email="paolo@lulli.net" -vpn_port="1194" - -#.............................. -vpn_client="strange" -#.............................. - -source $EASY_RSA_HOME/vars - -#cd $EASY_RSA_HOME - - -function ovpn_generate_client() -{ - client_dn=$1 - #cd $EASY_RSA_HOME - export KEY_CN=${client_dn} - - ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn} -} - -function ovpn_generate_client_assembly() -{ - cd $CURRDIR - mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}" - cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - -cat<<__EOT__>$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf -client -dev tun -proto tcp -#remote ${code_organization} -remote 62.171.171.30 1194 -resolv-retry infinite -nobind -comp-lzo -persist-key -persist-tun -askpass /etc/openvpn/passwordfile -ca /etc/openvpn/${vpn_client}/ca.crt -cert /etc/openvpn/${vpn_client}/${vpn_client}.crt -key /etc/openvpn/${vpn_client}/${vpn_client}.key -verb 3 -log-append /var/log/openvpn.${code_organization}-client.log -__EOT__ - - cd ./server/${code_organization}-client/${vpn_client} - tar cvfz $CURRDIR/${code_organization}-${vpn_client}.tar.gz . 
-} - -function ovpn_generate_client_android() -{ - ovpnfile=$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn - cd $CURRDIR - mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}" - cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - -cat<<__EOT__>$ovpnfile -client -dev tun -proto tcp -#remote ${code_organization} -remote 62.171.171.30 1194 -resolv-retry infinite -nobind -comp-lzo -persist-key -persist-tun -askpass /etc/openvpn/passwordfile -verb 3 -log-append /var/log/openvpn.${code_organization}-client.log -#ca /etc/openvpn/${vpn_client}/ca.crt -#cert /etc/openvpn/${vpn_client}/${vpn_client}.crt -#key /etc/openvpn/${vpn_client}/${vpn_client}.key -__EOT__ - - echo "<ca>" >> $ovpnfile - cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile - echo "</ca>" >> $ovpnfile - - echo "<cert>" >> $ovpnfile - cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt \ - | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \ - >> $ovpnfile - echo "</cert>" >> $ovpnfile - - echo "<key>" >> $ovpnfile - cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \ - >> $ovpnfile - echo "</key>" >> $ovpnfile -} - -# MAIN - -ovpn_generate_client ${vpn_client} -ovpn_generate_client_android -ovpn_generate_client_assembly diff --git a/iron-vpn/openvpn-create-server.sh b/iron-vpn/openvpn-create-server.sh deleted file mode 100755 index a0195b12c8bf33d71bf8e79055970c5172159715..0000000000000000000000000000000000000000 --- a/iron-vpn/openvpn-create-server.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#! /bin/bash -x - -cd $(dirname $0) -CURRDIR=$(pwd) -#EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3 -EASY_RSA_HOME=/usr/share/easy-rsa/ - -#.............................. -code_country="IT" -code_province="RM" -code_city="Roma" -code_organization="vpn.augentelematica.it" -code_email="paolo@lulli.net" -vpn_port="1194" -#.............................. - -function ovpn_generate_ca() -{ - -VARS_CONTENT=$(cat<<__EOT__ -export KEY_SIZE=2048 -export CA_EXPIRE=3650 -export KEY_EXPIRE=3650 - -export KEY_COUNTRY="${code_country}" -export KEY_PROVINCE="${code_province}" -export KEY_CITY="${code_city}" -export KEY_ORG="${code_organization}" -export KEY_EMAIL="${code_email}" -export KEY_CN=${code_organization} -export KEY_NAME=${code_organization} -export KEY_OU=${code_organization} -__EOT__) - - echo ${VARS_CONTENT} > $CURRDIR/vars - source $CURRDIR/vars - - ${EASY_RSA_HOME}/easyrsa init-pki - ${EASY_RSA_HOME}/easyrsa build-ca - ${EASY_RSA_HOME}/easyrsa gen-dh - -} - -function ovpn_generate_server() -{ - ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization} - # DISCOURAGED: not to give it a pass - #./easyrsa build-server-full ${code_organization} nopass -} - -function ovpn_generate_server_assembly() -{ - cd $CURRDIR - mkdir -p "$CURRDIR/server/${code_organization}/${code_organization}" - cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}/${code_organization} - cp $CURRDIR/pki/dh.pem $CURRDIR/server/${code_organization}/${code_organization} - cp $CURRDIR/pki/issued/${code_organization}.crt $CURRDIR/server/${code_organization}/${code_organization} - cp $CURRDIR/pki/private/${code_organization}.key $CURRDIR/server/${code_organization}/${code_organization} - -cat<<__EOT__>$CURRDIR/server/${code_organization}/${code_organization}.conf -port ${vpn_port} -proto tcp -dev tun -#askpass /etc/openvpn/passwordfile -ca /etc/openvpn/${code_organization}/ca.crt -cert /etc/openvpn/${code_organization}/${code_organization}.crt -key 
/etc/openvpn/${code_organization}/${code_organization}.key -dh /etc/openvpn/${code_organization}/dh.pem -server 10.0.0.0 255.255.0.0 -# GOOD IP RANGES: -# 10.0.0.0 - 10.255.255.255 -# 172.16.0.0 - 172.31.255.255 -# 192.168.0.0 - 192.168.255.255 - -ifconfig-pool-persist /etc/openvpn/${code_organization}/ipp.txt -keepalive 10 120 -comp-lzo -user nobody -group users -persist-key -persist-tun -status /var/log/openvpn-status.log -log-append /var/log/openvpn.log -verb 3 -client-to-client -__EOT__ - - cd $CURRDIR/server/${code_organization} - tar cvfz $CURRDIR/${code_organization}-server.tar.gz . -} -# MAIN - -ovpn_generate_ca -ovpn_generate_server -ovpn_generate_server_assembly diff --git a/iron-vpn/vpn-client b/iron-vpn/vpn-client deleted file mode 100755 index 385489240e626d28589d6f38335be8e014c72c4b..0000000000000000000000000000000000000000 --- a/iron-vpn/vpn-client +++ /dev/null 
@@ -1,125 +0,0 @@ -#! /bin/bash -# Usage: $iron vpn-client <servername> <clientname> -# Summary: create OpenVPN client config -# Help: OpenVPN client config generator - -APPNAME="iron" - -if [ "$#" != "2" ]; then - echo "Usage: vpn-client <servername> <clientname>" - exit 1 -fi - -servername=$1 -vpn_client=$2 -CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg -CFGDIR=$(dirname ${CFG_FILE}) - -CURRDIR=$(pwd) -EASY_RSA_HOME=/usr/share/easy-rsa/ - -test -f $CFG_FILE || echo "No such config: [${CFG_FILE}]" -test -f $CFG_FILE || exit 1 -source ${CFG_FILE} - -function ovpn_generate_client_nopass() -{ - cd $CFGDIR - client_dn=$1 - export KEY_CN=${client_dn} - - ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn} nopass -} - -function ovpn_generate_client_assembly() -{ - cd $CFGDIR - mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}" - cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - -cat<<__EOT__>$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf -client -dev tun -proto tcp -remote ${code_organization} 1194 -resolv-retry infinite -nobind -comp-lzo -persist-key -persist-tun -askpass /etc/openvpn/passwordfile -ca /etc/openvpn/${vpn_client}/ca.crt -cert /etc/openvpn/${vpn_client}/${vpn_client}.crt -key /etc/openvpn/${vpn_client}/${vpn_client}.key -verb 3 -log-append /var/log/openvpn.${code_organization}-client.log -__EOT__ - - cd ./server/${code_organization}-client/${vpn_client} - tar cvfz $CURRDIR/${code_organization}-${vpn_client}.tar.gz . 
-} - -function ovpn_generate_client_android() -{ - ovpnfile=$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn - cd $CFGDIR - mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}" - cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client} - -cat<<__EOT__>$ovpnfile -client -dev tun -proto tcp -remote ${code_organization} 1194 -resolv-retry infinite -nobind -comp-lzo -persist-key -persist-tun -askpass /etc/openvpn/passwordfile -verb 3 -log-append /var/log/openvpn.${code_organization}-client.log -#ca /etc/openvpn/${vpn_client}/ca.crt -#cert /etc/openvpn/${vpn_client}/${vpn_client}.crt -#key /etc/openvpn/${vpn_client}/${vpn_client}.key -__EOT__ - - echo "<ca>" >> $ovpnfile - cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile - echo "</ca>" >> $ovpnfile - - echo "<cert>" >> $ovpnfile - cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt \ - | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \ - >> $ovpnfile - echo "</cert>" >> $ovpnfile - - echo "<key>" >> $ovpnfile - cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \ - >> $ovpnfile - echo "</key>" >> $ovpnfile -} - -# MAIN - -client_password=$(uuidgen) -client_credentials="$CFGDIR/client-${vpn_client}-credentials.txt" -test -d ${CFGDIR} || mkdir -p ${CFGDIR} -echo "credentials for ${code_organization}:${vpn_client}:[${client_password}]">>$client_credentials - -ovpn_generate_client_nopass ${vpn_client} - - -openssl rsa -aes256 -in $CFGDIR/pki/private/${vpn_client}.key\ --out $CFGDIR/pki/private/encrypted-${vpn_client}.key \ --passout 
pass:${client_password}\ -&& \ -mv $CFGDIR/pki/private/encrypted-${vpn_client}.key \ -$CFGDIR/pki/private/${vpn_client}.key - -ovpn_generate_client_android -ovpn_generate_client_assembly diff --git a/iron-vpn/vpn-server b/iron-vpn/vpn-server deleted file mode 100755 index ca833c9de10c808677d636903f8222fca22a99e8..0000000000000000000000000000000000000000 --- a/iron-vpn/vpn-server +++ /dev/null 
@@ -1,143 +0,0 @@ -#! /bin/bash -# Usage: $iron vpn-server <servername> -# Summary: create OpenVPN CA and server config -# Help: OpenVPN CA and server config generator - -APPNAME="iron" - -if [ "$#" != "1" ]; then - echo "Usage: vpn-server <servername>" - exit 1 -fi - -servername=$1 -CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg -CFGDIR=$(dirname ${CFG_FILE}) - -CURRDIR=$(pwd) -cd $(dirname $0) -#EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3 -EASY_RSA_HOME=/usr/share/easy-rsa/ - -function write_empty_config() -{ - test -d ${CFGDIR} || mkdir -p ${CFGDIR} - echo "code_country="> $CFG_FILE - echo "code_province=">> $CFG_FILE - echo "code_city=">> $CFG_FILE - echo "code_organization=${servername}">> $CFG_FILE - echo "code_email=">> $CFG_FILE - echo "vpn_port=1194">> $CFG_FILE - echo "Edit config file: [$CFG_FILE]" - exit 1 -} - -function test_config() -{ - test -f $CFG_FILE || write_empty_config -} - -function ovpn_generate_ca_nopass() -{ - cd ${CFGDIR}; - -VARS_CONTENT=$(cat<<__EOT__ -export KEY_SIZE=2048 -export CA_EXPIRE=3650 -export KEY_EXPIRE=3650 - -export KEY_COUNTRY="${code_country}" -export KEY_PROVINCE="${code_province}" -export KEY_CITY="${code_city}" -export KEY_ORG="${code_organization}" -export KEY_EMAIL="${code_email}" -export KEY_CN=${code_organization} -export KEY_NAME=${code_organization} -export KEY_OU=${code_organization} -__EOT__) - - echo ${VARS_CONTENT} > $CFGDIR/vars - source $CFGDIR/vars - - ${EASY_RSA_HOME}/easyrsa init-pki - #${EASY_RSA_HOME}/easyrsa build-ca - ${EASY_RSA_HOME}/easyrsa build-ca nopass - ${EASY_RSA_HOME}/easyrsa gen-dh - -} - -function ovpn_generate_server_nopass() -{ - cd ${CFGDIR}; - ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization} nopass - # DISCOURAGED: not to give it a pass - #./easyrsa build-server-full ${code_organization} nopass -} - -function ovpn_generate_server_assembly() -{ - cd ${CFGDIR} - mkdir -p "$CFGDIR/server/${code_organization}/${code_organization}" - cp $CFGDIR/pki/ca.crt 
$CFGDIR/server/${code_organization}/${code_organization} - cp $CFGDIR/pki/dh.pem $CFGDIR/server/${code_organization}/${code_organization} - cp $CFGDIR/pki/issued/${code_organization}.crt $CFGDIR/server/${code_organization}/${code_organization} - cp $CFGDIR/pki/private/${code_organization}.key $CFGDIR/server/${code_organization}/${code_organization} - -cat<<__EOT__>$CFGDIR/server/${code_organization}/${code_organization}.conf -port ${vpn_port} -proto tcp -dev tun -#askpass /etc/openvpn/passwordfile -ca /etc/openvpn/${code_organization}/ca.crt -cert /etc/openvpn/${code_organization}/${code_organization}.crt -key /etc/openvpn/${code_organization}/${code_organization}.key -dh /etc/openvpn/${code_organization}/dh.pem -server 10.0.0.0 255.255.0.0 -# GOOD IP RANGES: -# 10.0.0.0 - 10.255.255.255 -# 172.16.0.0 - 172.31.255.255 -# 192.168.0.0 - 192.168.255.255 - -ifconfig-pool-persist /etc/openvpn/${code_organization}/ipp.txt -keepalive 10 120 -comp-lzo -user nobody -group users -persist-key -persist-tun -status /var/log/openvpn-status.log -log-append /var/log/openvpn.log -verb 3 -client-to-client -__EOT__ - - cd $CFGDIR/server/${code_organization} - tar cvfz $CURRDIR/${code_organization}-server.tar.gz . 
-} - -# MAIN - -test_config -source ${CFG_FILE} - - -ca_password=$(uuidgen) -server_password=$(uuidgen) -server_credentials="$CFGDIR/server-credentials.txt" -test -d ${CFGDIR} || mkdir -p ${CFGDIR} -echo "CA password:[${ca_password}]">>$server_credentials -echo "server [$servername] priv key password:[${server_password}]">>$server_credentials - - -ovpn_generate_ca_nopass -ovpn_generate_server_nopass - -openssl rsa -aes256 -in ${CFGDIR}/pki/private/ca.key -out ${CFGDIR}/pki/private/encrypted-ca.key \ - -passout pass:${ca_password}\ - && mv ${CFGDIR}/pki/private/encrypted-ca.key ${CFGDIR}/pki/private/ca.key - -openssl rsa -aes256 -in ${CFGDIR}/pki/private/${code_organization}.key -out ${CFGDIR}/pki/private/encrypted-${code_organization}.key\ - -passout pass:${server_password}\ - && mv ${CFGDIR}/pki/private/encrypted-${code_organization}.key $CFGDIR/pki/private/${code_organization}.key - -ovpn_generate_server_assembly