iron.git

commit d27125cad9f0e0c6c7710121a480a4830c19396d

Author: Paolo Lulli <paolo@lulli.net>

Add intermediate CA feature

 iron/libexec/iron/iron-ca | 113 +++++++++++++++++++++++++++++++++++++++-


diff --git a/iron/libexec/iron/iron-ca b/iron/libexec/iron/iron-ca
index f1b5271c9d5098a986e51b989345f300fe30b058..7a010d2a9d76b02b0aaf0688d3dedf8d97cbe9fd 100755
--- a/iron/libexec/iron/iron-ca
+++ b/iron/libexec/iron/iron-ca
@@ -1,5 +1,5 @@
 #! /bin/bash
-# Usage: iron ca <setup|create|delete|reset>
+# Usage: iron ca <setup|create|delete|reset> [intermediate]
 # Summary: manage CA
 # Help: This command groups commands used to setup config create delete a CA
 
@@ -21,6 +21,22 @@   openssl req    -batch -new -key $CAPATH/ca.key -out $CAPATH/ca.csr -config $CA_CONFIG_FILE
   openssl x509   -req   -days ${CA_DAYS} -in $CAPATH/ca.csr -signkey $CAPATH/ca.key -out $CAPATH/ca.crt -extensions v3_ca -extfile $RCDIR/CA/conf/openssl-ca-extensions.conf
 }
 
+function intermediate_create()
+{
+  intermediate=$1
+  test -d $CAPATH/$intermediate   || mkdir -p ./$CAPATH/$intermediate
+  CA_DAYS=3650
+  openssl genrsa -out $CAPATH/$intermediate-ca.key ${KEYSIZE}
+  openssl req    -batch -new -key $CAPATH/$intermediate-ca.key \
+  -out $CAPATH/$intermediate-ca.csr -config $CA_CONFIG_FILE
+  openssl x509 -req -days ${CA_DAYS} \
+  -in $CAPATH/$intermediate-ca.csr \
+  -signkey $CAPATH/$intermediate-ca.key \
+  -out $CAPATH/$intermediate-ca.crt \
+  -extensions v3_intermediate_ca \
+  -extfile $RCDIR/CA/$intermediate/conf/openssl-intermediate-extensions.conf
+}
+
 function ca_home_setup_delete()
 {
   echo "About to DELETE ca: are you sure? y/n"
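Review bot: The certificate produced on L35-L40 is self-signed (`-signkey` with the intermediate's own key), so what comes out is a second root rather than an intermediate: nothing chains it to the root CA, and the `authorityKeyIdentifier = keyid:always,issuer` extension from the generated config will just point at itself. To make it an intermediate the CSR has to be issued by the root's key and certificate; the root's files appear to be `$RCDIR/CA/ca.key` and `$RCDIR/CA/ca.crt` (L24 writes `$CAPATH/ca.key`, and the root's `CAPATH` is set in `ca_home_setup_write`, outside this hunk — confirm the path). Two smaller things in the same function: `mkdir -p ./$CAPATH/$intermediate` on L30 turns the absolute `CAPATH` into a path relative to the current directory (and creates a `$intermediate/$intermediate` directory nothing else uses), and `CA_DAYS=3650` on L31 silently overrides whatever the sourced rc file set. `ca_home_setup_delete` at the end of this hunk continues outside it.
```shell
  # … unchanged: genrsa and req -new for $intermediate-ca …
  # Issue the intermediate from the root CA instead of self-signing it.
  openssl x509 -req -days "${CA_DAYS}" \
    -in "$CAPATH/$intermediate-ca.csr" \
    -CA "$RCDIR/CA/ca.crt" -CAkey "$RCDIR/CA/ca.key" -CAcreateserial \
    -out "$CAPATH/$intermediate-ca.crt" \
    -extensions v3_intermediate_ca \
    -extfile "$RCDIR/CA/$intermediate/conf/openssl-intermediate-extensions.conf"
```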
@@ -33,6 +49,73 @@     exit -1
   fi
 }
 
+function intermediate_home_setup_delete()
+{
+  intermediate=$1
+  echo "About to DELETE ca: are you sure? y/n"
+  read confirmation
+  if [ "$confirmation" = "y" ]; then
+    (rm -fr  $RCDIR/CA/$intermediate ;  rm $RCFILE) && echo "CA DELETED"
+  else
+    echo "SKIPPING"
+    exit -1
+  fi
+}
+
+function intermediate_home_setup_write()
+{
+  intermediate=$1
+  test -d $RCDIR/CA/$intermediate && ( echo "CA exist, please delete before" && exit -1)
+  test -d $RCDIR/CA/$intermediate || mkdir -p $RCDIR/CA/$intermediate
+  test -d $RCDIR/CA/$intermediate/conf || mkdir -p $RCDIR/CA/$intermediate/conf
+  echo "CAPATH=$RCDIR/CA/$intermediate">${RCFILE}
+  echo "CA_CONFIG_FILE=$RCDIR/CA/$intermediate/conf/openssl-intermediate.conf">>${RCFILE}
+	cat<<__EOF__ >$RCDIR/CA/$intermediate/conf/openssl-intermediate-extensions.conf
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+__EOF__
+  
+  
+	cat<<__EOF__ >$RCDIR/CA/$intermediate/conf/openssl-intermediate.conf
+#RANDFILE               = $ENV::HOME/.rnd
+
+[ req ]
+default_bits           = ${KEYSIZE}
+default_keyfile        = keyfile.pem
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+#output_password        = abadpass
+default_days		=3650
+#x509_extensions     = v3_ca
+
+
+[ req_distinguished_name ]
+C                      = SE
+ST                     = Sweden
+L                      = Gotenburg
+O                      = kevwe.se
+OU                     = kevwe.se
+CN                     = kevwe.se
+emailAddress           = cto@kevwe.se
+
+[ req_attributes ]
+challengePassword      = blablabla
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+__EOF__
+}
+
 function ca_home_setup_write()
 {
   test -d $RCDIR/CA && ( echo "CA exist, please delete before" && exit -1)
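Review bot: `rm -fr $RCDIR/CA/$intermediate` on L56 runs on a name taken straight from the command line with no validation or quoting, so `iron ca delete ''` removes the whole `$RCDIR/CA` tree including the root CA, and a name such as `../..` walks out of it entirely. Restrict the name before any path is built from it and guard the expansion: `[[ "$intermediate" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid CA name" >&2; exit 1; }` and `rm -fr -- "${RCDIR:?}/CA/${intermediate:?}"`; the prompt on L53 should also say which CA is about to go. Separately, the guard on L66 runs `exit -1` inside a `( … )` subshell, so an existing intermediate is reported but the function carries on and overwrites its rc file and both conf files; use `{ …; exit 1; }` or an `if` so it actually stops. The `ca_home_setup_write` body at the end of this hunk continues outside it.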
@@ -119,6 +202,26 @@
 __EOF__
 }
 
+if [ "$#" = 2 ];then
+  operation=$1
+  intermediate=$2
+  RCFILE="$HOME/"."$APPNAME/$intermediate-ca"".env"
+  if [ "$operation" = "create" ]; then
+    test -f ${RCFILE} || ( intermediate_home_setup_write $intermediate; echo "Edit values in ${RCFILE}"; exit -1)
+    source ${RCFILE}
+    intermediate_create $intermediate
+    exit 0
+  fi
+  if [ "$operation" = "setup" ]; then
+    test -f ${RCFILE} || ( intermediate_home_setup_write $intermediate ; echo "Edit values in ${RCFILE}"; exit 0)
+    exit 0
+  fi
+  if [ "$operation" = "delete" ]; then
+    intermediate_home_setup_delete $intermediate
+    exit 0
+  fi
+fi
+
 if [ "$#" = 1 ];then
   operation=$1
   RCFILE="$HOME/"."$APPNAME/default-ca"".env"
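Review bot: On L129 the `exit -1` runs inside the `( … )` subshell, so when the rc file does not exist yet the script prints `Edit values in …` and then continues: L130 sources the file `intermediate_home_setup_write` just wrote and L131 creates the intermediate with the template's placeholder subject (`CN = kevwe.se`) and `challengePassword`, before the user has had any chance to edit them. Replace the subshell with a group so the exit is real: `test -f "${RCFILE}" || { intermediate_home_setup_write "$intermediate"; echo "Edit values in ${RCFILE}"; exit 1; }`. `$intermediate` is also spliced unchecked into `RCFILE` on L127 and into every path derived from it below; whatever name validation is adopted belongs here, before the first `if`, since all three operations share it. `exit -1` is not a valid status and is reported as 255; use a small positive code.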
@@ -126,16 +229,18 @@   if [ "$operation" = "create" ]; then
     test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit -1)
     source ${RCFILE}
     ca_create
+    exit 0
   fi
   if [ "$operation" = "setup" ]; then
     test -f ${RCFILE} || ( ca_home_setup_write ; echo "Edit values in ${RCFILE}"; exit 0)
     #source ${RCFILE}
+    exit 0
   fi
   if [ "$operation" = "delete" ]; then
     ca_home_setup_delete
+    exit 0
   fi
-else
-  echo "Usage: iron ca <create|setup|delete>"
-  exit -1
 fi
 
+echo "Usage: iron ca <create|setup|delete> [intermediate]"
+exit -1
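Review bot: The usage string on L167 omits `reset`, which the header comment on L19 of this same commit still advertises, while no `reset` branch exists in either the one-argument or the two-argument dispatch; either drop it from the header or say which one is intended. Usage text is a diagnostic and belongs on stderr with a conventional status rather than `exit -1` (reported by the shell as 255): `echo "Usage: iron ca <create|setup|delete> [intermediate]" >&2` followed by `exit 2`.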