#!/bin/bash
# include other bash scripts (libraries)
. ./inc/ssl_config_parser.sh
. ./inc/output.sh
# include "config file"
. ./conf.sh
# little bugfix: exported so it is present in the environment of the openssl
# processes started later (presumably looked up from openssl.cnf — confirm)
export ALTNAME=""
VERSION="1.1.1"
OPENSSLCONF="openssl.cnf" # path to openssl.cnf; a relative path is resolved against the working directory
#
# CA variables
#
# All CURRENTCA* values start empty and are expected to be filled in by
# set_ca_variables (inc/ssl_config_parser.sh) from the selected CA section —
# see change_ca below; only the variable names are visible here.
#
CURRENTCA="" # name of current used CA
CURRENTCADIR="" # path to current used CA
CURRENTCACERTDIR="" # path to cert folder of current used CA
CURRENTCADB="" # path to database (index file) of current used CA
CURRENTCANEWCERTDIR="" # path to new cert folder of current used CA
CURRENTCACERT="" # path to certificate of current used CA
CURRENTCASERIAL="" # path to serial of current used CA
CURRENTCACRLDIR="" # path to crl folder of current used CA
CURRENTCACRLNUMBER="" # path to crl number of current used CA
CURRENTCACRL="" # path to certificate revocation list of current used CA
CURRENTCAPRIVATEKEY="" # path to private key of current used CA (its directory is derived with ${CURRENTCAPRIVATEKEY%/*})
CURRENTCARANDFILE="" # path to rand file of current used CA
CURRENTCACSRDIR="" # path to Certificate signing requests files
###############################################################################
#
# FUNCTIONS
#
###############################################################################
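#
# changes the CA / the values of CURRENTCA*
#
# Presents the CA sections found in openssl.cnf (CAarray) as a numbered menu,
# then loads the chosen section into the CURRENTCA* variables and checks its
# directory layout with check_ca_file_structure.
# Globals:  CAarray, ssl_filecontent (read); CURRENTCA, ca_section_content
#           and, through set_ca_variables, the CURRENTCA* paths (written)
# Returns:  1 when no CA was chosen (EOF on the prompt), otherwise the status
#           of check_ca_file_structure
#
change_ca()
{
  local ca
  PS3="Select a CA: "
  # select leaves $ca empty on an out-of-range or non-numeric reply; breaking
  # out unconditionally used to continue with an empty CA name, so keep
  # prompting until a listed entry is picked. The array is quoted so entries
  # containing glob characters are not expanded against the file system.
  select ca in "${CAarray[@]}"; do
    if [[ -n "$ca" ]]; then
      break
    fi
    echo "Invalid selection"
  done
  # EOF (Ctrl-D) on the prompt ends the loop without a choice
  if [[ -z "$ca" ]]; then
    echo "[X] ERROR: no CA selected" >&2
    return 1
  fi
  # $ssl_filecontent and $ca_section_content are deliberately left unquoted:
  # the parser functions in inc/ssl_config_parser.sh are called that way
  # everywhere in this script and their argument contract is not visible
  # here — TODO confirm before quoting them.
  ca_section_content=$(ssl_get_ca_dir $ssl_filecontent "$ca")
  set_ca_variables $ca_section_content
  CURRENTCA=$ca
  check_ca_file_structure
}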
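#
# ca_ensure_dir LABEL DIR [MODE]
# Creates DIR (and missing parents) when it does not exist, after printing
# the usual "[+] The LABEL does not exist, it'll be created" warning.
# MODE, when given, is the permission mode of the newly created directory;
# an already existing directory is left untouched.
# Returns: 0 when DIR exists afterwards, 1 on an empty DIR or a failed mkdir
#
ca_ensure_dir()
{
  local label=$1 dir=$2 mode=${3:-}
  if [[ -z "$dir" ]]; then
    # an empty path would make mkdir fail with a confusing message
    printf '[X] ERROR: no path configured for the %s\n' "$label" >&2
    return 1
  fi
  [[ -d "$dir" ]] && return 0
  echo_warning
  echo "[+] The ${label} does not exist, it'll be created"
  if [[ -n "$mode" ]]; then
    mkdir -p -m "$mode" -- "$dir"
  else
    mkdir -p -- "$dir"
  fi
}
#
# ca_ensure_file LABEL FILE [CONTENT]
# Creates FILE when it does not exist, after printing the usual warning.
# CONTENT, when given, is written as the single line of the new file;
# without it the file is created empty. An existing file is left untouched.
# Returns: 0 when FILE exists afterwards, 1 on an empty FILE or a write error
#
ca_ensure_file()
{
  local label=$1 file=$2 content=${3:-}
  if [[ -z "$file" ]]; then
    printf '[X] ERROR: no path configured for the %s\n' "$label" >&2
    return 1
  fi
  [[ -e "$file" ]] && return 0
  echo_warning
  echo "[+] The ${label} does not exist, it'll be created"
  if [[ -n "$content" ]]; then
    printf '%s\n' "$content" > "$file"
  else
    : > "$file"
  fi
}
#
# checks whether the file structure for CURRENTCA exists.
# Missing pieces are created one by one (each creation is announced with an
# echo_warning line); an existing CA directory is reported with echo_success.
#
# Fixes two defects of the earlier version: when the CA directory already
# existed, a missing serial file was created empty while the first serial was
# written into the index/database — the other way round from the fresh-CA
# branch — and every path was expanded unquoted. The private key directory is
# now created with mode 0700 so the CA key is never readable by other users
# (an existing directory keeps its mode).
# Globals:  CURRENTCADIR, CURRENTCACERTDIR, CURRENTCANEWCERTDIR,
#           CURRENTCACRLDIR, CURRENTCAPRIVATEKEY, CURRENTCACSRDIR,
#           CURRENTCASERIAL, CURRENTCADB, CURRENTCACRLNUMBER (read);
#           FIRSTSERIAL, FIRSTCRLSERIAL — expected from conf.sh (read)
# Returns:  0 when the whole structure exists afterwards, 1 on the first
#           failure (empty path, mkdir or write error)
#
check_ca_file_structure()
{
  # NOTE: if CURRENTCAPRIVATEKEY holds no "/", this is the key path itself,
  # as in the earlier version — presumably the config always uses a full path
  local priv_dir=${CURRENTCAPRIVATEKEY%/*}
  if [[ -z "$CURRENTCADIR" ]]; then
    echo_failure
    echo "[X] ERROR: no CA directory configured for ${CURRENTCA}"
    return 1
  fi
  if [[ ! -d "$CURRENTCADIR" ]]; then
    echo_warning
    echo "[+] The CA directory does not exist, it'll be created"
    mkdir -p -- "$CURRENTCADIR" || return 1
  else
    echo_success
    echo "[+] The CA directory exists"
  fi
  ca_ensure_dir "cert directory" "$CURRENTCACERTDIR" || return 1
  ca_ensure_dir "new cert directory" "$CURRENTCANEWCERTDIR" || return 1
  ca_ensure_dir "crl directory" "$CURRENTCACRLDIR" || return 1
  # the CA private key lives here: owner-only access
  ca_ensure_dir "private directory" "$priv_dir" 0700 || return 1
  ca_ensure_dir "CSR directory" "$CURRENTCACSRDIR" || return 1
  # serial and crl number files carry the first serial; the database starts empty
  ca_ensure_file "serial file" "$CURRENTCASERIAL" "$FIRSTSERIAL" || return 1
  ca_ensure_file "database" "$CURRENTCADB" || return 1
  ca_ensure_file "crl number file" "$CURRENTCACRLNUMBER" "$FIRSTCRLSERIAL" || return 1
}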
###############################################################################
#
# INITAL CHECKS
#
###############################################################################
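#
# check whether openssl.cnf exists and is readable
#
# The path is quoted: an unquoted, empty OPENSSLCONF turned the test into
# "[ -f ]", which is true, so a missing configuration path passed this check.
#
if [[ -f "$OPENSSLCONF" && -r "$OPENSSLCONF" ]]; then
  echo_success
  echo "[+] ${OPENSSLCONF} exists and is readable"
else
  echo_failure
  echo "[X] ERROR: ${OPENSSLCONF} does not exist or is not readable"
  exit 1
fi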
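#
# get default CA
#
# $ssl_filecontent is deliberately left unquoted below: the parser functions
# in inc/ssl_config_parser.sh are called that way everywhere in this script
# and their argument contract is not visible here — TODO confirm before
# quoting. The CA name itself is quoted so a value with spaces cannot turn
# the emptiness test into a "too many arguments" error.
#
ssl_filecontent=$(ssl_read_config "$OPENSSLCONF")
DEFAULTCA=$(ssl_get_default_ca $ssl_filecontent)
if [[ -z "$DEFAULTCA" ]]; then
  echo_failure
  echo "[X] ERROR: ${OPENSSLCONF} contains no default CA"
  exit 1
else
  echo_success
  echo "[-] Found default CA: ${DEFAULTCA}"
  CURRENTCA=$DEFAULTCA
fi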
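#
# get all defined CA's
#
# $ssl_filecontent is deliberately left unquoted (see the default-CA lookup
# above; the parser's argument contract is not visible here).
#
ssl_CAS=$(ssl_get_all_cas $ssl_filecontent)
# convert the space separated list to an array. IFS is set for the read
# builtin only, so it needs no saving/restoring; -r keeps a backslash in a
# section name literal. Only the first line of $ssl_CAS is consumed —
# presumably the list is always a single line, confirm against ssl_get_all_cas.
IFS=' ' read -r -a CAarray <<< "$ssl_CAS"
if (( ${#CAarray[@]} == 0 )); then
  echo_failure
  echo "[X] ERROR: No CA definition found"
  exit 1
else
  echo_success
  echo "[-] Found ${#CAarray[@]} CA sections"
fi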
###############################################################################
#
# MAIN
#
###############################################################################
#
# VARIABLES
#
# banner shown above the menu; the escapes are interpreted by "echo -e" later
GREET="LinuxM0nk3y's Certificate Authority Management\n\t\t\t\tVersion ${VERSION}"
# Strings for the main menu, one entry per line; the position (1-based)
# is the number the user types and is matched in the main select loop
MAINMENU=(
  "Create a self signed certificate"       # 1
  "Create a certificate signing request"   # 2
  "Create a certificate revocation list"   # 3
  "Sign a certificate"                     # 4
  "Revoke a certificate"                   # 5
  "Verify a certificate"                   # 6
  "Print content of a certificate"         # 7
  "Export a certificate to PKCS#12"        # 8
  "Change CA"                              # 9
  "Split private key"                      # 10
  "Combine private key"                    # 11
  "Shred private key"                      # 12
  "Quit"                                   # 13
)
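#
# Read CA variables (path, path to files, etc.) and check file structure
#
# The CA name is quoted; $ssl_filecontent and $ca_section_content are
# deliberately left unquoted because the parser functions in
# inc/ssl_config_parser.sh are called that way everywhere in this script and
# their argument contract is not visible here — TODO confirm before quoting.
#
ca_section_content=$(ssl_get_ca_dir $ssl_filecontent "$CURRENTCA")
set_ca_variables $ca_section_content
# check file structure for DEFAULTCA; do not start the menu on a CA whose
# directories or serial files could not be set up
if ! check_ca_file_structure; then
  echo_failure
  echo "[X] ERROR: Could not set up the file structure for ${CURRENTCA}"
  exit 1
fi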
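#
# clear screen and show menu
#
# show_header: redraw the screen — greeter plus the summary of the current
# CA (name, private key path, certificate path) — and reset the select
# prompt. Used before the menu is first shown and after every action, which
# were previously two identical copies of the same four commands.
# Globals: GREET, CURRENTCA, CURRENTCAPRIVATEKEY, CURRENTCACERT (read);
#          PS3 (written)
#
show_header()
{
  clear
  # display greeter
  echo -e "\t\t$GREET\n\n"
  # display current ca infos (quoted so a path with spaces stays one argument)
  echo_ca_info "$CURRENTCA" "$CURRENTCAPRIVATEKEY" "$CURRENTCACERT"
  # change the input text
  PS3="Select an option: "
}
show_header
# show main menu: $REPLY is the number typed, $opt the matching MAINMENU entry
select opt in "${MAINMENU[@]}"
do
  case "$REPLY" in
    1) # Create a self signed certificate
      ssl_create_selfsigned_cert
      ;;
    2) # Create a certificate signing request
      ssl_create_signing_request
      ;;
    3) # Create a certificate revocation list
      ssl_create_crl
      ;;
    4) # Sign a certificate
      ssl_sign_certificate
      ;;
    5) # Revoke a certificate
      ssl_revoke_cert
      ;;
    6) # Verify/Display a certificate
      ssl_verify_cert
      ;;
    7) # Print content of a certificate
      ssl_print_cert
      ;;
    8) # Export a certificate to PKCS#12
      ssl_export_cert
      ;;
    9) # Change CA
      change_ca
      ;;
    10) # Split private key
      ssl_split_key
      ;;
    11) # Combine private key
      ssl_combine_key
      ;;
    12) # Delete private key (shred)
      ssl_shred_key
      ;;
    13) # Quit
      exit 0
      ;;
    *) # invalid option
      echo "Invalid option"
      ;;
  esac
  echo -e "\n"
  # -n 1: any single key returns to the menu; -r keeps a typed backslash literal
  read -r -p "Press ENTER to go back to the main menu" -n 1
  show_header
done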