forked from cgzones/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 11
/
revoke-cert
executable file
·169 lines (142 loc) · 4.72 KB
/
revoke-cert
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/usr/bin/env bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <[email protected]>
# Christian Göttsche <[email protected]>
set -eu
set -o pipefail
umask 0077
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source "${BIN_DIR}/functions"
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 -c CERT"
echo "Revokes a certificate issued by this CA"
echo
echo "Options:"
echo " -c CERT Path the the certificate file to be revoked"
echo
}
if [ ! -f ca/ca.crt ]; then
echo -e "$ERR Must be run inside a CA directory!"
exit 2
fi
CERT=
while getopts c:h FLAG; do
case $FLAG in
c) CERT=${OPTARG} ;;
h) echo -e -n "$SUCC " && usage && exit 0 ;;
*) echo -e -n "$ERR " && usage && exit 2;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "${CERT}" = "" ]; then
echo -e -n "$ERR " && usage && exit 1
fi
# Fully-qualify path to cert
CERT_PATH=$( fullpath "${CERT}" )
echo -e "$SUCC Revoking certificate '${CERT_PATH}'"
if [ ! -f "${CERT_PATH}" ]; then
echo -e "$ERR Can not find certificate '${CERT_PATH}', exiting."
exit 1
fi
if ssh-keygen -lvf "$CERT_PATH" 2>/dev/null; then
if ssh-keygen -Lf "$CERT_PATH" 2>/dev/null; then
echo -e "$NOTE Detected SSH certificate; revoke by serial."
SSH_REVOKE="serial: $(ssh-keygen -Lf "$CERT_PATH" | grep Serial | awk '{print $2;}')"
elif ssh-keygen -y -f $CERT_PATH >/dev/null 2>/dev/null ; then
REPLY=$(ssh-keygen -y -f $CERT_PATH)
echo -e "$NOTE Detected SSH [private] key; revoke by sha1."
SSH_REVOKE="sha1: $REPLY"
else
echo -e "$NOTE Detected SSH [public] key; revoke by sha1."
SSH_REVOKE="sha1: $(cat "$CERT_PATH")"
fi
pushd "${BIN_DIR}/.." > /dev/null
echo -e "$SUCC You are about to revoke this."
echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: "
read -r SURE
if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
echo -e "$ERR Exiting."
exit 1
fi
REVOKE_TMP=$(mktemp -u)
mkfifo -m 600 $REVOKE_TMP
echo $SSH_REVOKE > $REVOKE_TMP &
ssh-keygen -k $( [ -f ca/ssh/revoke ] && echo "-u" ) -s ca/ssh/ca.ssh.pub -f ca/ssh/revoke $REVOKE_TMP
rm $REVOKE_TMP
! ssh-keygen -Q -f ca/ssh/revoke "$CERT_PATH"
popd > /dev/null
echo -e "$NOTE Remember to update sshd_config with: RevokedKeys ca/ssh/revoke"
echo -e "$SUCC Server certificate '${CERT_PATH}' revoked."
exit 0
fi
echo -e "$NOTE Verifying trusted chain"
openssl verify -CAfile ca/chain.pem "$CERT_PATH"
issuer_hash=$(openssl x509 -in "$CERT_PATH" -issuer_hash -noout)
ca_hash=$(openssl x509 -in ca/ca.crt -hash -noout)
if [ "x$issuer_hash" != "x$ca_hash" ]; then
echo -e "$ERR certificate was not issued by current CA, exiting. ($issuer_hash vs. $ca_hash)"
exit 1
fi
pushd "${BIN_DIR}/.." > /dev/null
echo "Reason for revocation: "
echo
echo "1. unspecified"
echo "2. keyCompromise"
echo "3. CACompromise"
echo "4. affiliationChanged"
echo "5. superseded"
echo "6. cessationOfOperation"
echo "7. certificateHold"
echo
echo -e -n "$INPUT Enter 1-7 [1]: "
read -r INDEX
[ -z "${INDEX}" ] && INDEX="1"
case $INDEX in
1) REASON="unspecified" ;;
2) REASON="keyCompromise" ;;
3) REASON="CACompromise" ;;
4) REASON="affiliationChanged" ;;
5) REASON="superseded" ;;
6) REASON="cessationOfOperation" ;;
7) REASON="certificateHold" ;;
*) echo -e "$ERR Unknown reason, exiting."; exit 1 ;;
esac
echo
echo -e "$SUCC You are about to revoke this certificate with reason '${REASON}'."
echo
echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: "
read -r SURE
if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
echo -e "$ERR Exiting."
exit 1
fi
echo >&2
export CA_PASS=$(ask_pass_once "Enter passphase for signing CA key:" "CA_ROOT_PASS_DEFAULT" "${ROOT_PASS:-""}")
echo >&2
echo -e "$NOTE Revoke the certificate"
openssl_engine_cmd="\
-engine pkcs11 \
-keyform engine \
-keyfile pkcs11:object=SIGN%20key"
openssl ca \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
-config ca/ca.conf \
-revoke "${CERT_PATH}" \
-crl_reason "${REASON}" \
-passin env:CA_PASS
echo -e "$NOTE Regenerate the CRL"
openssl_engine_cmd="\
-engine pkcs11 \
-keyform engine \
-keyfile pkcs11:object=SIGN%20key"
openssl ca -gencrl \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
-config ca/ca.conf \
-out ca/ca.crl \
-passin env:CA_PASS
popd > /dev/null
echo -e "$SUCC Server certificate '${CERT_PATH}' revoked."