#!/usr/bin/env bash
# Fail fast: abort on any failing command, on use of an unset variable, and on
# a failure in any stage of a pipeline. Set via 'set' rather than in the shebang
# so the options survive being run as "bash root.sh".
set -euo pipefail
# ARG_POSITIONAL_SINGLE([root_domain],[domain for the root CA],[])
# ARG_OPTIONAL_BOOLEAN([keep-private-key],[],[keep the private key around after importing it to the YubiKey])
# ARG_OPTIONAL_SINGLE([ttl],[],[root CA ttl in days],[7300])
# ARG_HELP([Generate an X.509 Root CA keypair for the specified domain and load it into your YubiKey.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.10.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Argbash-generated: print an error message to stderr and exit. Regenerate from
# the ARG_* directives at the top of the file instead of editing by hand.
# Arguments: $1 - message to print
#            $2 - exit status (defaults to 1)
# Globals:   _PRINT_HELP (read) - when "yes", the usage text is printed to
#            stderr before the message (callers set it as a prefix assignment)
die() {
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
# All messages in this file start with a plain word, so echo's option
# parsing (-n/-e) is not a concern here.
echo "$1" >&2
exit "${_ret}"
}
# Argbash-generated helper: succeed (return 0) when the first character of $1
# is one of the known short options ('h' only), otherwise return 1.
# Not referenced anywhere else in this file as shown; kept because the
# generator emits it unconditionally.
# Arguments: $1 - a command-line word such as "-h" or "-hfoo"
begins_with_short_option() {
local first_option all_short_options='h'
first_option="${1:0:1}"
# Deleting the character from the option list changes nothing iff it was
# not present, so "unchanged" means "not a short option".
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
# --keep-private-key is off by default: key.pem is deleted after the YubiKey
# import (see the rm at the end of the script).
_arg_keep_private_key="off"
# --ttl: root CA lifetime in days; handed to 'openssl req -days' unchanged.
_arg_ttl="7300"
# Argbash-generated: print the usage text (one line per option) to stdout.
# die() redirects this to stderr when _PRINT_HELP=yes; -h/--help prints it to
# stdout. Regenerate from the ARG_* directives instead of editing by hand.
print_help() {
printf '%s\n' "Generate an X.509 Root CA keypair for the specified domain and load it into your YubiKey."
printf 'Usage: %s [--(no-)keep-private-key] [--ttl <arg>] [-h|--help] <root_domain>\n' "$0"
printf '\t%s\n' "<root_domain>: domain for the root CA"
printf '\t%s\n' "--keep-private-key, --no-keep-private-key: keep the private key around after importing it to the YubiKey (off by default)"
printf '\t%s\n' "--ttl: root CA ttl in days (default: '7300')"
printf '\t%s\n' "-h, --help: Prints help"
}
# Argbash-generated option parser; regenerate from the ARG_* directives at the
# top of the file instead of editing by hand.
# Arguments: the script's command line ("$@")
# Globals (written): _arg_keep_private_key, _arg_ttl, _positionals,
#                    _positionals_count, _last_positional, _key
# Note: anything that matches no arm below — including unknown "--flags" — is
# collected as a positional argument; the count is only checked afterwards by
# handle_passed_args_count.
parse_commandline() {
_positionals_count=0
while test $# -gt 0; do
_key="$1"
case "$_key" in
# Both spellings share one arm; the "--no-" prefix flips the value back off.
--no-keep-private-key | --keep-private-key)
_arg_keep_private_key="on"
test "${1:0:5}" = "--no-" && _arg_keep_private_key="off"
;;
# "--ttl <value>": the value is consumed here, hence the extra shift.
--ttl)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_ttl="$2"
shift
;;
# "--ttl=<value>": strip the option prefix to get the value.
--ttl=*)
_arg_ttl="${_key##--ttl=}"
;;
-h | --help)
print_help
exit 0
;;
# Any word starting with "-h" (e.g. "-hx") also shows help and exits.
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
# Argbash-generated: abort (printing usage to stderr) unless parse_commandline
# collected exactly one positional argument.
# Globals (read): _positionals_count, _last_positional
# The "_PRINT_HELP=yes" prefix is a per-call assignment that makes die() emit
# the usage text before the message.
handle_passed_args_count() {
local _required_args_string="'root_domain'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
# Argbash-generated: bind the collected positionals to named variables.
# Arguments: $1 - number of leading arguments to drop (the caller passes 1, so
#                 $1 itself is the only word dropped)
#            $2.. - the positional values, in order
# Globals (written): _positional_names (not declared local), _arg_root_domain
assign_positional_args() {
local _positional_name _shift_for=$1
# Space-separated list of target variable names, one per expected positional.
_positional_names="_arg_root_domain "
shift "$_shift_for"
for _positional_name in ${_positional_names}; do
test $# -gt 0 || break
# The variable name is a fixed identifier and "\${1}" is escaped, so eval only
# performs the assignment; the user-supplied value is never re-parsed.
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
# Run the generated parser: collect options and positionals, enforce the
# "exactly one positional" rule, then bind it to _arg_root_domain. The leading
# 1 tells assign_positional_args how many of its own arguments to skip.
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
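# --- Input validation -------------------------------------------------------
# root_domain becomes a directory name, is interpolated into the OpenSSL config
# below and ends up in the certificate's CN and nameConstraints, so restrict it
# to plain hostname characters: no '/', no leading '.', no whitespace and no
# config-file metacharacters such as '[' or '='. Internationalised names must
# be supplied in their punycode (xn--) form.
if [[ ! "$_arg_root_domain" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  die "FATAL ERROR: '$_arg_root_domain' is not a plain hostname; only letters, digits, '.' and '-' are accepted." 1
fi
# --ttl is handed to 'openssl req -days' and must be a whole number of days.
if [[ ! "$_arg_ttl" =~ ^[0-9]+$ ]]; then
  die "FATAL ERROR: --ttl must be a non-negative integer number of days, got '$_arg_ttl'." 1
fi

# Output locations: every artefact lives in a directory named after the domain.
keyOut="$_arg_root_domain/key.pem"
crtOut="$_arg_root_domain/crt.pem"
confOut="$_arg_root_domain/crt.conf"

mkdir -p -- "$_arg_root_domain"

# Generate the CA private key under a restrictive umask so key.pem is created
# owner-only instead of inheriting the caller's umask; the subshell keeps the
# umask change from leaking into the rest of the script.
(umask 077 && openssl genrsa -out "$keyOut" 2048)

# Self-signed root profile: pathlen:1 allows exactly one intermediate tier, and
# the nameConstraints confine every leaf to the given domain. The IP subtrees
# permit only the single addresses 0.0.0.0 and ::, which effectively forbids
# IP SANs anywhere below this root.
cat >"$confOut" <<EOF
[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=$_arg_root_domain Root CA
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,@nc
[ nc ]
permitted;otherName=1.3.6.1.5.5.7.8.7;IA5:$_arg_root_domain
permitted;email.0=$_arg_root_domain
permitted;email.1=.$_arg_root_domain
permitted;DNS=$_arg_root_domain
permitted;URI.0=$_arg_root_domain
permitted;URI.1=.$_arg_root_domain
permitted;IP.0=0.0.0.0/255.255.255.255
permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
EOF

# Self-sign the root with serial 1; -days comes from --ttl (default 7300).
openssl req -new -sha256 -x509 -set_serial 1 -days "$_arg_ttl" \
  -config "$confOut" -key "$keyOut" -out "$crtOut"
# Serial-number file for certificates later issued with this CA.
printf '01\n' >"$_arg_root_domain/crt.srl"

printf '%s\n' 'WARNING: Slot 9c on your YubiKey PIV application will be overwritten!'
# NOTE(review): -k is yubico-piv-tool's management-key option; passing the key
# file path as its value looks unintended, since the key material itself is
# supplied on stdin below. Confirm whether a bare -k (prompt for the management
# key) was meant.
yubico-piv-tool -k "$keyOut" -a import-key -s 9c --pin-policy=always --touch-policy=always <"$keyOut"
yubico-piv-tool -k "$keyOut" -a import-certificate -s 9c <"$crtOut"

# Unless --keep-private-key was given, drop the on-disk copy now that the key
# lives in the token. Plain rm does not scrub the bytes from the underlying
# storage; generate on an encrypted volume if that matters.
if [[ "$_arg_keep_private_key" == "off" ]]; then
  rm -- "$keyOut"
fi

# Next steps for the operator; '\$' keeps the prompt marker literal.
cat <<EOF
You can view the contents of your certificate. Run:
# On Nix:
\$ nix-shell --run "openssl x509 -in $crtOut -text -noout"
# Otherwise:
\$ openssl x509 -in $crtOut -text -noout
You should add the root CA to your trusted CA store. On Mac, run:
\$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $_arg_root_domain/crt.pem
EOF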
# ] <-- needed because of Argbash