From ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Mon, 2 Sep 2019 11:47:33 +0200
Subject: sign-ca functional
---
sign-ca.in | 96 ++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 56 insertions(+), 40 deletions(-)
(limited to 'sign-ca.in')
diff --git a/sign-ca.in b/sign-ca.in
index 8d2f4b2..beab6da 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -1,11 +1,9 @@
 #!/bin/bash
-# generate new ca certificate, roll over the old one(s)
+# generate new ca certificates, roll over the old one(s)
 set -e
-key_dir='#ETCDIR#/simple-pki/keys'
-
 if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
 . '#ETCDIR#/simple-pki/ca.conf'
 fi
@@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \
 exec su "${ca_user}" -c "$0"
 fi
-if [ -f "${key_dir}/${ca_name}.key.new" ] \
-&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
- if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.key" ] \
- || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
- mv "${key_dir}/${ca_name}.key"{.new,}
- mv "${key_dir}/${ca_name}.crt"{.new,}
+for ca in root signing; do
+ mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs'
+ chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private'
+ if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db'
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl'
 fi
-fi
+done
-if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
-|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
- openssl req -new \
- -newkey rsa:4096 -sha256 \
- -keyout "${key_dir}/${ca_name}.key.new" \
- -out "${key_dir}/${ca_name}.csr.new" \
- -nodes \
- -subj "${ca_subject_prefix}"'/CN=Certification Authority' \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- if [ -f "${key_dir}/${ca_name}.key" ]; then
- previous_key="${key_dir}/${ca_name}.key"
+if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
+ if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
+ || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
 else
- previous_key="${key_dir}/${ca_name}.key.new"
+ >&2 echo 'nothing to do: "old" root certificate is too new'
+ exit
 fi
- openssl req -x509 \
- -sha256 \
- -in "${key_dir}/${ca_name}.csr.new" \
- -key "${previous_key}" \
- -out "${key_dir}/${ca_name}.crt.new" \
- -days 365 -nodes \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'authorityKeyIdentifier = keyid:always, issuer' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- rm "${key_dir}/${ca_name}.csr.new"
 fi
+if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
+fi
+
+CA=root-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca -selfsign \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ -extensions root_ca_ext
+
+CA=signing-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ -extensions signing_ca_ext
+
+rm \
+ '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.csr'
+
 rsync --ignore-missing-args \
- "${key_dir}/${ca_name}.crt"{.new,} \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \
 "${remote_host}:${remote_dir}/"
 (
- cd "${key_dir}"
+ cd '#ETCDIR#/simple-pki/ca/'
 find . -maxdepth 1 \
- -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \
+ -type f \( \
+ -name root-ca.crt -o \
+ -name root-ca.crt.old \
+ \) \
 -printf '%TY-%Tm-%TdT%TT ' \
 -exec sha512sum {} \; \
 | sed '
-- cgit v1.2.3-54-g00ecf
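Review bot: The two `-keyout` lines overwrite `root-ca/private/root-ca.key` and `signing-ca/private/signing-ca.key` in place while the certificates they belong to are kept (and distributed via rsync) as `.old`, so after a roll-over the key matching `root-ca.crt.old` is gone and no CRL can be issued under the old root, nor can the old root sign anything else should that be wanted. Rolling the key together with the certificate keeps that option open: next to the `mv` of `root-ca.crt`, `mv '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key' '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key.old'` (guarded by `[ -f … ]` for the first run), and likewise for the signing CA. `chmod 700` covers only the `private` directories; the key files that `openssl req … -keyout` writes get whatever the process umask allows, so a `umask 077` before the first `openssl` call (or `chmod 600` on both key files afterwards) is worth adding. Whether `openssl req` prompts for a key passphrase here depends on `ca-ssl.conf`, which is not in this diff; if it does, the script cannot run unattended through the `exec su … -c "$0"` re-exec whose `if` opens before this hunk.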