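#!/bin/bash
# generate new ca certificates, roll over the old one(s)
#
# Optional settings are read from #ETCDIR#/simple-pki/ca.conf (sourced
# below):
#   ca_user          account that owns the CA tree; when started as anybody
#                    else the script re-executes itself as that user
#   ca_keep_duration minimum age in days of the published "old" root before
#                    the root CA is rolled over again
#   remote_host      ssh host the public root certificates are published to
#   remote_dir       directory on remote_host that receives them
#
# -e: stop at the first failing command (mv, openssl, rsync, ...).
# -o pipefail: a pipeline also fails when a non-final stage fails; with
#   plain -e only the last stage (the while loop / ssh) decides, so a broken
#   find or sha512sum would otherwise go unnoticed.
set -e -o pipefail
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  . '#ETCDIR#/simple-pki/ca.conf'
fi
# Run as the configured CA owner so that the new keys and databases are
# created under that account rather than root.
if [ -n "${ca_user}" ] \
&& [ "$(whoami)" != "${ca_user}" ]; then
  # the tree has to exist for chown -R; without this a first run as root
  # on a fresh system stops here before anything has been created
  mkdir -p -- '#ETCDIR#/simple-pki/ca'
  chown -R -- "${ca_user}" '#ETCDIR#/simple-pki/ca'
  # %q keeps the path of this script intact for the -c string even when it
  # contains whitespace or quotes; -s forces bash in case ca_user is a
  # service account with a non-interactive login shell.
  exec su -s /bin/bash "${ca_user}" -c "$(printf '%q' "$0")"
fi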
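# move_old_ca NAME
#
# Retire the CA called NAME so that a fresh one can be created under the
# same name:
#   NAME.crt                -> NAME.old.crt
#   NAME.old/               -> deleted (the previously retired CA, its
#                              private key included, is destroyed here)
#   NAME/                   -> NAME.old/
#   NAME.old/**/NAME.<ext>  -> NAME.old/**/NAME.old.<ext>
# so that the openssl config can address the retired CA's database, serial
# and key files under the ".old" name.
#
# Arguments: $1 - CA name, 'root-ca' or 'signing-ca'. Must be non-empty: an
#            empty name would rename '<ca>/.crt' and delete '<ca>/.old'.
# Globals:   none written
# Returns:   non-zero (aborts under set -e) when any step fails
move_old_ca() {
  local name base from to leaf
  name=${1:?move_old_ca: CA name required}
  base='#ETCDIR#/simple-pki/ca/'"${name}"
  mv -- "${base}.crt" "${base}.old.crt"
  # --one-file-system: never recurse into anything mounted below the
  # retired tree
  rm -rf --one-file-system -- "${base}.old"
  mv -- "${base}" "${base}.old"
  # Rename NAME.<ext> to NAME.old.<ext> inside the retired tree. The list is
  # NUL-delimited and the loop runs in this shell (process substitution), so
  # whitespace or other odd characters in a path cannot split a name.
  while IFS= read -r -d '' from; do
    leaf=${from##*/}
    # find guarantees the leaf starts with "NAME.", so what is left after
    # stripping NAME is the ".<ext>" part
    to="${from%/*}/${name}.old${leaf#"${name}"}"
    mv -- "${from}" "${to}"
  done < <(find "${base}.old" -type f -name "${name}.*" -print0)
}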
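# level_ground_for_new_ca NAME
#
# Create the empty working tree for a new CA called NAME:
#   NAME/db/       0755 - openssl index (NAME.db, NAME.db.attr) and the
#                         serial counters NAME.crt.srl / NAME.crl.srl
#   NAME/private/  0700 - the key is written here afterwards by openssl req
# The serial counters are carried over from NAME.old/db/NAME.old.<kind>.srl
# when a retired CA exists, so serial numbers keep increasing across a
# rollover; otherwise they start at 01.
#
# Arguments: $1 - CA name (non-empty; an empty name would build '<ca>//db')
# Globals:   none written (loop variables are local)
level_ground_for_new_ca() {
  local name base kind old new
  name=${1:?level_ground_for_new_ca: CA name required}
  base='#ETCDIR#/simple-pki/ca/'"${name}"
  install -d -m0755 -- "${base}/db"
  # private/ is the only place keys go; owner-only regardless of umask
  install -d -m0700 -- "${base}/private"
  touch -- "${base}/db/${name}.db" "${base}/db/${name}.db.attr"
  for kind in crl crt; do
    old='#ETCDIR#/simple-pki/ca/'"${name}.old/db/${name}.old.${kind}.srl"
    new="${base}/db/${name}.${kind}.srl"
    if [ -f "${old}" ]; then
      cp -- "${old}" "${new}"
    else
      printf '01\n' >"${new}"
    fi
  done
}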
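# --- main ------------------------------------------------------------------
# ca.conf is optional, but the values used below are not: check them before
# anything is moved, deleted or generated.
case "${ca_keep_duration}" in
  ''|*[!0-9]*)
    # an unset value would be taken as 0 by $(( )) and roll the root CA on
    # every run; a non-numeric one would be evaluated as an arithmetic
    # expression instead of being rejected
    printf '%s: ca_keep_duration must be a whole number of days (set it in ca.conf)\n' "$0" >&2
    exit 1
    ;;
esac
: "${remote_host:?must be set in ca.conf (ssh host that publishes the root certificates)}"
: "${remote_dir:?must be set in ca.conf (directory on remote_host; empty would publish into its root)}"

# Roll the root CA only when the published "old" root is at least
# ca_keep_duration days old. mv preserves mtime, so the mtime of
# root-ca.old.crt is the time that certificate was issued. When it is too
# young nothing happens at all - the signing CA is only re-issued together
# with a new root.
if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
  if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
  || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
    move_old_ca 'root-ca'
  else
    >&2 echo 'nothing to do: "old" root certificate is too new'
    exit
  fi
fi
level_ground_for_new_ca 'root-ca'
if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
  move_old_ca 'signing-ca'
fi
level_ground_for_new_ca 'signing-ca'

# Key + CSR for the new root, then a self-signed root certificate.
# CA and CA_TYPE are read by ca-ssl.conf (not visible here) to pick the
# section and paths for the CA being handled. The key lands in private/
# (0700); umask 077 additionally makes the key file itself owner-only for
# OpenSSL versions that leave -keyout at the caller's umask. Whether the key
# is passphrase-protected is decided by ca-ssl.conf, not here.
(
  umask 077
  CA=root-ca CA_TYPE='Root' openssl req -new \
    -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
    -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
    -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
)
CA=root-ca CA_TYPE='Root' openssl ca -batch -name root_ca -selfsign \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
  -extensions root_ca_ext
# Key + CSR for the new intermediate, signed by the new root.
(
  umask 077
  CA=signing-ca CA_TYPE='Intermediate' openssl req -new \
    -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
    -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
    -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
)
CA=root-ca CA_TYPE='Root' openssl ca -batch -name root_ca \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
  -extensions signing_ca_ext
rm -- \
  '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  '#ETCDIR#/simple-pki/ca/signing-ca.csr'

# Publish the public root certificate(s): the current one and, when there
# is one, the previous one. --ignore-missing-args skips root-ca.old.crt on
# the very first run.
rsync --ignore-missing-args \
  '#ETCDIR#/simple-pki/ca/root-ca'{,.old}'.crt' \
  "${remote_host}:${remote_dir}/"
# For each published file send "<mtime as ISO timestamp> <sha512> <name>"
# to the remote side. %TT carries fractional seconds and sha512sum prints
# "./name"; the sed strips both.
#
# Remote side (must be bash: ${f//./\\.} is a bashism): each file is
# archived as "<timestamp>.<name>" and its checksum appended to
# ./sha512sums. Before that, earlier "<ts>.<name>" archives whose notAfter
# is later than 30 days ago are deleted together with their checksum line,
# so the remote ends up with one current root, one previous root and every
# root that has been expired for more than 30 days; a still-valid root older
# than the previous one is dropped so it can no longer be picked up as a
# trust anchor. NOTE(review): confirm that retention is the intended one -
# it reads inverted at first sight.
# remote_dir is %q-quoted so a directory name containing whitespace or
# quotes cannot break out of the remote cd.
(
  cd '#ETCDIR#/simple-pki/ca/'
  find . -maxdepth 1 \
    -type f \( \
    -name root-ca.crt -o \
    -name root-ca.old.crt \
    \) \
    -printf '%TY-%Tm-%TdT%TT ' \
    -exec sha512sum {} \; \
  | sed '
s/\.[0-9]\+ / /
s@\s\s\+\(\S\+/\)\?@ @
'
) \
| ssh "${remote_host}" '
cd '"$(printf '%q' "${remote_dir}")"'
while read -r time sum file; do
  for f in ????-??-??T??\:??\:??".${file}"; do
    [ -f "${f}" ] || continue
    if [ $(date -d"$(openssl x509 -noout -enddate -in "${f}" | cut -d= -f2)" +%s) -ge $(($(date +%s)-24*60*60*30)) ]; then
      rm "${f}"
      sed -i '"'"'
/^[0-9a-f]\{128\} '"'"'"${f//./\\.}"'"'"'$/d
'"'"' sha512sums
    fi
  done
  mv "${file}" "${time}.${file}"
  printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
    >> sha512sums
done
'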