Diffstat (limited to 'files/certreq.sh')
-rwxr-xr-xfiles/certreq.sh31
1 files changed, 27 insertions, 4 deletions
diff --git a/files/certreq.sh b/files/certreq.sh
index 5093f5d..bacdf75 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -11,13 +11,14 @@
# 2018-04-16 Add --list and --csr options
# 2018-05-07 Add actions for using a CA with manually-approved certs
# 2018-06-19 Fix get number of ca cert
+# 2018-07-30 add error check for "Denied" messages
# Usage: in ansible role certreq
# Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
# Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
# fundamental curl statements https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983
# Improve:
fiversion="2017-10-10x"
-certreqversion="2018-06-19a"
+certreqversion="2018-07-30a"
usage() {
less -F >&2 <<ENDUSAGE
@@ -46,6 +47,7 @@ Return values under 1000: A non-zero value is the sum of the items listed here:
4 Return code of curl statement that saves cert file is non-zero
8 Cert file does not contain whole certificate
16 Cert does not contain an issuer
+32 Request denied.
Return values above 1000:
1001 Help or version info displayed
1002 Count or type of flaglessvals is incorrect
@@ -63,6 +65,7 @@ openssl_req() {
# outputs:
# vars: ${CSR} ${DATA} ${CERTATTRIB}
# files: ${CERTREQ_WORKDIR}/${this_filename}.crt ${CERTREQ_WORKDIR}/${thisfilename}.key
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_filename="${1}"
local this_subject="${2}"
@@ -104,6 +107,7 @@ openssl_req() {
submit_csr() {
# call: submit_csr "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CSR}" "${CERTATTRIB}" "${CERTREQ_ACTION}"
# outputs: ${CERTLINK}
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_user_string="${1}"
local this_ca="${2}"
@@ -116,7 +120,7 @@ submit_csr() {
request)
# request-only
- REQUESTID="$( curl -k -u "${this_user_string}" --ntlm \
+ FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \
"${this_ca}/certsrv/certfnsh.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Encoding: gzip, deflate' \
@@ -126,12 +130,13 @@ submit_csr() {
-H "Referer: ${this_ca}/certsrv/certrqxt.asp" \
-H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
-H 'Content-Type: application/x-www-form-urlencoded' \
- --data "Mode=newreq&CertRequest=${this_cert}&CertAttrib=${this_cert_attrib}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" | grep "' nReqId" | awk -F'= ' '{print $2}' | sed -e 's/\r//g' )"
+ --data "Mode=newreq&CertRequest=${this_cert}&CertAttrib=${this_cert_attrib}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" )"
+ REQUESTID="$( echo "${FULLPAGE}" | grep "' nReqId" | awk -F'= ' '{print $2}' | sed -e 's/\r//g' )"
CERTLINK="${CERTREQ_CA}/certsrv/certnew.cer?ReqID=${REQUESTID}"
-
;;
*)
+ # get cert
FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \
"${this_ca}/certsrv/certfnsh.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
@@ -149,6 +154,8 @@ submit_csr() {
esac
+ DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*\"" )"
+
}
fetch_signed_cert() {
@@ -156,6 +163,7 @@ fetch_signed_cert() {
# output:
# vars: ${finaloutput}
# files: ${CERTREQ_WORKDIR}/${this_filename}.crt
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_user_string="${1}"
local this_ca="${2}"
@@ -195,6 +203,7 @@ fetch_signed_cert() {
get_number_of_current_ca_cert() {
# call: get_number_of_current_ca_cert "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}"
# outputs: ${CURRENTNUM}
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_user_string="${1}"
local this_ca="${2}"
@@ -218,6 +227,7 @@ get_latest_ca_cert_chain() {
# call: get_latest_ca_cert_chain "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CURRENTNUM}"
# outputs:
# files: ${CHAIN_FILE}
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_user_string="${1}"
local this_ca="${2}"
@@ -251,6 +261,7 @@ action_get_cert() {
# outputs:
# vars: ${finaloutput}
# files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_cnparam="${1}"
local this_subject="${2}"
@@ -274,6 +285,7 @@ action_get_cert() {
echo "FULLPAGE=${FULLPAGE}"
echo "OUTPUTLINK=${OUTPUTLINK}"
echo "CERTLINK=${CERTLINK}"
+ echo "DISPOSITION=${DISPOSITION}"
}
# FETCH SIGNED CERTIFICATE
@@ -303,6 +315,7 @@ action_get_cert() {
action_request() {
# call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_cnparam="${1}"
local this_subject="${2}"
@@ -326,12 +339,14 @@ action_request() {
echo "FULLPAGE=${FULLPAGE}"
echo "OUTPUTLINK=${OUTPUTLINK}"
echo "CERTLINK=${CERTLINK}"
+ echo "DISPOSITION=${DISPOSITION}"
}
}
action_fetch() {
# call: action_fetch "${CERTREQ_CNPARAM}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_REQID}"
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_cnparam="${1}"
local this_user_string="${2}"
@@ -366,6 +381,7 @@ action_fetch() {
action_list_templates() {
# call: action_list_templates "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}"
+ debuglev 9 && ferror "$FUNCNAME $@"
local this_user_string="${1}"
local this_ca="${2}"
@@ -605,6 +621,7 @@ debuglev 5 && {
# default action="generate"
# also catches "generate-csr"
action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+
# CHECK EVERYTHING
failed=0
openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
@@ -614,6 +631,7 @@ debuglev 5 && {
grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" || failed=$(( failed + 8 ))
#echo "${openssloutput}" | grep -qE "subject.*${CERTREQ_SUBJECT}" || failed=$(( failed + 16 ))
echo "${openssloutput}" | grep -qE "issuer.*" || failed=$(( failed + 16 ))
+ echo "${DISPOSITION}" | grep -qiE 'denied' && failed=$(( failed + 32 ))
;;
esac
@@ -632,6 +650,8 @@ case "${CERTREQ_ACTION}" in
echo "csr: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.csr"
echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key"
echo "reqid: ${REQUESTID}"
+ echo "disposition: ${DISPOSITION}"
+ echo "rc: ${failed}"
;;
fetch)
@@ -639,6 +659,7 @@ case "${CERTREQ_ACTION}" in
echo "logfile: ${logfile}"
echo "certificate: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt"
! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}"
+ echo "rc: ${failed}"
;;
generate*)
@@ -649,6 +670,8 @@ case "${CERTREQ_ACTION}" in
echo "certificate: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt"
echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key"
! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}"
+ echo "disposition: ${DISPOSITION}"
+ echo "rc: ${failed}"
;;
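Review bot: The `debuglev 9 && ferror "$FUNCNAME $@"` trace added to submit_csr prints every positional parameter, and the call comment directly above it shows the first one is `"${CERTREQ_USER}:${CERTREQ_PASS}"`, so at debug level 9 the CA password is written to stderr and to anything that captures it; the same line is added to fetch_signed_cert, get_number_of_current_ca_cert, get_latest_ca_cert_chain, action_get_cert, action_request, action_fetch and action_list_templates, whose call comments all carry the same user string (openssl_req takes only a filename and subject). Redact it at the trace point, assuming CERTREQ_PASS is the global the call comments reference: `debuglev 9 && ferror "${FUNCNAME} ${*//"${CERTREQ_PASS}"/****}"` (quoting the pattern keeps glob characters in the password literal, and an empty pattern replaces nothing). Independently, the unquoted `$@` should be `"$@"` or `$*` so arguments containing spaces or glob characters are not re-split before logging. In the `request` branch a denied submission presumably returns no `' nReqId` line, leaving REQUESTID empty and `CERTLINK` ending in `ReqID=`; guarding that assignment with `[[ -n "${REQUESTID}" ]]` would avoid reporting a bogus link next to the new `disposition:` output. submit_csr's body continues outside the hunk.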