diff options
Diffstat (limited to 'files')
-rwxr-xr-x | files/certreq.sh | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/files/certreq.sh b/files/certreq.sh index 5093f5d..bacdf75 100755 --- a/files/certreq.sh +++ b/files/certreq.sh @@ -11,13 +11,14 @@ # 2018-04-16 Add --list and --csr options # 2018-05-07 Add actions for using a CA with manually-approved certs # 2018-06-19 Fix get number of ca cert +# 2018-07-30 add error check for "Denied" messages # Usage: in ansible role certreq # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template. # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a # fundamental curl statements https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983 # Improve: fiversion="2017-10-10x" -certreqversion="2018-06-19a" +certreqversion="2018-07-30a" usage() { less -F >&2 <<ENDUSAGE @@ -46,6 +47,7 @@ Return values under 1000: A non-zero value is the sum of the items listed here: 4 Return code of curl statement that saves cert file is non-zero 8 Cert file does not contain whole certificate 16 Cert does not contain an issuer +32 Request denied. Return values above 1000: 1001 Help or version info displayed 1002 Count or type of flaglessvals is incorrect @@ -63,6 +65,7 @@ openssl_req() { # outputs: # vars: ${CSR} ${DATA} ${CERTATTRIB} # files: ${CERTREQ_WORKDIR}/${this_filename}.crt ${CERTREQ_WORKDIR}/${thisfilename}.key + debuglev 9 && ferror "$FUNCNAME $@" local this_filename="${1}" local this_subject="${2}" @@ -104,6 +107,7 @@ openssl_req() { submit_csr() { # call: submit_csr "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CSR}" "${CERTATTRIB}" "${CERTREQ_ACTION}" # outputs: ${CERTLINK} + debuglev 9 && ferror "$FUNCNAME $@" local this_user_string="${1}" local this_ca="${2}" @@ -116,7 +120,7 @@ submit_csr() { request) # request-only - REQUESTID="$( curl -k -u "${this_user_string}" --ntlm \ + FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \ "${this_ca}/certsrv/certfnsh.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ -H 'Accept-Encoding: gzip, deflate' \ @@ -126,12 +130,13 @@ submit_csr() { -H "Referer: ${this_ca}/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' \ - --data "Mode=newreq&CertRequest=${this_cert}&CertAttrib=${this_cert_attrib}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" | grep "' nReqId" | awk -F'= ' '{print $2}' | sed -e 's/\r//g' )" + --data "Mode=newreq&CertRequest=${this_cert}&CertAttrib=${this_cert_attrib}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" )" + REQUESTID="$( echo "${FULLPAGE}" | grep "' nReqId" | awk -F'= ' '{print $2}' | sed -e 's/\r//g' )" CERTLINK="${CERTREQ_CA}/certsrv/certnew.cer?ReqID=${REQUESTID}" - ;; *) + # get cert FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \ "${this_ca}/certsrv/certfnsh.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ @@ -149,6 +154,8 @@ submit_csr() { esac + DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*\"" )" + } fetch_signed_cert() { @@ -156,6 +163,7 @@ fetch_signed_cert() { # output: # vars: ${finaloutput} # files: ${CERTREQ_WORKDIR}/${this_filename}.crt + debuglev 9 && ferror "$FUNCNAME $@" local this_user_string="${1}" local this_ca="${2}" @@ -195,6 +203,7 @@ fetch_signed_cert() { get_number_of_current_ca_cert() { # call: get_number_of_current_ca_cert "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" # outputs: ${CURRENTNUM} + debuglev 9 && ferror "$FUNCNAME $@" local this_user_string="${1}" local this_ca="${2}" @@ -218,6 +227,7 @@ get_latest_ca_cert_chain() { # call: get_latest_ca_cert_chain "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CURRENTNUM}" # outputs: # files: ${CHAIN_FILE} + debuglev 9 && ferror "$FUNCNAME $@" local this_user_string="${1}" local this_ca="${2}" @@ -251,6 +261,7 @@ action_get_cert() { # outputs: # vars: ${finaloutput} # files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and + debuglev 9 && ferror "$FUNCNAME $@" local this_cnparam="${1}" local this_subject="${2}" @@ -274,6 +285,7 @@ action_get_cert() { echo "FULLPAGE=${FULLPAGE}" echo "OUTPUTLINK=${OUTPUTLINK}" echo "CERTLINK=${CERTLINK}" + echo "DISPOSITION=${DISPOSITION}" } # FETCH SIGNED CERTIFICATE @@ -303,6 +315,7 @@ action_get_cert() { action_request() { # call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + debuglev 9 && ferror "$FUNCNAME $@" local this_cnparam="${1}" local this_subject="${2}" @@ -326,12 +339,14 @@ action_request() { echo "FULLPAGE=${FULLPAGE}" echo "OUTPUTLINK=${OUTPUTLINK}" echo "CERTLINK=${CERTLINK}" + echo "DISPOSITION=${DISPOSITION}" } } action_fetch() { # call: action_fetch "${CERTREQ_CNPARAM}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_REQID}" + debuglev 9 && ferror "$FUNCNAME $@" local this_cnparam="${1}" local this_user_string="${2}" @@ -366,6 +381,7 @@ action_fetch() { action_list_templates() { # call: action_list_templates "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" + debuglev 9 && ferror "$FUNCNAME $@" local this_user_string="${1}" local this_ca="${2}" @@ -605,6 +621,7 @@ debuglev 5 && { # default action="generate" # also catches "generate-csr" action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + # CHECK EVERYTHING failed=0 openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" @@ -614,6 +631,7 @@ debuglev 5 && { grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" || failed=$(( failed + 8 )) #echo "${openssloutput}" | grep -qE "subject.*${CERTREQ_SUBJECT}" || failed=$(( failed + 16 )) echo "${openssloutput}" | grep -qE "issuer.*" || failed=$(( failed + 16 )) + echo "${DISPOSITION}" | grep -qiE 'denied' && failed=$(( failed + 32 )) ;; esac @@ -632,6 +650,8 @@ case "${CERTREQ_ACTION}" in echo "csr: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.csr" echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key" echo "reqid: ${REQUESTID}" + echo "disposition: ${DISPOSITION}" + echo "rc: ${failed}" ;; fetch) @@ -639,6 +659,7 @@ case "${CERTREQ_ACTION}" in echo "logfile: ${logfile}" echo "certificate: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}" + echo "rc: ${failed}" ;; generate*) @@ -649,6 +670,8 @@ case "${CERTREQ_ACTION}" in echo "certificate: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key" ! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}" + echo "disposition: ${DISPOSITION}" + echo "rc: ${failed}" ;; |