From fef075f317533013664d9b890e3a7705b674b8dc Mon Sep 17 00:00:00 2001 From: B Stack Date: Mon, 10 Sep 2018 10:15:33 -0400 Subject: add OPENSSL_BIN and OPENSSL_CONF options these will support the subjectAltName extension coming soon Please enter the commit message for your changes. Lines starting --- .gitignore | 1 + files/certreq.sh | 41 ++++++++++++++++++++++++++++++----------- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/.gitignore b/.gitignore index fee9217..7eace93 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ *.conf +.*.swp diff --git a/files/certreq.sh b/files/certreq.sh index 5a21205..132c049 100755 --- a/files/certreq.sh +++ b/files/certreq.sh @@ -13,6 +13,7 @@ # 2018-06-19 Fix get number of ca cert # 2018-07-30 add error checking on the request and authorization # 2018-08-16 update error checking and exit codes +# 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values # Usage: in ansible role certreq # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template. # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a @@ -36,6 +37,8 @@ version ${certreqversion} --ca CA hostname or base URL. Example: ca2.example.com --reqid Request ID. Needed by --fetch action. --no-ca Skip downloading the CA cert chain. + --openssl-bin Use this binary for openssl. Default is "openssl" + --openssl-conf Use this config for openssl. Default is none. ACTIONS: --list list available templates and exit. --csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in. @@ -59,7 +62,7 @@ ENDUSAGE # DEFINE FUNCTIONS openssl_req() { - # call: openssl_req "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + # call: openssl_req "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}" # outputs: # vars: ${CSR} ${DATA} ${CERTATTRIB} # files: ${CERTREQ_WORKDIR}/${this_filename}.crt ${CERTREQ_WORKDIR}/${thisfilename}.key @@ -69,6 +72,8 @@ openssl_req() { local this_subject="${2}" local this_action="${3}" local this_csr="${4}" + local this_openssl_bin="${5}" + local this_openssl_config="${6}" debuglev 8 && echo "Action ${this_action}" case "${this_action}" in @@ -88,7 +93,7 @@ openssl_req() { esac ;; *) - openssl req -new -nodes \ + "${this_openssl_bin}" req ${this_openssl_config} -new -nodes \ -out "${CERTREQ_WORKDIR}/${this_filename}.csr" \ -keyout "${CERTREQ_WORKDIR}/${this_filename}.key" \ -subj "${this_subject}" @@ -246,18 +251,18 @@ get_latest_ca_cert_chain() { -H 'Content-Type: application/x-www-form-urlencoded' )" # CONVERT TO PEM - echo "${CURRENT_P7B}" | openssl pkcs7 -print_certs -out "${CERTREQ_TEMPFILE}" + echo "${CURRENT_P7B}" | "${CERTREQ_OPENSSL_BIN}" pkcs7 -print_certs -out "${CERTREQ_TEMPFILE}" # RENAME TO PROPER FILENAME # will read only the first cert, so get domain of issuer of it. - CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )" + CA_DOMAIN="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )" CHAIN_FILE="chain-${CA_DOMAIN}.crt" mv -f "${CERTREQ_TEMPFILE}" "${CERTREQ_WORKDIR}/${CHAIN_FILE}" 1>/dev/null 2>&1 } action_get_cert() { - # call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + # call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_config_string}" # outputs: # vars: ${curloutput} # files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and @@ -270,9 +275,11 @@ action_get_cert() { local this_ca_host="${5}" local this_action="${6}" local this_csr="${7}" + local this_openssl_bin="${8}" + local this_openssl_config="${9}" # GENERATE PRIVATE KEY - openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" + openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" "${this_openssl_bin}" "${this_openssl_config}" debuglev 8 && { echo "CSR=${CSR}" echo "DATA=${DATA}" @@ -315,7 +322,7 @@ action_get_cert() { } action_request() { - # call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + # call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}" debuglev 9 && ferror "$FUNCNAME $@" local this_cnparam="${1}" @@ -325,9 +332,11 @@ action_request() { local this_ca_host="${5}" local this_action="${6}" local this_csr="${7}" + local this_openssl_bin="${8}" + local this_openssl_config="${9}" # GENERATE PRIVATE KEY - openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" + openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" "${this_openssl_bin}" "${this_openssl_config}" debuglev 8 && { echo "CSR=${CSR}" echo "DATA=${DATA}" @@ -453,6 +462,8 @@ parseFlag() { "request" | "request-only" ) CERTREQ_ACTION="request";; "no-ca" | "noca" ) CERTREQ_SKIP_CACERTS=1;; "req" | "reqid" | "req-id" | "request" | "requestid" | "request-id" ) getval; CERTREQ_REQID="${tempval}";; + "openssl-bin" | "openssl" | "opensslbin" | "openssl-binary" | "opensslexec" | "openssl-exec" ) getval; CERTREQ_OPENSSL_BIN="${tempval}";; + "openssl-conf" | "opensslconf" | "openssl_conf" ) getval; CERTREQ_OPENSSL_CONF="${tempval}";; esac debuglev 10 && { test ${hasval} -eq 1 && ferror "flag: ${flag} = ${tempval}" || ferror "flag: ${flag}"; } @@ -546,6 +557,8 @@ define_if_new CERTREQ_CLEANUP_SEC 300 logfile="$( TMPDIR="${CERTREQ_WORKDIR}" mktemp -t tmp.XXXXXXXXXX )" CERTREQ_TEMPFILE="$( TMPDIR="${CERTREQ_WORKDIR}" mktemp -t tmp.XXXXXXXXXX )" define_if_new CERTREQ_ACTION "generate" +define_if_new CERTREQ_OPENSSL_BIN "openssl" +# no CERTREQ_OPENSSL_CONF defined by default. Just use the system default unless specified. # calculate the subject if test -n "${CERTREQ_CNPARAM}"; @@ -573,6 +586,12 @@ define_if_new CERTREQ_CA "http://ca2.ad.example.com" # generate cahost CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )" +# calculate openssl_conf string if necessary +if test -n "${CERTREQ_OPENSSL_CONF}" ; +then + CERTREQ_openssl_config="-config ${CERTREQ_OPENSSL_CONF}" +fi + ## REACT TO BEING A CRONJOB #if test ${is_cronjob} -eq 1; #then @@ -611,7 +630,7 @@ debuglev 5 && { request) # alias of "request-only" - action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}" ;; fetch) @@ -622,14 +641,14 @@ debuglev 5 && { *) # default action="generate" # also catches "generate-csr" - action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" + action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}" ;; esac # CHECK EVERYTHING failed=0 # start out with everything worked - openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" + openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" # 1 interaction with website failed: invalid login credentials or curl returned non-zero value if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ; -- cgit