functions

#!/usr/bin/env bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Derek Moore <derek@ripple.com>
# Christian Göttsche <cgzones@googlemail.com>

export TZ=
# Binaries copied during install
export BINARIES_ROOT="
create-signing-ca
create-server
create-client
create-csr
create-codesign
sign-csr
sign-ssh
revoke-cert
import-ca
functions
show-status
gen-html
update-crl
make-client-ovpn
list-expiring-certs
"

export TEMPLATES_ROOT="
clients.tpl
server.tpl
signing.tpl
codesign.tpl
root_index.tpl
sign_index.tpl
"

export BINARIES_SIGN="
create-signing-ca
create-server
create-client
create-csr
create-codesign
sign-csr
sign-ssh
revoke-cert
import-ca
functions
show-status
gen-html
update-crl
make-client-ovpn
list-expiring-certs
"

export TEMPLATES_SIGN="
clients.tpl
server.tpl
sign_index.tpl
signing.tpl
codesign.tpl
"

# Output highlighting

NOTE="\033[35;1m[*]\033[0m"
SUCC="\033[32;1m[!]\033[0m"
INPUT="\033[36;1m[>]\033[0m"
ERR="\033[31;1m[!]\033[0m"

# Configuration file variables in openssl config that need to be set even if
# not used, otherwise openssl will error out on reading it.
export SAN=""

fullpath() {
    cd "$(dirname "$1")" || exit 2
    echo "$PWD/$(basename "$1")"
}

##
## template TEMPLATE_FILE DESTINATION_FILE
##
## Performs variable interpolation on TEMPLATE_FILE and copies
## the result to DESTINATION_FILE. All strings in TEMPLATE_FILE
## that match {{CA_*}} will be replaced with the contents of the
## environment variable with the same name.
##
template() {
    local REGEX=""
    for VAR in ${!CA_*}; do
        REGEX="${REGEX}s#{{\s*${VAR}\s*}}#${!VAR}#g; "
    done
    sed -e "${REGEX}" < "$1" > "$2"
}


##
## init_ca_home CA_PATH
##
## Initializes a CA directory skeleton at PATH
##
init_ca_home() {
    CA_HOME="$1"

    # Ensure we're initializing an empty directory
    if [ -d "${CA_HOME}" ]; then
        echo -e "$ERR Directory '${CA_HOME}' already exists, exiting."
        exit 1
    fi

    if ! mkdir -p "${CA_HOME}"; then
        echo -e "$ERR Unable to create directory '${CA_HOME}', exiting."
        exit 1
    fi

    echo -e "$NOTE Initializing CA home"

    pushd "${CA_HOME}" > /dev/null

    # Create top-level CA structure
    mkdir ca
    mkdir ca/archive
    touch ca/archive/.keep
    mkdir ca/crl
    touch ca/crl/.keep
    mkdir ca/db
    mkdir ca/private

    mkdir bin
    mkdir certs
    mkdir certs/clients
    mkdir certs/server
    mkdir certs/codesign

    # Create empty databases
    touch ca/db/certificate.db
    touch ca/db/certificate.db.attr
    echo 01 > ca/db/crt.srl
    echo 01 > ca/db/crl.srl

    popd > /dev/null
}

##
## generate_conf CONF
##
## Generate the ca.conf for new root and signing CAs
##
generate_conf() {
    DEST="$1"

    SURE=`ask "$INPUT Enable PKCS11 Engine for this CA? [y/N]: " CA_USE_PKCS11 "N"`
    if [ "$SURE" == "y" ] || [ "$SURE" == "Y" ]; then
        CA_ENABLE_ENGINE=1
    else
        CA_ENABLE_ENGINE=
    fi

    CA_NAME=`ask "$INPUT Short label for new CA [${CA_NAME}]: " CA_NAME_DEFAULT "$CA_NAME"`
    CA_NAME="$(echo "$CA_NAME" | sed 's/[^A-Za-z0-9-]/-/g')"

    CA_DOMAIN=`ask "$INPUT Domain name for new CA [${CA_DOMAIN}]: " CA_DOMAIN_DEFAULT "$CA_DOMAIN"`
    if [ -z "${CA_DOMAIN}" ]; then
        echo -e "$ERR Domain is required." >&2
        exit 1
    fi

    echo >&2
    echo -e "$SUCC CRL URL will be https://${CA_DOMAIN}/ca/${CA_NAME}.crl" >&2
    echo >&2

    CA_CERT_C=`ask "$INPUT Country code for new certificates [${CA_CERT_C}]: " CA_CERT_C_DEFAULT "${CA_CERT_C}"`
    CA_CERT_ST=`ask "$INPUT State for new certificates [${CA_CERT_ST}]: " CA_CERT_ST_DEFAULT "${CA_CERT_ST}"`
    CA_CERT_L=`ask "$INPUT City for new certificates [${CA_CERT_L}]: " CA_CERT_L_DEFAULT "${CA_CERT_L}"`
    CA_CERT_O=`ask "$INPUT Organization for new certificates [${CA_CERT_O}]: " CA_CERT_O_DEFAULT "${CA_CERT_O}"`
    CA_CERT_OU=`ask "$INPUT Organization unit for new certificates [${CA_CERT_OU}]: " CA_CERT_OU_DEFAULT "${CA_CERT_OU}"`

    # Place all CA_* vars into defaults.conf, except CA_DIR and CA_HOME that should be calculated dynamically
    { echo ${!CA_*} | xargs -n1 | grep -v '^CA_DIR\|CA_HOME$' | for word in $(cat -) ; do echo "$word=\"${!word:-}\"" ; done ; }  > "${DEST}"
    echo 'export CA_DIR="$(readlink -f "$(dirname -- "${BASH_SOURCE[0]}")/..")"' >> "${DEST}"
    echo 'CA_HOME="${CA_DIR}"' >> "${DEST}"
}
generate_conf_import() {
    DEST="$1"
    local CRT="$2"

    CA_NAME=`ask "$INPUT Short label for new CA [${CA_NAME}]: " CA_NAME_DEFAULT "$CA_NAME"`
    CA_NAME="$(echo "$CA_NAME" | sed 's/[^A-Za-z0-9-]/-/g')"

    CA_DOMAIN=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *commonName *= //p')
    if [ -z "${CA_DOMAIN}" ]; then
        echo -e "$ERR Domain is required." >&2
        exit 1
    fi
    echo >&2
    echo -e "$SUCC CRL URL will be https://${CA_DOMAIN}/ca/${CA_NAME}.crl" >&2
    echo >&2

    export CA_CERT_CN="$CA_DOMAIN"

    echo -e "$SUCC Common name for new certificates:         ${CA_DOMAIN}" >&2
    CA_CERT_C=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *countryName *= //p')
    echo -e "$SUCC Country code for new certificates:        ${CA_CERT_C}" >&2
    CA_CERT_ST=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *stateOrProvinceName *= //p')
    echo -e "$SUCC State code for new certificates:          ${CA_CERT_ST}" >&2
    CA_CERT_L=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *localityName *= //p')
    echo -e "$SUCC City for new certificates:                ${CA_CERT_L}" >&2
    CA_CERT_O=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *organizationName *= //p')
    echo -e "$SUCC Organization for new certificates:        ${CA_CERT_O}" >&2
    CA_CERT_OU=$(openssl x509 -in "$CRT" -noout -subject -nameopt multiline | sed -n 's/ *organizationalUnitName *= //p')
    echo -e "$SUCC Organizational Unit for new certificates: ${CA_CERT_OU}" >&2

    echo >&2

    { echo ${!CA_*} | for word in $(cat -) ; do echo "$word=\"${!word:-}\"" ; done ; }  > "${DEST}"
}

##
## Ask a question if variable not defined
## Usage: [-s] question env_variable default_value
##    -s begining of allowing read opts
ask(){
    if [ "$1" == "-s" ]; then
        local readopts=-s
        shift 1
    else
        local readopts=
    fi
    local question="$1"
    local variable="$2"
    local default="$3"
    if [ -n "$variable" ] && [ -n "${!variable+x}" ] ; then
        echo -e "$NOTE Using $variable from environment: ${!variable}" >&2
        echo "${!variable}"
        return
    fi
    echo -e -n "$question" >&2
    read -r $readopts REPLY
    if [ -n "${default}" ] && [ -z "${REPLY:-}" ]; then
        echo -e "$NOTE Using default: $default" >&2
        echo "$default"
    else
        echo "$REPLY"
    fi
}
##
## ask_server_cert_quesetions
##
## Ask questions to fill a server certifcate
##
ask_server_cert_questions() {
    #CA_CERT_C=`ask "$INPUT Country code for new certificates [${CA_CERT_C}]: " CA_SERVER_CERT_C "${CA_CERT_C}"`
    CA_CERT_ST=`ask "$INPUT State for new certificates [${CA_CERT_ST}]: " CA_SERVER_CERT_ST "${CA_CERT_ST}"`
    CA_CERT_L=`ask "$INPUT City for new certificates [${CA_CERT_L}]: " CA_SERVER_CERT_L "${CA_CERT_L}"`
    #CA_CERT_O=`ask "$INPUT Organization for new certificates [${CA_CERT_O}]: " SERVER_CERT_O "${CA_CERT_O}"`
    CA_CERT_OU=`ask "$INPUT Organization unit for new certificates [${CA_CERT_OU}]: " CA_SERVER_CERT_OU "${CA_CERT_OU}"`
}

##
## ask_client_cert_quesetions
##
## Ask questions to fill a client certifcate
##
ask_client_cert_questions() {
    #CA_CERT_C=`ask "$INPUT Country code for new certificates [${CA_CERT_C}]: " CLIENT_CERT_C "${CA_CERT_C}"`
    #CA_CERT_ST=`ask "$INPUT State for new certificates [${CA_CERT_ST}]: " CLIENT_CERT_ST "${CA_CERT_ST}"`
    CA_CERT_L=`ask "$INPUT City for new certificates [${CA_CERT_L}]: " CA_CLIENT_CERT_L "${CA_CERT_L}"`
    #CA_CERT_O=`ask "$INPUT Organization for new certificates [${CA_CERT_O}]: " CLIENT_CERT_O "${CA_CERT_O}"`
    CA_CERT_OU=`ask "$INPUT Organization unit for new certificates [${CA_CERT_OU}]: " CA_CLIENT_CERT_OU "${CA_CERT_OU}"`
    CA_CERT_MAIL=`ask "$INPUT Email Address (name@fqdn) for new certificates [${CA_CERT_MAIL}]: " CA_CLIENT_CERT_MAIL "${CA_CERT_MAIL}"`
    if [ -z "${CA_CERT_MAIL}" ]; then
        echo -e "$ERR No email address supplied, exiting." >&2
        exit 1
    fi
}

##
## ask_pass_twice_verify
##
## Ask for a pass twice for verification, and validate length to be at least 4
##
function ask_pass_twice_verify(){
    local question="$1"
    local variable="$2"
    local default="${3-}"
    local pass1=
    local pass2=
    while true; do
        pass1=`ask -s "$INPUT $question " "$variable" "$default"`
        echo >&2
        # Do a quick exit if we are to use the variable value
        if [ -n "${!variable+x}" ] ; then
            # ask would have already informed the user
            echo "${pass1}"
            return
        fi
        if [[ ${#pass1} -lt 4 ]]; then
            echo -e "$ERR Passphrase is too short, please use at least 4 characters!" >&2
            continue
        fi
        pass2=`ask -s "$INPUT Verifying - $question " "$variable" "$default"`
        echo >&2
        if [ "$pass1" == "$pass2" ]; then
            echo "$pass1"
            return 0
        fi
        echo -e "$ERR Passwords did not match" >&2
    done
}

##
## ask_pass_once
##
## Ask for a pass once, and validate length to be at least 4
##
function ask_pass_once(){
    local question="$1"
    local variable="$2"
    local default="${3-}"
    local pass=
    while true; do
        pass=`ask -s "$INPUT $question " "$variable" "$default"`
        # Do a quick exit if we are to use the variable value
        if [ -n "${!variable+x}" ] ; then
            # ask would have already informed the user
            echo "${pass}"
            return
        fi
        echo >&2
        if [[ ${#pass} -lt 4 ]]; then
            echo -e "$ERR Passphrase is too short, please use at least 4 characters!" >&2
            continue
        fi
        echo "$pass"
        return 0
    done
}

function generate_key(){
    local KEYPATH=$1
    echo -e "$NOTE Creating the key (${CA_KEY_ALG} with ${CA_KEY_LENGTH_ROOTCA} bits)" >&2
    openssl genrsa -out $KEYPATH -"${CA_KEY_ALG}" -passout env:CA_PASS "${CA_KEY_LENGTH_ROOTCA}"
    chmod 0400 $KEYPATH
}
function extract_pubkey(){
    local CRTPATH=$1
    local PUBPATH=$2
    local PASS_ARG="-passin env:CA_PASS"
    if [ -z "${CA_PASS-}" ]; then
      PASS_ARG=
    fi
    openssl x509 -in $CRTPATH -pubkey -noout $PASS_ARG > $PUBPATH
}
function generate_pubkey(){
    local KEYPATH=$1
    local PUBPATH=$2
    local PASS_ARG="-passin env:CA_PASS"
    if [ -z "${CA_PASS-}" ]; then
      PASS_ARG=
    fi
    openssl rsa -in $KEYPATH -pubout -out $PUBPATH $PASS_ARG
}
function generate_pubkey_pkcs11(){
    local KEYPATH=$1
    local PUBPATH=$2
    local PASS_ARG="-passin env:CA_PASS"
    if [ -z "${CA_PASS-}" ]; then
      PASS_ARG=
    fi
    echo -e "$NOTE key should already exist via pkcs11 engine." >&2
    openssl rsa -engine pkcs11 -inform engine \
                -in $KEYPATH -pubout -out $PUBPATH $PASS_ARG
}

function generate_pubkey_ssh(){
    local PUBPATH=$1
    local SSHPUBPATH=$2
    local NAME=$3
    echo -e "$NOTE Creating SSH pub ($SSHPUBPATH)" >&2
    echo -e "$NOTE Example in sshd_config: TrustedUserCAKeys ca.ssh.pub" >&2

    ssh-keygen -f $PUBPATH -i -mPKCS8 \
            | awk "{printf \$0;print \" $NAME\"}" > $SSHPUBPATH
    ssh-keygen -lvf $SSHPUBPATH
}
##
## PKCS11 support functions, currently hard coded to support yubikeys using ykman
##
function init_slot(){
    local SLOT=$1
    local PUB=$2
    local SLOTPKCS=$3
    local SURE=`ask "$INPUT Do you wish to create a new key in slot $SLOT? [y/N]: " CA_INIT_SLOT_SURE ""`
    if [ "${SURE}" == "y" ] || [ "${SURE}" == "Y" ]; then
        ykman piv generate-key "$SLOT" "$PUB"
        # This cert is to make PKCS11 happy.
        # Should replace this with the proper cert later in the process.
        ykman piv generate-certificate "$SLOT" "$PUB" -s 'bootstrap'
    else
        generate_pubkey_pkcs11 "$SLOTPKCS" "$PUB"
    fi
}
function replace_crt(){
    local SLOT=$1
    local CERT=$2
    local SURE=`ask "$INPUT Do you wish to upload this cert to $SLOT? [y/N]: " CA_REPLACE_SLOT_SURE ""`
    if [ "${SURE}" == "y" ] || [ "${SURE}" == "Y" ]; then
        ykman piv import-certificate "$SLOT" "$CERT"
    fi
}
function extract_crt(){
    local SLOT=$1
    local CERT=$2
    ykman piv export-certificate "$SLOT" "$CERT"
}
function init_engine(){
    echo -e "$NOTE THIS WILL RESET YOUR YUBIKEY USING YKMAN" >&2
    echo -e "$NOTE Run 'ykman piv reset' on your own to set PIN/PUK/management keys properly." >&2
    local SURE=`ask "$INPUT Do you wish to reset your device? [y/N]: " CA_INIT_ENGINE_SURE ""`
    if [ "${SURE}" == "y" ] || [ "${SURE}" == "Y" ]; then
        ykman piv reset
    fi
}
#function openssl_engine() {
    #[ -z $ENABLE_ENGINE ] || echo "engine dynamic -pre \"SO_PATH:${cfg_file_engine_pkcs11}\" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre \"MODULE_PATH:${cfg_file_opensc_pkcs11}\" ${ENGINE_VERBOSE:+"-pre VERBOSE"}"
#}