mk-ovpn2

#!/bin/bash
if [ -z "$BASH_VERSION" ];then exec bash "$0" "$@";else set +o posix;fi

set -e
umask 077
export OPENSSL_CONF=/dev/null
[ "$CERT_DIR" = "" ] && [ "$1" != "" ] && [ -d "$1" ] && CERT_DIR="$1"
CERT_DIR="${CERT_DIR:-certs}"

CONF_DIR="$CERT_DIR-conf"
TMP=/tmp/ca_tmp.$$
trap 'rm -rf "$TMP"' 0 1 2

[ -d "$CERT_DIR" ] || { echo >&2 ERROR: Certificate directory missing ; exit 1;}

build_files() {
rm -rf "$TMP"
mkdir "$TMP"
mkdir -p "$CONF_DIR"

SERVERCOUNT=0
SERVERNAME=
SERVEROU=

rm -f "$TMP"/clients.CA-list.pem "$TMP"/servers.CA-list.pem ||:

# Add all the server CA certificates.
for cert in "$CERT_DIR"/*.crt
do
    CN="$(basename "$cert" .crt)"
    echo >&2 Checking "$CN"
    fetch_pems "$CN" >&2
    [ -s "$TMP"/client.ca ] || continue

    save_certs "$CN"
    restore_certs "$CN"

    SUSAGE=$(openssl x509 -purpose -noout -in "$TMP"/client.crt 2>/dev/null |
	    grep -q 'SSL server *: *Yes' &&
	echo yes || echo no)

    CUSAGE=$(openssl x509 -purpose -noout -in "$TMP"/client.crt 2>/dev/null |
	    grep -q 'SSL client *: *Yes' &&
	echo yes || echo no)

    [ "$SUSAGE" = yes ] &&
	SUSAGE=$(openssl verify -check_ss_sig -purpose sslserver \
		-CAfile "$TMP"/client.ca "$TMP"/client.crt 2>&1 | grep -iq ^error &&
	    echo no || echo yes)

    [ "$CUSAGE" = yes ] &&
	CUSAGE=$(openssl verify -check_ss_sig -purpose sslclient \
	    -CAfile "$TMP"/client.ca "$TMP"/client.crt 2>&1 | grep -iq ^error &&
	echo no || echo yes)

    DESC="$(openssl x509 -subject -issuer -in "$TMP"/client.crt)"

    case "$CUSAGE$SUSAGE" in
    yesyes )
	case "$DESC" in
	*lient* ) touch "$TMP"/type.client."$CN".flg ;;
	*erver* ) touch "$TMP"/type.server."$CN".flg ;;
	* ) touch "$TMP"/type.client."$CN".flg ;;
	esac
	;;
    yesno ) touch "$TMP"/type.client."$CN".flg ;;
    noyes ) touch "$TMP"/type.server."$CN".flg ;;
    * )
	 openssl verify -check_ss_sig -purpose sslserver \
                -CAfile "$TMP"/client.ca "$TMP"/client.crt >&2 ||:
	 echo >&2 "ERROR: Skipped $CN, unusable certificate."
	 continue
	 ;;
    esac

    # Dup check
    ISSU="$(openssl x509 -issuer_hash -noout < "$TMP"/client.crt 2>/dev/null)"
    CAPUB="$(openssl x509 -pubkey -noout < "$TMP"/client.ca 2>/dev/null |
		openssl md5 | awk '{print $NF;}' )"

    [ -f "$TMP"/type.server."$CN".flg ] && {

	SERVERCOUNT=$((SERVERCOUNT+1))
	SERVERNAME="$(openssl x509 -noout -in "$TMP"/client.crt \
	    -subject -nameopt multiline | sed -n 's/ *commonName *= //p')"

	OU="$(openssl x509 -noout -in "$TMP"/client.crt -subject \
	    -nameopt multiline | sed -n 's/ *organizationalUnitName *= //p')"

	# If they have a common (simple) OU
	if [ "$SERVERCOUNT" = 1 ]
	then SERVEROU="$OU"
	else [ "$OU" != "$SERVEROU" ] && SERVEROU=""
	fi
	[ "$(echo "$OU" | wc -l)" != 1 ] && SERVEROU=""

	[ -f "$TMP/dup.server.$ISSU.$CAPUB.flg" ] || {

	    touch "$TMP/dup.server.$ISSU.flg"
	    touch "$TMP/dup.server.$ISSU.$CAPUB.flg"
	    openssl x509 -subject -serial -dates -in "$TMP"/client.ca >> "$TMP"/servers.CA-list.pem
	}
    }

    [ -f "$TMP"/type.client."$CN".flg ] && {
	[ -f "$TMP/dup.client.$ISSU.$CAPUB.flg" ] || {
	    touch "$TMP/dup.client.$ISSU.flg"
	    touch "$TMP/dup.client.$ISSU.$CAPUB.flg"
	    {
		openssl x509 -subject -serial -dates -in "$TMP"/client.ca
		echo
	    } >> "$TMP"/clients.CA-list.pem
	}
    }
done

[ -s "$TMP"/servers.CA-list.pem ] || {
    echo >&2 ERROR: No servers have been defined.
    exit 1
}

[ -s "$TMP"/clients.CA-list.pem ] || {
    echo >&2 ERROR: No clients have been defined.
    exit 1
}

FLG=1
for file in "$CERT_DIR"/*pattern*.ovpn
do
    if [ -f "$file" ]
    then tfile="$(basename "$file")"
	 tfile="${tfile/pattern/$CN}"
    else continue
    fi
    FLG=0
done

[ "$FLG" = 0 ] || {
    echo >&2 ERROR: No ovpn pattern files defined.
    exit 1
}

# Protect the TLS handshake from s-kiddies.
[ -f "$CERT_DIR"/tls-crypt.pvk ] ||
    openvpn --genkey --secret "$CERT_DIR"/tls-crypt.pvk

# For all the client CA certificates
for cert in "$CERT_DIR"/*.crt
do
    CN="$(basename "$cert" .crt)"
    [ "$CN" = "*" ] && continue
    [ -f "$TMP"/type.client."$CN".flg ] || continue

    echo Client "$CN"
    restore_certs "$CN"
    [ -s "$TMP"/client.ca ] || continue

    CLIENTNAME="$(openssl x509 -noout -in "$TMP"/client.crt \
	-subject -nameopt multiline | sed -n 's/ *commonName *= //p')"

    [ "$CLIENTNAME" != "$CN" ] &&
	echo "WARNING: Certificate common name is '$CLIENTNAME'"

    ISSU="$(openssl x509 -issuer_hash -noout < "$TMP"/client.crt 2>/dev/null)"
    [ -f "$TMP/dup.server.$ISSU.flg" ] &&
	echo WARNING: This client has the same CA as a server.

    for file in "$CERT_DIR"/*pattern*.ovpn
    do
	if [ -f "$file" ]
	then tfile="$(basename "$file")"
	     tfile="${tfile/pattern/$CN}"
	else continue
	fi

	{
	    echo "# Name: $CN"
	    cat "$file"
	    echo

	    # Stop the deamon whinging.
	    # This has NO security effect as the CAs are unique.
	    # (Even if the clients are the same OU)
	    if [ "$SERVERCOUNT" -eq 1 ] && [ "$SERVERNAME" != "" ]
	    then
		# Not on 2.4.1 Windows, ENABLE_X509ALTUSERNAME missing
		# echo x509-username-field CN
		echo "verify-x509-name '$SERVERNAME' name"
	    elif [ "$SERVEROU" != "" ]
	    then
		echo x509-username-field OU
		echo "verify-x509-name '$SERVEROU' name"
	    fi
	    echo

	    [ -s "$CERT_DIR"/tls-crypt.pvk ] && {
		if ! grep -q tls-auth "$file"
		then
		    echo '<tls-crypt>'
		    cat "$CERT_DIR"/tls-crypt.pvk
		    echo '</tls-crypt>'
		fi
	    }

	    echo '<cert>'
	    openssl x509 -subject -serial -dates -in "$TMP"/client.crt
	    echo '</cert>'

	    echo '<key>'
	    openssl pkey -in "$TMP"/client.key
	    echo '</key>'

	    echo '<ca>'
	    cat "$TMP"/servers.CA-list.pem
	    echo '</ca>'

	} | sed 's/$/
/' > "$TMP"/"$tfile"

	try_file "$CONF_DIR" "$tfile"
    done

    rm -f "$TMP"/client.key "$TMP"/client.crt ||:
done

# Copy all the certificates and keys for the servers.
for cert in "$CERT_DIR"/*.crt
do
    CN="$(basename "$cert" .crt)"
    [ -f "$TMP"/type.server."$CN".flg ] || continue

    echo "Server $CN"
    restore_certs "$CN"
    [ -s "$TMP"/client.ca ] || continue

    ISSU="$(openssl x509 -issuer_hash -noout < "$TMP"/client.crt 2>/dev/null)"
    [ -f "$TMP/dup.client.$ISSU.flg" ] &&
	echo WARNING: This server has the same CA as a client.

    openssl x509 -subject -serial -dates -in "$TMP"/client.crt > "$TMP"/"$CN".crt
    openssl pkey -in "$TMP"/client.key > "$TMP"/"$CN".key

    cp -p "$TMP"/clients.CA-list.pem "$TMP"/"$CN".ca-list.pem

    cp -p "$CERT_DIR"/tls-crypt.pvk "$TMP"/"$CN".tls-crypt.pvk

    try_file "$CONF_DIR" "$CN".crt
    try_file "$CONF_DIR" "$CN".key
    try_file "$CONF_DIR" "$CN".ca-list.pem
    try_file "$CONF_DIR" "$CN".tls-crypt.pvk

    [ -f "$CERT_DIR"/dhparam.pem ] && {
	cp -p "$CERT_DIR"/dhparam.pem "$TMP"/"$CN".dhparam.pem
	try_file "$CONF_DIR" "$CN".dhparam.pem
    }
done
}

fetch_pems() {
    CN="$1"
    # This checks the certificates and allows us to put them anywhere

    rm -f "$TMP"/client.key "$TMP"/client.crt "$TMP"/client.ca \
	"$TMP"/client.pfx "$TMP"/client.pem "$TMP"/client.ca.pem

    touch "$TMP"/client.crt "$TMP"/client.key
    for i in "$CERT_DIR"/"$CN".key "$CERT_DIR"/"$CN".crt "$CERT_DIR"/"$CN".pem "$CERT_DIR"/"$CN".ca.crt "$CERT_DIR"/"$CN".ca.cer
    do
	[ -s "$i" ] || continue
	[ -s "$TMP"/client.crt ] || {
	    openssl x509 -in "$i" > "$TMP"/client.crt 2>/dev/null ||:
	}
	[ -s "$TMP"/client.key ] || {
	    openssl pkey -in "$i" > "$TMP"/client.key 2>/dev/null ||:
	}

	cat "$i" >> "$TMP"/client.ca.pem
    done

    [ -s "$CERT_DIR"/ca.crt ] && cat "$CERT_DIR"/ca.crt >> "$TMP"/client.ca.pem
    [ -s "$CERT_DIR"/ca.pem ] && cat "$CERT_DIR"/ca.pem >> "$TMP"/client.ca.pem
    for i in "$CERT_DIR"/*[-.]ca.*
    do [ -s "$i" ] && cat "$i" >> "$TMP"/client.ca.pem
    done

    CERTPUB="$(openssl x509 -pubkey -noout -in "$TMP"/client.crt 2>/dev/null ||:)"
    if [ "$CERTPUB" = '' ]
    then echo "ERROR: Skipped $CN, no certificate."
	 rm -f "$TMP"/client.pfx "$TMP"/client.pem "$TMP"/client.ca.pem
	 rm -f "$TMP"/client.crt "$TMP"/client.ca "$TMP"/client.key
         return
    fi

    PKEYPUB="$(openssl pkey -pubout -in "$TMP"/client.key 2>/dev/null ||:)"
    if [ "$CERTPUB" != "$PKEYPUB" ]
    then echo "ERROR: Skipped $CN, public keys don't match"
	 rm -f "$TMP"/client.pfx "$TMP"/client.pem "$TMP"/client.ca.pem
	 rm -f "$TMP"/client.crt "$TMP"/client.ca "$TMP"/client.key
         return
    fi

    ISSU="$(openssl x509 -issuer_hash -noout -in "$TMP"/client.crt 2>/dev/null ||:)"
    SUBJ="#"

    k=0
    while :
    do  ((k+=1))
        awk -v k=$k '/^-----BEGIN/ && k>1 {k--;next;} /^-----BEGIN/&& k {disp=1;} disp{print;} /^-----END/&&disp{disp=0;k=0;}' \
	    < "$TMP"/client.ca.pem > "$TMP"/client.ca

        [ -s "$TMP"/client.ca ] || break

	SUBJ="$(openssl x509 -subject_hash -noout < "$TMP"/client.ca 2>/dev/null ||:)"

	[ "$SUBJ" == "$ISSU" ] && break
    done

    rm -f "$TMP"/client.pem "$TMP"/client.ca.pem

    # Check them.
    SUBJ="$(openssl x509 -subject_hash -noout < "$TMP"/client.ca 2>/dev/null ||:)"
    # CASER="$(openssl x509 -serial -noout < "$TMP"/client.ca 2>/dev/null ||:)"

    if [ "$SUBJ" != "$ISSU" ]
    then echo "ERROR: Skipped $CN, issuer not found"
	 rm -f "$TMP"/client.crt "$TMP"/client.ca "$TMP"/client.key
         return 0
    fi
    return 0
}

save_certs() {
    CN="$1"
    mv "$TMP"/client.crt "$TMP"/saved."$CN".crt
    mv "$TMP"/client.key "$TMP"/saved."$CN".key
    mv "$TMP"/client.ca "$TMP"/saved."$CN".ca
}

restore_certs() {
    CN="$1"
    rm -f "$TMP"/client.key "$TMP"/client.crt "$TMP"/client.ca "$TMP"/client.pfx "$TMP"/client.pem "$TMP"/client.ca.pem
    cp "$TMP"/saved."$CN".crt "$TMP"/client.crt
    cp "$TMP"/saved."$CN".key "$TMP"/client.key
    cp "$TMP"/saved."$CN".ca "$TMP"/client.ca
}

try_file() {
    [ ! -s "$1"/"$2" ] &&
	cp -p "$TMP"/"$2" "$1"/"$2"
    if ! cmp -s "$TMP"/"$2" "$1"/"$2"
    then cp -p "$TMP"/"$2" "$1"/"$2"
    fi
    [ -f "$TMP"/"$2" ] && rm "$TMP"/"$2"
}

build_files