Commit 31657c71 authored by ssrq's avatar ssrq

[type/__easy_rsa_cert] Implement certificate renewal

Functions that generate the Easy-RSA command lines to execute are split into a
separate script.
parent a3f7460e
# shellcheck shell=sh
if test -s "${__object:?}/parameter/common-name"
then
common_name=$(cat "${__object:?}/parameter/common-name")
else
common_name=${__object_id:?}
fi
cert_type=$(cat "${__object:?}/parameter/cert-type")
easyrsa_request_options() (
while read -r param option
do
test -s "${__object:?}/parameter/${param}" || continue
value=$(head -n 1 "${__object:?}/parameter/${param}")
printf '%s--%s=%s' "${i:+ }" "${option}" "$(quote "${value}")"
: $((i+=1))
done <"${__type:?}/files/param_mapping.txt"
printf '\n'
)
easyrsa_sign_options() (
if test -s "${__object:?}/parameter/cert-expiration-days"
then
value=$(head -n 1 "${__object:?}/parameter/cert-expiration-days")
# shellcheck disable=SC2234
if ! (test $((value > 0)) -gt 0) 2>&-
then
printf 'Invalid --cert-expiration-days: %s\n' "${value}" >&2
printf 'Value must be a positive integer.\n' >&2
exit 1
fi
printf '%s--%s=%s' '' 'days' "$(quote "${value}")"
fi
printf '\n'
)
easyrsa_base_cmd="./easyrsa --pki-dir=$(quote "${base_dir:?}/pki") --vars=$(quote "${base_dir:?}/vars") --batch"
cd_basedir_cmd() {
${cd_done:-false} || {
printf 'cd %s\n' "$(quote "${base_dir:?}")"
cd_done=true
}
}
easyrsa_gen_req_cmd() {
cd_basedir_cmd
printf '%s --req-cn=%s %s gen-req %s nopass\n' \
"${easyrsa_base_cmd}" \
"$(quote "${common_name}")" \
"$(easyrsa_request_options)" \
"$(quote "${__object_id:?}")"
}
easyrsa_sign_req_cmd() {
cd_basedir_cmd
printf '%s %s sign-req %s %s\n' \
"${easyrsa_base_cmd}" \
"$(easyrsa_sign_options)" \
"${cert_type:?}" \
"$(quote "${__object_id:?}")"
}
easyrsa_build_cmd() {
case ${state_is:?}
in
(absent)
easyrsa_gen_req_cmd
easyrsa_sign_req_cmd
;;
(unsigned)
easyrsa_sign_req_cmd
;;
esac
}
easyrsa_update_db_cmd() {
cd_basedir_cmd
printf '%s update-db\n' "${easyrsa_base_cmd}"
}
easyrsa_renew_cmd() {
cd_basedir_cmd
printf '%s %s %s renew %s nopass\n' \
"${easyrsa_base_cmd}" \
"$(easyrsa_request_options)" \
"$(easyrsa_sign_options)" \
"${__object_id:?}"
}
easyrsa_revoke_cmd() {
cd_basedir_cmd
printf '%s revoke %s \n' "${easyrsa_base_cmd}" "$(quote "${__object_id:?}")"
printf '%s gen-crl\n' "${easyrsa_base_cmd}"
}
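Review bot: `easyrsa_renew_cmd` passes `${__object_id:?}` into the generated command line bare, while `easyrsa_gen_req_cmd`, `easyrsa_sign_req_cmd` and `easyrsa_revoke_cmd` all wrap it as `$(quote "${__object_id:?}")`. The printed line is later executed as shell on the target, so an object id containing whitespace or shell metacharacters would be word-split or interpreted there instead of naming the certificate to renew. Change the last argument of the `printf` to `"$(quote "${__object_id:?}")"` so renew matches the other command builders. Separately, `easyrsa_sign_options` still validates `cert-expiration-days` through `$((value > 0))`; where `/bin/sh` is bash, arithmetic expansion evaluates array-subscript syntax in the value, so a digits-only pre-check such as `case ${value} in ''|*[!0-9]*) … exit 1 ;; esac` before the arithmetic would be safer than the `test` wrapped in a subshell.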
......@@ -27,13 +27,6 @@ base_dir=$(cat "${__object:?}/parameter/dir")
state_should=$(cat "${__object:?}/parameter/state")
state_is=$(cat "${__object:?}/explorer/state")
if test -s "${__object:?}/parameter/common-name"
then
common_name=$(cat "${__object:?}/parameter/common-name")
else
common_name=${__object_id:?}
fi
# Check validity of the supplied parameters
# shellcheck source=/dev/null
. "${__type:?}/files/check_parameter_validity.sh"
......@@ -41,18 +34,6 @@ fi
check_parameter_validity_digest
check_parameter_validity_usealgo
## Check required parameters for sanity
cert_type=$(cat "${__object:?}/parameter/cert-type")
case ${cert_type}
in
(server|client)
;; # These two are okay
(*)
echo 'cert-type should be either "server" or "client".' >&2
exit 1
;;
esac
# NOTE: The following block is a bit of a "hack" to work around the fact that
# requirements in cdist only work for code, but not for explorers. Due to
......@@ -75,61 +56,51 @@ then
state_is='absent'
fi
easyrsa_cmd="./easyrsa --pki-dir=$(quote "${base_dir}/pki") --vars=$(quote "${base_dir}/vars") --batch"
# shellcheck source=/dev/null
. "${__type:?}/files/easyrsa_cmds.sh"
case ${state_should}
in
(signed|valid)
if test "${state_is}" = 'valid' \
|| test "${state_should}" = 'signed' -a "${state_is}" = 'expired'
then
exit 0
fi
printf 'cd %s\n' "$(quote "${base_dir}")"
if test "${state_is}" = 'absent'
then
req_options=
while read -r param option
do
test -s "${__object:?}/parameter/${param}" || continue
value=$(head -n 1 "${__object:?}/parameter/${param}")
req_options="${req_options} --${option}=$(quote "${value}")"
done <"${__type:?}/files/param_mapping.txt"
unset param option value
printf '%s --req-cn=%s %s gen-req %s nopass\n' \
"${easyrsa_cmd}" "$(quote "${common_name}")" "${req_options# }" "$(quote "${__object_id:?}")"
fi
sign_options=
if test -s "${__object:?}/parameter/cert-expiration-days"
then
value=$(head -n 1 "${__object:?}/parameter/cert-expiration-days")
# shellcheck disable=SC2234
if ! (test $((value > 0)) -gt 0) 2>&-
then
printf 'Invalid --cert-expiration-days: %s\n' "${value}" >&2
printf 'Value must be a positive integer.\n' >&2
exit 1
fi
sign_options="${sign_options} --days=$(quote "${value}")"
fi
unset value
printf '%s %s sign-req %s %s\n' \
"${easyrsa_cmd}" "${sign_options# }" "${cert_type}" "$(quote "${__object_id:?}")"
(valid)
case ${state_is}
in
(absent|unsigned)
easyrsa_build_cmd
;;
(expired)
easyrsa_update_db_cmd
easyrsa_renew_cmd
;;
(valid)
# nothing to do
;;
esac
;;
(signed)
case ${state_is}
in
(absent|unsigned)
easyrsa_build_cmd
;;
(expired|valid)
# nothing to do
;;
esac
;;
(revoked)
if test "${state_is}" = 'absent'
then
exit 0
fi
printf 'cd %s\n' "$(quote "${base_dir}")"
printf '%s revoke %s \n' "${easyrsa_cmd}" "$(quote "${__object_id:?}")"
printf '%s gen-crl\n' "${easyrsa_cmd}"
case ${state_is}
in
(absent|unsigned)
# nothing to do
;;
(expired|valid)
easyrsa_revoke_cmd
;;
esac
;;
(*)
printf 'Invalid --state: %s\n' "${state_should}" >&2
printf 'Must be one of: valid, signed, revoked\n' >&2
exit 1
;;
esac
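Review bot: None of the three inner `case ${state_is}` blocks under `valid`, `signed` and `revoked` has a default arm, so any explorer value outside absent/unsigned/expired/valid — for instance partial or error output from the remote — now produces an empty code-remote and the object is reported as successfully applied with nothing done. The replaced code would at least have attempted a `sign-req` in that situation; the new structure silently drops it. Adding a default arm to each block, e.g. `(*) printf 'Unexpected certificate state: %s\n' "${state_is}" >&2; exit 1 ;;`, fails closed and surfaces the explorer problem instead of masking it.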
......@@ -48,6 +48,8 @@ state
the certificate has been created and signed by the CA.
valid
like signed, but will renew the certificate if it expired.
*NB:* Easy-RSA will also generate a new private key when renewing the
certificate.
revoked
either the certificate is no defined, or will be revoked.