Merge branch 'TinCanTech-tls-key-system-v1'
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Aug 18, 2024
2 parents 788c2ed + 07f8c0d commit 7cf1f1e
Showing 3 changed files with 214 additions and 46 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
Note: Command inline only writes directly to inline file not stdout.
* easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
* easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
* sign-req: Require 128bit serial number (806ee19) (#1213)
* Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
74 changes: 74 additions & 0 deletions dev/easyrsa-tools.lib
Expand Up @@ -11,6 +11,80 @@ fi
# Set tools version
export EASYRSA_TOOLS_VERSION=321

# Verify OpenVPN binary
verify_openvpn() {
# Try to find openvpn
set_var EASYRSA_OPENVPN "$(which openvpn)"
if [ -f "$EASYRSA_OPENVPN" ]; then
verbose "verify_openvpn - $EASYRSA_OPENVPN"
else
user_error "Cannot find an OpenVPN binary."
fi
} # => verify_openvpn()

# OpenVPN TLS Auth/Crypt Key
tls_key_gen() {
case "$1" in
tls-auth)
tls_key_type=TLS-AUTH
;;
tls-crypt)
tls_key_type=TLS-CRYPT
;;
tls-crypt-v2)
print "Unavailable."
cleanup
;;
*)
die "Unknown key type: '$1'"
esac
tls_key_file="$EASYRSA_PKI/private/easyrsa-tls.key"

# Forbid overwrite
if [ -f "$tls_key_file" ]; then
tls_key_data="$(cat "$tls_key_file")"
case "$tls_key_data" in
*'TLS-AUTH'*)
tls_key_type=TLS-AUTH
;;
*'TLS-CRYPT'*)
tls_key_type=TLS-CRYPT
;;
*)
tls_key_type=UNKNOWN
esac

user_error "\
Cannot overwrite existing $tls_key_type Key:
* $tls_key_file
If this file is changed then it MUST be redistributed to ALL servers
AND clients, to be in effect. Do NOT change the existing file."
fi

verify_openvpn

tls_key_tmp=
easyrsa_mktemp tls_key_tmp || \
die "tls_key_gen - easyrsa_mktemp tls_key_tmp"

# Generate TLS Key
"$EASYRSA_OPENVPN" --genkey "$1" "$tls_key_tmp" || \
die "tls_key_gen - --genkey $tls_key_type FAIL"

# Insert type label
{
print "# Easy-RSA $tls_key_type Key"
cat "$tls_key_tmp"
} > "$tls_key_file" || \
die "tls_key_gen - Insert type label FAIL"

notice "\
$tls_key_type Key generated at:
* $tls_key_file"
verbose "tls_key_gen: openvpn --genkey $tls_key_type OK"
} # => tls_key_gen()

# Get certificate start date
# shellcheck disable=2317 # Unreach - ssl_cert_not_before_date()
ssl_cert_not_before_date() {
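Review bot: The overwrite guard in tls_key_gen reads the entire existing secret key into `tls_key_data` via `cat` only to pick a label, which keeps private key material in a shell variable (and would print it under `set -x`); `grep -q` on the file gives the same classification without capturing it, e.g. `if grep -q 'TLS-AUTH' "$tls_key_file"; then tls_key_type=TLS-AUTH` followed by an `elif` for TLS-CRYPT and an `else` for UNKNOWN. In verify_openvpn, `$(which openvpn)` is non-portable and its output goes straight into the `-f` test; `command -v openvpn` is the POSIX form, and checking with `-x` rather than `-f` would reject a non-executable file before `--genkey` is attempted. As far as I know the `"$EASYRSA_OPENVPN" --genkey "$1" "$tls_key_tmp"` form only exists in OpenVPN 2.5 and later, while older releases take `--genkey --secret FILE`, so on those a failure surfaces only as the generic `--genkey ... FAIL` message; a version note in the function header would help. The file written at `> "$tls_key_file"` inherits the process umask and `tls_key_tmp` is not removed in this function; presumably the script's umask setting and easyrsa_mktemp's cleanup cover both, but that is worth confirming since this is a private key.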
