/[pdpsoft]/nl.nikhef.pdp.tcs/nl.nikhef.pdp.tcs.tcsg4-tools/trunk/tcsg4-install-servercert.sh
Revision 3283 - (show annotations) (download) (as text)
Tue May 12 11:55:53 2020 UTC (2 years, 1 month ago) by davidg
File MIME type: application/x-shellscript
File size: 7070 byte(s)
Add initial version of the TCSG4 conversion tools for PKCS12 and PKCS7

1 #! /bin/sh
2 #
3 # @(#)$Id$
4 # rev 2
5 #
6 # TCS G4 server certificate format management tool for POSIX systems:
7 # unpacks the Sectigo PKCS#7 (.p7b) bundle into the end-entity certificate,
8 # the CA chain, and a concatenated cert+chain file for nginx
9 #
10 # Requirements: sh, awk, sed, openssl, date, mktemp, ls, cat, rm,
11 # mkdir, rmdir, mv, basename, grep, chmod
12 #
13 #
# Run-wide defaults; the option parser below may override each of them.
destdir=.                        # -d: directory the result files go to
DATE=$(date +%Y%m%d-%H%M%S)      # stamp embedded in backup filenames
progname=$(basename "$0")
bckprefix=backup                 # -b: backup filename prefix; "" (-f) disables backups
makecsr=0                        # not referenced anywhere else in this listing
nameformat=friendly              # -r / -x / -R: how result files are named
certfn=                          # filled in once the EEC commonName is known
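# ############################################################################
# usage help and instructions
#
# Prints the usage text to stdout and returns 0.  The synopsis now lists
# every option the parser accepts (-x/--no-rename and -h were missing) and
# names the files actually produced: cert-<name>.pem, chain-<name>.pem and
# the concatenated nginx-<name>.pem.  The earlier text promised Globus
# usercert/userkey symlinks; no code in this script creates them, so that
# claim has been dropped.
help() { cat <<EOF
Usage: tcsg4-install-servercert.sh [-d destdir] [-r|-x|-R] [-f]
       [-b backupprefix] [-h] <PKCS7.p7b>

  -d destdir        write result files to <destdir> (created if missing):
                    cert-<name>.pem, chain-<name>.pem and the concatenated
                    nginx-<name>.pem
  -r, --rename      use EEC commonName as basis for new filenames (default)
  -x, --no-rename   use the base filename of the P7B file for new filenames
  -R, --rename-with-date
                    use EEC commonName and date as basis for filenames
  -f, --force       do not make backups of existing files
  -b bckprefix      prefix of the filename to use when making backups
  -h, --help        show this help and exit

  <PKCS7.p7b>       filename of the DER-encoded blob produced by Sectigo

EOF
  return
}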
43
44 # ############################################################################
45 #
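# Command-line parsing.  Options are consumed until the first non-option
# word (or "--"); exactly one positional argument, the P7B file, must remain.
while [ $# -gt 0 ]; do
  case "$1" in
    -r | --rename ) nameformat="friendly"; shift 1 ;;
    -x | --no-rename ) nameformat=""; shift 1 ;;
    -R | --rename-with-date ) nameformat="dated"; shift 1 ;;
    -f | --force ) bckprefix=""; shift 1 ;;
    -h | --help ) help ; exit 0 ;;
    -b | --backupprefix )
      # an option that takes a value must actually have one: with a bare
      # trailing "-b" the unconditional "shift 2" fails, $1 stays "-b" and
      # under bash this loop never terminates
      if [ $# -lt 2 ]; then echo "Option $1 requires an argument" >&2; exit 1; fi
      bckprefix="$2"; shift 2 ;;
    -d | --destination )
      if [ $# -lt 2 ]; then echo "Option $1 requires an argument" >&2; exit 1; fi
      destdir="$2"; shift 2 ;;
    -- ) shift 1; break ;;   # conventional end-of-options marker
    -* ) echo "Unknown option $1, exiting" >&2 ; exit 1 ;;
    * ) break ;;
  esac
done

# "break" is not valid outside a loop (bash warns on stderr), so the single
# positional argument is simply assigned here
case $# in
  0 ) help ; exit 0 ;;
  1 ) pkfile="$1" ;;
  * ) echo "Too many arguments." >&2 ; exit 1 ;;
esac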
65
66 # ############################################################################
67 # input validation
68 #
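if [ ! -r "$pkfile" ]; then echo "Cannot read $pkfile" >&2; exit 1; fi

# $credbase is the P7B filename without directory and extension; it seeds
# every intermediate and result filename, so it is always used quoted below.
# The input is a PKCS#7 bundle (the openssl call later uses "pkcs7"), so the
# rejection message names PKCS#7 rather than PKCS#12.
case "$pkfile" in
  *.p7b ) credbase=$(basename "$pkfile" .p7b) ;;
  * ) echo "Unlikely PKCS#7 file (expected a .p7b extension): $pkfile" >&2 ; exit 2 ;;
esac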
75
76 # ############################################################################
77 # extraction of Sectigo blob of p7b
78 #
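# Scratch directory is created relative to the current directory (hence the
# "here" in the message), with a random mktemp suffix.
tempdir=$(mktemp -d tcsg4unpack.XXXXXX)

if [ ! -d "$tempdir" ]; then
  echo "Error creating temporary working directory here" >&2
  exit 1
fi

# Report an extraction failure and exit with the given status.  The scratch
# directory is removed first: every exit path used to leave it (and whatever
# partial output it held) behind.  $tempdir is always a fresh mktemp result,
# so the recursive remove only touches what this run created.
fail_extract() {
  echo "Error: cannot extract data from PKCS7 file $pkfile" >&2
  echo " $1" >&2
  rm -rf -- "${tempdir:?}"
  exit "$2"
}

# A .p7b from Sectigo carries no private key and no passphrase; if openssl
# fails here the blob is most likely not DER PKCS#7 at all.
openssl pkcs7 -inform der -in "$pkfile" -print_certs \
  -out "$tempdir/p7b-$credbase.pem" \
  || fail_extract "input is not a DER-encoded PKCS#7 blob?" 3

if [ ! -s "$tempdir/p7b-$credbase.pem" ]; then
  fail_extract "resulting direct-rendered p7b file not found" 4
fi

if [ "$(grep -c CERTIFICATE "$tempdir/p7b-$credbase.pem")" -eq 0 ]; then
  fail_extract "resulting p7b file has no certificate material" 4
fi

# Split the PEM dump into one cert-<n>-<base>.pem file per certificate.
# $tempdir and $credbase are handed to awk with -v instead of being spliced
# into the program text, so a filename containing quotes cannot alter the
# awk code.  A truncated blob (BEGIN without END) ends the loop instead of
# spinning forever on getline's EOF return.
awk -v dir="$tempdir" -v base="$credbase" '
  BEGIN { icert = 0; }
  /^-----BEGIN CERTIFICATE-----$/ {
    icert++;
    out = dir "/cert-" icert "-" base ".pem";
    print $0 > out;
    do {
      if ((getline ln) <= 0) break;
      print ln > out;
    } while ( ln != "-----END CERTIFICATE-----" );
    close(out);
  }
' "$tempdir/p7b-$credbase.pem"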
119
120 # ############################################################################
121 # generate per-certificate and key output files
122 #
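if [ ! -d "$destdir" ]; then
  mkdir -p "$destdir" || {
    echo "Error: cannot create destination directory $destdir" >&2
    rm -rf -- "${tempdir:?}"
    exit 1
  }
fi

# Walk the split certificates: the end-entity certificate (CA:FALSE) becomes
# cert-<base>.pem, every usable intermediate (CA:TRUE) is appended to
# chain-<base>.pem; self-signed roots and known-useless intermediates are
# skipped.  Backups of pre-existing files are made only when $bckprefix is
# non-empty (-f clears it); previously the EEC file was always moved aside,
# even with -f, ending up as a hidden ".<date>.cert-*.pem".
havewrittenchain=0
for i in "$tempdir"/cert-*-"$credbase".pem
do
  # subject and issuer CN from the one-line rendering; the sed patterns are
  # kept verbatim, they also restrict the characters a CN may contribute to
  # a filename
  certcn=$(openssl x509 -noout -subject -nameopt oneline,sep_comma_plus \
             -in "$i" | \
           sed -e 's/.*CN = \([a-zA-Z0-9\._][- a-zA-Z0-9:\._@]*\).*/\1/')
  issuercn=$(openssl x509 -noout -issuer -nameopt oneline,sep_comma_plus \
             -in "$i" | \
           sed -e 's/.*CN = \([a-zA-Z0-9\._][- a-zA-Z0-9:\._@]*\).*/\1/')

  # "Not Before: May 12 11:55:53 2020 GMT" -> "12 May 2020"
  certdate=$(openssl x509 -noout -text -in "$i" | \
             awk '/ Not Before:/ { print $4,$3,$6; }')
  # 1 when the basic constraints say CA:TRUE, else 0
  certisca=$(openssl x509 -noout -text -in "$i" | \
             awk 'BEGIN { ca=0; }
                  /CA:FALSE/ { ca=0; } /CA:TRUE/ { ca=1; }
                  END {print ca;}')

  # self-signed (root) certificates, and anything chained to the retired
  # AddTrust cross-root, are never written out
  if [ "$certcn" = "$issuercn" ] || [ "$issuercn" = "AddTrust External CA Root" ]
  then
    continue
  fi

  # these CAs as intermediate subjects are known useless
  case "$certcn" in
    "AAA Certificate Services" ) continue ;;
    "USERTrust RSA Certification Authority" ) continue ;;
    * ) ;;
  esac

  if [ "$certisca" -eq 0 ]; then
    # EEC: derive the filename stems used by the rename step
    certfn=$(printf '%s\n' "$certcn" | sed -e 's/[^-a-zA-Z0-9_\.]/_/g')
    certfndated=$(printf '%s\n' "$certcn issued $certdate" | \
                  sed -e 's/[^-a-zA-Z0-9_]/_/g')
    echo "Processing EEC certificate: $certcn"
    friendlyname="${friendlyname:-$certcn issued $certdate}"
    echo " (friendly name: $friendlyname)"

    if [ -f "$destdir/cert-$credbase.pem" ] && [ -n "$bckprefix" ]; then
      mv "$destdir/cert-$credbase.pem" \
         "$destdir/$bckprefix.$DATE.cert-$credbase.pem"
    fi
    cat "$i" > "$destdir/cert-$credbase.pem"
  else
    echo "Processing CA certificate: $certcn"
    if [ "$havewrittenchain" -eq 0 ]; then
      if [ -f "$destdir/chain-$credbase.pem" ] && [ -n "$bckprefix" ]; then
        mv "$destdir/chain-$credbase.pem" \
           "$destdir/$bckprefix.$DATE.chain-$credbase.pem"
      fi
      havewrittenchain=1
      # truncate the chain file; "echo -ne" is not portable under /bin/sh
      # (dash's echo has no -e and would write "-ne" into the file)
      : > "$destdir/chain-$credbase.pem"
    fi
    cat "$i" >> "$destdir/chain-$credbase.pem"
  fi

done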
184
185 # ############################################################################
186 # cleanup intermate files and name output properly
187 #
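# Remove the split certificates and the PEM dump, then the (now empty)
# scratch directory.  $credbase is quoted so a base name with spaces or glob
# characters cannot widen the rm beyond this run's own files.
rm "$tempdir"/cert-*-"$credbase".pem
rm "$tempdir/p7b-$credbase.pem"
if ! rmdir "$tempdir"; then
  echo "Error: cannot remove working directory $tempdir" >&2
  echo " internal inconsistency or prior error encountered" >&2
fi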
195
196 # rename, if so required
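# Rename cert-<base>.pem / chain-<base>.pem to the requested naming scheme.
# With -x ($nameformat empty) the files keep the P7B base name.
if [ -n "$nameformat" ]; then
  case "$nameformat" in
    friendly ) certfn="${certfn:-$credbase}" ;;
    dated )    certfn="${certfndated:-$credbase}" ;;
    * ) echo "Unknown filename format, error" >&2 ; exit 2 ;;
  esac
  # Nothing to do when the derived name equals the base name (e.g. no EEC
  # was found and $certfn fell back to $credbase): "mv x x" only errors.
  if [ "$certfn" != "$credbase" ]; then
    for kind in cert chain; do
      [ -f "$destdir/$kind-$credbase.pem" ] || continue
      # The backup logic in the loop above only protects the <base>-named
      # files, but the rename overwrites the <certfn>-named ones, which is
      # where a previous run's output actually lives: back those up too
      # unless backups were disabled with -f.
      if [ -f "$destdir/$kind-$certfn.pem" ] && [ -n "$bckprefix" ]; then
        mv "$destdir/$kind-$certfn.pem" \
           "$destdir/$bckprefix.$DATE.$kind-$certfn.pem"
      fi
      mv "$destdir/$kind-$credbase.pem" "$destdir/$kind-$certfn.pem"
    done
  fi
else
  certfn="$credbase"
fi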
211
212 # ############################################################################
213 # create the nginx compatible single file: cert+chain concatenated
214 #
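# Write the nginx-style bundle (certificate followed by the chain) only when
# the certificate exists, so a run that found no EEC does not leave an empty
# nginx-<name>.pem behind.  The chain is optional: a bundle without
# intermediates simply yields a bundle holding the certificate alone.
if [ -s "$destdir/cert-$certfn.pem" ]; then
  cat "$destdir/cert-$certfn.pem" > "$destdir/nginx-$certfn.pem"
  if [ -f "$destdir/chain-$certfn.pem" ]; then
    cat "$destdir/chain-$certfn.pem" >> "$destdir/nginx-$certfn.pem"
  fi
else
  echo "Warning: no certificate file $destdir/cert-$certfn.pem, not writing nginx bundle" >&2
fi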
217
218 # ############################################################################
219 # inform user of result and of globus compatibility
220 #
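# List the result files that exist (cert, chain and the nginx bundle).
# printf replaces "echo -ne": under dash's echo the flags print literally.
echo "The following files have been created for you:"
for f in "$destdir/cert-$certfn.pem" "$destdir/chain-$certfn.pem" \
         "$destdir/nginx-$certfn.pem"; do
  if [ -f "$f" ]; then
    printf ' '
    ls -l1a "$f"
  fi
done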
224
225 #
226 #
227 # ############################################################################

Properties

Name Value
svn:executable *
