Introduce inline-tls-crypt-v2-group-server

Signed-off-by: Richard T Bonhomme <[email protected]>

easytls

@@ -4011,19 +4011,247 @@ inline_tls_crypt_v2 ()
 	easytls_verbose
 } # => inline_tls_crypt_v2 ()
 
-#
+# Inline TLS-Crypt-V2 Group Server Key with X509 Certificate
 inline_tls_crypt_v2_group_server ()
 {
-	#
-	:
-}
+	[ $# -ge 2 ] || \
+		die "Required option(s): <server_common_name> <server_group_key>"
 
-#
+	name="${1}"
+	file_name_stub="${1}-gs"
+	shift
+
+	group_key="${1}"
+	shift
+
+	cmd_opts=""
+	while [ -n "${1}" ]; do
+		case "${1}" in
+			add-dh) cmd_opts="${cmd_opts} add-dh" ;;
+			no-key) cmd_opts="${cmd_opts} no-key" ;;
+			no-md) no_metadata=1 ;;
+			add-hw) add_hardware=1 ;;
+			*) warn "Ignoring unknown command option: '${1}'" ;;
+		esac
+		shift
+	done
+
+	cert_file="${EASYRSA_PKI}/issued/${name}.crt"
+	[ $EASYTLS_NO_CA ] && cert_file="${EASYTLS_PKI}/${name}.crt"
+	[ -f "${cert_file}" ] || missing_file "${cert_file}"
+
+	# Cert purpose
+	verify_cert_purpose "${cert_file}" cert_purpose || {
+		error_msg "verify_cert_purpose failed"
+		return 1
+		}
+
+	# Set file names
+	tlskey_file="${EASYTLS_PKI}/${group_key}-grp-srv-tls-crypt-v2.key"
+	inline_file="${EASYTLS_PKI}/${file_name_stub}.inline"
+	inline_temp="${EASYTLS_PKI}/${file_name_stub}.temp"
+	inline_base="${EASYTLS_PKI}/${file_name_stub}.base"
+	metadata_file="${EASYTLS_MD_DIR}/${group_key}-grp-srv-tls-crypt-v2.metadata"
+	fpr_file="${EASYTLS_PKI}/${name}.fpr"
+
+	sub_name="${name}-${TLSKEY_SUBNAME}"
+	[ "${TLSKEY_SUBNAME}" = 'NOSUBKEY' ] || {
+		# Temporarily disable this
+		die "TLS-Crypt-V2 Client Group Keys do not support --subkey"
+		tlskey_file="${EASYTLS_PKI}/${sub_name}-tls-crypt-v2.key"
+		metadata_file="${EASYTLS_MD_DIR}/${sub_name}-tls-crypt-v2.metadata"
+		inline_file="${EASYTLS_PKI}/${sub_name}-gc.inline"
+		}
+
+	# Check inline file does not exist
+	if [ -f "${inline_file}" ]
+	then
+		if "${EASYTLS_GREP}" -q \
+			'# Easy-TLS self-signed certificate base-inline file' \
+			"${inline_file}"
+		then
+			# This file can be over-writen
+			confirm "Are you sure you want to over-write the file? " "yes" \
+				"This base-inline-file already exists: ${inline_file}"
+		else
+			help_note="Use 'easytls remove' to delete the old inline file."
+			die "Inline file already exists: ${inline_file}"
+		fi
+	fi
+
+	# Check tls-crypt key exists
+	[ -f "${tlskey_file}" ] || {
+		help_note="Use 'easytls build' to create a TLS-Crypt-V2 key."
+		die "TLS key file does not exist: ${tlskey_file}"
+		}
+
+	if [ "${cert_purpose}" = 'Client' ]
+	then
+		# Must be a client
+		[ -f "${metadata_file}" ] || missing_file "${metadata_file}"
+
+		# Get metadata
+		metadata_string="$("${EASYTLS_CAT}" "${metadata_file}")" || \
+			die "Failed to read metadata_file: ${metadata_file}"
+
+		# Set tlskey-serial
+		tlskey_serial="${metadata_string%%-*}"
+
+		# Drop EasyTLS header and version
+		metadata_string="${metadata_string#* }"
+
+		# Drop CA fingerprint
+		metadata_string="${metadata_string#*-}"
+
+		# Set Server name
+		srv_name="${metadata_string%% *}"
+		# Drop Server name
+		metadata_string="${metadata_string#* }"
+
+		# Drop x509 cert-serial
+		metadata_string="${metadata_string#* }"
+
+		# Set creation Date
+		MD_date_sec="${metadata_string%% *}"
+		MD_date=
+		easytls_sec_to_date "${MD_date_sec}" MD_date || \
+			die "Failed to create metadata date"
+		# Drop Date
+		metadata_string="${metadata_string#* }"
+
+		# Set custom-group
+		MD_cgroup="${metadata_string%% *}"
+		# Drop custom-group
+		metadata_string="${metadata_string#* }"
+
+		# Verify Custom-Group
+		[ "${TLSKEY_CUSTOM_GRP}" = "${MD_cgroup}" ] || {
+			help_note="This key was built with a different Custom-Group"
+			die "Custom-group mismatch: ${TLSKEY_CUSTOM_GRP} <> ${MD_cgroup}"
+			}
+
+		# Set common-name
+		MD_cn="${metadata_string%% *}"
+		# Drop common-name
+		metadata_string="${metadata_string#* }"
+
+		# Set subkey-name
+		MD_subkey="${metadata_string%% *}"
+		# Drop subkey-name
+		metadata_string="${metadata_string#* }"
+
+		# Set OPT
+		MD_opt="${metadata_string%% *}"
+		# Drop OPT
+		metadata_string="${metadata_string#* }"
+
+		# Set hardware-address
+		MD_hw="${metadata_string%% *}"
+		# Drop hardware-address
+		metadata_string="${metadata_string#* }"
+
+		if [ $EASYTLS_NO_CA ]
+		then
+			# Get the server serial number
+			cert_file="${EASYTLS_PKI}/${srv_name}.crt"
+			x509_cert_serial "${cert_file}" cert_serial || \
+				die "inline_tls_crypt_v2 - cert_serial"
+			srv_serial="${cert_serial}"
+		else
+			# Get the CA serial number
+			ca_cert="${EASYRSA_PKI}/ca.crt"
+			ca_serial=
+			x509_cert_serial "${ca_cert}" ca_serial || \
+				die "inline_tls_crypt_v2 - ca_serial"
+		fi
+	else
+		# Must be a server
+		no_metadata=1
+		tlskey_serial="${cv2_Srv_Serial}"
+	fi
+
+	# Inline base file
+	inline_base "${name}" ${cmd_opts} || die "Failed to create inline base file"
+
+	# Append TLS-Crypt-V2 key
+	{
+		"${EASYTLS_PRINTF}" "%s\n" \
+			"# metadata Easy-TLS-version ${EASYTLS_VERSION} - TLS-Crypt-v2 key"
+
+		if [ $no_metadata ]
+		then
+			# If this is a defined sub-key name then add the name anyway
+			if [ "${cert_purpose}" = 'Client' ]
+			then
+				[ "${MD_subkey}" = 'NOSUBKEY' ] || "${EASYTLS_PRINTF}" \
+					'%s\n\n' "# metadata Sub-key-name: ${MD_subkey}"
+			fi
+		else
+			if [ $EASYTLS_NO_CA ]
+			then
+				"${EASYTLS_PRINTF}" '%s\n' \
+					"# metadata Server-serial: ${srv_serial}"
+			else
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata CA-serial: ${ca_serial}"
+			fi
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata tlskey-serial: ${tlskey_serial}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Creation-Date: ${MD_date}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Custom-Group: ${MD_cgroup}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Server-Common-Name: ${srv_name}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Client-Common-Name: ${MD_cn}"
+			[ "${MD_subkey}" = 'NOSUBKEY' ] || \
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata Sub-key-name: ${MD_subkey}"
+			[ "${MD_opt}" = "OPT" ] || \
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata Opt: ${MD_opt}"
+			"${EASYTLS_PRINTF}" '%s' "# metadata Key-status: "
+			if [ "${MD_hw}" = "=000000000000=" ]
+			then
+				"${EASYTLS_PRINTF}" '%s\n' "Open"
+			else
+				if [ $add_hardware ]
+				then
+					"${EASYTLS_PRINTF}" '%s\n' "Locked ${MD_hw}"
+				else
+					"${EASYTLS_PRINTF}" '%s\n' "Closed"
+				fi
+			fi
+		fi
+
+		# push-peer-info
+		[ "${cert_purpose}" = 'Client' ] && {
+			"${EASYTLS_PRINTF}" '\n%s\n' "setenv UV_TLSKEY_SERIAL ${tlskey_serial}"
+			"${EASYTLS_PRINTF}" "%s\n\n" "push-peer-info"
+			}
+		# Add key
+		"${EASYTLS_PRINTF}" "%s\n" "<tls-crypt-v2>"
+		"${EASYTLS_CAT}" "${tlskey_file}"
+		"${EASYTLS_PRINTF}" "%s\n\n" "</tls-crypt-v2>"
+		# Share fingerprint template
+		inline_share_fingerprint
+	} > "${inline_temp}" || die "Failed to create inline file: ${inline_temp}"
+
+	# Use cat for its intended porpose
+	"${EASYTLS_CAT}" "${inline_base}" "${inline_temp}" > "${inline_file}"
+
+	# Remove temp files
+	rm -f "${inline_base}" "${inline_temp}"
+
+	# Hash inline file and add hash to index
+	save_name="${name}"
+	name="${file_name_stub}"
+	inline_index_update add || die "Failed to update inline-index"
+	name="${save_name}"
+	unset save_name
+
+	inline_share_fingerprint "${name}" || die "Failed to share fingerprint"
+
+	notice "TLS-Crypt-V2 GROUP Server Inline file created: ${inline_file}"
+	easytls_verbose
+} # => inline_tls_crypt_v2_group_server ()
+
+# Inline TLS-Crypt-V2 Group Client Key with X509 Certificate
 inline_tls_crypt_v2_group_client ()
 {
-	#
-	:
-
 	[ $# -ge 2 ] || \
 		die "Required option(s): <client_common_name> <client_group_key>"
 
@@ -4248,13 +4476,13 @@ inline_tls_crypt_v2_group_client ()
 	name="${file_name_stub}"
 	inline_index_update add || die "Failed to update inline-index"
 	name="${save_name}"
-	unsset save_name
+	unset save_name
 
 	inline_share_fingerprint "${name}" || die "Failed to share fingerprint"
 
-	notice "Inline TLS crypt v2 file created: ${inline_file}"
+	notice "TLS-Crypt-V2 GROUP Client Inline file created: ${inline_file}"
 	easytls_verbose
-}
+} # => inline_tls_crypt_v2_group_client ()
 
 # Share peer fingerprints
 inline_share_fingerprint ()
@@ -4695,7 +4923,7 @@ build_tls_crypt_v2_client ()
 # Build group TLS-Crypt-v2 Server
 build_tls_cv2_group_server ()
 {
-	[ $# -ge 1 ] || die "Required option(s): <group_name>"
+	[ $# -ge 1 ] || die "Required option(s): <server_group_name>"
 
 	# Verify OpenVPN version and use correct syntax to --genkey
 	verify_openvpn
@@ -4719,7 +4947,7 @@ build_tls_cv2_group_server ()
 	cli_name="${grp_name}" # Improve this
 	tlskey_index_update add || die "Failed to update tlskey-index"
 
-	notice "TLS crypt v2 server key created: ${tlskey_file}"
+	notice "TLS-Crypt-V2 GROUP Server Key created: ${tlskey_file}"
 	easytls_verbose
 
 	# Explicit return success
@@ -4730,7 +4958,7 @@ build_tls_cv2_group_server ()
 build_tls_cv2_group_client ()
 {
 	[ $# -ge 2 ] || \
-	die "Required option(s): <server_filename_base> <client_filename_base>"
+	die "Required option(s): <server_group_name> <client_group_name>"
 
 	# Verify OpenVPN version and use correct syntax to --genkey
 	verify_openvpn
@@ -4843,7 +5071,7 @@ build_tls_cv2_group_client ()
 	# Save serial number to key-index
 	tlskey_index_update add || die "Failed to update tlskey-index"
 
-	notice "TLS crypt v2 client key created: ${tlskey_file}"
+	notice "TLS-Crypt-V2 GROUP Client Key created: ${tlskey_file}"
 	easytls_verbose
 
 	if [ $EASYTLS_BINLINE ]