diff --git a/easytls b/easytls
index 1fe9781..e9c8411 100755
--- a/easytls
+++ b/easytls
@@ -4011,19 +4011,247 @@ inline_tls_crypt_v2 () easytls_verbose } # => inline_tls_crypt_v2 () -# +# Inline TLS-Crypt-V2 Group Server Key with X509 Certificate inline_tls_crypt_v2_group_server () { - # - : -} + [ $# -ge 2 ] || \ + die "Required option(s): " -# + name="${1}" + file_name_stub="${1}-gs" + shift + + group_key="${1}" + shift + + cmd_opts="" + while [ -n "${1}" ]; do + case "${1}" in + add-dh) cmd_opts="${cmd_opts} add-dh" ;; + no-key) cmd_opts="${cmd_opts} no-key" ;; + no-md) no_metadata=1 ;; + add-hw) add_hardware=1 ;; + *) warn "Ignoring unknown command option: '${1}'" ;; + esac + shift + done + + cert_file="${EASYRSA_PKI}/issued/${name}.crt" + [ $EASYTLS_NO_CA ] && cert_file="${EASYTLS_PKI}/${name}.crt" + [ -f "${cert_file}" ] || missing_file "${cert_file}" + + # Cert purpose + verify_cert_purpose "${cert_file}" cert_purpose || { + error_msg "verify_cert_purpose failed" + return 1 + } + + # Set file names + tlskey_file="${EASYTLS_PKI}/${group_key}-grp-srv-tls-crypt-v2.key" + inline_file="${EASYTLS_PKI}/${file_name_stub}.inline" + inline_temp="${EASYTLS_PKI}/${file_name_stub}.temp" + inline_base="${EASYTLS_PKI}/${file_name_stub}.base" + metadata_file="${EASYTLS_MD_DIR}/${group_key}-grp-srv-tls-crypt-v2.metadata" + fpr_file="${EASYTLS_PKI}/${name}.fpr" + + sub_name="${name}-${TLSKEY_SUBNAME}" + [ "${TLSKEY_SUBNAME}" = 'NOSUBKEY' ] || { + # Temporarily disable this + die "TLS-Crypt-V2 Client Group Keys do not support --subkey" + tlskey_file="${EASYTLS_PKI}/${sub_name}-tls-crypt-v2.key" + metadata_file="${EASYTLS_MD_DIR}/${sub_name}-tls-crypt-v2.metadata" + inline_file="${EASYTLS_PKI}/${sub_name}-gc.inline" + } + + # Check inline file does not exist + if [ -f "${inline_file}" ] + then + if "${EASYTLS_GREP}" -q \ + '# Easy-TLS self-signed certificate base-inline file' \ + "${inline_file}" + then + # This file can be over-writen + confirm "Are you sure you want to over-write the file? 
" "yes" \ + "This base-inline-file already exists: ${inline_file}" + else + help_note="Use 'easytls remove' to delete the old inline file." + die "Inline file already exists: ${inline_file}" + fi + fi + + # Check tls-crypt key exists + [ -f "${tlskey_file}" ] || { + help_note="Use 'easytls build' to create a TLS-Crypt-V2 key." + die "TLS key file does not exist: ${tlskey_file}" + } + + if [ "${cert_purpose}" = 'Client' ] + then + # Must be a client + [ -f "${metadata_file}" ] || missing_file "${metadata_file}" + + # Get metadata + metadata_string="$("${EASYTLS_CAT}" "${metadata_file}")" || \ + die "Failed to read metadata_file: ${metadata_file}" + + # Set tlskey-serial + tlskey_serial="${metadata_string%%-*}" + + # Drop EasyTLS header and version + metadata_string="${metadata_string#* }" + + # Drop CA fingerprint + metadata_string="${metadata_string#*-}" + + # Set Server name + srv_name="${metadata_string%% *}" + # Drop Server name + metadata_string="${metadata_string#* }" + + # Drop x509 cert-serial + metadata_string="${metadata_string#* }" + + # Set creation Date + MD_date_sec="${metadata_string%% *}" + MD_date= + easytls_sec_to_date "${MD_date_sec}" MD_date || \ + die "Failed to create metadata date" + # Drop Date + metadata_string="${metadata_string#* }" + + # Set custom-group + MD_cgroup="${metadata_string%% *}" + # Drop custom-group + metadata_string="${metadata_string#* }" + + # Verify Custom-Group + [ "${TLSKEY_CUSTOM_GRP}" = "${MD_cgroup}" ] || { + help_note="This key was built with a different Custom-Group" + die "Custom-group mismatch: ${TLSKEY_CUSTOM_GRP} <> ${MD_cgroup}" + } + + # Set common-name + MD_cn="${metadata_string%% *}" + # Drop common-name + metadata_string="${metadata_string#* }" + + # Set subkey-name + MD_subkey="${metadata_string%% *}" + # Drop subkey-name + metadata_string="${metadata_string#* }" + + # Set OPT + MD_opt="${metadata_string%% *}" + # Drop OPT + metadata_string="${metadata_string#* }" + + # Set hardware-address + 
MD_hw="${metadata_string%% *}" + # Drop hardware-address + metadata_string="${metadata_string#* }" + + if [ $EASYTLS_NO_CA ] + then + # Get the server serial number + cert_file="${EASYTLS_PKI}/${srv_name}.crt" + x509_cert_serial "${cert_file}" cert_serial || \ + die "inline_tls_crypt_v2 - cert_serial" + srv_serial="${cert_serial}" + else + # Get the CA serial number + ca_cert="${EASYRSA_PKI}/ca.crt" + ca_serial= + x509_cert_serial "${ca_cert}" ca_serial || \ + die "inline_tls_crypt_v2 - ca_serial" + fi + else + # Must be a server + no_metadata=1 + tlskey_serial="${cv2_Srv_Serial}" + fi + + # Inline base file + inline_base "${name}" ${cmd_opts} || die "Failed to create inline base file" + + # Append TLS-Crypt-V2 key + { + "${EASYTLS_PRINTF}" "%s\n" \ + "# metadata Easy-TLS-version ${EASYTLS_VERSION} - TLS-Crypt-v2 key" + + if [ $no_metadata ] + then + # If this is a defined sub-key name then add the name anyway + if [ "${cert_purpose}" = 'Client' ] + then + [ "${MD_subkey}" = 'NOSUBKEY' ] || "${EASYTLS_PRINTF}" \ + '%s\n\n' "# metadata Sub-key-name: ${MD_subkey}" + fi + else + if [ $EASYTLS_NO_CA ] + then + "${EASYTLS_PRINTF}" '%s\n' \ + "# metadata Server-serial: ${srv_serial}" + else + "${EASYTLS_PRINTF}" '%s\n' "# metadata CA-serial: ${ca_serial}" + fi + "${EASYTLS_PRINTF}" '%s\n' "# metadata tlskey-serial: ${tlskey_serial}" + "${EASYTLS_PRINTF}" '%s\n' "# metadata Creation-Date: ${MD_date}" + "${EASYTLS_PRINTF}" '%s\n' "# metadata Custom-Group: ${MD_cgroup}" + "${EASYTLS_PRINTF}" '%s\n' "# metadata Server-Common-Name: ${srv_name}" + "${EASYTLS_PRINTF}" '%s\n' "# metadata Client-Common-Name: ${MD_cn}" + [ "${MD_subkey}" = 'NOSUBKEY' ] || \ + "${EASYTLS_PRINTF}" '%s\n' "# metadata Sub-key-name: ${MD_subkey}" + [ "${MD_opt}" = "OPT" ] || \ + "${EASYTLS_PRINTF}" '%s\n' "# metadata Opt: ${MD_opt}" + "${EASYTLS_PRINTF}" '%s' "# metadata Key-status: " + if [ "${MD_hw}" = "=000000000000=" ] + then + "${EASYTLS_PRINTF}" '%s\n' "Open" + else + if [ $add_hardware ] + then 
+ "${EASYTLS_PRINTF}" '%s\n' "Locked ${MD_hw}" + else + "${EASYTLS_PRINTF}" '%s\n' "Closed" + fi + fi + fi + + # push-peer-info + [ "${cert_purpose}" = 'Client' ] && { + "${EASYTLS_PRINTF}" '\n%s\n' "setenv UV_TLSKEY_SERIAL ${tlskey_serial}" + "${EASYTLS_PRINTF}" "%s\n\n" "push-peer-info" + } + # Add key + "${EASYTLS_PRINTF}" "%s\n" "" + "${EASYTLS_CAT}" "${tlskey_file}" + "${EASYTLS_PRINTF}" "%s\n\n" "" + # Share fingerprint template + inline_share_fingerprint + } > "${inline_temp}" || die "Failed to create inline file: ${inline_temp}" + + # Use cat for its intended porpose + "${EASYTLS_CAT}" "${inline_base}" "${inline_temp}" > "${inline_file}" + + # Remove temp files + rm -f "${inline_base}" "${inline_temp}" + + # Hash inline file and add hash to index + save_name="${name}" + name="${file_name_stub}" + inline_index_update add || die "Failed to update inline-index" + name="${save_name}" + unset save_name + + inline_share_fingerprint "${name}" || die "Failed to share fingerprint" + + notice "TLS-Crypt-V2 GROUP Server Inline file created: ${inline_file}" + easytls_verbose +} # => inline_tls_crypt_v2_group_server () + +# Inline TLS-Crypt-V2 Group Client Key with X509 Certificate inline_tls_crypt_v2_group_client () { - # - : - [ $# -ge 2 ] || \ die "Required option(s): " @@ -4248,13 +4476,13 @@ inline_tls_crypt_v2_group_client () name="${file_name_stub}" inline_index_update add || die "Failed to update inline-index" name="${save_name}" - unsset save_name + unset save_name inline_share_fingerprint "${name}" || die "Failed to share fingerprint" - notice "Inline TLS crypt v2 file created: ${inline_file}" + notice "TLS-Crypt-V2 GROUP Client Inline file created: ${inline_file}" easytls_verbose -} +} # => inline_tls_crypt_v2_group_client () # Share peer fingerprints inline_share_fingerprint () 
@@ -4695,7 +4923,7 @@ build_tls_crypt_v2_client () # Build group TLS-Crypt-v2 Server build_tls_cv2_group_server () { - [ $# -ge 1 ] || die "Required option(s): " + [ $# -ge 1 ] || die "Required option(s): " # Verify OpenVPN version and use correct syntax to --genkey verify_openvpn @@ -4719,7 +4947,7 @@ build_tls_cv2_group_server () cli_name="${grp_name}" # Improve this tlskey_index_update add || die "Failed to update tlskey-index" - notice "TLS crypt v2 server key created: ${tlskey_file}" + notice "TLS-Crypt-V2 GROUP Server Key created: ${tlskey_file}" easytls_verbose # Explicit return success @@ -4730,7 +4958,7 @@ build_tls_cv2_group_server () build_tls_cv2_group_client () { [ $# -ge 2 ] || \ - die "Required option(s): " + die "Required option(s): " # Verify OpenVPN version and use correct syntax to --genkey verify_openvpn @@ -4843,7 +5071,7 @@ build_tls_cv2_group_client () # Save serial number to key-index tlskey_index_update add || die "Failed to update tlskey-index" - notice "TLS crypt v2 client key created: ${tlskey_file}" + notice "TLS-Crypt-V2 GROUP Client Key created: ${tlskey_file}" easytls_verbose if [ $EASYTLS_BINLINE ]