Introduce inline-tls-crypt-v2-group-client

Signed-off-by: Richard T Bonhomme <[email protected]>

easytls

@@ -4019,10 +4019,241 @@ inline_tls_crypt_v2_group_server ()
 }
 
 #
-inline_tsl_crypt_v2_group_client ()
+inline_tls_crypt_v2_group_client ()
 {
 	#
 	:
+
+	[ $# -ge 2 ] || \
+		die "Required option(s): <client_common_name> <client_group_key>"
+
+	name="${1}"
+	file_name_stub="${1}-gc"
+	shift
+
+	group_key="${1}"
+	shift
+
+	cmd_opts=""
+	while [ -n "${1}" ]; do
+		case "${1}" in
+			add-dh) cmd_opts="${cmd_opts} add-dh" ;;
+			no-key) cmd_opts="${cmd_opts} no-key" ;;
+			no-md) no_metadata=1 ;;
+			add-hw) add_hardware=1 ;;
+			*) warn "Ignoring unknown command option: '${1}'" ;;
+		esac
+		shift
+	done
+
+	cert_file="${EASYRSA_PKI}/issued/${name}.crt"
+	[ $EASYTLS_NO_CA ] && cert_file="${EASYTLS_PKI}/${name}.crt"
+	[ -f "${cert_file}" ] || missing_file "${cert_file}"
+
+	# Cert purpose
+	verify_cert_purpose "${cert_file}" cert_purpose || {
+		error_msg "verify_cert_purpose failed"
+		return 1
+		}
+
+	# Set file names
+	tlskey_file="${EASYTLS_PKI}/${group_key}-grp-cli-tls-crypt-v2.key"
+	inline_file="${EASYTLS_PKI}/${file_name_stub}.inline"
+	inline_temp="${EASYTLS_PKI}/${file_name_stub}.temp"
+	inline_base="${EASYTLS_PKI}/${file_name_stub}.base"
+	metadata_file="${EASYTLS_MD_DIR}/${group_key}-grp-cli-tls-crypt-v2.metadata"
+	fpr_file="${EASYTLS_PKI}/${name}.fpr"
+
+	sub_name="${name}-${TLSKEY_SUBNAME}"
+	[ "${TLSKEY_SUBNAME}" = 'NOSUBKEY' ] || {
+		# Temporarily disable this
+		die "TLS-Crypt-V2 Client Group Keys do not support --subkey"
+		tlskey_file="${EASYTLS_PKI}/${sub_name}-tls-crypt-v2.key"
+		metadata_file="${EASYTLS_MD_DIR}/${sub_name}-tls-crypt-v2.metadata"
+		inline_file="${EASYTLS_PKI}/${sub_name}-gc.inline"
+		}
+
+	# Check inline file does not exist
+	if [ -f "${inline_file}" ]
+	then
+		if "${EASYTLS_GREP}" -q \
+			'# Easy-TLS self-signed certificate base-inline file' \
+			"${inline_file}"
+		then
+			# This file can be over-writen
+			confirm "Are you sure you want to over-write the file? " "yes" \
+				"This base-inline-file already exists: ${inline_file}"
+		else
+			help_note="Use 'easytls remove' to delete the old inline file."
+			die "Inline file already exists: ${inline_file}"
+		fi
+	fi
+
+	# Check tls-crypt key exists
+	[ -f "${tlskey_file}" ] || {
+		help_note="Use 'easytls build' to create a TLS-Crypt-V2 key."
+		die "TLS key file does not exist: ${tlskey_file}"
+		}
+
+	if [ "${cert_purpose}" = 'Client' ]
+	then
+		# Must be a client
+		[ -f "${metadata_file}" ] || missing_file "${metadata_file}"
+
+		# Get metadata
+		metadata_string="$("${EASYTLS_CAT}" "${metadata_file}")" || \
+			die "Failed to read metadata_file: ${metadata_file}"
+
+		# Set tlskey-serial
+		tlskey_serial="${metadata_string%%-*}"
+
+		# Drop EasyTLS header and version
+		metadata_string="${metadata_string#* }"
+
+		# Drop CA fingerprint
+		metadata_string="${metadata_string#*-}"
+
+		# Set Server name
+		srv_name="${metadata_string%% *}"
+		# Drop Server name
+		metadata_string="${metadata_string#* }"
+
+		# Drop x509 cert-serial
+		metadata_string="${metadata_string#* }"
+
+		# Set creation Date
+		MD_date_sec="${metadata_string%% *}"
+		MD_date=
+		easytls_sec_to_date "${MD_date_sec}" MD_date || \
+			die "Failed to create metadata date"
+		# Drop Date
+		metadata_string="${metadata_string#* }"
+
+		# Set custom-group
+		MD_cgroup="${metadata_string%% *}"
+		# Drop custom-group
+		metadata_string="${metadata_string#* }"
+
+		# Verify Custom-Group
+		[ "${TLSKEY_CUSTOM_GRP}" = "${MD_cgroup}" ] || {
+			help_note="This key was built with a different Custom-Group"
+			die "Custom-group mismatch: ${TLSKEY_CUSTOM_GRP} <> ${MD_cgroup}"
+			}
+
+		# Set common-name
+		MD_cn="${metadata_string%% *}"
+		# Drop common-name
+		metadata_string="${metadata_string#* }"
+
+		# Set subkey-name
+		MD_subkey="${metadata_string%% *}"
+		# Drop subkey-name
+		metadata_string="${metadata_string#* }"
+
+		# Set OPT
+		MD_opt="${metadata_string%% *}"
+		# Drop OPT
+		metadata_string="${metadata_string#* }"
+
+		# Set hardware-address
+		MD_hw="${metadata_string%% *}"
+		# Drop hardware-address
+		metadata_string="${metadata_string#* }"
+
+		if [ $EASYTLS_NO_CA ]
+		then
+			# Get the server serial number
+			cert_file="${EASYTLS_PKI}/${srv_name}.crt"
+			x509_cert_serial "${cert_file}" cert_serial || \
+				die "inline_tls_crypt_v2 - cert_serial"
+			srv_serial="${cert_serial}"
+		else
+			# Get the CA serial number
+			ca_cert="${EASYRSA_PKI}/ca.crt"
+			ca_serial=
+			x509_cert_serial "${ca_cert}" ca_serial || \
+				die "inline_tls_crypt_v2 - ca_serial"
+		fi
+	else
+		# Must be a server
+		no_metadata=1
+		tlskey_serial="${cv2_Srv_Serial}"
+	fi
+
+	# Inline base file
+	inline_base "${name}" ${cmd_opts} || die "Failed to create inline base file"
+
+	# Append TLS-Crypt-V2 key
+	{
+		"${EASYTLS_PRINTF}" "%s\n" \
+			"# metadata Easy-TLS-version ${EASYTLS_VERSION} - TLS-Crypt-v2 key"
+
+		if [ $no_metadata ]
+		then
+			# If this is a defined sub-key name then add the name anyway
+			[ "${MD_subkey}" = 'NOSUBKEY' ] || "${EASYTLS_PRINTF}" '%s\n\n' \
+				"# metadata Sub-key-name: ${MD_subkey}"
+		else
+			if [ $EASYTLS_NO_CA ]
+			then
+				"${EASYTLS_PRINTF}" '%s\n' \
+					"# metadata Server-serial: ${srv_serial}"
+			else
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata CA-serial: ${ca_serial}"
+			fi
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata tlskey-serial: ${tlskey_serial}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Creation-Date: ${MD_date}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Custom-Group: ${MD_cgroup}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Server-Common-Name: ${srv_name}"
+			"${EASYTLS_PRINTF}" '%s\n' "# metadata Client-Common-Name: ${MD_cn}"
+			[ "${MD_subkey}" = 'NOSUBKEY' ] || \
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata Sub-key-name: ${MD_subkey}"
+			[ "${MD_opt}" = "OPT" ] || \
+				"${EASYTLS_PRINTF}" '%s\n' "# metadata Opt: ${MD_opt}"
+			"${EASYTLS_PRINTF}" '%s' "# metadata Key-status: "
+			if [ "${MD_hw}" = "=000000000000=" ]
+			then
+				"${EASYTLS_PRINTF}" '%s\n' "Open"
+			else
+				if [ $add_hardware ]
+				then
+					"${EASYTLS_PRINTF}" '%s\n' "Locked ${MD_hw}"
+				else
+					"${EASYTLS_PRINTF}" '%s\n' "Closed"
+				fi
+			fi
+		fi
+
+		# push-peer-info
+		[ "${cert_purpose}" = 'Client' ] && {
+			"${EASYTLS_PRINTF}" '\n%s\n' "setenv UV_TLSKEY_SERIAL ${tlskey_serial}"
+			"${EASYTLS_PRINTF}" "%s\n\n" "push-peer-info"
+			}
+		# Add key
+		"${EASYTLS_PRINTF}" "%s\n" "<tls-crypt-v2>"
+		"${EASYTLS_CAT}" "${tlskey_file}"
+		"${EASYTLS_PRINTF}" "%s\n\n" "</tls-crypt-v2>"
+		# Share fingerprint template
+		inline_share_fingerprint
+	} > "${inline_temp}" || die "Failed to create inline file: ${inline_temp}"
+
+	# Use cat for its intended porpose
+	"${EASYTLS_CAT}" "${inline_base}" "${inline_temp}" > "${inline_file}"
+
+	# Remove temp files
+	rm -f "${inline_base}" "${inline_temp}"
+
+	# Hash inline file and add hash to index
+	save_name="${name}"
+	name="${file_name_stub}"
+	inline_index_update add || die "Failed to update inline-index"
+	name="${save_name}"
+	unsset save_name
+
+	inline_share_fingerprint "${name}" || die "Failed to share fingerprint"
+
+	notice "Inline TLS crypt v2 file created: ${inline_file}"
+	easytls_verbose
 }
 
 # Share peer fingerprints
@@ -4513,7 +4744,7 @@ build_tls_cv2_group_client ()
 
 	in_file="${EASYTLS_PKI}/${srv_grp_name}-tls-crypt-v2.key"
 	tlskey_file="${EASYTLS_PKI}/${cli_grp_name}-tls-crypt-v2.key"
-	metadata_debug="${EASYTLS_MD_DIR}/${cli_name}-tls-crypt-v2.metadata"
+	metadata_debug="${EASYTLS_MD_DIR}/${cli_grp_name}-tls-crypt-v2.metadata"
 
 	#[ "${TLSKEY_SUBNAME}" = 'NOSUBKEY' ] || {
 	#	full_name="${cli_name}-${TLSKEY_SUBNAME}"
@@ -8176,17 +8407,27 @@ main ()
 				build_tls_crypt_v2_client "$@" || \
 					die "Error: build_tls_crypt_v2_client"
 			;;
+			itc2|itv2|itcv2|inline-tls-crypt-v2)
+				inline_tls_crypt_v2 "$@" || \
+					die "Error: inline_tls_crypt_v2"
+			;;
+			# GROUP Server
 			bc2gs|btc2gs|btv2gs|btcv2gs|build-tls-crypt-v2-group-server)
 				build_tls_cv2_group_server "$@" || \
 					die "Error: build_tls_crypt_v2_group_server"
 			;;
+			ic2gs|itc2gs|itcv2gs|inline-tls-crypt-v2-group-server)
+				inline_tls_crypt_v2_group_server "$@" || \
+					die "Error: inline_tls_crypt_v2_group_server"
+			;;
+			# GROUP Client
 			bc2gc|btc2gc|btv2gc|btcv2gc|build-tls-crypt-v2-group-client)
 				build_tls_cv2_group_client "$@" || \
 					die "Error: build_tls_crypt_v2_group_client"
 			;;
-			itc2|itv2|itcv2|inline-tls-crypt-v2)
-				inline_tls_crypt_v2 "$@" || \
-					die "Error: inline_tls_crypt_v2"
+			ic2gc|itc2gc|itcv2gc|inline-tls-crypt-v2-group-client)
+				inline_tls_crypt_v2_group_client "$@" || \
+					die "Error: inline_tls_crypt_v2_group_server"
 			;;
 			is|inline-show)
 				inline_show "$@" || \