client_maker_erg.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316

#!/usr/bin/env bash
##############################################################################
#                                   HEADER                                   #
##############################################################################
# Script for generating SSL certificates.
##############################################################################
#                                END_OF_HEADER                               #
##############################################################################

usage() {
    echo "Script name: $0";
    echo "";
    echo "Usage: $0 --key-type [ RSA | EC | EX25519 ]";
    echo "                      --curve [ P-256 | P-384 | P512 ]";
    echo "                      --rsa-bits [ 2048 | 4096 ]";
    echo "                      --days <n>";
    echo "";
    echo "Options: ";
    echo "      --key-type [ RSA | EC | EC25519 ]";
    echo "          Note: Pico W can use EC or RSA keys only, not EC25519,";
    echo "                and Tasmota can only use 2048 bit RSA keys.";
    echo "      --curve [ P-256 | P-384 | P512 ]";
    echo "      --rsa-bits [ 2048 | 4096 ]";
    echo "      --days [ <integer> ]";
    echo "      --dir [ <mosquitto directory> ]";
    echo "      --output-format [ PEM | DER ]";
    echo "      --user <string>";
    echo "      --config <path-to-cnf-file>";
    echo "      --ca_key <path-to-CA_key>";
    echo "      --ca_cert <path-to-CA_cert>";
 }

TEMP="$(getopt -o hkcrd --long help,key-type:,curve:,rsa-bits:,days:,dir:,output-format:,user:,config:,ca_key:,ca_cert: -- "$@")"

eval set -- "$TEMP"

if [ $# == 0 ] ; then
    usage;
    exit 1;
fi

KEY_TYPE="EC"
CURVE="P-256"
RSA_BITS=2048
DAYS=365
MOSQUITTO_DIR="/home/erg/cert_test"
OUTPUT_FORMAT=
MOSQUITTO_USER=
PKEYOPT=
SSL_CNF=
SSL_CA_KEY=
SSL_CA_CRT=

while true
do
  case "$1" in
    -h|--help)
        usage
        exit 0;
        ;;
    --key-type) KEY_TYPE="$2"; echo "Key type: $KEY_TYPE"; shift 2;;
        # Note: Pico W can use EC or RSA keys only, not EC25519, and Tasmota can only use 2048 bit RSA keys.
        # Default choice of Key Types: RSA, EC, or ED25519
    --curve) CURVE="$2"; echo "Curve: $CURVE"; shift 2;;
        # Choice of NIST Curves for EC Keys: P-256, P-384 or P-521
    --rsa-bits) RSA_BITS="$2"; echo "RSA bits: $RSA_BITS"; shift 2;;
        # Choice of Bits for RSA Keys: 2048 or 4096
    --days) DAYS="$2"; echo "Valid for: $DAYS"; shift 2;;
        # How many days is the Cert valid for?
    --dir) MOSQUITTO_DIR="$2"; echo "Working directory: $MOSQUITTO_DIR"; shift 2;;
    --output-format) OUTPUT_FORMAT="$2"; echo "Output format: $OUTPUT_FORMAT"; shift 2;;
    --user) MOSQUITTO_USER="$2"; echo "Mosquitto user: $MOSQUITTO_USER"; shift 2;;
    --config) SSL_CNF="$2"; shift 2;;
    --ca_key) SSL_CA_KEY="$2"; shift 2;;
    --ca_cert) SSL_CA_CRT="$2"; shift 2;;
    -- ) shift; break;;
    * ) break;;
  esac
done

##############################################################################
#                    Checks that sane arguments passed:                      #
##############################################################################

# Check key type:
if [ "$KEY_TYPE" != 'EC' ] && [ "$KEY_TYPE" != 'RSA' ] && [ "$KEY_TYPE" != 'EC25519' ]; then
    echo "Wrong key type specified: '$KEY_TYPE'"
    echo "Valid keys: [ EC | RSA | EC25519 ]"
    usage
    exit 1;
fi

# Set the specific PKEYOPT for the chosen algorithm (BLANK for ED25519)
if [ "${KEY_TYPE}" == "EC" ]; then
  echo 'Create EC Key'
  PKEYOPT="-pkeyopt ec_paramgen_curve:${CURVE}"
elif [ "${KEY_TYPE}" == "RSA" ]; then
  echo 'Create RSA Key'
  PKEYOPT="-pkeyopt rsa_keygen_bits:${RSA_BITS}"
elif [ "${KEY_TYPE}" == "ED25519" ]; then
  echo 'Create ED25519 Key'
  PKEYOPT=""
else
  echo "Setting -PKEYOPT to defaults: -pkeyopt ec_paramgen_curve:${CURVE}"
fi

# Check curve:
if [ "$CURVE" != 'P-256' ] && [ "$CURVE" != 'P-384' ] && [ "$CURVE" != 'P-521' ]; then
    echo "Wrong NIST curve specified: '$CURVE'"
    echo "Curve must be one of: [ P-256 | P-384 | P-521 ]"
    usage
    exit 1;
fi

# Check RSA bits:
if [ "$RSA_BITS" != '2048' ] && [ "$RSA_BITS" != '4096' ]; then
    echo "Wrong RSA bits specified: '$RSA_BITS'"
    echo "Must be one of: [ 2048 | 4096 ]"
    usage
    exit 1;
fi

# Check days parameter is a number:
if [ -n "$DAYS" ] && [ "$DAYS" -eq "$DAYS" ] 2>/dev/null; then
  echo "Certificate will be valid for: '$DAYS' days"
else
  echo "Not a number: $DAYS"
  usage
  exit 1;
fi

# Check output format:
if [ "${OUTPUT_FORMAT}" == 'PEM' ] || [ "${OUTPUT_FORMAT}" == 'pem' ]; then # I: Double quote to prevent globbing and word splitting.
  OUTPUT_FORMAT="pem"
elif [ "$OUTPUT_FORMAT" == 'DER' ] || [ "$OUTPUT_FORMAT" == 'der' ]; then # I: Double quote to prevent globbing and word splitting.
  OUTPUT_FORMAT="der"
else echo "Incorrect certificate format type specified: $OUTPUT_FORMAT";
    usage
    exit 1;
fi

# Check user supplied:
if [ -z "$MOSQUITTO_USER" ] && [ "$MOSQUITTO_USER" != " " ]; then
    echo "Specified: '$MOSQUITTO_USER' as user."
    echo "Need to specify a non-empty username for the certificate!";
    usage
    exit 1;
fi

# Check CA key and cert exist:
if [ ! -f ${SSL_CA_CRT} ] || [ ! -f ${SSL_CA_KEY} ]; then
    echo "CA certificate does not exist, exiting!"
    exit 1
fi
# Check CA certificate is still valid:
# Date format we get from openssl:
#  Nov 18 13:47:56 2034 GMT
#  %b %d  %H:%M:%S %Y %Z
#  compare dates from the CA cert and current one:
CERT_VALID_UNTIL=$(openssl x509 -enddate -noout -in "${SSL_CA_CRT}" | cut -d'=' -f2)
echo "CA certificate valid until: ${CERT_VALID_UNTIL}"
if [ ! $(($(date -d "$CERT_VALID_UNTIL" +"%s") > $(date +"%s"))) ];then
    echo "CA certificate expired, exiting!"
    exit 1
fi


##############################################################################
#                               Set up variables                             #
##############################################################################

# Set the algorithm
ALGORITHM="-algorithm ${KEY_TYPE}"

# Output client key, CSR request and certificate
CLIENT_KEY="${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}/${MOSQUITTO_USER}_key.${OUTPUT_FORMAT}"
CLIENT_CSR="${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}/${MOSQUITTO_USER}_req.csr"
CLIENT_CERT="${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}/${MOSQUITTO_USER}_crt.${OUTPUT_FORMAT}"

##############################################################################
#                                   Locks                                    #
##############################################################################

LOCK_FILE=/tmp/$SUBJECT.lock
if [ -f "$LOCK_FILE" ]; then
   echo "Script is already running"
   exit
fi

trap 'rm -f $LOCK_FILE' EXIT
touch "$LOCK_FILE"

##############################################################################
#              Backup existing certs and create dir structure                #
##############################################################################

# If our user certs dir already exists, rename it so we don't
# overwrite anything important.

time_stamp=$(date +"%Y-%m-%d_%H-%M")
mv "${MOSQUITTO_DIR}/certs/csr_files/${MOSQUITTO_USER}_req.csr" "${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}" 2>/dev/null
mv "${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}req" "${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}-${time_stamp}" 2>/dev/null

mkdir -p "${MOSQUITTO_DIR}/certs/clients/${MOSQUITTO_USER}"

##############################################################################
#              Create the key in the requested format                        #
##############################################################################

echo "Running:"
echo "
openssl genpkey ${ALGORITHM} ${PKEYOPT} \
-outform ${OUTPUT_FORMAT} \
-out ${CLIENT_KEY} \
-config ${SSL_CNF}
"

openssl genpkey ${ALGORITHM} ${PKEYOPT} \
    -outform "${OUTPUT_FORMAT}" \
    -out "${CLIENT_KEY}" \
    -config "${SSL_CNF}"

retval=$?
if [ $retval -ne 0 ]; then
    echo "Generating key failed!"
    exit $retval
fi
printf '\n\n'
echo "#######################################################################"
printf '\n\n'
echo "Successfully generated client key."
##############################################################################
#                      Create the cert signing request                       #
##############################################################################


echo "Running:"
echo "
openssl req \
-new \
-nodes \
-key $CLIENT_KEY \
-subj /CN=${MOSQUITTO_USER} \
-out $CLIENT_CSR \
-config ${SSL_CNF}
"
openssl req \
    -new \
    -nodes \
    -key "${CLIENT_KEY}" \
    -subj "/CN=${MOSQUITTO_USER}" \
    -out "${CLIENT_CSR}" \
    -config "${SSL_CNF}"

retval=$?
if [ $retval -ne 0 ]; then
    echo "Generating CSR request failed!"
    exit $retval
fi
echo "Successfully generated CSR request"

printf '\n\n'
echo "#######################################################################"
printf '\n\n'

##############################################################################
#                          Cert signing and creation                         #
##############################################################################

echo "Running:"
echo "openssl x509 \
-req \
-in ${CLIENT_CSR} \
-CA ${SSL_CA_CRT} \
-CAkey ${SSL_CA_KEY} \
-CAcreateserial \
-out ${CLIENT_CERT} \
-outform ${OUTPUT_FORMAT} \
-days ${DAYS} \
-config ${SSL_CNF}
"
openssl x509 \
    -req \
    -in "${CLIENT_CSR}" \
    -CA "${SSL_CA_CRT}" \
    -CAkey "${SSL_CA_KEY}" \
    -CAcreateserial \
    -out "${CLIENT_CERT}" \
    -outform "${OUTPUT_FORMAT}" \
    -days "${DAYS}" \

retval=$?
if [ $retval -ne 0 ]; then
    echo "Signing CSR and certificate creation failed!"
    exit $retval
fi
echo "Successfully signed CSR and created client certificate."

printf '\n\n'
echo "#######################################################################"
printf '\n\n'

##############################################################################
#                                  Check the cert                            #
##############################################################################

printf '#   This is your new client certificate\n\n\n'

openssl x509 \
    -text \
    -in "${CLIENT_CERT}" \
    -noout

printf '\n\n'
echo "#######################################################################"
printf '\n\n'