Changeset - 379929d21e92
[Not reviewed]
0 1 0
Branko Majic (branko) - 4 years ago 2020-06-29 04:18:17
branko@majic.rs
Implemented archiver CRL publisher for storing copies of a CRL.
1 file changed with 60 insertions and 9 deletions:
0 comments (0 inline, 0 general) First comment
x509/crlpublisher.sh
 
@@ -34,12 +34,21 @@ be provided either in DER or PEM encoding.
 
The script is written to support several types of publishers. Currently
 
supported publishers are:
 

	
 
    - scp - Publishes to a remote server using public-key authentication through
 
      SSH's scp command.
 

	
 
    - archiver - Archives CRLs to a local directory. This publisher will output
 
      the CRLs to a specific directory using the filename pattern
 
      'issuerdn_fulldateutc_crlnumber.format' where issuerdn is replaced by the
 
      issuer DN of the CRL, fulldateutc is replaced with last update date of CRL
 
      in format YYYY-MM-DD-HH:MM:SS:TZ (e.g. 2013-01-01-00:00:00:+00:00),
 
      crlnumber is replaced with the CRL number in decimal format, and format is
 
      replaced by the format of the CRL file (PEM for OpenSSL-style
 
      base64-encoded CRLs, DER for binary CRLs).
 

	
 
Publishing options are kept within configuration files. Configuration files
 
should be placed in one of the following directories:
 

	
 
    - /etc/crlpublisher/
 
    - ~/.crlpublisher/
 

	
 
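Review bot: the example timestamp in this usage text, `YYYY-MM-DD-HH:MM:SS:TZ (e.g. 2013-01-01-00:00:00:+00:00)`, does not match what the archiver produces: `TZ=UTC date -d "$crlLastUpdate" +%F-%T:%z` in publish_through_archiver prints the offset as `+0000`, so files will actually be named `..._2013-01-01-00:00:00:+0000_...`. Either change the example to `+0000` or use GNU date's `%:z` to get the documented `+00:00`. The same paragraph also presents the raw issuer DN as the first filename component; after readCrlInfo's `sed -e 's#^issuer=/##;s#/#,#g'` it still contains `=`, `,`, spaces and whatever else the DN holds (and a `/` inside an attribute value is rewritten to `,` exactly like a separator, so two distinct issuers can map to the same name), so the docs should state how the DN is sanitised, or the script should restrict it to a safe character set (or hash it) before using it as a path component.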
@@ -69,12 +78,15 @@ Configuration options for 'scp' publisher:
 
    privateKey (optional) - Path to the private key which should be used for
 
    logging-in onto remote server. Default is ~/.ssh/id_rsa.
 

	
 
    remotePort (optional) - Remote port that should be used for connecting to
 
    the SSH server on remote host. Default is to use port 22.
 

	
 
Configuration options for 'archiver' publisher:
 

	
 
    acrhiveDir (mandatory) - Directory where the CRLs will be archived.
 

	
 
$program accepts the following options:
 

	
 
    -v        show script version and licensing information
 
    -h        show usage help
 

	
 
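Review bot: `acrhiveDir (mandatory)` is a typo for `archiveDir`, the variable publish_through_archiver actually tests (`if ! [[ -d $archiveDir ]]`); anyone who follows the usage text will set the misspelled name and get "invalid archive directory - ''" with no hint why. Fix the spelling here, and consider stating that the directory must be writable by the user running the script, since that is what the publisher needs.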
@@ -109,26 +121,36 @@ EOF
 

	
 
#
 
# Helper function that parses a CRL.
 
#
 
# Sets:
 
#     crlIssuerDn - to the value of the CRL issuer's distinguished name.
 
#     crlNumber - to the value of CRL number.
 
#     crlFormat - to the type of CRL (PEM/DER).
 
#     crlLastUpdate - to the last update time of CRL.
 
#     crlNextUpdate - to the next update time of CRL.
 
#
 
function readCrlInfo() {
 
    local crlFile="$1"
 
    unset crlIssuerDn
 

	
 
    # Assume that the CRL is in DER format
 
    if ! crlIssuerDn="$(openssl crl -issuer -inform DER -noout -in "$crlFile")"; then
 
        if ! crlIssuerDn="$(openssl crl -issuer -inform PEM -noout -in "$crlFile")"; then
 
            echo "Invalid CRL file '$crlFile'" >&2
 
            return 1
 
        fi
 
    unset crlIssuerDn crlNumber crlFormat crlLastUpdate crlNextUpdate
 
 
 
    # Detect format of the CRL.
 
    if openssl crl -noout -inform DER -in "$crlFile" 2>/dev/null; then
 
        crlFormat="DER"
 
    elif openssl crl -noout -inform PEM -in "$crlFile" 2>/dev/null; then
 
        crlFormat="PEM"
 
    else
 
        echo "Invalid CRL file '$crlFile'" >&2
 
        return 1
 
    fi
 

	
 
    crlIssuerDn="$(echo "$crlIssuerDn" | sed -e 's#^issuer=/##;s#/#,#g')"
 
    # Read the CRL information
 
    crlIssuerDn=$(openssl crl -issuer -inform "$crlFormat" -noout -in "$crlFile" | sed -e 's#^issuer=/##;s#/#,#g')
 
    crlNumber=$(echo "ibase=16;obase=A;$(openssl crl -crlnumber -inform "$crlFormat" -noout -in "$crlFile" | sed -e 's/crlNumber=//')" | bc)
 
    crlLastUpdate=$(openssl crl -lastupdate -inform "$crlFormat" -noout -in "$crlFile" | sed -e 's/lastUpdate=//')
 
    crlNextUpdate=$(openssl crl -nextupdate -inform "$crlFormat" -noout -in "$crlFile" | sed -e 's/nextUpdate=//')
 

	
 
    return 0
 
}
 

	
 
#
 
# Helper function for clearing the common parameters. This function output
 
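Review bot: readCrlInfo() returns 0 even when the CRL number could not be read: the line `crlNumber=$(echo "ibase=16;obase=A;$(openssl crl -crlnumber -inform "$crlFormat" -noout -in "$crlFile" | sed -e 's/crlNumber=//')" | bc)` feeds whatever follows `crlNumber=` to bc, so a CRL without a CRLNumber extension (where OpenSSL prints a placeholder instead of a hex value) makes bc fail and leaves crlNumber empty, and the archiver then builds a filename with an empty field. The `| sed` pipelines also hide openssl's exit status for the other three fields. Suggest validating after the assignments, e.g. `[[ $crlNumber =~ ^[0-9]+$ ]] || { echo "Missing or invalid CRL number in '$crlFile'" >&2; return 1; }` and `[[ -n $crlLastUpdate ]] || return 1`, since crlLastUpdate is passed straight to `date -d` by the archiver.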
@@ -188,12 +210,41 @@ function publish_through_scp() {
 
            echo "SCP publisher ($configFile): failed to publish CRL for '$crlIssuerDn'." >&2
 
	    return 2
 
        fi
 
    fi
 
}
 

	
 
#
 
# Implementation of archiver.
 
#
 
function publish_through_archiver() {
 
    local configFile="$1" crlFile="$2"
 
    local archiveDir crlLastUpdateParsed
 

	
 
    $(clearCommonParameters)
 

	
 
    . "$configFile"
 

	
 
    verifyCommonParameters || return 1
 

	
 
    if ! [[ -d $archiveDir ]]; then
 
        echo "Archiver publisher ($configFile): invalid archive directory - '$archiveDir'" >&2
 
        return 1
 
    fi
 

	
 
    crlLastUpdateParsed=$(TZ=UTC date -d "$crlLastUpdate" +%F-%T:%z)
 

	
 
    echo "$crlIssuerDn"
 
    echo "$crlNumber"
 
    echo "$crlLastUpdate"
 
    echo "$crlNextUpdate"
 
    echo "$crlLastUpdateParsed"
 
    filename="${crlIssuerDn}_${crlLastUpdateParsed}_${crlNumber}.$crlFormat"
 
    echo "$filename"
 
}
 

	
 
# If no arguments were given, just show usage help.
 
if [[ -z $1 ]]; then
 
    usage
 
    exit 0
 
fi
 

	
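Review bot: publish_through_archiver computes `filename` but never writes anything: after `filename="${crlIssuerDn}_${crlLastUpdateParsed}_${crlNumber}.$crlFormat"` the function only echoes its variables (the five `echo` lines above it look like leftover debugging output) and returns without copying `$crlFile` into `$archiveDir`. Suggest replacing the echoes with `cp -- "$crlFile" "$archiveDir/$filename" || { echo "Archiver publisher ($configFile): failed to archive CRL for '$crlIssuerDn'." >&2; return 2; }` to mirror the scp publisher's return code 2 on a failed publish, adding `filename` to the `local archiveDir crlLastUpdateParsed` declaration so it does not leak into the global scope, and extending the directory check to `[[ -d $archiveDir && -w $archiveDir ]]`. Since `. "$configFile"` executes the configuration file as shell code, it is also worth verifying that the file is owned by the invoking user and not group- or world-writable before sourcing it; otherwise a writable file under ~/.crlpublisher/ or /etc/crlpublisher/ lets anyone who can edit it run commands as the user publishing the CRL.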