| #!/bin/bash |
| # Copyright 2021 The HIBA Authors |
| # Use of this source code is governed by a BSD-style |
| # license that can be found in the LICENSE file or at |
| # https://developers.google.com/open-source/licenses/bsd |
| # |
| # hiba-ca is a tool to manage a simple CA via command line. |
| # It provides common CA operations like creating and signing identities. The |
| # user is responsible for distributing the identities to the relevant hosts and |
| # users. |
| # |
| # IMPORTANT: hiba-ca.sh generates the users & hosts private keys for |
| # convenience only. It is not required to leave the private keys in the capath. |
| # Users can even generate their own key pairs, copy the public part into the |
| # capath, then call the sign method on it. |
| # |
| # The structure of a CA is as follows: |
| # * root/ |
| # * CA public key (to be distributed globally) |
| # * CA private key (secret) |
| # * logs of signed certificates |
| # * krl: certificate revocation list |
| # * grl: grant revocation list |
| # * hosts/ |
| # * <hostname> public key (to be kept by CA) |
| # * <hostname> private key (to be distributed to the host and removed from CA) |
| # * <hostname> certificate (to be distrubuted to the host) |
| # * users/ |
| # * <username> public key (to be kept by CA) |
| # * <username> private key (to be distributed to the user and removed from CA) |
| # * <username> certificate (to be distrubuted to the user) |
| # * policy/ |
| # * identities/ |
| # * <identityname> HIBA identity extension to be attached to host certificates |
| # * grants/ |
| # * <grantname> HIBA grant extension to be attached to user certificates |
| # * principals/ |
| # * <principalname>/ |
| # * symlinks to a grant from grants/ that this principal is allowed to |
| # request |
| # |
| # The structure of the logs is the following (comma separated): |
| # * timestamp |
| # * serial |
| # * principals |
| # * ordered list of grants |
| |
| usage() { |
| if [ "$1" != "" ]; then |
| echo "ERROR: $1" |
| echo "" |
| fi |
| |
| echo "Usage:" |
| echo " Create a CA" |
| echo " $0 -c -d <root CA path> -- <ssh-keygen extra args>" |
| echo " Create an identity (user / host)" |
| echo " $0 -c -u -I name -d <root CA path> -- <ssh-keygen extra args>" |
| echo " $0 -c -h -I name -d <root CA path> -- <ssh-keygen extra args>" |
| echo " Import an identity (user / host)" |
| echo " $0 -i -u -f <path to a public key> -I name -d <root CA path>" |
| echo " $0 -i -h -f <path to a public key> -I name -d <root CA path>" |
| echo " Remove an identity (user / host)" |
| echo " $0 -r -u -I name -d <root CA path>" |
| echo " $0 -r -h -I name -d <root CA path>" |
| echo " Set policy permissions (allow / disallow a grant for a user)" |
| echo " $0 -p -H grant -I name -d <root CA path>" |
| echo " $0 -p -r -H grant -I name -d <root CA path>" |
| echo " Sign an identity" |
| echo " $0 -s -u -I name -n principal -H <hiba extensions> -V <validity> -d <root CA path> -- <ssh-keygen extra args>" |
| echo " $0 -s -h -I name -n principal -H <hiba extension> -V <validity> -d <root CA path> -- <ssh-keygen extra args>" |
| echo " Show the CA content (no secrets are displayed): all, users, hosts, HIBA policy, revocations" |
| echo " $0 -l -d <root CA path>" |
| echo " $0 -l -u -d <root CA path>" |
| echo " $0 -l -h -d <root CA path>" |
| echo " $0 -l -p -d <root CA path>" |
| echo " $0 -l -k -d <root CA path>" |
| echo " List or clean up old signing request logs (keep the last N days):" |
| echo " $0 -k -N <ndays> -d <root CA path>" |
| echo " $0 -k -c -N <ndays> -d <root CA path>" |
| echo " Revoke certificates:" |
| echo " $0 -k -r -z <revocation spec> -d <root CA path>" |
| echo " Revoke grants:" |
| echo " $0 -k -r -H grant -d <root CA path>" |
| echo "" |
| echo "Note:" |
| echo "* -H can be repeated to include more than one grant in user certificates" |
| echo "* -n can be repeated to include more than one principal" |
| echo "* -z uses the KEY REVOCATION LISTS format (see man ssh-keygen)" |
| echo "" |
| echo "Defaults:" |
| echo "* <root CA path>: default to ~/.hiba-ca/" |
| echo "* <ndays>: default to 90" |
| echo "* <validity>: default to 1h. The format is similar to" |
| echo " ssh-keygen's \`-v validity_interval\`" |
| echo " (see man ssh-keygen)." |
| echo "" |
| |
| exit 1 |
| } |
| |
| error() { |
| echo "== ERROR ==" |
| exit 1 |
| } |
| |
| get_next_serial() { |
| if [ ! -f $dest/logs ]; then |
| echo 1 |
| return |
| fi |
| serial=$(tail -n 1 $dest/logs | cut -f2 -d,) |
| echo $((serial+1)) |
| } |
| |
| get_logs() { |
| DAYS=$1 |
| FIELDS=$2 |
| |
| PGM='{if ($1 >= cutoff) {print '$FIELDS'}}' |
| now=$(date +%s) |
| cutoff=$((now - 86400 * DAYS)) |
| awk -F, -v cutoff=$cutoff "$PGM" <"$dest/logs" |
| } |
| |
| cleanup_logs() { |
| DAYS=$1 |
| |
| rm -f "$dest/.logs.new" |
| |
| get_logs "$DAYS" '$0' > "$dest/.logs.new" |
| old=$(wc -l "$dest/logs" | cut -f1 -d" ") |
| new=$(wc -l "$dest/.logs.new" | cut -f1 -d" ") |
| COUNT=$((old - new)) |
| if [ "$COUNT" -gt 0 ]; then |
| echo "== Do you want to remove $COUNT entries before $(date --date=@$cutoff)? (y|N)" |
| read ans |
| if [ "$ans" = "y" ]; then |
| mv "$dest/.logs.new" "$dest/logs" |
| echo "== Confirmed ==" |
| else |
| rm "$dest/.logs.new" |
| echo "== Aborted ==" |
| fi |
| else |
| echo "== Nothing to do" |
| fi |
| } |
| |
| revoke_grants() { |
| NAME="$1" |
| GRANT="$2" |
| |
| SERIALS=$(awk -F, -v NAME=$NAME -v GRANT=$GRANT '{ if(($3 ~ NAME) && ($4 ~ GRANT)) {print $2}}' <"$dest/logs") |
| COUNT=$(echo $SERIALS | wc -w) |
| echo "== This action will revoke grants in $COUNT certificate(s)." |
| if [ "$COUNT" -gt 0 ]; then |
| echo "Do you want to continue? (y|N)" |
| read ans |
| if [ "$ans" != "y" ]; then |
| return -1 |
| fi |
| fi |
| for s in $SERIALS; do |
| GRANTS_BY_SERIAL=$(awk -F, -v serial=$s '{ if ($2 == serial) { print $4 }}' <"$dest/logs") |
| IDS=$(echo $GRANTS_BY_SERIAL | xargs -n 1 | grep -n $GRANT | cut -f1 -d:| awk '{print $1 -1}') |
| hiba-grl -f "$dest/grl" -c "$dest $(ssh-keygen -lf $dest/ca.pub)" -r -s "$s" $IDS |
| done |
| } |
| |
| revoke_cert() { |
| MODE="$1" |
| SERIAL="$2" |
| |
| echo "== Revoking certification serial $SERIAL" |
| ssh-keygen -k -f "$dest/krl" -s "$dest/ca.pub" $MODE -z "$(date +%s)" "$SERIAL" |
| } |
| |
| create_key() { |
| TYPE="$1" |
| TARGET="$2" |
| shift 2 |
| |
| echo "== Generating $TYPE keys in $TARGET" |
| ssh-keygen -q -f "$TARGET" "$@" |
| } |
| |
| sign() { |
| TYPE="$1" |
| ID="$2" |
| TARGET="$3" |
| PRINCIPAL="$4" |
| VALIDITY="$5" |
| HIBA="$6" |
| shift 6 |
| |
| PRINCIPALS="${PRINCIPAL// /,}" |
| |
| if [ "$TYPE" = "host" ]; then |
| EXT="identity" |
| SUB="identities" |
| T="-h" |
| else |
| EXT="grant" |
| SUB="grants" |
| T="" |
| fi |
| |
| HIBAEXTS=() |
| for ext in $HIBA; do |
| if [ ! -f "$dest/policy/$SUB/$ext" ]; then |
| echo "cannot find requested HIBA $EXT $ext" |
| return 1 |
| fi |
| if [ "$TYPE" = "user" -a ! -f "$dest/policy/principals/$ID/$ext" ]; then |
| echo "user $ID not eligible for grant $ext" |
| return 1 |
| fi |
| HIBAEXTS+=("$(cat $dest/policy/$SUB/$ext)") |
| done |
| HIBAOPTS=("-O" extension:$EXT@hibassh.dev=$(IFS=,; echo "${HIBAEXTS[*]}")) |
| |
| serial=$(get_next_serial) |
| echo "== Signing $TYPE key ID $ID" |
| if ssh-keygen -I "$ID" -s "$dest/ca" $T -z "$serial" -n "$PRINCIPALS" -V "$VALIDITY" "${HIBAOPTS[@]}" "$@" "$TARGET.pub"; then |
| echo "$(date +%s),$serial,$PRINCIPAL,$HIBA" >> $dest/logs |
| fi |
| } |
| |
| # |
| # Main |
| # |
| ca= |
| create= |
| dest="$HOME/.hiba-ca" |
| host= |
| hiba= |
| name= |
| file= |
| principal= |
| sign= |
| import= |
| remove= |
| list= |
| manage= |
| cleanup= |
| revoke= |
| policy= |
| policy_remove= |
| list_policy= |
| list_revocations= |
| user= |
| serial= |
| validity="+1h" |
| verbose=0 |
| days=90 |
| |
| while getopts "cilprskuhvf:I:n:N:d:H:V:z:" opt; do |
| case $opt in |
| c) create=1;; |
| i) import=1;; |
| l) list=1;; |
| p) policy=1;; |
| r) remove=1;; |
| s) sign=1;; |
| k) manage=1;; |
| u) user=1;; |
| h) host=1;; |
| f) file="$OPTARG";; |
| I) name="$OPTARG";; |
| z) serial="$OPTARG";; |
| n) principal="$principal $OPTARG";; |
| N) days="$OPTARG";; |
| d) dest="$OPTARG";; |
| H) hiba="$hiba $OPTARG";; |
| V) validity="$OPTARG";; |
| v) verbose=1;; |
| ?) usage "Unknown option $opt";; |
| esac |
| done |
| |
| principal=$(echo "$name $principal" | xargs) |
| hiba=$(echo "$hiba" | xargs) |
| shift $((OPTIND - 1)) |
| |
| # Remove (-r) is a modifier of policy and manage subcommand: |
| if [ "${policy}${remove}" = "11" ]; then |
| remove= |
| policy= |
| policy_remove=1 |
| fi |
| if [ "${manage}${remove}" = "11" ]; then |
| remove= |
| manage= |
| revoke=1 |
| fi |
| |
| # Cleanup (-c) is a modifier of manage subcommand: |
| if [ "${manage}${create}" = "11" ]; then |
| create= |
| manage= |
| cleanup=1 |
| fi |
| |
| # Policy (-p) and Manage (-k) are modifiers of list subcommand: |
| if [ "${policy}${list}" = "11" ]; then |
| policy= |
| list_policy=1 |
| fi |
| if [ "${manage}${list}" = "11" ]; then |
| manage= |
| list_revocations=1 |
| fi |
| |
| # Sanity check command line |
| action="${create}${sign}${import}${remove}${list}${policy}${manage}${policy_remove}${cleanup}${revoke}" |
| if [ -z "$action" ]; then |
| usage "at least one action out of [-s | -c | -i | -a | -r | -l | -k] required." |
| fi |
| if [ "$action" != "1" ]; then |
| usage "only one action out of [-s | -c | -i | -a | -r | -l | -k] required." |
| fi |
| if [ -z "$user" ] && [ -z "$host" ]; then |
| ca=1 |
| fi |
| if [ -n "$user" ] && [ -n "$host" ] && [ -z "$list" ]; then |
| usage "only one type out of [-u | -h] required." |
| fi |
| |
| # Check create required command line parameters |
| if [ "$create" = 1 ]; then |
| # If creating a user of host identity, a name is required. |
| if [ -z "$ca" ] && [ -z "$name" ]; then |
| usage "missing -I <name> for user or host identity creation." |
| fi |
| if [ -n "$ca" ] && [ -n "$name" ]; then |
| usage "unexpected -I <name> for CA identity creation." |
| fi |
| fi |
| |
| # Check list required command line parameters |
| if [ "$list" = 1 ]; then |
| # If none of -u -h -p -k is given, display them all |
| if [ -z "${user}${host}${list_policy}${list_revocations}" ]; then |
| user=1 |
| host=1 |
| list_policy=1 |
| list_revocations=1 |
| fi |
| fi |
| |
| # Check import required command line parameters |
| if [ "$import" = 1 ]; then |
| # Only user / host identities can be imported. |
| if [ -n "$ca" ]; then |
| usage "missing -u or -h parameter for identity import." |
| fi |
| # If importing a user of host identity, pubkey is required. |
| if [ -z "$file" ]; then |
| usage "missing -f <pubkey path> for importing identity." |
| fi |
| # If the username is missing use the pubkey filename. |
| if [ -z "$name" ] ; then |
| fname=$(basename $file) |
| name=${file%.pub} |
| echo "missing -I <name> option, assuming $name" |
| fi |
| # The username should not already exist |
| if [ -n "$user" -a -f "$dest/users/$name.pub" ]; then |
| usage "user $name already exists." |
| elif [ -n "$host" -a -f "$dest/hosts/$name.pub" ]; then |
| usage "host $name already exists." |
| fi |
| fi |
| |
| # Check remove required command line parameters |
| if [ "$remove" = 1 ]; then |
| # Only user / host identities can be removed. |
| if [ -n "$ca" ]; then |
| usage "missing -u or -h parameter for identity removal." |
| fi |
| # If removing a user, the user name is required. |
| if [ -z "$name" ]; then |
| usage "missing -I <name> for removing identity." |
| fi |
| # The username should already exist |
| if [ -n "$user" -a ! -f "$dest/users/$name.pub" ]; then |
| usage "user $name doesn't exist." |
| elif [ -n "$host" -a ! -f "$dest/hosts/$name.pub" ]; then |
| usage "host $name doesn't exist." |
| fi |
| fi |
| |
| # Check policy required command line parameters |
| if [ "${policy}${policy_remove}" = 1 ]; then |
| # policy permission need a target name |
| if [ -z "$name" ] ; then |
| usage "missing -I <name> for managing policy permissions." |
| fi |
| if [ -z "$hiba" ] ; then |
| usage "missing -H <grant> for managing policy permissions." |
| fi |
| # the user and grant should exist |
| if [ ! -f "$dest/users/$name.pub" ]; then |
| usage "user $name doesn't exist." |
| fi |
| for grant in $hiba; do |
| if [ ! -f "$dest/policy/grants/$grant" ]; then |
| usage "grant $grant doesn't exist." |
| fi |
| # For removal the eligibility must exist |
| if [ -n "$policy_remove" -a ! -f "$dest/policy/principals/$name/$grant" ]; then |
| usage "user $name not eligible for grant $grant." |
| fi |
| # For additions, the eligibility must not exist |
| if [ -n "$policy" -a -f "$dest/policy/principals/$name/$grant" ]; then |
| usage "user $name s already eligible for grant $grant." |
| fi |
| done |
| fi |
| |
| # Check sign required command line parameters |
| if [ "$sign" = 1 ]; then |
| if [ -z "$user" ] && [ -z "$host" ]; then |
| usage "at least one type out of [-U | -h] required." |
| fi |
| if [ -z "$name" ]; then |
| usage "missing -I <name> for user or host signing." |
| fi |
| if [ -z "$principal" ]; then |
| usage "missing -n <principal> for user or host signing." |
| fi |
| if [ -z "$validity" ]; then |
| usage "missing -V <validity> for user or host signing." |
| fi |
| fi |
| |
| # Check revoke required command line parameters |
| if [ "$revoke" = 1 ]; then |
| # the certificate serial is required. |
| if [ -z "$serial" -a -z "$hiba" ]; then |
| usage "missing -z <revocation spec> or -H grant for revocation." |
| elif [ -n "$serial" -a -n "$hiba" ]; then |
| usage "only one of -z <serial> or -H grant allowed at once for revocation." |
| fi |
| fi |
| |
| # Check log required command line parameters |
| if [ "$manage" = 1 ]; then |
| # the cut off must by a number of days. |
| if [ "$days" -eq 0 ]; then |
| usage "-N must be a integer representing the number of days to display." |
| fi |
| fi |
| |
| # Check cleanup required command line parameters |
| if [ "$cleanup" = 1 ]; then |
| # the cut off must by a number of days. |
| if [ "$days" -eq 0 ]; then |
| usage "-N must be a integer representing the number of days to keep." |
| fi |
| fi |
| |
| if [ "$verbose" = 1 ]; then |
| set -x |
| fi |
| |
| # Init the CA |
| mkdir -p "$dest/policy/principals" |
| mkdir -p "$dest/policy/identities" |
| mkdir -p "$dest/policy/grants" |
| mkdir -p "$dest/hosts" |
| mkdir -p "$dest/users" |
| |
| # Run required action |
| if [ "$list" = 1 ]; then |
| echo "== Certificate Authority location ==" |
| echo "$dest" |
| echo "" |
| if [ -n "$user" ]; then |
| echo "== Users ==" |
| for u in $(find "$dest/users/" -name '*.pub'); do |
| userpub=$(basename $u) |
| user=${userpub%.pub} |
| [[ "$user" = *-cert ]] && continue |
| eligible=$(ls "$dest/policy/principals/$user" | xargs) |
| echo "* $user: eligible for [$eligible]" |
| done |
| echo "" |
| fi |
| if [ -n "$host" ]; then |
| echo "== Hosts ==" |
| for h in $(find $dest/hosts/ -name '*.pub'); do |
| hostpub=$(basename $h) |
| host=${userpub%.pub} |
| [[ "$host" = *-cert ]] && continue |
| echo "* $host" |
| done |
| echo "" |
| fi |
| if [ -n "$list_policy" ]; then |
| echo "== HIBA identities (decode using hiba-gen -d -f <filename>) ==" |
| for i in $(ls $dest/policy/identities/); do |
| echo "* $dest/policy/identities/$i" |
| done |
| echo "" |
| echo "== HIBA grants (decode using hiba-gen -d -f <filename>) ==" |
| for i in $(ls $dest/policy/grants/); do |
| echo "* $dest/policy/grants/$i" |
| done |
| echo "" |
| fi |
| if [ -n "$list_revocations" ]; then |
| echo "== KRL ==" |
| ssh-keygen -Q -f "$dest/krl" -l | tr "#" "*" | sed '/^$/d' |
| echo "" |
| echo "== GRL ==" |
| hiba-grl -f "$dest/grl" -d -c "$dest $(ssh-keygen -lf $dest/ca.pub)" |
| fi |
| elif [ "$create" = 1 ]; then |
| if [ "$ca" = 1 ]; then |
| rm -f "$dest/logs" |
| create_key "CA" "$dest/ca" -C "$dest CA" "$@" || error |
| echo "" | revoke_cert "" "-" &> /dev/null |
| echo "== Done ==" |
| elif [ "$host" = 1 ]; then |
| create_key "host" "$dest/hosts/$name" "$@" || error |
| echo "== Done ==" |
| echo "Identity created: Private: $dest/hosts/$name" |
| echo " Public: $dest/hosts/$name.pub" |
| elif [ "$user" = 1 ]; then |
| create_key "user" "$dest/users/$name" "$@" || error |
| mkdir -p "$dest/policy/principals/$name" |
| echo "== Done ==" |
| echo "Identity created: Private: $dest/users/$name" |
| echo " Public: $dest/users/$name.pub" |
| fi |
| elif [ "$import" = 1 ]; then |
| if [ "$host" = 1 ]; then |
| cp "$file" "$dest/hosts/$name.pub" |
| echo "== Done ==" |
| echo "Identity imported: $dest/hosts/$name.pub" |
| elif [ "$user" = 1 ]; then |
| cp "$file" "$dest/users/$name.pub" |
| mkdir -p "$dest/policy/principals/$name" |
| echo "== Done ==" |
| echo "Identity imported: Public: $dest/users/$name.pub" |
| fi |
| elif [ "$remove" = 1 ]; then |
| if [ "$host" = 1 ]; then |
| echo "key: $(cat $dest/hosts/$name.pub)" | revoke_cert "-u" "-" |
| rm -f "$dest/hosts/$name" |
| rm -f "$dest/hosts/$name.pub" |
| rm -f "$dest/hosts/$name-cert.pub" |
| echo "== Done ==" |
| echo "Identity removed: $name" |
| elif [ "$user" = 1 ]; then |
| echo "key: $(cat $dest/users/$name.pub)" | revoke_cert "-u" "-" |
| rm -f "$dest/users/$name" |
| rm -f "$dest/users/$name.pub" |
| rm -f "$dest/users/$name-cert.pub" |
| rm -rf "$dest/policy/principals/$name" |
| echo "== Done ==" |
| echo "Identity removed: $name" |
| fi |
| elif [ "$policy" = 1 ]; then |
| for grant in $hiba; do |
| ln -s "$dest/policy/grants/$grant" "$dest/policy/principals/$name/$grant" |
| done |
| echo "== Done ==" |
| echo "User $name is now eligible for [$hiba]" |
| elif [ "$policy_remove" = 1 ]; then |
| for grant in $hiba; do |
| revoke_grants "$name" "$grant" || error |
| rm "$dest/policy/principals/$name/$grant" |
| done |
| echo "== Done ==" |
| echo "User $name is not eligible anymore for [$hiba]" |
| elif [ "$sign" = 1 ]; then |
| if [ "$host" = 1 ]; then |
| sign "host" "$name" "$dest/hosts/$name" "$principal" "$validity" "$hiba" "$@" || error |
| echo "== Done ==" |
| echo "Certificate created: $dest/hosts/$name-cert.pub" |
| elif [ "$user" = 1 ]; then |
| sign "user" "$name" "$dest/users/$name" "$principal" "$validity" "$hiba" "$@" || error |
| echo "== Done ==" |
| echo "Certificate created: $dest/users/$name-cert.pub" |
| fi |
| elif [ "$revoke" = 1 ]; then |
| if [ -n "$serial" ]; then |
| revoke_cert "-u" "$serial" || error |
| else |
| for h in $hiba; do |
| revoke_grants ".*" "$h" || error |
| done |
| fi |
| echo "== Done ==" |
| elif [ "$manage" = 1 ]; then |
| echo "Signed certificates log for the last $days days:" |
| get_logs "$days" '$1 " " $2' | while read d s; do |
| echo " [$(date --date=@$d)]: serial $s" |
| done |
| echo "== Done ==" |
| elif [ "$cleanup" = 1 ]; then |
| cleanup_logs "$days" |
| echo "== Done ==" |
| fi |
