cgzones · tomberek · Oct 8, 2018 · Oct 8, 2018 · Oct 8, 2018 · Oct 8, 2018
diff --git a/.travis.yml b/.travis.yml
@@ -11,6 +11,7 @@ before_install:
 script:
   - |
       bash --posix ./create-root-ca -l -d travis-ca <<EOF
+      n
       travis-ca
       bogus.com
       US
@@ -28,13 +29,15 @@ script:
       rootCA_password
       San Francisco
       Jurisdiction of travis-server.bogus-com
+      n
       EOF
   - |
       bash --posix ./bin/create-client -c travis-client << EOF
       rootCA_password
       San Francisco
       private
       [email protected]
+      n
       EOF
   - |
       bash --posix ./bin/revoke-cert -c certs/server/travis-server-bogus-com/travis-server-bogus-com.crt << EOF
@@ -45,6 +48,7 @@ script:
   - |
       bash --posix ./bin/create-signing-ca -d travis-signing << EOF
       rootCA_password
+      n
       travis-signing
       bogus.com
       US
@@ -64,13 +68,15 @@ script:
       signCA_password
       San Francisco
       Jurisdiction of travis-server.bogus-com
+      n
       EOF
   - |
       bash --posix ./bin/create-client -c travis-client << EOF
       signCA_password
       San Francisco
       private
       [email protected]
+      n
       EOF
   - |
       bash --posix ./bin/revoke-cert -c certs/server/travis-server-bogus-com/travis-server-bogus-com.crt << EOF

diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ A suite of bash scripts for automating very basic OpenSSL Certificate Authority
 * Creating Server certificates
 * Creating Client certificates
 * Revoking certificates and maintaining CRLs
+* Creating CSRs
+* Managing SSH keys
 
 ## Usage
 
@@ -27,6 +29,7 @@ A suite of bash scripts for automating very basic OpenSSL Certificate Authority
 | revoke-cert       | Revoke a (client\|server) certificate                             |
 | show-status       | Show the infos about the current CA (signed certificates...)      |
 | sign-csr          | Sign an imported client certificate                               |
+| create-csr        | Create a client certificate                                       |
 
 #### Important files:
 
@@ -49,6 +52,8 @@ create-root-ca -d $ROOT_CA_DIR
 
 ```
 $ROOT_CA_DIR/ca/ca.crt
+$ROOT_CA_DIR/ca/ca.pub
+$ROOT_CA_DIR/ca/ca.ssh.pub
 $ROOT_CA_DIR/ca/private/ca.key
 $ROOT_CA_DIR/ca/ca.crl
 ```
@@ -65,6 +70,8 @@ $ROOT_CA_DIR/bin/create-signing-ca -d $SIGNING_CA_DIR
 
 ```
 $SIGNING_CA_DIR/ca/ca.crt
+$SIGNING_CA_DIR/ca/ca.pub
+$SIGNING_CA_DIR/ca/ca.ssh.pub
 $SIGNING_CA_DIR/ca/private/ca.key
 $SIGNING_CA_DIR/ca/ca.crl
 $SIGNING_CA_DIR/ca/root.crt
@@ -86,6 +93,8 @@ All addresses **must** be supplied via the *-a* flag.
 ```
 $CA_DIR/certs/server/FQDN-Description/FQDN-Description.crt
 $CA_DIR/certs/server/FQDN-Description/FQDN-Description.key
+$CA_DIR/certs/server/FQDN-Description/FQDN-Description.pub
+$CA_DIR/certs/server/FQDN-Description/FQDN-Description.ssh.pub
 $CA_DIR/certs/server/FQDN-Description/FQDN-Description.csr
 ```
 
@@ -102,6 +111,8 @@ $CA_DIR/bin/create-client -c [email protected]
 ```
 $CA_DIR/certs/clients/user-domain-com/user-domain-com.crt
 $CA_DIR/certs/clients/user-domain-com/user-domain-com.key
+$CA_DIR/certs/clients/user-domain-com/user-domain-com.pub
+$CA_DIR/certs/clients/user-domain-com/user-domain-com.ssh.pub
 $CA_DIR/certs/clients/user-domain-com/user-domain-com.csr
 ```
 
@@ -130,6 +141,7 @@ These scripts are very simple, and make some hard-coded assumptions about behavi
 * Client and Server certificates have 3072-bit RSA keys (configurable in *defaults.conf*)
 * Client and Server keys are not encrypted
 * There is no wrapper *yet* for renewing certificates
+* PKCS11 support is in beta
 
 ## License
 

diff --git a/create-client b/create-client
@@ -6,6 +6,7 @@
 
 # Derek Moore <[email protected]>
 # Christian Göttsche <[email protected]>
+# Tom Bereknyei <[email protected]>
 
 set -eu
 set -o pipefail
@@ -59,49 +60,121 @@ fi
 
 
 echo
+if [ -n "$CA_ENABLE_ENGINE" ]; then
+    echo -e "$NOTE Your CA key is on PKCS11 device, enter PIN."
+fi
 echo -e -n "$INPUT Enter passphase for signing CA key: "
 read -r -s PASS
 echo
 export CA_PASS="${PASS}"
-openssl rsa -check \
-            -in ca/private/ca.key \
-            -passin env:CA_PASS \
-            -noout
+
+openssl_engine_cmd='
+    -engine pkcs11 
+    -inform engine
+    -in pkcs11:object=SIGN%20key'
+openssl rsa \
+            ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
+            $( [ -z $CA_ENABLE_ENGINE ] && echo "-check -in ca/private/ca.key") \
+            -noout \
+            -passin env:CA_PASS
 
 trap 'rm -Rf "certs/clients/$SAFE_NAME"' 0
-mkdir "certs/clients/$SAFE_NAME"
+mkdir -p "certs/clients/$SAFE_NAME/ssh"
 
 # Generate the client cert openssl config
 export CA_USERNAME="${CLIENT_NAME}"
 export CA_CERT_MAIL=""
 ask_client_cert_questions
 export SAN="email:$CA_CERT_MAIL"
-template "${BIN_DIR}/templates/client.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"
+template "${BIN_DIR}/templates/clients.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"
+
+echo -e -n "$INPUT Create csr on pkcs11 device? (key must be in \"PIV AUTH key\" or 9a): [yN]"
+read -r SURE
+if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
+    ENABLE_ENGINE=
+else
+    echo -e -n "$INPUT Enter PIN for PIV key: "
+    read -r -s PASS
+    echo
+    export PIV_PASS="${PASS}"
+    ENABLE_ENGINE=1
+    CA_PASS=$PIV_PASS init_slot 9a "certs/clients/$SAFE_NAME/$SAFE_NAME.pub" "pkcs11:object=PIV%20AUTH%20key"
+fi
 
 echo -e "$NOTE Creating the client key and csr"
 
 # Create the client key and csr
-openssl req -new -nodes \
-            -batch \
+openssl_engine_cmd='
+    -engine pkcs11 
+    -keyform engine
+    -key pkcs11:object=PIV%20AUTH%20key
+    -passin env:PIV_PASS'
+openssl req -new -batch \
+            ${ENABLE_ENGINE:+$openssl_engine_cmd} \
             -config "certs/clients/$SAFE_NAME/$SAFE_NAME.conf" \
-            -keyout "certs/clients/$SAFE_NAME/$SAFE_NAME.key" \
-            -out "certs/clients/$SAFE_NAME/$SAFE_NAME.csr"
-openssl rsa -noout -check -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
-chmod 0400 "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
+            -out "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
+            $( [ -z $ENABLE_ENGINE ] && echo "
+            -nodes
+            -keyout certs/clients/$SAFE_NAME/$SAFE_NAME.key")
+
+openssl_engine_cmd='
+    -engine pkcs11 
+    -inform engine
+    -in pkcs11:object=PIV%20AUTH%20key
+    -passin env:PIV_PASS'
+openssl rsa \
+            ${ENABLE_ENGINE:+$openssl_engine_cmd} \
+            $( [ -z $ENABLE_ENGINE ] && echo "-check -in certs/clients/$SAFE_NAME/$SAFE_NAME.key") \
+            -noout
+
+if [ -z "$ENABLE_ENGINE" ]; then
+    chmod 0400 "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
+    ln -s ../"$SAFE_NAME".key "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh"
+    openssl rsa -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key" \
+        -pubout -out "certs/clients/$SAFE_NAME/$SAFE_NAME.pub"
+fi
+
+echo -e "$NOTE Creating client SSH ($SAFE_NAME.ssh.pub)"
+echo -e "$NOTE Example sshd_config: TrustedUserCAKeys ca.ssh.pub"
+echo -e "$NOTE Example sshd_config: AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u"
+echo -e "$NOTE Example known_hosts: @cert-authority *.example.com <ca.ssh.pub>"
+
+ssh-keygen -f "certs/clients/$SAFE_NAME/$SAFE_NAME.pub" -i -mPKCS8 \
+        | awk "{printf \$0;print \" ${SAFE_NAME}\"}" > "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh.pub"
+ssh-keygen -lvf "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh.pub"
+
 
 echo -e "$NOTE Creating the client certificate"
 
 # Create the client certificate
+openssl_engine_cmd="\
+    -engine pkcs11 \
+    -keyform engine \
+    -keyfile pkcs11:object=SIGN%20key"
 openssl ca -batch -notext \
+           ${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
            -config ca/ca.conf \
            -in "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
            -out "certs/clients/$SAFE_NAME/$SAFE_NAME.crt" \
-           -extensions client_ext \
+           -extensions clients_ext \
            -passin env:CA_PASS
 
+if [[ -n "$ENABLE_ENGINE" ]]; then
+    replace_crt 9a certs/clients/"$SAFE_NAME"/"$SAFE_NAME".crt
+fi
+
 echo -e "$NOTE Verifying certificate/key pair"
 
-key_mod=$(openssl rsa -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key")
+openssl_engine_cmd="\
+    -engine pkcs11 \
+    -inform engine \
+    -in pkcs11:object=PIV%20AUTH%20key \
+    -passin env:PIV_PASS"
+key_mod=$(openssl rsa \
+    ${ENABLE_ENGINE:+$openssl_engine_cmd} -noout -modulus \
+    $( [ -z $ENABLE_ENGINE ] && echo "-in certs/clients/$SAFE_NAME/$SAFE_NAME.key")
+)
+
 cert_mod=$(openssl x509 -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.crt")
 
 if [ ! "$key_mod" = "$cert_mod" ];then