strongswan: add certificate generation utility

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index ff7d5cefe6c9193097c3cd0cd2e6c31fb68bf23f..3b45a2222f886c5fa4940f0cb9de64183d8679e0 100644 (file)
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.2
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@@ -418,6 +418,17 @@ $(call Package/strongswan/description/Default)
  This package contains the swanctl utility.
 endef
 
+define Package/strongswan-gencerts
+$(call Package/strongswan/Default)
+  TITLE+= X.509 certificate generation utility
+  DEPENDS:= strongswan +strongswan-pki bash
+endef
+
+define Package/strongswan-gencerts/description
+$(call Package/strongswan/description/Default)
+ This package contains the X.509 certificate generation utility.
+endef
+
 define Package/strongswan-libtls
 $(call Package/strongswan/Default)
   TITLE+= libtls
@@ -576,6 +587,11 @@ define Package/strongswan-swanctl/install
        $(INSTALL_BIN) ./files/swanctl.init $(1)/etc/init.d/swanctl
 endef
 
+define Package/strongswan-gencerts/install
+       $(INSTALL_DIR) $(1)/usr/bin
+       $(INSTALL_BIN) ./files/gencerts.sh $(1)/usr/bin/gencerts
+endef
+
 define Package/strongswan-libtls/install
        $(INSTALL_DIR) $(1)/usr/lib/ipsec
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libtls.so.* $(1)/usr/lib/ipsec/
@@ -651,6 +667,7 @@ $(eval $(call BuildPackage,strongswan-libnttfft))
 $(eval $(call BuildPackage,strongswan-pki))
 $(eval $(call BuildPackage,strongswan-scepclient))
 $(eval $(call BuildPackage,strongswan-swanctl))
+$(eval $(call BuildPackage,strongswan-gencerts))
 $(eval $(call BuildPackage,strongswan-libtls))
 $(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,))
 $(eval $(call BuildPlugin,aes,AES crypto,))

diff --git a/net/strongswan/files/gencerts.sh b/net/strongswan/files/gencerts.sh
new file mode 100755 (executable)
index 0000000..57dc0df
--- /dev/null
+++ b/net/strongswan/files/gencerts.sh
@@ -0,0 +1,155 @@
+#!/bin/sh
+
+#
+# see:
+#      https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/
+#
+
+PROG=$(basename "$0")
+
+[ -z "$EUID" ] && EUID=$(id -u)
+
+if [ $# -lt 5 ]; then
+       echo "Usage: $PROG { -s | -c | -u } country domain organization identities [ ... ]" >&2
+       exit 1
+fi
+
+case "$1" in
+-s)
+       S_OPT=1 ;;
+-c)
+       C_OPT=1 ;;
+-u)
+       U_OPT=1 ;;
+*)
+       echo "$PROG: require an option specifying server/client/user credential type" >&2
+       exit 1
+       ;;
+esac
+shift
+
+C="$1"; shift
+DOMAIN="$1"; shift
+SHORT_DOMAIN="${DOMAIN%%.*}"
+ORG="$1"; shift
+
+# invariants...
+STRONGSWANDIR=/etc
+SWANCTL_DIR=$STRONGSWANDIR/swanctl
+: ${KEYINFO:="rsa:4096"}
+: ${CADAYS:=3650}
+: ${CRTDAYS:=730}
+
+makeDN()
+{
+       printf "C=%s, O=%s, CN=%s" "$1" "$2" "$3"
+}
+
+field()
+{
+       local arg="$1"
+       local nth="$2"
+
+       echo "$arg" | cut -d ':' -f "$nth"
+}
+
+genmasterkey()
+{
+       local keytype keybits
+
+       keytype=$(field "$KEYINFO" 1)
+       keybits=$(field "$KEYINFO" 2)
+
+       pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
+       chmod 0400 "$SWANCTL_DIR/private/$SHORT_DOMAIN.key"
+}
+
+genca()
+{
+       local keytype
+
+       keytype=$(field "$KEYINFO" 1)
+
+       pki --self --ca --lifetime "$CADAYS" --in "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" --type "$keytype" \
+               --dn "$ROOTDN" --outform pem > "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt"
+       chmod 0444 "$SWANCTL_DIR/cacerts/$SHORT_DOMAIN.crt"
+}
+
+genclientkey()
+{
+       local name="$1" keytype keybits
+
+       keytype=$(field "$KEYINFO" 1)
+       keybits=$(field "$KEYINFO" 2)
+
+       pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$name.key"
+       chmod 0400 "$SWANCTL_DIR/private/$name.key"
+}
+
+gendevcert()
+{
+       local dn="$1"
+       local san="$2"
+       local name="$3"
+
+       # reads key from input
+       pki --issue --lifetime "$CRTDAYS" \
+             --cacert "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" \
+             --cakey "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" \
+             --dn "$dn" --san "$san" \
+             ${S_OPT:+--flag serverAuth} \
+             ${S_OPT:---flag clientAuth} \
+             --flag ikeIntermediate \
+             --outform pem > "$SWANCTL_DIR/x509/$name.crt"
+       chmod 0444 "$SWANCTL_DIR/x509/$name.crt"
+}
+
+gendev()
+{
+       local keytype
+
+       keytype=$(field "$KEYINFO" 1)
+
+       [ -f "$SWANCTL_DIR/private/$NAME.key" ] || genclientkey "$NAME"
+
+       [ -f "$SWANCTL_DIR/x509/$NAME.crt" ] || \
+               pki --pub --in "$SWANCTL_DIR/private/$NAME.key" --type "$keytype" \
+                       | gendevcert "$DEVDN" "$DEVSAN" "$NAME"
+}
+
+setparams()
+{
+       NAME="$1"
+
+       if [ -n "$U_OPT" ]; then
+               DEVSAN="$NAME@$DOMAIN"
+               DEVDN="$(makeDN "$C" "$ORG" "$DEVSAN")"
+       else
+               DEVSAN="$NAME.$DOMAIN"
+               DEVDN="$(makeDN "$C" "$ORG" "$NAME")"
+       fi
+}
+
+umask 077
+
+[ "$EUID" -eq 0 ] || { echo "Must run as root!" >&2 ; exit 1; }
+
+ROOTDN="$(makeDN "$C" "$ORG" "Root CA")"
+
+[ -f "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" ] || genmasterkey
+
+[ -f "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" ] || genca
+
+PARENT="$STRONGSWANDIR"
+BASEDIR="${SWANCTL_DIR##$PARENT/}"
+
+for name in "$@"; do
+       setparams "$name"
+       gendev
+
+       tar -zcf "$name-certs.tar.gz" -C "$PARENT" "$BASEDIR/x509ca/$SHORT_DOMAIN.crt" "$BASEDIR/x509/$name.crt" "$BASEDIR/private/$name.key"
+       chmod 600 "$name-certs.tar.gz"
+       echo "Generated as $name-certs.tar.gz"
+done
+
+exit 0