At the moment I am about to change a script called "pkitool" (for anybody who doesn't use openvpn but wants to help me as well, this is what the pkitool looks like: https://joinup.ec.europa.eu/svn/cube/trunk/cube/cube-integration/src/main/scripts/openvpn/pkitool). My aim is to be able to pass the variable $1 (key name) and the password, which I export in the same script. It looks like this:
export KEY_PASSWORD=$2
./pkitool --pass $1
At the moment I am asked to type in a password and then verify it. I want to change that and just pass the password to the script, and I want the script to ask me to enter a pass phrase... (The reason I export the variable KEY_PASSWORD is that I want to use it later on.) This is an extract of my modified pkitool:
# Process options
while [ $# -gt 0 ]; do
    case "$1" in
        --keysize  ) KEY_SIZE=$2
                     shift;;
        --server   ) REQ_EXT="$REQ_EXT -extensions server"
                     CA_EXT="$CA_EXT -extensions server" ;;
        --batch    ) BATCH="-batch" ;;
        --interact ) BATCH="" ;;
        --inter    ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca   ) DO_ROOT="1" ;;
        --pass     ) NODES_REQ="-passin env:KEY_PASSWORD" ;;
        --csr      ) DO_CA="0" ;;
        --sign     ) DO_REQ="0" ;;
        --pkcs12   ) DO_P12="1" ;;
        --pkcs11   ) DO_P11="1"
                     PKCS11_MODULE_PATH="$2"
                     PKCS11_SLOT="$3"
                     PKCS11_ID="$4"
                     PKCS11_LABEL="$5"
                     shift 4;;
I used the variable obviously for the parameter "--pass". The reason I used "-passin env:KEY_PASSWORD" was this man page I prolly misunderstood...
PASS PHRASE ARGUMENTS
Several commands accept password arguments, typically using -passin and -passout for
input and output passwords respectively. These allow the password to be obtained from a
variety of sources. Both of these options take a single argument whose format is
described below. If no password argument is given and a password is required then the
user is prompted to enter one: this will typically be read from the current terminal with
env:var obtain the password from the environment variable var. Since the environment of
other processes is visible on certain platforms (e.g. ps under certain Unix
OSes) this option should be used with caution.
This is the part of the pkitool, where the NODES_REQ is used again:
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
The rest of the pkitool is not modified; you can see it at the link above. Hope you guys understood my problem. HALP PLS, can't figure it out :(
Edit: When NODES_REQ is at its default it looks like this:
NODES_REQ="-nodes"
And the two important parts (also the reason I am using -passin) look like this:
-nodes
if this option is specified then if a private key is created it will not be
encrypted.
-passin arg
the input file password source. For more information about the format of arg see the
PASS PHRASE ARGUMENTS section in openssl(1).
I had to use -passout instead of -passin... One has to read the man page carefully to understand the subtleties. The reason there are two options, -passin and -passout, is that passin is used when the input file is password protected and a password needs to be supplied to unlock it, and passout is used when password protecting the output file. Since "req" simply generates output, what I needed is -passout, not -passin. :)
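As an added example (not code from pkitool or from either poster), a small POSIX shell script that does what the answer describes: it generates a key and CSR with "openssl req", protecting the new key with -passout env:KEY_PASSWORD, and then checks that the written key really is encrypted and that the same variable unlocks it, which is the one place -passin applies. It assumes openssl is on PATH and that the caller has exported KEY_PASSWORD, as the wrapper in the question does; the file names and CN are made up.

```shell
#!/bin/sh
# Added example, not code from pkitool or the original post. For "openssl req"
# the pass phrase that protects the newly written key is given with -passout
# (output); -passin only matters when an INPUT file has to be unlocked.
# Assumes: openssl on PATH, KEY_PASSWORD exported by the caller (as in the
# question's wrapper). The man page's caveat applies: env:var is visible to
# other processes on some platforms, so keep the variable's lifetime short.
set -e

# make_key_and_csr NAME CN
# Writes NAME.key (encrypted with $KEY_PASSWORD) and NAME.csr in the current dir.
make_key_and_csr() {
    name=$1
    cn=$2
    # Fail early instead of letting openssl fall back to prompting on a terminal.
    : "${KEY_PASSWORD:?export KEY_PASSWORD before calling make_key_and_csr}"
    # -passout env:... = pass phrase for the OUTPUT key. Using -nodes here
    # (pkitool's default NODES_REQ) would write the key unencrypted instead.
    # -batch and -subj keep req from prompting for the subject fields.
    openssl req -batch -new -newkey rsa:2048 \
        -passout env:KEY_PASSWORD \
        -subj "/CN=$cn" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    chmod 0600 "$name.key"
}

# key_is_encrypted FILE: succeeds if the PEM carries an encryption header
# ("ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED", depending on version).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_unlocks FILE: succeeds if $KEY_PASSWORD opens the key. The key is now the
# INPUT, so this is where -passin belongs.
key_unlocks() {
    openssl pkey -in "$1" -passin env:KEY_PASSWORD -noout 2>/dev/null
}

# Stand-alone use:  KEY_PASSWORD='...' ./mkreq.sh client1 client1.example
if [ $# -eq 2 ]; then
    make_key_and_csr "$1" "$2"
    key_is_encrypted "$1.key" && echo "$1.key is encrypted with KEY_PASSWORD"
fi
```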