From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 22 Jul 2020 15:10:21 +0200
Subject: [PATCH] ahab_pki_tree.sh: automate script

This commit introduce a new command line argument to specify the
CSF path folder and prepare it to automate the build process.

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
 keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++--------------
 1 file changed, 47 insertions(+), 23 deletions(-)

diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index f5ab36c..2c16533 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf "    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"

 stty erase 

+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+
 if [ $# -gt 0 ]; then
     interactive="n"
 else
@@ -78,7 +80,7 @@ usage()
     echo "$0"
     echo
     echo "Command Line Mode:"
-    echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
+    echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
     echo "Options:"
     echo "    -kl: -use-ecc = y then Supported key lengths: p256, p384, p521"
     echo "       : -use-ecc = n then Supported key lengths: 2048, 3072, 4096"
@@ -88,10 +90,18 @@ usage()
     echo
 }

-max_param=16
-min_param=12
+max_param=18
+min_param=1
 num_param=1

+# Default values
+existing_ca="n"
+use_ecc="y"
+kl=p521
+da=sha512
+duration=10
+srk_ca="y"
+
 if [ $interactive = "n" ]
 then
     # Validate command line parameters
@@ -110,6 +120,11 @@ then
     while [ $num_param -le $max_param ] && [ "$1" != "" ]
     do
         case $1 in
+            -csf-path)
+                shift
+                CSF_PATH=$1
+                shift
+                ;;
             -existing-ca)
                 shift
                 existing_ca=$1
@@ -163,9 +178,8 @@ then
                 shift
                 ;;
             *)
-                echo "ERROR: Invalid parameter: $1"
-                usage
-                exit 1
+                CSF_PATH=$1
+                shift
                 ;;
         esac
         num_param=$(( num_param + 2 ))
@@ -255,6 +269,16 @@ then
     read duration
 fi

+# CSF folder structure
+if [ ! -d "${CSF_PATH}" ]; then
+    echo "Invalid CSF_PATH: ${CSF_PATH}"
+    usage
+    exit 1
+fi
+cd "${CSF_PATH}"
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+
 # Compute validity period
 val_period=$((duration*365))

@@ -286,9 +310,9 @@ then
 	script_name=$0
 fi
 script_path=$(cd $(dirname "${script_name}") && pwd -P)
-keys_dir=${script_path}/../keys/
-crts_dir=${script_path}/../crts/
-ca_dir=${script_path}/../ca/
+keys_dir=${CSF_PATH}/keys/
+crts_dir=${CSF_PATH}/crts/
+ca_dir=${CSF_PATH}/ca/

 if [ ! -d "${keys_dir}" ]
 then
@@ -302,11 +326,11 @@ then
     exit 1 
 fi

-if [ ! -d "${ca_dir}" ]
-then
-    echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
-    exit 1 
-fi
+# if [ ! -d "${ca_dir}" ]
+# then
+#     echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting <cst>/ca directory to hold openssl configuration files."
+#     exit 1
+# fi

 # Switch current working directory to keys directory, if needed.
 if [ "${crt_dir}" != "${keys_dir}" ]
@@ -377,7 +401,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
-                   -days ${val_period} -config ../ca/openssl.cnf
+                   -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"

     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -394,7 +418,7 @@ then
     openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der

     # Cleanup
-    \rm temp_ca.pem
+    rm temp_ca.pem
 fi


@@ -468,7 +492,7 @@ then
                       -out ${srk_key}.pem

         # Cleanup
-        \rm ./temp_srk.pem ./temp_srk_req.pem
+        rm ./temp_srk.pem ./temp_srk_req.pem
         i=$((i+1))
     done
 else
@@ -517,10 +541,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
-                  -extfile ../ca/v3_ca.cnf \
+                  -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
                   -out ${srk_crt}.pem \
                   -days ${val_period} \
-                  -config ../ca/openssl.cnf
+                  -config "${SCRIPT_BASEDIR}/openssl.cnf"

     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -541,7 +565,7 @@ do
                   -out ${srk_key}.pem

     # Cleanup
-    \rm ./temp_srk.pem ./temp_srk_req.pem
+    rm ./temp_srk.pem ./temp_srk_req.pem

     echo
     echo ++++++++++++++++++++++++++++++++++++++++
@@ -586,10 +610,10 @@ do
                -in ./temp_sgk_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
-               -extfile ../ca/v3_usr.cnf \
+               -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
                -out ${sgk_crt}.pem \
                -days ${val_period} \
-               -config ../ca/openssl.cnf
+               -config "${SCRIPT_BASEDIR}/openssl.cnf"

     # Convert SGK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -608,7 +632,7 @@ do
                   -out ${sgk_key}.pem

     # Cleanup
-    \rm ./temp_sgk.pem ./temp_sgk_req.pem
+    rm ./temp_sgk.pem ./temp_sgk_req.pem

     i=$((i+1))
 done