easytls

#!/bin/sh

# Easy-TLS -- A Shell-based Easy-RSA extension utility to help manage
#               * OpenVPN specific TLS keys
#               * Easy-RSA based x509 security credentials
#               * Verified 'inline' combined OpenVPN node packages
#
# Copyright (C) 2020 Richard Bonhomme (Friday 13th of March 2020)
# https://github.com/TinCanTech
# tincanteksup@gmail.com
# All Rights reserved.
#
# This code is released under version 2 of the GNU GPL
# See LICENSE of this project for full licensing details.
#
# Acknowledgement:
# This utility is "written in the style of" and "borrows heavily from" Easy-RSA
# See: https://github.com/OpenVPN/easy-rsa
#
# Easy-TLS requirements:
# + Easy-RSA Version 3.X
# + OpenVPN Version 2.X
#


# Help/usage output to stdout
usage()
{
	# command help:
	print "
Easy-TLS usage and overview

NOTE: Easy-TLS requires that you have a working EasyRSA PKI in place.
NOTE: Easy-TLS requires that you have OpenVPN installed.

USAGE: easytls [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easytls help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easytls help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-tls
  build-tls-auth
  build-tls-crypt
  build-tls-crypt-v2-server <filename_base>
  build-tls-crypt-v2-client <server_filename_base> <client_filename_base>
  inline-base <filename_base> [ cmd-opts ]
  inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
  inline-tls-crypt <filename_base> [ cmd-opts ]
  inline-tls-crypt-v2 <filename_base> [ cmd-opts ]
  inline-remove <filename_base>
  inline-renew <filename_base> [ cmd-opts ]
  inline-status [update?]
  test-inline (Requires root) (TODO)
"

	# collect/show dir status:
	err_source="Not defined: vars autodetect failed and no value provided"
	work_dir="${EASYRSA:-$err_source}"
	pki_dir="${EASYRSA_PKI:-$err_source}"
	tls_dir="${EASYTLS_PKI:-$err_source}"
	print "\
DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: $work_dir
      PKI: $pki_dir
      TLS: $tls_dir
"
} # => usage()

# Detailed command help
# When called with no args, calls usage(), otherwise shows help for a command
cmd_help()
{
	text=""
	opts=""
	case "$1" in
		init-tls) text="
  init-tls
      Removes & re-initializes the TLS key dir" ;;
		build-tls-auth) text="
  build-tls-auth
      Create an OpenVPN TLS auth PSK (tls-auth.key)" ;;
		build-tls-crypt) text="
  build-tls-crypt
      Create an OpenVPN TLS crypt PSK (tls-crypt.key)" ;;
		build-tls-crypt-v2-server) text="
  build-tls-crypt-v2-server <server_filename_base>
      Create an OpenVPN TLS crypt V2 Server key" ;;
		build-tls-crypt-v2-client) text="
  build-tls-crypt-v2-client <server_filename_base> <client_filename_base>
      Create an OpenVPN TLS crypt V2 Client key" ;;
		inline-base) text="
  inline-base <filename_base> [ cmd-opts ]
      Create a complete OpenVPN node package from Easy-RSA files only
      for VPN node <filename_base>"
			opts="
        nokey   - do not require an x509 key (default: key is required)" ;;
		inline-tls-auth) text="
  inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
      Create a complete OpenVPN node package from Easy-RSA and Easy-TLS files
      for VPN node <filename_base> using the Easy-TLS TLS auth file
      <key_direction> either '0' (For server) or '1' (For client)"
			opts="
        nokey   - do not require an x509 key (default: key is required)" ;;
		inline-tls-crypt) text="
  inline-tls-crypt <filename_base> [ cmd-opts ]
      Create a complete OpenVPN node package from Easy-RSA and Easy-TLS files
      for VPN node <filename_base> using the Easy-TLS TLS crypt file"
			opts="
        nokey   - do not require an x509 key (default: key is required)" ;;
		inline-tls-crypt-v2) text="
  inline-tls-crypt-v2 <filename_base> [ cmd-opts ]
      Create a complete OpenVPN node package from Easy-RSA and Easy-TLS files
      for VPN node <filename_base> using the Easy-TLS TLS crypt v2 file"
			opts="
        nokey   - do not require an x509 key (default: key is required)" ;;
		inline-remove) text="
  inline-remove <filename_base>
      Delete <filename_base>.inline when Easy-RSA certificate is revoked" ;;
		inline-renew) text="
  inline-renew <filename_base> [ cmd-opts ]
      Renew <filename_base>.inline when Easy-RSA certificate is renewed"
			opts="
        nokey   - do not require an x509 key (default: key is required)" ;;
		inline-status) text="
  inline-status [update]
      Compare Easy-RSA certificate(s) to Easy-TLS inline(s) status
      update - rebuild inline-index.tls (TODO)" ;;
		options)
			opt_usage ;;
		"")
			usage ;;
		*) text="
  Unknown command: '$1' (try without commands for a list of commands)" ;;
	esac

	# display the help text
	print "$text"
	[ -n "$opts" ] && print "
      cmd-opts is an optional set of command options from this list:
$opts"
} # => cmd_help()

# Options usage
opt_usage()
{
	print "
Easy-TLS Global Option Flags

The following options may be provided before the command. Options specified
at runtime override env-vars and any 'vars' file in use. Unless noted,
non-empty values to options are mandatory.

General options:

--batch         : set automatic (no-prompts when possible) mode
--pki-dir=DIR   : declare the PKI directory
--vars=FILE     : define a specific 'vars' file to use for Easy-RSA config
--tls-dir=DIR   : declare the TLS directory

"
} # => opt_usage()

# Wrapper around printf - clobber print since it's not POSIX anyway
print() { printf "%s\n" "$*"; }

# Exit fatally with a message to stderr
# present even with EASYRSA_BATCH as these are fatal problems
die()
{
	easy_tls_version
	print "
Easy-TLS error:

$1" 1>&2
	exit "${2:-1}"
} # => die()

# remove temp files and do terminal cleanups
cleanup()
{
	[ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session"
	(stty echo 2>/dev/null) || { (set -o echo 2>/dev/null) && set -o echo; }
	echo "" # just to get a clean line
} # => cleanup()

# non-fatal warning output
warn()
{
	[ ! "$EASYTLS_BATCH" ] && \
		print "
$1" 1>&2
} # => warn()

# informational notices to stdout
notice()
{
	[ ! "$EASYTLS_BATCH" ] && \
		print "
$1"
} # => notice()

# intent confirmation helper func
# returns without prompting in EASYTLS_BATCH
confirm()
{
	[ "$EASYTLS_BATCH" ] && return
	prompt="$1"
	value="$2"
	msg="$3"
	input=""
	print "
$msg

Type the word '$value' to continue, or any other input to abort."
	printf %s "  $prompt"
	read input
	[ "$input" = "$value" ] && return
	notice "Aborting without confirmation."
	exit 9
} # => confirm()

vars_source_check() {
	# Check for defined EASYRSA_PKI
	[ -n "$EASYRSA_PKI" ] || die "\
EASYRSA_PKI env-var undefined"
} # => vars_source_check()

# Basic sanity-check of PKI init and complain if missing
verify_pki_init () {
	help_note="Run easyrsa without commands for usage and command help."

	# check that the pki dir exists
	vars_source_check
	[ -d "$EASYRSA_PKI" ] || die "\
Easy-TLS requires that you have initialised your Easy-RSA PKI.

Easy-RSA error:

EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: $EASYRSA_PKI
$help_note"

	# verify expected dirs present:
	for i in private reqs; do
		[ -d "$EASYRSA_PKI/$i" ] || die "\
Easy-TLS requires that you have initialised your Easy-RSA PKI.

Easy-RSA error:

Missing expected directory: $i (perhaps you need to run init-pki?)
$help_note"
	done
} # => verify_pki_init()

# Verify core CA files present
verify_ca_init () {
	help_note="Run without commands for usage and command help."

	# First check the PKI has been initialized
	verify_pki_init

	# Verify expected files are present. Allow files to be regular files
	# (or symlinks), but also pipes, for flexibility with ca.key
	for i in serial index.txt index.txt.attr ca.crt private/ca.key; do
		if [ ! -f "$EASYRSA_PKI/$i" ] && [ ! -p "$EASYRSA_PKI/$i" ]; then
			[ "$1" = "test" ] && return 1
			die "\
Easy-TLS TLS crypt v2 requires that you have built your EASY-RSA PKI node certificates.

Easy-RSA error:

Missing expected CA file: $i (perhaps you need to run build-ca?)
$help_note"
		fi
	done

	# When operating in 'test' mode, return success.
	# test callers don't care about CA-specific dir structure
	#[ "$1" = "test" ] && return 0

	# verify expected CA-specific dirs:
	for i in issued certs_by_serial
	do
		[ -d "$EASYRSA_PKI/$i" ] || die "\
Easy-RSA error:

Missing expected CA dir: $i (perhaps you need to run build-ca?)
$help_note"
	done

	# explicitly return success for callers
	return 0

} # => verify_ca_init()

# Verify Openvpn is available
verify_openvpn ()
{
	if which "$EASYTLS_OPENVPN" > /dev/null
	then
		return 0
	else
		die "OpenVPN not found: $EASYTLS_OPENVPN"
	fi
} # => verify_openvpn ()

# Verify Openvpn version, 2.5 required for TLS crypt v2, 2.4 required for TLS crypt v1
verify_openvpn_version ()
{
	ovpn_ver_req_maj="$1"
	[ -z "$ovpn_ver_req_maj" ] && die "Openvpn Major Version required not set."
	ovpn_ver_str="$("$EASYTLS_OPENVPN" --version | grep ^OpenVPN | awk '{print $2}')"
	ovpn_ver_ints="$(printf "%s" "$ovpn_ver_str" | sed "s/[^0123456789]/\ /g")"

	# SC2039: In POSIX sh, lexicographical < is undefined.

	ovpn_ver_main="$(printf "%s" "$ovpn_ver_ints" | awk '{print $1}')"
	ovpn_ver_major="$(printf "%s" "$ovpn_ver_ints" | awk '{print $2}')"
	ovpn_ver_minor="$(printf "%s" "$ovpn_ver_ints" | awk '{print $3}')"

	ovpn_ver_main="${ovpn_ver_main:-0}"
	ovpn_ver_major="${ovpn_ver_major:-0}"
	ovpn_ver_minor="${ovpn_ver_minor:-0}"

	[ $ovpn_ver_main -lt 2 ] && die "Openvpn 2.5 required, Found $ovpn_ver_str"
	[ $ovpn_ver_major -lt $ovpn_ver_req_maj ] && \
		die "Openvpn 2.$ovpn_ver_req_maj required, Found $ovpn_ver_str"
	[ $ovpn_ver_minor -lt 0 ] && die "Openvpn 2.X.X required, Found $ovpn_ver_str"
} # => verify_openvpn_version ()

# Verify TLS has been initialised
verify_tls_init ()
{
	verify_openvpn
	[ -d "$EASYTLS_PKI" ] || die "TLS has not been initialised, run init-tls"
	[ -f "$EASYTLS_INLINE_INDEX" ] || die "TLS has not been initialised, run init-tls"
} # => verify_tls_init ()

# init-tls backend:
init_tls ()
{
	# Easy-TLS requires that your Easy-RSA PKI is initialised
	verify_pki_init
	# If EASYTLS_PKI exists, confirm before we rm -rf (skiped with EASYTLS_BATCH)
	if [ -d "$EASYTLS_PKI" ]; then
		confirm "Confirm removal: " "yes" "
WARNING!!!

You are about to remove the EASYTLS_PKI at: $EASYTLS_PKI
and initialize a fresh TLS PKI here."
		# now remove it:
		rm -rf "$EASYTLS_PKI" \
		|| die "Removal of TLS dir failed. Check/correct errors above"
	fi

	# Create tls dir in Easyrsa PKI dir
	mkdir -p "$EASYTLS_PKI" || die "Failed to create TLS dir (permissions?)"

	# Create tls dir index file
	printf "%s" > "$EASYTLS_INLINE_INDEX" \
		|| die "Failed to create $EASYTLS_INLINE_INDEX (permissions?)"

	notice "\
init-tls complete; you may now create TLS keys.
Your newly created TLS dir is: $EASYTLS_PKI
"
	return 0
} # => init_tls ()

# Show differences between Easy-TLS vs Easy-RSA cert revokation
inline_status ()
{
	EASYRSA_INDEX="$EASYRSA_PKI/index.txt"
	[ -f "$EASYRSA_INDEX" ] || die "Missing Easy-RSA: $EASYRSA_INDEX"

	easyrsa_valid_serial_list=""
	easyrsa_revoked_serial_list=""
	easytls_valid_serial_list=""
	#easytls_revoked_serial_list="" # Not used

	# List Easy-RSA Valid certs
	status_easyrsa_valid

	# List Easy-RSA Revoked certs
	status_easyrsa_revoked

	[ -f "$EASYTLS_INLINE_INDEX" ] || return

	# List Easy-TLS Valid certs
	status_easytls_valid

	# List Easy-TLS Revoked certs
	#status_easytls_revoked # Not used

	# List mismatches
	status_easytls_mismatch
} #=> inline_status ()

# Print Valid certs from Easy-RSA
status_easyrsa_valid ()
{
	print "Easy-RSA: Valid certificates:"
	grep "^V" "$EASYRSA_INDEX" | awk '{ print $5 " " $3 }' | sed "s\`^/CN=\`\`g" | \
		awk '{ print "  Certificate CN: " $1 " is Valid - Serial number:" $2 }'
	temp_var="$(grep "^V" "$EASYRSA_INDEX" | awk '{ print $3 }')"
	easyrsa_valid_serial_list="$(print $temp_var | sed "s\`\n\`\ \`g")"
	print
} # => status_easyrsa_valid ()

# Print Revoked certs from Easy-RSA
status_easyrsa_revoked ()
{
	print "Easy-RSA: Revoked certificates:"
	grep "^R" "$EASYRSA_INDEX" | awk '{ print $6 " " $4 }' | sed "s\`^/CN=\`\`g" | \
		awk '{ print "  Certificate CN: " $1 " is Revoked - Serial number:" $2 }'
	temp_var="$(grep "^R" "$EASYRSA_INDEX" | awk '{ print $4 }')"
	easyrsa_revoked_serial_list="$(print $temp_var | sed "s\`\n\`\ \`g")"
	print
} # => status_easyrsa_revoked ()

# Print Valid certs from Easy-TLS
status_easytls_valid ()
{
	print "Easy-TLS: Known inline files:"
	grep -v "^$" "$EASYTLS_INLINE_INDEX" | \
		awk '{ print "  Inline file CN: " $1 " is Valid - Serial number:" $2 }'
	temp_var="$(awk '{ print $2 }' "$EASYTLS_INLINE_INDEX")"
	easytls_valid_serial_list="$(print $temp_var | sed "s\`\n\`\ \`g")"
	print
} # => status_easytls_valid ()

# Print Revoked certs from Easy-TLS
status_easytls_revoked ()
{
	print "Easy-TLS: Revoked inline files:"
	print "  Easy-TLS does not Revoke certificates."
	print "  If the certificate has been revoked in Easy-RSA then use:"
	print "  'inline-remove <filename_base>' to delete inline file."
	print "* renew (TODO)" # TODO
} # => status_easytls_revoked ()

# Check Easy-TLS valid vs Easy-RSA revoked
status_easytls_mismatch ()
{
	print "Easy-TLS: Invalid inline files:"
	for i in $easytls_valid_serial_list
	do
		search_for_mismatch="$(print $easyrsa_revoked_serial_list | grep -c $i)"
		case $search_for_mismatch in
			0)
				:
			;;

			1)
				temp_error=1
				temp_var="$(grep "$i" "$EASYTLS_INLINE_INDEX")" # "
				# "
				print "  $temp_var"
			;;

			*)
				temp_errors=1
				temp_var="$(grep "$i" "$EASYTLS_INLINE_INDEX")" # "
				# "
				print "  multiple mismatch: $temp_var"
			;;
		esac
	done
	[ $temp_error ] && warn \
"Use 'easytls inline-remove <filename_base>' to delete invalid inline files."
	[ $temp_errors ] && warn \
"Duplicate records detected! Use 'easytls inline-index' to attempt a re-index."
} # => status_easytls_mismatch

# Keep an index file for inline certs to manage revoke/renew
update_inline_index ()
{
	update_index_action="$1"
	easytls_index_backup="$EASYTLS_INLINE_INDEX.bkp"
	easytls_index_temp="$EASYTLS_INLINE_INDEX.tmp"
	[ -f "$EASYTLS_INLINE_INDEX" ] || \
		die "update_inline_index () Missing: $EASYTLS_INLINE_INDEX"

	cp -f "$EASYTLS_INLINE_INDEX" "$easytls_index_backup"

	case "$update_index_action" in
		add)
			{ printf "%s\n" "$name $crt_serial"
			} >> "$EASYTLS_INLINE_INDEX" || \
				die "Failed to update $EASYTLS_INLINE_INDEX"
		;;
		del)
			{ sed "s\`^"$name".*$\`\`g" "$easytls_index_backup"
			} > "$easytls_index_temp" || \
				die "Failed to update $EASYTLS_INLINE_INDEX"

			grep -v "^$" "$easytls_index_temp" > "$EASYTLS_INLINE_INDEX"
		;;
		*)
			die "Unknown index action: $update_index_action"
		;;
	esac
	rm -f "$easytls_index_backup" "$easytls_index_temp"
} # => update_inline_index ()

# Remove .inline file
inline_remove ()
{
	name="$1"
	inline_file="$EASYTLS_PKI/$name.inline"

	[ -f "$inline_file" ] || die "Missing: $inline_file"

	# Confirm remove
	confirm  "Remove inline file (yes/no) ? " "yes" "Remove: $inline_file"

	rm "$inline_file" || die "Failed to remove: $inline_file"

	update_inline_index del

	[ $no_exit_note ] || notice "Inline file removed: $inline_file"
} # => inline_remove ()

# Renew .inline file
inline_renew ()
{
	# Disable completion notices from sub processes
	no_exit_note=1

	name="$1"
	shift

	cmd_opts=""
	while [ -n "$1" ]; do
		case "$1" in
			nokey) cmd_opts="$cmd_opts nokey" ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	inline_file="$EASYTLS_PKI/$name.inline"

	[ -f "$inline_file" ] || die "Missing: $inline_file"

	# Collect the attributes of .inline file
	inline_is_base="$(grep -c 'File name base' "$inline_file")"
	inline_is_tlsauth="$(grep -c '<tls-auth>' "$inline_file")"
	inline_is_tlscrypt="$(grep -c '<tls-crypt>' "$inline_file")"
	inline_is_tlscryptv2="$(grep -c '<tls-crypt-v2>' "$inline_file")"

	# Verify .inline is valid
	[ $inline_is_base -eq 1 ] || die "File is not valid .inline: $inline_file"
	[ $(( inline_is_tlsauth + inline_is_tlscrypt + inline_is_tlscryptv2 )) -le 1 ] || \
		die "File is not valid .inline: $inline_file"

	# Determine the type of .inline file
	inline_type="tls-base"
	[ $inline_is_tlsauth -eq 1 ] && inline_type="tls-auth"
	[ $inline_is_tlscrypt -eq 1 ] && inline_type="tls-crypt"
	[ $inline_is_tlscryptv2 -eq 1 ] && inline_type="tls-crypt-v2"

	# Confirm renew type
	confirm  "Renew inline file (yes/no) ? " "yes" "Renew: $inline_file as Type: $inline_type"

	if [ "$inline_type" = "tls-auth" ]
	then
		# Determine <key-direction>
		key_dir="$(grep 'key-direction' "$inline_file" | awk '{ print $2 }' )"
		case "$key_dir" in
			0|1) : ;;
			*) die "Key direction must be 0 (For server) or 1 (For client): $key_dir" ;;
		esac
	fi

	# Remove the old .inline file
	EASYTLS_BATCH=1
	inline_remove "$name"
	unset EASYTLS_BATCH

	case "$inline_type" in
		tls-base)
			inline_base "$name" $cmd_opts
		;;
		tls-auth)
			inline_tls_auth "$name" "$key_dir" $cmd_opts
		;;
		tls-crypt)
			inline_tls_crypt "$name" $cmd_opts
		;;
		tls-crypt-v2)
			inline_tls_crypt_v2 "$name" $cmd_opts
		;;
		*)
			die "Unknown error inline_type: $inline_type"
		;;
	esac

	notice "Inline file renewed: $inline_file"
} # => inline_renew ()

# Create inline credentials file from Easy-RSA PKI
inline_base ()
{
	# TODO: Improve build_inline integration. eg: renew/revoke
	verify_ca_init

	name="$1"
	shift

	while [ -n "$1" ]; do
		case "$1" in
			nokey) no_x509_key=1 ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	ca_file="$EASYRSA_PKI/ca.crt"
	crt_file="$EASYRSA_PKI/issued/$name.crt"
	key_file="$EASYRSA_PKI/private/$name.key"
	out_file="$EASYTLS_PKI/$name.inline"
	help_note="Run easytls status to verify certificate revokation."

	[ -f "$crt_file" ] || die "\
Certificate file missing or revoked: $crt_file
$help_note"

	if [ "$no_x509_key" ]
	then
		# Key file is not required
		:
	else
		# Key file is required
		[ -f "$key_file" ] || die "\
Key file missing or revoked: $key_file
$help_note"
	fi

	# get the serial number of the certificate -> serial=XXXX
	crt_serial="$("$EASYRSA_OPENSSL" x509 -in "$crt_file" -noout -serial)"
	# remove the serial= part -> we only need the XXXX part
	crt_serial=${crt_serial##*=}

	# Check that the requested certificate is not revoked before inline
	#inline_cert_status || die "Certificate is revoked: $crt_file"

	if [ "$EASYTLS_BATCH" ]
	then
		rm -f "$out_file"
	else
		[ -f "$out_file" ] && die "Inline file exists: $out_file"
	fi

	{	printf "%s\n" "# File name base: $name"
		printf "%s\n" ""
		printf "%s\n" "<cert>"
		cat "$crt_file"
		printf "%s\n" "</cert>"
		printf "%s\n" ""
		printf "%s\n" "<key>"

		if [ "$no_x509_key" ]
		then
			printf "%s\n" "  Delete this line and paste your complete x509 key file here"
		else
			cat "$key_file"
		fi

		printf "%s\n" "</key>"
		printf "%s\n" ""
		printf "%s\n" "<ca>"
		cat "$ca_file"
		printf "%s\n" "</ca>"
		printf "%s\n" ""
	} > "$out_file" || die "Failed to create inline file: $out_file"

	# Update INLINE index
	update_inline_index add

	[ $no_exit_note ] || notice "Inline base file created: $out_file"
} # => inline_base ()

# Append TLS auth file to base file
inline_tls_auth ()
{
	verify_ca_init
	name="$1"
	key_dir="$2"
	shift 2

	cmd_opts=""
	while [ -n "$1" ]; do
		case "$1" in
			nokey) cmd_opts="$cmd_opts nokey" ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	tls_file="$EASYTLS_PKI/tls-auth.key"
	out_file="$EASYTLS_PKI/$name.inline"

	[ -f "$tls_file" ] || die "TLS key file does not exist: $tls_file"
	case "$key_dir" in
		0|1) : ;;
		*) die "Key direction must be 0 (For server) or 1 (For client)." ;;
	esac

	# Inline base file
	EASYTLS_BATCH=1
	inline_base "$name" $cmd_opts
	unset EASYTLS_BATCH

	{	printf "%s\n" "# TLS auth"
		printf "%s\n" ""
		printf "%s\n" "key-direction $key_dir"
		printf "%s\n" ""
		printf "%s\n" "<tls-auth>"
		cat "$tls_file"
		printf "%s\n" "</tls-auth>"
		printf "%s\n" ""
	} >> "$out_file" || die "Failed to create inline file: $out_file"

	[ $no_exit_note ] || notice "Inline TLS auth file created: $out_file"
} # => inline_tls_auth ()

# Append TLS crypt file to base file
inline_tls_crypt ()
{
	verify_ca_init
	name="$1"
	shift

	cmd_opts=""
	while [ -n "$1" ]; do
		case "$1" in
			nokey) cmd_opts="$cmd_opts nokey" ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	tls_file="$EASYTLS_PKI/tls-crypt.key"
	out_file="$EASYTLS_PKI/$name.inline"

	[ -f "$tls_file" ] || die "TLS key file does not exist: $tls_file"

	# Inline base file
	EASYTLS_BATCH=1
	inline_base "$name" $cmd_opts
	unset EASYTLS_BATCH

	{	printf "%s\n" "# TLS crypt"
		printf "%s\n" ""
		printf "%s\n" "<tls-crypt>"
		cat "$tls_file"
		printf "%s\n" "</tls-crypt>"
		printf "%s\n" ""
	} >> "$out_file" || die "Failed to create inline file: $out_file"

	[ $no_exit_note ] || notice "Inline TLS crypt file created: $out_file"
} # => inline_tls_crypt ()

# Append TLS crypt v2 file to base file
inline_tls_crypt_v2 ()
{
	verify_ca_init
	name="$1"
	shift

	cmd_opts=""
	while [ -n "$1" ]; do
		case "$1" in
			nokey) cmd_opts="$cmd_opts nokey" ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	tls_file="$EASYTLS_PKI/tls-crypt-v2-$name.key"
	out_file="$EASYTLS_PKI/$name.inline"

	[ -f "$tls_file" ] || die "TLS key file does not exist: $tls_file"
	[ -f "$out_file" ] && die "TLS Inline file already exist: $out_file"

	# Inline base file
	EASYTLS_BATCH=1
	inline_base "$name" $cmd_opts
	unset EASYTLS_BATCH

	{	printf "%s\n" "# TLS crypt v2"
		printf "%s\n" ""
		printf "%s\n" "<tls-crypt-v2>"
		cat "$tls_file"
		printf "%s\n" "</tls-crypt-v2>"
		printf "%s\n" ""
	} >> "$out_file" || die "Failed to create inline file: $out_file"

	[ $no_exit_note ] || notice "Inline TLS crypt v2 file created: $out_file"
} # => inline_tls_crypt_v2 ()

# Check that the requested certificate is not revoked before inline
inline_cert_status ()
{
	pki_index="$EASYRSA_PKI/index.txt"
	[ -f "$pki_index" ] || die "Missing Easy-RSA: $pki_index"

	crt_valid="$(grep "$name" "$pki_index" | grep -c "^V")"
	[ $crt_valid -eq 1 ] || return 1
} # => inline_cert_status ()

# Creat TLS auth file
build_tls_auth ()
{
	# This is allowed without a complete Easy-RSA PKI
	# Verify Easy-TLS and Easy-RSA have been correctly setup
	verify_tls_init
	out_file="$EASYTLS_PKI/tls-auth.key"

	[ -f "$out_file" ] && \
		die "TLS auth key already exists: $out_file"

	"$EASYTLS_OPENVPN" --genkey --secret "$out_file" || \
		die "Failed to create TLS auth key: $out_file"

	notice "TLS auth key created: $out_file"
} # => build_tls_auth ()

# Create TLS crypt v1 file
build_tls_crypt_v1 ()
{
	# Requires openvpn version 2.4
	verify_openvpn_version 4

	# This is allowed without a complete Easy-RSA PKI
	# Verify Easy-TLS and Easy-RSA have been correctly setup
	verify_tls_init

	out_file="$EASYTLS_PKI/tls-crypt.key"

	[ -f "$out_file" ] && \
		die "TLS crypt v1 key already exists: $out_file"

	"$EASYTLS_OPENVPN" --genkey --secret "$out_file" || \
		die "Failed to create TLS crypt v1 key: $out_file"

	notice "TLS crypt v1 key created: $out_file"
} # => build_tls_crypt_v1 ()

# Create TLS crypt v2 server file
build_tls_crypt_v2_server ()
{
	# Requires openvpn version 2.5
	verify_openvpn_version 5

	# Verify Easy-RSA has been correctly setup
	verify_ca_init

	srv_name="$1"
	srv_cert="$EASYRSA_PKI/issued/$srv_name.crt"
	out_file="$EASYTLS_PKI/tls-crypt-v2-$srv_name.key"

	[ -n "$srv_name" ] || die "Server name required."

	[ -f "$srv_cert" ] || \
		die "Easy-TLS requires that the Easy-RSA certificate has been created.
Missing file: $srv_cert"

	[ -f "$out_file" ] && die "Server file already exists: $out_file"

	"$EASYTLS_OPENVPN" --genkey tls-crypt-v2-server "$out_file" || \
		die "Failed to create tls-crypt-v2-server key: $out_file"

	notice "TLS crypt v2 server key created: $out_file"
} # => build_tls_crypt_v2_server ()

# Create TLS crypt v2 client file
build_tls_crypt_v2_client ()
{
	# Requires openvpn version 2.5
	verify_openvpn_version 5

	# Verify Easy-RSA has been correctly setup
	verify_ca_init

	srv_name="$1"
	srv_cert="$EASYRSA_PKI/issued/$srv_name.crt"
	cli_name="$2"
	cli_cert="$EASYRSA_PKI/issued/$cli_name.crt"

	[ -n "$srv_name" ] || die "Server name required."
	[ -n "$cli_name" ] || die "Client name required."
	[ "$srv_name" = "$cli_name" ] && \
		die "Server name cannot be the same as the client name."

	[ -f "$EASYRSA_PKI/issued/$cli_name.crt" ] || \
		die "Easy-TLS requires that the Easy-RSA certificate has been created.
Missing file: $cli_cert"

	in_file="$EASYTLS_PKI/tls-crypt-v2-$srv_name.key"
	out_file="$EASYTLS_PKI/tls-crypt-v2-$cli_name.key"

	[ -f "$in_file" ] || die "Server file does not exist: $in_file"
	[ -f "$out_file" ] && die "Client file already exists: $out_file"

	"$EASYTLS_OPENVPN" --tls-crypt-v2 "$in_file" \
		--genkey tls-crypt-v2-client "$out_file" || \
		die "Failed to create tls-crypt-v2-client key: $out_file"

	notice "TLS crypt v2 client key created: $out_file"
} # => build_tls_crypt_v2_client ()

# vars setup
# Here sourcing of 'vars' if present occurs. If not present, defaults are used
# to support running without a sourced config format
vars_setup()
{
	# Try to locate a 'vars' file in order of location preference.
	# If one is found, source it
	vars=

	# set up program path
	prog_file="$0"
	prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
	prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
	prog_dir="${prog_file%/*}"
	prog_vars="${prog_dir}/vars"
	# set up PKI path
	pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"

	# command-line path:
	if [ ! -z "$EASYRSA_VARS_FILE" ]; then
	  if [ ! -f "$EASYRSA_VARS_FILE" ]; then
		  # If the --vars option does not point to a file, show helpful error.
			die "The file '$EASYRSA_VARS_FILE' was not found."
		fi
		vars="$EASYRSA_VARS_FILE"
	# PKI location, if present:
	elif [ -f "$pki_vars" ]; then
		vars="$pki_vars"
	# EASYRSA, if defined:
	elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
		vars="$EASYRSA/vars"
	# program location:
	elif [ -f "$prog_vars" ]; then
		vars="$prog_vars"
	fi
	
	# If a vars file was located, source it
	# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
	if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
		EASYRSA_CALLER=1
		. "$vars"
		notice "\
Note: using Easy-RSA configuration from: $vars"
	fi
	
	# Set defaults, preferring existing env-vars if present
	set_var
	set_var EASYRSA			"$prog_dir"
	set_var EASYRSA_OPENSSL		"openssl"
	set_var EASYRSA_PKI		"$PWD/pki"
	set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"

	set_var EASYTLS_PKI		"$EASYRSA_PKI/tls"
	set_var EASYTLS_INLINE_INDEX	"$EASYTLS_PKI/inline-index.tls"
	# TODO: Revert back to "openvpn" when v2.5 is released
	set_var EASYTLS_OPENVPN	"/home/tct/openvpn/master/src/openvpn/openvpn"

	# Assign value to $EASYRSA_TEMP_DIR_session and work around Windows mktemp bug when parent dir is missing
	if [ -z "$EASYRSA_TEMP_DIR_session" ]; then
		if [ -d "$EASYRSA_TEMP_DIR" ]; then
			EASYRSA_TEMP_DIR_session="$(mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX")"
		else
			# If the directory does not exist then we have not run init-pki
			mkdir -p "$EASYRSA_TEMP_DIR" || die "Cannot create $EASYRSA_TEMP_DIR (permission?)"
			EASYRSA_TEMP_DIR_session="$(mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX")"
			rm -rf "$EASYRSA_TEMP_DIR"
		fi
	fi
} # vars_setup()

# variable assignment by indirection when undefined; merely exports
# the variable when it is already defined (even if currently null)
# Sets $1 as the value contained in $2 and exports (may be blank)
set_var()
{
	[ $# -eq 0 ] && return
	var=$1
	shift
	value="$*"
	eval "export $var=\"\${$var-$value}\""
} #=> set_var()

# Set the Easy-TLS version
easy_tls_version ()
{
	EASYTLS_VERSION="0.9"
	print "Easy-TLS version: $EASYTLS_VERSION"
} # => easy_tls_version ()

########################################
# Invocation entry point:


# Be secure with a restrictive umask
[ -z "$EASYTLS_NO_UMASK" ] && umask 077

# Parse options
while :; do
	# Separate option from value:
	opt="${1%%=*}"
	val="${1#*=}"
	empty_ok="" # Empty values are not allowed unless excepted

	case "$opt" in
	--batch)
		empty_ok=1
		export EASYTLS_BATCH=1 ;;
	--pki-dir)
		export EASYRSA_PKI="$val" ;;
	--vars)
		export EASYRSA_VARS_FILE="$val" ;;
	--tls-dir)
		export EASYTLS_PKI="$val" ;;
	*)
		break ;;
	esac

	# fatal error when no value was provided
	if [ ! $empty_ok ] && { [ "$val" = "$1" ] || [ -z "$val" ]; }; then
		die "Missing value to option: $opt"
	fi

	shift
done

# Intelligent env-var detection and auto-loading:
vars_setup

# Register cleanup on EXIT
trap "cleanup" EXIT
# When SIGHUP, SIGINT, SIGQUIT, SIGABRT and SIGTERM,
# explicitly exit to signal EXIT (non-bash shells)
trap "exit 1" 1
trap "exit 2" 2
trap "exit 3" 3
trap "exit 6" 6
trap "exit 14" 15

# determine how we were called, then hand off to the function responsible
cmd="$1"
[ -n "$1" ] && shift # scrape off command
case "$cmd" in
	init-tls)
		init_tls "$@"
		;;
	build-tls-auth)
		build_tls_auth "$@"
		;;
	build-tls-crypt)
		build_tls_crypt_v1 "$@"
		;;
	build-tls-crypt-v2-server)
		build_tls_crypt_v2_server "$@"
		;;
	build-tls-crypt-v2-client)
		build_tls_crypt_v2_client "$@"
		;;
	inline-base)
		inline_base "$@"
		;;
	inline-tls-auth)
		inline_tls_auth "$@"
		;;
	inline-tls-crypt)
		inline_tls_crypt_v1 "$@"
		;;
	inline-tls-crypt-v2)
		inline_tls_crypt_v2 "$@"
		;;
	inline-remove)
		inline_remove "$@"
		;;
	inline-renew)
		inline_renew "$@"
		;;
	inline-status)
		inline_status "$@"
		;;
	version|-v|--version)
		easy_tls_version
		exit 0
		;;
	""|help|-h|--help|--usage)
		cmd_help "$1"
		exit 0
		;;
	*)
		die "Unknown command '$cmd'. Run without commands for usage help."
		;;
esac

# vim: ft=sh nu ai sw=8 ts=8 noet