dnoliver/openvpn-pkcs11-test.sh

## openvpn-pkcs11-test.sh
#!/bin/bash

set -euxo pipefail

# This script reproduces https://github.com/tpm2-software/tpm2-pkcs11/issues/67
# WARNING: Clear the TPM and deletes the PKCS11 DB
# REQUIRES:
#  dnf install -y tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools gnutls-utils openvpn

echo "OpenVPN Server Setup"
echo "===================="
echo

rm -fr openvpn-server || true
mkdir -p openvpn-server
cd openvpn-server

# Download Easy RSA
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz \
        -O EasyRSA-nix-3.0.5.tgz
tar -zxvf EasyRSA-nix-3.0.5.tgz
cd EasyRSA-3.0.5

# Create PKI and Initial CA
./easyrsa init-pki
echo -ne '\n' | ./easyrsa build-ca nopass

# Generate Server Certs and Artifacts
./easyrsa build-server-full server nopass
./easyrsa gen-dh

cd ..

# Configure Server
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf .
cp ./EasyRSA-3.0.5/pki/private/server.key .
cp ./EasyRSA-3.0.5/pki/issued/server.crt .
cp ./EasyRSA-3.0.5/pki/dh.pem dh2048.pem
cp ./EasyRSA-3.0.5/pki/ca.crt .
openvpn --genkey --secret ta.key

cd ..

echo "OpenVPN Client Setup"
echo "===================="
echo

rm -fr openvpn-client || true
mkdir openvpn-client
cd openvpn-client

cat > client.cnf << EOF
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no
[ req_distinguished_name ]
C                      = US
ST                     = Oregon
L                      = Hillsboro
O                      = Intel Corp
OU                     = Internet of Things Group
CN                     = $(hostname)
EOF

# Create the TPM2 PKCS11 Key

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
export TPM2_PKCS11_LOG_LEVEL=2

rm ${TPM2_PKCS11_STORE} -fr || true
mkdir -p ${TPM2_PKCS11_STORE} || true
tpm2_clear
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=openvpn
tpm2_ptool addkey --algorithm=rsa2048 --label=openvpn --userpin=userpin
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn

# Create the Certificate Signing Request

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY=$(cat p11tool.out | grep private | awk '{ print $2 }')
openssl req -new -engine pkcs11 -keyform engine \
        -key "${PRIVATE_KEY};pin-value=userpin" \
        -config client.cnf -out client.csr

cd ..

echo "Generate Client Certificate"
echo "==========================="
echo

cd openvpn-server/EasyRSA-3.0.5
./easyrsa import-req ./../../openvpn-client/client.csr client
echo -ne 'yes' | ./easyrsa sign-req client client
cp ./pki/issued/client.crt ./../../openvpn-client/
cd ../../

cp ./openvpn-server/ca.crt ./openvpn-client
cp ./openvpn-server/ta.key ./openvpn-client
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ./openvpn-client
sed -i 's/remote my-server-1 1194/remote 127.0.0.1 1194/g' ./openvpn-client/client.conf

cd ./openvpn-client

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
KEY_ID=$(p11tool --login --list-all "${TOKEN}" | grep ID: | uniq | awk '{ print $2 }' | sed 's/://g')
tpm2_ptool addcert --label=openvpn --key-id=${KEY_ID} ./client.crt
SERIALIZED_ID=$(openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0 | grep "Serialized id:" | awk '{ print $3 }')

cat << EOF >> client.conf
pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0
pkcs11-id '${SERIALIZED_ID}'
EOF

sed 's/cert client.crt/#cert client.crt/g' -i client.conf
sed 's/key client.key/#key client.key/g' -i client.conf

cd ..

echo "Start OpenVPN Server"
echo "===================="

cd openvpn-server
openvpn --config ./server.conf &
SERVER_PID=$!
cd ..

echo "Start OpenVPN Client"
echo "===================="

cd openvpn-client
openvpn --config ./client.conf --verb 11 --nobind
	#!/bin/bash

	set -euxo pipefail

	# This script reproduces https://github.com/tpm2-software/tpm2-pkcs11/issues/67
	# WARNING: Clear the TPM and deletes the PKCS11 DB
	# REQUIRES:
	# dnf install -y tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools gnutls-utils openvpn

	echo "OpenVPN Server Setup"
	echo "===================="
	echo

	rm -fr openvpn-server \|\| true
	mkdir -p openvpn-server
	cd openvpn-server

	# Download Easy RSA
	wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz \
	-O EasyRSA-nix-3.0.5.tgz
	tar -zxvf EasyRSA-nix-3.0.5.tgz
	cd EasyRSA-3.0.5

	# Create PKI and Initial CA
	./easyrsa init-pki
	echo -ne '\n' \| ./easyrsa build-ca nopass

	# Generate Server Certs and Artifacts
	./easyrsa build-server-full server nopass
	./easyrsa gen-dh

	cd ..

	# Configure Server
	cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf .
	cp ./EasyRSA-3.0.5/pki/private/server.key .
	cp ./EasyRSA-3.0.5/pki/issued/server.crt .
	cp ./EasyRSA-3.0.5/pki/dh.pem dh2048.pem
	cp ./EasyRSA-3.0.5/pki/ca.crt .
	openvpn --genkey --secret ta.key

	cd ..

	echo "OpenVPN Client Setup"
	echo "===================="
	echo

	rm -fr openvpn-client \|\| true
	mkdir openvpn-client
	cd openvpn-client

	cat > client.cnf << EOF
	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	prompt = no
	[ req_distinguished_name ]
	C = US
	ST = Oregon
	L = Hillsboro
	O = Intel Corp
	OU = Internet of Things Group
	CN = $(hostname)
	EOF

	# Create the TPM2 PKCS11 Key

	export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
	export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
	export TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
	export TPM2_PKCS11_LOG_LEVEL=2

	rm ${TPM2_PKCS11_STORE} -fr \|\| true
	mkdir -p ${TPM2_PKCS11_STORE} \|\| true
	tpm2_clear
	tpm2_ptool init
	tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=openvpn
	tpm2_ptool addkey --algorithm=rsa2048 --label=openvpn --userpin=userpin
	tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn

	# Create the Certificate Signing Request

	TOKEN=$(p11tool --list-token-urls \| grep "token=openvpn")
	export GNUTLS_PIN=userpin
	export GNUTLS_SO_PIN=sopin
	p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
	PRIVATE_KEY=$(cat p11tool.out \| grep private \| awk '{ print $2 }')
	openssl req -new -engine pkcs11 -keyform engine \
	-key "${PRIVATE_KEY};pin-value=userpin" \
	-config client.cnf -out client.csr

	cd ..

	echo "Generate Client Certificate"
	echo "==========================="
	echo

	cd openvpn-server/EasyRSA-3.0.5
	./easyrsa import-req ./../../openvpn-client/client.csr client
	echo -ne 'yes' \| ./easyrsa sign-req client client
	cp ./pki/issued/client.crt ./../../openvpn-client/
	cd ../../

	cp ./openvpn-server/ca.crt ./openvpn-client
	cp ./openvpn-server/ta.key ./openvpn-client
	cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ./openvpn-client
	sed -i 's/remote my-server-1 1194/remote 127.0.0.1 1194/g' ./openvpn-client/client.conf

	cd ./openvpn-client

	TOKEN=$(p11tool --list-token-urls \| grep "token=openvpn")
	export GNUTLS_PIN=userpin
	export GNUTLS_SO_PIN=sopin
	KEY_ID=$(p11tool --login --list-all "${TOKEN}" \| grep ID: \| uniq \| awk '{ print $2 }' \| sed 's/://g')
	tpm2_ptool addcert --label=openvpn --key-id=${KEY_ID} ./client.crt
	SERIALIZED_ID=$(openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0 \| grep "Serialized id:" \| awk '{ print $3 }')

	cat << EOF >> client.conf
	pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0
	pkcs11-id '${SERIALIZED_ID}'
	EOF

	sed 's/cert client.crt/#cert client.crt/g' -i client.conf
	sed 's/key client.key/#key client.key/g' -i client.conf

	cd ..

	echo "Start OpenVPN Server"
	echo "===================="

	cd openvpn-server
	openvpn --config ./server.conf &
	SERVER_PID=$!
	cd ..

	echo "Start OpenVPN Client"
	echo "===================="

	cd openvpn-client
	openvpn --config ./client.conf --verb 11 --nobind