-
Notifications
You must be signed in to change notification settings - Fork 1
/
get-dod-certs.sh
408 lines (377 loc) · 11.2 KB
/
get-dod-certs.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
#!/bin/bash
# DoD Root Certificate install 19 July 2019
# to do: add Firefix import
# set cert numbers as variables
# combine fingerprint functions
# check all root CA fingerprints
# compare against CRL
SECONDS='0'
NC='\e[0m'
WHITE='\e[1;37m'
YELLOW='\e[1;33m'
LIGHT_BLUE='\e[1;34m'
CYAN='\e[0;36m'
RED='\e[0;31m'
version='5.6'
filename='certificates_pkcs7_v5-6_dod.zip'
domain=https://dl.dod.cyber.mil
url=${domain}/wp-content/uploads/pki-pke/zip/${filename}
root_pem='DoD_PKE_CA_chain.pem'
list='certutil unzip curl openssl dos2unix crlutil'
# The Root CA cert zip SHA-256 checksum
zip_sum='a073a68ba18eb6e9b31bcb82f3020311869b6a55aa8b93fbaf56b99c88cf503b'
dir=~/.dod_certs
exdir='Certificates_PKCS7_v5.6_DoD'
pki_dir=~/.pki
#cert_num={35..48} {53..65}
cert_url=https://crl.gds.disa.mil
crl_list=${domain}/wp-content/uploads/pki-pke/txt/unclass-dod_eca_crldps_nipr_20190529.txt
# Check if root
if [[ $EUID = 0 ]]; then
echo -e "${RED}Do not run as root. Exiting.${NC}\n"
exit 1
fi
echo -e "\nThis will download. validate, and install the following DoD
certificates:\n\n\
- ${LIGHT_BLUE}DoD Root Certificate Bundle${NC} version
${WHITE}${version}${NC} from ${CYAN}public.cyber.mil\n\
- ${LIGHT_BLUE}DoD ID CAs 33-34, 39-44, 49-52, 59${NC} from
${CYAN}crl.gds.disa.mil${NC}\n\
- ${LIGHT_BLUE}DoD ID SW CAs 35-38, 45-48${NC} from
${CYAN}crl.gds.disa.mil${NC}\n\
- ${LIGHT_BLUE}DoD SW CAs 53-58, 60-611${NC} from
${CYAN}crl.gds.disa.mil${NC}\n\n\
More info:
${CYAN}https://public.cyber.mil/pki-pke/pkipke-document-library/${NC}\n\n\
Required software: ${WHITE}${list}${NC}"
echo -e "\n"
read -p "Do you want to continue? [y/n] " choice
case "$choice" in
[yY]|[yY][eE][sS])
echo ""
echo -e "${YELLOW}Starting...${NC}\n"
;;
n|N|no|No|NO )
echo ""
echo -e "${RED}Exiting.${NC}\n"
exit 1
;;
* )
echo ""
echo -e "${RED}Invalid option. Exiting.${NC}\n"
exit 2
;;
esac
# functions
displaytime () {
local T=$SECONDS
local D=$((T/60/60/24))
local H=$((T/60/60%24))
local M=$((T/60%60))
local S=$((T%60))
[[ $D > 0 ]] && printf '%d days ' $D
[[ $H > 0 ]] && printf '%d hours ' $H
[[ $M > 0 ]] && printf '%d minutes ' $M
[[ $D > 0 || $H > 0 || $M > 0 ]] && printf 'and '
printf '%d seconds\n' $S
}
validate_fingerprint () {
fingerprint2=$(curl --silent \
'https://crl.gds.disa.mil/viewsign?DOD+ROOT+CA+3' \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0' \
-H 'Accept: text/html, */*; q=0.01' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://crl.gds.disa.mil/' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'DNT: 1' \
-H 'Connection: keep-alive' \
-H 'Cookie: sawGDSwarning=1' \
| grep SHA-1 | sed -e 's/<\/b>/-/g' -e 's/<[^>]*>//g' | awk '{ print
$2 }')
}
get_fingerprint_remote () {
format=${1}
num=${2}
if [[ "${format}" == "DODIDCA_" ]]; then
req=DOD+ID+CA-
elif [[ "${format}" == "DODIDSWCA_" ]]; then
req=DOD+ID+SW+CA-
elif [[ "${format}" == "DODSWCA_" ]]; then
req=DOD+SW+CA-
elif [[ "${format}" == "DODROOTCA" ]]; then
req=DOD+ROOT+CA+
else
echo no value
exit 2
fi
fingerprint_remote=$(curl --silent \
"${cert_url}/viewsign?${req}${num}" \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0' \
-H 'Accept: text/html, */*; q=0.01' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://crl.gds.disa.mil/' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'DNT: 1' \
-H 'Connection: keep-alive' \
-H 'Cookie: sawGDSwarning=1' \
| grep SHA-1 | sed -e 's/<\/b>/-/g' -e 's/<[^>]*>//g' | awk '{ print
$2 }')
}
get_fingerprint_local () {
type=${1}
num=${2}
fingerprint_local=$(openssl x509 -noout -fingerprint -sha1 -inform pem
-in ${type}${num}.pem | tr -d ":" | sed -e 's/SHA1\ Fingerprint\=//')
}
compare_fingerprint () {
echo -e "SHA-1 fingerprint local file
${WHITE}${fingerprint_local}${NC}"
echo -e "SHA-1 fingerprint from source
${WHITE}${fingerprint_remote}${NC}"
if [[ "${fingerprint_local}" == "${fingerprint_remote}" ]]; then
local _ret=$?
if [ $_ret -ne 0 ] ; then
echo "compare_fingerprint returned with exit code $_ret,
aborting!" >&2
return $_ret
else
echo " SHA-1 fingerprints match. Safe to proceed."
echo ""
return $_ret
fi
fi
}
download () {
format=${1}
num=${2}
if [[ "${format}" == "DODIDCA_" ]]; then
req=DOD+ID+CA-
elif [[ "${format}" == "DODIDSWCA_" ]]; then
req=DOD+ID+SW+CA-
elif [[ "${format}" == "DODSWCA_" ]]; then
req=DOD+SW+CA-
elif [[ "${format}" == "DODROOTCA" ]]; then
req=DOD+ROOT+CA+
else
echo no value
exit 2
fi
echo -e "Downloading
${LIGHT_BLUE}${LIGHT_BLUE}${type}${x}.cer${NC}..."
cd ${dir}
curl --silent \
"${cert_url}/getsign?${req}${num}" \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0' \
-H 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://crl.gds.disa.mil/' \
-H 'DNT: 1' \
-H 'Connection: keep-alive' \
-H 'Cookie: sawGDSwarning=1' \
-H 'Upgrade-Insecure-Requests: 1' \
-o ${type}${num}.cer
local _ret=$?
if [[ $_ret -ne 0 ]] ; then
echo "${RED}Download failed returned with exit code $_ret,
aborting!${NC}" >&2
return $_ret
exit 1
else
echo " Download successful."
echo ""
return $_ret
fi
}
download_root () {
# Download the root CA certs archive file
curl --silent -o ${dir}/${filename} ${url}
# Get the local file checksum
zip_sum_dl=$(sha256sum ${dir}/${filename} | awk '{ print $1 }')
if [[ "${zip_sum}" == "${zip_sum_dl}" ]]; then
echo -e "Download success: ${WHITE}${filename}${NC} SHA 256
matches. Proceeding...\n"
else
echo -e "${RED}Warning: ${filename} SHA 256 does not match
${zip_sum}${NC}"
echo -e "Exiting.\n"
exit 1
fi
# Extract cert
unzip -q ${filename} -d ${dir}
cd ${dir}/${exdir}
}
convert () {
format=${1}
num=${2}
echo -e "Converting ${LIGHT_BLUE}${type}${x}.cer${NC} to
${LIGHT_BLUE}${type}${x}.pem${NC}..."
cd ${dir}
openssl x509 -inform der -in ${format}${num}.cer -outform pem -out
${format}${num}.pem
local _ret=$?
if [[ $_ret -ne 0 ]] ; then
echo "${RED}openssl convert failed and returned with exit code
$_ret, aborting!${NC}" >&2
return $_ret
exit 1
else
echo " Convert successful."
echo ""
return $_ret
fi
}
get_crl_list () {
file='crl_tmp.txt'
curl -o ${file} --silent ${crl_list}
sed -i '/#####\ ECA\ PKI\ #####/,$d' ${file}
sed -i '/#####\ DoD\ PKI\ #####/,$!d' ${file}
sed -i '/#####\ DoD\ PKI\ #####/d' ${file}
# Check for installed software
for sw in ${list}; do
echo -ne "Checking if ${WHITE}${sw}${NC} is installed..."
if ! [ -x "$(command -v ${sw})" ]; then
echo -e "${RED}Error: ${WHITE}${sw}${NC}${RED} is not installed.
Please install ${sw}. Exiting.${NC}\n" >&2
exit 1
else
echo -e " Done."
fi
done
# Check internet connectivity
if curl --output /dev/null --silent --head --fail "${url}"; then
echo -e "\nURL is accessible: ${CYAN}${url}${NC}. Proceeding...\n"
else
echo -e "\n${RED}Warning: Unable to access:
${CYAN}${url}${NC}${RED}. Exiting.${NC}\n"
exit 1
fi
# Cleanup old mess
if [[ -d ${dir} ]]; then
echo -e "Removing old certs download...\n"
rm -rf ${dir}
mkdir -p ${dir}
cd ${dir}
else
echo -e "Creating tmp working dir...\n"
mkdir -p ${dir}
cd ${dir}
fi
# Backup user .pki dir
echo -e "Backing up existing NSS PKI directory (${pki_dir}).\n"
cp -a ${pki_dir} ${pki_dir}_$(date +%Y%m%d)
# # Download the root CA certs archive file
# curl --silent -o ${dir}/${filename} ${url}
# zip_sum_dl=$(sha256sum ${dir}/${filename} | awk '{ print $1 }')
# if [[ "${zip_sum}" == "${zip_sum_dl}" ]]; then
# echo -e "Success: ${WHITE}${filename}${NC} SHA 256 matches.
Proceeding...\n"
# else
# echo -e "${RED}Warning: ${filename} SHA 256 does not match
${zip_sum}${NC}"
# echo -e "Exiting.\n"
# exit 1
# fi#
# # Extract cert
# unzip -q ${filename} -d ${dir}
# cd ${dir}/${exdir}
# Verify
echo -e "Determine the Fingerprint of DoD Root CA 3\n"
fingerprint1=$(openssl x509 -noout -fingerprint -sha1 -inform pem -in
${dir}/${exdir}/${root_pem} | tr -d ":" | sed -e 's/SHA1\
Fingerprint\=//')
validate_fingerprint
#echo -e "Fingerprint 1= ${WHITE}${fingerprint1}${NC}"
#echo -e "Fingerprint 2= ${WHITE}${fingerprint2}${NC}"
echo ""
# Compare DoD Root CA 3 fingerprint
if [[ "${fingerprint1}" == "${fingerprint2}" ]]; then
echo -ne "Comparing SHA1 fingerprints..."
echo -ne " SHA1 fingerprints match."
echo -e " Proceeding...\n"
subjects=$(openssl crl2pkcs7 -nocrl -certfile
${dir}/${exdir}/${root_pem} | openssl pkcs7 -print_certs -noout | sed
'/^[[:space:]]*$/d')
echo -e "Will import following ROOT certificates:\n"
echo -e "${CYAN}${subjects}${NC}"
echo ""
echo -e "Verifying smime SHA256 signature of certificates...\n"
openssl smime -verify -in Certificates_PKCS7_v5.6_DoD.sha256
-inform DER -CAfile ${root_pem} | dos2unix | sha256sum -c
ret_val=$?
echo ""
if [[ $ret_val -ne 0 ]]; then
echo -e "${RED}Warning: SHA 256 signatures do not match.
Exiting.${NC}\n"
exit 1
else
echo -e "Proceeding to import...\n"
fi
for i in ${dir}/${exdir}/*.der.p7b; do
echo -ne "Importing ${i}..."
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n ${i} -i ${i}
echo -e " Done."
done
else
echo -e "${RED}Warning: SHA1 Fingerprints do not match.
Exiting.${NC}\n"
exit 1
fi
# DODIDSWCA
for x in {35..38} {45..48}; do
type='DODIDSWCA_'
download ${type} ${x}
convert ${type} ${x}
get_fingerprint_remote ${type} ${x}
get_fingerprint_local ${type} ${x}
compare_fingerprint
done
# DODIDCA
for x in {33..34} {39..44} {49..52} 59; do
type='DODIDCA_'
download ${type} ${x}
convert ${type} ${x}
get_fingerprint_remote ${type} ${x}
get_fingerprint_local ${type} ${x}
compare_fingerprint
done
# DODSWCA
for x in {53..58} {60..61}; do
type='DODSWCA_'
download ${type} ${x}
convert ${type} ${x}
get_fingerprint_remote ${type} ${x}
get_fingerprint_local ${type} ${x}
compare_fingerprint
done
# DODROOTCA
for x in {1..6}; do
type='DODROOTCA'
download_root
get_fingerprint_remote ${type} ${x}
get_fingerprint_local ${type} ${x}
done
read -p "Delete tmp dir (y/n)?" choice
case "$choice" in
y|Y )
echo -e "Deleting tmp dir (${dir})...\n"
if [[ -d ${dir} ]]; then
echo -e "Cleaning up...\n"
rm -rf ${dir}
fi
;;
n|N )
echo "Preserving tmp dir."
;;
* )
echo -e "${RED}Invalid option. Doing nothing.${NC}\n"
;;
esac
echo "Took $(displaytime) to complete ${0}."
exit 0