paxswill · September 27, 2017 17:41 · dandpg · Nov 20, 2018
diff --git a/pfsense_cert_to_keystore.sh b/pfsense_cert_to_keystore.sh
 #!/bin/sh

 set -eu

 XMLLINT=/usr/local/bin/xmllint
 BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'
 OPENSSL="/usr/bin/openssl"
 KEYTOOL="/usr/local/bin/keytool"

 PFSENSE_CONF=/cf/conf/config.xml

 TEMP_KEY="`/bin/cat /dev/random | /usr/bin/tr -dc 'a-zA-Z0-9' | /usr/bin/fold -w 32 | /usr/bin/head -n1`"

 extract_private_key() {
 	local RAW XPATH
 	XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
 	RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
 	printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
 }

 extract_certificate() {
 	local RAW XPATH
 	XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
 	RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
 	printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
 }

 combine_pem() {
 	local PRIVATE_KEY CERTIFICATE
 	PRIVATE_KEY="`extract_private_key "$1"`"
 	CERTIFICATE="`extract_certificate "$1"`"
 	printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
 }

 extract_pkcs12() {
 	combine_pem "$1" | "$OPENSSL" pkcs12 -export \
 		-name "$2" \
 		-password pass:"$TEMP_KEY"
 }

 main() {
 	local KEYSTORE KEYSTORE_PASSWORD P12_STORE PFSENSE_CERT_NAME ALIAS
 	if [ "$#" -ne 4 ]; then
 		printf "Not enough arguments.\nUsage:\n\t%s\n" \
 			"$0 certificate_name /path/to/keystore keystore_password alias"
 		exit 1
 	fi
 	PFSENSE_CERT_NAME="$1"
 	KEYSTORE="$2"
 	KEYSTORE_PASSWORD="$3"
 	ALIAS="$4"
 echo "Creating temp file"
 	P12_STORE=`mktemp` || exit 2
 echo "Extracting cert+key form pfSense"
 	extract_pkcs12 "$PFSENSE_CERT_NAME" "$ALIAS" > "$P12_STORE"
 echo "Importing to keystore"
 	sudo "$KEYTOOL" -importkeystore \
 		-deststorepass "$KEYSTORE_PASSWORD" \
 		-destkeypass "$KEYSTORE_PASSWORD" \
 		-destkeystore "$KEYSTORE" \
 		-srckeystore "$P12_STORE" \
 		-srcstoretype PKCS12 \
 		-srcstorepass "$TEMP_KEY" \
 		-alias "$ALIAS" \
 		-noprompt
 echo "Cleaning up"
 	rm "$P12_STORE"
 }

 main $@
	#!/bin/sh

	set -eu

	XMLLINT=/usr/local/bin/xmllint
	BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'
	OPENSSL="/usr/bin/openssl"
	KEYTOOL="/usr/local/bin/keytool"

	PFSENSE_CONF=/cf/conf/config.xml

	TEMP_KEY="`/bin/cat /dev/random \| /usr/bin/tr -dc 'a-zA-Z0-9' \| /usr/bin/fold -w 32 \| /usr/bin/head -n1`"

	extract_private_key() {
	local RAW XPATH
	XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
	RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
	printf "%s\n" "`echo "$RAW" \| $BASE64_DECODE`"
	}

	extract_certificate() {
	local RAW XPATH
	XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
	RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
	printf "%s\n" "`echo "$RAW" \| $BASE64_DECODE`"
	}

	combine_pem() {
	local PRIVATE_KEY CERTIFICATE
	PRIVATE_KEY="`extract_private_key "$1"`"
	CERTIFICATE="`extract_certificate "$1"`"
	printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
	}

	extract_pkcs12() {
	combine_pem "$1" \| "$OPENSSL" pkcs12 -export \
	-name "$2" \
	-password pass:"$TEMP_KEY"
	}

	main() {
	local KEYSTORE KEYSTORE_PASSWORD P12_STORE PFSENSE_CERT_NAME ALIAS
	if [ "$#" -ne 4 ]; then
	printf "Not enough arguments.\nUsage:\n\t%s\n" \
	"$0 certificate_name /path/to/keystore keystore_password alias"
	exit 1
	fi
	PFSENSE_CERT_NAME="$1"
	KEYSTORE="$2"
	KEYSTORE_PASSWORD="$3"
	ALIAS="$4"
	echo "Creating temp file"
	P12_STORE=`mktemp` \|\| exit 2
	echo "Extracting cert+key form pfSense"
	extract_pkcs12 "$PFSENSE_CERT_NAME" "$ALIAS" > "$P12_STORE"
	echo "Importing to keystore"
	sudo "$KEYTOOL" -importkeystore \
	-deststorepass "$KEYSTORE_PASSWORD" \
	-destkeypass "$KEYSTORE_PASSWORD" \
	-destkeystore "$KEYSTORE" \
	-srckeystore "$P12_STORE" \
	-srcstoretype PKCS12 \
	-srcstorepass "$TEMP_KEY" \
	-alias "$ALIAS" \
	-noprompt
	echo "Cleaning up"
	rm "$P12_STORE"
	}

	main $@