I am currently about to change a script called "pkitool" (for anyone who doesn't use openvpn but still wants to help me, this is what pkitool looks like: https://joinup.ec.europa.eu/svn/cube/trunk/cube/cube-integration/src/main/scripts/openvpn/pkitool). My goal is to be able to pass the variable $1 (the key name) and a password that I export in the same script. It looks like this:
export KEY_PASSWORD=$2
./pkitool --pass $1
Currently I am asked to enter the password and verify it. I want to change that and pass the password to the script, and I want the script to ask me for the passphrase... (The reason I export the variable KEY_PASSWORD is that I want to use it later.) This is an excerpt from my modified pkitool:
# Process options
while [ $# -gt 0 ]; do
    case "$1" in
        --keysize ) KEY_SIZE=$2
                    shift;;
        --server  ) REQ_EXT="$REQ_EXT -extensions server"
                    CA_EXT="$CA_EXT -extensions server" ;;
        --batch   ) BATCH="-batch" ;;
        --interact ) BATCH="" ;;
        --inter   ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
        --initca  ) DO_ROOT="1" ;;
        --pass    ) NODES_REQ="-passin env:KEY_PASSWORD" ;;
        --csr     ) DO_CA="0" ;;
        --sign    ) DO_REQ="0" ;;
        --pkcs12  ) DO_P12="1" ;;
        --pkcs11  ) DO_P11="1"
                    PKCS11_MODULE_PATH="$2"
                    PKCS11_SLOT="$3"
                    PKCS11_ID="$4"
                    PKCS11_LABEL="$5"
                    shift 4;;
        # (remaining options as in the unmodified pkitool, omitted from this excerpt)
    esac
    shift
done
Obviously I use the variable for the "--pass" argument. The reason I use "-passin env:KEY_PASSWORD" is that I misunderstood this man page...
PASS PHRASE ARGUMENTS
Several commands accept password arguments, typically using -passin and -passout for
input and output passwords respectively. These allow the password to be obtained from a
variety of sources. Both of these options take a single argument whose format is
described below. If no password argument is given and a password is required then the
user is prompted to enter one: this will typically be read from the current terminal with
env:var obtain the password from the environment variable var. Since the environment of
other processes is visible on certain platforms (e.g. ps under certain Unix
OSes) this option should be used with caution.
This is the part of pkitool that uses NODES_REQ again:
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
The rest of pkitool is unmodified; you can look at the link in the description. I hope you understand my problem. HALP PLS, can't figure it out :(
EDIT: when NODES_REQ is left at its default, it looks like this:
NODES_REQ="-nodes"
The two important parts (and also the reason I use -passin) look like this:
-nodes
if this option is specified then if a private key is created it will not be
encrypted.
-passin arg
the input file password source. For more information about the format of arg see the
PASS PHRASE ARGUMENTS section in openssl(1).
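Added example, not part of the question and not code from pkitool: the man page text quoted above says that -passin is the input file password source and that -passin and -passout serve "input and output passwords respectively". The passphrase that protects a key which openssl req is generating is an output password, so the script below builds a key and CSR non-interactively with -passout env:KEY_PASSWORD, next to pkitool's -nodes default, and checks which of the two actually writes an encrypted key. The working directory, the req config file, the key names and the passphrase value are constructed for this example; build_key, key_is_encrypted and key_opens_with_env are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the question or from pkitool: generate a key and
# CSR non-interactively, protecting the key with the passphrase held in
# $KEY_PASSWORD, and check the result. Paths and the passphrase are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf
cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = example-client
EOF

# build_key NAME MODE  -> prints the path of the key file it wrote
#   encrypted : passphrase from $KEY_PASSWORD; -passout is the *output*
#               password source, which is what a key being generated needs
#   plain     : -nodes, the pkitool default, writes the key unencrypted
build_key() {
    name=$1
    mode=$2
    case "$mode" in
        encrypted) nodes_req="-passout env:KEY_PASSWORD" ;;
        plain)     nodes_req="-nodes" ;;
        *)         echo "build_key: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # $nodes_req is deliberately unquoted so it splits into two words,
    # exactly as pkitool expands $NODES_REQ in its own openssl req line
    openssl req -batch -new -newkey rsa:2048 $nodes_req \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
        -config "$WORKDIR/req.cnf" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/$name.key"
}

# key_is_encrypted FILE : succeeds when the PEM carries an ENCRYPTED marker
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED")
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_opens_with_env FILE : succeeds when $KEY_PASSWORD unlocks the key
key_opens_with_env() {
    openssl pkey -in "$1" -passin env:KEY_PASSWORD -noout 2>/dev/null
}

# Demo for running the file directly:  KEY_PASSWORD=... sh example.sh --demo
demo() {
    enc=$(build_key client-enc encrypted)
    plain=$(build_key client-plain plain)
    for f in "$enc" "$plain"; do
        if key_is_encrypted "$f"; then
            echo "$f: encrypted"
        else
            echo "$f: NOT encrypted"
        fi
    done
}
if [ "${1:-}" = "--demo" ]; then
    : "${KEY_PASSWORD:?export KEY_PASSWORD first}"
    demo
fi
```

The quoted PASS PHRASE ARGUMENTS section warns that the environment of other processes is visible on some platforms; the same openssl option syntax also accepts fd:N and file:path sources, which keep the passphrase out of the environment. The block keeps env: because that is the source the question's --pass handling relies on.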