Test OpenVPN PKCS11 Support

openvpn-pkcs11-test.sh

#!/bin/bash

set -euxo pipefail

# This script reproduces https://github.com/tpm2-software/tpm2-pkcs11/issues/67
# WARNING: Clear the TPM and deletes the PKCS11 DB
# REQUIRES:
#  dnf install -y tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools gnutls-utils openvpn

echo "OpenVPN Server Setup"
echo "===================="
echo

rm -fr openvpn-server || true
mkdir -p openvpn-server
cd openvpn-server

# Download Easy RSA
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz \
        -O EasyRSA-nix-3.0.5.tgz
tar -zxvf EasyRSA-nix-3.0.5.tgz
cd EasyRSA-3.0.5

# Create PKI and Initial CA
./easyrsa init-pki
echo -ne '\n' | ./easyrsa build-ca nopass

# Generate Server Certs and Artifacts
./easyrsa build-server-full server nopass
./easyrsa gen-dh

cd ..

# Configure Server
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf .
cp ./EasyRSA-3.0.5/pki/private/server.key .
cp ./EasyRSA-3.0.5/pki/issued/server.crt .
cp ./EasyRSA-3.0.5/pki/dh.pem dh2048.pem
cp ./EasyRSA-3.0.5/pki/ca.crt .
openvpn --genkey --secret ta.key

cd ..

echo "OpenVPN Client Setup"
echo "===================="
echo

rm -fr openvpn-client || true
mkdir openvpn-client
cd openvpn-client

cat > client.cnf << EOF
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no
[ req_distinguished_name ]
C                      = US
ST                     = Oregon
L                      = Hillsboro
O                      = Intel Corp
OU                     = Internet of Things Group
CN                     = $(hostname)
EOF

# Create the TPM2 PKCS11 Key

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
export TPM2_PKCS11_LOG_LEVEL=2

rm ${TPM2_PKCS11_STORE} -fr || true
mkdir -p ${TPM2_PKCS11_STORE} || true
tpm2_clear
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=openvpn
tpm2_ptool addkey --algorithm=rsa2048 --label=openvpn --userpin=userpin
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=openvpn

# Create the Certificate Signing Request

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
PRIVATE_KEY=$(cat p11tool.out | grep private | awk '{ print $2 }')
openssl req -new -engine pkcs11 -keyform engine \
        -key "${PRIVATE_KEY};pin-value=userpin" \
        -config client.cnf -out client.csr

cd ..

echo "Generate Client Certificate"
echo "==========================="
echo

cd openvpn-server/EasyRSA-3.0.5
./easyrsa import-req ./../../openvpn-client/client.csr client
echo -ne 'yes' | ./easyrsa sign-req client client
cp ./pki/issued/client.crt ./../../openvpn-client/
cd ../../

cp ./openvpn-server/ca.crt ./openvpn-client
cp ./openvpn-server/ta.key ./openvpn-client
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ./openvpn-client
sed -i 's/remote my-server-1 1194/remote 127.0.0.1 1194/g' ./openvpn-client/client.conf

cd ./openvpn-client

TOKEN=$(p11tool --list-token-urls | grep "token=openvpn")
export GNUTLS_PIN=userpin
export GNUTLS_SO_PIN=sopin
KEY_ID=$(p11tool --login --list-all "${TOKEN}" | grep ID: | uniq | awk '{ print $2 }' | sed 's/://g')
tpm2_ptool addcert --label=openvpn --key-id=${KEY_ID} ./client.crt
SERIALIZED_ID=$(openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0 | grep "Serialized id:" | awk '{ print $3 }')

cat << EOF >> client.conf
pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0
pkcs11-id '${SERIALIZED_ID}'
EOF

sed 's/cert client.crt/#cert client.crt/g' -i client.conf
sed 's/key client.key/#key client.key/g' -i client.conf

cd ..

echo "Start OpenVPN Server"
echo "===================="

cd openvpn-server
openvpn --config ./server.conf &
SERVER_PID=$!
cd ..

echo "Start OpenVPN Client"
echo "===================="

cd openvpn-client
openvpn --config ./client.conf --verb 11 --nobind