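#!/bin/bash
# Install a PKCS#12 client certificate for Cisco AnyConnect on macOS and
# write a fixed preferences file plus client profile.
#
# Usage:  mac.sh <p12-url-or-local-path> [p12-password]
# Env:    CERT_INSECURE=1  skip TLS server verification for the download
#                          (the original always skipped it; now opt-in only)
# Exits:  0 on success; 1 on bad arguments, missing root/sudo, download,
#         PKCS#12 parse or keychain import failure. Temporary key material
#         is removed on every exit path.
set -euo pipefail

[[ "$#" -ge 1 ]] || exit 1
CERT_URL="${1:-}"
CERT_PWD="${2:-}"
# DO NOT EDIT
readonly ANYCONNECT_DIR="/opt/cisco/anyconnect"
[[ -n "${CERT_URL}" ]] || exit 1
# Confirms root privileges are obtainable via sudo before touching /opt.
[[ "$(sudo whoami)" == "root" ]] || exit 1

# The original stripped spaces from the password; kept for compatibility.
CERT_PWD="${CERT_PWD// /}"
# openssl reads the passphrase with env:CERT_PWD so it never appears in argv/ps.
export CERT_PWD
USER_HOME="${HOME:?HOME must be set}"

# The private key is written unencrypted (-nodes) below, so all temp files
# live in a per-run directory readable only by this user, never a fixed
# world-readable path under /tmp.
umask 077
CERT_TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/anyconnect.XXXXXX")" || exit 1
CERT_TMP="${CERT_TMP_DIR}/MacOS"
cleanup() { rm -rf -- "${CERT_TMP_DIR}"; }
trap cleanup EXIT

# rm -f is silent on missing paths, so no existence test is needed.
rm -rf -- "${USER_HOME}/.cisco" "${USER_HOME}/.anyconnect"

# Preferences for the user UI. Note that BlockUntrustedServers=false
# disables the client's server-certificate enforcement by design here.
cat >"${USER_HOME}/.anyconnect"<<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName></DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup>Default</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences>
<AutoConnectOnStart>true</AutoConnectOnStart>
<LocalLanAccess>true</LocalLanAccess>
<BlockUntrustedServers>false</BlockUntrustedServers>
<DisableCaptivePortalDetection>true</DisableCaptivePortalDetection>
</ControllablePreferences>
</AnyConnectPreferences>
EOF
# Readable by everyone, writable only by the owner (the original used 777,
# which let any local user rewrite the VPN preferences and profile).
chmod 644 "${USER_HOME}/.anyconnect"
if [[ -n "${SUDO_USER:-}" ]]; then
  # NOTE(review): under sudo this file is root-owned in the invoking user's
  # home; hand it back so the user-level UI can still update it. Best effort.
  chown -- "${SUDO_USER}" "${USER_HOME}/.anyconnect" || true
fi
cp -f -- "${USER_HOME}/.anyconnect" "${ANYCONNECT_DIR}/.anyconnect_global" || exit 1
chmod 644 "${ANYCONNECT_DIR}/.anyconnect_global"

# Client profile. StrictCertificateTrust=false and AutoUpdate=false are the
# author's settings; they are kept verbatim.
cat >"${ANYCONNECT_DIR}/profile/profile.xml"<<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>false</RestrictTunnelProtocols>
<BypassDownloader>true</BypassDownloader>
<AutoUpdate>false</AutoUpdate>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>true</CertificateStoreOverride>
<AuthenticationTimeout>16</AuthenticationTimeout>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
</AnyConnectProfile>
EOF
chmod 644 "${ANYCONNECT_DIR}/profile/profile.xml"

# Obtain the bundle. An explicit if/else replaces `a && b || c`, which
# would have run curl with a file path whenever cp failed.
if [[ -f "${CERT_URL}" ]]; then
  cp -f -- "${CERT_URL}" "${CERT_TMP}.p12" || exit 1
else
  curl_opts=(-sSL -H "User-Agent: wget/1.0" -o "${CERT_TMP}.p12")
  # The bundle contains a private key, so TLS verification stays on unless
  # the caller explicitly opts out.
  if [[ "${CERT_INSECURE:-0}" == "1" ]]; then
    curl_opts+=(-k)
  fi
  curl "${curl_opts[@]}" "${CERT_URL}" || exit 1
fi
[[ -f "${CERT_TMP}.p12" ]] || exit 1

# Password/MAC check first (outputs nothing), so a wrong password fails
# before any key material is written out.
openssl pkcs12 -in "${CERT_TMP}.p12" -nodes -nokeys -nocerts -clcerts -cacerts -password env:CERT_PWD >/dev/null || exit 1
openssl pkcs12 -in "${CERT_TMP}.p12" -nodes -nokeys -clcerts -out "${CERT_TMP}_Cert.pem" -password env:CERT_PWD || exit 1
openssl pkcs12 -in "${CERT_TMP}.p12" -nodes -nocerts -out "${CERT_TMP}_Key.pem" -password env:CERT_PWD || exit 1
openssl pkcs12 -in "${CERT_TMP}.p12" -nodes -nokeys -cacerts -out "${CERT_TMP}_CA.pem" -password env:CERT_PWD || exit 1

# Re-export with a fresh random passphrase instead of the fixed "NewCert",
# so the intermediate bundle is not openable with a publicly known password
# if cleanup is ever skipped (e.g. SIGKILL).
NEW_PWD="$(openssl rand -hex 16)" || exit 1
export NEW_PWD
openssl pkcs12 -export -inkey "${CERT_TMP}_Key.pem" -in "${CERT_TMP}_Cert.pem" -certfile "${CERT_TMP}_CA.pem" -out "${CERT_TMP}_New.p12" -passout env:NEW_PWD || exit 1
# `security import` only accepts the passphrase via -P (argv); the value is
# single-use and the file is deleted by the EXIT trap.
security import "${CERT_TMP}_New.p12" -P "${NEW_PWD}" || exit 1
exit 0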