Annotation of embedaddon/libpdel/http/test/cert/rc.sslkey, revision 1.1

1.1     ! misho       1: #!/bin/sh
        !             2: 
        !             3: #
        !             4: # Copyright (c) 2001-2002 Packet Design, LLC.
        !             5: # All rights reserved.
        !             6: # 
        !             7: # Subject to the following obligations and disclaimer of warranty,
        !             8: # use and redistribution of this software, in source or object code
        !             9: # forms, with or without modifications are expressly permitted by
        !            10: # Packet Design; provided, however, that:
        !            11: # 
        !            12: #    (i)  Any and all reproductions of the source or object code
        !            13: #         must include the copyright notice above and the following
        !            14: #         disclaimer of warranties; and
        !            15: #    (ii) No rights are granted, in any manner or form, to use
        !            16: #         Packet Design trademarks, including the mark "PACKET DESIGN"
        !            17: #         on advertising, endorsements, or otherwise except as such
        !            18: #         appears in the above copyright notice or in the software.
        !            19: # 
        !            20: # THIS SOFTWARE IS BEING PROVIDED BY PACKET DESIGN "AS IS", AND
        !            21: # TO THE MAXIMUM EXTENT PERMITTED BY LAW, PACKET DESIGN MAKES NO
        !            22: # REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING
        !            23: # THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED
        !            24: # WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
        !            25: # OR NON-INFRINGEMENT.  PACKET DESIGN DOES NOT WARRANT, GUARANTEE,
        !            26: # OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS
        !            27: # OF THE USE OF THIS SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY,
        !            28: # RELIABILITY OR OTHERWISE.  IN NO EVENT SHALL PACKET DESIGN BE
        !            29: # LIABLE FOR ANY DAMAGES RESULTING FROM OR ARISING OUT OF ANY USE
        !            30: # OF THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY DIRECT,
        !            31: # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL
        !            32: # DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF
        !            33: # USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY THEORY OF
        !            34: # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
        !            35: # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
        !            36: # THE USE OF THIS SOFTWARE, EVEN IF PACKET DESIGN IS ADVISED OF
        !            37: # THE POSSIBILITY OF SUCH DAMAGE.
        !            38: #
        !            39: # Author: Archie Cobbs <archie@freebsd.org>
        !            40: #
        !            41: # $Id: rc.sslkey,v 1.5 2004/06/02 17:24:37 archie Exp $
        !            42: #
        !            43: # This script is used to verify/create keys and certificates for SSL.
        !            44: #
        !            45: 
        !            46: # Our OpenSSL config file
        !            47: CONFIG_FILE="cert.cfg"
        !            48: 
        !            49: # Our CA key and self-signed cert
        !            50: CA_DIR="ca"
        !            51: CA_KEY="${CA_DIR}/ca.key"
        !            52: CA_CRT="${CA_DIR}/ca.crt"
        !            53: 
        !            54: #
        !            55: # Create a new certificate authority if needed
        !            56: #
        !            57: check_ca()
        !            58: {
        !            59:        HOSTNAME=`hostname`
        !            60:        check_cert "${CA_KEY}" "${CA_CRT}" "${HOSTNAME} Certificate Authority"
        !            61: }
        !            62: 
        !            63: #
        !            64: # This verifies that we have a valid RSA key pair and creates one if not.
        !            65: #
        !            66: # Args:
        !            67: #      $1      Key file
        !            68: #
        !            69: check_key()
        !            70: {
        !            71:        if [ ! -r "${1}" ]; then
        !            72:                rm -f "${1}"
        !            73:        elif ! openssl rsa -check -in "${1}" -noout >/dev/null 2>&1; then
        !            74:                echo rc.sslkey: RSA key is invalid
        !            75:                rm -f "${1}"
        !            76:        fi
        !            77:        if [ ! -r "${1}" ]; then
        !            78:                echo rc.sslkey: Generating new RSA key pair for "${1}"
        !            79:                openssl genrsa -out "${1}" 1024 \
        !            80:                    >/dev/null 2>&1
        !            81:        fi
        !            82: }
        !            83: 
        !            84: #
        !            85: # Sign a public key using our semi-bogus certificate authority
        !            86: #
        !            87: # Args:
        !            88: #      $1      Key file
        !            89: #      $2      Certificate file
        !            90: #      $3      CN (Common Name, e.g., web site hostname)
        !            91: #
        !            92: sign_key()
        !            93: {
        !            94:        CSR="/tmp/csr.$$"
        !            95: 
        !            96:        # Make sure we have a valid certificate authority
        !            97:        check_ca
        !            98: 
        !            99:        # Generate a certificate signing request
        !           100:        printf '\n\n\n%s\n\n' "${3}" | openssl req -config "${CONFIG_FILE}" \
        !           101:            -new -key "${1}" -out "${CSR}" >/dev/null 2>&1
        !           102: 
        !           103:        # Zero out index in case we need to regenerate a cert
        !           104:        cat /dev/null > ${CA_DIR}/index
        !           105: 
        !           106:        # Now sign the key using built-in CA
        !           107:        printf 'y\ny\n' | openssl ca -config "${CONFIG_FILE}" \
        !           108:            -extensions x509v3 -in "${CSR}" -out "${2}" >/dev/null 2>&1
        !           109: 
        !           110:        # Done
        !           111:        rm -f "${CSR}"
        !           112: }
        !           113: 
        !           114: #
        !           115: # This verifies that we have a valid certificate and creates one if not.
        !           116: #
        !           117: # Args:
        !           118: #      $1      Key file
        !           119: #      $2      Cert file
        !           120: #      $3      CN (Common Name, e.g., web site hostname)
        !           121: #
        !           122: check_cert()
        !           123: {
        !           124:        # Check private key
        !           125:        #
        !           126:        check_key $1
        !           127: 
        !           128:        # Verify certificate and delete it if it's not valid
        !           129:        #
        !           130:        if [ -r "${2}" ]; then
        !           131:                DIG1=`openssl rsa -noout -modulus -in "${1}" \
        !           132:                    2>/dev/null | openssl md5`
        !           133:                DIG2=`openssl x509 -noout -modulus -in "${2}" \
        !           134:                    2>/dev/null | openssl md5`
        !           135:                if [ "${DIG1}" != "${DIG2}" ]; then \
        !           136:                        echo rc.sslkey: certificate "${2}" \
        !           137:                            does not match key "${1}"
        !           138:                        rm -f "${2}"
        !           139:                elif ! openssl x509 -noout -in "${2}" \
        !           140:                    -checkend 43200 >/dev/null 2>&1; then
        !           141:                        echo rc.sslkey: certificate "${2}" has expired
        !           142:                        rm -f "${2}"
        !           143:                else
        !           144:                        CCN=`openssl x509 -noout -in "${2}" -subject \
        !           145:                            | sed -e 's,^.*CN=,,g' -e 's,/.*$,,g' 2>&1`
        !           146:                        if [ "${CCN}" != "${3}" ]; then
        !           147:                                echo rc.sslkey: certificate "${2}" incorrect \
        !           148:                                    CN: \""${CCN}"\" instead of \""${3}"\"
        !           149:                                rm -f "${2}"
        !           150:                        fi
        !           151:                fi
        !           152:        else
        !           153:                rm -f "${2}"
        !           154:        fi
        !           155: 
        !           156:        # Create new certificate if none. Handle special case of
        !           157:        # self-signing our own cert (to avoid infinite recursion).
        !           158:        #
        !           159:        if [ ! -r "${2}" -a "${2}" = "${CA_CRT}" -a "${1}" = "${CA_KEY}" ]; then
        !           160:                echo rc.sslkey: creating new CA certificate
        !           161:                find "${CA_DIR}/certs" -type f -print | xargs rm -f
        !           162:                cat /dev/null > "${CA_DIR}/index"
        !           163:                echo 01 > "${CA_DIR}/serial"
        !           164:                printf '\n\n\n%s\n\n' "${3}" | openssl req -new -x509 \
        !           165:                    -config "${CONFIG_FILE}" -key "${1}" -out "${2}" \
        !           166:                    > /dev/null 2>&1
        !           167:        elif [ ! -r "${2}" ]; then
        !           168:                echo rc.sslkey: creating new certificate for "${3}"
        !           169:                sign_key "${1}" "${2}" "${3}"
        !           170:        fi
        !           171: }
        !           172: 
        !           173: #
        !           174: # Main entry point
        !           175: #
        !           176: # Usage:
        !           177: #      rc.sslkey keyfile [ certfile CN ]
        !           178: #
        !           179: # If this script is called with one argument, it just verifies the
        !           180: # CA and SSL RSA keys. Otherwise, there must be three arguments:
        !           181: #
        !           182: #      $1      RSA key file
        !           183: #      $2      SSL certificate file
        !           184: #      $3      CN (Common Name, e.g., web site hostname)
        !           185: #
        !           186: # and the $2 certificate file is also verified/created.
        !           187: #
        !           188: 
        !           189: if [ $# -eq 1 ]; then
        !           190:        check_key "${CA_KEY}"
        !           191:        check_key "${1}"
        !           192:        exit 0
        !           193: fi
        !           194: 
        !           195: if [ $# -ne 3 ]; then
        !           196:        echo Usage: rc.sslkey keyfile \[ certfile common-name \]
        !           197:        exit 1
        !           198: fi
        !           199: 
        !           200: check_cert "${1}" "${2}" "${3}"
        !           201: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>