1.1 ! misho 1: #!/bin/sh
! 2:
! 3: #
! 4: # Copyright (c) 2001-2002 Packet Design, LLC.
! 5: # All rights reserved.
! 6: #
! 7: # Subject to the following obligations and disclaimer of warranty,
! 8: # use and redistribution of this software, in source or object code
! 9: # forms, with or without modifications are expressly permitted by
! 10: # Packet Design; provided, however, that:
! 11: #
! 12: # (i) Any and all reproductions of the source or object code
! 13: # must include the copyright notice above and the following
! 14: # disclaimer of warranties; and
! 15: # (ii) No rights are granted, in any manner or form, to use
! 16: # Packet Design trademarks, including the mark "PACKET DESIGN"
! 17: # on advertising, endorsements, or otherwise except as such
! 18: # appears in the above copyright notice or in the software.
! 19: #
! 20: # THIS SOFTWARE IS BEING PROVIDED BY PACKET DESIGN "AS IS", AND
! 21: # TO THE MAXIMUM EXTENT PERMITTED BY LAW, PACKET DESIGN MAKES NO
! 22: # REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING
! 23: # THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED
! 24: # WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
! 25: # OR NON-INFRINGEMENT. PACKET DESIGN DOES NOT WARRANT, GUARANTEE,
! 26: # OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS
! 27: # OF THE USE OF THIS SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY,
! 28: # RELIABILITY OR OTHERWISE. IN NO EVENT SHALL PACKET DESIGN BE
! 29: # LIABLE FOR ANY DAMAGES RESULTING FROM OR ARISING OUT OF ANY USE
! 30: # OF THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY DIRECT,
! 31: # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL
! 32: # DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF
! 33: # USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY THEORY OF
! 34: # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
! 35: # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
! 36: # THE USE OF THIS SOFTWARE, EVEN IF PACKET DESIGN IS ADVISED OF
! 37: # THE POSSIBILITY OF SUCH DAMAGE.
! 38: #
! 39: # Author: Archie Cobbs <archie@freebsd.org>
! 40: #
! 41: # $Id: rc.sslkey,v 1.5 2004/06/02 17:24:37 archie Exp $
! 42: #
! 43: # This script is used to verify/create keys and certificates for SSL.
! 44: #
! 45:
# Our OpenSSL config file. Like the CA directory below this is a
# relative path, so the script expects to be run from the cert directory.
CONFIG_FILE=cert.cfg

# Our CA key and self-signed cert, both kept under CA_DIR
CA_DIR=ca
CA_KEY=$CA_DIR/ca.key
CA_CRT=$CA_DIR/ca.crt
! 53:
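#
# Create a new certificate authority if needed
#
# The CA certificate's CN is "<hostname> Certificate Authority".
# The hostname is kept in a script-private variable instead of
# HOSTNAME so that the shell's own HOSTNAME variable is not clobbered.
#
check_ca()
{
  # hostname(1) failing would otherwise leave an empty host part in the CN
  ca_host=$(hostname) || ca_host=localhost
  check_cert "${CA_KEY}" "${CA_CRT}" "${ca_host} Certificate Authority"
}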
! 62:
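#
# This verifies that we have a valid RSA key pair and creates one if not.
#
# An unreadable key file is removed, and so is one that
# "openssl rsa -check" rejects; in either case a fresh key is generated.
# The new key file is created under umask 077 so the private key is
# never readable by other users, even briefly.
#
# Args:
# $1 Key file
# $2 Key size in bits (optional; defaults to $KEY_BITS, then 2048).
#    The old fixed size of 1024 bits is commonly rejected by current
#    OpenSSL builds at their default security level.
#
# Returns 0 if a valid key is present afterwards, 1 if generation failed
# (the partial key file is removed in that case).
#
check_key()
{
  key_file=$1
  key_bits=${2:-${KEY_BITS:-2048}}

  if [ ! -r "${key_file}" ]; then
    rm -f -- "${key_file}"
  elif ! openssl rsa -check -in "${key_file}" -noout >/dev/null 2>&1; then
    echo "rc.sslkey: RSA key ${key_file} is invalid" >&2
    rm -f -- "${key_file}"
  fi
  if [ ! -r "${key_file}" ]; then
    echo "rc.sslkey: Generating new ${key_bits}-bit RSA key pair for ${key_file}"
    # Subshell so the restrictive umask does not leak to the caller
    if ! (umask 077; openssl genrsa -out "${key_file}" "${key_bits}" >/dev/null 2>&1); then
      echo "rc.sslkey: failed to generate RSA key ${key_file}" >&2
      rm -f -- "${key_file}"
      return 1
    fi
  fi
  return 0
}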
! 83:
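#
# Sign a public key using our semi-bogus certificate authority
#
# Args:
# $1 Key file
# $2 Certificate file
# $3 CN (Common Name, e.g., web site hostname)
#
# Returns 0 on success. On failure a message goes to stderr, any
# partial certificate and the temporary CSR are removed, and 1 is
# returned.
#
sign_key()
{
  # Make sure we have a valid certificate authority
  check_ca

  # The CSR lives in a private, unpredictable temp file: a fixed
  # /tmp/csr.$$ name could be pre-created or symlinked by another
  # local user before we write to it.
  CSR=$(mktemp "${TMPDIR:-/tmp}/csr.XXXXXX") || {
    echo "rc.sslkey: cannot create temporary file for CSR" >&2
    return 1
  }

  # Generate a certificate signing request. The three empty answers are
  # for the subject fields prompted before the CN (presumably defaulted
  # from ${CONFIG_FILE} -- verify against cert.cfg), then the CN, then
  # one more empty answer.
  if ! printf '\n\n\n%s\n\n' "${3}" | openssl req -config "${CONFIG_FILE}" \
      -new -key "${1}" -out "${CSR}" >/dev/null 2>&1; then
    echo "rc.sslkey: cannot create signing request for ${3}" >&2
    rm -f -- "${CSR}"
    return 1
  fi

  # Zero out index in case we need to regenerate a cert
  cat /dev/null > "${CA_DIR}/index"

  # Now sign the key using built-in CA; the two "y" answers confirm
  # signing and committing the certificate.
  if ! printf 'y\ny\n' | openssl ca -config "${CONFIG_FILE}" \
      -extensions x509v3 -in "${CSR}" -out "${2}" >/dev/null 2>&1; then
    echo "rc.sslkey: CA signing failed for ${3}" >&2
    rm -f -- "${CSR}" "${2}"
    return 1
  fi

  # Done
  rm -f -- "${CSR}"
  return 0
}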
! 113:
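#
# Print the subject CN of certificate $1 on stdout.
#
# Handles both the old "subject= /C=US/CN=host/emailAddress=..." and the
# newer "subject=C = US, CN = host, emailAddress = ..." spellings that
# "openssl x509 -subject" has used (constructed samples). A CN that
# itself contains '/' or ',' is truncated, as it was before.
#
cert_cn()
{
  openssl x509 -noout -in "${1}" -subject 2>/dev/null \
    | sed -e 's|^.*CN *= *||' -e 's|[/,].*$||'
}

#
# This verifies that we have a valid certificate and creates one if not.
#
# The certificate is discarded (and re-created) when its modulus does
# not match the key, when it expires within the next 12 hours, or when
# its subject CN is not the one requested.
#
# Args:
# $1 Key file
# $2 Cert file
# $3 CN (Common Name, e.g., web site hostname)
#
# Returns 0 on success, 1 if a new certificate could not be created.
#
check_cert()
{
  # Check private key
  #
  check_key "${1}"

  # Verify certificate and delete it if it's not valid
  #
  if [ -r "${2}" ]; then
    # Compare the RSA modulus of key and certificate. The md5 is only a
    # cheap equality check on the modulus text, not a security function.
    DIG1=$(openssl rsa -noout -modulus -in "${1}" 2>/dev/null | openssl md5)
    DIG2=$(openssl x509 -noout -modulus -in "${2}" 2>/dev/null | openssl md5)
    if [ "${DIG1}" != "${DIG2}" ]; then
      echo "rc.sslkey: certificate ${2} does not match key ${1}"
      rm -f -- "${2}"
    elif ! openssl x509 -noout -in "${2}" -checkend 43200 >/dev/null 2>&1; then
      # 43200 seconds: a cert expiring within 12 hours counts as expired
      echo "rc.sslkey: certificate ${2} has expired"
      rm -f -- "${2}"
    else
      CCN=$(cert_cn "${2}")
      if [ "${CCN}" != "${3}" ]; then
        echo "rc.sslkey: certificate ${2} incorrect CN: \"${CCN}\" instead of \"${3}\""
        rm -f -- "${2}"
      fi
    fi
  else
    rm -f -- "${2}"
  fi

  # Create new certificate if none. Handle special case of
  # self-signing our own cert (to avoid infinite recursion).
  #
  if [ ! -r "${2}" ] && [ "${2}" = "${CA_CRT}" ] && [ "${1}" = "${CA_KEY}" ]; then
    echo "rc.sslkey: creating new CA certificate"
    # Certificates issued by the previous CA key would no longer verify
    # against the new CA cert, so drop them and reset the CA database
    # and serial number. -exec ... + copes with odd file names and with
    # an empty certs directory.
    find "${CA_DIR}/certs" -type f -exec rm -f -- {} +
    cat /dev/null > "${CA_DIR}/index"
    echo 01 > "${CA_DIR}/serial"
    if ! printf '\n\n\n%s\n\n' "${3}" | openssl req -new -x509 \
        -config "${CONFIG_FILE}" -key "${1}" -out "${2}" >/dev/null 2>&1; then
      echo "rc.sslkey: failed to create CA certificate ${2}" >&2
      rm -f -- "${2}"
      return 1
    fi
  elif [ ! -r "${2}" ]; then
    echo "rc.sslkey: creating new certificate for ${3}"
    sign_key "${1}" "${2}" "${3}" || return 1
  fi
  return 0
}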
! 172:
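#
# Main entry point
#
# Usage:
# rc.sslkey keyfile [ certfile CN ]
#
# If this script is called with one argument, it just verifies the
# CA and SSL RSA keys. Otherwise, there must be three arguments:
#
# $1 RSA key file
# $2 SSL certificate file
# $3 CN (Common Name, e.g., web site hostname)
#
# and the $2 certificate file is also verified/created.
#
# Exit status: 0 on success, 1 on a usage error or when a key or
# certificate could not be produced.
#

if [ $# -eq 1 ]; then
  check_key "${CA_KEY}" || exit 1
  check_key "${1}" || exit 1
  exit 0
fi

if [ $# -ne 3 ]; then
  # Usage errors are diagnostics: keep them off stdout
  echo 'Usage: rc.sslkey keyfile [ certfile common-name ]' >&2
  exit 1
fi

check_cert "${1}" "${2}" "${3}"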
! 201: