Annotation of embedaddon/libpdel/http/test/cert/rc.sslkey, revision 1.1.1.1
1.1 misho 1: #!/bin/sh
2:
3: #
4: # Copyright (c) 2001-2002 Packet Design, LLC.
5: # All rights reserved.
6: #
7: # Subject to the following obligations and disclaimer of warranty,
8: # use and redistribution of this software, in source or object code
9: # forms, with or without modifications are expressly permitted by
10: # Packet Design; provided, however, that:
11: #
12: # (i) Any and all reproductions of the source or object code
13: # must include the copyright notice above and the following
14: # disclaimer of warranties; and
15: # (ii) No rights are granted, in any manner or form, to use
16: # Packet Design trademarks, including the mark "PACKET DESIGN"
17: # on advertising, endorsements, or otherwise except as such
18: # appears in the above copyright notice or in the software.
19: #
20: # THIS SOFTWARE IS BEING PROVIDED BY PACKET DESIGN "AS IS", AND
21: # TO THE MAXIMUM EXTENT PERMITTED BY LAW, PACKET DESIGN MAKES NO
22: # REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING
23: # THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED
24: # WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
25: # OR NON-INFRINGEMENT. PACKET DESIGN DOES NOT WARRANT, GUARANTEE,
26: # OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS
27: # OF THE USE OF THIS SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY,
28: # RELIABILITY OR OTHERWISE. IN NO EVENT SHALL PACKET DESIGN BE
29: # LIABLE FOR ANY DAMAGES RESULTING FROM OR ARISING OUT OF ANY USE
30: # OF THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY DIRECT,
31: # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL
32: # DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF
33: # USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY THEORY OF
34: # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35: # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
36: # THE USE OF THIS SOFTWARE, EVEN IF PACKET DESIGN IS ADVISED OF
37: # THE POSSIBILITY OF SUCH DAMAGE.
38: #
39: # Author: Archie Cobbs <archie@freebsd.org>
40: #
41: # $Id: rc.sslkey,v 1.5 2004/06/02 17:24:37 archie Exp $
42: #
43: # This script is used to verify/create keys and certificates for SSL.
44: #
45:
46: # Our OpenSSL config file
47: CONFIG_FILE="cert.cfg"
48:
49: # Our CA key and self-signed cert
50: CA_DIR="ca"
51: CA_KEY="${CA_DIR}/ca.key"
52: CA_CRT="${CA_DIR}/ca.crt"
53:
54: #
55: # Create a new certificate authority if needed
56: #
57: check_ca()
58: {
59: HOSTNAME=`hostname`
60: check_cert "${CA_KEY}" "${CA_CRT}" "${HOSTNAME} Certificate Authority"
61: }
62:
63: #
64: # This verifies that we have a valid RSA key pair and creates one if not.
65: #
66: # Args:
67: # $1 Key file
68: #
69: check_key()
70: {
71: if [ ! -r "${1}" ]; then
72: rm -f "${1}"
73: elif ! openssl rsa -check -in "${1}" -noout >/dev/null 2>&1; then
74: echo rc.sslkey: RSA key is invalid
75: rm -f "${1}"
76: fi
77: if [ ! -r "${1}" ]; then
78: echo rc.sslkey: Generating new RSA key pair for "${1}"
79: openssl genrsa -out "${1}" 1024 \
80: >/dev/null 2>&1
81: fi
82: }
83:
84: #
85: # Sign a public key using our semi-bogus certificate authority
86: #
87: # Args:
88: # $1 Key file
89: # $2 Certificate file
90: # $3 CN (Common Name, e.g., web site hostname)
91: #
92: sign_key()
93: {
94: CSR="/tmp/csr.$$"
95:
96: # Make sure we have a valid certificate authority
97: check_ca
98:
99: # Generate a certificate signing request
100: printf '\n\n\n%s\n\n' "${3}" | openssl req -config "${CONFIG_FILE}" \
101: -new -key "${1}" -out "${CSR}" >/dev/null 2>&1
102:
103: # Zero out index in case we need to regenerate a cert
104: cat /dev/null > ${CA_DIR}/index
105:
106: # Now sign the key using built-in CA
107: printf 'y\ny\n' | openssl ca -config "${CONFIG_FILE}" \
108: -extensions x509v3 -in "${CSR}" -out "${2}" >/dev/null 2>&1
109:
110: # Done
111: rm -f "${CSR}"
112: }
113:
114: #
115: # This verifies that we have a valid certificate and creates one if not.
116: #
117: # Args:
118: # $1 Key file
119: # $2 Cert file
120: # $3 CN (Common Name, e.g., web site hostname)
121: #
122: check_cert()
123: {
124: # Check private key
125: #
126: check_key $1
127:
128: # Verify certificate and delete it if it's not valid
129: #
130: if [ -r "${2}" ]; then
131: DIG1=`openssl rsa -noout -modulus -in "${1}" \
132: 2>/dev/null | openssl md5`
133: DIG2=`openssl x509 -noout -modulus -in "${2}" \
134: 2>/dev/null | openssl md5`
135: if [ "${DIG1}" != "${DIG2}" ]; then \
136: echo rc.sslkey: certificate "${2}" \
137: does not match key "${1}"
138: rm -f "${2}"
139: elif ! openssl x509 -noout -in "${2}" \
140: -checkend 43200 >/dev/null 2>&1; then
141: echo rc.sslkey: certificate "${2}" has expired
142: rm -f "${2}"
143: else
144: CCN=`openssl x509 -noout -in "${2}" -subject \
145: | sed -e 's,^.*CN=,,g' -e 's,/.*$,,g' 2>&1`
146: if [ "${CCN}" != "${3}" ]; then
147: echo rc.sslkey: certificate "${2}" incorrect \
148: CN: \""${CCN}"\" instead of \""${3}"\"
149: rm -f "${2}"
150: fi
151: fi
152: else
153: rm -f "${2}"
154: fi
155:
156: # Create new certificate if none. Handle special case of
157: # self-signing our own cert (to avoid infinite recursion).
158: #
159: if [ ! -r "${2}" -a "${2}" = "${CA_CRT}" -a "${1}" = "${CA_KEY}" ]; then
160: echo rc.sslkey: creating new CA certificate
161: find "${CA_DIR}/certs" -type f -print | xargs rm -f
162: cat /dev/null > "${CA_DIR}/index"
163: echo 01 > "${CA_DIR}/serial"
164: printf '\n\n\n%s\n\n' "${3}" | openssl req -new -x509 \
165: -config "${CONFIG_FILE}" -key "${1}" -out "${2}" \
166: > /dev/null 2>&1
167: elif [ ! -r "${2}" ]; then
168: echo rc.sslkey: creating new certificate for "${3}"
169: sign_key "${1}" "${2}" "${3}"
170: fi
171: }
172:
173: #
174: # Main entry point
175: #
176: # Usage:
177: # rc.sslkey keyfile [ certfile CN ]
178: #
179: # If this script is called with one argument, it just verifies the
180: # CA and SSL RSA keys. Otherwise, there must be three arguments:
181: #
182: # $1 RSA key file
183: # $2 SSL certificate file
184: # $3 CN (Common Name, e.g., web site hostname)
185: #
186: # and the $2 certificate file is also verified/created.
187: #
188:
189: if [ $# -eq 1 ]; then
190: check_key "${CA_KEY}"
191: check_key "${1}"
192: exit 0
193: fi
194:
195: if [ $# -ne 3 ]; then
196: echo Usage: rc.sslkey keyfile \[ certfile common-name \]
197: exit 1
198: fi
199:
200: check_cert "${1}" "${2}" "${3}"
201:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to rc.sslkey CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / libpdel / http / test / cert