kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/www/ap-ssl/patches/patch-ab

455 lines
18 KiB
Text
Raw Blame History

$NetBSD: patch-ab,v 1.4 2002/12/03 14:31:33 grant Exp $
--- pkg.sslsup/mkcert.sh.in.orig Sun Apr 16 19:21:24 2000
+++ pkg.sslsup/mkcert.sh.in
@@ -1,39 +1,57 @@
-#!/bin/sh
+#!@SH@
##
## mkcert.sh -- SSL Certificate Generation Utility
## Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
# parameters
-make="$1"
-mflags="$2"
-openssl="$3"
-support="$4"
-type="$5"
-algo="$6"
-crt="$7"
-key="$8"
-view="$9"
-
-# we can operate only inside the Apache 1.3 source
-# tree and only when mod_ssl+OpenSSL is actually configured.
-if [ ! -f "../README.configure" ]; then
- echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2
- echo "mkcert.sh:Hint: You have to stay inside apache_1.3.x/src." 1>&2
- exit 1
-fi
-if [ ".$openssl" = . ]; then
- echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2
- echo "mkcert.sh:Hint: Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2
- exit 1
+parameters=`getopt a:c:t:k:v $*`
+if [ $# = 0 ]; then
+ cat << EOF
+Usage:
+ mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v]
+
+Options:
+ -t type Type of certificates to generate. Valid types are:
+ dummy self-signed Snake Oil cert
+ test test cert signed by Snake Oil CA
+ custom custom cert signed by own CA
+ existing existing cert
+
+ -a algo Signature algorithm for generated certificate. Valid
+ algorithms are RSA or DSA.
+
+ -c crtfile Path to an existing certificate
+
+ -k keyfile Path to an existing key file
+
+ -v Display the certificate and key, then exit.
+
+EOF
+ exit 2
fi
+set -- $parameters
+for param; do
+ case $param in
+ -a) algo=$2 ;;
+ -c) crt=$2 ;;
+ -t) type=$2 ;;
+ -k) key=$2 ;;
+ -v) view=1 ;;
+ --) break ;;
+ esac
+ shift
+done
+
+openssl="openssl"
+confdir=@PKG_SYSCONFDIR@
+
# configuration
-# WE ARE CALLED FROM THE PARENT DIR!
-sslcrtdir="../conf/ssl.crt"
-sslcsrdir="../conf/ssl.csr"
-sslkeydir="../conf/ssl.key"
-sslprmdir="../conf/ssl.prm"
+sslcrtdir="$confdir/ssl.crt"
+sslcsrdir="$confdir/ssl.csr"
+sslkeydir="$confdir/ssl.key"
+sslprmdir="$confdir/ssl.prm"
# some optional terminal sequences
case $TERM in
@@ -93,11 +111,11 @@ if [ ".$view" != . ]; then
fi
# find some random files
-# (do not use /dev/random here, because this device
-# doesn't work as expected on all platforms)
-randfiles=''
+# We will always generate a /tmp/randfile using /dev/urandom
+# before passing $randfile to openssl.
+randfiles='/tmp/randfile'
for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \
- /kernel /kernel/genunix /vmunix /vmlinuz /mach \
+ /kernel /kernel/genunix /vmunix /vmlinuz /mach /netbsd \
/etc/hosts /etc/group /etc/resolv.conf /bin/ls; do
if [ -r $file ]; then
if [ ".$randfiles" = . ]; then
@@ -112,7 +130,7 @@ done
if [ -f $HOME/.rnd ]; then
RANDFILE="$HOME/.rnd"
else
- RANDFILE=".mkcert.rnd"
+ RANDFILE="/tmp/.mkcert.rnd"
(ps; date) >$RANDFILE
fi
export RANDFILE
@@ -156,12 +174,12 @@ case $type in
fi
echo "${T_MD}RESULT: Server Certification Files${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
echo " The PEM-encoded $algo private key file which you configure"
echo " with the 'SSLCertificateKeyFile' directive (automatically done"
echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
echo " The PEM-encoded X.509 certificate file which you configure"
echo " with the 'SSLCertificateFile' directive (automatically done"
echo " when you install via APACI)."
@@ -211,6 +229,7 @@ case $type in
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
+ (umask 077; head -500 /dev/urandom > randfile)
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
@@ -238,10 +257,11 @@ case $type in
exit 1
fi
fi
+ rm -f randfile
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
- cat >.mkcert.cfg <<EOT
+ cat >/tmp/.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
@@ -265,7 +285,7 @@ emailAddress = "7. Em
emailAddress_max = 40
emailAddress_default = www@snakeoil.dom
EOT
- $openssl req -config .mkcert.cfg \
+ $openssl req -config /tmp/.mkcert.cfg \
-new \
-key $sslkeydir/server.key \
-out $sslcsrdir/server.csr
@@ -273,7 +293,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
prompt="8. Certificate Validity (days) [365]:"
echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
read days
@@ -287,8 +307,8 @@ EOT
read certversion
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
- extfile="-extfile .mkcert.cfg"
- cat >.mkcert.cfg <<EOT
+ extfile="-extfile /tmp/.mkcert.cfg"
+ cat >/tmp/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
@@ -296,13 +316,13 @@ nsComment = "mod_ssl generated te
nsCertType = server
EOT
fi
- if [ ! -f .mkcert.serial ]; then
- echo '01' >.mkcert.serial
+ if [ ! -f /tmp/.mkcert.serial ]; then
+ echo '01' >/tmp/.mkcert.serial
fi
if [ ".$algo" = .RSA ]; then
$openssl x509 $extfile \
-days $days \
- -CAserial .mkcert.serial \
+ -CAserial /tmp/.mkcert.serial \
-CA $sslcrtdir/snakeoil-ca-rsa.crt \
-CAkey $sslkeydir/snakeoil-ca-rsa.key \
-in $sslcsrdir/server.csr -req \
@@ -310,7 +330,7 @@ EOT
else
$openssl x509 $extfile \
-days $days \
- -CAserial .mkcert.serial \
+ -CAserial /tmp/.mkcert.serial \
-CA $sslcrtdir/snakeoil-ca-dsa.crt \
-CAkey $sslkeydir/snakeoil-ca-dsa.key \
-in $sslcsrdir/server.csr -req \
@@ -320,7 +340,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
if [ ".$algo" = .RSA ]; then
@@ -387,22 +407,22 @@ EOT
echo ""
echo "${T_MD}RESULT: Server Certification Files${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
echo " The PEM-encoded $algo private key file which you configure"
echo " with the 'SSLCertificateKeyFile' directive (automatically done"
echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
echo " The PEM-encoded X.509 certificate file which you configure"
echo " with the 'SSLCertificateFile' directive (automatically done"
echo " when you install via APACI)."
echo ""
- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
echo " The PEM-encoded X.509 certificate signing request file which"
echo " you can send to an official Certificate Authority (CA) in order"
echo " to request a real server certificate (signed by this CA instead"
echo " of our demonstration-only Snake Oil CA) which later can replace"
- echo " the conf/ssl.crt/server.crt file."
+ echo " the $confdir/ssl.crt/server.crt file."
echo ""
echo "WARNING: Do not use this for real-life/production systems"
echo ""
@@ -448,6 +468,7 @@ EOT
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}"
+ (umask 077; head -500 /dev/urandom > randfile)
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024
@@ -475,10 +496,11 @@ EOT
exit 1
fi
fi
+ rm -f randfile
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}"
- cat >.mkcert.cfg <<EOT
+ cat >/tmp/.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
@@ -502,7 +524,7 @@ emailAddress = "7. Em
emailAddress_max = 40
emailAddress_default = ca@snakeoil.dom
EOT
- $openssl req -config .mkcert.cfg \
+ $openssl req -config /tmp/.mkcert.cfg \
-new \
-key $sslkeydir/ca.key \
-out $sslcsrdir/ca.csr
@@ -510,7 +532,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
prompt="8. Certificate Validity (days) [365]:"
echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
read days
@@ -524,8 +546,8 @@ EOT
read certversion
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
- extfile="-extfile .mkcert.cfg"
- cat >.mkcert.cfg <<EOT
+ extfile="-extfile /tmp/.mkcert.cfg"
+ cat >/tmp/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
@@ -543,7 +565,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate self-signed CA certificate" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
if [ ".$algo" = .RSA ]; then
@@ -564,6 +586,7 @@ EOT
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}"
+ (umask 077; head -500 /dev/urandom > randfile)
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
@@ -588,10 +611,11 @@ EOT
exit 1
fi
fi
+ rm -f randfile
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"
- cat >.mkcert.cfg <<EOT
+ cat >/tmp/.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
@@ -615,7 +639,7 @@ emailAddress = "7. Em
emailAddress_max = 40
emailAddress_default = www@snakeoil.dom
EOT
- $openssl req -config .mkcert.cfg \
+ $openssl req -config /tmp/.mkcert.cfg \
-new \
-key $sslkeydir/server.key \
-out $sslcsrdir/server.csr
@@ -623,7 +647,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
prompt="8. Certificate Validity (days) [365]:"
echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
read days
@@ -637,8 +661,8 @@ EOT
read certversion
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
- extfile="-extfile .mkcert.cfg"
- cat >.mkcert.cfg <<EOT
+ extfile="-extfile /tmp/.mkcert.cfg"
+ cat >/tmp/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
@@ -646,12 +670,12 @@ nsComment = "mod_ssl generated cu
nsCertType = server
EOT
fi
- if [ ! -f .mkcert.serial ]; then
- echo '01' >.mkcert.serial
+ if [ ! -f /tmp/.mkcert.serial ]; then
+ echo '01' >/tmp/.mkcert.serial
fi
$openssl x509 $extfile \
-days $days \
- -CAserial .mkcert.serial \
+ -CAserial /tmp/.mkcert.serial \
-CA $sslcrtdir/ca.crt \
-CAkey $sslkeydir/ca.key \
-in $sslcsrdir/server.csr -req \
@@ -660,7 +684,7 @@ EOT
echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
exit 1
fi
- rm -f .mkcert.cfg
+ rm -f /tmp/.mkcert.cfg
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
if [ ".$algo" = .RSA ]; then
@@ -764,31 +788,31 @@ EOT
echo ""
echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.key/ca.key${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.key/ca.key${T_ME}"
echo " The PEM-encoded $algo private key file of the CA which you can"
echo " use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.crt/ca.crt${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.crt/ca.crt${T_ME}"
echo " The PEM-encoded X.509 certificate file of the CA which you use to"
echo " sign other servers or clients. When you sign clients with it (for"
echo " SSL client authentication) you can configure this file with the"
echo " 'SSLCACertificateFile' directive."
echo ""
- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
echo " The PEM-encoded $algo private key file of the server which you configure"
echo " with the 'SSLCertificateKeyFile' directive (automatically done"
echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
echo " The PEM-encoded X.509 certificate file of the server which you configure"
echo " with the 'SSLCertificateFile' directive (automatically done"
echo " when you install via APACI)."
echo ""
- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
echo " The PEM-encoded X.509 certificate signing request of the server file which"
echo " you can send to an official Certificate Authority (CA) in order"
echo " to request a real server certificate (signed by this CA instead"
- echo " of our own CA) which later can replace the conf/ssl.crt/server.crt"
+ echo " of our own CA) which later can replace the $confdir/ssl.crt/server.crt"
echo " file."
echo ""
echo "Congratulations that you establish your server with real certificates."
@@ -808,14 +832,26 @@ EOT
echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2
exit 1
fi
+ if [ $crt -ef $sslcrtdir/server.crt ]; then
+ mv -f $crt $crt.backup
+ crt="$crt.backup"
+ fi
if [ ".$key" != . ]; then
if [ ! -f "$key" ]; then
echo "mkcert.sh: Cannot find private key file: $key" 1>&2
exit 1
fi
+ if [ $key -ef $sslkeydir/server.key ]; then
+ mv -f $key $key.backup
+ key="$key.backup"
+ fi
cp $crt $sslcrtdir/server.crt
(umask 077; cp $key $sslkeydir/server.key)
else
+ if [ $crt -ef $sslcrtdir/server.crt ]; then
+ mv -f $crt $crt.backup
+ crt="$crt.backup"
+ fi
key=$crt
umask 077
touch $sslkeydir/server.key
@@ -836,12 +872,12 @@ EOT
fi
echo "${T_MD}RESULT: Server Certification Files${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
echo " The PEM-encoded $algo private key file which you configure"
echo " with the 'SSLCertificateKeyFile' directive (automatically done"
echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
echo ""
- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
echo " The PEM-encoded X.509 certificate file which you configure"
echo " with the 'SSLCertificateFile' directive (automatically done"
echo " when you install via APACI)."
Reference in a new issue View git blame Copy permalink