$NetBSD: patch-ab,v 1.1 2000/09/12 14:05:16 jlam Exp $ --- pkg.sslsup/mkcert.sh.in.orig Sun Apr 16 05:21:24 2000 +++ pkg.sslsup/mkcert.sh.in @@ -5,35 +5,53 @@ ## # parameters -make="$1" -mflags="$2" -openssl="$3" -support="$4" -type="$5" -algo="$6" -crt="$7" -key="$8" -view="$9" - -# we can operate only inside the Apache 1.3 source -# tree and only when mod_ssl+OpenSSL is actually configured. -if [ ! -f "../README.configure" ]; then - echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2 - echo "mkcert.sh:Hint: You have to stay inside apache_1.3.x/src." 1>&2 - exit 1 -fi -if [ ".$openssl" = . ]; then - echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2 - echo "mkcert.sh:Hint: Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2 - exit 1 +parameters=`getopt a:c:t:k:v $*` +if [ $# = 0 ]; then + cat << EOF +Usage: + mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v] + +Options: + -t type Type of certificates to generate. Valid types are: + dummy self-signed Snake Oil cert + test test cert signed by Snake Oil CA + custom custom cert signed by own CA + existing existing cert + + -a algo Signature algorithm for generated certificate. Valid + algorithms are RSA or DSA. + + -c crtfile Path to an existing certificate + + -k keyfile Path to an existing key file + + -v Display the certificate and key, then exit. + +EOF + exit 2 fi +set -- $parameters +for param; do + case $param in + -a) algo=$2 ;; + -c) crt=$2 ;; + -t) type=$2 ;; + -k) key=$2 ;; + -v) view=1 ;; + --) break ;; + esac + shift +done + +openssl="openssl" +confdir=@PREFIX@/etc/httpd + # configuration -# WE ARE CALLED FROM THE PARENT DIR! -sslcrtdir="../conf/ssl.crt" -sslcsrdir="../conf/ssl.csr" -sslkeydir="../conf/ssl.key" -sslprmdir="../conf/ssl.prm" +sslcrtdir="$confdir/ssl.crt" +sslcsrdir="$confdir/ssl.csr" +sslkeydir="$confdir/ssl.key" +sslprmdir="$confdir/ssl.prm" # some optional terminal sequences case $TERM in @@ -93,11 +111,11 @@ fi # find some random files -# (do not use /dev/random here, because this device -# doesn't work as expected on all platforms) -randfiles='' +# We will always generate a /tmp/randfile using /dev/urandom +# before passing $randfile to openssl. +randfiles='/tmp/randfile' for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \ - /kernel /kernel/genunix /vmunix /vmlinuz /mach \ + /kernel /kernel/genunix /vmunix /vmlinuz /mach /netbsd \ /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do if [ -r $file ]; then if [ ".$randfiles" = . ]; then @@ -112,7 +130,7 @@ if [ -f $HOME/.rnd ]; then RANDFILE="$HOME/.rnd" else - RANDFILE=".mkcert.rnd" + RANDFILE="/tmp/.mkcert.rnd" (ps; date) >$RANDFILE fi export RANDFILE @@ -156,12 +174,12 @@ fi echo "${T_MD}RESULT: Server Certification Files${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" + echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" echo " The PEM-encoded $algo private key file which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" + echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" echo " The PEM-encoded X.509 certificate file which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)." @@ -211,6 +229,7 @@ echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}" + (umask 077; head -500 /dev/urandom > randfile) if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 @@ -238,10 +257,11 @@ exit 1 fi fi + rm -f randfile echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}" - cat >.mkcert.cfg </tmp/.mkcert.cfg <&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg prompt="8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read days @@ -287,8 +307,8 @@ read certversion extfile="" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then - extfile="-extfile .mkcert.cfg" - cat >.mkcert.cfg </tmp/.mkcert.cfg <.mkcert.serial + if [ ! -f /tmp/.mkcert.serial ]; then + echo '01' >/tmp/.mkcert.serial fi if [ ".$algo" = .RSA ]; then $openssl x509 $extfile \ -days $days \ - -CAserial .mkcert.serial \ + -CAserial /tmp/.mkcert.serial \ -CA $sslcrtdir/snakeoil-ca-rsa.crt \ -CAkey $sslkeydir/snakeoil-ca-rsa.key \ -in $sslcsrdir/server.csr -req \ @@ -310,7 +330,7 @@ else $openssl x509 $extfile \ -days $days \ - -CAserial .mkcert.serial \ + -CAserial /tmp/.mkcert.serial \ -CA $sslcrtdir/snakeoil-ca-dsa.crt \ -CAkey $sslkeydir/snakeoil-ca-dsa.key \ -in $sslcsrdir/server.csr -req \ @@ -320,7 +340,7 @@ echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then @@ -387,22 +407,22 @@ echo "" echo "${T_MD}RESULT: Server Certification Files${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" + echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" echo " The PEM-encoded $algo private key file which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" + echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" echo " The PEM-encoded X.509 certificate file which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)." echo "" - echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}" + echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}" echo " The PEM-encoded X.509 certificate signing request file which" echo " you can send to an official Certificate Authority (CA) in order" echo " to request a real server certificate (signed by this CA instead" echo " of our demonstration-only Snake Oil CA) which later can replace" - echo " the conf/ssl.crt/server.crt file." + echo " the $confdir/ssl.crt/server.crt file." echo "" echo "WARNING: Do not use this for real-life/production systems" echo "" @@ -448,6 +468,7 @@ echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}" + (umask 077; head -500 /dev/urandom > randfile) if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024 @@ -475,10 +496,11 @@ exit 1 fi fi + rm -f randfile echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}" - cat >.mkcert.cfg </tmp/.mkcert.cfg <&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg prompt="8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read days @@ -524,8 +546,8 @@ read certversion extfile="" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then - extfile="-extfile .mkcert.cfg" - cat >.mkcert.cfg </tmp/.mkcert.cfg <&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then @@ -564,6 +586,7 @@ echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}" + (umask 077; head -500 /dev/urandom > randfile) if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 @@ -588,10 +611,11 @@ exit 1 fi fi + rm -f randfile echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}" - cat >.mkcert.cfg </tmp/.mkcert.cfg <&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg prompt="8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt" read days @@ -637,8 +661,8 @@ read certversion extfile="" if [ ".$certversion" = .3 -o ".$certversion" = . ]; then - extfile="-extfile .mkcert.cfg" - cat >.mkcert.cfg </tmp/.mkcert.cfg <.mkcert.serial + if [ ! -f /tmp/.mkcert.serial ]; then + echo '01' >/tmp/.mkcert.serial fi $openssl x509 $extfile \ -days $days \ - -CAserial .mkcert.serial \ + -CAserial /tmp/.mkcert.serial \ -CA $sslcrtdir/ca.crt \ -CAkey $sslkeydir/ca.key \ -in $sslcsrdir/server.csr -req \ @@ -660,7 +684,7 @@ echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2 exit 1 fi - rm -f .mkcert.cfg + rm -f /tmp/.mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'` if [ ".$algo" = .RSA ]; then @@ -764,31 +788,31 @@ echo "" echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.key/ca.key${T_ME}" + echo "o ${T_MD}$confdir/ssl.key/ca.key${T_ME}" echo " The PEM-encoded $algo private key file of the CA which you can" echo " use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.crt/ca.crt${T_ME}" + echo "o ${T_MD}$confdir/ssl.crt/ca.crt${T_ME}" echo " The PEM-encoded X.509 certificate file of the CA which you use to" echo " sign other servers or clients. When you sign clients with it (for" echo " SSL client authentication) you can configure this file with the" echo " 'SSLCACertificateFile' directive." echo "" - echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" + echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" echo " The PEM-encoded $algo private key file of the server which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" + echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" echo " The PEM-encoded X.509 certificate file of the server which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)." echo "" - echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}" + echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}" echo " The PEM-encoded X.509 certificate signing request of the server file which" echo " you can send to an official Certificate Authority (CA) in order" echo " to request a real server certificate (signed by this CA instead" - echo " of our own CA) which later can replace the conf/ssl.crt/server.crt" + echo " of our own CA) which later can replace the $confdir/ssl.crt/server.crt" echo " file." echo "" echo "Congratulations that you establish your server with real certificates." @@ -808,14 +832,26 @@ echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2 exit 1 fi + if [ $crt -ef $sslcrtdir/server.crt ]; then + mv -f $crt $crt.backup + crt="$crt.backup" + fi if [ ".$key" != . ]; then if [ ! -f "$key" ]; then echo "mkcert.sh: Cannot find private key file: $key" 1>&2 exit 1 fi + if [ $key -ef $sslkeydir/server.key ]; then + mv -f $key $key.backup + key="$key.backup" + fi cp $crt $sslcrtdir/server.crt (umask 077; cp $key $sslkeydir/server.key) else + if [ $crt -ef $sslcrtdir/server.crt ]; then + mv -f $crt $crt.backup + crt="$crt.backup" + fi key=$crt umask 077 touch $sslkeydir/server.key @@ -836,12 +872,12 @@ fi echo "${T_MD}RESULT: Server Certification Files${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" + echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}" echo " The PEM-encoded $algo private key file which you configure" echo " with the 'SSLCertificateKeyFile' directive (automatically done" echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}" echo "" - echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}" + echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}" echo " The PEM-encoded X.509 certificate file which you configure" echo " with the 'SSLCertificateFile' directive (automatically done" echo " when you install via APACI)."