From 95fa5b4b476ebb04d27ab633a762f4f2fcdc2ac9 Mon Sep 17 00:00:00 2001
From: Lu zhiping
Date: Mon, 15 Aug 2022 16:26:34 +0800
Subject: [PATCH] Import Upstream version 1.0.39
---
README | 4 ++
make-ssl-cert | 132 ++++++++++++++++++++++++++++++++++++++++++++++++
make-ssl-cert.8 | 33 ++++++++++++
ssleay.cnf | 21 ++++++++
4 files changed, 190 insertions(+)
create mode 100644 README
create mode 100755 make-ssl-cert
create mode 100644 make-ssl-cert.8
create mode 100644 ssleay.cnf
diff --git a/README b/README
new file mode 100644
index 0000000..c20521d
--- /dev/null
+++ b/README
@@ -0,0 +1,4 @@
+This is a quicky package to enable unattended installs of software that need to
+create ssl certificates.
+Basically, it's just a wrapper for openssl req that feeds it the correct user
+variables to create self-signed certificates.
diff --git a/make-ssl-cert b/make-ssl-cert
new file mode 100755
index 0000000..152e9f9
--- /dev/null
+++ b/make-ssl-cert
@@ -0,0 +1,132 @@
+#!/bin/bash -e
+# This is a mockup of a script to produce a snakeoil cert
+# The aim is to have a debconfisable ssl-certificate script
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+db_capb backup
+
+ask_via_debconf() {
+ RET=""
+ if db_settitle make-ssl-cert/title ; then
+ : # OK
+ else
+ echo Debconf failed with error code $? $RET >&2
+ echo Maybe your debconf database is corrupt. >&2
+ echo Try re-installing ssl-cert. >&2
+ fi
+
+ RET=""
+ while [ "x$RET" = "x" ]; do
+ db_fset make-ssl-cert/hostname seen false
+ db_input high make-ssl-cert/hostname || true
+ db_go
+ db_get make-ssl-cert/hostname
+ done
+
+ db_get make-ssl-cert/hostname
+ HostName="$RET"
+ db_fset make-ssl-cert/hostname seen false
+
+ db_fset make-ssl-cert/altname seen false
+ db_input high make-ssl-cert/altname || true
+ db_go
+ db_get make-ssl-cert/altname
+ AddAltName="$RET"
+ db_fset make-ssl-cert/altname seen false
+ SubjectAltName="DNS:$HostName"
+ [ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
+}
+
+make_snakeoil() {
+ if ! HostName="$(hostname -f)" ; then
+ HostName="$(hostname)"
+ echo make-ssl-cert: Could not get FQDN, using \"$HostName\".
+ echo make-ssl-cert: You may want to fix your /etc/hosts and/or DNS setup and run
+ echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
+ echo make-ssl-cert: again.
+ fi
+ SubjectAltName="DNS:$HostName"
+ if [ ${#HostName} -gt 64 ] ; then
+ HostName="$(hostname)"
+ fi
+}
+
+create_temporary_cnf() {
+ sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"# $template > $TMPFILE
+}
+
+# Takes two arguments, the base layout and the output cert.
+
+if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
+ printf "Usage: $0 template output [--force-overwrite]\n";
+ printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
+ exit 1;
+fi
+
+if [ "$1" != "generate-default-snakeoil" ]; then
+ template="$1"
+ output="$2"
+ # be anal in manual mode.
+ if [ ! -f $template ]; then
+ printf "Could not open template file: $template!\n";
+ exit 1;
+ fi
+ if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
+ printf "$output file already exists!\n";
+ exit 1;
+ fi
+ ask_via_debconf
+else
+ template="/usr/share/ssl-cert/ssleay.cnf"
+ if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
+ if [ "$2" != "--force-overwrite" ]; then
+ exit 0
+ fi
+ fi
+ make_snakeoil
+fi
+
+# # should be a less common char
+# problem is that openssl virtually accepts everything and we need to
+# sacrifice one char.
+
+TMPFILE="$(mktemp)" || exit 1
+TMPOUT="$(mktemp)" || exit 1
+
+trap "rm -f $TMPFILE $TMPOUT" EXIT
+
+create_temporary_cnf
+
+# create the certificate.
+
+umask 077
+
+if [ "$1" != "generate-default-snakeoil" ]; then
+ if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
+ -out $output -keyout $output > $TMPOUT 2>&1
+ then
+ echo Could not create certificate. Openssl output was: >&2
+ cat $TMPOUT >&2
+ exit 1
+ fi
+ chmod 600 $output
+ # hash symlink
+ cd $(dirname $output)
+ ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
+else
+ if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
+ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
+ then
+ echo Could not create certificate. Openssl output was: >&2
+ cat $TMPOUT >&2
+ exit 1
+ fi
+ chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
+ chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
+ chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+ # hash symlink
+ cd /etc/ssl/certs/
+ ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
+fi
diff --git a/make-ssl-cert.8 b/make-ssl-cert.8
new file mode 100644
index 0000000..7916b25
--- /dev/null
+++ b/make-ssl-cert.8
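Review bot: `create_temporary_cnf` splices `$HostName` and `$SubjectAltName` into a sed expression and from there into the file that `openssl req -config` parses, and nothing in `ask_via_debconf` or `make_snakeoil` rejects a value containing the `#` delimiter, `&`, `\` or a newline, so such a value corrupts the expression or adds lines to the generated config; the "sacrifice one char" comment only accounts for `#`. A whitelist check before the substitution, e.g. `case "$HostName,$SubjectAltName" in *[!A-Za-z0-9.:,_*-]*) echo "make-ssl-cert: invalid character in host name" >&2; exit 1;; esac`, covers both the debconf path and the hostname(1) path. The `printf "$output file already exists!\n"` and `printf "Usage: $0 ..."` calls also use a caller-controlled path as the format string (`printf '%s file already exists!\n' "$output"`), and `$template`, `$output` and `$TMPFILE` are unquoted throughout, so a path with whitespace or a glob character breaks the `[ -f ]` tests and the `cd`/`ln` hash-symlink step. Separately, both hash symlinks are named bare `$(openssl x509 -hash ...)` with no `.0` suffix; if the intent is for OpenSSL's hashed-directory lookup to find them, that lookup expects `<hash>.0`, so confirm which name consumers rely on.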
@@ -0,0 +1,33 @@
+.TH make-ssl-cert 8
+.SH NAME
+make-ssl-cert - Debconf wrapper for openssl
+.SH SYNOPSIS
+.B make-ssl-cert
+\fItemplate\fR \fIoutput-certificate\fR [\fB\-\-force\-overwrite\fR]
+.br
+.B make-ssl-cert generate-default-snakeoil
+[\fB\-\-force\-overwrite\fR]
+.br
+.SH "DESCRIPTION"
+make-ssl-cert is a simple debconf to openssl wrapper to create self-signed
+certificates.
+It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf)
+and it will place the new generated certificate in the specified
+output file.
+.br
+Invoked with "generate-default-snakeoil", it will generate
+/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
+.SH OPTIONS
+A summary of options are included below.
+.TP
+.B \-\-force\-overwrite
+Use this option
+.B ONLY
+when strictly required since it will overwrite the output certificate.
+.SH "SEE ALSO"
+.IR "openssl" (1)
+.SH AUTHOR
+The program author is Thom May , manual
+page was written for completness by Fabio M. Di Nitto
+, for the Debian GNU/Linux system
+(but may be used by others).
diff --git a/ssleay.cnf b/ssleay.cnf
new file mode 100644
index 0000000..42b7c6d
--- /dev/null
+++ b/ssleay.cnf
@@ -0,0 +1,21 @@
+#
+# SSLeay example configuration file.
+#
+
+RANDFILE = /dev/urandom
+
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+policy = policy_anything
+req_extensions = v3_req
+x509_extensions = v3_req
+
+[ req_distinguished_name ]
+commonName = @HostName@
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+subjectAltName = @SubjectAltName@
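Review bot: `policy = policy_anything` in the `[ req ]` section names a section this file never defines, and `policy` appears to be an `openssl ca` directive rather than a `req` one, so the line is most likely ignored; `default_keyfile = privkey.pem` is likewise dead, since make-ssl-cert always passes `-keyout` explicitly. Either drop both lines or mark them, e.g. `# policy and default_keyfile are unused: make-ssl-cert passes -keyout and never runs openssl ca`, so the next reader does not look for a policy_anything section. With `prompt = no`, the `commonName` and `subjectAltName` values come straight from the `@HostName@`/`@SubjectAltName@` substitution, so the template itself performs no validation of those values and the calling script has to.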