#!/bin/sh
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#ident "@(#)stunnel_ca_lib.sh 1.1 08/07/09 SMI"
#
# These are common functions used by test_stunnel and setup_CA
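#######################################
# Create the CA directory layout and write the OpenSSL configuration
# used by the other helpers in this file.
# Globals (read): CA_DIR PEMDIR OPEN_SSL_CONF FIRST_CERT PROGNAME COUNTRY
#   STATE LOCALITY ORG OUNIT USER_NAME EMAIL DEFAULT_BITS
# Side effects: creates ${CA_DIR} with private/ requests/ certs/ newcerts/
#   crl/, creates ${PEMDIR}, truncates index.txt, seeds serial with
#   ${FIRST_CERT}, (over)writes ${OPEN_SSL_CONF}; leaves the shell's cwd
#   in ${CA_DIR}.
# Returns: 0 on success; 1 if a directory cannot be created or entered.
#######################################
setup_ca() {
  mkdir -p "${CA_DIR}" || return 1
  mkdir -p "${PEMDIR}" || return 1
  # Everything below uses paths relative to the CA root, so a failed cd
  # must not fall through and scatter CA files into the caller's cwd.
  cd "${CA_DIR}" || return 1
  mkdir -p private requests certs newcerts crl || return 1
  : > index.txt
  printf '%s\n' "${FIRST_CERT}" > serial
  # One here-document instead of ~120 echo appends; \$dir is left for
  # openssl to expand, everything else is expanded by the shell now.
  cat > "${OPEN_SSL_CONF}" <<EOF
############################################################
# This config file autogenerated by ${PROGNAME}
############################################################
# HOME and RANDFILE are global defaults, so they sit before the first
# section header rather than inside [ req_attributes ], where openssl
# would try to treat them as request attribute names.
HOME = ${CA_DIR}
RANDFILE = ${CA_DIR}/.rnd

############################################################
# Edit this section, change these values to something meaningfull
############################################################
[ req_distinguished_name ]
countryName = ${COUNTRY}
countryName_default = ${COUNTRY}
countryName_min = 2
countryName_max = 2
stateOrProvinceName = ${STATE}
stateOrProvinceName_default = ${STATE}
localityName = ${LOCALITY}
localityName_default = ${LOCALITY}
0.organizationName = ${ORG}
0.organizationName_default = ${ORG}
organizationalUnitName = ${OUNIT}
organizationalUnitName_default = ${OUNIT}

commonName = ${USER_NAME}
commonName_default = ${USER_NAME}
commonName_max = 64

emailAddress = ${EMAIL}
emailAddress_default = ${EMAIL}
emailAddress_max = 64
############################################################
# End of edit section
############################################################

[ ca ]
default_ca = CA_default

[ CA_default ]

dir = ${CA_DIR}
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
unique_subject = no
new_certs_dir = \$dir/newcerts

certificate = \$dir/cacert.pem
serial = \$dir/serial
crl = \$dir/crl.pem
private_key = \$dir/private/cakey.pem
RANDFILE = \$dir/private/.rand

x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
# MD5 is collision-broken and MD5-signed certificates are rejected by
# current OpenSSL/TLS stacks, so sign issued certificates with SHA-256.
default_md = sha256
preserve = no
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
input_password =
output_password =
default_bits = ${DEFAULT_BITS}
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]

authorityKeyIdentifier=keyid:always,issuer:always

EOF
}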
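#######################################
# Generate the self-signed CA certificate and its private key.
# Globals (read): CA_DIR OPENSSL CA_KEY CA_SIG DEFAULT_BITS OPEN_SSL_CONF
# Side effects: writes ${CA_DIR}/private/cakey.pem and
#   ${CA_DIR}/cacert.pem; leaves the shell's cwd in ${CA_DIR}.
# Returns: 1 if ${CA_DIR} cannot be entered, otherwise openssl's status.
#######################################
create_CA_certificate() {
  cd "${CA_DIR}" || return 1
  # NOTE(review): -nodes writes cakey.pem unencrypted, so the pass:${CA_KEY}
  # arguments presumably have no effect on the stored key; they are kept so
  # callers that set CA_KEY keep working.  A pass: argument is visible in
  # the process list, so it must not be treated as a secret channel.
  "${OPENSSL}" req -rand /dev/urandom -outform PEM \
    -passin "pass:${CA_KEY}" -passout "pass:${CA_KEY}" \
    -x509 -newkey "${CA_SIG}:${DEFAULT_BITS}" -days 365 -nodes \
    -keyout "${CA_DIR}/private/cakey.pem" -out "${CA_DIR}/cacert.pem" \
    -config "${OPEN_SSL_CONF}"
}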
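#######################################
# Generate the stunnel key pair and certificate signing request.
# Globals (read): CA_DIR OPENSSL OPEN_SSL_CONF CA_SIG DEFAULT_BITS
# Side effects: writes ${CA_DIR}/private/stunnel-key.pem (unencrypted,
#   because of -nodes) and ${CA_DIR}/requests/stunnel-req.pem; leaves the
#   shell's cwd in ${CA_DIR}.
# Returns: 1 if ${CA_DIR} cannot be entered, otherwise openssl's status.
#######################################
generate_csr() {
  # Output paths below are relative, so never run openssl from the wrong cwd.
  cd "${CA_DIR}" || return 1
  "${OPENSSL}" req -config "${OPEN_SSL_CONF}" -batch \
    -newkey "${CA_SIG}:${DEFAULT_BITS}" -nodes \
    -keyout private/stunnel-key.pem -out requests/stunnel-req.pem
}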
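#######################################
# Sign the stunnel CSR with the CA configured in ${OPEN_SSL_CONF}.
# Globals (read): CA_DIR OPENSSL OPEN_SSL_CONF
# Side effects: writes ${CA_DIR}/certs/stunnel.pem (and whatever the CA
#   database/serial updates openssl ca performs); leaves the shell's cwd
#   in ${CA_DIR}.
# Returns: 1 if ${CA_DIR} cannot be entered, otherwise openssl's status.
#######################################
ca_sign_csr() {
  # Input and output paths below are relative to the CA root.
  cd "${CA_DIR}" || return 1
  "${OPENSSL}" ca -config "${OPEN_SSL_CONF}" -batch \
    -in requests/stunnel-req.pem -out certs/stunnel.pem
}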
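#######################################
# Concatenate the stunnel private key and certificate into ${PEMFILE}.
# Globals (read): CA_DIR PEMFILE
# Side effects: replaces ${PEMFILE} with key, blank line, certificate,
#   mode 0400; leaves the shell's cwd in ${CA_DIR}.
# Returns: 0 on success; 1 if ${CA_DIR} cannot be entered or the file
#   cannot be written.
#######################################
combine_pem() {
  cd "${CA_DIR}" || return 1
  # stunnel needs the private key and certificate in a single file.
  # Create that file with a restrictive mode from the start rather than
  # writing the key under the default umask and tightening afterwards,
  # which leaves a window where the key is readable by others.  A stale
  # copy is removed first so an existing loose mode is not inherited.
  rm -f -- "${PEMFILE}" || return 1
  (
    umask 077
    cat private/stunnel-key.pem > "${PEMFILE}" &&
      echo >> "${PEMFILE}" &&
      cat certs/stunnel.pem >> "${PEMFILE}"
  ) || return 1
  # Owner read-only: this file holds the private key.
  chmod 400 "${PEMFILE}"
}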