OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=1

2006-12-20 17:01:15 +00:00
commit 692583743f
54 changed files with 8646 additions and 0 deletions
--- a/198
+++ b/198
@@ -0,0 +1,198 @@
+#!/bin/bash
+# Peter Poeml <poeml@suse.de>
+#
+# Script to generate ssl keys for mod_ssl, without requiring user input
+# most of it is copied from mkcert.sh of the mod_ssl distribution
+#
+# XXX This is just a hack, it won't be able to do anything you want!
+#
+
+function usage
+{
+	cat <<-EOF
+	`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
+	You can change some defaults however.
+	It will overwrite /root/.mkcert.cfg
+
+	These options are recognized:		Default:
+
+	-C 	Common name 			"$name"
+	-N	comment				"$comment"
+	-c	country (two letters, e.g. DE)	$C
+	-s	state				$ST
+	-l 	city				$L
+	-o 	organisation			"$O"
+	-u 	organisational unit		"$U"
+	-n	fully qualified domain name	$CN (\$FQHOSTNAME)
+	-e 	email address of webmaster	webmaster@$CN
+	-y      days server cert is valid for   $srvdays
+	-Y      days CA cert is valid for       $CAdays
+	-d	run in debug mode			
+	-h      show usage
+	EOF
+}
+
+
+test -t && { BRIGHT='[01m'; RED='[31m'; NORMAL='[00m'; }
+function myecho { echo $BRIGHT$@$NORMAL; }
+function error { echo $RED$@$NORMAL; }
+function myexit { error something ugly seems to have happened in line $1...; exit $2; }
+
+r=$ROOT
+. $r/etc/sysconfig/network/config
+FQHOSTNAME=`cat /etc/HOSTNAME`
+
+# defaults
+  comment="mod_ssl server certificate"
+     name=
+        C=XY
+       ST=unknown
+        L=unknown
+        U="web server"
+	O="SuSE Linux Web Server"
+       CN=$FQHOSTNAME
+    email=webmaster@$FQHOSTNAME
+   CAdays=$((365 * 6))
+  srvdays=$((365 * 2))
+
+while getopts C:N:c:s:l:o:u:n:e:y:dh OPT; do
+    case $OPT in
+        C) name=$OPTARG-;;
+        N) comment=$OPTARG;;
+        c) C=$OPTARG;;
+        s) ST=$OPTARG;;
+        l) L=$OPTARG;;
+        u) U=$OPTARG;;
+        o) O=$OPTARG;;
+        n) CN=$OPTARG;;
+        e) email=$OPTARG;;
+	y) srvdays=$OPTARG;;
+	Y) CAdays=$OPTARG;;
+        d) set -x;;
+	h) usage; exit 2;;
+        *) echo unrecognized option: $OPT; usage; exit 2;;
+    esac
+done
+
+GO_LEFT="\033[80D"
+GO_MIDDLE="$GO_LEFT\033[15C"
+for i in comment name C ST L U O CN email srvdays CAdays; do 
+	eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
+done
+
+
+openssl=$r/usr/bin/openssl
+sslcrtdir=$r/etc/apache2/ssl.crt
+sslcsrdir=$r/etc/apache2/ssl.csr
+sslkeydir=$r/etc/apache2/ssl.key
+sslprmdir=$r/etc/apache2/ssl.prm
+
+#
+# CA
+#
+echo;myecho creating CA key ...
+$openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?
+
+cat >$r/root/.mkcert.cfg <<EOT
+[ req ]
+default_bits           = 1024
+default_keyfile        = keyfile.pem
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = mypass
+
+[ req_distinguished_name ]
+C                      = $C
+ST                     = $ST
+L                      = $L
+O                      = $O
+OU                     = CA
+CN                     = $CN
+emailAddress           = $email
+
+[ req_attributes ]
+challengePassword              = $RANDOM$RANDOMA challenge password
+EOT
+
+echo;myecho creating CA request/certificate ...
+$openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?
+
+cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
+
+#
+# Server CERT
+#
+echo;myecho creating server key ...
+$openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 1024 || myexit $LINENO $?
+
+cat >$r/root/.mkcert.cfg <<EOT
+[ req ]
+default_bits           = 1024
+default_keyfile        = keyfile.pem
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = mypass
+
+[ req_distinguished_name ]
+C                      = $C
+ST                     = $ST
+L                      = $L
+O                      = $O
+OU                     = $U
+CN                     = $CN
+emailAddress           = $email
+
+[ req_attributes ]
+challengePassword              = $RANDOM$RANDOMA challenge password
+EOT
+
+echo;myecho creating server request ...
+$openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?
+
+
+cat >$r/root/.mkcert.cfg <<EOT
+extensions = x509v3
+[ x509v3 ]
+subjectAltName   = email:copy
+nsComment        = $comment
+nsCertType       = server
+EOT
+
+
+test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial
+myecho "creating server certificate ..."
+$openssl x509 					\
+	-extfile $r/root/.mkcert.cfg 			\
+	-days $srvdays 				\
+	-CAserial $r/root/.mkcert.serial 		\
+	-CA $sslcrtdir/${name}ca.crt       	\
+	-CAkey $sslkeydir/${name}ca.key   	\
+	-in $sslcsrdir/${name}server.csr -req 	\
+	-out $sslcrtdir/${name}server.crt || myexit $LINENO $?
+
+rm -f $r/root/.mkcert.cfg
+
+
+
+
+echo;myecho "Verify: matching certificate & key modulus"
+modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
+modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
+
+if [ ".$modcrt" != ".$modkey" ]; then
+    error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
+    myexit $LINENO $?
+fi
+
+echo;myecho Verify: matching certificate signature
+    $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
+if [ $? -ne 0 ]; then
+    error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
+    myexit $LINENO $?
+fi
+
+
+exit 0
+