diff options
Diffstat (limited to 'bin/bbstored/bbstored-certs')
-rwxr-xr-x | bin/bbstored/bbstored-certs | 358 |
1 files changed, 0 insertions, 358 deletions
diff --git a/bin/bbstored/bbstored-certs b/bin/bbstored/bbstored-certs deleted file mode 100755 index 0ef8b325..00000000 --- a/bin/bbstored/bbstored-certs +++ /dev/null @@ -1,358 +0,0 @@ -#!/usr/bin/perl -# distribution boxbackup-0.11rc2 (svn version: 2072) -# -# Copyright (c) 2003 - 2008 -# Ben Summers and contributors. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# 3. All use of this software and associated advertising materials must -# display the following acknowledgment: -# This product includes software developed by Ben Summers. -# 4. The names of the Authors may not be used to endorse or promote -# products derived from this software without specific prior written -# permission. -# -# [Where legally impermissible the Authors do not disclaim liability for -# direct physical injury or death caused solely by defects in the software -# unless it is modified by a third party.] -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, -# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN -# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. -# -# -# -use strict; - -# validity period for root certificates -- default is a very long time -my $root_sign_period = '10000'; - -# but less so for client certificates -my $sign_period = '5000'; - -# check and get command line parameters -if($#ARGV < 1) -{ - print <<__E; - -bbstored certificates utility. - -Bad command line parameters. -Usage: - bbstored-certs certs-dir command [arguments] - -certs-dir is the directory holding the root keys and certificates for the backup system -command is the action to perform, taking parameters. - -Commands are - - init - -- generate initial root certificates (certs-dir must not already exist) - sign certificate-name - -- sign a client certificate - sign-server certificate-name - -- sign a server certificate - -Signing requires confirmation that the certificate is correct and should be signed. - -__E - exit(1); -} - -# check for OPENSSL_CONF environment var being set -if(exists $ENV{'OPENSSL_CONF'}) -{ - print <<__E; - ---------------------------------------- - -WARNING: - You have the OPENSSL_CONF environment variable set. - Use of non-standard openssl configs may cause problems. - ---------------------------------------- - -__E -} - -# directory structure: -# -# roots/ -# clientCA.pem -- root certificate for client (used on server) -# serverCA.pem -- root certificate for servers (used on clients) -# keys/ -# clientRootKey.pem -- root key for clients -# serverRootKey.pem -- root key for servers -# servers/ -# hostname.pem -- certificate for server 'hostname' -# clients/ -# account.pem -- certficiate for account 'account' (ID in hex) -# - - -# check parameters -my ($cert_dir,$command,@args) = @ARGV; - -# check directory exists -if($command ne 'init') -{ - if(!-d $cert_dir) - { - die "$cert_dir does not exist"; - } -} - -# run command -if($command eq 'init') {&cmd_init;} -elsif($command eq 'sign') {&cmd_sign;} -elsif($command eq 'sign-server') {&cmd_sign_server;} -else -{ - die "Unknown command $command" -} - -sub cmd_init -{ - # create directories - unless(mkdir($cert_dir,0700) - && mkdir($cert_dir.'/roots',0700) - && mkdir($cert_dir.'/keys',0700) - && mkdir($cert_dir.'/servers',0700) - && mkdir($cert_dir.'/clients',0700)) - { - die "Failed to create directory structure" - } - - # create root keys and certrs - cmd_init_create_root('client'); - cmd_init_create_root('server'); -} - -sub cmd_init_create_root -{ - my $entity = $_[0]; - - my $cert = "$cert_dir/roots/".$entity.'CA.pem'; - my $serial = "$cert_dir/roots/".$entity.'CA.srl'; - my $key = "$cert_dir/keys/".$entity.'RootKey.pem'; - my $csr = "$cert_dir/keys/".$entity.'RootCSR.pem'; - - # generate key - if(system("openssl genrsa -out $key 2048") != 0) - { - die "Couldn't generate private key." - } - - # make CSR - die "Couldn't run openssl for CSR generation" unless - open(CSR,"|openssl req -new -key $key -sha1 -out $csr"); - print CSR <<__E; -. -. -. -. -. -Backup system $entity root -. -. -. - -__E - close CSR; - print "\n\n"; - die "Certificate request wasn't created.\n" unless -f $csr; - - # sign it to make a self-signed root CA key - if(system("openssl x509 -req -in $csr -sha1 -extensions v3_ca -signkey $key -out $cert -days $root_sign_period") != 0) - { - die "Couldn't generate root certificate." - } - - # write the initial serial number - open SERIAL,">$serial" or die "Can't open $serial for writing"; - print SERIAL "00\n"; - close SERIAL; -} - -sub cmd_sign -{ - my $csr = $args[0]; - - if(!-f $csr) - { - die "$csr does not exist"; - } - - # get the common name specified in this certificate - my $common_name = get_csr_common_name($csr); - - # look OK? - unless($common_name =~ m/\ABACKUP-([A-Fa-f0-9]+)\Z/) - { - die "The certificate presented does not appear to be a backup client certificate" - } - - my $acc = $1; - - # check against filename - if(!($csr =~ m/(\A|\/)([A-Fa-f0-9]+)-/) || $2 ne $acc) - { - die "Certificate request filename does not match name in certificate ($common_name)" - } - - print <<__E; - -This certificate is for backup account - - $acc - -Ensure this matches the account number you are expecting. The filename is - - $csr - -which should include this account number, and additionally, you should check -that you received it from the right person. - -Signing the wrong certificate compromises the security of your backup system. - -Would you like to sign this certificate? (type 'yes' to confirm) -__E - - return unless get_confirmation(); - - # out certificate - my $out_cert = "$cert_dir/clients/$acc"."-cert.pem"; - - # sign it! - if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/clientCA.pem -CAkey $cert_dir/keys/clientRootKey.pem -out $out_cert -days $sign_period") != 0) - { - die "Signing failed" - } - - # tell user what to do next - print <<__E; - - -Certificate signed. - -Send the files - - $out_cert - $cert_dir/roots/serverCA.pem - -to the client. - -__E -} - -sub cmd_sign_server -{ - my $csr = $args[0]; - - if(!-f $csr) - { - die "$csr does not exist"; - } - - # get the common name specified in this certificate - my $common_name = get_csr_common_name($csr); - - # look OK? - if($common_name !~ m/\A[-a-zA-Z0-9.]+\Z/) - { - die "Invalid server name" - } - - print <<__E; - -This certificate is for backup server - - $common_name - -Signing the wrong certificate compromises the security of your backup system. - -Would you like to sign this certificate? (type 'yes' to confirm) -__E - - return unless get_confirmation(); - - # out certificate - my $out_cert = "$cert_dir/servers/$common_name"."-cert.pem"; - - # sign it! - if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/serverCA.pem -CAkey $cert_dir/keys/serverRootKey.pem -out $out_cert -days $sign_period") != 0) - { - die "Signing failed" - } - - # tell user what to do next - print <<__E; - - -Certificate signed. - -Install the files - - $out_cert - $cert_dir/roots/clientCA.pem - -on the server. - -__E -} - - -sub get_csr_common_name -{ - my $csr = $_[0]; - - open CSRTEXT,"openssl req -text -in $csr |" or die "Can't open openssl for reading"; - - my $subject; - while(<CSRTEXT>) - { - $subject = $1 if m/Subject:.+?CN=([-\.\w]+)/ - } - close CSRTEXT; - - if($subject eq '') - { - die "No subject found in CSR $csr" - } - - return $subject -} - -sub get_confirmation() -{ - my $line = <STDIN>; - chomp $line; - if(lc $line ne 'yes') - { - print "CANCELLED\n"; - return 0; - } - - return 1; -} - - - - - |