1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
|
#!@PERL@
use strict;
# validity period for root certificates -- default is 2038, the best we can do for now
my $root_sign_period = int(((1<<31) - time()) / 86400);
# but less so for client certificates
my $sign_period = '5000';
# check and get command line parameters
if($#ARGV < 1)
{
print <<__E;
bbstored certificates utility.
Bad command line parameters.
Usage:
bbstored-certs certs-dir command [arguments]
certs-dir is the directory holding the root keys and certificates for the backup system
command is the action to perform, taking parameters.
Commands are
init
-- generate initial root certificates (certs-dir must not already exist)
sign certificate-name
-- sign a client certificate
sign-server certificate-name
-- sign a server certificate
Signing requires confirmation that the certificate is correct and should be signed.
__E
exit(1);
}
# check for OPENSSL_CONF environment var being set
if(exists $ENV{'OPENSSL_CONF'})
{
print <<__E;
---------------------------------------
WARNING:
You have the OPENSSL_CONF environment variable set.
Use of non-standard openssl configs may cause problems.
---------------------------------------
__E
}
# directory structure:
#
# roots/
# clientCA.pem -- root certificate for client (used on server)
# serverCA.pem -- root certificate for servers (used on clients)
# keys/
# clientRootKey.pem -- root key for clients
# serverRootKey.pem -- root key for servers
# servers/
# hostname.pem -- certificate for server 'hostname'
# clients/
# account.pem -- certficiate for account 'account' (ID in hex)
#
# check parameters
my ($cert_dir,$command,@args) = @ARGV;
# check directory exists
if($command ne 'init')
{
if(!-d $cert_dir)
{
die "$cert_dir does not exist";
}
}
# run command
if($command eq 'init') {&cmd_init;}
elsif($command eq 'sign') {&cmd_sign;}
elsif($command eq 'sign-server') {&cmd_sign_server;}
else
{
die "Unknown command $command"
}
sub cmd_init
{
# create directories
unless(mkdir($cert_dir,0700)
&& mkdir($cert_dir.'/roots',0700)
&& mkdir($cert_dir.'/keys',0700)
&& mkdir($cert_dir.'/servers',0700)
&& mkdir($cert_dir.'/clients',0700))
{
die "Failed to create directory structure"
}
# create root keys and certrs
cmd_init_create_root('client');
cmd_init_create_root('server');
}
sub cmd_init_create_root
{
my $entity = $_[0];
my $cert = "$cert_dir/roots/".$entity.'CA.pem';
my $serial = "$cert_dir/roots/".$entity.'CA.srl';
my $key = "$cert_dir/keys/".$entity.'RootKey.pem';
my $csr = "$cert_dir/keys/".$entity.'RootCSR.pem';
# generate key
if(system("openssl genrsa -out $key 2048") != 0)
{
die "Couldn't generate private key."
}
# make CSR
die "Couldn't run openssl for CSR generation" unless
open(CSR,"|openssl req -new -key $key -sha256 -out $csr");
print CSR <<__E;
.
.
.
.
.
Backup system $entity root
.
.
.
__E
close CSR;
print "\n\n";
die "Certificate request wasn't created.\n" unless -f $csr;
# sign it to make a self-signed root CA key
if(system("openssl x509 -req -in $csr -sha256 -extensions v3_ca -signkey $key -out $cert -days $root_sign_period") != 0)
{
die "Couldn't generate root certificate."
}
# write the initial serial number
open SERIAL,">$serial" or die "Can't open $serial for writing";
print SERIAL "00\n";
close SERIAL;
}
sub cmd_sign
{
my $csr = $args[0];
if(!-f $csr)
{
die "$csr does not exist";
}
# get the common name specified in this certificate
my $common_name = get_csr_common_name($csr);
# look OK?
unless($common_name =~ m/\ABACKUP-([A-Fa-f0-9]+)\Z/)
{
die "The certificate presented does not appear to be a backup client certificate"
}
my $acc = $1;
# check against filename
if(!($csr =~ m/(\A|\/)([A-Fa-f0-9]+)-/) || $2 ne $acc)
{
die "Certificate request filename does not match name in certificate ($common_name)"
}
print <<__E;
This certificate is for backup account
$acc
Ensure this matches the account number you are expecting. The filename is
$csr
which should include this account number, and additionally, you should check
that you received it from the right person.
Signing the wrong certificate compromises the security of your backup system.
Would you like to sign this certificate? (type 'yes' to confirm)
__E
return unless get_confirmation();
# out certificate
my $out_cert = "$cert_dir/clients/$acc"."-cert.pem";
# sign it!
if(system("openssl x509 -req -in $csr -sha256 -extensions usr_crt -CA $cert_dir/roots/clientCA.pem -CAkey $cert_dir/keys/clientRootKey.pem -out $out_cert -days $sign_period") != 0)
{
die "Signing failed"
}
# tell user what to do next
print <<__E;
Certificate signed.
Send the files
$out_cert
$cert_dir/roots/serverCA.pem
to the client.
__E
}
sub cmd_sign_server
{
my $csr = $args[0];
if(!-f $csr)
{
die "$csr does not exist";
}
# get the common name specified in this certificate
my $common_name = get_csr_common_name($csr);
# look OK?
if($common_name !~ m/\A[-a-zA-Z0-9.]+\Z/)
{
die "Invalid server name"
}
print <<__E;
This certificate is for backup server
$common_name
Signing the wrong certificate compromises the security of your backup system.
Would you like to sign this certificate? (type 'yes' to confirm)
__E
return unless get_confirmation();
# out certificate
my $out_cert = "$cert_dir/servers/$common_name"."-cert.pem";
# sign it!
if(system("openssl x509 -req -in $csr -sha256 -extensions usr_crt -CA $cert_dir/roots/serverCA.pem -CAkey $cert_dir/keys/serverRootKey.pem -out $out_cert -days $sign_period") != 0)
{
die "Signing failed"
}
# tell user what to do next
print <<__E;
Certificate signed.
Install the files
$out_cert
$cert_dir/roots/clientCA.pem
on the server.
__E
}
sub get_csr_common_name
{
my $csr = $_[0];
open CSRTEXT,"openssl req -text -in $csr |" or die "Can't open openssl for reading";
my $subject;
while(<CSRTEXT>)
{
$subject = $1 if m/Subject:.+?CN\s?=\s?([-\.\w]+)/;
}
close CSRTEXT;
if($subject eq '')
{
die "No subject found in CSR $csr"
}
return $subject
}
sub get_confirmation()
{
my $line = <STDIN>;
chomp $line;
if(lc $line ne 'yes')
{
print "CANCELLED\n";
return 0;
}
return 1;
}
|
