From 9bd2d3ef85414a2a66f6f6ad2bcf1e22e19f44ef Mon Sep 17 00:00:00 2001
From: joerg
Date: Wed, 6 Aug 2008 23:51:32 +0000
Subject: [PATCH] Get the OpenSSL setup to create a simple CA, pkg-vulnerabilities signing and package signing keys under version control.

---
 pkgtools/pkg_install/files/x509/pkgsrc.cnf | 136 +++++++++++++++++++++
 pkgtools/pkg_install/files/x509/pkgsrc.sh | 63 ++++++++++
 2 files changed, 199 insertions(+)
 create mode 100644 pkgtools/pkg_install/files/x509/pkgsrc.cnf
 create mode 100644 pkgtools/pkg_install/files/x509/pkgsrc.sh

diff --git a/pkgtools/pkg_install/files/x509/pkgsrc.cnf b/pkgtools/pkg_install/files/x509/pkgsrc.cnf
new file mode 100644
index 0000000000000..e9e5f5adbb14a
--- /dev/null
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.cnf
@@ -0,0 +1,136 @@
+# $NetBSD: pkgsrc.cnf,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+# OpenSSL sample configuration file for use by pkgsrc.sh
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./pkgsrc # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha1
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ pkgkey ]
+nsComment = "Certificate for binary pkgsrc packages"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+extendedKeyUsage = codeSigning, emailProtection
+
+[ pkgsec ]
+nsComment = "Certificate for pkg-vulnerabilities"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
diff --git a/pkgtools/pkg_install/files/x509/pkgsrc.sh b/pkgtools/pkg_install/files/x509/pkgsrc.sh
new file mode 100644
index 0000000000000..d157f705dd53c
--- /dev/null
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.sh
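Review bot: `default_md = sha1` in the [ req ] section signs every request with SHA-1, and `default_md = default` in [ CA_default ] leaves the digest of the issued certificates to OpenSSL's per-key default, which on the OpenSSL of this era most likely also resolves to SHA-1 for RSA keys; since these certificates anchor trust in binary packages and in pkg-vulnerabilities, both lines should name the digest explicitly, `default_md = sha256` in [ CA_default ] and `default_md = sha256` in [ req ]. A second point is lifetime: `default_days = 365` also governs the CA certificate that pkgsrc.sh produces with `openssl ca -selfsign`, so the CA itself expires after one year unless that call passes `-days`; a comment next to `default_days` saying that the self-signed CA is minted with the same value would prevent surprises. Finally, the [ pkgkey ] and [ pkgsec ] leaf sections carry no `basicConstraints` and no `keyUsage`, so nothing in the certificate itself states that they are not issuers; adding `basicConstraints = CA:FALSE` and `keyUsage = digitalSignature` to both sections makes that explicit for verifiers.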
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $NetBSD: pkgsrc.sh,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+
+CA="openssl ca -config pkgsrc.cnf"
+REQ="openssl req -config pkgsrc.cnf"
+
+set -e
+
+new_ca() {
+ if [ -f $1/serial ]; then
+ echo "CA already exists, exiting" >& 2
+ exit 1
+ fi
+
+ mkdir -p $1/certs $1/crl $1/newcerts $1/private
+ echo "00" > $1/serial
+ touch $1/index.txt
+
+ echo "Making CA certificate ..."
+ $REQ -new -keyout $1/private/cakey.pem \
+ -out $1/careq.pem
+ $CA -out $1/cacert.pem -batch \
+ -keyfile $1/private/cakey.pem -selfsign \
+ -infiles $1/careq.pem
+}
+
+new_pkgkey() {
+ $REQ -new -keyout pkgkey_key.pem -out pkgkey_req.pem
+ $CA -extensions pkgkey -policy policy_match -out pkgkey_cert.pem.pem -infiles pkgkey_req.pem
+ rm pkgkey_req.pem
+ echo "Signed certificate is in pkgkey_cert.pem.pem, key in pkgkey_key.pem"
+}
+
+new_pkgsec() {
+ $REQ -new -keyout pkgsec_key.pem -out pkgsec_req.pem
+ $CA -extensions pkgsec -policy policy_match -out pkgsec_cert.pem.pem -infiles pkgsec_req.pem
+ rm pkgsec_req.pem
+ echo "Signed certificate is in pkgsec_cert.pem.pem, key in pkgsec_key.pem"
+}
+
+usage() {
+ echo "$0:"
+ echo "setup - create new CA in ./pkgsrc for use by pkg_install"
+ echo "pkgkey - create and sign a certificate for binary packages"
+ echo "pkgsec - create and sign a certificate for pkg-vulnerabilities"
+}
+
+case "$1" in
+setup)
+ new_ca ./pkgsrc
+ ;;
+pkgkey)
+ new_pkgkey
+ ;;
+pkgsec)
+ new_pkgsec
+ ;;
+*)
+ usage
+ ;;
+esac
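Review bot: Every `$1` expansion in new_ca is unquoted (`[ -f $1/serial ]`, the `mkdir -p` line, `echo "00" > $1/serial`, and the `-keyout`/`-out`/`-keyfile`/`-infiles` arguments), so a CA directory containing whitespace or glob characters is split or expanded; the only caller passes `./pkgsrc` today, but the function takes the path as a parameter, and the fix is to copy it into one variable and quote it throughout, as shown below. The output names `pkgkey_cert.pem.pem` and `pkgsec_cert.pem.pem` in new_pkgkey and new_pkgsec look like an accidentally doubled suffix; if it is intended, a comment should say so, otherwise use `pkgkey_cert.pem` and `pkgsec_cert.pem` on both `$CA -out` lines and in the two `echo` lines that report them. The private keys written by `-keyout` land in the current directory and in `$1/private` with whatever mode the caller's umask allows (unless this OpenSSL build restricts the key file's mode itself, which I would not rely on), so a `umask 077` right after `set -e`, or a comment stating that the operator must set one, keeps the CA and signing keys from being created world-readable.
```sh
new_ca() {
	ca_dir=$1
	if [ -f "$ca_dir/serial" ]; then
		echo "CA already exists, exiting" >&2
		exit 1
	fi

	mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
	echo "00" > "$ca_dir/serial"
	touch "$ca_dir/index.txt"

	echo "Making CA certificate ..."
	# $REQ and $CA stay unquoted on purpose: they hold a command plus its options.
	$REQ -new -keyout "$ca_dir/private/cakey.pem" \
		-out "$ca_dir/careq.pem"
	$CA -out "$ca_dir/cacert.pem" -batch \
		-keyfile "$ca_dir/private/cakey.pem" -selfsign \
		-infiles "$ca_dir/careq.pem"
}
```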