From d2c24ab6116d8dfcb8a6b8a576313f13b953312b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Jun 2012 17:53:12 -0300 Subject: Fixing debian/copyright ; removing ssl-cacert from genpair so keyringer do not have any third-party code --- Makefile | 1 - debian/copyright | 14 +++-- lib/keyringer/csr.sh | 145 ------------------------------------------------ share/keyringer/genpair | 29 ++++------ 4 files changed, 20 insertions(+), 169 deletions(-) delete mode 100755 lib/keyringer/csr.sh diff --git a/Makefile b/Makefile index d5675ed..8d98a67 100644 --- a/Makefile +++ b/Makefile @@ -23,7 +23,6 @@ clean: find . -name *~ | xargs rm -f # clean local backups install_lib: - $(INSTALL) -D --mode=0644 lib/keyringer/csr.sh $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/csr.sh $(INSTALL) -D --mode=0644 lib/keyringer/functions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/functions install_share: diff --git a/debian/copyright b/debian/copyright index 7fdacff..0c7a7af 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,21 +4,23 @@ This work was packaged for Debian by: It was downloaded from: - + https://git.sarava.org/?p=keyringer.git;a=summary Upstream Author(s): - - + Silvio Rhatto + Daniel Kahn Gillmor + Jamie McClelland Copyright: - - + + + License: - + GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 The Debian packaging is: diff --git a/lib/keyringer/csr.sh b/lib/keyringer/csr.sh deleted file mode 100755 index 881a46f..0000000 --- a/lib/keyringer/csr.sh +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/bin/sh -# csr.sh: Certificate Signing Request Generator -# Copyright(c) 2005 Evaldo Gardenali -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. 
-# -# ChangeLog: -# Mon May 23 00:14:37 BRT 2005 - evaldo - Initial Release -# Thu Nov 3 10:11:51 GMT 2005 - chrisc - $HOME removed so that key and csr -# are generated in the current directory -# Wed Nov 16 10:42:42 GMT 2005 - chrisc - Updated to match latest version on -# the CAcert wiki, rev #73 -# http://wiki.cacert.org/wiki/VhostTaskForce -# Mon Jan 4 18:37:28 BRST 2010 - rhatto - Support for non-interactive mode - - -# be safe about permissions -LASTUMASK=`umask` -umask 077 - -# OpenSSL for HPUX needs a random file -RANDOMFILE="$HOME/.rnd" - -# create a config file for openssl -CONFIG=`mktemp -q /tmp/openssl-conf.XXXXXXXX` -if [ ! $? -eq 0 ]; then - echo "Could not create temporary config file. exiting" - exit 1 -fi - -echo "Private Key and Certificate Signing Request Generator" -echo "This script was designed to suit the request format needed by" -echo "the CAcert Certificate Authority. www.CAcert.org" -echo - -HOST="$1" -COMMONNAME="$2" -SAN="$3" - -if [ -z "$HOST" ]; then - printf "Short Hostname (ie. imap big_srv www2): " - read HOST -fi - -if [ -z "$COMMONNAME" ]; then - printf "FQDN/CommonName (ie. www.example.com) : " - read COMMONNAME -fi - -if [ -z "$SAN" ]; then - echo "Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish" - SAN=1 # bogus value to begin the loop - SANAMES="" # sanitize - while [ ! 
"$SAN" = "" ]; do - printf "SubjectAltName: DNS:" - read SAN - if [ "$SAN" = "" ]; then break; fi # end of input - if [ "$SANAMES" = "" ]; then - SANAMES="DNS:$SAN" - else - SANAMES="$SANAMES,DNS:$SAN" - fi - done -else - SANAMES="DNS:$SAN" -fi - -# Config File Generation - -cat < "$CONFIG" -# -------------- BEGIN custom openssl.cnf ----- - HOME = $HOME -EOF - -if [ "`uname -s`" = "HP-UX" ]; then - echo " RANDFILE = $RANDOMFILE" >> "$CONFIG" -fi - -cat <> "$CONFIG" - oid_section = new_oids - [ new_oids ] - [ req ] - default_days = 730 # how long to certify for - default_keyfile = ${HOST}_privatekey.pem - distinguished_name = req_distinguished_name - encrypt_key = no - string_mask = nombstr -EOF - -if [ ! "$SANAMES" = "" ]; then - echo "req_extensions = v3_req # Extensions to add to certificate request" >> "$CONFIG" -fi - -cat <> "$CONFIG" - [ req_distinguished_name ] - commonName = Common Name (eg, YOUR name) - commonName_default = $COMMONNAME - commonName_max = 64 - [ v3_req ] -EOF - -if [ ! "$SANAMES" = "" ]; then - echo "subjectAltName=$SANAMES" >> "$CONFIG" -fi - -echo "# -------------- END custom openssl.cnf -----" >> "$CONFIG" - -echo "Running OpenSSL..." -# The first one doesn't work, the second one does: -#openssl req -batch -config "$CONFIG" -newkey rsa -out ${HOST}_csr.pem -openssl req -batch -config "$CONFIG" -newkey rsa:2048 -out "${HOST}_csr.pem" - -echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate." -echo "When you receive your certificate, you 'should' name it something like ${HOST}_server.pem" -echo -cat ${HOST}_csr.pem -echo -printf "The Certificate request is also available in '%s_csr.pem'\n" "$HOST" -printf "The Private Key is stored in '%s_privatekey.pem'\n" "$HOST" -echo - -rm "$CONFIG" - -#restore umask -umask "$LASTUMASK" - diff --git a/share/keyringer/genpair b/share/keyringer/genpair index 140361a..85ec1ac 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair 
@@ -101,10 +101,6 @@ function genpair_ssl { cd "$TMPWORK" # Generate certificate - if [ "$KEYTYPE" == "ssl-cacert" ]; then - # We use a custom script for CaCert - "$LIB/csr.sh" "$NODE" - else cat <> openssl.conf [ req ] default_keyfile = ${NODE}_privatekey.pem @@ -127,22 +123,21 @@ commonName = Common Name extendedKeyUsage=serverAuth,clientAuth EOF - # Add SubjectAltNames so wildcard certs can work correctly. - if [ "$WILDCARD" == "yes" ]; then + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then cat <> openssl.conf subjectAltName=DNS:${NODE}, DNS:${CNAME} EOF - fi + fi - echo "Please review your OpenSSL configuration:" - cat openssl.conf - read -p "Hit ENTER to continue." prompt + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." prompt - openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ - -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem - openssl req -noout -text -in ${NODE}_csr.pem - fi + openssl req -noout -text -in ${NODE}_csr.pem # Self-sign if [ "$KEYTYPE" == "ssl-self" ]; then @@ -199,9 +194,9 @@ CWD="`pwd`" # Verify if [ -z "$NODE" ]; then - echo -e "Usage: keyringer $BASENAME [outfile]" + echo -e "Usage: keyringer $BASENAME [outfile]" echo -e "Options:" - echo -e "\t gpg|ssh|ssl[-cacert,-self]: key type." + echo -e "\t gpg|ssh|ssl[-self]: key type." echo -e "\t file : base file name for encrypted output (relative to keys folder)" echo -e "\t hostname : host for the key pair" echo -e "\t outfile : optional unencrypted output file, useful for deployment" 
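Review bot: `${NODE}` is still unquoted in the re-indented `openssl req` calls of the second genpair hunk (`-keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem` and `-in ${NODE}_csr.pem`), so a hostname argument containing whitespace or glob characters is word-split before openssl sees it; quote each use, e.g. `-keyout "${NODE}_privatekey.pem" -out "${NODE}_csr.pem"`. The same value goes unvalidated into openssl.conf through the heredocs (`subjectAltName=DNS:${NODE}, DNS:${CNAME}`), so it would be worth checking it against a hostname pattern before the config is written; where NODE and CNAME are assigned is outside the hunk. Neither `openssl req` call has its exit status checked, so unless the script enables `set -e` elsewhere, a failed key generation falls through to the `# Self-sign` step that follows. genpair_ssl begins and ends outside the hunk.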
@@ -216,7 +211,7 @@ keyringer_set_tmpfile genpair -d # Dispatch echo "Generating $KEYTYPE key for $NODE..." -if [ "$KEYTYPE" == "ssl-self" ] || [ "$KEYTYPE" == "ssl-cacert" ]; then +if [ "$KEYTYPE" == "ssl-self" ]; then genpair_ssl else genpair_"$KEYTYPE" -- cgit v1.2.3
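Review bot: The `else` branch still turns the user-supplied key type into a command name, `genpair_"$KEYTYPE"`, with no check against the supported set, and with `ssl-cacert` dropped from the condition that value now lands there too. Nothing in this commit defines a `genpair_ssl-cacert`, so callers still passing the removed type would presumably get a shell "command not found" rather than a clear error, and any other unexpected value is looked up as a function or as a command on PATH. An explicit allow-list in a `case` with a rejecting default fixes both; the accepted names below are taken from the usage text (`gpg|ssh|ssl[-self]`) and assume `genpair_gpg` and `genpair_ssh` exist elsewhere in the file. The `if` being replaced closes with a `fi` that lies outside the hunk.

```shell
case "$KEYTYPE" in
  ssl-self)    genpair_ssl ;;
  gpg|ssh|ssl) genpair_"$KEYTYPE" ;;
  *)
    echo "Unsupported key type: $KEYTYPE" >&2
    exit 1
    ;;
esac
```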