File: make-ssl-cert

package info (click to toggle)
ssl-cert 1.0.39
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 228 kB
  • ctags: 3
  • sloc: sh: 163; makefile: 32
file content (132 lines) | stat: -rwxr-xr-x 3,875 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/bin/bash -e
# This is a mockup of a script to produce a snakeoil cert
# The aim is to have a debconfisable ssl-certificate script

. /usr/share/debconf/confmodule
db_version 2.0
db_capb backup

ask_via_debconf() {
    RET=""
    if db_settitle make-ssl-cert/title ; then
	: # OK
    else
	echo Debconf failed with error code $? $RET >&2
	echo Maybe your debconf database is corrupt. >&2
	echo Try re-installing ssl-cert. >&2
    fi

    RET=""
    while [ "x$RET" = "x" ]; do
	db_fset make-ssl-cert/hostname seen false
	db_input high make-ssl-cert/hostname || true
	db_go
	db_get make-ssl-cert/hostname
    done
    
    db_get make-ssl-cert/hostname
    HostName="$RET"
    db_fset make-ssl-cert/hostname seen false

    db_fset make-ssl-cert/altname seen false
    db_input high make-ssl-cert/altname || true
    db_go
    db_get make-ssl-cert/altname
    AddAltName="$RET"
    db_fset make-ssl-cert/altname seen false
    SubjectAltName="DNS:$HostName"
    [ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
}

make_snakeoil() {
    if ! HostName="$(hostname -f)" ; then
        HostName="$(hostname)"
        echo make-ssl-cert: Could not get FQDN, using \"$HostName\".
        echo make-ssl-cert: You may want to fix your /etc/hosts and/or DNS setup and run
        echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
        echo make-ssl-cert: again.
    fi
    SubjectAltName="DNS:$HostName"
    if [ ${#HostName} -gt 64 ] ; then
        HostName="$(hostname)"
    fi
}

create_temporary_cnf() {
    sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"# $template > $TMPFILE
}

# Takes two arguments, the base layout and the output cert.

if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
    printf "Usage: $0 template output [--force-overwrite]\n";
    printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
    exit 1;
fi

if [ "$1" != "generate-default-snakeoil" ]; then
    template="$1"
    output="$2"
    # be anal in manual mode.
    if [ ! -f $template ]; then
	printf "Could not open template file: $template!\n";
	exit 1;
    fi
    if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
        printf "$output file already exists!\n";
        exit 1;
    fi
    ask_via_debconf
else
    template="/usr/share/ssl-cert/ssleay.cnf"
    if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
        if [ "$2" != "--force-overwrite" ]; then
             exit 0
        fi
    fi
    make_snakeoil
fi

# # should be a less common char
# problem is that openssl virtually accepts everything and we need to
# sacrifice one char.

TMPFILE="$(mktemp)" || exit 1
TMPOUT="$(mktemp)"  || exit 1

trap "rm -f $TMPFILE $TMPOUT" EXIT

create_temporary_cnf

# create the certificate.

umask 077

if [ "$1" != "generate-default-snakeoil" ]; then
    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
	-out $output -keyout $output > $TMPOUT 2>&1
    then
	echo Could not create certificate. Openssl output was: >&2
	cat $TMPOUT >&2
	exit 1
    fi
    chmod 600 $output
    # hash symlink
    cd $(dirname $output)
    ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
else
    if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
	-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
        -keyout /etc/ssl/private/ssl-cert-snakeoil.key > $TMPOUT 2>&1
    then
	echo Could not create certificate. Openssl output was: >&2
	cat $TMPOUT >&2
	exit 1
    fi
    chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
    chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
    chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
    # hash symlink
    cd /etc/ssl/certs/
    ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
fi