## @defgroup on-ssl SSL tools
## @brief Creation and management of keys, certificates and certificate signing requests
# Start of the documentation group

# Detect which SSL toolchain is installed; every function in this group
# dispatches on SSL_LIBRARY.  The variable is set to an empty string when
# nothing usable is found, so the "missing implementation" branches below can
# report it (and a "set -u" caller does not abort on an unset name).
if [ -x "/usr/bin/openssl" ]; then
	SSL_LIBRARY=openssl
elif [ -x "/usr/bin/gen_key" ]; then
	# NOTE(review): gen_key/cert_req are the PolarSSL/mbed TLS programs; the
	# exact SSL_LIBRARY value used for them is not visible in this listing -
	# "polarssl" assumed, confirm against the case labels in the functions below.
	SSL_LIBRARY=polarssl
elif [ -x "/usr/bin/certtool" ]; then
	# certtool is GnuTLS' tool
	SSL_LIBRARY=gnutls
else
	SSL_LIBRARY=
fi
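## Print the commonName (CN) of a PEM certificate.
## @param filename path of the certificate file
## Prints nothing when the file does not exist (see
## get_ssl_certificate_subject_components) or when SSL_LIBRARY is unsupported.
## The openssl branch used to take awk's third whitespace-separated field of
## the "multiline" subject output, which cut a CN containing spaces after its
## first word; both branches now go through the subject-component helper and
## print the complete value.
get_ssl_certificate_cn() {
	local filename="$1"
	case "$SSL_LIBRARY" in
		openssl)
			# "lname" formatting yields long attribute names ("commonName <value>")
			get_ssl_certificate_subject_components "$filename" | sed -n 's/^commonName //p'
			;;
		gnutls)
			# certtool prints the short attribute names ("CN <value>")
			get_ssl_certificate_subject_components "$filename" | sed -n 's/^CN //p'
			;;
		*)
			msg_info "'get_ssl_certificate_cn': missing implementation for SSL library ('$SSL_LIBRARY')"
			;;
	esac
}


## Turn the output of "openssl ... -nameopt sep_multiline,lname -subject" into
## "<attribute> <value>" lines: drop the "subject=" header line, strip the
## indentation and replace the first "=" of each line with a space (only the
## first one, so a value may itself contain "=").
_filter_multiline_openssl_subject_output() {
	sed '/^subject=/d; s/^ *//; s/=/ /'
}


## Turn certtool's one-line "Subject:" value into "<attribute> <value>" lines,
## last component first (the order openssl prints).
## input:  admin@opennet-initiative.de,CN=2.210.aps.on,OU=users,O=Opennet Initiative e.V. / F23,ST=Mecklenburg-Vorpommern,C=de
## output:
##   C de
##   ST Mecklenburg-Vorpommern
##   O Opennet Initiative e.V. / F23
##   OU users
##   CN 2.210.aps.on
##   admin@opennet-initiative.de
## Caveat: the RDN string is not parsed - it is split on every ",", so a value
## that contains a comma (RFC 4514 escapes it as "\,") is split as well.
## Only the first "=" of a component becomes a space; the previous "tr '=' ' '"
## also mangled every "=" inside a value.
_filter_gnutls_subject_output() {
	# split into lines, separate name and value by a space, reverse the line
	# order ("1!G;h;$p" is the classic sed "tac" idiom)
	tr ',' '\n' | sed 's/=/ /' | sed -n '1!G;h;$p'
}


## Print the components of a certificate's subject, one per line, each line
## starting with the attribute name followed by a space and the value.
## @param filename path of the PEM certificate
## Prints nothing and returns 0 when the file does not exist - callers cannot
## tell "no file" from "empty subject" by the exit status.
## Example (openssl naming; certtool uses the short forms ST/O/OU/CN):
##   stateOrProvinceName Mecklenburg-Vorpommern
##   organizationName Foo Bar
##   organizationalUnitName users
##   commonName 1.23.aps.on
##   emailAddress foo@example.org
get_ssl_certificate_subject_components() {
	local filename="$1"
	[ -e "$filename" ] || return 0
	case "$SSL_LIBRARY" in
		openssl)
			openssl x509 -in "$filename" -nameopt sep_multiline,lname -subject -noout \
				| _filter_multiline_openssl_subject_output
			;;
		gnutls)
			certtool --certificate-info --infile "$filename" \
				| sed -n 's/^\s*Subject: *\(.*\)$/\1/p' \
				| _filter_gnutls_subject_output
			;;
		*)
			msg_info "'get_ssl_certificate_subject_components': missing implementation for SSL library ('$SSL_LIBRARY')"
			;;
	esac
}


## Print the components of a certificate signing request's subject.
## @param filename path of the PEM certificate request
## See get_ssl_certificate_subject_components for the output format and the
## silent return on a missing file.
get_ssl_csr_subject_components() {
	local filename="$1"
	[ -e "$filename" ] || return 0
	case "$SSL_LIBRARY" in
		openssl)
			openssl req -in "$filename" -nameopt sep_multiline,lname -subject -noout \
				| _filter_multiline_openssl_subject_output
			;;
		gnutls)
			certtool --crq-info --infile "$filename" \
				| sed -n 's/^\s*Subject: *\(.*\)$/\1/p' \
				| _filter_gnutls_subject_output
			;;
		*)
			msg_info "'get_ssl_csr_subject_components': missing implementation for SSL library ('$SSL_LIBRARY')"
			;;
	esac
}


## Print the "not after" date of a certificate.
## @param filename path of the PEM certificate
## Prints nothing and returns 0 when the file does not exist.
## Caveat: the date is printed verbatim in the tool's own format, which differs
## between openssl and certtool - it is not normalized here.
get_ssl_certificate_enddate() {
	local filename="$1"
	[ -e "$filename" ] || return 0
	case "$SSL_LIBRARY" in
		openssl)
			# "notAfter=<date>" -> everything after the first "="
			openssl x509 -in "$filename" -enddate -noout | cut -f 2- -d "="
			;;
		gnutls)
			certtool --certificate-info --infile "$filename" \
				| sed -n 's/^\s*Not After: *\(.*\)$/\1/p'
			;;
		*)
			msg_info "'get_ssl_certificate_enddate': missing implementation for SSL library ('$SSL_LIBRARY')"
			;;
	esac
}


## Print a fingerprint of the RSA modulus of a private key, a certificate
## request or a certificate, so the three can be matched against each other
## (same modulus -> same output).
## md5 is used purely as a short identity fingerprint of data we generated
## ourselves; it is not a security boundary and needs no collision resistance.
## @param filename path of the PEM object
## @param object_type one of "rsa" (private key), "req" (CSR), "x509" (certificate)
## Prints nothing and returns 0 when the file does not exist or the type is invalid.
get_ssl_object_hash() {
	local filename="$1"
	local object_type="$2"
	local modulus
	[ -e "$filename" ] || return 0
	# Allow-list the type before anything else: for openssl it becomes the
	# subcommand name, so it must never be passed through unchecked (previously
	# only the openssl branch validated it; the certtool branch did not).
	case "$object_type" in
		rsa|req|x509)
			;;
		*)
			msg_info "Requested invalid object type hash: '$object_type' (should be one of: rsa / req / x509)"
			return 0
			;;
	esac
	case "$SSL_LIBRARY" in
		openssl)
			# "Modulus=<uppercase hex>" -> hash of the hex digits (newline-terminated)
			openssl "$object_type" -in "$filename" -noout -modulus | cut -f 2- -d "=" | md5sum
			;;
		gnutls)
			# certtool prints the modulus colon-separated and wrapped over several
			# indented lines.  Reduce it to the form openssl prints (one line,
			# uppercase hex, no leading zeros) and hash it the same way, so the
			# output is comparable regardless of SSL_LIBRARY.  In the listing this
			# was taken from only the openssl branch applied md5sum.
			modulus=$(case "$object_type" in
				rsa)
					certtool --key-info --infile "$filename" \
						| sed '1,/^modulus:$/d; /^$/,$d; s/^\s*//'
					;;
				req)
					certtool --crq-info --infile "$filename" \
						| sed 's/^\s*//; 1,/^Modulus/d; /^Exponent/,$d'
					;;
				x509)
					certtool --certificate-info --infile "$filename" \
						| sed 's/^\s*//; 1,/^Modulus/d; /^Exponent/,$d'
					;;
			esac | tr -d ':\n' | sed 's/^0*//' | tr 'a-z' 'A-Z')
			printf '%s\n' "$modulus" | md5sum
			;;
		*)
			msg_info "'get_ssl_object_hash': missing implementation for SSL library ('$SSL_LIBRARY')"
			;;
	esac
}


## Generate an RSA private key.
## @param filename destination path of the key
## @param num_bits key size in bits (default: 2048; smaller values are not rejected here)
## The key is written to a mktemp file (created with mode 0600) and moved into
## place afterwards, so a half-written key never sits at the final path; the
## tools write into that existing file and mv preserves its mode, so the key
## keeps the restrictive permissions (confirm with the tool versions in use).
## Previously the move happened even when no SSL library matched, replacing an
## existing key with an empty file; that case now cleans up and returns 1.
generate_ssl_key() {
	local filename="$1"
	local num_bits="${2:-2048}"
	local tmp_filename
	tmp_filename=$(mktemp)
	case "$SSL_LIBRARY" in
		openssl)
			openssl genrsa -out "$tmp_filename" "$num_bits"
			;;
		polarssl)
			# NOTE(review): SSL_LIBRARY value for the gen_key tool assumed - confirm
			gen_key type=rsa rsa_keysize="$num_bits" filename="$tmp_filename"
			;;
		*)
			msg_info "'generate_ssl_key': missing implementation for SSL library ('$SSL_LIBRARY')"
			rm -f "$tmp_filename"
			# same failure idiom as generate_ssl_certificate_request: silence the
			# EXIT trap this file appears to rely on, then report failure
			trap "" EXIT && return 1
			;;
	esac
	mv "$tmp_filename" "$filename"
}


## Create a certificate signing request for an existing private key.
## @param filename destination path of the CSR
## @param existing_key_filename private key the request is made for
## @param attribute_country C
## @param attribute_province ST
## @param attribute_locality L
## @param attribute_organizational_unit OU
## @param attribute_organization_name O
## @param attribute_cn CN
## @param attribute_email emailAddress
## The subject attributes reach openssl through environment variables that
## /etc/ssl/on_openssl.cnf is expected to read; they are never interpolated
## into a command line, so arbitrary attribute text cannot inject shell words
## or openssl options.  The cert_req branch only carries the CN; the other
## attributes are dropped there.
## Returns 1 (after silencing the EXIT trap, like the rest of this file) when
## the key file is missing or no SSL library is usable; the destination file
## is left untouched in both cases.  Previously the temp file was created
## before the key check (leaked on that path) and the move ran even when no
## library matched (clobbering the destination with an empty file).
generate_ssl_certificate_request() {
	local filename="$1"
	local existing_key_filename="$2"
	local attribute_country="$3"
	local attribute_province="$4"
	local attribute_locality="$5"
	local attribute_organizational_unit="$6"
	local attribute_organization_name="$7"
	local attribute_cn="$8"
	local attribute_email="$9"
	local tmp_filename
	if [ ! -e "$existing_key_filename" ]; then
		msg_info "Failed to create certificate request due to missing key file: $existing_key_filename"
		trap "" EXIT && return 1
	fi
	tmp_filename=$(mktemp)
	case "$SSL_LIBRARY" in
		openssl)
			openssl_countryName="$attribute_country" \
			openssl_provinceName="$attribute_province" \
			openssl_localityName="$attribute_locality" \
			openssl_organizationalUnitName="$attribute_organizational_unit" \
			openssl_organizationName="$attribute_organization_name" \
			openssl_commonName="$attribute_cn" \
			openssl_EmailAddress="$attribute_email" \
			openssl req -config /etc/ssl/on_openssl.cnf -batch -nodes -new \
				-key "$existing_key_filename" \
				-out "$tmp_filename"
			;;
		polarssl)
			# NOTE(review): SSL_LIBRARY value for the cert_req tool assumed - confirm.
			# NOTE(review): mbed TLS' cert_req documents subject_name as a full DN
			# ("CN=..,O=..,C=.."); a bare CN is passed here - confirm the tool accepts it.
			cert_req filename="$existing_key_filename" \
				output_file="$tmp_filename" \
				subject_name="$attribute_cn"
			;;
		*)
			msg_info "Requested invalid SSL library: '$SSL_LIBRARY' (maybe missing?)"
			rm -f "$tmp_filename"
			trap "" EXIT && return 1
			;;
	esac
	mv "$tmp_filename" "$filename"
}

# End of the documentation group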
msg_info(message)
Writes informational and error messages to syslog.
set eu on function print_services services log for dir in etc on services d var on services volatile d