pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkg_install-renovation]: pkgsrc/pkgtools/pkg_install/files/x509 Get t...
details: https://anonhg.NetBSD.org/pkgsrc/rev/16a6e68edba5
branches: pkg_install-renovation
changeset: 541592:16a6e68edba5
user: joerg <joerg%pkgsrc.org@localhost>
date: Wed Aug 06 23:51:32 2008 +0000
description:
Get the OpenSSL setup to create a simple CA, pkg-vulnerabilities signing
and package signing keys under version control.
diffstat:
pkgtools/pkg_install/files/x509/pkgsrc.cnf | 136 +++++++++++++++++++++++++++++
pkgtools/pkg_install/files/x509/pkgsrc.sh | 63 +++++++++++++
2 files changed, 199 insertions(+), 0 deletions(-)
diffs (207 lines):
diff -r faaaef9ec320 -r 16a6e68edba5 pkgtools/pkg_install/files/x509/pkgsrc.cnf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.cnf Wed Aug 06 23:51:32 2008 +0000
@@ -0,0 +1,136 @@
+# $NetBSD: pkgsrc.cnf,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+# OpenSSL sample configuration file for use by pkgsrc.sh
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./pkgsrc # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha1
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ pkgkey ]
+nsComment = "Certificate for binary pkgsrc packages"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+extendedKeyUsage = codeSigning, emailProtection
+
+[ pkgsec ]
+nsComment = "Certificate for pkg-vulnerabilities"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
diff -r faaaef9ec320 -r 16a6e68edba5 pkgtools/pkg_install/files/x509/pkgsrc.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.sh Wed Aug 06 23:51:32 2008 +0000
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $NetBSD: pkgsrc.sh,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+
+CA="openssl ca -config pkgsrc.cnf"
+REQ="openssl req -config pkgsrc.cnf"
+
+set -e
+
+new_ca() {
+ if [ -f $1/serial ]; then
+ echo "CA already exists, exiting" >& 2
+ exit 1
+ fi
+
+ mkdir -p $1/certs $1/crl $1/newcerts $1/private
+ echo "00" > $1/serial
+ touch $1/index.txt
+
+ echo "Making CA certificate ..."
+ $REQ -new -keyout $1/private/cakey.pem \
+ -out $1/careq.pem
+ $CA -out $1/cacert.pem -batch \
+ -keyfile $1/private/cakey.pem -selfsign \
+ -infiles $1/careq.pem
+}
+
+new_pkgkey() {
+ $REQ -new -keyout pkgkey_key.pem -out pkgkey_req.pem
+ $CA -extensions pkgkey -policy policy_match -out pkgkey_cert.pem.pem -infiles pkgkey_req.pem
+ rm pkgkey_req.pem
+ echo "Signed certificate is in pkgkey_cert.pem.pem, key in pkgkey_key.pem"
+}
+
+new_pkgsec() {
+ $REQ -new -keyout pkgsec_key.pem -out pkgsec_req.pem
+ $CA -extensions pkgsec -policy policy_match -out pkgsec_cert.pem.pem -infiles pkgsec_req.pem
+ rm pkgsec_req.pem
+ echo "Signed certificate is in pkgsec_cert.pem.pem, key in pkgsec_key.pem"
+}
+
+usage() {
+ echo "$0:"
+ echo "setup - create new CA in ./pkgsrc for use by pkg_install"
+ echo "pkgkey - create and sign a certificate for binary packages"
+ echo "pkgsec - create and sign a certificate for pkg-vulnerabilities"
+}
+
+case "$1" in
+setup)
+ new_ca ./pkgsrc
+ ;;
+pkgkey)
+ new_pkgkey
+ ;;
+pkgsec)
+ new_pkgsec
+ ;;
+*)
+ usage
+ ;;
+esac
Home |
Main Index |
Thread Index |
Old Index