]> git.saurik.com Git - apple/network_cmds.git/blob - unbound/smallapp/unbound-control-setup.sh.in
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-543.tar.gz
[apple/network_cmds.git] / unbound / smallapp / unbound-control-setup.sh.in
1 #!/bin/sh
2 #
3 # unbound-control-setup.sh - set up SSL certificates for unbound-control
4 #
5 # Copyright (c) 2008, NLnet Labs. All rights reserved.
6 #
7 # This software is open source.
8 #
9 # Redistribution and use in source and binary forms, with or without
10 # modification, are permitted provided that the following conditions
11 # are met:
12 #
13 # Redistributions of source code must retain the above copyright notice,
14 # this list of conditions and the following disclaimer.
15 #
16 # Redistributions in binary form must reproduce the above copyright notice,
17 # this list of conditions and the following disclaimer in the documentation
18 # and/or other materials provided with the distribution.
19 #
20 # Neither the name of the NLNET LABS nor the names of its contributors may
21 # be used to endorse or promote products derived from this software without
22 # specific prior written permission.
23 #
24 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
27 # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
28 # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
29 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
30 # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
31 # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
32 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
33 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
34 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35
36 # settings:
37
38 # directory for files
39 prefix=@prefix@
40 DESTDIR=@sysconfdir@/unbound
41
42 # issuer and subject name for certificates
43 SERVERNAME=unbound
44 CLIENTNAME=unbound-control
45
46 # validity period for certificates
47 DAYS=7200
48
49 # size of keys in bits
50 BITS=1536
51
52 # hash algorithm
53 HASH=sha256
54
55 # base name for unbound server keys
56 SVR_BASE=unbound_server
57
58 # base name for unbound-control keys
59 CTL_BASE=unbound_control
60
61 # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
62 umask 0027
63
64 # end of options
65
66 # functions:
67 error ( ) {
68 echo "$0 fatal error: $1"
69 exit 1
70 }
71
72 # check arguments:
73 while test $# -ne 0; do
74 case $1 in
75 -d)
76 if test $# -eq 1; then error "need argument for -d"; fi
77 DESTDIR="$2"
78 shift
79 ;;
80 *)
81 echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
82 echo " -d dir use directory to store keys and certificates."
83 echo " default: $DESTDIR"
84 echo "please run this command using the same user id that the "
85 echo "unbound daemon uses, it needs read privileges."
86 exit 1
87 ;;
88 esac
89 shift
90 done
91
92 # go!:
93 echo "setup in directory $DESTDIR"
94 cd "$DESTDIR" || error "could not cd to $DESTDIR"
95
96 # create certificate keys; do not recreate if they already exist.
97 if test -f $SVR_BASE.key; then
98 echo "$SVR_BASE.key exists"
99 else
100 echo "generating $SVR_BASE.key"
101 openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
102 fi
103 if test -f $CTL_BASE.key; then
104 echo "$CTL_BASE.key exists"
105 else
106 echo "generating $CTL_BASE.key"
107 openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
108 fi
109
110 # create self-signed cert for server
111 cat >request.cfg <<EOF
112 [req]
113 default_bits=$BITS
114 default_md=$HASH
115 prompt=no
116 distinguished_name=req_distinguished_name
117
118 [req_distinguished_name]
119 commonName=$SERVERNAME
120 EOF
121 test -f request.cfg || error "could not create request.cfg"
122
123 echo "create $SVR_BASE.pem (self signed certificate)"
124 openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
125 # create trusted usage pem
126 openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
127
128 # create client request and sign it, piped
129 cat >request.cfg <<EOF
130 [req]
131 default_bits=$BITS
132 default_md=$HASH
133 prompt=no
134 distinguished_name=req_distinguished_name
135
136 [req_distinguished_name]
137 commonName=$CLIENTNAME
138 EOF
139 test -f request.cfg || error "could not create request.cfg"
140
141 echo "create $CTL_BASE.pem (signed client certificate)"
142 openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
143 test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
144 # create trusted usage pem
145 # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
146
147 # see details with openssl x509 -noout -text < $SVR_BASE.pem
148 # echo "create $CTL_BASE""_browser.pfx (web client certificate)"
149 # echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
150 # echo "preferences - advanced - encryption - view certificates - your certs"
151 # echo "empty password is used, simply click OK on the password dialog box."
152 # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
153
154 # remove unused permissions
155 chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
156
157 # remove crap
158 rm -f request.cfg
159 rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
160
161 echo "Setup success. Certificates created. Enable in unbound.conf file to use"
162
163 exit 0
mirror of network_cmds