[pkgsrc/pkg_install-renovation]: pkgsrc/pkgtools/pkg_install/files/x509 Get t...

[joerg <joerg%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/16a6e68edba5
branches:  pkg_install-renovation
changeset: 541592:16a6e68edba5
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Wed Aug 06 23:51:32 2008 +0000

description:
Get the OpenSSL setup to create a simple CA, pkg-vulnerabilities signing
and package signing keys under version control.

diffstat:

 pkgtools/pkg_install/files/x509/pkgsrc.cnf |  136 +++++++++++++++++++++++++++++
 pkgtools/pkg_install/files/x509/pkgsrc.sh  |   63 +++++++++++++
 2 files changed, 199 insertions(+), 0 deletions(-)

diffs (207 lines):

diff -r faaaef9ec320 -r 16a6e68edba5 pkgtools/pkg_install/files/x509/pkgsrc.cnf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.cnf        Wed Aug 06 23:51:32 2008 +0000
@@ -0,0 +1,136 @@
+# $NetBSD: pkgsrc.cnf,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+# OpenSSL sample configuration file for use by pkgsrc.sh
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                   = .
+RANDFILE               = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca     = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir            = ./pkgsrc              # Where everything is kept
+certs          = $dir/certs            # Where the issued certs are kept
+crl_dir                = $dir/crl              # Where the issued crl are kept
+database       = $dir/index.txt        # database index file.
+#unique_subject        = no                    # Set to 'no' to allow creation of
+                                       # several ctificates with same subject.
+new_certs_dir  = $dir/newcerts         # default place for new certs.
+
+certificate    = $dir/cacert.pem       # The CA certificate
+serial         = $dir/serial           # The current serial number
+crlnumber      = $dir/crlnumber        # the current crl number
+                                       # must be commented out to leave a V1 CRL
+crl            = $dir/crl.pem          # The current CRL
+private_key    = $dir/private/cakey.pem# The private key
+RANDFILE       = $dir/private/.rand    # private random number file
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt       = ca_default            # Subject Name options
+cert_opt       = ca_default            # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions       = crl_ext
+
+default_days   = 365                   # how long to certify for
+default_crl_days= 30                   # how long before next CRL
+default_md     = default               # use public key default MD
+preserve       = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy         = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName            = match
+stateOrProvinceName    = match
+organizationName       = match
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+####################################################################
+[ req ]
+default_bits           = 2048
+default_keyfile        = privkey.pem
+default_md             = sha1
+distinguished_name     = req_distinguished_name
+x509_extensions        = v3_ca # The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = AU
+countryName_min                        = 2
+countryName_max                        = 2
+
+stateOrProvinceName            = State or Province Name (full name)
+stateOrProvinceName_default    = Some-State
+
+localityName                   = Locality Name (eg, city)
+
+0.organizationName             = Organization Name (eg, company)
+0.organizationName_default     = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName            = Second Organization Name (eg, company)
+#1.organizationName_default    = World Wide Web Pty Ltd
+
+organizationalUnitName         = Organizational Unit Name (eg, section)
+#organizationalUnitName_default        =
+
+commonName                     = Common Name (eg, YOUR name)
+commonName_max                 = 64
+
+emailAddress                   = Email Address
+emailAddress_max               = 64
+
+[ pkgkey ]
+nsComment                      = "Certificate for binary pkgsrc packages"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+extendedKeyUsage = codeSigning, emailProtection
+
+[ pkgsec ]
+nsComment                      = "Certificate for pkg-vulnerabilities"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
diff -r faaaef9ec320 -r 16a6e68edba5 pkgtools/pkg_install/files/x509/pkgsrc.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/pkgtools/pkg_install/files/x509/pkgsrc.sh Wed Aug 06 23:51:32 2008 +0000
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $NetBSD: pkgsrc.sh,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+
+CA="openssl ca -config pkgsrc.cnf"
+REQ="openssl req -config pkgsrc.cnf"
+
+set -e
+
+new_ca() {
+       if [ -f $1/serial ]; then
+               echo "CA already exists, exiting" >& 2
+               exit 1
+       fi
+
+       mkdir -p $1/certs $1/crl $1/newcerts $1/private
+       echo "00" > $1/serial
+       touch $1/index.txt
+
+       echo "Making CA certificate ..."
+       $REQ -new -keyout $1/private/cakey.pem \
+                  -out $1/careq.pem
+       $CA -out $1/cacert.pem -batch \
+                  -keyfile $1/private/cakey.pem -selfsign \
+                  -infiles $1/careq.pem
+}
+
+new_pkgkey() {
+       $REQ -new -keyout pkgkey_key.pem -out pkgkey_req.pem
+       $CA -extensions pkgkey -policy policy_match -out pkgkey_cert.pem.pem -infiles pkgkey_req.pem
+       rm pkgkey_req.pem
+       echo "Signed certificate is in pkgkey_cert.pem.pem, key in pkgkey_key.pem"
+}
+
+new_pkgsec() {
+       $REQ -new -keyout pkgsec_key.pem -out pkgsec_req.pem
+       $CA -extensions pkgsec -policy policy_match -out pkgsec_cert.pem.pem -infiles pkgsec_req.pem
+       rm pkgsec_req.pem
+       echo "Signed certificate is in pkgsec_cert.pem.pem, key in pkgsec_key.pem"
+}
+
+usage() {
+       echo "$0:"
+       echo "setup - create new CA in ./pkgsrc for use by pkg_install"
+       echo "pkgkey - create and sign a certificate for binary packages"
+       echo "pkgsec - create and sign a certificate for pkg-vulnerabilities"
+}
+
+case "$1" in
+setup)
+       new_ca ./pkgsrc
+       ;;
+pkgkey)
+       new_pkgkey
+       ;;
+pkgsec)
+       new_pkgsec
+       ;;
+*)
+       usage
+       ;;
+esac