1## @defgroup on-ssl SSL-Werkzeuge
2## @brief Erzeugung und Verwaltung von Schlüsseln, Zertifikaten und Zertifikatsanfragen
3# Beginn der Doku-Gruppe
6if [ -x
"/usr/bin/openssl" ]; then
8elif [ -x
"/usr/bin/gen_key" ]; then
10elif [ -x
"/usr/bin/certtool" ]; then
16get_ssl_certificate_cn() {
18 case "$SSL_LIBRARY" in
20 openssl x509 -in
"$filename" -subject -nameopt multiline -noout \
21 | awk
'/commonName/ {print $3}'
24 get_ssl_certificate_subject_components
"$filename" | sed -n
's/^CN //p'
27 msg_info "'get_ssl_certificate_cn': missing implementation for SSL library ('$SSL_LIBRARY')"
33_filter_multiline_openssl_subject_output() {
34 sed
'/^subject=/d; s/^ *//; s/=/ /'
38# input: admin@opennet-initiative.de,CN=2.210.aps.on,OU=users,O=Opennet Initiative e.V. / F23,ST=Mecklenburg-Vorpommern,C=de
41# ST Mecklenburg-Vorpommern
42# O Opennet Initiative e.V. / F23
45# admin@opennet-initiative.de
46_filter_gnutls_subject_output() {
47 # split into lines, separate by space, reverse order of lines
48 tr
',' '\n' | tr
'=' ' ' | sed -n
'1!G;h;$p'
52# return the components of a certificate's subject
53# Each resulting line starts with the name of the component followed by a space and the value.
56# stateOrProvinceName Mecklenburg-Vorpommern
57# organizationName Foo Bar
58# organizationalUnitName users
59# commonName 1.23.aps.on
60# emailAddress foo@example.org
61get_ssl_certificate_subject_components() {
63 [ -e
"$filename" ] ||
return 0
64 case "$SSL_LIBRARY" in
66 openssl x509 -nameopt sep_multiline,lname -subject -noout | _filter_multiline_openssl_subject_output
69 certtool --certificate-info | sed -n
's/^\s*Subject: *\(.*\)$/\1/p' | _filter_gnutls_subject_output
72 msg_info "'get_ssl_certificate_subject_components': missing implementation for SSL library ('$SSL_LIBRARY')"
78# see "get_ssl_certificate_subject_components" for the output format
79get_ssl_csr_subject_components() {
81 [ -e
"$filename" ] ||
return 0
82 case "$SSL_LIBRARY" in
84 openssl req -nameopt sep_multiline,lname -subject -noout | _filter_multiline_openssl_subject_output
87 certtool --crq-info | sed -n
's/^\s*Subject: *\(.*\)$/\1/p' | _filter_gnutls_subject_output
90 msg_info "'get_ssl_csr_subject_components': missing implementation for SSL library ('$SSL_LIBRARY')"
96get_ssl_certificate_enddate() {
98 [ -e
"$filename" ] ||
return 0
99 case "$SSL_LIBRARY" in
101 openssl x509 -enddate -noout | cut -f 2- -
d "="
104 certtool --certificate-info | sed -n
's/^\s*Not After: *\(.*\)$/\1/p'
107 msg_info "'get_ssl_certificate_enddate': missing implementation for SSL library ('$SSL_LIBRARY')"
113get_ssl_object_hash() {
115 local object_type=
"$2"
116 [ -e
"$filename" ] ||
return 0
117 case "$SSL_LIBRARY" in
119 case "$object_type" in
121 openssl
"$object_type" -noout -modulus | cut -f 2- -
d "=" | md5sum
124 msg_info "Requested invalid object type hash: '$object_type' (should be one of: rsa / req / x509)"
129 # shellcheck disable=SC2018,SC2019
130 case "$object_type" in
132 certtool --
key-info \
133 | sed
'1,/^modulus:$/d; /^$/,$d; s/^\s*//'
136 certtool --crq-info \
137 | sed
's/^\s*//; 1,/^Modulus/d; /^Exponent/,$d'
140 certtool --certificate-info \
141 | sed
's/^\s*//; 1,/^Modulus/d; /^Exponent/,$d'
143 esac | tr -
d ':\n' | sed
's/^0*//' | tr
'a-z' 'A-Z'
146 msg_info "'get_ssl_object_hash': missing implementation for SSL library ('$SSL_LIBRARY')"
154 local num_bits=
"${2:-2048}"
156 tmp_filename=
$(mktemp)
157 case "$SSL_LIBRARY" in
159 openssl genrsa -out
"$tmp_filename" "$num_bits"
162 gen_key type=rsa rsa_keysize=
"$num_bits" filename=
"$tmp_filename"
165 msg_info "'generate_ssl_key': missing implementation for SSL library ('$SSL_LIBRARY')"
168 mv
"$tmp_filename" "$filename"
172generate_ssl_certificate_request() {
174 local existing_key_filename=
"$2"
175 local attribute_country=
"$3"
176 local attribute_province=
"$4"
177 local attribute_locality=
"$5"
178 local attribute_organizational_unit=
"$6"
179 local attribute_organization_name=
"$7"
180 local attribute_cn=
"$8"
181 local attribute_email=
"$9"
183 tmp_filename=
$(mktemp)
184 if [ ! -e
"$existing_key_filename" ]; then
185 msg_info "Failed to create certificate request due to missing key file: $existing_key_filename"
186 trap
"" EXIT &&
return 1
188 case "$SSL_LIBRARY" in
190 openssl_countryName=
"$attribute_country" \
191 openssl_provinceName=
"$attribute_province" \
192 openssl_localityName=
"$attribute_locality" \
193 openssl_organizationalUnitName=
"$attribute_organizational_unit" \
194 openssl_organizationName=
"$attribute_organization_name" \
195 openssl_commonName=
"$attribute_cn" \
196 openssl_EmailAddress=
"$attribute_email" \
197 openssl req -config /etc/ssl/on_openssl.cnf -batch -nodes -
new \
198 -
key "$existing_key_filename" \
202 cert_req filename=
"$existing_key_filename" \
203 output_file=
"$tmp_filename" \
204 subject_name=
"$attribute_cn"
207 msg_info "Requested invalid SSL library: '$SSL_LIBRARY' (maybe missing?)"
211 mv
"$tmp_filename" "$filename"
214# Ende der Doku-Gruppe
msg_info(message)
Informationen und Fehlermeldungen ins syslog schreiben.
set eu on function print_services services log for dir in etc on services d var on services volatile d
1.9.4