/usr/sbin/cipux_mkcertkey is in cipux-rpc-tools 3.4.0.9-3.1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 | #!/usr/bin/perl -wT
# +=======================================================================+
# || cipux_mkcertkey ||
# || ||
# || Create a TLS certificate for stunnel. To change the default ||
# || settings, edit /etc/cipux/cipux-cert.conf ||
# || ||
# || Copyright (C) 2008 by Christian Kuelker. All rights reserved. ||
# || ||
# || License: GNU General Public License - GNU GPL - version 2 ||
# || or (at your opinion) any later version. ||
# || ||
# +=======================================================================+
# ID: $Id$
# Revision: $Revision$
# Head URL: $HeadURL$
# Date: $Date$
# Source: $Source$
use strict;
use warnings;
use 5.008001;
use re 'taint'; # Keep data captured by parens tainted
use Carp;
use CipUX;
use File::stat;
use Cwd;
use POSIX qw(sysconf _PC_CHOWN_RESTRICTED);
use Readonly;
use Fatal qw(open close);
use English qw( -no_match_vars);
use version; our $VERSION = qv('3.4.0.0');
# +=======================================================================+
# || GLOBAL CONSTANTS ||
# +=======================================================================+
delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
Readonly::Scalar my $EMPTY_STRING => q{};
Readonly::Scalar my $SCRIPT => 'cipux_mkcertkey';
Readonly::Scalar my $OPENSSLBIN => '/usr/bin/openssl';
Readonly::Scalar my $CERTCONF => '/etc/cipux/stunnel-cert.conf';
Readonly::Scalar my $KEYDIR => '/etc/cipux/stunnel';
Readonly::Scalar my $KEY => $KEYDIR . '/stunnel-key.pem';
Readonly::Scalar my $CERT => $KEYDIR . '/stunnel-cert.pem';
Readonly::Scalar my $S4USER => 'stunnel4';
Readonly::Scalar my $SOME_ELSE_CAN_WRITE => oct 22; # 022
Readonly::Scalar my $STICKY_BIT => oct 1000; # 01000
# +=======================================================================+
# || GLOBAL VARS ||
# +=======================================================================+
my $debug = 0;
# +=======================================================================+
# || TESTS ||
# +=======================================================================+
# test if we have some tiny configuration file
if ( not -e $CERTCONF ) {
croak 'Cannot find certificate configuration: ' . $CERTCONF . "\n";
}
# test if we have some tool for creating the cert
if ( not -x $OPENSSLBIN ) {
croak 'Cannot find openssl executable: ' . $OPENSSLBIN . "\n";
}
# test if there is a sneaky dir for storing certs
if ( not -d $KEYDIR ) {
croak 'Directory to store certs do not exist: ' . $KEYDIR . "\n";
}
# test if KEY dir is save: mode 700, owner root
if ( not is_verysafe($KEYDIR) ) {
my $msg = 'Directory to store certs is not save!';
$msg .= ' Should be for example: drwx------ 2 root root';
$msg .= ' 4096 2008-04-17 21:15 /etc/cipux/stunnel ';
croak $msg . "\n";
}
# +=======================================================================+
# || GENERATE CERT ||
# +=======================================================================+
# +=======================================================================+
# || ||
# +=======================================================================+
# openssl req -new -x509 -nodes -days 365
# -out stunnel.pem -keyout stunnel.pem
my $cmd = $OPENSSLBIN . ' req -new -x509 -nodes ';
$cmd .= ' -config ' . $CERTCONF . ' -out ' . $CERT;
$cmd .= ' -keyout ' . $KEY;
open my $cert, q{|-}, $cmd
or croak 'Cannot execute ' . $cmd . "\n";
my @out = <$cert>;
close $cert or croak "Can not close $cmd \n";
# print out errors or other stuff in clean untainted manner:
my $C = CipUX->new( { debug => $debug } );
foreach my $line (@out) {
chomp $line;
$C->l($line);
print $line . "\n" or croak 'Can not print to STDOUT!';
}
# change owner
my ( $login, $pass, $uid, $gid ) = getpwnam $S4USER
or croak "$S4USER not known to the system!";
chown $uid, $gid, $KEY;
chown $uid, $gid, $CERT;
# change file mode
my $mode = '0600';
chmod oct($mode), $KEY;
chmod oct($mode), $CERT;
# change owner KYEDIR
chown $uid, $gid, $KEYDIR;
exit 0;
sub is_safe {
my $path = shift;
my $info = stat $path;
return if not $info;
# owner neither superuser nor me
# the real uid is in stored in the $< variable or ($REAL_USER_ID)
if ( ( $info->uid != 0 ) && ( $info->uid != $REAL_USER_ID ) ) {
return 0;
}
# check whether group or other can write file.
# use 066 to detect either reading or writing
if ( $info->mode & $SOME_ELSE_CAN_WRITE ) { # someone else can write this
return 0 if not -d _; # non-directories aren't safe
# but directories with the sticky bit (01000) are
return 0 if not( $info->mode & $STICKY_BIT );
}
return 1;
}
sub is_verysafe {
my $path = shift;
return is_safe($path) if sysconf(_PC_CHOWN_RESTRICTED);
if ( $path !~ m{^/}xms ) {
$path = getcwd() . q{/} . $path;
}
while ( length $path ) {
return if not is_safe($path);
$path =~ s{([^/]+|/)$}{}xms; # dirname
if ( length($path) > 1 ) {
$path =~ s{/$}{}xms;
}
}
return 1;
}
__END__
#===========================================================================
#==== Documentation ========================================================
#===========================================================================
=pod
=head1 NAME
cipux_mkcertkey - simple script to generate certificate for stunnel
=head1 VERSION
version 3.4.0.0
=head1 SYNOPSIS
cipux_mkcertkey
=head1 REQUIRED ARGUMENTS
None.
=head1 ABSTRACT
In order to add security to your XML-RPC server you should generate a
certificate. This script shows a simple method to do that. You have to take the
responsibility by yourself to make sure you understand what you do.
=head1 DESCRIPTION
Generates a certificate and a key in /etc/cipux/stunnel.
=head1 USAGE
cipux_mkcertkey
=head1 OPTIONS
None.
=head1 CERTIFICATE
Each SSL enabled XML-RPC server needs to present a valid X.509 certificate to
the peer and it also needs a private key to decrypt the incoming data. The
easiest way to obtain a certificate and a key is to generate them with the free
openssl package. You can find more information on certificates generation
below. The certificates must be in PEM format and must be sorted starting with
the certificate to the highest level (root CA)
Two things are important when generating the certificate-key pairs.
(1) Because the server has no way to obtain the password from the user, the
private key cannot be encrypted. To create an unencrypted key add the "-nodes"
option when running the req command from the openssl kit.
(2) The order of contents of the .pem file is also important. It should contain
the unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
This can be stored in one file or in two files. This script stores the in to
files to have the flexibility to use the certificate in other location. This to
files will be created:
stunnel-cert.pem
stunnel-key.pem
=head1 DIAGNOSTICS
TODO: write explanations to the messages.
=over
=item C<< Cannot find certificate configuration: %s >>
=item C<< Cannot find openssl executable: %s >>
=item C<< Directory to store certs do not exist: %s >>
=item C<< Directory to store certs is not save!... >>
Directory to store certs is not save!
Should be for example:
drwx------ 2 root root 4096 2008-04-17 21:15 /etc/cipux/stunnel
=item C<< Cannot execute %s >>
=item C<< Can not close %s >>
=item C<< Can not print to STDOUT! >>
=item C<< %s not known to the system! >>
=back
=head1 CONFIGURATION
TODO.
=head1 DEPENDENCIES
Carp
CipUX
File::stat
Cwd
POSIX
Readonly
Fatal
English
version
=head1 INCOMPATIBILITIES
Not known.
=head1 BUGS AND LIMITATIONS
Not known.
=head1 SEE ALSO
See the CipUX webpage and the manual at L<http://www.cipux.org>
See the mailing list L<http://sympa.cipworx.org/wws/info/cipux-devel>
=head1 AUTHOR
Christian Kuelker E<lt>christian.kuelker@cipworx.orgE<gt>
=head1 LICENSE AND COPYRIGHT
Copyright (C) 2008 by Christian Kuelker
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA
=cut
|