new: [ca] completed charm.

A new ``mkcrt`` script is provided handling ``--server`` and
``--altname``.

precise/ca/hooks/install

@@ -2,45 +2,97 @@
 
 set -eux # -x for verbose logging to juju debug-log
 
+apt-get install -y --force-yes kal-manage  ## this is for ``mkcrt``
 
-apt-get install -y --force-yes kal-manage expect  ## this is for ``mkcrt``
+CA_SUBJECT=${CA_SUBJECT:-/C=FR/ST=France/O=Kalysto/CN=kal.fr/emailAddress=ca@kal.fr}
 
 
-mkdir -p /etc/ssl/ca
-chmod 700 /etc/ssl/ca
+cat <<EOF > /etc/default/ca
+CA_DATA="/var/lib/ca"
+CA_DIR="\$CA_DATA"  ## avoid regexp chars please and '%' as it is concated in a regexp.
+OPENSSL_CONF_FILE=/etc/ssl/openssl.cnf
+PERL_CA_SCRIPT=/usr/lib/ssl/misc/CA.pl
 
-## default location of files to manage the certificate of authority
-sed -ri 's%./demoCA%/etc/ssl/ca%g' /etc/ssl/openssl.cnf
-## default validity period for a certificate extended to 10 years
-sed -ri 's%(default_days\s*= *)365%\13650%g' /etc/ssl/openssl.cnf
+CA_PASSWORD_FILE="\$CA_DIR/password"
 
-## And edit: /usr/lib/ssl/misc/CA.pl
-sed -ri 's%./demoCA%/etc/ssl/ca%g'   /usr/lib/ssl/misc/CA.pl
-sed -ri 's%-days 365%-days 3650%g'   /usr/lib/ssl/misc/CA.pl
-sed -ri 's%-days 1095%-days 10950%g' /usr/lib/ssl/misc/CA.pl
 
+## SSL subject defaults
+COUNTRY=${COUNTRY:-FR}
+STATE=${STATE:-France}
+ORGANISATION=${ORGANISATION:-Kalysto}
+## 20 years = 7300 days
+## 10 years = 3650 days
+## 3 years  = 1095 days
+DAYS=${DAYS:-3650}
 
-ca="/etc/ssl/ca"
+EOF
 
-# from /usr/lib/ssl/misc/CA.pl -newca
-mkdir $ca/{certs,crl,newcerts,private}
-touch $ca/index.txt
-echo "01" > $ca/crlnumber
 
+##
+## Setup CA configuration
+##
 
-## Will require to set the CA password, and some general INFO.
-#openssl req -new -keyout $ca/private/cakey.pem -out $ca/careq.pem
+. /etc/default/ca
 
-##
-#openssl ca -create_serial -out $ca/cacert.pem -days 10950 -batch -keyfile $ca/private/cakey.pem -selfsign -extensions v3_ca -infiles $ca/careq.pem
+mkdir -p "$CA_DIR"
+chmod 700 "$CA_DIR"
+
+## default location of files to manage the certificate of authority
+sed -ri 's%./demoCA%'$CA_DATA'%g' "$OPENSSL_CONF_FILE"
+## default validity period for a certificate extended to 20 years
+## Gosh, this is anyway a self-signed certificate, why the hell would
+## we want to go through all the hassles of re-issuing EVERY certificate
+## ever signed by this authority ?
+sed -ri 's%(default_days\s*= *)365%\7300%g' "$OPENSSL_CONF_FILE"
+
+## And edit: "$PERL_CA_SCRIPT"
+sed -ri "s%./demoCA%$CA_DATA%g"  "$PERL_CA_SCRIPT"
+sed -ri 's%-days 365%-days 7300%g'  "$PERL_CA_SCRIPT"
+sed -ri 's%-days 1095%-days 7300%g' "$PERL_CA_SCRIPT"
+
+## Creating root CA password
+CA_PASSWORD_FILE="$CA_DIR/password"
+touch "$CA_PASSWORD_FILE"
+chmod go-rwx "$CA_PASSWORD_FILE"
+openssl rand -base64 32 | cut -c -32 > "$CA_PASSWORD_FILE"
+
+## from "$PERL_CA_SCRIPT" -newca
+mkdir -p "$CA_DIR/"{certs,crl,newcerts,private}
+touch "$CA_DIR/index.txt"
+echo "01" > "$CA_DIR/crlnumber"
+
+## Create the request
+openssl req -new \
+        -keyout "$CA_DIR/private/cakey.pem" \
+        -out "$CA_DIR/careq.pem" \
+        -subj "$CA_SUBJECT" \
+        -passout file:"$CA_PASSWORD_FILE"
+
+## Self-Sign request
+openssl ca -create_serial \
+        -out "$CA_DIR/cacert.pem" \
+        -days 7300 \
+        -batch \
+        -keyfile "$CA_DIR/private/cakey.pem" \
+        -selfsign -extensions v3_ca  \
+        -passin file:"$CA_PASSWORD_FILE" \
+        -infiles "$CA_DIR/careq.pem"
+
+## Creating dh file (why ? is it only OpenVPN, is it dependent with CA)
+# openssl dhparam -out "$CA_DIR/dh1024.pem" 1024
 
 
+##
+## Prepare data side
+##
 
+mkdir -p "$CA_DATA/keys"
+chmod 700 "$CA_DATA/keys" -R
 
-mkdir -p /etc/ssl/keys
-chmod 700 /etc/ssl/keys -R
 
+##
+## Insert a few tools
+##
 
-cd /etc/ssl/
-openssl dhparam -out dh1024.pem 1024 
+cp src/usr/sbin/mkcrt /usr/sbin/mkcrt
 

precise/ca/metadata.yaml

@@ -5,3 +5,7 @@ inherit: base-0k
 description: |
     Certification Autority
 data-dir: /etc/ssl
+config-resources:
+    - /etc/ssl/ca
+data-resources:
+    - /var/lib/ca

precise/ca/src/usr/sbin/mkcrt

@@ -0,0 +1,155 @@
+#!/bin/bash
+
+#:-
+. /etc/shlib
+#:-
+
+include common
+include pretty
+
+usage="$exname [--server] [--altname ALTNAME] [--days DAYS] COMMONNAME EMAIL"
+
+
+. /etc/default/ca
+
+CA_PASSWORD_FILE=${CA_PASSWORD_FILE:-$CA_CONFIG/password}
+
+if ! [ -e "$CA_PASSWORD_FILE" ]; then
+    die "Password file '$CA_PASSWORD_FILE' does not exist. Either create it or set \$CA_PASSWORD_FILE."
+fi
+
+
+##
+## Arguments
+##
+
+server_cert=
+altnames=()
+while [ "$1" ]; do
+    case "$1" in
+        "--server")
+            server_cert=true
+            ;;
+        "--altname="*)
+            altnames=(${altnames[@]} ${1#--altname=})
+            ;;
+        "--altname")
+            altnames=(${altnames[@]} $2)
+            shift
+            ;;
+        "--days="*)
+            DAYS="${1#--altname=}"
+            ;;
+        "--days")
+            DAYS="${2}"
+            shift
+            ;;
+        *)
+            [ -z ${common_name+x} ] && { common_name=$1 ; shift; continue; }
+            [ -z ${email+x} ] && { email=$1 ; shift; continue;  }
+            die "Unexpected argument '$1'."
+            ;;
+    esac
+    shift
+done
+
+if [ -z "${common_name+x}" ] || [ -z "${email+x}" ]; then
+    err "Missing mandatory positional argument."
+    print_usage
+    exit 1
+fi
+
+for i in COUNTRY STATE ORGANISATION DAYS; do
+    if  [ -z "${!i}" ]; then
+        die "Missing/Empty variable '$i'. You can add it to \`/etc/default/ca\`."
+    fi
+done
+
+keyfile="$CA_DATA/keys/$common_name"
+
+if [ -e "$keyfile.crt+key" ]; then
+    warn "Keyfile '$keyfile.crt+key' already exist."
+    exit 0
+fi
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+
+##
+## Subject building
+##
+
+subject=()
+[ -z "${COUNTRY+x}" ] || subject=("${subject[@]}" "C=$COUNTRY")
+[ -z "${STATE+x}" ] || subject=("${subject[@]}" "ST=$STATE")
+[ -z "${ORGANISATION+x}" ] || subject=("${subject[@]}" "O=$ORGANISATION")
+subject=("${subject[@]}" "CN=$common_name")
+subject=("${subject[@]}" "emailAddress=$email")
+
+SUBJECT=$(for elt in "${subject[@]}"; do echo -n "/$elt"; done)
+
+
+##
+## Openssl Options
+##
+
+openssl_opts=()
+openssl_req_opts=()
+openssl_ca_opts=()
+[ -z "${DAYS+x}" ] && openssl_opts=("${openssl_opts[@]}" "-days" "$DAYS")
+
+
+if [ "$server_cert" ]; then
+    if ! egrep "^#\s*nsCertType\s*=\s*server\s*$" "/etc/ssl/openssl.cnf" > /dev/null 2>&1; then
+        err "Unexistent line about 'nsCertType' in '/etc/ssl/openssl.cnf' reference."
+        die "Can't activate the server certificate."
+    fi
+    [ -e "$tmpdir/openssl.cnf" ] || cp /etc/ssl/openssl.cnf "$tmpdir/openssl.cnf"
+    sed -ri 's/^#\s*(nsCertType\s*=\s*server\s*)$/\1/g' "$tmpdir/openssl.cnf"
+    new_openssl_cnf=true
+fi
+
+if [ "${altnames[*]}" ]; then
+    [ -e "$tmpdir/openssl.cnf" ] || cp /etc/ssl/openssl.cnf "$tmpdir/openssl.cnf"
+    openssl_req_opts=("${openssl_req_opts[@]}" "-reqexts" SAN)
+    openssl_ca_opts=("${openssl_ca_opts[@]}" "-extensions" SAN)
+    cat <<EOF >> "$tmpdir/openssl.cnf"
+[SAN]
+subjectAltName = $(for altname in "${altnames[@]}"; do echo -n "DNS:$altname,"; done | rev | cut -c 2- | rev)
+EOF
+    new_openssl_cnf=true
+fi
+
+[ "$new_openssl_cnf" ] && openssl_opts=("${openssl_opts[@]}" "-config" "$tmpdir/openssl.cnf")
+
+
+##
+## Okay, lets do the real work
+##
+
+cd "$tmpdir"
+
+Wrap -q -d "Generating request" <<EOF || exit 1
+openssl req -new -nodes \
+    -keyout "$tmpdir/newkey.pem" \
+    -out "$tmpdir/newreq.pem" \
+    -subj "$SUBJECT" \
+    ${openssl_opts[@]} \
+    ${openssl_req_opts[@]}
+
+EOF
+
+Wrap -q -d "Signing request" <<EOF || exit 1
+    openssl ca -batch \
+         -policy policy_anything \
+         -out "$tmpdir/newcert.pem" \
+         -passin file:"$CA_PASSWORD_FILE" \
+         ${openssl_opts[@]} \
+         ${openssl_ca_opts[@]} \
+         -infiles "$tmpdir/newreq.pem"
+EOF
+
+mv newcert.pem "$keyfile.crt"
+mv newkey.pem "$keyfile.key"
+cat "$keyfile.crt" "$keyfile.key" > "$keyfile.crt+key"