#!/usr/local/bin/perl # distribution boxbackup-0.10 (svn version: 494) # # Copyright (c) 2003 - 2006 # Ben Summers and contributors. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. All use of this software and associated advertising materials must # display the following acknowledgment: # This product includes software developed by Ben Summers. # 4. The names of the Authors may not be used to endorse or promote # products derived from this software without specific prior written # permission. # # [Where legally impermissible the Authors do not disclaim liability for # direct physical injury or death caused solely by defects in the software # unless it is modified by a third party.] # # THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # # use strict; # validity period for root certificates -- default is a very long time my $root_sign_period = '10000'; # but less so for client certificates my $sign_period = '5000'; # check and get command line parameters if($#ARGV < 1) { print <<__E; bbstored certificates utility. Bad command line parameters. Usage: bbstored-certs certs-dir command [arguments] certs-dir is the directory holding the root keys and certificates for the backup system command is the action to perform, taking parameters. Commands are init -- generate initial root certificates (certs-dir must not already exist) sign certificate-name -- sign a client certificate sign-server certificate-name -- sign a server certificate Signing requires confirmation that the certificate is correct and should be signed. __E exit(1); } # check for OPENSSL_CONF environment var being set if(exists $ENV{'OPENSSL_CONF'}) { print <<__E; --------------------------------------- WARNING: You have the OPENSSL_CONF environment variable set. Use of non-standard openssl configs may cause problems. --------------------------------------- __E } # directory structure: # # roots/ # clientCA.pem -- root certificate for client (used on server) # serverCA.pem -- root certificate for servers (used on clients) # keys/ # clientRootKey.pem -- root key for clients # serverRootKey.pem -- root key for servers # servers/ # hostname.pem -- certificate for server 'hostname' # clients/ # account.pem -- certficiate for account 'account' (ID in hex) # # check parameters my ($cert_dir,$command,@args) = @ARGV; # check directory exists if($command ne 'init') { if(!-d $cert_dir) { die "$cert_dir does not exist"; } } # run command if($command eq 'init') {&cmd_init;} elsif($command eq 'sign') {&cmd_sign;} elsif($command eq 'sign-server') {&cmd_sign_server;} else { die "Unknown command $command" } sub cmd_init { # create directories unless(mkdir($cert_dir,0700) && mkdir($cert_dir.'/roots',0700) && mkdir($cert_dir.'/keys',0700) && mkdir($cert_dir.'/servers',0700) && mkdir($cert_dir.'/clients',0700)) { die "Failed to create directory structure" } # create root keys and certrs cmd_init_create_root('client'); cmd_init_create_root('server'); } sub cmd_init_create_root { my $entity = $_[0]; my $cert = "$cert_dir/roots/".$entity.'CA.pem'; my $serial = "$cert_dir/roots/".$entity.'CA.srl'; my $key = "$cert_dir/keys/".$entity.'RootKey.pem'; my $csr = "$cert_dir/keys/".$entity.'RootCSR.pem'; # generate key if(system("openssl genrsa -out $key 2048") != 0) { die "Couldn't generate private key." } # make CSR die "Couldn't run openssl for CSR generation" unless open(CSR,"|openssl req -new -key $key -sha1 -out $csr"); print CSR <<__E; . . . . . Backup system $entity root . . . __E close CSR; print "\n\n"; die "Certificate request wasn't created.\n" unless -f $csr; # sign it to make a self-signed root CA key if(system("openssl x509 -req -in $csr -sha1 -extensions v3_ca -signkey $key -out $cert -days $root_sign_period") != 0) { die "Couldn't generate root certificate." } # write the initial serial number open SERIAL,">$serial" or die "Can't open $serial for writing"; print SERIAL "00\n"; close SERIAL; } sub cmd_sign { my $csr = $args[0]; if(!-f $csr) { die "$csr does not exist"; } # get the common name specified in this certificate my $common_name = get_csr_common_name($csr); # look OK? unless($common_name =~ m/\ABACKUP-([A-Fa-f0-9]+)\Z/) { die "The certificate presented does not appear to be a backup client certificate" } my $acc = $1; # check against filename if(!($csr =~ m/(\A|\/)([A-Fa-f0-9]+)-/) || $2 ne $acc) { die "Certificate request filename does not match name in certificate ($common_name)" } print <<__E; This certificate is for backup account $acc Ensure this matches the account number you are expecting. The filename is $csr which should include this account number, and additionally, you should check that you received it from the right person. Signing the wrong certificate compromises the security of your backup system. Would you like to sign this certificate? (type 'yes' to confirm) __E return unless get_confirmation(); # out certificate my $out_cert = "$cert_dir/clients/$acc"."-cert.pem"; # sign it! if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/clientCA.pem -CAkey $cert_dir/keys/clientRootKey.pem -out $out_cert -days $sign_period") != 0) { die "Signing failed" } # tell user what to do next print <<__E; Certificate signed. Send the files $out_cert $cert_dir/roots/serverCA.pem to the client. __E } sub cmd_sign_server { my $csr = $args[0]; if(!-f $csr) { die "$csr does not exist"; } # get the common name specified in this certificate my $common_name = get_csr_common_name($csr); # look OK? if($common_name !~ m/\A[-a-zA-Z0-9.]+\Z/) { die "Invalid server name" } print <<__E; This certificate is for backup server $common_name Signing the wrong certificate compromises the security of your backup system. Would you like to sign this certificate? (type 'yes' to confirm) __E return unless get_confirmation(); # out certificate my $out_cert = "$cert_dir/servers/$common_name"."-cert.pem"; # sign it! if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/serverCA.pem -CAkey $cert_dir/keys/serverRootKey.pem -out $out_cert -days $sign_period") != 0) { die "Signing failed" } # tell user what to do next print <<__E; Certificate signed. Install the files $out_cert $cert_dir/roots/clientCA.pem on the server. __E } sub get_csr_common_name { my $csr = $_[0]; open CSRTEXT,"openssl req -text -in $csr |" or die "Can't open openssl for reading"; my $subject; while() { $subject = $1 if m/Subject:.+?CN=([-\.\w]+)/ } close CSRTEXT; if($subject eq '') { die "No subject found in CSR $csr" } return $subject } sub get_confirmation() { my $line = ; chomp $line; if(lc $line ne 'yes') { print "CANCELLED\n"; return 0; } return 1; }