Jump to content






Photo
- - - - -

OpenSSL on OpenBSD

Posted by mirrorshades , 17 April 2008 · 495 views

RADIUS Project
I'm using OpenBSD (v 4.2) to run a RADIUS server, which I intend to use for the WLAN. I've got FreeRADIUS (v 1.1.6) installed and it seems to be working properly, at least as far as simple username/password authentication. OpenBSD has proven to be a bit of a challenge for this purpose, in some interesting ways. The most recent challenge has been using OpenSSL (v 0.9.7j)... I have only tacit knowledge of the whole "certificate" process, and futzing with SSL on the command line has invoked some serious head-scratching and Google-jutsu to say the least.Most frustrating thing (so far) has been mention of a magical shell script named CA.sh, that streamlines the process of setting up a certification authority for the certs for use with RADIUS. Apparently the default OpenSSL install that comes with OpenBSD has some stuff stripped out. And, wouldn't you know it, this magical CA.sh script was one of the things they removed.One guy suggested just re-downloading the OpenSSL source and grabbing the file from there, which I did. I am posting the contents of the file here, in the bizarre chance that someone doing the same thing I did should stumble across this site first, or not think to check the source code on the openssl.org website. So here it is, CA.sh in its entirety:[codebox]#!/bin/sh## CA - wrapper around ca to make it easier to use ... basically ca requires# some setup stuff to be done before you can use it and this makes# things easier between now and when Eric is convinced to fix it :-)## CA -newca ... will setup the right stuff# CA -newreq ... will generate a certificate request # CA -sign ... will sign the generated request and output ## At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what# you want/need ... I'll make even this a little cleaner later.### 12-Jan-96 tjh Added more things ... including CA -signcert which# converts a certificate to a request and then signs it.# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG# environment variable so this can be driven from# a script.# 25-Jul-96 eay Cleaned up filenames some more.# 11-Jun-96 eay Fixed a few filename missmatches.# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.# 18-Apr-96 tjh Original hacking## Tim Hudson# tjh@cryptsoft.com## default openssl.cnf file has setup as per the following# demoCA ... where everything is storedif [ -z "$OPENSSL" ]; then OPENSSL=openssl; fiDAYS="-days 365"REQ="$OPENSSL req $SSLEAY_CONFIG"CA="$OPENSSL ca $SSLEAY_CONFIG"VERIFY="$OPENSSL verify"X509="$OPENSSL x509"CATOP=./demoCACAKEY=./cakey.pemCACERT=./cacert.pemfor idocase $i in-\?|-h|-help) echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 exit 0 ;;-newcert) # create a certificate $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS RET=$? echo "Certificate is in newcert.pem, private key is in newkey.pem" ;;-newreq) # create a certificate request $REQ -new -keyout newkey.pem -out newreq.pem $DAYS RET=$? echo "Request is in newreq.pem, private key is in newkey.pem" ;;-newca) # if explicitly asked for or it doesn't exist then setup the directory # structure that Eric likes to manage things NEW="1" if [ "$NEW" -o ! -f ${CATOP}/serial ]; then # create the directory hierarchy mkdir ${CATOP} mkdir ${CATOP}/certs mkdir ${CATOP}/crl mkdir ${CATOP}/newcerts mkdir ${CATOP}/private echo "01" > ${CATOP}/serial touch ${CATOP}/index.txt fi if [ ! -f ${CATOP}/private/$CAKEY ]; then echo "CA certificate filename (or enter to create)" read FILE # ask user for existing CA certificate if [ "$FILE" ]; then cp $FILE ${CATOP}/private/$CAKEY RET=$? else echo "Making CA certificate ..." $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \ -out ${CATOP}/$CACERT $DAYS RET=$? fi fi ;;-xsign) $CA -policy policy_anything -infiles newreq.pem RET=$? ;;-sign|-signreq) $CA -policy policy_anything -out newcert.pem -infiles newreq.pem RET=$? cat newcert.pem echo "Signed certificate is in newcert.pem" ;;-signcert) echo "Cert passphrase will be requested twice - bug?" $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem $CA -policy policy_anything -out newcert.pem -infiles tmp.pem cat newcert.pem echo "Signed certificate is in newcert.pem" ;;-verify) shift if [ -z "$1" ]; then $VERIFY -CAfile $CATOP/$CACERT newcert.pem RET=$? else for j do $VERIFY -CAfile $CATOP/$CACERT $j if [ $? != 0 ]; then RET=$? fi done fi exit 0 ;;*) echo "Unknown arg $i"; exit 1 ;;esacdoneexit $RET[/codebox]Some other sites suggest a program called CA.pl, which is obtainable in the same way (also being absent from OpenBSD). Looks to be the same thing, just written in Perl instead of a normal shell script (for those of you who like gibberish):[codebox]#!/usr/bin/perl## CA - wrapper around ca to make it easier to use ... basically ca requires# some setup stuff to be done before you can use it and this makes# things easier between now and when Eric is convinced to fix it :-)## CA -newca ... will setup the right stuff# CA -newreq[-nodes] ... will generate a certificate request # CA -sign ... will sign the generated request and output ## At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what# you want/need ... I'll make even this a little cleaner later.### 12-Jan-96 tjh Added more things ... including CA -signcert which# converts a certificate to a request and then signs it.# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG# environment variable so this can be driven from# a script.# 25-Jul-96 eay Cleaned up filenames some more.# 11-Jun-96 eay Fixed a few filename missmatches.# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.# 18-Apr-96 tjh Original hacking## Tim Hudson# tjh@cryptsoft.com## 27-Apr-98 snh Translation into perl, fix existing CA bug.### Steve Henson# shenson@bigfoot.com# default openssl.cnf file has setup as per the following# demoCA ... where everything is storedmy $openssl;if(defined $ENV{OPENSSL}) { $openssl = $ENV{OPENSSL};} else { $openssl = "openssl"; $ENV{OPENSSL} = $openssl;}$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};$DAYS="-days 365";$REQ="$openssl req $SSLEAY_CONFIG";$CA="$openssl ca $SSLEAY_CONFIG";$VERIFY="$openssl verify";$X509="$openssl x509";$PKCS12="$openssl pkcs12";$CATOP="./demoCA";$CAKEY="cakey.pem";$CACERT="cacert.pem";$DIRMODE = 0777;$RET = 0;foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS"); $RET=$?; print "Certificate is in newcert.pem, private key is in newkey.pem\n" } elsif (/^-newreq$/) { # create a certificate request system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); $RET=$?; print "Request is in newreq.pem, private key is in newkey.pem\n"; } elsif (/^-newreq-nodes$/) { # create a certificate request system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS"); $RET=$?; print "Request is in newreq.pem, private key is in newkey.pem\n"; } elsif (/^-newca$/) { # if explicitly asked for or it doesn't exist then setup the # directory structure that Eric likes to manage things $NEW="1"; if ( "$NEW" || ! -f "${CATOP}/serial" ) { # create the directory hierarchy mkdir $CATOP, $DIRMODE; mkdir "${CATOP}/certs", $DIRMODE; mkdir "${CATOP}/crl", $DIRMODE ; mkdir "${CATOP}/newcerts", $DIRMODE; mkdir "${CATOP}/private", $DIRMODE; open OUT, ">${CATOP}/index.txt"; close OUT; } if ( ! -f "${CATOP}/private/$CAKEY" ) { print "CA certificate filename (or enter to create)\n"; $FILE = <STDIN>; chop $FILE; # ask user for existing CA certificate if ($FILE) { cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); $RET=$?; } else { print "Making CA certificate ...\n"; system ("$REQ -new -x509 -keyout " . "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); $RET=$?; } } if (! -f "${CATOP}/serial" ) { system ("$X509 -in ${CATOP}/$CACERT -noout " . "-next_serial -out ${CATOP}/serial"); } } elsif (/^-pkcs12$/) { my $cname = $ARGV[1]; $cname = "My Certificate" unless defined $cname; system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . "-certfile ${CATOP}/$CACERT -out newcert.p12 " . "-export -name \"$cname\""); $RET=$?; print "PKCS #12 file is in newcert.p12\n"; exit $RET; } elsif (/^-xsign$/) { system ("$CA -policy policy_anything -infiles newreq.pem"); $RET=$?; } elsif (/^(-sign|-signreq)$/) { system ("$CA -policy policy_anything -out newcert.pem " . "-infiles newreq.pem"); $RET=$?; print "Signed certificate is in newcert.pem\n"; } elsif (/^(-signCA)$/) { system ("$CA -policy policy_anything -out newcert.pem " . "-extensions v3_ca -infiles newreq.pem"); $RET=$?; print "Signed CA certificate is in newcert.pem\n"; } elsif (/^-signcert$/) { system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . "-out tmp.pem"); system ("$CA -policy policy_anything -out newcert.pem " . "-infiles tmp.pem"); $RET = $?; print "Signed certificate is in newcert.pem\n"; } elsif (/^-verify$/) { if (shift) { foreach $j (@ARGV) { system ("$VERIFY -CAfile $CATOP/$CACERT $j"); $RET=$? if ($? != 0); } exit $RET; } else { system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); $RET=$?; exit 0; } } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 1; }}exit $RET;sub cp_pem {my ($infile, $outfile, $bound) = @_;open IN, $infile;open OUT, ">$outfile";my $flag = 0;while (<IN>) { $flag = 1 if (/^-----BEGIN.*$bound/) ; print OUT $_ if ($flag); if (/^-----END.*$bound/) { close IN; close OUT; return; }}}[/codebox]Here's hoping this will be useful to someone.




Recent Entries

Recent Comments

BinRev is hosted by the great people at Lunarpages!