diff options
Diffstat (limited to 'external/unbound/smallapp/unbound-control-setup.sh.in')
-rw-r--r-- | external/unbound/smallapp/unbound-control-setup.sh.in | 160 |
1 files changed, 0 insertions, 160 deletions
diff --git a/external/unbound/smallapp/unbound-control-setup.sh.in b/external/unbound/smallapp/unbound-control-setup.sh.in deleted file mode 100644 index 0d759f441..000000000 --- a/external/unbound/smallapp/unbound-control-setup.sh.in +++ /dev/null @@ -1,160 +0,0 @@ -#!/bin/sh -# -# unbound-control-setup.sh - set up SSL certificates for unbound-control -# -# Copyright (c) 2008, NLnet Labs. All rights reserved. -# -# This software is open source. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# Neither the name of the NLNET LABS nor the names of its contributors may -# be used to endorse or promote products derived from this software without -# specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# settings: - -# directory for files -DESTDIR=@ub_conf_dir@ - -# issuer and subject name for certificates -SERVERNAME=unbound -CLIENTNAME=unbound-control - -# validity period for certificates -DAYS=7200 - -# size of keys in bits -BITS=3072 - -# hash algorithm -HASH=sha256 - -# base name for unbound server keys -SVR_BASE=unbound_server - -# base name for unbound-control keys -CTL_BASE=unbound_control - -# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no). -umask 0027 - -# end of options - -# functions: -error ( ) { - echo "$0 fatal error: $1" - exit 1 -} - -# check arguments: -while test $# -ne 0; do - case $1 in - -d) - if test $# -eq 1; then error "need argument for -d"; fi - DESTDIR="$2" - shift - ;; - *) - echo "unbound-control-setup.sh - setup SSL keys for unbound-control" - echo " -d dir use directory to store keys and certificates." - echo " default: $DESTDIR" - echo "please run this command using the same user id that the " - echo "unbound daemon uses, it needs read privileges." - exit 1 - ;; - esac - shift -done - -# go!: -echo "setup in directory $DESTDIR" -cd "$DESTDIR" || error "could not cd to $DESTDIR" - -# create certificate keys; do not recreate if they already exist. -if test -f $SVR_BASE.key; then - echo "$SVR_BASE.key exists" -else - echo "generating $SVR_BASE.key" - openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa" -fi -if test -f $CTL_BASE.key; then - echo "$CTL_BASE.key exists" -else - echo "generating $CTL_BASE.key" - openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa" -fi - -# create self-signed cert for server -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$SERVERNAME" >> request.cfg - -test -f request.cfg || error "could not create request.cfg" - -echo "create $SVR_BASE.pem (self signed certificate)" -openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" -# create trusted usage pem -openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" - -# create client request and sign it, piped -echo "[req]" > request.cfg -echo "default_bits=$BITS" >> request.cfg -echo "default_md=$HASH" >> request.cfg -echo "prompt=no" >> request.cfg -echo "distinguished_name=req_distinguished_name" >> request.cfg -echo "" >> request.cfg -echo "[req_distinguished_name]" >> request.cfg -echo "commonName=$CLIENTNAME" >> request.cfg - -test -f request.cfg || error "could not create request.cfg" - -echo "create $CTL_BASE.pem (signed client certificate)" -openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem -test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" -# create trusted usage pem -# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" - -# see details with openssl x509 -noout -text < $SVR_BASE.pem -# echo "create $CTL_BASE""_browser.pfx (web client certificate)" -# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" -# echo "preferences - advanced - encryption - view certificates - your certs" -# echo "empty password is used, simply click OK on the password dialog box." -# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" - -# remove unused permissions -chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key - -# remove crap -rm -f request.cfg -rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" - -echo "Setup success. Certificates created. Enable in unbound.conf file to use" - -exit 0 |