source: box/trunk/bin/bbstored/bbstored-certs.in @ 2819

#!@PERL@
use strict;

# validity period for root certificates -- default is 2038, the best we can do for now
my $root_sign_period = int(((1<<31) - time()) / 86400);

# but less so for client certificates
my $sign_period = '5000';

# check and get command line parameters
if($#ARGV < 1)
{
        print <<__E;

bbstored certificates utility.

Bad command line parameters.
Usage:
        bbstored-certs certs-dir command [arguments]

certs-dir is the directory holding the root keys and certificates for the backup system
command is the action to perform, taking parameters.

Commands are

        init
                -- generate initial root certificates (certs-dir must not already exist)
        sign certificate-name
                -- sign a client certificate
        sign-server certificate-name
                -- sign a server certificate

Signing requires confirmation that the certificate is correct and should be signed.

__E
        exit(1);
}

# check for OPENSSL_CONF environment var being set
if(exists $ENV{'OPENSSL_CONF'})
{
        print <<__E;

---------------------------------------

WARNING:
    You have the OPENSSL_CONF environment variable set.
    Use of non-standard openssl configs may cause problems.

---------------------------------------

__E
}

# directory structure:
#
# roots/
#       clientCA.pem -- root certificate for client (used on server)
#       serverCA.pem -- root certificate for servers (used on clients)
# keys/
#   clientRootKey.pem -- root key for clients
#   serverRootKey.pem -- root key for servers
# servers/
#   hostname.pem -- certificate for server 'hostname'
# clients/
#   account.pem -- certficiate for account 'account' (ID in hex)
#


# check parameters
my ($cert_dir,$command,@args) = @ARGV;

# check directory exists
if($command ne 'init')
{
        if(!-d $cert_dir)
        {
                die "$cert_dir does not exist";
        }
}

# run command
if($command eq 'init') {&cmd_init;}
elsif($command eq 'sign') {&cmd_sign;}
elsif($command eq 'sign-server') {&cmd_sign_server;}
else
{
        die "Unknown command $command"
}

sub cmd_init
{
        # create directories
        unless(mkdir($cert_dir,0700)
                && mkdir($cert_dir.'/roots',0700)
                && mkdir($cert_dir.'/keys',0700)
                && mkdir($cert_dir.'/servers',0700)
                && mkdir($cert_dir.'/clients',0700))
        {
                die "Failed to create directory structure"
        }

        # create root keys and certrs
        cmd_init_create_root('client');
        cmd_init_create_root('server');
}

sub cmd_init_create_root
{
        my $entity = $_[0];

        my $cert = "$cert_dir/roots/".$entity.'CA.pem';
        my $serial = "$cert_dir/roots/".$entity.'CA.srl';
        my $key = "$cert_dir/keys/".$entity.'RootKey.pem';
        my $csr = "$cert_dir/keys/".$entity.'RootCSR.pem';

        # generate key
        if(system("openssl genrsa -out $key 2048") != 0)
        {
                die "Couldn't generate private key."
        }
        
        # make CSR
        die "Couldn't run openssl for CSR generation" unless
                open(CSR,"|openssl req -new -key $key -sha1 -out $csr");
        print CSR <<__E;
.
.
.
.
.
Backup system $entity root
.
.
.

__E
        close CSR;
        print "\n\n";
        die "Certificate request wasn't created.\n" unless -f $csr;
        
        # sign it to make a self-signed root CA key
        if(system("openssl x509 -req -in $csr -sha1 -extensions v3_ca -signkey $key -out $cert -days $root_sign_period") != 0)
        {
                die "Couldn't generate root certificate."
        }
        
        # write the initial serial number
        open SERIAL,">$serial" or die "Can't open $serial for writing";
        print SERIAL "00\n";
        close SERIAL;
}

sub cmd_sign
{
        my $csr = $args[0];
        
        if(!-f $csr)
        {
                die "$csr does not exist";
        }
        
        # get the common name specified in this certificate
        my $common_name = get_csr_common_name($csr);
        
        # look OK?
        unless($common_name =~ m/\ABACKUP-([A-Fa-f0-9]+)\Z/)
        {
                die "The certificate presented does not appear to be a backup client certificate"
        }
        
        my $acc = $1;
        
        # check against filename
        if(!($csr =~ m/(\A|\/)([A-Fa-f0-9]+)-/) || $2 ne $acc)
        {
                die "Certificate request filename does not match name in certificate ($common_name)"
        }
                
        print <<__E;

This certificate is for backup account

   $acc

Ensure this matches the account number you are expecting. The filename is

   $csr

which should include this account number, and additionally, you should check
that you received it from the right person.

Signing the wrong certificate compromises the security of your backup system.

Would you like to sign this certificate? (type 'yes' to confirm)
__E

        return unless get_confirmation();

        # out certificate
        my $out_cert = "$cert_dir/clients/$acc"."-cert.pem";

        # sign it!
        if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/clientCA.pem -CAkey $cert_dir/keys/clientRootKey.pem -out $out_cert -days $sign_period") != 0)
        {
                die "Signing failed"
        }
        
        # tell user what to do next
        print <<__E;


Certificate signed.

Send the files

   $out_cert
   $cert_dir/roots/serverCA.pem

to the client.

__E
}

sub cmd_sign_server
{
        my $csr = $args[0];
        
        if(!-f $csr)
        {
                die "$csr does not exist";
        }
        
        # get the common name specified in this certificate
        my $common_name = get_csr_common_name($csr);
        
        # look OK?
        if($common_name !~ m/\A[-a-zA-Z0-9.]+\Z/)
        {
                die "Invalid server name"
        }
        
        print <<__E;

This certificate is for backup server

   $common_name

Signing the wrong certificate compromises the security of your backup system.

Would you like to sign this certificate? (type 'yes' to confirm)
__E

        return unless get_confirmation();

        # out certificate
        my $out_cert = "$cert_dir/servers/$common_name"."-cert.pem";

        # sign it!
        if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CA $cert_dir/roots/serverCA.pem -CAkey $cert_dir/keys/serverRootKey.pem -out $out_cert -days $sign_period") != 0)
        {
                die "Signing failed"
        }
        
        # tell user what to do next
        print <<__E;


Certificate signed.

Install the files

   $out_cert
   $cert_dir/roots/clientCA.pem

on the server.

__E
}


sub get_csr_common_name
{
        my $csr = $_[0];
        
        open CSRTEXT,"openssl req -text -in $csr |" or die "Can't open openssl for reading";
        
        my $subject;
        while(<CSRTEXT>)
        {
                $subject = $1 if m/Subject:.+?CN=([-\.\w]+)/
        }       
        close CSRTEXT;

        if($subject eq '')
        {
                die "No subject found in CSR $csr"
        }
        
        return $subject
}

sub get_confirmation()
{
        my $line = <STDIN>;
        chomp $line;
        if(lc $line ne 'yes')
        {
                print "CANCELLED\n";
                return 0;
        }
        
        return 1;
}