pipe2me-client 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/README.mdown +96 -0
- data/bin/pipe2me +21 -0
- data/lib/pipe2me.rb +9 -0
- data/lib/pipe2me/cli-foreman.rb +21 -0
- data/lib/pipe2me/cli-monit.rb +62 -0
- data/lib/pipe2me/cli.rb +29 -0
- data/lib/pipe2me/config.rb +7 -0
- data/lib/pipe2me/ext/file_ext.rb +16 -0
- data/lib/pipe2me/ext/http.rb +213 -0
- data/lib/pipe2me/ext/shell_format.rb +69 -0
- data/lib/pipe2me/ext/sys.rb +38 -0
- data/lib/pipe2me/tunnel.rb +78 -0
- data/lib/pipe2me/tunnel/commands.rb +68 -0
- data/lib/pipe2me/tunnel/echo/http +56 -0
- data/lib/pipe2me/tunnel/echo/https +18 -0
- data/lib/pipe2me/tunnel/openssl.conf +351 -0
- data/lib/pipe2me/tunnel/openssl.rb +29 -0
- data/lib/pipe2me/tunnel/ssh.rb +16 -0
- data/lib/pipe2me/version.rb +4 -0
- data/test/000-roundup-test.sh +7 -0
- data/test/auth-token-test.sh +12 -0
- data/test/env-test.sh +23 -0
- data/test/foreman-test.sh +11 -0
- data/test/monitrc-test.sh +23 -0
- data/test/opensslkey-test.sh +25 -0
- data/test/redirection-test.sh +12 -0
- data/test/setup-test.sh +18 -0
- data/test/sshkey-test.sh +13 -0
- data/test/testhelper.debug +2 -0
- data/test/testhelper.inc +24 -0
- data/test/testhelper.release +2 -0
- data/test/version-test.sh +9 -0
- metadata +131 -0
@@ -0,0 +1,69 @@
|
|
1
|
+
require "shellwords"
|
2
|
+
require_relative "./file_ext"
|
3
|
+
|
4
|
+
module Pipe2me::ShellFormat
|
5
|
+
extend self
|
6
|
+
|
7
|
+
def write(path, data)
|
8
|
+
File.atomic_write path, dump(data)
|
9
|
+
end
|
10
|
+
|
11
|
+
def read(path)
|
12
|
+
parse File.read(path)
|
13
|
+
end
|
14
|
+
|
15
|
+
def dump(obj, prefix=nil)
|
16
|
+
format_entries([], obj, prefix).join
|
17
|
+
end
|
18
|
+
|
19
|
+
alias :shell :dump
|
20
|
+
|
21
|
+
PREFIX = "PIPE2ME"
|
22
|
+
|
23
|
+
def parse(data)
|
24
|
+
arrays = {}
|
25
|
+
|
26
|
+
prefix_re = Regexp.compile(/^#{PREFIX.downcase}_/)
|
27
|
+
|
28
|
+
data.lines.inject({}) do |hsh, line|
|
29
|
+
key, value = line.split(/\s*=\s*/, 2)
|
30
|
+
value.gsub!(/\s*$/, "")
|
31
|
+
value = Integer(value) rescue value
|
32
|
+
|
33
|
+
if key =~ /^(.*)_(\d+)$/
|
34
|
+
ary = arrays[$1] ||= []
|
35
|
+
ary[$2.to_i] = value
|
36
|
+
key, value = $1, ary
|
37
|
+
end
|
38
|
+
|
39
|
+
hsh.update key.downcase.gsub(prefix_re, "").to_sym => value
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
private
|
44
|
+
|
45
|
+
def format_entries(ary, obj, prefix)
|
46
|
+
case obj
|
47
|
+
when Array
|
48
|
+
prefix = "#{prefix}_" if prefix
|
49
|
+
obj.each_with_index do |entry, idx|
|
50
|
+
format_entries ary, entry, "#{prefix}#{idx}"
|
51
|
+
end
|
52
|
+
ary
|
53
|
+
when Hash
|
54
|
+
prefix = "#{prefix}_" if prefix
|
55
|
+
obj.each do |key, value|
|
56
|
+
format_entries ary, value, "#{prefix}#{key.upcase}"
|
57
|
+
end
|
58
|
+
ary
|
59
|
+
when defined?(ActiveRecord::Relation) ? ActiveRecord::Relation : nil
|
60
|
+
format_entries(ary, obj.to_a, prefix)
|
61
|
+
else
|
62
|
+
if obj.respond_to?(:attributes)
|
63
|
+
format_entries(ary, obj.attributes, prefix)
|
64
|
+
else
|
65
|
+
ary << "#{PREFIX}_#{prefix}=#{Shellwords.escape(obj)}\n"
|
66
|
+
end
|
67
|
+
end
|
68
|
+
end
|
69
|
+
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require "shellwords"
|
2
|
+
|
3
|
+
module Pipe2me::Sys
|
4
|
+
extend self
|
5
|
+
|
6
|
+
class ExitError < RuntimeError; end
|
7
|
+
|
8
|
+
def sys(*args)
|
9
|
+
cmd, stdout = _sys(*args)
|
10
|
+
return stdout if $?.exitstatus == 0
|
11
|
+
end
|
12
|
+
|
13
|
+
def sys!(*args)
|
14
|
+
cmd, stdout = _sys(*args)
|
15
|
+
return stdout if $?.exitstatus == 0
|
16
|
+
raise ExitError, "#{cmd} failed with exit code #{$?.exitstatus}"
|
17
|
+
end
|
18
|
+
|
19
|
+
def sh(*args)
|
20
|
+
sys "sh", "-c", *args
|
21
|
+
end
|
22
|
+
|
23
|
+
def sh!(*args)
|
24
|
+
sys! "sh", "-c", *args
|
25
|
+
end
|
26
|
+
|
27
|
+
private
|
28
|
+
|
29
|
+
def _sys(*args)
|
30
|
+
cmd = args.
|
31
|
+
map { |arg| Shellwords.escape arg.to_s }.
|
32
|
+
join(" ")
|
33
|
+
|
34
|
+
UI.debug cmd
|
35
|
+
stdout = IO.popen(cmd, &:read)
|
36
|
+
[ cmd, stdout ]
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,78 @@
|
|
1
|
+
require "pipe2me/ext/http"
|
2
|
+
require "pipe2me/ext/sys"
|
3
|
+
require "pipe2me/ext/shell_format"
|
4
|
+
|
5
|
+
module Pipe2me::Tunnel
|
6
|
+
# file names
|
7
|
+
SSL_KEY = "pipe2me.openssl.priv"
|
8
|
+
SSL_CERT = "pipe2me.openssl.cert"
|
9
|
+
|
10
|
+
SSH_PUBKEY = "pipe2me.id_rsa.pub"
|
11
|
+
SSH_PRIVKEY = "pipe2me.id_rsa"
|
12
|
+
end
|
13
|
+
|
14
|
+
require_relative "tunnel/openssl"
|
15
|
+
require_relative "tunnel/ssh"
|
16
|
+
require_relative "tunnel/commands"
|
17
|
+
|
18
|
+
module Pipe2me::Tunnel
|
19
|
+
ShellFormat = Pipe2me::ShellFormat
|
20
|
+
include Pipe2me::Sys
|
21
|
+
|
22
|
+
include OpenSSL
|
23
|
+
include SSH
|
24
|
+
include Commands
|
25
|
+
|
26
|
+
extend self
|
27
|
+
|
28
|
+
def setup(options)
|
29
|
+
if File.exists?("pipe2me.info.inc")
|
30
|
+
raise "Found existing pipe2me configuration in #{Dir.getwd}"
|
31
|
+
end
|
32
|
+
|
33
|
+
# [todo] escape auth option
|
34
|
+
response = HTTP.post! "#{Pipe2me::Config.server}/tunnels/#{options[:auth]}",
|
35
|
+
"protocols" => options[:protocols]
|
36
|
+
|
37
|
+
server_info = ShellFormat.parse(response)
|
38
|
+
|
39
|
+
raise(ArgumentError, "Missing :fqdn information") unless server_info[:fqdn]
|
40
|
+
|
41
|
+
ShellFormat.write "pipe2me.info.inc", server_info
|
42
|
+
ShellFormat.write "pipe2me.local.inc",
|
43
|
+
:server => Pipe2me::Config.server,
|
44
|
+
:ports => options[:ports]
|
45
|
+
|
46
|
+
server_info
|
47
|
+
end
|
48
|
+
|
49
|
+
private
|
50
|
+
|
51
|
+
# The base URL for this tunnels' configuration
|
52
|
+
def url
|
53
|
+
"#{config.server}/tunnels/#{config.token}"
|
54
|
+
end
|
55
|
+
|
56
|
+
def config
|
57
|
+
@config ||= begin
|
58
|
+
hsh = { :ports => [] }
|
59
|
+
hsh.update ShellFormat.read("pipe2me.info.inc")
|
60
|
+
hsh.update ShellFormat.read("pipe2me.local.inc")
|
61
|
+
OpenStruct.new hsh
|
62
|
+
end
|
63
|
+
end
|
64
|
+
|
65
|
+
public
|
66
|
+
|
67
|
+
def update
|
68
|
+
unless File.exists?(SSH_PRIVKEY)
|
69
|
+
ssh_keygen
|
70
|
+
end
|
71
|
+
unless File.exists?(SSL_KEY)
|
72
|
+
ssl_keygen
|
73
|
+
end
|
74
|
+
unless File.exists?(SSL_CERT)
|
75
|
+
ssl_certsign
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
@@ -0,0 +1,68 @@
|
|
1
|
+
module Pipe2me::Tunnel::Commands
|
2
|
+
extend self
|
3
|
+
|
4
|
+
T = Pipe2me::Tunnel
|
5
|
+
|
6
|
+
private
|
7
|
+
|
8
|
+
# returns an array of [ protocol, remote_port, local_port ] entries
|
9
|
+
def tunnels
|
10
|
+
@tunnels ||= begin
|
11
|
+
urls, ports = config.urls, config.ports
|
12
|
+
|
13
|
+
urls.zip(ports).map do |url, local_port|
|
14
|
+
uri = URI.parse(url)
|
15
|
+
[ uri.scheme, uri.port, local_port || uri.port ]
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
public
|
21
|
+
|
22
|
+
# return an arry [ [name, command ], [name, command ], .. ]
|
23
|
+
def tunnel_commands
|
24
|
+
tunnel_uri = URI.parse config.tunnel
|
25
|
+
|
26
|
+
tunnels.map do |protocol, remote_port, local_port|
|
27
|
+
next unless cmd = port_tunnel_command(tunnel_uri, protocol, remote_port, local_port)
|
28
|
+
[ "#{protocol}_#{remote_port}", cmd ]
|
29
|
+
end.compact
|
30
|
+
end
|
31
|
+
|
32
|
+
def echo_commands
|
33
|
+
tunnels.map do |protocol, remote_port, local_port|
|
34
|
+
next unless cmd = echo_server_command(protocol, local_port)
|
35
|
+
[ "echo_#{remote_port}", cmd ]
|
36
|
+
end.compact
|
37
|
+
end
|
38
|
+
|
39
|
+
private
|
40
|
+
|
41
|
+
def port_tunnel_command(tunnel_uri, protocol, remote_port, local_port)
|
42
|
+
autossh = `which autossh`.chomp
|
43
|
+
|
44
|
+
cmd = <<-SHELL
|
45
|
+
env AUTOSSH_GATETIME=0 # comments work here..
|
46
|
+
#{autossh}
|
47
|
+
-M 0
|
48
|
+
#{tunnel_uri.user}@#{tunnel_uri.host}
|
49
|
+
-p #{tunnel_uri.port}
|
50
|
+
-R 0.0.0.0:#{remote_port}:localhost:#{local_port}
|
51
|
+
-i #{T::SSH_PRIVKEY}
|
52
|
+
-o StrictHostKeyChecking=no
|
53
|
+
-o UserKnownHostsFile=pipe2me.known_hosts
|
54
|
+
-N
|
55
|
+
SHELL
|
56
|
+
|
57
|
+
# remove comments and newlines from commands
|
58
|
+
cmd.gsub(/( *#.*|\s+)/, " ").gsub(/(^ )|( $)/, "")
|
59
|
+
end
|
60
|
+
|
61
|
+
def echo_server_command(protocol, port)
|
62
|
+
binary = File.dirname(__FILE__) + "/echo/#{protocol}"
|
63
|
+
return unless File.executable?(binary)
|
64
|
+
|
65
|
+
UI.info "Starting #{protocol} echo server on port #{port}"
|
66
|
+
"env PORT=#{port} #{binary}"
|
67
|
+
end
|
68
|
+
end
|
@@ -0,0 +1,56 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
#
|
3
|
+
# Derived from https://github.com/radiospiel/inspector
|
4
|
+
|
5
|
+
# -- A rack application -------------------------------------------------------
|
6
|
+
|
7
|
+
require "rack"
|
8
|
+
|
9
|
+
def format_hash(hash)
|
10
|
+
hash.to_a.
|
11
|
+
sort_by(&:first).map do |key, value|
|
12
|
+
"%25s: %s\n" % [ key.to_s.gsub(/^HTTP_/, ""), value.inspect ]
|
13
|
+
end.
|
14
|
+
join
|
15
|
+
end
|
16
|
+
|
17
|
+
def insp(env)
|
18
|
+
request = Rack::Request.new(env)
|
19
|
+
headers, process_env = env.partition do |k,v| k =~ /^HTTP_/ end
|
20
|
+
[
|
21
|
+
"# Request\n\n",
|
22
|
+
format_hash(request_method: request.request_method, fullpath: request.fullpath),
|
23
|
+
"\n# Headers\n\n",
|
24
|
+
format_hash(headers),
|
25
|
+
"\n# process environment\n\n",
|
26
|
+
format_hash(ENV)
|
27
|
+
].join("\n")
|
28
|
+
end
|
29
|
+
|
30
|
+
Application = proc do |env|
|
31
|
+
req = Rack::Request.new(env)
|
32
|
+
body = req.path != "/" ? "#{req.request_method} #{req.fullpath}\n" : insp(env)
|
33
|
+
|
34
|
+
[
|
35
|
+
200,
|
36
|
+
{ 'Content-Type' => 'text/plain' },
|
37
|
+
[ body ]
|
38
|
+
]
|
39
|
+
end
|
40
|
+
|
41
|
+
# -- configure rack server ----------------------------------------------------
|
42
|
+
|
43
|
+
require "webrick/https"
|
44
|
+
|
45
|
+
RACK_SERVER_OPTIONS = {
|
46
|
+
:app => Application,
|
47
|
+
:BindAddress => "localhost",
|
48
|
+
:Port => ENV["PORT"] || 8080,
|
49
|
+
:server => "webrick",
|
50
|
+
:Logger => WEBrick::BasicLog.new($stderr, WEBrick::BasicLog::WARN)
|
51
|
+
}
|
52
|
+
|
53
|
+
if $0 == __FILE__
|
54
|
+
puts "Starting http server at port #{RACK_SERVER_OPTIONS[:Port]}"
|
55
|
+
Rack::Server.start(RACK_SERVER_OPTIONS)
|
56
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
#
|
3
|
+
|
4
|
+
load "#{File.dirname(__FILE__)}/http"
|
5
|
+
|
6
|
+
cert = OpenSSL::X509::Certificate.new File.read("pipe2me.openssl.cert")
|
7
|
+
pkey = OpenSSL::PKey::RSA.new File.read("pipe2me.openssl.priv")
|
8
|
+
|
9
|
+
RACK_SERVER_OPTIONS.update SSLEnable: true,
|
10
|
+
SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
|
11
|
+
SSLPrivateKey: pkey,
|
12
|
+
SSLCertificate: cert,
|
13
|
+
SSLCertName: [["CN", WEBrick::Utils::getservername]]
|
14
|
+
|
15
|
+
if $0 == __FILE__
|
16
|
+
puts "Starting https server at port #{RACK_SERVER_OPTIONS[:Port]}"
|
17
|
+
Rack::Server.start(RACK_SERVER_OPTIONS)
|
18
|
+
end
|
@@ -0,0 +1,351 @@
|
|
1
|
+
#
|
2
|
+
# OpenSSL example configuration file.
|
3
|
+
# This is mostly being used for generation of certificate requests.
|
4
|
+
#
|
5
|
+
|
6
|
+
# This definition stops the following lines choking if HOME isn't
|
7
|
+
# defined.
|
8
|
+
HOME = .
|
9
|
+
RANDFILE = pipe2me.openssl.rnd
|
10
|
+
|
11
|
+
# Extra OBJECT IDENTIFIER info:
|
12
|
+
oid_file = pipe2me.openssl.oid
|
13
|
+
oid_section = new_oids
|
14
|
+
|
15
|
+
# To use this configuration file with the "-extfile" option of the
|
16
|
+
# "openssl x509" utility, name here the section containing the
|
17
|
+
# X.509v3 extensions to use:
|
18
|
+
# extensions =
|
19
|
+
# (Alternatively, use a configuration file that has only
|
20
|
+
# X.509v3 extensions in its main [= default] section.)
|
21
|
+
|
22
|
+
[ new_oids ]
|
23
|
+
|
24
|
+
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
25
|
+
# Add a simple OID like this:
|
26
|
+
# testoid1=1.2.3.4
|
27
|
+
# Or use config file substitution like this:
|
28
|
+
# testoid2=${testoid1}.5.6
|
29
|
+
|
30
|
+
# Policies used by the TSA examples.
|
31
|
+
tsa_policy1 = 1.2.3.4.1
|
32
|
+
tsa_policy2 = 1.2.3.4.5.6
|
33
|
+
tsa_policy3 = 1.2.3.4.5.7
|
34
|
+
|
35
|
+
####################################################################
|
36
|
+
[ ca ]
|
37
|
+
default_ca = CA_default # The default ca section
|
38
|
+
|
39
|
+
####################################################################
|
40
|
+
[ CA_default ]
|
41
|
+
|
42
|
+
dir = pipe2me.openssl.ca
|
43
|
+
certs = $dir/certs # Where the issued certs are kept
|
44
|
+
crl_dir = $dir/crl # Where the issued crl are kept
|
45
|
+
database = $dir/index.txt # database index file.
|
46
|
+
#unique_subject = no # Set to 'no' to allow creation of
|
47
|
+
# several ctificates with same subject.
|
48
|
+
unique_subject = no
|
49
|
+
new_certs_dir = $dir/newcerts # default place for new certs.
|
50
|
+
|
51
|
+
certificate = $dir/root/certificate.pem # The CA certificate
|
52
|
+
serial = $dir/serial # The current serial number
|
53
|
+
#crlnumber = $dir/crlnumber # the current crl number
|
54
|
+
# must be commented out to leave a V1 CRL
|
55
|
+
crl = $dir/crl.pem # The current CRL
|
56
|
+
private_key = $dir/root/private_key.pem # The private key
|
57
|
+
RANDFILE = $dir/private/.rand # private random number file
|
58
|
+
|
59
|
+
x509_extensions = usr_cert # The extentions to add to the cert
|
60
|
+
|
61
|
+
# Comment out the following two lines for the "traditional"
|
62
|
+
# (and highly broken) format.
|
63
|
+
name_opt = ca_default # Subject Name options
|
64
|
+
cert_opt = ca_default # Certificate field options
|
65
|
+
|
66
|
+
# Extension copying option: use with caution.
|
67
|
+
# copy_extensions = copy
|
68
|
+
|
69
|
+
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
70
|
+
# so this is commented out by default to leave a V1 CRL.
|
71
|
+
# crlnumber must also be commented out to leave a V1 CRL.
|
72
|
+
# crl_extensions = crl_ext
|
73
|
+
|
74
|
+
default_days = 365 # how long to certify for
|
75
|
+
default_crl_days= 30 # how long before next CRL
|
76
|
+
default_md = sha1 # use public key default MD
|
77
|
+
preserve = no # keep passed DN ordering
|
78
|
+
|
79
|
+
# A few difference way of specifying how similar the request should look
|
80
|
+
# For type CA, the listed attributes must be the same, and the optional
|
81
|
+
# and supplied fields are just that :-)
|
82
|
+
policy = policy_match
|
83
|
+
|
84
|
+
# For the CA policy
|
85
|
+
[ policy_match ]
|
86
|
+
countryName = match
|
87
|
+
stateOrProvinceName = match
|
88
|
+
organizationName = match
|
89
|
+
organizationalUnitName = optional
|
90
|
+
commonName = supplied
|
91
|
+
emailAddress = optional
|
92
|
+
|
93
|
+
# For the 'anything' policy
|
94
|
+
# At this point in time, you must list all acceptable 'object'
|
95
|
+
# types.
|
96
|
+
[ policy_anything ]
|
97
|
+
countryName = optional
|
98
|
+
stateOrProvinceName = optional
|
99
|
+
localityName = optional
|
100
|
+
organizationName = optional
|
101
|
+
organizationalUnitName = optional
|
102
|
+
commonName = supplied
|
103
|
+
emailAddress = optional
|
104
|
+
|
105
|
+
####################################################################
|
106
|
+
[ req ]
|
107
|
+
default_bits = 1024
|
108
|
+
default_keyfile = privkey.pem
|
109
|
+
distinguished_name = req_distinguished_name
|
110
|
+
attributes = req_attributes
|
111
|
+
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
112
|
+
|
113
|
+
# Passwords for private keys if not present they will be prompted for
|
114
|
+
# input_password = secret
|
115
|
+
# output_password = secret
|
116
|
+
|
117
|
+
# This sets a mask for permitted string types. There are several options.
|
118
|
+
# default: PrintableString, T61String, BMPString.
|
119
|
+
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
|
120
|
+
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
121
|
+
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
122
|
+
# MASK:XXXX a literal mask value.
|
123
|
+
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
|
124
|
+
string_mask = utf8only
|
125
|
+
|
126
|
+
# req_extensions = v3_req # The extensions to add to a certificate request
|
127
|
+
|
128
|
+
[ req_distinguished_name ]
|
129
|
+
countryName = Country Name (2 letter code)
|
130
|
+
countryName_default = AU
|
131
|
+
countryName_min = 2
|
132
|
+
countryName_max = 2
|
133
|
+
|
134
|
+
stateOrProvinceName = State or Province Name (full name)
|
135
|
+
stateOrProvinceName_default = Some-State
|
136
|
+
|
137
|
+
localityName = Locality Name (eg, city)
|
138
|
+
|
139
|
+
0.organizationName = Organization Name (eg, company)
|
140
|
+
0.organizationName_default = Internet Widgits Pty Ltd
|
141
|
+
|
142
|
+
# we can do this but it is not needed normally :-)
|
143
|
+
#1.organizationName = Second Organization Name (eg, company)
|
144
|
+
#1.organizationName_default = World Wide Web Pty Ltd
|
145
|
+
|
146
|
+
organizationalUnitName = Organizational Unit Name (eg, section)
|
147
|
+
#organizationalUnitName_default =
|
148
|
+
|
149
|
+
commonName = Common Name (eg, YOUR name)
|
150
|
+
commonName_max = 64
|
151
|
+
|
152
|
+
emailAddress = Email Address
|
153
|
+
emailAddress_max = 64
|
154
|
+
|
155
|
+
# SET-ex3 = SET extension number 3
|
156
|
+
|
157
|
+
[ req_attributes ]
|
158
|
+
challengePassword = A challenge password
|
159
|
+
challengePassword_min = 4
|
160
|
+
challengePassword_max = 20
|
161
|
+
|
162
|
+
unstructuredName = An optional company name
|
163
|
+
|
164
|
+
[ usr_cert ]
|
165
|
+
|
166
|
+
# These extensions are added when 'ca' signs a request.
|
167
|
+
|
168
|
+
# This goes against PKIX guidelines but some CAs do it and some software
|
169
|
+
# requires this to avoid interpreting an end user certificate as a CA.
|
170
|
+
|
171
|
+
basicConstraints=CA:FALSE
|
172
|
+
|
173
|
+
# Here are some examples of the usage of nsCertType. If it is omitted
|
174
|
+
# the certificate can be used for anything *except* object signing.
|
175
|
+
|
176
|
+
# This is OK for an SSL server.
|
177
|
+
# nsCertType = server
|
178
|
+
|
179
|
+
# For an object signing certificate this would be used.
|
180
|
+
# nsCertType = objsign
|
181
|
+
|
182
|
+
# For normal client use this is typical
|
183
|
+
# nsCertType = client, email
|
184
|
+
|
185
|
+
# and for everything including object signing:
|
186
|
+
# nsCertType = client, email, objsign
|
187
|
+
|
188
|
+
# This is typical in keyUsage for a client certificate.
|
189
|
+
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
190
|
+
|
191
|
+
# This will be displayed in Netscape's comment listbox.
|
192
|
+
nsComment = "OpenSSL Generated Certificate"
|
193
|
+
|
194
|
+
# PKIX recommendations harmless if included in all certificates.
|
195
|
+
subjectKeyIdentifier=hash
|
196
|
+
authorityKeyIdentifier=keyid,issuer
|
197
|
+
|
198
|
+
# This stuff is for subjectAltName and issuerAltname.
|
199
|
+
# Import the email address.
|
200
|
+
# subjectAltName=email:copy
|
201
|
+
# An alternative to produce certificates that aren't
|
202
|
+
# deprecated according to PKIX.
|
203
|
+
# subjectAltName=email:move
|
204
|
+
|
205
|
+
# Copy subject details
|
206
|
+
# issuerAltName=issuer:copy
|
207
|
+
|
208
|
+
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
209
|
+
#nsBaseUrl
|
210
|
+
#nsRevocationUrl
|
211
|
+
#nsRenewalUrl
|
212
|
+
#nsCaPolicyUrl
|
213
|
+
#nsSslServerName
|
214
|
+
|
215
|
+
# This is required for TSA certificates.
|
216
|
+
# extendedKeyUsage = critical,timeStamping
|
217
|
+
|
218
|
+
[ v3_req ]
|
219
|
+
|
220
|
+
# Extensions to add to a certificate request
|
221
|
+
|
222
|
+
basicConstraints = CA:FALSE
|
223
|
+
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
224
|
+
|
225
|
+
[ v3_ca ]
|
226
|
+
|
227
|
+
|
228
|
+
# Extensions for a typical CA
|
229
|
+
|
230
|
+
|
231
|
+
# PKIX recommendation.
|
232
|
+
|
233
|
+
subjectKeyIdentifier=hash
|
234
|
+
|
235
|
+
authorityKeyIdentifier=keyid:always,issuer
|
236
|
+
|
237
|
+
# This is what PKIX recommends but some broken software chokes on critical
|
238
|
+
# extensions.
|
239
|
+
#basicConstraints = critical,CA:true
|
240
|
+
# So we do this instead.
|
241
|
+
basicConstraints = CA:true
|
242
|
+
|
243
|
+
# Key usage: this is typical for a CA certificate. However since it will
|
244
|
+
# prevent it being used as an test self-signed certificate it is best
|
245
|
+
# left out by default.
|
246
|
+
# keyUsage = cRLSign, keyCertSign
|
247
|
+
|
248
|
+
# Some might want this also
|
249
|
+
# nsCertType = sslCA, emailCA
|
250
|
+
|
251
|
+
# Include email address in subject alt name: another PKIX recommendation
|
252
|
+
# subjectAltName=email:copy
|
253
|
+
# Copy issuer details
|
254
|
+
# issuerAltName=issuer:copy
|
255
|
+
|
256
|
+
# DER hex encoding of an extension: beware experts only!
|
257
|
+
# obj=DER:02:03
|
258
|
+
# Where 'obj' is a standard or added object
|
259
|
+
# You can even override a supported extension:
|
260
|
+
# basicConstraints= critical, DER:30:03:01:01:FF
|
261
|
+
|
262
|
+
[ crl_ext ]
|
263
|
+
|
264
|
+
# CRL extensions.
|
265
|
+
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
266
|
+
|
267
|
+
# issuerAltName=issuer:copy
|
268
|
+
authorityKeyIdentifier=keyid:always
|
269
|
+
|
270
|
+
[ proxy_cert_ext ]
|
271
|
+
# These extensions should be added when creating a proxy certificate
|
272
|
+
|
273
|
+
# This goes against PKIX guidelines but some CAs do it and some software
|
274
|
+
# requires this to avoid interpreting an end user certificate as a CA.
|
275
|
+
|
276
|
+
basicConstraints=CA:FALSE
|
277
|
+
|
278
|
+
# Here are some examples of the usage of nsCertType. If it is omitted
|
279
|
+
# the certificate can be used for anything *except* object signing.
|
280
|
+
|
281
|
+
# This is OK for an SSL server.
|
282
|
+
# nsCertType = server
|
283
|
+
|
284
|
+
# For an object signing certificate this would be used.
|
285
|
+
# nsCertType = objsign
|
286
|
+
|
287
|
+
# For normal client use this is typical
|
288
|
+
# nsCertType = client, email
|
289
|
+
|
290
|
+
# and for everything including object signing:
|
291
|
+
# nsCertType = client, email, objsign
|
292
|
+
|
293
|
+
# This is typical in keyUsage for a client certificate.
|
294
|
+
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
295
|
+
|
296
|
+
# This will be displayed in Netscape's comment listbox.
|
297
|
+
nsComment = "OpenSSL Generated Certificate"
|
298
|
+
|
299
|
+
# PKIX recommendations harmless if included in all certificates.
|
300
|
+
subjectKeyIdentifier=hash
|
301
|
+
authorityKeyIdentifier=keyid,issuer
|
302
|
+
|
303
|
+
# This stuff is for subjectAltName and issuerAltname.
|
304
|
+
# Import the email address.
|
305
|
+
# subjectAltName=email:copy
|
306
|
+
# An alternative to produce certificates that aren't
|
307
|
+
# deprecated according to PKIX.
|
308
|
+
# subjectAltName=email:move
|
309
|
+
|
310
|
+
# Copy subject details
|
311
|
+
# issuerAltName=issuer:copy
|
312
|
+
|
313
|
+
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
314
|
+
#nsBaseUrl
|
315
|
+
#nsRevocationUrl
|
316
|
+
#nsRenewalUrl
|
317
|
+
#nsCaPolicyUrl
|
318
|
+
#nsSslServerName
|
319
|
+
|
320
|
+
# This really needs to be in place for it to be a proxy certificate.
|
321
|
+
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
322
|
+
|
323
|
+
####################################################################
|
324
|
+
[ tsa ]
|
325
|
+
|
326
|
+
default_tsa = tsa_config1 # the default TSA section
|
327
|
+
|
328
|
+
[ tsa_config1 ]
|
329
|
+
|
330
|
+
# These are used by the TSA reply generation only.
|
331
|
+
dir = ./demoCA # TSA root directory
|
332
|
+
serial = $dir/tsaserial # The current serial number (mandatory)
|
333
|
+
crypto_device = builtin # OpenSSL engine to use for signing
|
334
|
+
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
335
|
+
# (optional)
|
336
|
+
certs = $dir/cacert.pem # Certificate chain to include in reply
|
337
|
+
# (optional)
|
338
|
+
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
|
339
|
+
|
340
|
+
default_policy = tsa_policy1 # Policy if request did not specify it
|
341
|
+
# (optional)
|
342
|
+
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
343
|
+
digests = md5, sha1 # Acceptable message digests (mandatory)
|
344
|
+
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
345
|
+
clock_precision_digits = 0 # number of digits after dot. (optional)
|
346
|
+
ordering = yes # Is ordering defined for timestamps?
|
347
|
+
# (optional, default: no)
|
348
|
+
tsa_name = yes # Must the TSA name be included in the reply?
|
349
|
+
# (optional, default: no)
|
350
|
+
ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
351
|
+
# (optional, default: no)
|