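#!/usr/bin/env bash
#
# Generate a root CA cert for signing, and then a subject cert.
# Usage: make-certs.sh hostname [user[@domain]] [more ...]
# For testing only, probably still has some bugs in it.
#
# Everything is written to the current directory: the CA (ca.key, ca.crt,
# ca.srl, ca.db, ca.crl, ca.pem), an OCSP signer (ocsp.key, ocsp.crt) and the
# subject's <hostname>.{key,csr,crt,pem,p12} -- or <hostname>/ca.* when the
# "ca" argument asks for a subordinate CA.  Files that already exist are kept,
# so re-running the script issues further certificates from the same CA.
#
# Environment, all optional:
#   DOMAIN   - mail domain appended to a user name given without '@'
#              (default example.com; replaced by the domain of user@domain)
#   DAYS     - validity of every certificate, in days (default 365)
#   KEYTYPE  - RSA or DSA (default RSA); the rsa/dsa arguments override it
#   CRLHOURS - CRL nextUpdate, in hours (default 24)
#   CRLDAYS  - CRL nextUpdate, in days (default unset)
#
# Shell options are set here rather than on the shebang line so that they
# also apply when the script is run as "bash make-certs.sh".
set -eu -o pipefail

DOMAIN=${DOMAIN:-example.com}
DAYS=${DAYS:-365}
KEYTYPE=${KEYTYPE:-RSA}
CRLHOURS=${CRLHOURS:-24}
CRLDAYS=${CRLDAYS:-}

# Set to true whenever an existing output file is kept, so a blank line can
# separate those notices from the final summary.
skipped=false

#######################################
# Print the usage text to stderr.
# Arguments: none
#######################################
usage() {
  printf 'Usage: %s commonname user[@domain] [more [...]]\n' "${0##*/}" >&2
  printf '%s\n' \
    'More:' \
    $'\tKey usage: [sign|signing|encrypt|encryption|all]' \
    $'\tAuthority Access Info OCSP responder: ocsp:URI' \
    $'\tCRL distribution point: crl:URI' \
    $'\tSubject Alternative Name:' \
    $'\t\tHostname: *' \
    $'\t\tIP address: w.x.y.z' \
    $'\t\tEmail address: *@*.com/edu/net/org/local' \
    $'\t\tKerberos principal name: *@*.COM/EDU/NET/ORG/LOCAL' \
    $'\tExtended key usage:' \
    $'\t\t1....' \
    $'\t\t2....' \
    $'\t\tid-kp-server-auth | tls-server' \
    $'\t\tid-kp-client-auth | tls-client' \
    $'\t\tid-kp-email-protection | email' \
    $'\t\tid-ms-kp-sc-logon | id-ms-sc-logon' \
    $'\t\tid-pkinit-kp-client-auth | id-pkinit-client' \
    $'\t\tid-pkinit-kp-kdc | id-pkinit-kdc' \
    $'\t\tca | CA' >&2
}

#######################################
# Report that an existing output file is being kept.
# Globals:   skipped (written)
# Arguments: $1 - description of the file, e.g. "a ca.key" or "an ocsp.key"
#######################################
keep() {
  echo "You already have $1 file; not replacing."
  skipped=true
}

#######################################
# Not called anywhere in this script; kept as it was shipped.  Stores an OCSP
# request taken from the command line (GET) or stdin (POST) in a temp file.
# Globals:   REQUEST_METHOD (read)
#######################################
ocsp() {
  local request_file
  request_file=$(mktemp -t ocsp.request.XXXXXX)
  if [[ -n "$request_file" ]]; then
    case "${REQUEST_METHOD-}" in
      GET) printf '%s\n' "$*" > "$request_file" ;;
      POST) dd bs=1 of="$request_file" status=noxfer ;;
    esac
  fi
}

#######################################
# Write a new private key to stdout.
# Globals:   KEYTYPE (read)
# Arguments: $1 - name used for the DSA parameter file "<name>.param", which
#                 is left behind next to the key
#######################################
keygen() {
  case "$KEYTYPE" in
    DSA)
      openssl dsaparam -out "$1.param" 1024
      openssl gendsa "$1.param"
      ;;
    RSA|*)
      # The shipped script passed "-nodes" after the key size.  That is a
      # req/pkcs12 option, not a genrsa one, and current OpenSSL rejects
      # trailing arguments instead of ignoring them.
      openssl genrsa 2048
      ;;
  esac
}

#######################################
# Generate private key $1 into file $2, readable by the owner only.
# Arguments: $1 - keygen name, $2 - output file
# Returns:   non-zero (with a message) when key generation fails
#######################################
new_key() {
  # Subshell so the restrictive umask does not leak into the rest of the run.
  ( umask 077; keygen "$1" > "$2" 2>/dev/null ) \
    || { printf 'generating %s failed\n' "$2" >&2; return 1; }
}

#######################################
# Write a fresh random 64-bit serial number to $1, as hex.  The leading "00"
# keeps the integer positive whatever the top bit of the random bytes is.
# Arguments: $1 - serial file
#######################################
new_serial() {
  printf '00%s\n' "$(openssl rand -hex 8)" > "$1"
}

#######################################
# Print the "N.domainComponent=label" config lines that spell a DNS domain out
# as an X.500 name, least significant label first (com, then example, ...).
# Arguments: $1 - domain
# Outputs:   one line per label on stdout
#######################################
dc_lines() {
  printf '%s\n' "$1" \
    | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}'
}

#######################################
# Print the optional authorityInfoAccess / crlDistributionPoints extension
# lines shared by every certificate.
# Globals:   aia, crl (read)
#######################################
access_lines() {
  [[ -z "$aia" ]] || echo "authorityInfoAccess = ${aia}"
  [[ -z "$crl" ]] || echo "crlDistributionPoints = ${crl}"
}

#######################################
# Rewrite PEM certificate $1 with the human-readable "openssl x509 -text" dump
# in front of it; PEM readers skip the text before the BEGIN line.
# Arguments: $1 - certificate file
#######################################
prepend_text() {
  openssl x509 -noout -text -in "$1" > "$1.txt"
  cat "$1" >> "$1.txt"
  # cat rather than mv so the certificate keeps its inode and mode.
  cat "$1.txt" > "$1"
  rm -f -- "$1.txt"
}

#######################################
# Print the OpenSSL ASN.1 config sections that encode Kerberos principal $1
# (user[/instance...]@REALM) as the KRB5PrincipalName referenced from the
# otherName subjectAltName built during argument parsing.
# Arguments: $1 - principal
# Outputs:   config sections on stdout
#######################################
principal_sections() {
  local principal=$1 user realm count part
  local -a parts
  user=${principal%%@*}
  realm=${principal#*@}
  echo ""
  echo "[$principal]"
  echo "realm=EXPLICIT:0,GeneralString:$realm"
  echo "kerberosname=EXPLICIT:1,SEQUENCE:krb5$user"
  echo ""
  echo "[krb5$user]"
  echo "nametype=EXPLICIT:0,INTEGER:1"
  echo "namelist=EXPLICIT:1,SEQUENCE:krb5basic$user"
  echo "[krb5basic$user]"
  # Each '/'-separated component becomes one numbered GeneralString.
  IFS=/ read -r -a parts <<< "$user"
  count=0
  if (( ${#parts[@]} > 0 )); then
    for part in "${parts[@]}"; do
      echo "$count.part=GeneralString:$part"
      count=$(( count + 1 ))
    done
  fi
}

# Choose a user name part for email attributes: $2, else the current user,
# qualified with DOMAIN when no domain was given.  DOMAIN is then taken from
# the result so "user@other.org" also moves the domainComponent names.
GIVENUSER=${2-}
[[ -n "$GIVENUSER" ]] || GIVENUSER=${USER:-$(id -un)}
[[ "$GIVENUSER" == *@* ]] || GIVENUSER="$GIVENUSER@$DOMAIN"
DOMAIN=${GIVENUSER#*@}

# Default to generating a key/cert pair for the current host.
commonname=${1-}
if [[ -z "$commonname" ]]; then
  usage
  exit 1
fi
# Drop commonname and the (optional) user; the rest are attribute requests.
shift $(( $# >= 2 ? 2 : 1 ))

# Temporary OpenSSL config.  A random name in the working directory (rather
# than ./openssl.cnf) so an openssl.cnf the user keeps there is never
# overwritten and deleted on exit.  Absolute path: openssl resolves -config
# and -extfile relative to its own cwd, which is the same, but this matches
# the shipped `pwd`/... usage.
cnf=$(mktemp "$PWD/openssl.cnf.XXXXXX")
cert=
cleanup() {
  rm -f -- "$cnf" host.csr ca.crt.txt ocsp.crt.txt ${cert:+"$cert.txt"}
}
trap cleanup EXIT

# Generate a CA key.
if [[ ! -s ca.key ]]; then
  new_key ca ca.key
else
  keep "a ca.key"
fi

# Create a new CA serial number.
if [[ ! -s ca.srl ]]; then
  new_serial ca.srl
else
  keep "a ca.srl"
fi

# Create a new CA "database".
if [[ ! -s ca.db ]]; then
  touch ca.db
else
  keep "a ca.db"
fi

# Parse the arguments which indicate what sort of information we want.
CA=FALSE
aia=
crl=
keyusage=
eku=
altnames=
principals=()
while (( $# > 0 )); do
  type=
  value=$1
  case "$value" in
    RSA|rsa) KEYTYPE=RSA ;;
    DSA|dsa) KEYTYPE=DSA ;;
    OCSP:*|ocsp:*) aia="OCSP;URI:${value#*:}" ;;
    CRL:*|crl:*) crl="URI:${value#*:}" ;;
    signing|sign)
      keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature"
      ;;
    encryption|encrypt)
      keyusage="${keyusage:+${keyusage},}keyEncipherment,dataEncipherment"
      ;;
    all)
      keyusage="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly"
      ;;
    ca|CA)
      CA=TRUE
      keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign"
      ;;
    1.*|2.*|id-*|tls-*|email|mail)
      # Normalise the name (lower case, hyphens dropped) and map the known
      # aliases to their OIDs; anything else is taken as a literal OID.
      ekuval=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
      ekuval=${ekuval//-/}
      case "$ekuval" in
        idkpserverauth|tlsserver) ekuval=1.3.6.1.5.5.7.3.1 ;;
        idkpclientauth|tlsclient) ekuval=1.3.6.1.5.5.7.3.2 ;;
        idkpemailprotection|email|mail) ekuval=1.3.6.1.5.5.7.3.4 ;;
        idmskpsclogon|idmssclogon) ekuval=1.3.6.1.4.1.311.20.2.2 ;;
        idpkinitkpclientauth|idpkinitclient) ekuval=1.3.6.1.5.2.3.4 ;;
        idpkinitkpkdc|idpkinitkdc) ekuval=1.3.6.1.5.2.3.5 ;;
      esac
      eku="${eku:+${eku},}${ekuval}"
      ;;
    *@*.COM|*@*.EDU|*@*.NET|*@*.ORG|*@*.LOCAL)
      # Kerberos principal: a KRB5PrincipalName otherName, plus a Microsoft
      # UPN otherName (and a lower-cased copy when the case differs).
      luser=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
      [[ "$luser" != "$value" ]] || luser=
      type="otherName:1.3.6.1.5.2.2;SEQUENCE:$value,${luser:+otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${luser},}otherName:1.3.6.1.4.1.311.20.2.3;UTF8"
      principals+=("$value")
      ;;
    *@*.com|*@*.edu|*@*.net|*@*.org|*@*.local) type=email ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) type=IP ;;
    *) type=DNS ;;
  esac
  if [[ -n "$type" ]]; then
    altnames="${altnames:+${altnames},}${type}:${value}"
  fi
  shift
done

# Generate the CA cert.  Set the X.509v3 basic constraints to mark it as a CA
# certificate.  Signed with SHA-256 explicitly: older OpenSSL defaults to
# SHA-1, which current verifiers reject.
if [[ ! -s ca.crt ]]; then
  {
    cat <<EOF
[req]
x509_extensions = v3_ca
distinguished_name = req_ca_name
oid_section = new_oids
default_md = sha256
prompt = no

[req_ca_name]
EOF
    dc_lines "$DOMAIN"
    cat <<EOF
commonName = Test Certifying CA

[new_oids]
domainComponent = 0.9.2342.19200300.100.1.25

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints=critical,CA:TRUE
nsComment="Testing CA Certificate"
EOF
    access_lines
    echo ""
  } > "$cnf"
  openssl req -config "$cnf" -new -key ca.key > ca.csr 2>/dev/null
  openssl x509 -extfile "$cnf" -extensions v3_ca -days "$DAYS" -sha256 -req \
    -CAserial ca.srl -signkey ca.key -in ca.csr -out ca.crt
  prepend_text ca.crt
  cat ca.crt > ca.chain.crt
else
  keep "a ca.crt"
fi

# Generate an OCSP key.
if [[ ! -s ocsp.key ]]; then
  new_key ocsp ocsp.key
else
  keep "an ocsp.key"
fi

# Generate the OCSP signing cert.  Set the X.509v3 basic constraints and EKU.
if [[ ! -s ocsp.crt ]]; then
  {
    cat <<EOF
[req]
x509_extensions = v3_ocsp
distinguished_name = req_ocsp_name
oid_section = new_oids
default_md = sha256
prompt = no

[req_ocsp_name]
EOF
    dc_lines "$DOMAIN"
    cat <<EOF
commonName = OCSP Signer for Test Certifying CA

[new_oids]
domainComponent = 0.9.2342.19200300.100.1.25
ocspNoCheck = 1.3.6.1.5.5.7.48.1.5

[v3_ocsp]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
basicConstraints=CA:FALSE
extendedKeyUsage=1.3.6.1.5.5.7.3.9
nsComment="Testing OCSP Certificate"
1.3.6.1.5.5.7.48.1.5=ASN1:NULL
EOF
    access_lines
    echo ""
  } > "$cnf"
  openssl req -config "$cnf" -new -key ocsp.key > ocsp.csr 2>/dev/null
  # Issued by the CA.  The shipped script used "-signkey ca.key" here, which
  # makes a self-signed certificate carrying the CA's public key instead of
  # ocsp.key's, so the responder could never have used it.
  openssl x509 -extfile "$cnf" -extensions v3_ocsp -days "$DAYS" -sha256 -req \
    -CA ca.crt -CAkey ca.key -CAserial ca.srl -in ocsp.csr -out ocsp.crt
  prepend_text ocsp.crt
else
  keep "an ocsp.crt"
fi

# We always generate a fresh, empty, CRL.  Might as well do it now.
cat > "$cnf" <<EOF
[ca]
default_ca = issuer

[issuer]
private_key = $PWD/ca.key
certificate = $PWD/ca.crt
database = $PWD/ca.db
default_md = sha256
EOF
crl_opts=()
[[ -z "$CRLHOURS" ]] || crl_opts+=(-crlhours "$CRLHOURS")
[[ -z "$CRLDAYS" ]] || crl_opts+=(-crldays "$CRLDAYS")
if (( ${#crl_opts[@]} > 0 )); then
  openssl ca -config "$cnf" -gencrl "${crl_opts[@]}" -out ca.crl.pem
else
  openssl ca -config "$cnf" -gencrl -out ca.crl.pem
fi
openssl crl -in ca.crl.pem -outform der -out ca.crl

# Create a new serial number if this is a new CA.  A subordinate CA gets its
# own directory with a copy of this script linked in, so it can issue certs.
if [[ "$CA" == TRUE ]]; then
  [[ -d "$commonname" ]] || mkdir -- "$commonname"
  if [[ ! -s "$commonname/ca.srl" ]]; then
    new_serial "$commonname/ca.srl"
  else
    keep "a $commonname/ca.srl"
  fi
  cert=$commonname/ca.crt
  csr=$commonname/ca.csr
  key=$commonname/ca.key
  pem=$commonname/ca.pem
  pfx=$commonname/ca.p12
  # Don't fail a re-run because the link is already there.
  [[ -e "$commonname/${0##*/}" ]] || ln -s -- "../${0##*/}" "$commonname/"
else
  cert=$commonname.crt
  csr=$commonname.csr
  key=$commonname.key
  pem=$commonname.pem
  pfx=$commonname.p12
fi

# Generate the subject's certificate.  Set the X.509v3 basic constraints.
if [[ ! -s "$cert" ]]; then
  {
    cat <<EOF
[req]
distinguished_name = req_issued_name
default_md = sha256
prompt = no

[x509]
x509_extensions = v3_issued

[req_issued_name]
EOF
    dc_lines "$DOMAIN"
    # NOTE(review): the shipped config lists the EKU OIDs under
    # certificatePolicies as well as extendedKeyUsage; kept as-is.
    cat <<EOF
mail = $GIVENUSER
commonName = $commonname

[v3_issued]
certificatePolicies=2.5.29.32.0${eku:+,${eku}}
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    access_lines
    [[ -z "$keyusage" ]] || echo "keyUsage = critical,${keyusage}"
    [[ -z "$altnames" ]] || echo "subjectAltName = ${altnames}"
    [[ -z "$eku" ]] || echo "extendedKeyUsage = ${eku}"
    echo "basicConstraints=critical,CA:$CA"
    if [[ "$CA" == TRUE ]]; then
      echo "nsComment=\"Testing CA Certificate for $commonname\""
    else
      echo "nsComment=\"Testing Certificate for $commonname\""
    fi
    if (( ${#principals[@]} > 0 )); then
      for value in "${principals[@]}"; do
        principal_sections "$value"
      done
    fi
  } > "$cnf"

  # Generate another key, unless we have a key or CSR.
  if [[ ! -s "$key" && ! -s "$csr" ]]; then
    new_key "$commonname" "$key"
  else
    keep "a $key or $csr"
  fi
  [[ -s "$csr" ]] || openssl req -config "$cnf" -new -key "$key" > "$csr" 2>/dev/null
  openssl x509 -req -extfile "$cnf" -extensions v3_issued -CA ca.crt -CAkey ca.key \
    -CAserial ca.srl -sha256 -in "$csr" -days "$DAYS" > "$cert" 2>/dev/null
  prepend_text "$cert"
else
  keep "a $cert"
fi

if [[ -s ca.chain.crt ]]; then
  chain=ca.chain.crt
else
  chain=ca.crt
fi
if [[ "$CA" == TRUE ]]; then
  cat "$chain" "$cert" > "$commonname/ca.chain.crt"
fi

# Create ca.pem and the subject's name.pem for the benefit of applications
# which expect both the private key and the certificate in one file.  They
# contain private keys, so they are created owner-readable only.
old_umask=$(umask)
umask 077
if [[ ! -s ca.pem ]]; then
  cat ca.key ca.crt > ca.pem
else
  keep "a ca.pem"
fi
if [[ ! -s "$pem" ]]; then
  cat "$key" "$cert" > "$pem"
else
  keep "a $pem"
fi
if [[ ! -s "$pfx" ]]; then
  # Test-only convenience: -nodes leaves the key unencrypted inside the bag
  # and "-passout pass:" gives the bag an empty password.
  openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" \
    -out "$pfx" -nodes -passout pass:
else
  keep "a $pfx"
fi
umask "$old_umask"

if [[ "$skipped" == true ]]; then
  echo
fi
echo "CA certificate:"
openssl x509 -noout -issuer -in ca.crt | sed 's,= , ,g'
openssl x509 -noout -subject -in ca.crt | sed 's,= , ,g'
echo
echo "End entity certificate:"
openssl x509 -noout -issuer -in "$cert" | sed 's,= , ,g'
openssl x509 -noout -subject -in "$cert" | sed 's,= , ,g'
openssl x509 -noout -serial -in "$cert" | sed 's,=, ,g'
echo
echo "PKCS12 bag:"
openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass:
echo
echo "Verifying:"
echo "+ openssl verify -CAfile $chain $cert"
openssl verify -CAfile "$chain" "$cert"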