unbound/smallapp/unbound-control-setup.sh.in

#!/bin/sh
#
# unbound-control-setup.sh - set up SSL certificates for unbound-control
#
# Copyright (c) 2008, NLnet Labs. All rights reserved.
#
# This software is open source.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither the name of the NLNET LABS nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# settings:

# directory for files
DESTDIR=@ub_conf_dir@

# issuer and subject name for certificates
SERVERNAME=unbound
CLIENTNAME=unbound-control

# validity period for certificates
DAYS=7200

# size of keys in bits
BITS=3072

# hash algorithm
HASH=sha256

# base name for unbound server keys
SVR_BASE=unbound_server

# base name for unbound-control keys
CTL_BASE=unbound_control

# flag to recreate generated certificates
RECREATE=0

# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
umask 0027

# end of options

set -eu

cleanup() {
    echo "removing artifacts"

    rm -rf \
       server.cnf \
       client.cnf \
       "${SVR_BASE}_trust.pem" \
       "${CTL_BASE}_trust.pem" \
       "${SVR_BASE}_trust.srl"
}

fatal() {
    printf "fatal error: $*\n" >/dev/stderr
    exit 1
}

usage() {
    cat <<EOF
usage: $0 OPTIONS
OPTIONS
-d <dir>  used directory to store keys and certificates (default: $DESTDIR)
-h        show help notice
-r        recreate certificates
EOF
}

OPTIND=1
while getopts 'd:hr' arg; do
    case "$arg" in
      d) DESTDIR="$OPTARG" ;;
      h) usage; exit 1 ;;
      r) RECREATE=1 ;;
      ?) fatal "'$arg' unknown option" ;;
    esac
done
shift $((OPTIND - 1))

if ! openssl >/dev/null 2>&1; then
    echo "$0 requires openssl to be installed for keys/certificates generation." >&2
    exit 1
fi

echo "setup in directory $DESTDIR"
cd "$DESTDIR"

trap cleanup INT

# ===
# Generate server certificate
# ===

# generate private key; do no recreate it if they already exist.
if [ ! -f "$SVR_BASE.key" ]; then
    openssl genrsa -out "$SVR_BASE.key" "$BITS"
fi

cat >server.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
x509_extensions=v3_ca
[req_distinguished_name]
commonName=$SERVERNAME
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:0
subjectAltName=DNS:$SERVERNAME
EOF

[ -f server.cnf ] || fatal "cannot create openssl configuration"

if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then
    openssl req \
            -new -x509 \
            -key "$SVR_BASE.key" \
            -config server.cnf  \
            -days "$DAYS" \
            -out "$SVR_BASE.pem"

    [ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"
fi

# ===
# Generate client certificate
# ===

# generate private key; do no recreate it if they already exist.
if [ ! -f "$CTL_BASE.key" ]; then
    openssl genrsa -out "$CTL_BASE.key" "$BITS"
fi

cat >client.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
req_extensions=v3_req
[req_distinguished_name]
commonName=$CLIENTNAME
[v3_req]
basicConstraints=critical,CA:FALSE
subjectAltName=DNS:$CLIENTNAME
EOF

[ -f client.cnf ] || fatal "cannot create openssl configuration"

if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
    openssl x509 \
        -addtrust serverAuth \
        -in "$SVR_BASE.pem" \
        -out "${SVR_BASE}_trust.pem"

    openssl req \
            -new \
            -config client.cnf \
            -key "$CTL_BASE.key" \
        | openssl x509 \
                  -req \
                  -days "$DAYS" \
                  -CA "${SVR_BASE}_trust.pem" \
                  -CAkey "$SVR_BASE.key" \
                  -CAcreateserial \
                  -$HASH \
                  -extfile client.cnf \
                  -extensions v3_req \
                  -out "$CTL_BASE.pem"

    [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
fi

# remove unused permissions
chmod o-rw \
      "$SVR_BASE.pem" \
      "$SVR_BASE.key" \
      "$CTL_BASE.pem" \
      "$CTL_BASE.key"

cleanup

echo "Setup success. Certificates created. Enable in unbound.conf file to use"

# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"

# see details with openssl x509 -noout -text < $SVR_BASE.pem
# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
# echo "preferences - advanced - encryption - view certificates - your certs"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"