$NetBSD: patch-ab,v 1.5 2006/01/05 21:21:55 joerg Exp $

--- pkg.sslsup/mkcert.sh.orig	Sun Apr 16 19:21:24 2000
+++ pkg.sslsup/mkcert.sh
@@ -1,39 +1,57 @@
-#!/bin/sh
+#!@SH@
 ##
 ##  mkcert.sh -- SSL Certificate Generation Utility
 ##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
 ##
 
 #   parameters
-make="$1"
-mflags="$2"
-openssl="$3"
-support="$4"
-type="$5"
-algo="$6"
-crt="$7"
-key="$8"
-view="$9"
-
-#   we can operate only inside the Apache 1.3 source
-#   tree and only when mod_ssl+OpenSSL is actually configured.
-if [ ! -f "../README.configure" ]; then
-    echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2
-    echo "mkcert.sh:Hint:  You have to stay inside apache_1.3.x/src." 1>&2
-    exit 1
-fi
-if [ ".$openssl" = . ]; then
-    echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2
-    echo "mkcert.sh:Hint:  Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2
-    exit 1
+parameters=`getopt a:c:t:k:v $*`
+if [ $# = 0 ]; then
+    cat << EOF
+Usage:
+        mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v]
+
+Options:
+        -t type		Type of certificates to generate.  Valid types are:
+                            dummy      self-signed Snake Oil cert
+                            test       test cert signed by Snake Oil CA
+                            custom     custom cert signed by own CA
+                            existing   existing cert
+
+        -a algo         Signature algorithm for generated certificate.  Valid
+                        algorithms are RSA or DSA.
+
+        -c crtfile      Path to an existing certificate
+
+        -k keyfile      Path to an existing key file
+
+        -v              Display the certificate and key, then exit.
+
+EOF
+    exit 2
 fi
 
+set -- $parameters
+for param; do
+    case $param in
+        -a) algo=$2 ;;
+        -c) crt=$2 ;;
+        -t) type=$2 ;;
+        -k) key=$2 ;;
+        -v) view=1 ;;
+        --) break ;;
+    esac
+    shift
+done
+
+openssl="openssl"
+confdir=@PKG_SYSCONFDIR@
+
 #   configuration
-#   WE ARE CALLED FROM THE PARENT DIR!
-sslcrtdir="../conf/ssl.crt"
-sslcsrdir="../conf/ssl.csr"
-sslkeydir="../conf/ssl.key"
-sslprmdir="../conf/ssl.prm"
+sslcrtdir="$confdir/ssl.crt"
+sslcsrdir="$confdir/ssl.csr"
+sslkeydir="$confdir/ssl.key"
+sslprmdir="$confdir/ssl.prm"
 
 #   some optional terminal sequences
 case $TERM in
@@ -93,11 +111,11 @@ if [ ".$view" != . ]; then
 fi
 
 #   find some random files
-#   (do not use /dev/random here, because this device 
-#   doesn't work as expected on all platforms)
-randfiles=''
+#   We will always generate a /tmp/randfile using /dev/urandom
+#   before passing $randfile to openssl.
+randfiles='/tmp/randfile'
 for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \
-            /kernel /kernel/genunix /vmunix /vmlinuz /mach \
+            /kernel /kernel/genunix /vmunix /vmlinuz /mach /netbsd \
             /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do
     if [ -r $file ]; then
         if [ ".$randfiles" = . ]; then
@@ -112,7 +130,7 @@ done
 if [ -f $HOME/.rnd ]; then
     RANDFILE="$HOME/.rnd"
 else
-    RANDFILE=".mkcert.rnd"
+    RANDFILE="/tmp/.mkcert.rnd"
     (ps; date) >$RANDFILE
 fi
 export RANDFILE
@@ -156,12 +174,12 @@ case $type in
         fi
         echo "${T_MD}RESULT: Server Certification Files${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.key/server.key${T_ME}"
         echo "   The PEM-encoded $algo private key file which you configure"
         echo "   with the 'SSLCertificateKeyFile' directive (automatically done"
         echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
         echo "   The PEM-encoded X.509 certificate file which you configure"
         echo "   with the 'SSLCertificateFile' directive (automatically done"
         echo "   when you install via APACI)."
@@ -211,6 +229,7 @@ case $type in
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
+        (umask 077; head -500 /dev/urandom > randfile)
         if [ ".$algo" = .RSA ]; then
             if [ ".$randfiles" != . ]; then
                 $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
@@ -238,10 +257,11 @@ case $type in
                 exit 1
             fi
         fi
+        rm -f randfile
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
-        cat >.mkcert.cfg <<EOT
+        cat >/tmp/.mkcert.cfg <<EOT
 [ req ]
 default_bits                    = 1024
 distinguished_name              = req_DN
@@ -265,7 +285,7 @@ emailAddress                    = "7. Em
 emailAddress_max                = 40
 emailAddress_default            = www@snakeoil.dom
 EOT
-        $openssl req -config .mkcert.cfg \
+        $openssl req -config /tmp/.mkcert.cfg \
                      -new \
                      -key $sslkeydir/server.key \
                      -out $sslcsrdir/server.csr
@@ -273,7 +293,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         prompt="8. Certificate Validity     (days)          [365]:"
         echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
         read days
@@ -287,8 +307,8 @@ EOT
         read certversion
         extfile=""
         if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
-            extfile="-extfile .mkcert.cfg"
-            cat >.mkcert.cfg <<EOT
+            extfile="-extfile /tmp/.mkcert.cfg"
+            cat >/tmp/.mkcert.cfg <<EOT
 extensions = x509v3
 [ x509v3 ]
 subjectAltName   = email:copy
@@ -296,13 +316,13 @@ nsComment        = "mod_ssl generated te
 nsCertType       = server
 EOT
         fi
-        if [ ! -f .mkcert.serial ]; then
-            echo '01' >.mkcert.serial
+        if [ ! -f /tmp/.mkcert.serial ]; then
+            echo '01' >/tmp/.mkcert.serial
         fi
         if [ ".$algo" = .RSA ]; then
             $openssl x509 $extfile \
                           -days $days \
-                          -CAserial .mkcert.serial \
+                          -CAserial /tmp/.mkcert.serial \
                           -CA $sslcrtdir/snakeoil-ca-rsa.crt \
                           -CAkey $sslkeydir/snakeoil-ca-rsa.key \
                           -in $sslcsrdir/server.csr -req \
@@ -310,7 +330,7 @@ EOT
         else
             $openssl x509 $extfile \
                           -days $days \
-                          -CAserial .mkcert.serial \
+                          -CAserial /tmp/.mkcert.serial \
                           -CA $sslcrtdir/snakeoil-ca-dsa.crt \
                           -CAkey $sslkeydir/snakeoil-ca-dsa.key \
                           -in $sslcsrdir/server.csr -req \
@@ -320,7 +340,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         echo "Verify: matching certificate & key modulus"
         modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
         if [ ".$algo" = .RSA ]; then
@@ -387,22 +407,22 @@ EOT
         echo ""
         echo "${T_MD}RESULT: Server Certification Files${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.key/server.key${T_ME}"
         echo "   The PEM-encoded $algo private key file which you configure"
         echo "   with the 'SSLCertificateKeyFile' directive (automatically done"
         echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
         echo "   The PEM-encoded X.509 certificate file which you configure"
         echo "   with the 'SSLCertificateFile' directive (automatically done"
         echo "   when you install via APACI)."
         echo ""
-        echo "o  ${T_MD}conf/ssl.csr/server.csr${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
         echo "   The PEM-encoded X.509 certificate signing request file which" 
         echo "   you can send to an official Certificate Authority (CA) in order"
         echo "   to request a real server certificate (signed by this CA instead"
         echo "   of our demonstration-only Snake Oil CA) which later can replace"
-        echo "   the conf/ssl.crt/server.crt file."
+        echo "   the $confdir/ssl.crt/server.crt file."
         echo ""
         echo "WARNING: Do not use this for real-life/production systems"
         echo ""
@@ -448,6 +468,7 @@ EOT
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}"
+        (umask 077; head -500 /dev/urandom > randfile)
         if [ ".$algo" = .RSA ]; then
             if [ ".$randfiles" != . ]; then
                 $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024
@@ -475,10 +496,11 @@ EOT
                 exit 1
             fi
         fi
+        rm -f randfile
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}"
-        cat >.mkcert.cfg <<EOT
+        cat >/tmp/.mkcert.cfg <<EOT
 [ req ]
 default_bits                    = 1024
 distinguished_name              = req_DN
@@ -502,7 +524,7 @@ emailAddress                    = "7. Em
 emailAddress_max                = 40
 emailAddress_default            = ca@snakeoil.dom
 EOT
-        $openssl req -config .mkcert.cfg \
+        $openssl req -config /tmp/.mkcert.cfg \
                      -new \
                      -key $sslkeydir/ca.key \
                      -out $sslcsrdir/ca.csr
@@ -510,7 +532,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         prompt="8. Certificate Validity     (days)          [365]:"
         echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
         read days
@@ -524,8 +546,8 @@ EOT
         read certversion
         extfile=""
         if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
-            extfile="-extfile .mkcert.cfg"
-            cat >.mkcert.cfg <<EOT
+            extfile="-extfile /tmp/.mkcert.cfg"
+            cat >/tmp/.mkcert.cfg <<EOT
 extensions = x509v3
 [ x509v3 ]
 subjectAltName   = email:copy
@@ -543,7 +565,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate self-signed CA certificate" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         echo "Verify: matching certificate & key modulus"
         modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
         if [ ".$algo" = .RSA ]; then
@@ -564,6 +586,7 @@ EOT
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}"
+        (umask 077; head -500 /dev/urandom > randfile)
         if [ ".$algo" = .RSA ]; then
             if [ ".$randfiles" != . ]; then
                 $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
@@ -588,10 +611,11 @@ EOT
                 exit 1
             fi
         fi
+        rm -f randfile
         echo "______________________________________________________________________"
         echo ""
         echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"
-        cat >.mkcert.cfg <<EOT
+        cat >/tmp/.mkcert.cfg <<EOT
 [ req ]
 default_bits                    = 1024
 distinguished_name              = req_DN
@@ -615,7 +639,7 @@ emailAddress                    = "7. Em
 emailAddress_max                = 40
 emailAddress_default            = www@snakeoil.dom
 EOT
-        $openssl req -config .mkcert.cfg \
+        $openssl req -config /tmp/.mkcert.cfg \
                      -new \
                      -key $sslkeydir/server.key \
                      -out $sslcsrdir/server.csr
@@ -623,7 +647,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         prompt="8. Certificate Validity     (days)          [365]:"
         echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
         read days
@@ -637,8 +661,8 @@ EOT
         read certversion
         extfile=""
         if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
-            extfile="-extfile .mkcert.cfg"
-            cat >.mkcert.cfg <<EOT
+            extfile="-extfile /tmp/.mkcert.cfg"
+            cat >/tmp/.mkcert.cfg <<EOT
 extensions = x509v3
 [ x509v3 ]
 subjectAltName   = email:copy
@@ -646,12 +670,12 @@ nsComment        = "mod_ssl generated cu
 nsCertType       = server
 EOT
         fi
-        if [ ! -f .mkcert.serial ]; then
-            echo '01' >.mkcert.serial
+        if [ ! -f /tmp/.mkcert.serial ]; then
+            echo '01' >/tmp/.mkcert.serial
         fi
         $openssl x509 $extfile \
                       -days $days \
-                      -CAserial .mkcert.serial \
+                      -CAserial /tmp/.mkcert.serial \
                       -CA    $sslcrtdir/ca.crt \
                       -CAkey $sslkeydir/ca.key \
                       -in    $sslcsrdir/server.csr -req \
@@ -660,7 +684,7 @@ EOT
             echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
             exit 1
         fi
-        rm -f .mkcert.cfg
+        rm -f /tmp/.mkcert.cfg
         echo "Verify: matching certificate & key modulus"
         modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
         if [ ".$algo" = .RSA ]; then
@@ -764,31 +788,31 @@ EOT
         echo ""
         echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.key/ca.key${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.key/ca.key${T_ME}"
         echo "   The PEM-encoded $algo private key file of the CA which you can"
         echo "   use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.crt/ca.crt${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.crt/ca.crt${T_ME}"
         echo "   The PEM-encoded X.509 certificate file of the CA which you use to"
         echo "   sign other servers or clients. When you sign clients with it (for"
         echo "   SSL client authentication) you can configure this file with the"
         echo "   'SSLCACertificateFile' directive."
         echo ""
-        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.key/server.key${T_ME}"
         echo "   The PEM-encoded $algo private key file of the server which you configure"
         echo "   with the 'SSLCertificateKeyFile' directive (automatically done"
         echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
         echo "   The PEM-encoded X.509 certificate file of the server which you configure"
         echo "   with the 'SSLCertificateFile' directive (automatically done"
         echo "   when you install via APACI)."
         echo ""
-        echo "o  ${T_MD}conf/ssl.csr/server.csr${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
         echo "   The PEM-encoded X.509 certificate signing request of the server file which" 
         echo "   you can send to an official Certificate Authority (CA) in order"
         echo "   to request a real server certificate (signed by this CA instead"
-        echo "   of our own CA) which later can replace the conf/ssl.crt/server.crt"
+        echo "   of our own CA) which later can replace the $confdir/ssl.crt/server.crt"
         echo "   file."
         echo ""
         echo "Congratulations that you establish your server with real certificates."
@@ -808,14 +832,26 @@ EOT
             echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2
             exit 1
         fi
+        if [ $crt -ef $sslcrtdir/server.crt ]; then
+            mv -f $crt $crt.backup
+            crt="$crt.backup"
+        fi
         if [ ".$key" != . ]; then
             if [ ! -f "$key" ]; then
                 echo "mkcert.sh: Cannot find private key file: $key" 1>&2
                 exit 1
             fi
+            if [ $key -ef $sslkeydir/server.key ]; then
+                mv -f $key $key.backup
+                key="$key.backup"
+            fi
             cp $crt $sslcrtdir/server.crt
             (umask 077; cp $key $sslkeydir/server.key)
         else
+            if [ $crt -ef $sslcrtdir/server.crt ]; then
+                mv -f $crt $crt.backup
+                crt="$crt.backup"
+            fi
             key=$crt
             umask 077
             touch $sslkeydir/server.key
@@ -836,12 +872,12 @@ EOT
         fi
         echo "${T_MD}RESULT: Server Certification Files${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.key/server.key${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.key/server.key${T_ME}"
         echo "   The PEM-encoded $algo private key file which you configure"
         echo "   with the 'SSLCertificateKeyFile' directive (automatically done"
         echo "   when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
         echo ""
-        echo "o  ${T_MD}conf/ssl.crt/server.crt${T_ME}"
+        echo "o  ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
         echo "   The PEM-encoded X.509 certificate file which you configure"
         echo "   with the 'SSLCertificateFile' directive (automatically done"
         echo "   when you install via APACI)."
