From 6debc56bbc8913cc383fa7e7e27b28b6211b9608 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Fri, 16 Aug 2002 04:29:15 +0000
Subject: [PATCH] Remove interfaces/ssl. Was unclaimed stuff that had no more usefulness.
---
 src/interfaces/ssl/client.conf | 120 ---------------
 src/interfaces/ssl/mkcert.sh | 114 --------------
 src/interfaces/ssl/pgkeygen.sh | 54 -------
 src/interfaces/ssl/root.conf | 270 --------------------------------
 src/interfaces/ssl/server.conf | 118 --------------
 5 files changed, 676 deletions(-)
 delete mode 100644 src/interfaces/ssl/client.conf
 delete mode 100755 src/interfaces/ssl/mkcert.sh
 delete mode 100644 src/interfaces/ssl/pgkeygen.sh
 delete mode 100644 src/interfaces/ssl/root.conf
 delete mode 100644 src/interfaces/ssl/server.conf
diff --git a/src/interfaces/ssl/client.conf b/src/interfaces/ssl/client.conf
deleted file mode 100644
index 48793dc848..0000000000
--- a/src/interfaces/ssl/client.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-#
-# PostgreSQL sample configuration for *client* cert.
-# Contrast and compare with server.conf and root.conf.
-#
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-#x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Your name
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-pgName = PostgreSQL user name
-pgName_min = 1
-pgName_max = 12
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-subjectAltName=pgName
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
diff --git a/src/interfaces/ssl/mkcert.sh b/src/interfaces/ssl/mkcert.sh
deleted file mode 100755
index 8728a3a7a3..0000000000
--- a/src/interfaces/ssl/mkcert.sh
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/bin/sh
-
-# === FIRST DRAFT ===
-
-PG_HOME=/var/lib/postgres
-PG_DATA=$PG_HOME/data
-
-# default password for CA key
-PASSWORD=postgresql
-
-#
-# this script creates the root (CA) certificate and
-# server cert for PostgreSQL. The OpenSSL applications
-# must be in the path.
-#
-
-if [ $PG_HOME"." = "." -o $PG_DATA"." = "." ]
-then
- /bin/echo You must define \$PG_HOME and \$PG_DATA before running this program.
- exit 0
-fi
-
-#
-# generate DSA parameters file used for keys, if one does
-# not already exist.
-#
-if [ ! -f $PG_HOME/dsa1024.pem -o -z $PG_HOME/dsa1024.pem ]
-then
- openssl dsaparam -out $PG_HOME/dsa1024.pem 1024
-fi
-
-#
-# generate CA directory tree and contents, if it does not already
-# exist.
-#
-if [ ! -d $PG_HOME/CA ]
-then
- /bin/mkdir $PG_HOME/CA;
-fi
-if [ ! -d $PG_HOME/CA/certs ]
-then
- /bin/mkdir $PG_HOME/CA/certs
-fi
-if [ ! -d $PG_HOME/CA/crl ]
-then
- /bin/mkdir $PG_HOME/CA/crl
-fi
-if [ ! -d $PG_HOME/CA/newcerts ]
-then
- /bin/mkdir $PG_HOME/CA/newcerts
-fi
-if [ ! -d $PG_HOME/CA/private ]
-then
- /bin/mkdir $PG_HOME/CA/private
- /bin/chmod 0700 $PG_HOME/CA/private
-fi
-if [ ! -f $PG_HOME/CA/index.txt ]
-then
- /usr/bin/touch $PG_HOME/CA/index.txt
-fi
-if [ ! -f $PG_HOME/CA/serial ]
-then
- /bin/echo 01 > $PG_HOME/CA/serial
-fi
-
-#
-# generate root key, if one does not already exist.
-#
-if [ ! -f $PG_HOME/CA/private/cakey.pem -o -z $PG_HOME/CA/private/cakey.pem ]
-then
- openssl gendsa $PG_HOME/dsa1024.pem |\
- openssl pkcs8 -topk8 -v2 bf -out $PG_HOME/CA/private/cakey.pem
- /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate self-signed root certificate, if one does not already exist
-#
-if [ ! -f $PG_HOME/CA/cacert.pem -o -z $PG_HOME/CA/cacert.pem ]
-then
- /bin/echo "Creating the root certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $PG_HOME/CA/cacert.pem \
- -key $PG_HOME/CA/private/cakey.pem \
- -config $PG_HOME/root.conf
- link -s $PG_HOME/CA/cacert.pem $PG_DATA/root.crt
-fi
-
-#
-# generate server key, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.key -o -z $PG_DATA/server.key ]
-then
- openssl gendsa -out $PG_DATA/server.key $PG_HOME/dsa1024.pem
- /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate server certificate, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.crt -o -z $PG_DATA/server.crt ]
-then
- /bin/echo "Creating the PostgreSQL server certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $PG_DATA/server.self \
- -key $PG_DATA/server.key \
- -config $PG_HOME/server.conf
- if [ -f $PG_DATA/server.self ]
- then
- openssl ca -out $PG_DATA/server.crt -ss_cert $PG_DATA/server.self \
- -config $PG_HOME/root.conf -extensions svr_cert
- /bin/rm -f $PG_DATA/server.self
- fi
-fi
diff --git a/src/interfaces/ssl/pgkeygen.sh b/src/interfaces/ssl/pgkeygen.sh
deleted file mode 100644
index a65bb0fc4e..0000000000
--- a/src/interfaces/ssl/pgkeygen.sh
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-
-echo \$HOME = $HOME
-
-CLIENTDIR=$HOME/.postgresql
-
-#
-# copy root certificate, if necessary
-#
-if [ ! -f $CLIENTDIR/root.crt -o -z $CLIENTDIR/root.crt ]
-then
- if [ -f /etc/postgresql/root.crt ]
- then
- /bin/cp -p /etc/postgresql/root.crt $CLIENTDIR
- fi
-fi
-
-#
-# generate client key, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.key -o -z $CLIENTDIR/postgresql.key ]
-then
- if [ ! -f /etc/postgresql/dsa1024.pem -o -z /etc/postgresql/dsa1024.pem ]
- then
- /bin/echo "You must get the dsa1024.pem file from your DBA."
- exit 0
- fi
- openssl gendsa /etc/postgresql/dsa1024.pem |\
- openssl pkcs8 -topk8 -v2 bf -out $CLIENTDIR/postgresql.key
- /bin/chmod 0600 $CLIENTDIR/postgresql.key
-fi
-
-#
-# generate client SS certificate, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.crt -o -z $CLIENTDIR/postgresql.crt ]
-then
- if [ ! -f $CLIENTDIR/postgresql.pem -o -z $CLIENTDIR/postgresql.pem ]
- then
- /bin/echo "Creating client certificate...."
- /bin/echo ""
- openssl req -new -x509 -out $CLIENTDIR/postgresql.pem \
- -key $CLIENTDIR/postgresql.key -config /etc/postgresql/client.conf
- /bin/echo ""
- /bin/cat << EOM
-
-You must now provide a copy of your ~/.postgresql/postgresql.pem file
-to your DBA for them to sign. When they have done so, you should rerun
-this application.
-EOM
- else
- cp -p $CLIENTDIR/postgresql.pem $CLIENTDIR/postgresql.crt
- fi
-fi
diff --git a/src/interfaces/ssl/root.conf b/src/interfaces/ssl/root.conf
deleted file mode 100644
index d7ed143b26..0000000000
--- a/src/interfaces/ssl/root.conf
+++ /dev/null
@@ -1,270 +0,0 @@
-#
-# PostgreSQL sample configuration for *root* cert.
-# Contrast and compare with server.conf and client.conf.
-#
-
-# define something in case $PG_HOME isn't defined.
-PG_HOME = /var/lib/postgres
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::PG_HOME/CA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
-
-x509_extensions = clnt_cert # The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-domainComponent = match
-#1.domainComponent = match
-#organizationName = match
-#organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-domainComponent = optional
-#1.domainComponent = optional
-#countryName = optional
-#stateOrProvinceName = optional
-#localityName = optional
-#organizationName = optional
-#organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name
-commonName_value = PostgreSQL Root Cert
-#commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = postgres@example.com
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-
-[ svr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ clnt_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-subjectAltName=email:copy
-# Copy issuer details
-issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/interfaces/ssl/server.conf b/src/interfaces/ssl/server.conf
deleted file mode 100644
index fe6cfe4106..0000000000
--- a/src/interfaces/ssl/server.conf
+++ /dev/null
@@ -1,118 +0,0 @@
-#
-# PostgreSQL sample configuration for *server* cert.
-# Contrast and compare with root.conf and client.conf.
-#
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-#x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent = domain name (TLD)
-0.domainComponent_default = com
-0.domainComponent_min = 2
-0.domainComponent_max = 3
-
-1.domainComponent = domain name
-1.domainComponent_default = example
-1.domainComponent_min = 1
-1.domainComponent_max = 64
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-#organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = FQDN of server
-commonName_default = postgres.example.com
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = postgres@example.com
-emailAddress_max = 40
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment = "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-