Remove interfaces/ssl. Was unclaimed stuff that had no more usefulness.

6debc56b · Bruce Momjian · 52f8c56a · 52f8c56a · 52f8c56a · 52f8c56a
Commit 6debc56b authored Aug 16, 2002 by Bruce Momjian
5 changed files
--- a/src/interfaces/ssl/client.conf
+++ b/src/interfaces/ssl/client.conf
-#
-# PostgreSQL sample configuration for *client* cert.
-# Contrast and compare with server.conf and root.conf.
-#
-
-####################################################################
-[ req ]
-default_bits		= 1024
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-#x509_extensions	= v3_ca	# The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent		= domain name (TLD)
-0.domainComponent_default	= com
-0.domainComponent_min		= 2
-0.domainComponent_max		= 3
-
-1.domainComponent		= domain name
-1.domainComponent_default	= example
-1.domainComponent_min		= 1
-1.domainComponent_max		= 64
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
-
-#organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-
-commonName			= Your name
-commonName_max			= 64
-
-emailAddress			= Email Address
-emailAddress_max		= 40
-
-# SET-ex3			= SET extension number 3
-
-[ req_attributes ]
-pgName				= PostgreSQL user name
-pgName_min			= 1
-pgName_max			= 12
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment			= "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-subjectAltName=pgName
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
--- a/src/interfaces/ssl/mkcert.sh
+++ b/src/interfaces/ssl/mkcert.sh
-#!/bin/sh
-
-# === FIRST DRAFT ===
-
-PG_HOME=/var/lib/postgres
-PG_DATA=$PG_HOME/data
-
-# default password for CA key
-PASSWORD=postgresql
-
-#
-# this script creates the root (CA) certificate and
-# server cert for PostgreSQL.  The OpenSSL applications
-# must be in the path.
-#
-
-if [ $PG_HOME"." = "." -o $PG_DATA"." = "." ]
-then
-  /bin/echo You must define \$PG_HOME and \$PG_DATA before running this program.
-  exit 0
-fi
-
-#
-# generate DSA parameters file used for keys, if one does
-# not already exist.
-#
-if [ ! -f $PG_HOME/dsa1024.pem -o -z $PG_HOME/dsa1024.pem ]
-then
-  openssl dsaparam -out $PG_HOME/dsa1024.pem 1024
-fi
-
-#
-# generate CA directory tree and contents, if it does not already
-# exist.
-#
-if [ ! -d $PG_HOME/CA ]
-then
-  /bin/mkdir $PG_HOME/CA;
-fi
-if [ ! -d $PG_HOME/CA/certs ]
-then
-  /bin/mkdir $PG_HOME/CA/certs
-fi
-if [ ! -d $PG_HOME/CA/crl ]
-then
-  /bin/mkdir $PG_HOME/CA/crl
-fi
-if [ ! -d $PG_HOME/CA/newcerts ]
-then
-  /bin/mkdir $PG_HOME/CA/newcerts
-fi
-if [ ! -d $PG_HOME/CA/private ]
-then
-  /bin/mkdir $PG_HOME/CA/private
-  /bin/chmod 0700 $PG_HOME/CA/private
-fi
-if [ ! -f $PG_HOME/CA/index.txt ]
-then
-  /usr/bin/touch $PG_HOME/CA/index.txt
-fi
-if [ ! -f $PG_HOME/CA/serial ]
-then
-  /bin/echo 01 > $PG_HOME/CA/serial
-fi
-
-#
-# generate root key, if one does not already exist.
-#
-if [ ! -f $PG_HOME/CA/private/cakey.pem -o -z $PG_HOME/CA/private/cakey.pem ]
-then
-  openssl gendsa $PG_HOME/dsa1024.pem |\
-    openssl pkcs8 -topk8 -v2 bf -out $PG_HOME/CA/private/cakey.pem 
-  /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate self-signed root certificate, if one does not already exist
-#
-if [ ! -f $PG_HOME/CA/cacert.pem -o -z $PG_HOME/CA/cacert.pem ]
-then
-  /bin/echo "Creating the root certificate...."
-  /bin/echo ""
-  openssl req -new -x509 -out $PG_HOME/CA/cacert.pem \
-	-key $PG_HOME/CA/private/cakey.pem \
-	-config $PG_HOME/root.conf
-  link -s $PG_HOME/CA/cacert.pem $PG_DATA/root.crt
-fi
-
-#
-# generate server key, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.key -o -z $PG_DATA/server.key ]
-then
-  openssl gendsa -out $PG_DATA/server.key $PG_HOME/dsa1024.pem
-  /bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
-fi
-
-#
-# generate server certificate, if one does not already exist.
-#
-if [ ! -f $PG_DATA/server.crt -o -z $PG_DATA/server.crt ]
-then
-  /bin/echo "Creating the PostgreSQL server certificate...."
-  /bin/echo ""
-  openssl req -new -x509 -out $PG_DATA/server.self \
-	-key $PG_DATA/server.key \
-	-config $PG_HOME/server.conf
-  if [ -f $PG_DATA/server.self ]
-  then
-    openssl ca -out $PG_DATA/server.crt -ss_cert $PG_DATA/server.self \
-	-config $PG_HOME/root.conf -extensions svr_cert
-    /bin/rm -f $PG_DATA/server.self
-  fi
-fi
--- a/src/interfaces/ssl/pgkeygen.sh
+++ b/src/interfaces/ssl/pgkeygen.sh
-#!/bin/sh
-
-echo \$HOME = $HOME
-
-CLIENTDIR=$HOME/.postgresql
-
-#
-# copy root certificate, if necessary
-#
-if [ ! -f $CLIENTDIR/root.crt -o -z $CLIENTDIR/root.crt ]
-then
-  if [ -f /etc/postgresql/root.crt ]
-  then
-    /bin/cp -p /etc/postgresql/root.crt $CLIENTDIR
-  fi
-fi
-
-#
-# generate client key, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.key -o -z $CLIENTDIR/postgresql.key ]
-then
-  if [ ! -f /etc/postgresql/dsa1024.pem -o -z /etc/postgresql/dsa1024.pem ]
-  then
-    /bin/echo "You must get the dsa1024.pem file from your DBA."
-    exit 0
-  fi
-  openssl gendsa /etc/postgresql/dsa1024.pem |\
-    openssl pkcs8 -topk8 -v2 bf -out $CLIENTDIR/postgresql.key
-  /bin/chmod 0600 $CLIENTDIR/postgresql.key
-fi
-
-#
-# generate client SS certificate, if one does not already exist.
-#
-if [ ! -f $CLIENTDIR/postgresql.crt -o -z $CLIENTDIR/postgresql.crt ]
-then
-  if [ ! -f $CLIENTDIR/postgresql.pem -o -z $CLIENTDIR/postgresql.pem ]
-  then
-    /bin/echo "Creating client certificate...."
-    /bin/echo ""
-    openssl req -new -x509 -out $CLIENTDIR/postgresql.pem \
-      -key $CLIENTDIR/postgresql.key -config /etc/postgresql/client.conf
-    /bin/echo ""
-    /bin/cat << EOM
-
-You must now provide a copy of your ~/.postgresql/postgresql.pem file
-to your DBA for them to sign.  When they have done so, you should rerun
-this application.
-EOM
-  else
-    cp -p $CLIENTDIR/postgresql.pem $CLIENTDIR/postgresql.crt
-  fi
-fi
--- a/src/interfaces/ssl/root.conf
+++ b/src/interfaces/ssl/root.conf
-#
-# PostgreSQL sample configuration for *root* cert.
-# Contrast and compare with server.conf and client.conf.
-#
-
-# define something in case $PG_HOME isn't defined.
-PG_HOME		= /var/lib/postgres
-
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir		= $ENV::PG_HOME/CA	# Where everything is kept
-certs		= $dir/certs		# Where the issued certs are kept
-crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-new_certs_dir	= $dir/newcerts		# default place for new certs.
-
-certificate	= $dir/cacert.pem 	# The CA certificate
-serial		= $dir/serial 		# The current serial number
-crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
-
-x509_extensions	= clnt_cert		# The extentions to add to the cert
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crl_extensions	= crl_ext
-
-default_days	= 365			# how long to certify for
-default_crl_days= 30			# how long before next CRL
-default_md	= sha1			# which md to use.
-preserve	= no			# keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy		= policy_match
-
-# For the CA policy
-[ policy_match ]
-domainComponent	= match
-#1.domainComponent	= match
-#organizationName	= match
-#organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-domainComponent	= optional
-#1.domainComponent	= optional
-#countryName		= optional
-#stateOrProvinceName	= optional
-#localityName		= optional
-#organizationName	= optional
-#organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-
-####################################################################
-[ req ]
-default_bits		= 1024
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent		= domain name (TLD)
-0.domainComponent_default	= com
-0.domainComponent_min		= 2
-0.domainComponent_max		= 3
-
-1.domainComponent		= domain name
-1.domainComponent_default	= example
-1.domainComponent_min		= 1
-1.domainComponent_max		= 64
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
-
-#organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-
-commonName			= Common Name
-commonName_value		= PostgreSQL Root Cert
-#commonName_max			= 64
-
-emailAddress			= Email Address
-emailAddress_default		= postgres@example.com
-emailAddress_max		= 40
-
-# SET-ex3			= SET extension number 3
-
-[ req_attributes ]
-
-[ svr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment			= "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ clnt_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment			= "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-subjectAltName=email:copy
-# Copy issuer details
-issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
--- a/src/interfaces/ssl/server.conf
+++ b/src/interfaces/ssl/server.conf
-#
-# PostgreSQL sample configuration for *server* cert.
-# Contrast and compare with root.conf and client.conf.
-#
-
-####################################################################
-[ req ]
-default_bits		= 1024
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-#x509_extensions	= v3_ca	# The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-0.domainComponent		= domain name (TLD)
-0.domainComponent_default	= com
-0.domainComponent_min		= 2
-0.domainComponent_max		= 3
-
-1.domainComponent		= domain name
-1.domainComponent_default	= example
-1.domainComponent_min		= 1
-1.domainComponent_max		= 64
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Snake Oil
-
-# we can do this but it is not needed normally :-)
-#1.organizationName		= Second Organization Name (eg, company)
-#1.organizationName_default	= World Wide Web Pty Ltd
-
-#organizationalUnitName		= Organizational Unit Name (eg, section)
-#organizationalUnitName_default	=
-
-commonName			= FQDN of server
-commonName_default		= postgres.example.com
-commonName_max			= 64
-
-emailAddress			= Email Address
-emailAddress_default		= postgres@example.com
-emailAddress_max		= 40
-
-# SET-ex3			= SET extension number 3
-
-[ req_attributes ]
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-nsCertType			= server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-#nsComment			= "OpenSSL Generated Certificate"
-nsComment = "PostgreSQL/OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-subjectAltName=email:copy
-
-# Copy subject details
-issuerAltName=issuer:copy
-
-#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-