SSL Java viewer work thru proxy. -sslGenCA, etc key/cert management utils for x11vnc. FBPM "support".
parent 1602b345f3
commit d14cf0a84c
@ -1,2 +1,2 @@
EXTRA_DIST=VncViewer.jar index.vnc
EXTRA_DIST=VncViewer.jar index.vnc SignedVncViewer.jar proxy.vnc README ssl_vncviewer
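Review bot: SignedVncViewer.jar is checked in as a pre-built signed binary and nothing in this hunk (or the README it distributes) records how it is produced: which key signs it, the jarsigner invocation, or that it is VncViewer.jar plus a signature and nothing else. A reviewer therefore cannot verify that the signed jar matches the patched source. Add a build rule, or at least a documented command, that regenerates SignedVncViewer.jar from VncViewer.jar so the signed artifact is reproducible. Also, ssl_vncviewer is only added to EXTRA_DIST, so it ships in the tarball but is never installed; if end users are expected to run it, add it to bin_SCRIPTS or say in the README that it has to be copied by hand.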
@ -0,0 +1,72 @@
This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

tightvnc-1.3dev7_javasrc.tar.gz

currently (4/06) available here:

http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

- fix richcursor colors

- make the Java Applet cursor (not the cursor drawn to the canvas
framebuffer) invisible when it is inside the canvas.

- allow Tab (and some other) keystrokes to be sent to the vnc
server instead of doing widget traversal.


This SSL applet should work with any VNC viewer that has an SSL tunnel in
front of it. It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this Vnc Viewer will only do SSL. To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).

Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy). See the info in the proxy.vnc
file for a workaround. It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar. The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin. It may not work on older releases or different vendor VM's.
Send full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly. x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state. For one case we saw the JVM requesting VncViewer.class
even when no such file exists.


---------------------------------------------------------------
Extras:

ssl_vncviewer (not Java):

Wrapper script for native VNC viewer to connect to x11vnc in
SSL mode. Script launches stunnel(8) and then connects to it
via localhost which in turn is then redirected to x11vnc via an
SSL tunnel. stunnel(8) must be installed and available in PATH.


Running Java SSL VncViewer from the command line:

From this directory:

java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

substitute <thehost> and <theport> with the actual values.

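Review bot: the README never states what certificate validation the SSL applet performs on the x11vnc server certificate (accept any certificate, or check it against a configured CA), so a reader cannot tell whether the default "only do SSL" mode protects against an active man-in-the-middle or only against passive sniffing; say explicitly which it is and how the CA cert is supplied to the applet. The Proxies paragraph should also spell out that clicking "Yes" on the signed SignedVncViewer.jar grants the applet full permissions, not merely the right to open a socket to the proxy, which is the reason the signed page must only be served over HTTPS. Minor: the DisableSSL paragraph would benefit from a one-line warning that setting it to Yes sends the whole VNC session, including the password exchange, in the clear.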
Binary file not shown.
Binary file not shown.
@ -0,0 +1,70 @@
<!--
index.vnc - default HTML page for TightVNC Java viewer applet, to be
used with Xvnc. On any file ending in .vnc, the HTTP server embedded in
Xvnc will substitute the following variables when preceded by a dollar:
USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,
PARAMS. Use two dollar signs ($$) to get a dollar sign in the generated
HTML page.

NOTE: the $PARAMS variable is not supported by the standard VNC, so
make sure you have TightVNC on the server side, if you're using this
variable.
-->

<!--
The idea behind using the signed applet in SignedVncViewer.jar for
firewall proxies:

Java socket applets and http proxies do not get along well.

Java security allows the applet to connect back via a socket to the
originating host, but the browser/plugin Proxy settings are not used for
socket connections (only http and the like). So the socket connection
fails in the proxy environment.

The applet is not allowed to open a socket connection to the proxy (since
that would let it connect to just about any host, e.g. CONNECT method).

This is indpendent of SSL but of course fails for that socket connection
as well. I.e. this is a problem for non-SSL VNC Viewers as well.

Solution? Sign the applet and have the user click on "Yes" that they
fully trust the applet. Then the applet can connect to any host via
sockets, in particular the proxy. It next issues the request

CONNECT host:port HTTP/1.1
Host: host:port

and if the proxy supports the CONNECT method we are finally connected to
the VNC server.

For SSL connections, SSL is layered on top of this socket. However note
this scheme will work for non-SSL applet proxy tunnelling as well.

It should be able to get non-SSL VNC connections to work via GET
command but that has not been done yet.

Note that some proxies only allow CONNECT to only these the ports 443
(HTTPS) and 563 (SNEWS). So you would have to run the VNC server on
those ports.

SignedVncViewer.jar is just a signed version of VncViewer.jar

The URL to use for this file: https://host:port/proxy.vnc

-->


<HTML>
<TITLE>
$USER's $DESKTOP desktop ($DISPLAY)
</TITLE>
<APPLET CODE=VncViewer.class ARCHIVE=SignedVncViewer.jar
WIDTH=$APPLETWIDTH HEIGHT=$APPLETHEIGHT>
<param name=PORT value=$PORT>
<param name="Open New Window" value=yes>
$PARAMS
</APPLET>
<BR>
<A href="http://www.tightvnc.com/">TightVNC site</A>
</HTML>
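Review bot: the CONNECT exchange shown ("CONNECT host:port HTTP/1.1" / "Host: host:port") does not cover proxies that demand authentication and answer with 407 and a Proxy-Authenticate header, which is the common corporate case; the comment should say whether the applet handles that (and how the credentials are obtained) or simply fails, and what the user will see. The "fully trust the applet" sentence is accurate and should stay, but it is worth adding that the grant is all-permissions for the signer, not a connect-to-the-proxy permission, so the page at https://host:port/proxy.vnc and the jar it references need the same protection as the VNC password itself. Typo in the ports paragraph: "only allow CONNECT to only these the ports 443" should read "only allow CONNECT to ports 443".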
@ -0,0 +1,142 @@
#!/bin/sh
#
# ssl_vncviewer: wrapper for vncviewer to use stunnel SSL tunnel.
#
# You must have stunnel(8) installed on the system and in your
# PATH (n.b. stunnel is usually in an sbin subdir).
#
# You should have "x11vnc -ssl ..." or "x11vnc -stunnel ..."
# running as the VNC server.
#
# usage: ssl_vncviewer [cert-args] host:display <vncviewer-args>
#
# e.g.: ssl_vncviewer snoopy:0
# ssl_vncviewer snoopy:0 -encodings "copyrect tight zrle hextile"
#
# [cert-args] can be:
# -verify /path/to/cacert.pem
# -mycert /path/to/mycert.pem
#
# -verify specifies a CA cert PEM file (or a self-signed one) for
# authenticating the VNC server.
#
# -mycert specifies this client's cert+key PEM file for the VNC server to
# authenticate this client.
#

VNCVIEWERCMD="vncviewer"
PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH

help() {
head -26 $0 | tail +2
}

# grab our cmdline options:
while [ "X$1" != "X" ]
do
case $1 in
"-verify") shift; verify="$1"
;;
"-mycert") shift; mycert="$1"
;;
"-h"*) help; exit 0
;;
*) break
;;
esac
shift
done

orig="$1"
shift

# play around with host:display port:
if ! echo "$orig" | grep ':' > /dev/null; then
orig="$orig:0"
fi

host=`echo "$orig" | awk -F: '{print $1}'`
disp=`echo "$orig" | awk -F: '{print $2}'`
if [ $disp -lt 200 ]; then
port=`expr $disp + 5900`
fi

# try to find an open listening port via netstat(1):
use=""
if uname | grep Linux > /dev/null; then
inuse=`netstat -ant | grep LISTEN | awk '{print $4}' | sed 's/^.*://'`
try=5920
while [ $try -lt 6000 ]
do
if ! echo "$inuse" | grep -w $try > /dev/null; then
use=$try
break
fi
try=`expr $try + 1`
done
fi
if [ "X$use" = "X" ]; then
# otherwise choose a "random" one:
use=`date +%S`
use=`expr $use + 5920`
fi

# create the stunnel config file:
if [ "X$verify" != "X" ]; then
if [ -d $verify ]; then
verify="CApath = $verify"
else
verify="CAfile = $verify"
fi
verify="$verify
verify = 2"
fi
if [ "X$mycert" != "X" ]; then
cert="cert = $mycert"
fi

##debug = 7
tmp=/tmp/ssl_vncviewer.$$
cat > $tmp <<END
foreground = yes
pid =
client = yes
$verify
$cert

[vnc_stunnel]
accept = $use
connect= $host:$port
END

echo ""
echo "Using this stunnel configuration:"
cat $tmp
echo ""
sleep 1

echo "running: stunnel $tmp"
stunnel $tmp < /dev/tty > /dev/tty &
pid=$!
echo ""

# pause here to let the user supply a possible passphrase for the
# mycert key:
if [ "X$mycert" != "X" ]; then
sleep 4
fi
sleep 2
rm -f $tmp

if [ $use -ge 5900 ]; then
n=`expr $use - 5900`
fi

if echo "$0" | grep vncip > /dev/null; then
# hack for runge's special wrapper script vncip.
vncip "$@" localhost:$n
else
$VNCVIEWERCMD "$@" localhost:$n
fi

kill $pid
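Review bot: when -verify is not given, the generated stunnel config contains no CAfile/CApath and no "verify" line, so stunnel accepts any server certificate and the plain "ssl_vncviewer snoopy:0" invocation from the usage comment is open to an active man-in-the-middle; make -verify mandatory, default it to the x11vnc CA cert location, or at the very least print a loud warning when no verification is configured. Three smaller points in the same hunk: "accept = $use" binds on every local interface (stunnel defaults to all addresses when no host is given), so any machine on the LAN can reach the plaintext side of the tunnel while the viewer runs; use "accept = 127.0.0.1:$use". The config is written to the predictable path /tmp/ssl_vncviewer.$$ with "cat > $tmp", the classic symlink-in-/tmp problem; use mktemp, or a file under $HOME created with umask 077. And when $disp is 200 or more, port is never assigned, so "connect= $host:$port" becomes "host:" with no port; add an else branch that uses $disp as the port.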
File diff suppressed because it is too large
@ -0,0 +1,93 @@
/* -- pm.c -- */
#include "x11vnc.h"
#include "cleanup.h"

void check_pm(void);
static void check_fbpm(void);

#if LIBVNCSERVER_HAVE_FBPM
#include <X11/Xmd.h>
#include <X11/extensions/fbpm.h>
#endif

void check_pm(void) {
check_fbpm();
/* someday dpms activities? */
}

static void check_fbpm(void) {
static int init_fbpm = 0;
#if LIBVNCSERVER_HAVE_FBPM
static int fbpm_capable = 0;
static time_t last_fbpm = 0;
int db = 1;

CARD16 level;
BOOL enabled;

if (raw_fb && ! dpy) return; /* raw_fb hack */

if (! init_fbpm) {
if (FBPMCapable(dpy)) {
fbpm_capable = 1;
rfbLog("X display is capable of FBPM.\n");
if (watch_fbpm) {
rfbLog("Preventing low-power FBPM modes when"
" VNC clients are connected.\n");
}
} else {
rfbLog("X display is not capable of FBPM.\n");
fbpm_capable = 0;
}
init_fbpm = 1;
}

if (! watch_fbpm) {
return;
}
if (! fbpm_capable) {
return;
}
if (! client_count) {
return;
}
if (time(0) < last_fbpm + 5) {
return;
}
last_fbpm = time(0);

if (FBPMInfo(dpy, &level, &enabled)) {
if (db) fprintf(stderr, "FBPMInfo level: %d enabled: %d\n", level, enabled);

if (enabled && level != FBPMModeOn) {
char *from = "unknown-fbpm-state";
XErrorHandler old_handler = XSetErrorHandler(trap_xerror);
trapped_xerror = 0;

if (level == FBPMModeStandby) {
from = "FBPMModeStandby";
} else if (level == FBPMModeSuspend) {
from = "FBPMModeSuspend";
} else if (level == FBPMModeOff) {
from = "FBPMModeOff";
}

rfbLog("switching FBPM state from %s to FBPMModeOn\n", from);

FBPMForceLevel(dpy, FBPMModeOn);

XSetErrorHandler(old_handler);
trapped_xerror = 0;
}
} else {
if (db) fprintf(stderr, "FBPMInfo failed.\n");
}
#else
if (raw_fb && ! dpy) return; /* raw_fb hack */
if (! init_fbpm) {
rfbLog("X FBPM extension not supported.\n");
init_fbpm = 1;
}
#endif
}

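Review bot: "int db = 1;" leaves the FBPMInfo debug fprintf enabled in production, so every poll (up to once per 5 seconds while clients are connected) writes to stderr; set db to 0 or gate it on an existing x11vnc debug flag. Also, trapped_xerror is cleared before and after FBPMForceLevel() but never inspected, so a failed FBPMForceLevel is silent and the "switching FBPM state from %s to FBPMModeOn" log line can claim a transition that did not happen; check trapped_xerror (or the return value of FBPMForceLevel) after restoring the handler and rfbLog the failure.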
@ -0,0 +1,7 @@
#ifndef _X11VNC_PM_H
#define _X11VNC_PM_H

/* -- pm.h -- */
extern void check_pm(void);

#endif /* _X11VNC_PM_H */
File diff suppressed because it is too large
@ -0,0 +1,674 @@
|
|||||||
|
#ifndef _SSLTOOLS_H
|
||||||
|
#define _SSLTOOLS_H
|
||||||
|
|
||||||
|
/* quoted scripts, edit source not this file. */
|
||||||
|
|
||||||
|
|
||||||
|
char genCA[] =
|
||||||
|
"#!/bin/sh\n"
|
||||||
|
"\n"
|
||||||
|
"DIR=$BASE_DIR\n"
|
||||||
|
"if [ \"x$DIR\" = \"x\" ]; then\n"
|
||||||
|
" DIR=\"$HOME/dotkjr_vnc/certs\"\n"
|
||||||
|
" rm -rf \"$DIR\"\n"
|
||||||
|
"fi\n"
|
||||||
|
"if echo \"$DIR\" | grep '^/' > /dev/null; then\n"
|
||||||
|
" :\n"
|
||||||
|
"else\n"
|
||||||
|
" DIR=\"`pwd`/$DIR\"\n"
|
||||||
|
"fi\n"
|
||||||
|
"\n"
|
||||||
|
"PATH=/usr/bin:/bin:/usr/sbin:$PATH; export PATH\n"
|
||||||
|
"if [ \"x$OPENSSL\" = \"x\" ]; then\n"
|
||||||
|
" OPENSSL=\"openssl\"\n"
|
||||||
|
"fi\n"
|
||||||
|
"\n"
|
||||||
|
"type \"$OPENSSL\" > /dev/null || exit 1\n"
|
||||||
|
"\n"
|
||||||
|
"if [ -f \"$DIR/CA/cacert.pem\" ]; then\n"
|
||||||
|
" echo \"Files will be overwritten in $DIR/CA\"\n"
|
||||||
|
" printf \"Continue? [y]/n \"\n"
|
||||||
|
" read x\n"
|
||||||
|
" if [ \"x$x\" = \"xn\" ]; then\n"
|
||||||
|
" exit 1;\n"
|
||||||
|
" fi\n"
|
||||||
|
"fi\n"
|
||||||
|
"\n"
|
||||||
|
"#mkdir -p \"$DIR/HASH\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/clients\" || exit 1\n"
|
||||||
|
"#mkdir -p \"$DIR/clients/HASH\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/CA/certs\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/CA/crl\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/CA/newcerts\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/CA/private\" || exit 1\n"
|
||||||
|
"chmod go-rwx \"$DIR/CA/private\" || exit 1\n"
|
||||||
|
"mkdir -p \"$DIR/tmp\" || exit 1\n"
|
||||||
|
"chmod go-rwx \"$DIR/tmp\" || exit 1\n"
|
||||||
|
"touch \"$DIR/CA/index.txt\" || exit 1\n"
|
||||||
|
"if [ ! -f \"$DIR/CA/serial\" ]; then\n"
|
||||||
|
" echo \"01\" > \"$DIR/CA/serial\" || exit 1\n"
|
||||||
|
"fi\n"
|
||||||
|
"\n"
|
||||||
|
"cnf='\n"
|
||||||
|
"HOME = .\n"
|
||||||
|
"RANDFILE = $ENV::HOME/.rnd\n"
|
||||||
|
"\n"
|
||||||
|
"####################################################################\n"
|
||||||
|
"[ ca ]\n"
|
||||||
|
"default_ca = CA_default # The default ca section\n"
|
||||||
|
"\n"
|
||||||
|
"####################################################################\n"
|
||||||
|
"[ CA_default ]\n"
|
||||||
|
"\n"
|
||||||
|
"dir = ./CA # Where everything is kept\n"
|
||||||
|
"certs = $dir/certs # Where the issued certs are kept\n"
|
||||||
|
"crl_dir = $dir/crl # Where the issued crl are kept\n"
|
||||||
|
"database = $dir/index.txt # database index file.\n"
|
||||||
|
"new_certs_dir = $dir/newcerts # default place for new certs.\n"
|
||||||
|
"certificate = $dir/cacert.pem # The CA certificate\n"
|
||||||
|
"serial = $dir/serial # The current serial number\n"
|
||||||
|
"crl = $dir/crl.pem # The current CRL\n"
|
||||||
|
"private_key = $dir/private/cakey.pem # The private key\n"
|
||||||
|
"RANDFILE = $dir/private/.rand # private random number file\n"
|
||||||
|
"\n"
|
||||||
|
"x509_extensions = usr_cert # The extentions to add to the cert\n"
|
||||||
|
"\n"
|
||||||
|
"name_opt = ca_default # Subject Name options\n"
|
||||||
|
"cert_opt = ca_default # Certificate field options\n"
|
||||||
|
"\n"
|
||||||
|
"default_days = 365 # how long to certify for\n"
|
||||||
|
"default_crl_days= 30 # how long before next CRL\n"
|
||||||
|
"default_md = md5 # which md to use.\n"
|
||||||
|
"preserve = no # keep passed DN ordering\n"
|
||||||
|
"\n"
|
||||||
|
"policy = policy_match\n"
|
||||||
|
"\n"
|
||||||
|
"# For the CA policy\n"
|
||||||
|
"[ policy_match ]\n"
|
||||||
|
"countryName = match\n"
|
||||||
|
"stateOrProvinceName = match\n"
|
||||||
|
"organizationName = match\n"
|
||||||
|
"organizationalUnitName = optional\n"
|
||||||
|
"commonName = supplied\n"
|
||||||
|
"emailAddress = optional\n"
|
||||||
|
"\n"
|
||||||
|
"[ policy_anything ]\n"
|
||||||
|
"countryName = optional\n"
|
||||||
|
"stateOrProvinceName = optional\n"
|
||||||
|
"localityName = optional\n"
|
||||||
|
"organizationName = optional\n"
|
||||||
|
"organizationalUnitName = optional\n"
|
||||||
|
"commonName = supplied\n"
|
||||||
|
"emailAddress = optional\n"
|
||||||
|
"\n"
|
||||||
|
"####################################################################\n"
|
||||||
|
"[ req ]\n"
|
||||||
|
"default_bits = 2048\n"
|
||||||
|
"default_keyfile = privkey.pem\n"
|
||||||
|
"distinguished_name = req_distinguished_name\n"
|
||||||
|
"attributes = req_attributes\n"
|
||||||
|
"x509_extensions = v3_ca # The extentions to add to the self signed cert\n"
|
||||||
|
"\n"
|
||||||
|
"string_mask = nombstr\n"
|
||||||
|
"\n"
|
||||||
|
"# req_extensions = v3_req # The extensions to add to a certificate request\n"
|
||||||
|
"\n"
|
||||||
|
"[ req_distinguished_name ]\n"
|
||||||
|
"countryName = Country Name (2 letter code)\n"
|
||||||
|
"countryName_default = AU\n"
|
||||||
|
"countryName_min = 2\n"
|
||||||
|
"countryName_max = 2\n"
|
||||||
|
"\n"
|
||||||
|
"stateOrProvinceName = State or Province Name (full name)\n"
|
||||||
|
"stateOrProvinceName_default = mystate\n"
|
||||||
|
"\n"
|
||||||
|
"localityName = Locality Name (eg, city)\n"
|
||||||
|
"\n"
|
||||||
|
"0.organizationName = Organization Name (eg, company)\n"
|
||||||
|
"0.organizationName_default = x11vnc server CA\n"
|
||||||
|
"\n"
|
||||||
|
"organizationalUnitName = Organizational Unit Name (eg, section)\n"
|
||||||
|
"\n"
|
||||||
|
"commonName = Common Name (eg, YOUR name)\n"
|
||||||
|
"commonName_default = %USER x11vnc server CA\n"
|
||||||
|
"commonName_max = 64\n"
|
||||||
|
"\n"
|
||||||
|
"emailAddress = Email Address\n"
|
||||||
|
"emailAddress_default = x11vnc@CA.nowhere\n"
|
||||||
|
"emailAddress_max = 64\n"
|
||||||
|
"\n"
|
||||||
|
"[ req_attributes ]\n"
|
||||||
|
"challengePassword = A challenge password\n"
|
||||||
|
"challengePassword_min = 4\n"
|
||||||
|
"challengePassword_max = 20\n"
|
||||||
|
"\n"
|
||||||
|
"unstructuredName = An optional company name\n"
|
||||||
|
"\n"
|
||||||
|
"[ usr_cert ]\n"
|
||||||
|
"\n"
|
||||||
|
"basicConstraints=CA:FALSE\n"
|
||||||
|
"\n"
|
||||||
|
"nsComment = \"OpenSSL Generated Certificate\"\n"
|
||||||
|
"\n"
|
||||||
|
"subjectKeyIdentifier=hash\n"
|
||||||
|
"authorityKeyIdentifier=keyid,issuer:always\n"
|
||||||
|
"\n"
|
||||||
|
"[ v3_req ]\n"
|
||||||
|
"\n"
|
||||||
|
"basicConstraints = CA:FALSE\n"
|
||||||
|
"keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
|
||||||
|
"\n"
|
||||||
|
"[ v3_ca ]\n"
|
||||||
|
"\n"
|
||||||
|
"subjectKeyIdentifier=hash\n"
|
||||||
|
"\n"
|
||||||
|
"authorityKeyIdentifier=keyid:always,issuer:always\n"
|
||||||
|
"\n"
|
||||||
|
"basicConstraints = CA:true\n"
|
||||||
|
"\n"
|
||||||
|
"[ crl_ext ]\n"
|
||||||
|
"\n"
|
||||||
|
"authorityKeyIdentifier=keyid:always,issuer:always\n"
|
||||||
|
"\n"
|
||||||
|
"'\n"
|
||||||
|
"selfcnf='\n"
|
||||||
|
"####################################################################\n"
|
||||||
|
"[ req ]\n"
|
||||||
|
"default_bits = 2048\n"
|
||||||
|
"encrypt_key = yes\n"
|
||||||
|
"distinguished_name = req_distinguished_name\n"
|
||||||
|
"x509_extensions = cert_type\n"
|
||||||
|
"\n"
|
||||||
|
"[ req_distinguished_name ]\n"
|
||||||
|
"countryName = Country Name (2 letter code)\n"
|
||||||
|
"countryName_default = AU\n"
|
||||||
|
"countryName_min = 2\n"
|
||||||
|
"countryName_max = 2\n"
|
||||||
|
"\n"
|
||||||
|
"stateOrProvinceName = State or Province Name (full name)\n"
|
||||||
|
"stateOrProvinceName_default = mystate\n"
|
||||||
|
"\n"
|
||||||
|
"localityName = Locality Name (eg, city)\n"
|
||||||
|
"\n"
|
||||||
|
"0.organizationName = Organization Name (eg, company)\n"
|
||||||
|
"0.organizationName_default = x11vnc server self-signed\n"
|
||||||
|
"\n"
|
||||||
|
"organizationalUnitName = Organizational Unit Name (eg, section)\n"
|
||||||
|
"\n"
|
||||||
|
"commonName = Common Name (eg, YOUR name)\n"
|
||||||
|
"commonName_default = x11vnc server self-signed %NAME\n"
|
||||||
|
"commonName_max = 64\n"
|
||||||
|
"\n"
|
||||||
|
"emailAddress = Email Address\n"
|
||||||
|
"emailAddress_default = x11vnc@self-signed.nowhere\n"
|
||||||
|
"emailAddress_max = 64\n"
|
||||||
|
"\n"
|
||||||
|
"[ cert_type ]\n"
|
||||||
|
"nsCertType = server\n"
|
||||||
|
"\n"
|
||||||
|
"'\n"
|
||||||
|
"echo \"$cnf\" | sed -e \"s/%USER/$USER/\" \\\n"
|
||||||
|
" > \"$DIR/CA/ssl.cnf\" || exit 1\n"
|
||||||
|
"echo \"$cnf\" | sed -e \"s/%USER *//\" -e 's/server CA/server %NAME/g' -e 's/@CA/@server/' \\\n"
|
||||||
|
" > \"$DIR/CA/ssl.cnf.server\" || exit 1\n"
|
||||||
|
"echo \"$cnf\" | sed -e \"s/%USER *//\" -e 's/server CA/client %NAME/g' -e 's/@CA/@client/' \\\n"
|
||||||
|
" > \"$DIR/CA/ssl.cnf.client\" || exit 1\n"
|
||||||
|
"\n"
|
||||||
|
"echo \"$selfcnf\" > \"$DIR/CA/self.cnf.server\" || exit 1\n"
|
||||||
|
"echo \"$selfcnf\" | sed -e 's/ server/ client/g' \\\n"
|
||||||
|
" > \"$DIR/CA/self.cnf.client\" || exit 1\n"
|
||||||
|
"\n"
|
||||||
|
"cd \"$DIR\" || exit 1\n"
|
||||||
|
"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
"echo \"Generating your x11vnc CA (certificate authority) key and certificate:\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \"Please supply a passphrase and any other information you care to.\"\n"
|
||||||
|
"echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"\n"
|
||||||
|
"\"$OPENSSL\" req -config \"$DIR/CA/ssl.cnf\" -new -x509 \\\n"
|
||||||
|
" -keyout \"$DIR/CA/private/cakey.pem\" \\\n"
|
||||||
|
" -out \"$DIR/CA/cacert.pem\"\n"
|
||||||
|
"\n"
|
||||||
|
"chmod go-rwx \"$DIR/CA/private/cakey.pem\"\n"
|
||||||
|
"\n"
|
||||||
|
"if [ $? != 0 ]; then\n"
|
||||||
|
" echo \"openssl failed.\"\n"
|
||||||
|
" exit 1\n"
|
||||||
|
"fi\n"
|
||||||
|
"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
"echo \"Your public x11vnc CA cert is:\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \" $DIR/CA/cacert.pem\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \" It may be copied to other applications, e.g. Web browser, Java\"\n"
|
||||||
|
"echo \" Applet keystore, or stunnel cfg, to use to verify signed server\"\n"
|
||||||
|
"echo \" or client certs, etc.\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \"Your private x11vnc CA key is:\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \" $DIR/CA/private/cakey.pem\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"echo \" It will be used to sign server or client certs, keep it secret.\"\n"
|
||||||
|
"echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"printf \"Press Enter to print the cacert.pem certificate to the screen: \"\n"
|
||||||
|
"read x\n"
|
||||||
|
"echo \"\"\n"
|
||||||
|
"cat \"$DIR/CA/cacert.pem\"\n"
|
||||||
|
;
|
||||||
|
|
||||||
|
char genCert[] =
|
||||||
|
"#!/bin/sh\n"
|
||||||
|
"\n"
|
||||||
|
"direrror() {\n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
" if echo \"$DIR\" | grep '/\\.vnc/certs' > /dev/null; then\n"
|
||||||
|
" echo \"You need first to run: x11vnc -sslGenCA\"\n"
|
||||||
|
" else\n"
|
||||||
|
" echo \"You need first to run: x11vnc -sslGenCA $DIR\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" echo \"to create the CA cert file and other needed config files and directories.\"\n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
" if [ \"X$1\" != \"X\" ]; then\n"
|
||||||
|
" echo \"(missing: $1)\"\n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" exit 1\n"
|
||||||
|
"}\n"
|
||||||
|
"\n"
|
||||||
|
"make_HASH() {\n"
|
||||||
|
" crt=\"$1\"\n"
|
||||||
|
" remove=\"$2\"\n"
|
||||||
|
" if [ ! -f \"$crt\" ]; then\n"
|
||||||
|
" return\n"
|
||||||
|
" fi\n"
|
||||||
|
" dirhash=`dirname \"$crt\"`/HASH\n"
|
||||||
|
" bashash=`basename \"$crt\"`\n"
|
||||||
|
" if [ ! -d \"$dirhash\" ]; then\n"
|
||||||
|
" return\n"
|
||||||
|
" fi\n"
|
||||||
|
" hash=`\"$OPENSSL\" x509 -hash -noout -in \"$crt\" 2>/dev/null | head -1`\n"
|
||||||
|
" if [ \"X$hash\" != \"X\" ]; then\n"
|
||||||
|
" for i in 0 1 2 3 4 5 6 7 8 9\n"
|
||||||
|
" do\n"
|
||||||
|
" lnk=\"$dirhash/$hash.$i\"\n"
|
||||||
|
" if [ \"X$remove\" = \"X1\" ]; then\n"
|
||||||
|
" if [ -h \"$lnk\" ]; then\n"
|
||||||
|
" if cmp \"$lnk\" \"$crt\" > /dev/null 2>&1; then\n"
|
||||||
|
" ls -l \"$lnk\"\n"
|
||||||
|
" rm -i \"$lnk\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" fi\n"
|
||||||
|
" else\n"
|
||||||
|
" if [ -h \"$lnk\" ]; then\n"
|
||||||
|
" if [ ! -f \"$lnk\" ]; then\n"
|
||||||
|
" rm -f \"$lnk\" 1>/dev/null 2>&1\n"
|
||||||
|
" else\n"
|
||||||
|
" continue\n"
|
||||||
|
" fi\n"
|
||||||
|
" fi\n"
|
||||||
|
" if [ \"x$HASH_verbose\" = \"x1\" ]; then\n"
|
||||||
|
" echo \"creating: $lnk -> ../$bashash\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" ln -s \"../$bashash\" \"$lnk\"\n"
|
||||||
|
" break\n"
|
||||||
|
" fi\n"
|
||||||
|
" done\n"
|
||||||
|
" fi\n"
|
||||||
|
"}\n"
|
||||||
|
"\n"
|
||||||
|
"create_key() {\n"
|
||||||
|
" \n"
|
||||||
|
" echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
" echo \"Creating new x11vnc certificate and key for name: $type $name0\"\n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
"\n"
|
||||||
|
" cnf=\"$DIR/tmp/cnf.$$\"\n"
|
||||||
|
" trap \"rm -f \\\"$cnf\\\"\" 0 1 2 15\n"
|
||||||
|
"\n"
|
||||||
|
" rm -f \"$DIR/$dest.key\" \"$DIR/$dest.crt\" \"$DIR/$dest.req\"\n"
|
||||||
|
"\n"
|
||||||
|
" if [ \"x$self\" = \"x1\" ]; then\n"
|
||||||
|
" if [ ! -f \"$DIR/CA/self.cnf.$type\" ]; then\n"
|
||||||
|
" direrror \"$DIR/CA/self.cnf.$type\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" cat \"$DIR/CA/self.cnf.$type\" | sed -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
|
||||||
|
" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 -x509 \\\n"
|
||||||
|
" -keyout \"$DIR/$dest.key\" \\\n"
|
||||||
|
" -out \"$DIR/$dest.crt\"\n"
|
||||||
|
" else\n"
|
||||||
|
" if [ ! -f \"$DIR/CA/ssl.cnf.$type\" ]; then\n"
|
||||||
|
" direrror \"$DIR/CA/ssl.cnf.$type\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" cat \"$DIR/CA/ssl.cnf.$type\" | sed -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
|
||||||
|
" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 \\\n"
|
||||||
|
" -keyout \"$DIR/$dest.key\" \\\n"
|
||||||
|
" -out \"$DIR/$dest.req\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" rc=$?\n"
|
||||||
|
" if [ -f \"$DIR/$dest.key\" ]; then\n"
|
||||||
|
" chmod go-rwx \"$DIR/$dest.key\"\n"
|
||||||
|
" fi\n"
|
||||||
|
"\n"
|
||||||
|
"\n"
|
||||||
|
"\n"
|
||||||
|
" if [ $rc != 0 ]; then\n"
|
||||||
|
" echo \"openssl 'req' command failed\"\n"
|
||||||
|
" rm -f \"$DIR/$dest.key\" \"$DIR/$dest.crt\" \"$DIR/$dest.req\"\n"
|
||||||
|
" exit 1\n"
|
||||||
|
" fi\n"
|
||||||
|
"}\n"
|
||||||
|
"\n"
|
||||||
|
"enc_key() {\n"
|
||||||
|
" \n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
" echo \"----------------------------------------------------------------------\"\n"
|
||||||
|
" echo \"Do you want to protect the generated private key with a passphrase?\"\n"
|
||||||
|
" echo \"Doing so will significantly decrease the chances someone could steal\"\n"
|
||||||
|
" if [ \"x$type\" = \"xserver\" ]; then\n"
|
||||||
|
" echo \"the key and pretend to be your x11vnc server. The downside is it is\"\n"
|
||||||
|
" else\n"
|
||||||
|
" echo \"the key and pretend to be your VNC client. The downside is it is\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" echo \"inconvenient because you will have to supply the passphrase every\"\n"
|
||||||
|
" if [ \"x$type\" = \"xserver\" ]; then\n"
|
||||||
|
" echo \"time you start x11vnc using this key.\"\n"
|
||||||
|
" else\n"
|
||||||
|
" echo \"time you start the VNC viewer SSL tunnel using this key.\"\n"
|
||||||
|
" fi\n"
|
||||||
|
" echo \"\"\n"
|
||||||
|
" printf \"Protect key with a passphrase? [y]/n \"\n"
|
||||||
|
" read x\n"
|
||||||
|
" estr=\" *unencrypted*\"\n"
|
||||||
" if [ \"x$ENCRYPT_ONLY\" != \"x\" ]; then\n"
" target=\"$ENCRYPT_ONLY\"\n"
" else\n"
" target=\"$DIR/$dest.key\"\n"
" bdir=`dirname \"$DIR/$dest.key\"`\n"
" if [ ! -d \"$bdir\" ]; then\n"
" direrror \"$bdir\"\n"
" fi\n"
" fi\n"
" if [ \"x$x\" != \"xn\" ]; then\n"
" \"$OPENSSL\" rsa -in \"$target\" -des3 -out \"$target\"\n"
" if [ $? != 0 ]; then\n"
" echo \"openssl 'rsa' command failed\"\n"
" rm -f \"$DIR/$dest.key\" \"$DIR/$dest.crt\" \"$DIR/$dest.req\"\n"
" exit 1\n"
" fi\n"
" estr=\" encrypted\"\n"
" fi\n"
" echo \"\"\n"
"}\n"
"\n"
"sign_key() {\n"
" cd \"$DIR\" || exit 1\n"
"\n"
" if [ \"x$self\" = \"x1\" ]; then\n"
" :\n"
" else\n"
" if echo \"$name0\" | grep '^req:' > /dev/null; then\n"
" echo \"\"\n"
" echo \"----------------------------------------------------------------------\"\n"
" echo \"Your x11vnc $type certificate request is:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.req\"\n"
" echo \"\"\n"
" echo \" It may be sent to an external CA for signing, afterward you can\"\n"
" echo \" save the cert they send you in:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.crt\"\n"
" echo \"\"\n"
" echo \"Your$estr private x11vnc $type key is:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.key\"\n"
" echo \"\"\n"
" echo \" You should combine it and the received cert in the file:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.pem\"\n"
" echo \"\"\n"
" echo \" It will be needed by applications to identify themselves.\"\n"
" echo \" This file should be kept secret.\"\n"
" echo \"----------------------------------------------------------------------\"\n"
" echo \"\"\n"
" printf \"Press Enter to print the $dest.req cert request to the screen: \"\n"
" read x\n"
" echo \"\"\n"
" cat \"$DIR/$dest.req\"\n"
" exit 0\n"
" fi\n"
" echo \"\"\n"
" echo \"\"\n"
" echo \"----------------------------------------------------------------------\"\n"
" echo \"Now signing the new key with CA private key. You will need to supply\"\n"
" echo \"the CA key passphrase and reply \\\"y\\\" to sign and commit the key.\"\n"
" echo \"\"\n"
" \"$OPENSSL\" ca -config \"$cnf\" -policy policy_anything -notext \\\n"
" -in \"$DIR/$dest.req\" \\\n"
" -out \"$DIR/$dest.crt\"\n"
" if [ $? != 0 ]; then\n"
" echo \"\"\n"
" echo \"openssl 'ca' command failed\"\n"
" echo \"\"\n"
" echo \" You may have a duplicate DN entry for this name in:\"\n"
" echo \"\"\n"
" echo \" $DIR/CA/index.txt\"\n"
" echo \"\"\n"
" echo \" remove the duplicate in that file and try again.\"\n"
" echo \"\"\n"
" rm -f \"$DIR/$dest.key\" \"$DIR/$dest.crt\" \"$DIR/$dest.req\"\n"
" exit 1\n"
" fi\n"
" fi\n"
"\n"
" cat \"$DIR/$dest.key\" \"$DIR/$dest.crt\" \\\n"
" > \"$DIR/$dest.pem\" || exit 1 \n"
"\n"
" make_HASH \"$DIR/$dest.crt\" 0\n"
"\n"
" rm -f \"$DIR/$dest.key\" \"$DIR/$dest.req\" || exit 1\n"
" chmod go-rwx \"$DIR/$dest.pem\" || exit 1\n"
"\n"
" if [ \"x$type\" = \"xserver\" -o \"x$type\" = \"xclient\" ]; then\n"
" echo \"\"\n"
" echo \"----------------------------------------------------------------------\"\n"
" echo \"Your public x11vnc $type cert is:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.crt\"\n"
" echo \"\"\n"
" echo \" It may be copied to other machines / applications to be used for\"\n"
" echo \" authentication. However, since it is signed with the x11vnc CA\"\n"
" echo \" key, all the applications need is the x11vnc CA certificate.\"\n"
" echo \"\"\n"
" echo \"Your$estr private x11vnc $type key is:\"\n"
" echo \"\"\n"
" echo \" $DIR/$dest.pem\"\n"
" echo \"\"\n"
" echo \" It will be needed by applications to identify themselves.\"\n"
" echo \" This file should be kept secret.\"\n"
" echo \"----------------------------------------------------------------------\"\n"
" echo \"\"\n"
" fi\n"
"\n"
" printf \"Press Enter to print the $dest.crt certificate to the screen: \"\n"
" read x\n"
" echo \"\"\n"
" cat \"$DIR/$dest.crt\"\n"
"}\n"
"\n"
"DIR=$BASE_DIR\n"
"if [ \"x$DIR\" = \"x\" ]; then\n"
" DIR=\"$HOME/dotkjr_vnc/certs\"\n"
"fi\n"
"if echo \"$DIR\" | grep '^/' > /dev/null; then\n"
" :\n"
"else\n"
" DIR=\"`pwd`/$DIR\"\n"
"fi\n"
"\n"
"if [ \"x$HASHON\" != \"x\" ]; then\n"
" for dir in \"$DIR/HASH\" \"$DIR/clients/HASH\"\n"
" do\n"
" if [ -d \"$dir\" ]; then\n"
" rm -rf \"$dir\"\n"
" fi\n"
" done\n"
" dir=\"$DIR/HASH\"\n"
" mkdir -p \"$dir\" || exit 1\n"
" dir=\"$DIR/clients/HASH\"\n"
" mkdir -p \"$dir\" || exit 1\n"
" HASH_verbose=1\n"
" for f in \"$DIR\"/*.crt \"$DIR\"/clients/*.crt\n"
" do\n"
" if [ -f \"$f\" ]; then\n"
" make_HASH \"$f\" 0\n"
" fi\n"
" done\n"
" exit\n"
"fi\n"
"if [ \"x$HASHOFF\" != \"x\" ]; then\n"
" dir=\"$DIR/HASH\"\n"
" for dir in \"$DIR/HASH\" \"$DIR/clients/HASH\"\n"
" do\n"
" if [ -d \"$dir\" ]; then\n"
" for f in \"$dir\"/*\n"
" do\n"
" if [ -f \"$f\" ]; then\n"
" echo \"deleting: $f\"\n"
" rm -f \"$f\"\n"
" fi\n"
" done\n"
" rm -rf \"$dir\"\n"
" fi\n"
" done\n"
" exit\n"
"fi\n"
"\n"
"PATH=/usr/bin:/bin:/usr/sbin:$PATH; export PATH\n"
"if [ \"x$OPENSSL\" = \"x\" ]; then\n"
" OPENSSL=\"openssl\"\n"
"fi\n"
"\n"
"type \"$OPENSSL\" > /dev/null || exit 1\n"
"\n"
"self=\"\"\n"
"if [ \"x$SELF\" != \"x\" ]; then\n"
" self=1\n"
"elif [ \"x$1\" = \"x-self\" ]; then\n"
" shift\n"
" self=1\n"
"fi\n"
"\n"
"if [ \"x$TYPE\" != \"x\" ]; then\n"
" type=\"$TYPE\"\n"
"else\n"
" if [ \"X$1\" != \"X\" ]; then\n"
" type=\"$1\"\n"
" shift\n"
" fi\n"
"fi\n"
"if [ \"x$NAME\" != \"x\" ]; then\n"
" name=\"$NAME\"\n"
"else\n"
" if [ \"X$1\" != \"X\" ]; then\n"
" name=\"$1\"\n"
" shift\n"
" fi\n"
"fi\n"
"\n"
"if echo \"$name\" | grep '^self:' > /dev/null; then\n"
" self=1\n"
"fi\n"
"\n"
"if [ \"x$type\" = \"xserver\" ]; then\n"
" name0=\"$name\"\n"
" if echo \"$name\" | grep '^-' > /dev/null; then\n"
" :\n"
" elif [ \"x$name\" != \"x\" ]; then\n"
" name=\"-$name\";\n"
" fi\n"
" dest=\"server$name\"\n"
"elif [ \"x$type\" = \"xclient\" ]; then\n"
" if [ \"x$name\" = \"x\" ]; then\n"
" name=\"nobody\"\n"
" fi\n"
" name0=\"$name\"\n"
" dest=\"clients/$name\"\n"
"else\n"
" exit 1\n"
"fi\n"
"\n"
"#set -xv\n"
"\n"
"if [ \"x$INFO_ONLY\" != \"x\" ]; then\n"
" echo \"\"\n"
" echo \"VNC Certificate file:\"\n"
" echo \" $INFO_ONLY\"\n"
" echo \"\"\n"
" \"$OPENSSL\" x509 -text -in \"$INFO_ONLY\"\n"
" exit \n"
"elif [ \"x$DELETE_ONLY\" != \"x\" ]; then\n"
" echo \"\"\n"
" echo \"VNC Certificate file:\"\n"
" echo \" $DELETE_ONLY\"\n"
" echo \"\"\n"
" \n"
" base=`echo \"$DELETE_ONLY\" | sed -e 's/\\....$//'`\n"
" for suff in crt pem key req\n"
" do\n"
" try=\"$base.$suff\"\n"
" if [ -f \"$try\" ]; then\n"
" make_HASH \"$try\" 1\n"
" rm -i \"$try\"\n"
" fi\n"
" done\n"
" if echo \"$base\" | grep 'CA/cacert$' > /dev/null; then\n"
" base2=`echo \"$base\" | sed -e 's,cacert$,private/cakey,'`\n"
" else\n"
" echo \"\"\n"
" exit\n"
" fi\n"
" echo \"\"\n"
" for suff in crt pem key req\n"
" do\n"
" try=\"$base2.$suff\"\n"
" if [ -f \"$try\" ]; then\n"
" make_HASH \"$try\" 1\n"
" rm -i \"$try\"\n"
" fi\n"
" done\n"
" echo \"\"\n"
" exit \n"
"elif [ \"x$ENCRYPT_ONLY\" != \"x\" ]; then\n"
" if [ \"x$type\" = \"x\" ]; then\n"
" type=\"server\"\n"
" fi\n"
" echo \"\"\n"
" echo \"Key PEM file:\"\n"
" echo \" $ENCRYPT_ONLY\"\n"
" enc_key\n"
" exit\n"
"fi\n"
"\n"
"if [ ! -d \"$DIR/tmp\" ]; then\n"
" direrror \"$DIR/tmp\"\n"
"fi\n"
"bdir=`dirname \"$DIR/$dest.key\"`\n"
"if [ ! -d \"$bdir\" ]; then\n"
" direrror \"$bdir\"\n"
"fi\n"
"if [ ! -f \"$DIR/CA/cacert.pem\" ]; then\n"
" direrror \"$DIR/CA/cacert.pem\"\n"
"fi\n"
"\n"
"create_key\n"
"enc_key\n"
"sign_key\n"
;

#endif /* _SSLTOOLS_H */
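Review bot: the cleanup in enc_key's failure branch, `rm -f "$DIR/$dest.key" "$DIR/$dest.crt" "$DIR/$dest.req"` after "openssl 'rsa' command failed", also runs in ENCRYPT_ONLY mode, where `target` is `$ENCRYPT_ONLY` but `dest` is still derived from type/name (plain `server` when no name is given), so a failed re-encryption of an arbitrary key file deletes the unrelated, already-issued `$DIR/server.crt`; guard that `rm -f` with a check that `$ENCRYPT_ONLY` is empty. In the same block, `"$OPENSSL" rsa -in "$target" -des3 -out "$target"` rewrites the only copy of the private key in place, so any failure once the output has been opened (a mistyped passphrase confirmation, for instance) leaves a truncated key behind; write to a temporary file next to `$target` and rename it over the original only after the command succeeds. Two smaller points: the `type="server"` default under the `ENCRYPT_ONLY` branch is unreachable, because the earlier type dispatch (`if [ "x$type" = "xserver" ] ... elif ... else exit 1`) has already exited silently on an empty type, so either drop the default or move that `exit 1` below the INFO_ONLY/DELETE_ONLY/ENCRYPT_ONLY dispatch and print a reason before exiting; and in sign_key the `cat ... > "$DIR/$dest.pem"` creates the file holding the private key under the caller's umask before `chmod go-rwx` is applied, so a `umask 077` at the top of the function (or before the `cat`) removes that window.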