[RndTbl] Neat trick... passing _environment variables_ to openssl.
Sean Cody
sean at tinfoilhat.ca
Mon Jul 23 12:51:58 CDT 2012
A neat trick with OpenSSL is that a number of its options can
be fed from environment variables. Now you may be thinking,
"yeah, they call it scripting", but the reality is a bit more subtle.
For instance, say you want to pass credentials to a chain of openssl
commands. You can substitute the credential into your script, but the
credential then ends up in logs (i.e. when using sudo) or in the process list, thereby
exposing the credentials to the untrained eye.
With this option you tell openssl "for this value, look up the
environment variable X" (the `env:X` form of `-passin`/`-passout`), so upon invocation your command string shows
only the variable name and not the credential.
Here is an example script which illustrates this by dumping the
contents of a whack load of PKCS12 certificate stores.
Note that the passwords for import and keys are passed in without exposing
the credentials outside of the process environment.
Pretty slick bit of functionality.
#!/bin/sh
# ./check_certificates.sh 2>/dev/null | grep 'CN\=.*example\.com$' <--- dump certificates, grab .gwl.bz hostnames from CNs
PACKAGE_FOLDER=packages/
EXPORT_PASSWORD="ZOMGWTFBBQ^2!"
# Only the variable *name* will appear on the openssl command line.
export EXPORT_PASSWORD
# One hostname per line in hosts.txt.
while read -r HOST; do
    # Show contents of PKCS12 package; don't care if it's named .p12 or .pfx.
    # -passin reads the store's import password from $EXPORT_PASSWORD,
    # -passout reads the password used to re-encrypt the dumped keys.
    openssl pkcs12 -info -in "${PACKAGE_FOLDER}/${HOST}".p* -passin env:EXPORT_PASSWORD -passout env:EXPORT_PASSWORD
done < hosts.txt
# Not _entirely_ necessary but never hurts: scrub the secret from the environment.
EXPORT_PASSWORD=""
export EXPORT_PASSWORD
--
Sean
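As an added, self-contained illustration of the same `env:` mechanism (this is not the script from the post above): it generates a throwaway key and certificate, wraps them in a PKCS#12 store whose pass phrase is taken from an environment variable via `-passout env:`, reads the store back with `-passin env:`, and then checks the two possible openssl argument lists to show that only the `pass:` form puts the secret where `ps` and sudo logging can see it. The variable name `P12_PASS`, the CN `example.test`, the pass phrase and the temporary directory are all this example's own choices. One caveat worth keeping in mind: the environment of a running process is still readable by the same user (and root) through `/proc/PID/environ`, so `env:` keeps the secret out of argv and command logs, not out of reach of a local attacker with the same privileges.

```shell
#!/bin/sh
# Added example (not the original post's script): PKCS#12 round trip with
# env: pass phrase sources. P12_PASS, the CN and the work dir are assumptions.
set -eu

# Skip cleanly on hosts without openssl so the script never half-runs.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The secret lives only in the environment; openssl's argv will carry the
# literal string "env:P12_PASS", never the value itself.
P12_PASS='correct horse battery staple'
export P12_PASS

# Build a throwaway self-signed cert and key, then wrap them in a PKCS#12
# store whose pass phrase is read from $P12_PASS (never from argv).
make_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example.test' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/example.test.p12" -passout env:P12_PASS
}

# Read the store back using the pass phrase from the environment and return
# the certificate's CN. RFC2253 name output plus the sed keeps this working
# across the differing subject formats of OpenSSL 1.0, 1.1 and 3.x.
p12_cn() {
    openssl pkcs12 -in "$WORK/example.test.p12" -nokeys -clcerts \
        -passin env:P12_PASS 2>/dev/null \
      | openssl x509 -noout -subject -nameopt RFC2253 \
      | sed -n 's/^subject= *CN=//p'
}

# The leak the post describes: does this argument list contain the secret?
# "pass:..." puts it there (visible to ps and sudo logs); "env:P12_PASS" does not.
argv_contains_secret() {
    case "$*" in
        *"$P12_PASS"*) echo yes ;;
        *)             echo no  ;;
    esac
}

main() {
    make_store
    echo "CN read back from store: $(p12_cn)"
    echo "secret in argv with pass: -> $(argv_contains_secret openssl pkcs12 -in store.p12 -passin "pass:$P12_PASS")"
    echo "secret in argv with env:  -> $(argv_contains_secret openssl pkcs12 -in store.p12 -passin env:P12_PASS)"
}
main
```

Run it as `sh ./p12_env_demo.sh`; the store is created and read back entirely inside a temporary directory that is removed on exit, and the secret is scrubbed along with it. Besides `env:`, OpenSSL's pass phrase argument also accepts `file:pathname`, `fd:number` and `stdin`, all of which share the property that the secret itself never appears in the argument list.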