--- pyca-20031119.orig/debian/TODO
+++ pyca-20031119/debian/TODO
@@ -0,0 +1,2 @@
+debconf
+look into possible superfluous install commands and permissions in rules
--- pyca-20031119.orig/debian/compat
+++ pyca-20031119/debian/compat
@@ -0,0 +1 @@
+5
--- pyca-20031119.orig/debian/dirs
+++ pyca-20031119/debian/dirs
@@ -0,0 +1,7 @@
+usr/bin
+usr/sbin
+usr/lib/cgi-bin/pyca
+usr/share/pyca/pylib/openssl
+var/log/pyca
+etc/logrotate.d
+etc/pyca
--- pyca-20031119.orig/debian/changelog
+++ pyca-20031119/debian/changelog
@@ -0,0 +1,207 @@
+pyca (20031119-0) unstable; urgency=low
+
+ * Cleaned up stray openssl patch
+ * Specified encoding as specified by PEP 0263 (closes: #488828)
+ * Forfeited removal off log directory when removing package
+ (closes: #420569)
+ * New standards version
+ * Fixed dependencies
+ * Fixed lintian warnings
+ * Restored pristine source without my modifications.
+ * Bumped the date in the version number one day, io. to upload
+ real pristine source tarball.
+
+ -- Lars Bahner Sun, 24 Aug 2008 21:34:59 +0000
+
+pyca (20031118-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix encoding issue in debian/control and debian/copyright.
+ Closes: #453999
+ * Turn Build-Depends-Indep into Build-Depends (lintian error)
+
+ -- Christian Perrier Sun, 03 Feb 2008 19:33:42 +0100
+
+pyca (20031118-3) unstable; urgency=low
+
+ * Added --language switch to dh_installman (closes #403533)
+ * Added patch to remove hardcoded paths to OpenSSLExec (closes #248103)
+
+ -- Lars Bahner Mon, 12 Feb 2007 19:44:51 +0100
+
+pyca (20031118-2) unstable; urgency=low
+
+ * Removed german umlauts in man page (Closes: #355176)
+ * Modified pyca_make_alias() in postinst (Closes: #359718)
+ * Bug reported was caused by local misconfiguration (Closes: #354381)
+
+ -- Lars Bahner Thu, 20 Apr 2006 20:42:44 +0000
+
+pyca (20031118-1) unstable; urgency=low
+
+ * New upstream release
+ * conversion to dpatch
+ * Significantly reworked debian/rules
+ * Added patch for encoding type utf-8 to pylib/openssl/cnf.py
+ io. to avoid croak from ca2ldif.py. My system
+ is utf-8 an so I trust are many others.
+ * New frontpage
+ * Typos in man-pages ... which are also UTF-8 :|
+ * Cascade the manpages to actual files shut lintian up.
+
+ -- Lars Bahner Tue, 2 Dec 2003 19:39:35 +0100
+
+pyca (20031021-2) unstable; urgency=low
+
+ * Standards 3.6.1
+
+ -- Lars Bahner Mon, 27 Oct 2003 22:32:09 +0100
+
+pyca (20031021-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Lars Bahner Mon, 27 Oct 2003 21:01:37 +0100
+
+pyca (20030710-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Lars Bahner Sun, 13 Jul 2003 13:38:18 +0200
+
+pyca (20030602-2) unstable; urgency=low
+
+ * Patched pycacnf.py. Thanks Diane Trout. (closes: #197091)
+ * Added #DEBHELPER# to postinst. Let's see if lintian stops croaking.
+ * Specified Build-Depends-Indep as suggested by lintian
+ * Standards-version 3.5.10
+
+ -- Lars Bahner Thu, 12 Jun 2003 07:16:44 +0200
+
+pyca (20030602-1) unstable; urgency=low
+
+ * New upstream release
+ * Lessened rewrite of conffiles
+ * chgrp nogroup /var/log/pyca/ca-certreq-mail.out
+
+ -- Lars Bahner Tue, 3 Jun 2003 22:36:00 +0200
+
+pyca (20021129-8) unstable; urgency=low
+
+ * Removed recommendation for openldapd.
+ * Changed architecture from "any" to "all"
+
+ -- Lars Bahner Thu, 27 Mar 2003 14:57:53 +0100
+
+pyca (20021129-7) unstable; urgency=low
+
+ * Last correction didn't come clean. (closes: #186466)
+
+ -- Lars Bahner Thu, 27 Mar 2003 14:50:04 +0100
+
+pyca (20021129-6) unstable; urgency=low
+
+ * Rearranged rules-file (closes: #186466)
+
+ -- Lars Bahner Thu, 27 Mar 2003 14:02:29 +0100
+
+pyca (20021129-5) unstable; urgency=low
+
+ * Checked Debian Policy compliance in scripts (closes: #186333)
+ * Modified dependencies on openssl
+ * Added more checks to maintainer scripts
+ * Made maintainer scripts less noisy
+ * Crack at using sysexits
+ * Removed purging of /var/www/pyca by dpkg --purge
+ * Modified manpage
+ * Added script for logrotate
+ * Removed https: URI's from base test installation
+ * Increased group access to folders according to policy 11.9
+ * Rewrote scripts to avoid the use of /tmp/files
+
+ -- Lars Bahner Wed, 26 Mar 2003 21:33:31 +0100
+
+pyca (20021129-4) unstable; urgency=low
+
+ * Edited postinst to delete files in /tmp (closes: #185185)
+
+ -- Lars Bahner Tue, 25 Mar 2003 20:26:31 +0100
+
+pyca (20021129-3) unstable; urgency=low
+
+ * Standards 3.5.9
+ * Built from non-CVS source (closes: #184872)
+
+ -- Lars Bahner Sat, 15 Mar 2003 18:07:20 +0100
+
+pyca (20021129-2) unstable; urgency=low
+
+ * Standards 3.5.8
+ * Built differently to have original source and diffs separated.
+ * Made symbolic links for non-existing manpages
+
+ -- Lars Bahner Thu, 13 Mar 2003 22:23:30 +0100
+
+pyca (20021129-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Lars Bahner Sun, 2 Mar 2003 17:09:49 +0100
+
+pyca (20020902-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Lars Bahner Sun, 8 Sep 2002 16:48:55 +0200
+
+pyca (20020818-2) unstable; urgency=low
+
+ * Corrected flawed advice in README.Debian.
+ * Removed cron-entries (which didn't work)
+ * Actually applied the patch from upstream to fix #155903
+ * Rewrote the package code to be more clean
+ * apt-get source [... ] should now work properly
+
+ -- Lars Bahner Mon, 19 Aug 2002 14:18:14 +0200
+
+pyca (20020818-1) unstable; urgency=low
+
+ * New upstream version
+ * Normalized URI's somewhat in accordance with upstream.
+
+ -- Lars Bahner Mon, 19 Aug 2002 12:47:12 +0200
+
+pyca (20020605-4) unstable; urgency=low
+
+ * Added patch from Jordan Hrycaj . (closes: #155903)
+
+ -- Lars Bahner Fri, 9 Aug 2002 19:58:54 +0200
+
+pyca (20020605-3) unstable; urgency=low
+
+ * Corrected ugly path to CA
+ * Added info on seeding LDAP
+ * Added index.html from website
+ * Added this line to close ITP :) (closes: #151366)
+
+ -- root Fri, 19 Jul 2002 15:35:20 +0200
+
+pyca (20020605-2) unstable; urgency=low
+
+ * Corrected typos
+ * Changed dependencies
+ * Added creation of user ``pyca''
+ * Added cronjob for both private and public on same machine
+ * Added htdocs
+ * Added initial manpages
+ * Added mailalias
+ * Nice distinction between --remove and --purge for content
+
+ -- Lars Bahner Sun, 30 Jun 2002 15:52:35 +0200
+
+pyca (20020605-1) unstable; urgency=low
+
+ * Initial Release. (closes: #151366 )
+ * Modified original scripts to reflect debianized defaults.
+
+ -- Lars Bahner Sat, 29 Jun 2002 23:19:53 +0200
--- pyca-20031119.orig/debian/rules
+++ pyca-20031119/debian/rules
@@ -0,0 +1,63 @@
+#!/usr/bin/make -f
+# GNU Copyright @ 2001 - 2008 Lars Bahner
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+export PACKAGE=pyca
+
+include /usr/share/dpatch/dpatch.make
+
+configure:
+
+ dh_testdir
+
+build: configure patch
+
+clean: unpatch
+
+ dh_testdir
+ dh_testroot
+
+ rm -f httpd_error_log ca-certreq-mail.out
+
+ dh_clean
+
+install: build
+
+ dh_testdir
+ dh_testroot
+ dh_installdirs
+
+ touch httpd_error_log
+ touch ca-certreq-mail.out
+
+ cp -r bin/* debian/pyca/usr/bin
+ cp -r sbin/* debian/pyca/usr/sbin
+ cp -r cgi-bin/* debian/pyca/usr/lib/cgi-bin/pyca
+ cp -r conf/* debian/pyca/etc/pyca
+ cp -r pylib/* debian/pyca/usr/share/pyca/pylib
+
+ install -o root -g www-data -m 620 httpd_error_log debian/pyca/var/log/pyca/httpd_error_log
+ install -o root -g nogroup -m 620 ca-certreq-mail.out debian/pyca/var/log/pyca/ca-certreq-mail.out
+ install -o root -g root -m 644 debian/pyca.logrotate debian/pyca/etc/logrotate.d/pyca
+
+ chmod 644 debian/pyca/usr/lib/cgi-bin/pyca/pycacnf.py
+
+binary-indep: build install
+
+ dh_testdir
+ dh_testroot
+ dh_installdocs htdocs debian/crontab.sample
+ cat debian/index.html > debian/pyca/usr/share/doc/pyca/htdocs/index.html
+ dh_installman --language=C debian/*.1 debian/*.8
+ dh_installchangelogs
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep
+
+.PHONY: build clean binary-indep binary install configure
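Review bot: The two log files in the install target are installed with `-m 620`, which lets the group write but not read, and ca-certreq-mail.out gets group nogroup here while debian/postinst later changes it to group daemon. Set the group for ca-certreq-mail.out in one place only. Shipping empty log files inside the package also means dpkg unpacks them over existing logs on upgrade; creating them in postinst only when they are missing avoids that. The `cp -r` lines keep whatever modes the source tree has and only pycacnf.py is corrected with `chmod 644`, which is the cleanup the TODO entry about install commands and permissions points at.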
--- pyca-20031119.orig/debian/postrm
+++ pyca-20031119/debian/postrm
@@ -0,0 +1,44 @@
+#! /bin/sh -e
+
+set -e
+
+case "$1" in
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+ if test -e /usr/share/pyca && ! [ "$1" = upgrade ]; then
+
+ rm -rf /usr/share/pyca 2>&1 > /dev/null || exit 78
+ fi
+
+ ;;
+
+ purge)
+
+ if test -e /etc/pyca; then
+
+ rm -rf /etc/pyca 2>&1 > /dev/null || exit 78
+
+ fi
+
+ if test -e /var/lib/pyca; then
+
+ rm -rf /var/lib/pyca 2>&1 > /dev/null || exit 78
+ fi
+
+ if test -e /var/log/pyca; then
+
+ rm -rf /var/log/pyca 2>&1 > /dev/null || exit 78
+
+ fi
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 64
+
+esac
+
+#DEBHELPER#
+
+exit 0
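Review bot: In the first case branch the guard `! [ "$1" = upgrade ]` excludes only upgrade, so failed-upgrade, abort-install, abort-upgrade and disappear all run `rm -rf /usr/share/pyca`. Restrict that removal to `remove`, or drop it and let dpkg remove the files it installed. Every `rm -rf ... 2>&1 > /dev/null` has the redirections in the wrong order for silencing errors: stderr is duplicated onto the original stdout before stdout is pointed at /dev/null, so use `> /dev/null 2>&1`. The purge branch deletes /etc/pyca and /var/lib/pyca without asking; if the CA hierarchy created by ca-make.py lives there, purge destroys the CA, so consider leaving that data in place or prompting first. `set -e` is redundant with the `-e` on the shebang line.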
--- pyca-20031119.orig/debian/control
+++ pyca-20031119/debian/control
@@ -0,0 +1,25 @@
+Source: pyca
+Section: net
+Priority: optional
+Maintainer: Lars Bahner
+Build-Depends: debhelper (>> 5.0.0), dpatch
+Standards-Version: 3.8.0
+
+Package: pyca
+Architecture: all
+Depends: python, openssl (>= 0.9.7), logrotate, adduser
+Conflicts: openssl (= 0.9.6)
+Recommends: apache2 | httpd-cgi, slapd, mail-transport-agent, python-ldap
+Description: Certification Authority written in Python
+ pyca is a set of Python scripts written Michael Ströder. They provide an
+ almost fully fledged Certification Authority.
+ Support for issueing email and authentication certificates works fine.
+ .
+ Most notably spooling of requests and certificates between the public and
+ the private parts of the CA remains to be written.
+ .
+ Other than that the documentation and scripts provided are of good quality
+ and may facilitate using and understanding the CA capabilities of OpenSSL.
+ .
+ The required webserver must provide CGI support.
+
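Review bot: `Conflicts: openssl (= 0.9.6)` is redundant next to `Depends: ... openssl (>= 0.9.7)`, since the dependency already excludes that version; drop the Conflicts line. The long description has two typos: "written Michael Ströder" is missing "by", and "issueing" should be "issuing".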
--- pyca-20031119.orig/debian/copyright
+++ pyca-20031119/debian/copyright
@@ -0,0 +1,18 @@
+This package was downloaded from
+http://www.pyca.de/download/pyca-20031118.tar.gz
+
+Upstream Author: Michael Ströder
+
+Copyright:
+
+Copyright © 2003 by Michael Ströder
+
+License:
+
+The GPL (GNU GENERAL PUBLIC LICENSE) Version 2 is available
+on this system in the file /usr/share/common-licenses/GPL-2
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
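Review bot: The download location at the top names pyca-20031118.tar.gz, while the package is versioned 20031119 and the newest changelog entry says the date was bumped by one day to upload the pristine tarball. Say in this file that the upstream tarball is the 20031118 release and why the Debian version differs, so the packaged source can be checked against upstream.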
--- pyca-20031119.orig/debian/ca2ldif.py.1
+++ pyca-20031119/debian/ca2ldif.py.1
@@ -0,0 +1,31 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH ca2ldif-py 1 "december 2, 2003"
+.SH NAME
+ca2ldif.py \- parse and insert in certs to LDAP
+.SH SYNOPSIS
+.TP
+.B ca2ldif.py
+[options]
+.SH DESCRIPTION
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.SH USAGE
+.TP
+.B -h or --help
+ Print help message.
+.SH SEE ALSO
+.BR pyca(1), certs2ldap.py(1), ca-cycle-pub(8), ca-cycle-priv(8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Ströder
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Ströder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
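Review bot: The USAGE section documents only `-h or --help`, while README.Debian in this same diff calls `ca2ldif.py --crl --dntemplate=...` and the help text touched by debian/patches/01_debianization lists `--config`, `--pycalib` and `--out`. List those options here together with the Debian defaults /etc/pyca/openssl.cnf and /usr/share/pyca/pylib. The `.TH` name `ca2ldif-py` also differs from the NAME entry `ca2ldif.py`.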
--- pyca-20031119.orig/debian/print-cacerts.py.1
+++ pyca-20031119/debian/print-cacerts.py.1
@@ -0,0 +1,44 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 1 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in ths suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B ca2ldif.py
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.TP
+.B certs2ldap.py
+Send all certs and CRLs to a LDAP repository.
+.TP
+.B copy\-cacerts.py
+Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash\-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
+.TP
+.B ns\-jsconfig.py
+Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
+.TP
+.B print\-cacerts.py
+This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs fingerprints and is typically run on the private CA system.
+Choose the option \-\-html to generate nicer formatted HTML\-output instead of the default textual output in ISO\-8859\-1.
+.TP
+.B ns\-jsconfig.py
+Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
+.SH SEE ALSO
+.BR pyca (8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Ströder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Ströder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
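Review bot: The `.TH pyca 1` header and the NAME line `pyca \- CA written in python` describe the whole suite rather than print-cacerts.py, and the same body is repeated in ns-jsconfig.py.1, certs2ldap.py.1 and copy-cacerts.py.1. Give each page its own .TH and NAME lines, or install the per-command pages as links to pyca.1. In the PROGRAMMES list `ns\-jsconfig.py` appears twice with different descriptions, and DESCRIPTION has the typo "ths suite".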
--- pyca-20031119.orig/debian/index.html
+++ pyca-20031119/debian/index.html
@@ -0,0 +1,133 @@
+
+
+
+
+
+ pyCA - X.509 CA
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The usage of cryptographic techniques promises secure usage of
+ Internet services concerning authentication of clients and servers and
+ authorized access to sensitive data. During the last two years it turned
+ out that X.509 certificates, SSL and S/MIME are the relevant, widely
+ adopted cryptographic standards for securing various Internet services
+ like WWW, Mail, etc.
+
+
+ However these standards require setting up a working X.509-based PKI
+ (pulic key infrastructure).
+ Although there is a quite lot of documentation and some example software
+ for setting up a primitive PKI with an own certificate authority
+ with the free package OpenSSL
+ it seems that this task is not easy for most people. There is a lot of
+ discussion on various mailing-lists, e.g. how to generate self-signed
+ CA certificates, generate certificate requests with the famous WWW browsers and how to provide
+ client certificates / certificate revocation lists for download, etc.
+ Additionally if the certification business of an organization gets only a
+ little bit more serious one has to take care about critical security issues.
+
+
+ pyCA tries to make it
+ easier for people to set up and run a organizational certificate authority
+ which fulfills the need for a fairly secure certification processing.
+ The package also tries to reduce administrative tasks and user's frustration
+ by providing a comfortable web interface to users contacting the certificate
+ authority.
+
+
+Project status
+
+Unfortunately I do not have the time at the moment to spend more time
+on developing this project. I will apply bug fixes and patches submitted
+by users as long as they do not require too much rewriting of code.
+
+
+
+
+Page last modified: Thursday, 15-May-2003 20:32:19 CEST,
+sponsored by
+
+stroeder.com - Information Technology, IT-Security, Identity Management,
+System Integration
+
+
+
+
+
+
+
--- pyca-20031119.orig/debian/ns-jsconfig.py.1
+++ pyca-20031119/debian/ns-jsconfig.py.1
@@ -0,0 +1,44 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 1 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in ths suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B ca2ldif.py
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.TP
+.B certs2ldap.py
+Send all certs and CRLs to a LDAP repository.
+.TP
+.B copy\-cacerts.py
+Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash\-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
+.TP
+.B ns\-jsconfig.py
+Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
+.TP
+.B print\-cacerts.py
+This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs fingerprints and is typically run on the private CA system.
+Choose the option \-\-html to generate nicer formatted HTML\-output instead of the default textual output in ISO\-8859\-1.
+.TP
+.B ns\-jsconfig.py
+Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
+.SH SEE ALSO
+.BR pyca (8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Ströder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Ströder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
--- pyca-20031119.orig/debian/postinst
+++ pyca-20031119/debian/postinst
@@ -0,0 +1,81 @@
+#! /bin/bash
+
+set -e
+
+pyca_setup_user() {
+ if ! id pyca > /dev/null 2>&1 ; then
+ adduser --system --no-create-home pyca 2>&1 > /dev/null || exit 78
+ fi
+}
+
+pyca_log_perms() {
+
+ if test -e /var/log/pyca; then
+
+ chmod 655 /var/log/pyca || exit 78
+ chgrp adm /var/log/pyca || exit 78
+
+
+ fi
+
+ if id www-data > /dev/null 2>&1; then
+
+ chgrp www-data /var/log/pyca/httpd_error_log || exit 78
+ chmod 620 /var/log/pyca/httpd_error_log || exit 78
+
+ fi
+
+ if id daemon > /dev/null 2>&1; then
+
+ chgrp daemon /var/log/pyca/ca-certreq-mail.out || exit 78
+ chmod 620 /var/log/pyca/ca-certreq-mail.out || exit 78
+
+ fi
+
+}
+
+pyca_make_alias() {
+
+ if test -e /etc/aliases; then
+
+ if ! grep -q ca-certreq-mail /etc/aliases;then
+
+ cat >> /etc/aliases <&1 > /dev/null || exit 78
+ fi
+
+ fi
+
+ fi
+
+}
+
+
+case "$1" in
+ configure)
+
+pyca_setup_user
+pyca_log_perms
+pyca_make_alias
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 64
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
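Review bot: In pyca_log_perms, `chmod 655 /var/log/pyca` gives the directory no execute bit for its owner and read access for everyone; 750 fits the `chgrp adm` on the next line, or 755 if the logs are meant to be listable by all. The chgrp and chmod calls on httpd_error_log and ca-certreq-mail.out sit outside the `test -e /var/log/pyca` guard, so with `set -e` and `|| exit 78` a missing file aborts configuration; test for each file before touching it. ca-certreq-mail.out is given group daemon here but group nogroup in debian/rules. In pyca_setup_user, `2>&1 > /dev/null` leaves stderr on the terminal; write `> /dev/null 2>&1` as on the `id pyca` line above it.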
--- pyca-20031119.orig/debian/certs2ldap.py.1
+++ pyca-20031119/debian/certs2ldap.py.1
@@ -0,0 +1,44 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 1 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in ths suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B ca2ldif.py
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.TP
+.B certs2ldap.py
+Send all certs and CRLs to a LDAP repository.
+.TP
+.B copy\-cacerts.py
+Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash\-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
+.TP
+.B ns\-jsconfig.py
+Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
+.TP
+.B print\-cacerts.py
+This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs fingerprints and is typically run on the private CA system.
+Choose the option \-\-html to generate nicer formatted HTML\-output instead of the default textual output in ISO\-8859\-1.
+.TP
+.B ns\-jsconfig.py
+Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
+.SH SEE ALSO
+.BR pyca (8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Ströder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Ströder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
--- pyca-20031119.orig/debian/README.Debian
+++ pyca-20031119/debian/README.Debian
@@ -0,0 +1,41 @@
+pyca for Debian
+---------------
+
+I have applied a patch to provide debianized defaults. So there should
+be no need to provide parameters to many of the maintenance scripts.
+
+Debconf adaptation is not implemented yet, so you MUST edit the files in
+/etc/pyca manually.
+
+A nice document for this is the usr/share/doc/openssl/doc/openssl.txt.gz
+which can be found in the openssl package.
+
+When you have done this you may give the ``ca-make.py'' command to create
+your Root CA and sub CA's. Have a piece of paper ready, you need several
+good passwords :)
+
+The Debian ``slapd'' have the correct inetorgperson.schema required for
+storing X.509 certificates. Before you issue the ``ca2ldif.py'' command
+to put your CAcertificates into ldap you need to run ``ca-cycle-priv.py''
+to create CRL's - even if you haven't issued and much less revoked any
+certificates yet. Then use all parameters to command something like:
+
+ ca2ldif.py --crl --dntemplate="cn=%(CN)s,ou=ca,o=debian,c=no" | slapadd
+
+The possibility of using domainComponents instead of C/St/L/O/OU notation
+for DN's have been explored. Where as this seems to be The Right Thing in
+terms of how LDAP is being used these days, it looks awful in the
+applications I have tested. (IE, Mozilla, Firebird, Mutt, Outlook Express,
+Outlook). Applications look for the C/St/L/O/OU fields in order to display
+their contents to the user.
+Not finding this information they display nothing, which looks very silly.
+Mind you, the problem is purely cosmetic.
+
+Oh, and the applications tend *not* to display utf-8, as well :( So my
+personal company name - Tølveguten - can't be used.
+
+If your use for a CA is to have client certificates for your mail server
+internally on the other hand, domainComponent notation will ease the pain
+of setting up SASL.
+
+ -- Lars Bahner , Wed Mar 26 20:10:49 CEST 2003
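Review bot: The path `usr/share/doc/openssl/doc/openssl.txt.gz` is missing its leading slash, and the step that runs `ca-make.py` does not say which user to run it as, although pyca.8 in this diff states it is intended to run as root because it sets ownership and permissions. Add both to the README.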
--- pyca-20031119.orig/debian/pyca.1
+++ pyca-20031119/debian/pyca.1
@@ -0,0 +1,44 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 1 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in ths suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B ca2ldif.py
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.TP
+.B certs2ldap.py
+Send all certs and CRLs to a LDAP repository.
+.TP
+.B copy\-cacerts.py
+Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash\-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
+.TP
+.B ns\-jsconfig.py
+Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
+.TP
+.B print\-cacerts.py
+This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs fingerprints and is typically run on the private CA system.
+Choose the option \-\-html to generate nicer formatted HTML\-output instead of the default textual output in ISO\-8859\-1.
+.TP
+.B ns\-jsconfig.py
+Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
+.SH SEE ALSO
+.BR pyca (8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Stroeder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Stroeder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
--- pyca-20031119.orig/debian/pyca.8
+++ pyca-20031119/debian/pyca.8
@@ -0,0 +1,61 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 8 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in this suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B pickle\-cnf.py
+Create a pickled copy the OpenSSL configuration object for faster reading of the configuration. The pickle-file name is the name of the OpenSSL configuration file plus .pickle.
+.TP
+.B ca\-make.py
+Generate a CA hierarchy, all necessary files and directories and all initial CRLs (see also signedby extension in OpenSSL configuration file). This is intended to be run under user root since it sets the ownership and permissions.
+.TP
+.B ca\-certreq\-mail.py
+Handles the mail dialogue after certificate request. The SPKAC certificate request and LDIF data is moved from the directory pend_reqs_dir to new_reqs_dir. Set this script in your /etc/aliases, procmailrc or similar to receive mails for the address specified in caCertReqMailAdr.
+.TP
+.B ca\-cycle\-pub.py
+.br
+This script is typically run by the CA admin user via CRON or a similar task manager on a networked system holding the public certificate data. It does several jobs:
+.RS
+.P
+* Publish new certificates and inform user via e\-mail where to download his certificate
+.P
+* Remove stale certificate requests from pend_reqs_dir.
+.P
+* Spool certificate requests and certificate revocation requests to the system holding the CA's private keys. (not implemented yet)
+.P
+* Spool certificates and certificate revocation lists from the system holding the CA's private keys. (not implemented yet)
+.RE
+.TP
+.B ca\-cycle\-priv.py
+This script is run on the system where the private keys of the CA are stored. It does several jobs:
+.RS
+.P
+* Mark expired certificates in OpenSSL certificate database
+.P
+* Generate new CRLs, move old CRLs to archive (not implemented yet)
+.P
+* Process certificate requests and certificate revocation requests (not implemented yet)
+.P
+* Spool certificate database, issued certificates and CRLs to public WWW and LDAP server (not implemented yet)
+.RE
+.SH SEE ALSO
+.BR pyca (1)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 - 2003 Michael Stroeder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Stroeder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system (but may be used by others).
--- pyca-20031119.orig/debian/pyca.logrotate
+++ pyca-20031119/debian/pyca.logrotate
@@ -0,0 +1,12 @@
+/var/log/pyca/*.out {
+ rotate 12
+ weekly
+ compress
+}
+
+
+/var/log/pyca/*_log {
+ rotate 12
+ weekly
+ compress
+}
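Review bot: Neither stanza sets `create` with an explicit mode, owner and group, so the files that replace the rotated logs depend on the global logrotate defaults, while debian/postinst relies on mode 620 with groups www-data and daemon. Add `create 620 root www-data` to the `*_log` stanza and the matching line to the `*.out` stanza, plus `missingok` so rotation does not report an error when a log is absent.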
--- pyca-20031119.orig/debian/copy-cacerts.py.1
+++ pyca-20031119/debian/copy-cacerts.py.1
@@ -0,0 +1,44 @@
+.\" Hey, EMACS: -*- nroff -*-
+.encoding UTF-8
+.TH pyca 1 "june 30, 2002"
+.SH NAME
+pyca \- CA written in python
+.SH DESCRIPTION
+The scripts in ths suite are basically wrappers around \fBopenssl(1)\fP. Additionally the scripts integrates the generic CA\-functionality with the mail\-system and apache for handling certificate requests; with LDAP for handling distributing certificates and revocation lists; and cron for maintenance tasks.
+.SH PROGRAMMES
+.TP
+.B ca2ldif.py
+Write CA certificates and CRLs to a LDIF file. This is intended for initially setting up the CA entries not for daily CRL update. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP servers configuration documentation.
+.TP
+.B certs2ldap.py
+Send all certs and CRLs to a LDAP repository.
+.TP
+.B copy\-cacerts.py
+Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash\-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
+.TP
+.B ns\-jsconfig.py
+Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
+.TP
+.B print\-cacerts.py
+This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs fingerprints and is typically run on the private CA system.
+Choose the option \-\-html to generate nicer formatted HTML\-output instead of the default textual output in ISO\-8859\-1.
+.TP
+.B ns\-jsconfig.py
+Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
+.SH SEE ALSO
+.BR pyca (8)
+.P
+The programs are documented fully by the HTML documents in \fB/usr/share/doc/pyca/htdocs/\fP
+.SH COPYRIGHT
+Copyright © 2001 \- 2003 Michael Ströder
+
+
+This software including all modules is Open Source and given away under:
+GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
+
+The author refuses to give any warranty of any kind.
+.SH AUTHOR
+Michael Ströder
+.P
+This manual page was written by Lars Bahner ,
+for the Debian GNU/Linux system.
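Review bot: the PROGRAMMES list documents ns-jsconfig.py twice, once after copy-cacerts.py and again after print-cacerts.py, with two different descriptions; merge them into a single entry. The .TH line titles the page "pyca 1" although the file is copy-cacerts.py.1. The DESCRIPTION has the typos "ths suite" and "the scripts integrates", and the maintainer credit ends in "Lars Bahner ," with no address after the name.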
--- pyca-20031119.orig/debian/crontab.sample
+++ pyca-20031119/debian/crontab.sample
@@ -0,0 +1,5 @@
+#
+# Regular cron jobs for the pyca package
+#
+0 3 * * * root ca-cycle-priv.py
+0 4 * * * root ca-cycle-pub.py
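Review bot: both jobs call ca-cycle-priv.py and ca-cycle-pub.py by bare name, so they only run if cron's PATH includes the directory the scripts are installed in; use absolute paths. Both also run as root, while 01_debianization sets userCAAdmin = pyca. If the cycle scripts do not need root, run them under the dedicated CA account, or document why root is required.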
--- pyca-20031119.orig/debian/patches/01_debianization
+++ pyca-20031119/debian/patches/01_debianization
@@ -0,0 +1,667 @@
+#!/bin/sh -e
+## DP: Debian conformance patch for the Debian pyca-package
+## DP: This patch consists mainly of FHS (2.2) stuff
+## Copyright @ 2003 by Lars Bahner
+
+if [ $# -ne 1 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
+
+case "$1" in
+ -patch) patch $patch_opts -p1 < $0;;
+ -unpatch) patch $patch_opts -p1 -R < $0;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+diff -Naur pyca.orig/bin/ca2ldif.py pyca-20030602/bin/ca2ldif.py
+--- pyca.orig/bin/ca2ldif.py 2002-02-20 18:41:22.000000000 +0100
++++ pyca-20030602/bin/ca2ldif.py 2003-06-03 22:19:23.000000000 +0200
+@@ -34,11 +34,11 @@
+
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ --out=[pathname]
+ Pathname of LDIF file for output
+@@ -70,7 +70,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -79,7 +79,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ PrintUsage('Module directory %s does not exist or is no directory.' % (pycalib))
+diff -Naur pyca.orig/conf/cacert_AuthCerts.cnf pyca-20030602/conf/cacert_AuthCerts.cnf
+--- pyca.orig/conf/cacert_AuthCerts.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/cacert_AuthCerts.cnf 2003-06-03 22:16:51.000000000 +0200
+@@ -39,16 +39,16 @@
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ keyUsage = cRLSign, keyCertSign
+-subjectAltName = URI:"http://localhost/pyca/get-cert.py/AuthCerts/ca.crt"
++subjectAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/AuthCerts/ca.crt"
+ issuerAltName = issuer:copy
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ #certificatePolicies=ia5org,@polsect
+
+ # Netscape cert extensions
+ nsComment = "This CA issues SSL client certificates."
+ nsCaPolicyUrl = "https://localhost/AuthCerts/policy.html"
+ nsCertType = sslCA
+-nsCaRevocationUrl = "http://localhost/pyca/get-cert.py/Root/crl.crl"
++nsCaRevocationUrl = "http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+
+ [ polsect ]
+ #policyIdentifier=1.2.3.4
+diff -Naur pyca.orig/conf/cacert_CodeSigning.cnf pyca-20030602/conf/cacert_CodeSigning.cnf
+--- pyca.orig/conf/cacert_CodeSigning.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/cacert_CodeSigning.cnf 2003-06-03 22:16:51.000000000 +0200
+@@ -39,16 +39,16 @@
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ keyUsage = cRLSign, keyCertSign
+-subjectAltName = URI:"http://localhost/pyca/get-cert.py/CodeSigning/ca.crt"
++subjectAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/CodeSigning/ca.crt"
+ issuerAltName = issuer:copy
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ #certificatePolicies=ia5org,@polsect
+
+ # Netscape cert extensions
+ nsComment = "This CA issues code signing certificates."
+ nsCaPolicyUrl = "https://localhost/CodeSigning/policy.html"
+ nsCertType = objCA
+-nsCaRevocationUrl = "http://localhost/pyca/get-cert.py/Root/crl.crl"
++nsCaRevocationUrl = "http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+
+ [ polsect ]
+ #policyIdentifier=1.2.3.4
+diff -Naur pyca.orig/conf/cacert_EmailCerts.cnf pyca-20030602/conf/cacert_EmailCerts.cnf
+--- pyca.orig/conf/cacert_EmailCerts.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/cacert_EmailCerts.cnf 2003-06-03 22:16:51.000000000 +0200
+@@ -39,16 +39,16 @@
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ keyUsage = cRLSign, keyCertSign
+-subjectAltName = URI:"http://localhost/pyca/get-cert.py/EmailCerts/ca.crt"
++subjectAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/EmailCerts/ca.crt"
+ issuerAltName = issuer:copy
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ #certificatePolicies=ia5org,@polsect
+
+ # Netscape cert extensions
+ nsComment = "This CA issues e-mail certificates."
+ nsCaPolicyUrl = "https://localhost/EmailCerts/policy.html"
+ nsCertType = emailCA
+-nsCaRevocationUrl = "http://localhost/pyca/get-cert.py/Root/crl.crl"
++nsCaRevocationUrl = "http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+
+ [ polsect ]
+ #policyIdentifier=1.2.3.4
+diff -Naur pyca.orig/conf/cacert_Root.cnf pyca-20030602/conf/cacert_Root.cnf
+--- pyca.orig/conf/cacert_Root.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/cacert_Root.cnf 2003-06-03 22:16:51.000000000 +0200
+@@ -37,8 +37,8 @@
+ # Netscape cert extensions
+ nsCertType = sslCA,emailCA,objCA
+ nsComment = "This Root CA issues sub-CA certs of different policies and has no contact with end-entities."
+-nsCaPolicyUrl = "https://localhost/Root/policy.html"
+-nsCaRevocationUrl = "http://localhost/pyca/get-cert.py/Root/crl.crl"
++nsCaPolicyUrl = "http://localhost/Root/policy.html"
++nsCaRevocationUrl = "http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+
+ # PKIX
+ basicConstraints=critical,CA:true
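Review bot: the nsCaPolicyUrl line in this hunk changes the Root CA policy URL from https to http, which is unrelated to the FHS path relocation the patch header describes. It is also inconsistent with the other cacert_*.cnf files in this patch, where nsCaPolicyUrl stays "https://localhost/.../policy.html" as unchanged context. Keep https here, or state in the patch header that the downgrade is intentional and why.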
+@@ -46,8 +46,8 @@
+ authorityKeyIdentifier=keyid:always,issuer:always
+ keyUsage = cRLSign,keyCertSign
+ extendedKeyUsage = nsSGC,msSGC
+-subjectAltName = URI:"http://localhost/pyca/get-cert.py/Root/ca.crt"
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++subjectAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/ca.crt"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ #certificatePolicies=ia5org,@polsect
+
+ [ polsect ]
+diff -Naur pyca.orig/conf/cacert_ServerCerts.cnf pyca-20030602/conf/cacert_ServerCerts.cnf
+--- pyca.orig/conf/cacert_ServerCerts.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/cacert_ServerCerts.cnf 2003-06-03 22:16:51.000000000 +0200
+@@ -40,16 +40,16 @@
+ authorityKeyIdentifier=keyid:always,issuer:always
+ keyUsage = cRLSign, keyCertSign
+ extendedKeyUsage = nsSGC,msSGC
+-subjectAltName = URI:"http://localhost/pyca/get-cert.py/ServerCerts/ca.crt"
++subjectAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/ServerCerts/ca.crt"
+ issuerAltName = issuer:copy
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ #certificatePolicies=ia5org,@polsect
+
+ # Netscape cert extensions
+ nsComment = "This CA issues SSL server certificates."
+ nsCaPolicyUrl = "https://localhost/ServerCerts/policy.html"
+ nsCertType = sslCA
+-nsCaRevocationUrl = "http://localhost/pyca/get-cert.py/Root/crl.crl"
++nsCaRevocationUrl = "http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+
+ [ polsect ]
+ #policyIdentifier=1.2.3.4
+diff -Naur pyca.orig/conf/openssl.cnf pyca-20030602/conf/openssl.cnf
+--- pyca.orig/conf/openssl.cnf 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/conf/openssl.cnf 2003-06-03 22:29:03.000000000 +0200
+@@ -12,7 +12,7 @@
+ # +-CodeSigning (solely for code signing, Authenticode etc.)
+
+ RANDFILE = "$ENV::HOME/.rnd"
+-oid_file = /etc/openssl/.oid
++oid_file = /etc/pyca/.oid
+ oid_section = new_oids
+
+ [ new_oids ]
+@@ -41,7 +41,7 @@
+ ####################################################################
+
+ [ CA_Root ]
+-dir = /usr/local/myCA/Root# Where everything is kept
++dir = /var/lib/pyca/Root# Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
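Review bot: the new dir line for [ CA_Root ] keeps the original's missing space before the comment ("dir = /var/lib/pyca/Root# Where everything is kept"), unlike the other CA sections; add the space so the value cannot be read as including the "#". The debian/dirs file in this diff does not list var/lib/pyca, so confirm that another packaging step creates it with restrictive ownership and mode, given that this is "where everything is kept" for each CA.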
+@@ -58,12 +58,12 @@
+ default_md = sha1 # which md to use.
+ preserve = no # keep passed DN ordering
+ policy = policy_CA
+-ca_x509_extfile = /etc/openssl/cacert_Root.cnf
++ca_x509_extfile = /etc/pyca/cacert_Root.cnf
+ x509_extensions = x509v3_ext_CA # This section is only used for
+ # displaying the params in ca-index.py
+
+ [ CA_EmailCerts ]
+-dir = /usr/local/myCA/EmailCerts # Where everything is kept
++dir = /var/lib/pyca/EmailCerts # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -82,12 +82,12 @@
+ policy = policy_EmailCerts
+ x509_extensions = x509v3_ext_EmailCerts
+ signedby = Root
+-ca_x509_extfile = /etc/openssl/cacert_EmailCerts.cnf
++ca_x509_extfile = /etc/pyca/cacert_EmailCerts.cnf
+ req = req_EmailCerts
+ min_key_size = 768
+
+ [ CA_AuthCerts ]
+-dir = /usr/local/myCA/AuthCerts # Where everything is kept
++dir = /var/lib/pyca/AuthCerts # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -106,11 +106,11 @@
+ policy = policy_AuthCerts
+ x509_extensions = x509v3_ext_AuthCerts
+ signedby = Root
+-ca_x509_extfile = /etc/openssl/cacert_AuthCerts.cnf
++ca_x509_extfile = /etc/pyca/cacert_AuthCerts.cnf
+ req = req_AuthCerts
+
+ [ CA_CodeSigning ]
+-dir = /usr/local/myCA/CodeSigning # Where everything is kept
++dir = /var/lib/pyca/CodeSigning # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -129,11 +129,11 @@
+ policy = policy_CodeSigning
+ x509_extensions = x509v3_ext_CodeSigning
+ signedby = Root
+-ca_x509_extfile = /etc/openssl/cacert_CodeSigning.cnf
++ca_x509_extfile = /etc/pyca/cacert_CodeSigning.cnf
+ req = req_EmailCerts
+
+ [ CA_ServerCerts ]
+-dir = /usr/local/myCA/ServerCerts # Where everything is kept
++dir = /var/lib/pyca/ServerCerts # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -152,7 +152,7 @@
+ policy = policy_ServerCerts
+ x509_extensions = x509v3_ext_ServerCerts
+ signedby = Root
+-ca_x509_extfile = /etc/openssl/cacert_ServerCerts.cnf
++ca_x509_extfile = /etc/pyca/cacert_ServerCerts.cnf
+
+ ########################### Policies ###############################
+
+@@ -310,13 +310,13 @@
+ [ x509v3_ext_CA ]
+ basicConstraints = CA:true
+ keyUsage = cRLSign,keyCertSign
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/Root/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/Root/crl.crl"
+ nsComment = "This certificate is used for issueing sub-CA certs."
+-nsBaseUrl = "https://localhost/"
+-nsCaRevocationUrl = pyca/get-cert.py/Root/crl.crl
+-nsRevocationUrl = pyca/ns-check-rev.py/Root?
+-nsRenewalUrl = pyca/ns-renewal.py/Root?
+-nsCaPolicyUrl = TestCA/policy/CA-policy.html
++nsBaseUrl = "http://localhost/"
++nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/Root/crl.crl
++nsRevocationUrl = cgi-binpyca/ns-check-rev.py/Root?
++nsRenewalUrl = cgi-bin/pyca/ns-renewal.py/Root?
++nsCaPolicyUrl = CA/policy.html
+
+ [ x509v3_ext_EmailCerts ]
+ # PKIX extensions
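Review bot: the new nsRevocationUrl in [ x509v3_ext_CA ] reads "cgi-binpyca/ns-check-rev.py/Root?", missing the slash after cgi-bin, so the revocation-check URL placed in issued certificates will not resolve; it should be cgi-bin/pyca/ns-check-rev.py/Root? like the other sections. The hunk also changes nsBaseUrl from "https://localhost/" to "http://localhost/", which moves every relative ns* URL (revocation check, renewal, policy) to plain HTTP. That is a behaviour change beyond the path move and should be reverted or justified in the patch header; the later x509v3_ext_* hunks repeat it and additionally downgrade issuerAltName.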
+@@ -324,16 +324,16 @@
+ authorityKeyIdentifier = keyid:always,issuer:always
+ keyUsage = nonRepudiation,digitalSignature,keyEncipherment
+ extendedKeyUsage = emailProtection
+-issuerAltName = URI:"https://localhost/pyca/get-cert.py/EmailCerts/ca.crt"
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/EmailCerts/crl.crl"
++issuerAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/EmailCerts/ca.crt"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/EmailCerts/crl.crl"
+ subjectAltName = email:copy
+ # Netscape-specific extensions
+ nsComment = "This certificate is used for e-mail."
+-nsBaseUrl = "https://localhost/"
+-nsCaRevocationUrl = pyca/get-cert.py/EmailCerts/crl.crl
+-nsRevocationUrl = pyca/ns-check-rev.py/EmailCerts?
+-nsRenewalUrl = pyca/ns-renewal.py/EmailCerts?
+-nsCaPolicyUrl = TestCA/policy/EmailCerts-policy.html
++nsBaseUrl = "http://localhost/"
++nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/EmailCerts/crl.crl
++nsRevocationUrl = cgi-bin/pyca/ns-check-rev.py/EmailCerts?
++nsRenewalUrl = cgi-bin/pyca/ns-renewal.py/EmailCerts?
++nsCaPolicyUrl = EmailCerts/policy.html
+ nsCertType = email
+
+ [ x509v3_ext_AuthCerts ]
+@@ -342,15 +342,15 @@
+ authorityKeyIdentifier = keyid:always,issuer:always
+ keyUsage = digitalSignature
+ extendedKeyUsage = clientAuth
+-issuerAltName = URI:"https://localhost/pyca/get-cert.py/AuthCerts/ca.crt"
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/AuthCerts/crl.crl"
++issuerAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/AuthCerts/ca.crt"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/AuthCerts/crl.crl"
+ # Netscape-specific extensions
+ nsComment = "This certificate is used for strong authentication."
+-nsBaseUrl = "https://localhost/"
+-nsCaRevocationUrl = pyca/get-cert.py/AuthCerts/crl.crl
+-nsRevocationUrl = pyca/ns-check-rev.py/AuthCerts?
+-nsRenewalUrl = pyca/ns-renewal.py/AuthCerts?
+-nsCaPolicyUrl = TestCA/policy/AuthCerts-policy.html
++nsBaseUrl = "http://localhost/"
++nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/AuthCerts/crl.crl
++nsRevocationUrl = cgi-bin/pyca/ns-check-rev.py/AuthCerts?
++nsRenewalUrl = cgi-bin/pyca/ns-renewal.py/AuthCerts?
++nsCaPolicyUrl = AuthCerts/policy.html
+ nsCertType = client
+
+ [ x509v3_ext_CodeSigning ]
+@@ -359,31 +359,31 @@
+ authorityKeyIdentifier = keyid:always,issuer:always
+ keyUsage = digitalSignature
+ extendedKeyUsage = codeSigning
+-issuerAltName = URI:"https://localhost/pyca/get-cert.py/CodeSigning/ca.crt"
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/CodeSigning/crl.crl"
++issuerAltName = URI:"http://localhost/cgi-bin/pyca/get-cert.py/CodeSigning/ca.crt"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/CodeSigning/crl.crl"
+ # Netscape-specific extensions
+ nsComment = "This certificate is used for CodeSigning signing."
+-nsBaseUrl = "https://localhost/"
+-nsCaRevocationUrl = pyca/get-cert.py/CodeSigning/crl.crl
+-nsRevocationUrl = pyca/ns-check-rev.py/CodeSigning?
+-nsRenewalUrl = pyca/ns-renewal.py/CodeSigning?
+-nsCaPolicyUrl = TestCA/policy/CodeSigning-policy.html
++nsBaseUrl = "http://localhost/"
++nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/CodeSigning/crl.crl
++nsRevocationUrl = cgi-bin/pyca/ns-check-rev.py/CodeSigning?
++nsRenewalUrl = cgi-bin/pyca/ns-renewal.py/CodeSigning?
++nsCaPolicyUrl = CodeSigning/policy.html
+ nsCertType = objsign
+
+ [ x509v3_ext_ServerCerts ]
+ # PKIX extensions
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always
+-crlDistributionPoints = URI:"http://localhost/pyca/get-cert.py/ServerCerts/crl.crl"
++crlDistributionPoints = URI:"http://localhost/cgi-bin/pyca/get-cert.py/ServerCerts/crl.crl"
+ keyUsage = keyEncipherment
+ extendedKeyUsage = serverAuth,nsSGC,msSGC
+ # Netscape-specific extensions
+ nsComment = "This certificate is used for SSL ServerCerts."
+-nsBaseUrl = "https://localhost/"
+-nsCaRevocationUrl = pyca/get-cert.py/ServerCerts/crl.crl
+-nsRevocationUrl = pyca/ns-check-rev.py/ServerCerts?
+-nsRenewalUrl = pyca/ns-renewal.py/ServerCerts?
+-nsCaPolicyUrl = TestCA/policy/ServerCerts-policy.html
++nsBaseUrl = "http://localhost/"
++nsCaRevocationUrl = cgi-bin/pyca/get-cert.py/ServerCerts/crl.crl
++nsRevocationUrl = cgi-bin/pyca/ns-check-rev.py/ServerCerts?
++nsRenewalUrl = cgi-bin/pyca/ns-renewal.py/ServerCerts?
++nsCaPolicyUrl = ServerCerts/policy.html
+ nsCertType = server
+
+ # [ pyca ] is a proprietary, non-OpenSSL section for the pyca-package
+@@ -396,37 +396,37 @@
+ # Base-URL for the other URL addresses
+ # This is meant as fallback option if the CA-specific
+ # attribute nsBaseUrl is not set
+-nsBaseUrl = "https://localhost/"
++nsBaseUrl = "http://localhost/"
+
+ # Relative URL address of ca-index.py
+-nsCAIndexUrl = pyca/ca-index.py
++nsCAIndexUrl = cgi-bin/pyca/ca-index.py
+
+ # Relative URL address of client-enroll.py
+-nsEnrollUrl = pyca/client-enroll.py
++nsEnrollUrl = cgi-bin/pyca/client-enroll.py
+
+ # Relative URL address of get-cert.py
+-nsGetCertUrl = pyca/get-cert.py
++nsGetCertUrl = cgi-bin/pyca/get-cert.py
+
+ # Relative URL address of view-cert.py
+-nsViewCertUrl = pyca/view-cert.py
++nsViewCertUrl = cgi-bin/pyca/view-cert.py
+
+ # Pathname of the openssl executable
+ OpenSSLExec = /usr/bin/openssl
+
+ # Username of caadmin
+-userCAAdmin = caadmin
++userCAAdmin = pyca
+
+ # Username of WWW Server
+-userWWWRun = wwwrun
++userWWWRun = www-data
+
+ # Username of mail delivery demon
+-userMailDaemon = daemon
++userMailDaemon = nobody
+
+ # Preferred HTTP method for submitting form parameters
+ ScriptMethod = POST
+
+ # Relative URL address of help texts (e.g. client-enroll-help.html)
+-HelpUrl = inkasite/python/pyca/help/
++HelpUrl = /pyca/help/
+
+ # The default SMTP mail relay
+ MailRelay = localhost
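Review bot: HelpUrl changes to "/pyca/help/" while its comment still says "Relative URL address" and the neighbouring settings (nsCAIndexUrl, nsEnrollUrl, nsGetCertUrl, nsViewCertUrl) stay relative with no leading slash; if the scripts prepend nsBaseUrl this yields "http://localhost//pyca/help/", so drop the leading slash or update the comment. Separately, userMailDaemon = nobody ties the mail-side processing to an account shared with other services; confirm it matches the user the MTA actually delivers as, and that nothing sensitive ends up owned by or writable for nobody.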
+@@ -441,16 +441,16 @@
+
+ # Pathname for the error log file.
+ # stderr is used as default, if empty or not defined.
+-#ErrorLog = /var/log/pyca/httpd_error_log
++ErrorLog = /var/log/pyca/httpd_error_log
+
+ # E-mail address of the mail dialogue script for certificate requests
+ # if empty, no mail dialogue is initiated.
+-caCertReqMailAdr = confirm-cert-req@ms.inka.de
++caCertReqMailAdr = ca-certreq-mail@localhost
+
+ # Central e-mail address of the CA's administrator.
+ # This is used as From: address if the subject name of a CA cert does
+ # not contain an Email attribute.
+-caAdminMailAdr = caadmin@ms.inka.de
++caAdminMailAdr = pyca@localhost
+
+ # Amount of time [h] how long a pending certificate request is stored
+ # in caPendCertReqDir without being confirmed by e-mail.
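Review bot: uncommenting ErrorLog at the top of this hunk makes the scripts write to /var/log/pyca/httpd_error_log instead of stderr, so that file has to be writable by userWWWRun (www-data in this patch) and covered by the logrotate snippet. Verify that the package creates it with that ownership and a mode that does not expose request details to other local users; otherwise logging may fail on first use.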
+@@ -467,7 +467,7 @@
+ caInternalIPAdr = 127.0.0.0/255.0.0.0,10.0.0.0/255.0.0.0
+
+ # List of email address domains which are handled as internal
+-caInternalDomains = pyca.de
++caInternalDomains = localhost
+
+ # List of CA names for which handling of intermediate CA certs should
+ # be provided.
+diff -Naur pyca.orig/sbin/ca-certreq-mail.py pyca-20030602/sbin/ca-certreq-mail.py
+--- pyca.orig/sbin/ca-certreq-mail.py 2002-05-31 22:54:48.000000000 +0200
++++ pyca-20030602/sbin/ca-certreq-mail.py 2003-06-03 22:16:51.000000000 +0200
+@@ -60,7 +60,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ LogWrite(logfile,'Error',None,'Module directory %s not exists or not a directory.' % (pycalib))
+ sys.path.append(pycalib)
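Review bot: in the context directly after the changed default, a missing or non-directory pycalib is only logged and the next line still runs sys.path.append(pycalib), so the script carries on with an unusable or unexpected module path; stop after the LogWrite instead of continuing. Because pycalib can come from the PYCALIB environment variable and this script handles certificate-request mail, consider ignoring the environment here and using the packaged path only.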
+@@ -68,7 +68,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ LogWrite(logfile,'Error',None,'Config file %s not found.' % (opensslcnfname))
+diff -Naur pyca.orig/sbin/ca-cycle-priv.py pyca-20030602/sbin/ca-cycle-priv.py
+--- pyca.orig/sbin/ca-cycle-priv.py 2001-06-09 20:52:53.000000000 +0200
++++ pyca-20030602/sbin/ca-cycle-priv.py 2003-06-03 22:16:51.000000000 +0200
+@@ -44,11 +44,11 @@
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+ You may also use env variable OPENSSL_CONF.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ --issuecrls
+ Force issuing of new CRLs
+@@ -76,7 +76,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -84,7 +84,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ issuecrls = findoption(options,'--issuecrls')!=()
+
+diff -Naur pyca.orig/sbin/ca-cycle-pub.py pyca-20030602/sbin/ca-cycle-pub.py
+--- pyca.orig/sbin/ca-cycle-pub.py 2001-06-09 16:50:09.000000000 +0200
++++ pyca-20030602/sbin/ca-cycle-pub.py 2003-06-03 22:16:51.000000000 +0200
+@@ -41,11 +41,11 @@
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+ You may also use env variable OPENSSL_CONF.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ """ % (script_name,script_name))
+ if ErrorMsg:
+@@ -69,7 +69,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -77,7 +77,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ PrintUsage('Module directory %s not exists or not a directory.' % (pycalib))
+diff -Naur pyca.orig/sbin/ca-make.py pyca-20030602/sbin/ca-make.py
+--- pyca.orig/sbin/ca-make.py 2002-05-31 22:44:56.000000000 +0200
++++ pyca-20030602/sbin/ca-make.py 2003-06-03 22:16:51.000000000 +0200
+@@ -83,11 +83,11 @@
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+ You may also use env variable OPENSSL_CONF.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ """ % (script_name,script_name))
+ if ErrorMsg:
+@@ -111,7 +111,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -119,7 +119,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ PrintUsage('Module directory %s not exists or not a directory.' % (pycalib))
+diff -Naur pyca.orig/sbin/ca-revoke.py pyca-20030602/sbin/ca-revoke.py
+--- pyca.orig/sbin/ca-revoke.py 2001-05-18 12:17:21.000000000 +0200
++++ pyca-20030602/sbin/ca-revoke.py 2003-06-03 22:16:51.000000000 +0200
+@@ -36,12 +36,12 @@
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+ You may also use env variable OPENSSL_CONF.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+ You may also use env variable PYCALIB.
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ --name=[CA name]
+ Name of CA in section [ca] of OpenSSL config.
+@@ -71,7 +71,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -79,7 +79,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ PrintUsage('Module directory %s not exists or not a directory.' % (pycalib))
+diff -Naur pyca.orig/sbin/pickle-cnf.py pyca-20030602/sbin/pickle-cnf.py
+--- pyca.orig/sbin/pickle-cnf.py 2001-05-18 12:17:21.000000000 +0200
++++ pyca-20030602/sbin/pickle-cnf.py 2003-06-03 22:16:51.000000000 +0200
+@@ -34,12 +34,12 @@
+ --config=[pathname]
+ Pathname of OpenSSL configuration file.
+ You may also use env variable OPENSSL_CONF.
+- Default: /etc/openssl/openssl.cnf
++ Default: /etc/pyca/openssl.cnf
+
+ --pycalib=[directory]
+ Specify directory containing the pyCA modules
+ You may also use env variable PYCALIB.
+- Default: /usr/local/pyca/pylib
++ Default: /usr/share/pyca/pylib
+
+ """ % (script_name,script_name))
+ if ErrorMsg:
+@@ -63,7 +63,7 @@
+ if findoption(options,'--config')!=():
+ opensslcnfname = findoption(options,'--config')[1]
+ else:
+- opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
++ opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/pyca/openssl.cnf')
+
+ if not os.path.isfile(opensslcnfname):
+ PrintUsage('Config file %s not found.' % (opensslcnfname))
+@@ -71,7 +71,7 @@
+ if findoption(options,'--pycalib')!=():
+ pycalib = findoption(options,'--pycalib')[1]
+ else:
+- pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
++ pycalib = os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+
+ if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
+ PrintUsage('Module directory %s not exists or not a directory.' % (pycalib))
+--- pyca.orig/cgi-bin/pycacnf.py 2003-05-15 20:32:19.000000000 +0200
++++ pyca-20030602/cgi-bin/pycacnf.py 2003-06-12 06:15:35.000000000 +0200
+@@ -13,12 +13,11 @@
+
+ # Full pathname of OpenSSL configuration file,
+ # most times named openssl.cnf
+-cnf_filename = '/etc/openssl/openssl.cnf'
++cnf_filename = '/etc/pyca/openssl.cnf'
+
+ # List of additional module directories
+ pylib = [
+- os.environ.get('PYCALIB','/usr/local/pyca/pylib'),
+- '/home/michael/Proj/python/pyca/pylib'
++ os.environ.get('PYCALIB','/usr/share/pyca/pylib')
+ ]
+
+ ########################################################################
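Review bot: the pylib list still takes its entry from os.environ.get('PYCALIB', ...), and this file lives under cgi-bin, so the module import path of the CGI scripts depends on whatever environment the web server passes through; for the packaged install a fixed '/usr/share/pyca/pylib' is the safer default. The removal of the '/home/michael/Proj/python/pyca/pylib' entry takes a developer home directory out of the module search path and deserves a mention in the patch header, which currently describes only FHS changes.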
--- pyca-20031119.orig/debian/patches/00list
+++ pyca-20031119/debian/patches/00list
@@ -0,0 +1,3 @@
+01_debianization
+02_pep0263
+03_opensslexec
--- pyca-20031119.orig/debian/patches/03_opensslexec
+++ pyca-20031119/debian/patches/03_opensslexec
@@ -0,0 +1,156 @@
+#!/bin/sh -e
+## DP: Debian conformance patch for the Debian pyca-package
+## DP: This patch consists mainly of FHS (2.2) stuff
+## Copyright @ 2003 by Lars Bahner
+
+if [ $# -ne 1 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
+
+case "$1" in
+ -patch) patch $patch_opts -p1 < $0;;
+ -unpatch) patch $patch_opts -p1 -R < $0;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+diff -Naur pyca-20031118/bin/ca2ldif.py pyca-20031118.New/bin/ca2ldif.py
+--- pyca-20031118/bin/ca2ldif.py 2002-02-20 17:41:22.000000000 +0000
++++ pyca-20031118.New/bin/ca2ldif.py 2008-08-24 18:43:18.000000000 +0000
+@@ -110,7 +110,7 @@
+ create_crls = findoption(options,'--crl')!=()
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ sys.stderr.write('Did not find OpenSSL executable %s.\n' % (openssl.bin_filename))
+ sys.exit(1)
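Review bot: the script header above this first hunk still carries the description copied from 01_debianization ("This patch consists mainly of FHS (2.2) stuff", copyright 2003), while the hunks in this file only change the OpenSSLExec fallback and are dated 2008; update the "## DP:" lines so the patch describes itself correctly. The new fallback matches the OpenSSLExec = /usr/bin/openssl value in the packaged openssl.cnf.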
+diff -Naur pyca-20031118/bin/certs2ldap.py pyca-20031118.New/bin/certs2ldap.py
+--- pyca-20031118/bin/certs2ldap.py 2002-05-31 20:08:02.000000000 +0000
++++ pyca-20031118.New/bin/certs2ldap.py 2008-08-24 18:43:18.000000000 +0000
+@@ -178,7 +178,7 @@
+ delete_reason = {openssl.db.DB_TYPE_EXP:'expired',openssl.db.DB_TYPE_REV:'revoked'}
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ sys.stderr.write('Did not find OpenSSL executable %s.\n' % (openssl.bin_filename))
+ sys.exit(1)
+diff -Naur pyca-20031118/bin/copy-cacerts.py pyca-20031118.New/bin/copy-cacerts.py
+--- pyca-20031118/bin/copy-cacerts.py 2001-05-18 10:17:17.000000000 +0000
++++ pyca-20031118.New/bin/copy-cacerts.py 2008-08-24 18:43:18.000000000 +0000
+@@ -112,7 +112,7 @@
+ opensslcnf=openssl.cnf.OpenSSLConfigClass(opensslcnfname)
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+
+ if findoption(options,'--certfile')!=():
+ certfilename = findoption(options,'--certfile')[1]
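Review bot: unlike the ca2ldif.py and certs2ldap.py hunks, the visible context after the changed line in copy-cacerts.py goes straight on to the --certfile handling with no os.path.isfile(openssl.bin_filename) check, so a wrong OpenSSLExec value would surface only when the binary is first invoked. Add the same existence check here, and in ns-jsconfig.py, whose hunk has the same shape. Since the path is read from the config file and then executed, also checking that it is an absolute path to a regular file is worthwhile.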
+diff -Naur pyca-20031118/bin/ns-jsconfig.py pyca-20031118.New/bin/ns-jsconfig.py
+--- pyca-20031118/bin/ns-jsconfig.py 2001-05-18 10:17:17.000000000 +0000
++++ pyca-20031118.New/bin/ns-jsconfig.py 2008-08-24 18:43:18.000000000 +0000
+@@ -108,7 +108,7 @@
+ opensslcnf=openssl.cnf.OpenSSLConfigClass(opensslcnfname)
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+
+ if findoption(options,'--nssecconf')!=():
+ nssecconf = open(findoption(options,'--nssecconf')[1],'w')
+diff -Naur pyca-20031118/bin/print-cacerts.py pyca-20031118.New/bin/print-cacerts.py
+--- pyca-20031118/bin/print-cacerts.py 2001-07-05 18:16:59.000000000 +0000
++++ pyca-20031118.New/bin/print-cacerts.py 2008-08-24 18:43:18.000000000 +0000
+@@ -102,7 +102,7 @@
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ PrintUsage('Did not find OpenSSL executable %s.' % (openssl.bin_filename))
+
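Review bot: in the context after the changed line a missing binary is reported through `PrintUsage(...)`, which by its name treats the problem as a command-line mistake, although the cause is the `OpenSSLExec` setting or the installation. As a follow-up, write the message to stderr and exit non-zero as certs2ldap.py does, and name the `OpenSSLExec` option in the message so the administrator knows which setting to fix.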
+diff -Naur pyca-20031118/htdocs/config.html pyca-20031118.New/htdocs/config.html
+--- pyca-20031118/htdocs/config.html 2001-08-23 18:30:24.000000000 +0000
++++ pyca-20031118.New/htdocs/config.html 2008-08-24 18:43:18.000000000 +0000
+@@ -108,7 +108,7 @@
+ OpenSSLExec
+
+
+- Full pathname of the openssl executable (default /usr/local/ssl/bin/openssl).
++ Full pathname of the openssl executable (default /usr/bin/openssl).
+
+
+ CaFixExec
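Review bot: the documentation line changed here promises a "Full pathname", but the scripts in this patch accept whatever `OpenSSLExec` holds as long as `os.path.isfile` succeeds, so a relative value would be resolved against the current working directory of whoever runs the tool. Either enforce `os.path.isabs` next to the existing check or state in this text that relative paths are not supported. The documented default and the code default now agree on /usr/bin/openssl, which is correct.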
+diff -Naur pyca-20031118/sbin/ca-certreq-mail.py pyca-20031118.New/sbin/ca-certreq-mail.py
+--- pyca-20031118/sbin/ca-certreq-mail.py 2003-10-21 06:49:48.000000000 +0000
++++ pyca-20031118.New/sbin/ca-certreq-mail.py 2008-08-24 18:43:18.000000000 +0000
+@@ -100,7 +100,7 @@
+ logfile_name = pyca_section.get('caCertConfirmReqLog','/var/log/pyca/ca-certreq-mail.out')
+ logfile = open(logfile_name,'a')
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ LogWrite(logfile,'Error',None,'Did not find OpenSSL executable %s.' % (openssl.bin_filename))
+
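Review bot: in the context after the changed line the failure branch calls `LogWrite(logfile,'Error',...)` and the hunk shows no `sys.exit` following it, unlike the certs2ldap.py and ca-revoke.py hunks. Please confirm that the script stops on this error, either inside `LogWrite` or further down; otherwise it carries on with an OpenSSL path it has just found to be missing.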
+diff -Naur pyca-20031118/sbin/ca-cycle-priv.py pyca-20031118.New/sbin/ca-cycle-priv.py
+--- pyca-20031118/sbin/ca-cycle-priv.py 2001-06-09 18:52:53.000000000 +0000
++++ pyca-20031118.New/sbin/ca-cycle-priv.py 2008-08-24 18:43:18.000000000 +0000
+@@ -115,7 +115,7 @@
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ PrintUsage('Did not find OpenSSL executable %s.' % (openssl.bin_filename))
+
+diff -Naur pyca-20031118/sbin/ca-cycle-pub.py pyca-20031118.New/sbin/ca-cycle-pub.py
+--- pyca-20031118/sbin/ca-cycle-pub.py 2001-06-09 14:50:09.000000000 +0000
++++ pyca-20031118.New/sbin/ca-cycle-pub.py 2008-08-24 18:43:18.000000000 +0000
+@@ -111,7 +111,7 @@
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ PrintUsage('Did not find OpenSSL executable %s.' % (openssl.bin_filename))
+
+diff -Naur pyca-20031118/sbin/ca-make.py pyca-20031118.New/sbin/ca-make.py
+--- pyca-20031118/sbin/ca-make.py 2002-05-31 20:44:56.000000000 +0000
++++ pyca-20031118.New/sbin/ca-make.py 2008-08-24 18:43:18.000000000 +0000
+@@ -148,7 +148,7 @@
+
+ pyca_section = opensslcnf.data.get('pyca',{})
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ PrintUsage('Did not find OpenSSL executable %s.' % (openssl.bin_filename))
+
+diff -Naur pyca-20031118/sbin/ca-revoke.py pyca-20031118.New/sbin/ca-revoke.py
+--- pyca-20031118/sbin/ca-revoke.py 2001-05-18 10:17:21.000000000 +0000
++++ pyca-20031118.New/sbin/ca-revoke.py 2008-08-24 18:43:18.000000000 +0000
+@@ -114,7 +114,7 @@
+ pyca_section = opensslcnf.data.get('pyca',{})
+ ca_names = opensslcnf.sectionkeys.get('ca',[])
+
+-openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
++openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')
+ if not os.path.isfile(openssl.bin_filename):
+ sys.stderr.write('Did not find OpenSSL executable %s.\n' % (openssl.bin_filename))
+ sys.exit(1)
--- pyca-20031119.orig/debian/patches/02_pep0263
+++ pyca-20031119/debian/patches/02_pep0263
@@ -0,0 +1,113 @@
+#!/bin/sh -e
+## DP: Debian conformance patch for the Debian pyca-package
+## DP: This patch consists mainly of FHS (2.2) stuff
+## Copyright @ 2003 by Lars Bahner
+
+if [ $# -ne 1 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
+
+case "$1" in
+ -patch) patch $patch_opts -p1 < $0;;
+ -unpatch) patch $patch_opts -p1 -R < $0;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
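Review bot: the `## DP:` lines in this header still describe a "Debian conformance patch" that "consists mainly of FHS (2.2) stuff", with a 2003 copyright line, but the file is named 02_pep0263 and every hunk visible below only adds a `coding` line. Update the description to say that the patch declares the source encoding per PEP 263, since the DP lines are what a maintainer reads when listing the patches.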
+diff -Naur pyca-20031118/cgi-bin/browser-check.py pyca-20031118.new/cgi-bin/browser-check.py
+--- pyca-20031118/cgi-bin/browser-check.py 2001-08-26 17:32:58.000000000 +0000
++++ pyca-20031118.new/cgi-bin/browser-check.py 2008-08-24 18:49:26.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ browser-check.py
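Review bot: the line added after the shebang asserts ISO-8859-15, but nothing in this hunk shows which non-ASCII bytes the file actually contains, and a wrong declaration silences the interpreter's warning while mis-decoding those bytes. Please confirm the encoding file by file, by inspecting the non-ASCII lines, before applying the identical line to all the CGI scripts. The placement on line 2 satisfies PEP 263's first-or-second-line rule.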
+diff -Naur pyca-20031118/cgi-bin/ca-index.py pyca-20031118.new/cgi-bin/ca-index.py
+--- pyca-20031118/cgi-bin/ca-index.py 2001-06-09 14:49:59.000000000 +0000
++++ pyca-20031118.new/cgi-bin/ca-index.py 2008-08-24 18:49:31.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ ca-index.py
+diff -Naur pyca-20031118/cgi-bin/cert-query.py pyca-20031118.new/cgi-bin/cert-query.py
+--- pyca-20031118/cgi-bin/cert-query.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/cert-query.py 2008-08-24 18:49:35.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ cert-query.py
+diff -Naur pyca-20031118/cgi-bin/client-enroll.py pyca-20031118.new/cgi-bin/client-enroll.py
+--- pyca-20031118/cgi-bin/client-enroll.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/client-enroll.py 2008-08-24 18:49:39.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ client-enroll.py - certificate enrollment with mainstream web browsers
+diff -Naur pyca-20031118/cgi-bin/get-cert.py pyca-20031118.new/cgi-bin/get-cert.py
+--- pyca-20031118/cgi-bin/get-cert.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/get-cert.py 2008-08-24 18:49:43.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ get-cert.py
+diff -Naur pyca-20031118/cgi-bin/ns-check-rev.py pyca-20031118.new/cgi-bin/ns-check-rev.py
+--- pyca-20031118/cgi-bin/ns-check-rev.py 2001-01-14 21:35:17.000000000 +0000
++++ pyca-20031118.new/cgi-bin/ns-check-rev.py 2008-08-24 18:49:47.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ ns-check-rev.py
+diff -Naur pyca-20031118/cgi-bin/ns-revoke.py pyca-20031118.new/cgi-bin/ns-revoke.py
+--- pyca-20031118/cgi-bin/ns-revoke.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/ns-revoke.py 2008-08-24 18:49:53.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ ns-revoke.py
+diff -Naur pyca-20031118/cgi-bin/scep.py pyca-20031118.new/cgi-bin/scep.py
+--- pyca-20031118/cgi-bin/scep.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/scep.py 2008-08-24 18:50:22.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ scep.py - Cisco System's Simple Certificate Enrollment Protocol
+diff -Naur pyca-20031118/cgi-bin/view-cert.py pyca-20031118.new/cgi-bin/view-cert.py
+--- pyca-20031118/cgi-bin/view-cert.py 2003-10-21 06:47:02.000000000 +0000
++++ pyca-20031118.new/cgi-bin/view-cert.py 2008-08-24 18:50:26.000000000 +0000
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python
++# -*- coding: iso-8859-15 -*-
+
+ """
+ view-cert.py
+diff -Naur pyca-20031118/pylib/openssl/cnf.py pyca-20031118.newe/pylib/openssl/cnf.py
+--- pyca-20031118/pylib/openssl/cnf.py 2001-05-17 17:23:49.000000000 +0000
++++ pyca-20031118.newe/pylib/openssl/cnf.py 2008-08-24 19:28:04.000000000 +0000
+@@ -1,3 +1,4 @@
++# -*- coding: iso-8859-15 -*-
+ #######################################################################
+ # openssl.cnf.py
+ # (c) by Michael Stroeder, michael.stroeder@propack-data.de
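Review bot: the `diff` and `+++` header lines for this file use `pyca-20031118.newe` where the other hunks use `pyca-20031118.new`. With `-p1` the first path component is stripped, so the hunk still applies, but regenerating the whole patch from a single tree would keep the headers consistent and show that all hunks were produced against the same source. The coding line is added as line 1 here because the file has no shebang, which PEP 263 permits.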