[RndTbl] Neat trick... passing _environment variables_ to openssl.

Sean Cody sean at tinfoilhat.ca
Mon Jul 23 12:51:58 CDT 2012


A neat trick with OpenSSL is that a bunch of its arguments can
be substituted with environment variables.  Now you may be thinking,
"yeah, they call it scripting" but the reality is a bit more subtle.
For instance, say you want to pass credentials to a chain of openssl
commands.  You can substitute the credential in your script, but the
credential then ends up in logs (i.e. when using sudo) or in the process
list, thereby exposing the credentials to the untrained eye.

With this option you tell openssl 'for this value, look up the
environment variable X', so upon invocation your command string shows
only the variable name and not the credential.

Here is an example script which illustrates this by dumping the
contents of a whack load of PKCS12 certificate stores.

Note the passwords for import and keys are passed in without exposing 
the credentials outside of the process environment.

Pretty slick bit of functionality.

#!/bin/sh
# Usage: ./check_certificates.sh 2>/dev/null | grep 'CN\=.*example\.com$'
#   (dump the certificates and grab the .gwl.bz hostnames from the CNs)
PACKAGE_FOLDER=packages/
EXPORT_PASSWORD="ZOMGWTFBBQ^2!"

# Only the variable *name* appears in openssl's argv; the value stays in the environment.
export EXPORT_PASSWORD
for HOST in $(cat hosts.txt); do
        # Show contents of the PKCS12 package; don't care if it's named .p12 or .pfx.
        openssl pkcs12 -info -in "${PACKAGE_FOLDER}/${HOST}".p* \
                -passin env:EXPORT_PASSWORD -passout env:EXPORT_PASSWORD
done

# Not _entirely_ necessary but never hurts.
EXPORT_PASSWORD=""
export EXPORT_PASSWORD
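As an added example (not part of the original post), the script below builds a throwaway PKCS12 store in a temp directory and then opens it with each of OpenSSL's non-argv pass phrase sources, going beyond the post's env: case to the file: and fd: forms as well; only the variable name, file path or descriptor number ever appears on the command line. It assumes openssl is in PATH; the temp file names, the CN and the sample secret are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: exercise openssl's env:, file: and fd: pass phrase sources
# against a constructed PKCS12 store. Nothing here is from the original post.
set -eu

WORK=$(mktemp -d)                  # scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

P12_PASSWORD='ZOMGWTFBBQ^2!'       # constructed sample secret, lives only in the environment
export P12_PASSWORD

# Create a self-signed key+cert and pack them into a PKCS12 store.
# -passout env: means the export password never appears in argv either.
make_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=host01.example.com' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/host01.p12" -passout env:P12_PASSWORD
}

# Print the subject CN of the certificate inside the store, unlocking it
# with the given -passin source spec ($1), e.g. env:P12_PASSWORD.
cn_from_store() {
    openssl pkcs12 -in "$WORK/host01.p12" -nokeys -clcerts -passin "$1" 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Open the store via each source; returns "ok" only if all three work.
check_passphrase_sources() {
    make_store
    printf '%s' "$P12_PASSWORD" > "$WORK/pass.txt"   # file: source, owner-only perms
    chmod 600 "$WORK/pass.txt"
    [ "$(cn_from_store env:P12_PASSWORD)" = "host01.example.com" ] \
        || { echo "env: source failed"; return 1; }
    [ "$(cn_from_store "file:$WORK/pass.txt")" = "host01.example.com" ] \
        || { echo "file: source failed"; return 1; }
    # fd:3 reads the pass phrase from an inherited descriptor opened by the caller.
    [ "$(cn_from_store fd:3 3< "$WORK/pass.txt")" = "host01.example.com" ] \
        || { echo "fd: source failed"; return 1; }
    echo ok
}
```

With pass:... in place of any of these, the secret would be visible to every local user via the process list for the lifetime of the openssl process.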


-- 
Sean
