Revision 1.10 - (hide annotations) (download)
Fri Dec 7 22:41:04 2007 UTC (6 years, 7 months ago) by ulm
Branch: MAIN
Changes since 1.9: +70 -1 lines
New function install_cert, replaces docert. Bug #174759.

1 vapier 1.5 # Copyright 1999-2004 Gentoo Foundation
2 max 1.1 # Distributed under the terms of the GNU General Public License v2
3 ulm 1.10 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.9 2005/07/11 15:08:06 swegener Exp $
4 max 1.1 #
5     # Author: Max Kalika <max@gentoo.org>
6     #
7     # This eclass implements standard installation procedure for installing
8     # self-signed SSL certificates.
9    
# Conditionally depend on OpenSSL: allows inheritance
# without pulling extra packages if not needed.
# NOTE: the helpers below call /usr/bin/openssl unconditionally, so an
# ebuild that invokes them must make sure USE=ssl (or an unconditional
# openssl dependency) is in effect.
DEPEND="ssl? ( dev-libs/openssl )"
IUSE="ssl"
14 max 1.1
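# Initializes variables and generates the needed
# OpenSSL configuration file and a CA serial file.
#
# Globals (read):    T, plus any SSL_* variable pre-set by the ebuild
# Globals (written): SSL_CONF, SSL_SERIAL, SSL_RANDOM, SSL_DAYS, SSL_BITS,
#                    SSL_COUNTRY, SSL_STATE, SSL_LOCALITY, SSL_ORGANIZATION,
#                    SSL_UNIT, SSL_COMMONNAME, SSL_EMAIL
# Returns: status of eend, i.e. whether the config file could be written
#
# Access: private
gen_cnf() {
	# Per-process locations under ${T} (${$} is the shell's PID): the
	# OpenSSL config file and the CA serial file.
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Files passed to 'openssl -rand' as extra seed material: don't use
	# /dev/u?random here -- doesn't work properly on all platforms.
	# These files are largely predictable, so they are only a supplement
	# to whatever entropy openssl gathers by itself, never a replacement.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# These can be overridden in the ebuild.
	# Fix: SSL_DAYS used to default from SSL_BITS, so an ebuild that set
	# SSL_BITS silently got a certificate lifetime of that many days.
	SSL_DAYS="${SSL_DAYS:-730}"
	# 1024-bit RSA is below today's minimum key sizes; anything beyond a
	# throwaway test certificate should override this in the ebuild.
	SSL_BITS="${SSL_BITS:-1024}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Create the CA serial file
	echo "01" > "${SSL_SERIAL}"

	# Create the config file (only a [req] section; no extensions are
	# defined here)
	ebegin "Generating OpenSSL configuration"
	cat <<EOF > "${SSL_CONF}"
[ req ]
prompt = no
default_bits = ${SSL_BITS}
distinguished_name = req_dn
[ req_dn ]
C = ${SSL_COUNTRY}
ST = ${SSL_STATE}
L = ${SSL_LOCALITY}
O = ${SSL_ORGANIZATION}
OU = ${SSL_UNIT}
CN = ${SSL_COMMONNAME}
emailAddress = ${SSL_EMAIL}
EOF
	eend $?
}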
62    
# Simple function to determine whether we're creating
# a CA (which should only be done once) or final part.
#
# Arguments: $1 - any non-empty value selects the CA file prefix
# Outputs:   the per-process path prefix (no extension) on stdout
#
# Access: private
get_base() {
	local suffix
	if [ -n "${1}" ] ; then
		suffix=ca
	else
		suffix=server
	fi
	echo "${T}/${$}${suffix}"
}
74    
# Generates an RSA key of SSL_BITS bits into <base>.key.
#
# Arguments: $1 - non-empty for the CA key, empty for the server key
# Globals:   SSL_BITS, SSL_RANDOM (read)
# Returns:   status of eend (openssl's exit status)
#
# Access: private
gen_key() {
	local base
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# openssl's own output is discarded; only the exit status is reported
	/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
		-out "${base}.key" "${SSL_BITS}" &> /dev/null
	eend $?
}
87    
# Generates a certificate signing request (<base>.csr) using
# the key made by gen_key() and the config written by gen_cnf().
#
# Arguments: $1 - non-empty for the CA request, empty for the server one
# Globals:   SSL_CONF (read)
# Returns:   status of eend (openssl's exit status)
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -config "${SSL_CONF}" -new \
		-key "${base}.key" -out "${base}.csr" &>/dev/null
	eend $?
}
101    
# Generates either a self-signed CA certificate using
# the csr and key made by gen_csr() and gen_key(), or
# a server certificate signed by the CA cert previously
# created by gen_crt().
#
# Arguments: $1 - non-empty to create the CA certificate
# Globals:   SSL_CONF, SSL_DAYS, SSL_SERIAL (read)
# Returns:   status of eend (openssl's exit status)
#
# Access: private
gen_crt() {
	local base
	base=$(get_base "$1")
	if [ -n "${1}" ] ; then
		ebegin "Generating self-signed X.509 Certificate for CA"
		/usr/bin/openssl x509 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -req -signkey "${base}.key" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	else
		# NOTE(review): the config from gen_cnf defines no extensions
		# section, so the server cert presumably carries no SAN -- confirm
		# before relying on it with clients that ignore the CN.
		local ca
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		/usr/bin/openssl x509 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -req -CAserial "${SSL_SERIAL}" \
			-CAkey "${ca}.key" -CA "${ca}.crt" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	fi
	eend $?
}
127    
# Generates a PEM bundle (<base>.pem) by concatenating the key
# and cert files created by gen_key() and gen_crt().
# The bundle contains the private key, so it must be installed
# with the same restrictive mode as the key itself.
#
# Arguments: $1 - non-empty for the CA prefix, empty for the server one
# Returns:   status of eend (status of the final cat)
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "$1")
	ebegin "Generating PEM Certificate"
	{
		cat "${base}.key"
		echo
		cat "${base}.crt"
	} > "${base}.pem"
	eend $?
}
140    
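# Uses all the private functions above to generate
# and install the requested certificates into the image
# directory (${D}${INSDESTTREE}) via newins/fperms.
# Note: This function is deprecated, use install_cert instead
#
# Arguments: one or more certificate names (directory parts are stripped)
# Globals:   D, INSDESTTREE (read)
# Returns:   1 when no argument is given, when setup fails or when no
#            certificate at all was generated; 0 otherwise (a warning is
#            printed when only some were generated)
#
# Access: public
docert() {
	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	local count=0 cert type base
	for cert in "$@" ; do
		# Sanitize and check the requested certificate
		cert=$(/usr/bin/basename "${cert}")
		if [ -z "${cert}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never overwrite files already staged in the image: an existing
		# key there may be a real one shipped by the package itself.
		for type in key crt pem ; do
			if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then
				ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions: anything
		# containing the private key (key, pem) is owner-read-only.
		base=$(get_base)
		newins "${base}.key" "${cert}.key"
		fperms 0400 "${INSDESTTREE}/${cert}.key"
		newins "${base}.csr" "${cert}.csr"
		fperms 0444 "${INSDESTTREE}/${cert}.csr"
		newins "${base}.crt" "${cert}.crt"
		fperms 0444 "${INSDESTTREE}/${cert}.crt"
		newins "${base}.pem" "${cert}.pem"
		fperms 0400 "${INSDESTTREE}/${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status.  Fix: the old test '[ ! ${count} ]' only asked
	# whether the string "0" was empty, so it never fired and a run that
	# generated nothing still returned success.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
}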
207 ulm 1.10
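# Uses all the private functions above to generate
# and install the requested certificates directly under ${ROOT},
# i.e. into the live filesystem.  Because of that it must only be
# called from pkg_* phases (postinst, config, ...), never from the
# src_* build phases.
#
# Arguments: one or more certificate paths relative to ${ROOT}, without
#            extension (e.g. /etc/ssl/apache2/server); a name ending in
#            '/' is rejected
# Globals:   ROOT, EBUILD_PHASE (read)
# Returns:   1 when no argument is given, when called in a src_* phase,
#            when setup fails or when no certificate at all was
#            generated; 0 otherwise (a warning is printed when only some
#            were generated)
#
# Access: public
install_cert() {
	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Refuse to touch ${ROOT} from any src_* phase (prepare/configure
	# added for EAPI 2).
	case ${EBUILD_PHASE} in
		unpack|prepare|configure|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	local count=0 cert type base
	for cert in "$@" ; do
		# Check the requested certificate (reject a bare directory)
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never overwrite existing files: a key already present under
		# ${ROOT} may be a real one provisioned by the administrator, and
		# replacing it on re-merge would silently break the service.
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions: anything
		# containing the private key (key, pem) is owner-read-only.
		base=$(get_base)
		# Fix: only create the parent directory when the name has one;
		# for a bare name ${cert%/*} is the name itself and the old code
		# left a stray empty directory next to the files.
		if [ "${cert%/*}" != "${cert}" ] ; then
			install -d "${ROOT}${cert%/*}"
		fi
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status.  Fix: the old test '[ ! ${count} ]' only asked
	# whether the string "0" was empty, so it never fired and a run that
	# generated nothing still returned success.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
}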
