Revision 1.13 - (hide annotations) (download)
Fri Dec 28 17:48:34 2007 UTC (6 years, 7 months ago) by ulm
Branch: MAIN
Changes since 1.12: +32 -7 lines
Sync eclasses from Emacs overlay (revision 894).

elisp-common.eclass:
Install packages' site-init files in site-gentoo.d subdirectory.
Update documentation and einfo messages accordingly.

1 vapier 1.5 # Copyright 1999-2004 Gentoo Foundation
2 max 1.1 # Distributed under the terms of the GNU General Public License v2
3 ulm 1.13 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.12 2007/12/09 08:09:56 ulm Exp $
4 max 1.1 #
5 ulm 1.13 # @ECLASS: ssl-cert.eclass
6     # @MAINTAINER:
7 max 1.1 # Author: Max Kalika <max@gentoo.org>
8 ulm 1.13 # @BLURB: Eclass for SSL certificates
9     # @DESCRIPTION:
# This eclass implements a standard procedure for generating and installing
# self-signed SSL certificates: a throwaway CA is created in ${T} and one
# CA-signed server certificate is issued per requested path.
12 ulm 1.13 # @EXAMPLE:
13     # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
14 max 1.1
# Conditionally depend on OpenSSL: allows inheritance
# without pulling extra packages if not needed.
# NOTE(review): the helpers below run /usr/bin/openssl unconditionally, so an
# ebuild that calls install_cert/docert without USE=ssl must depend on
# dev-libs/openssl itself. install_cert is restricted to the pkg_* phases
# (see its phase check), where a DEPEND-only dependency presumably does not
# guarantee openssl is present on ROOT (e.g. binary package install) --
# consider RDEPEND; confirm against the package manager in use.
DEPEND="ssl? ( dev-libs/openssl )"
IUSE="ssl"
19 max 1.1
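# @FUNCTION: gen_cnf
# @USAGE:
# @DESCRIPTION:
# Initializes the SSL_* variables, writes the OpenSSL request
# configuration file and creates the CA serial file.
# SSL_CONF, SSL_SERIAL and SSL_RANDOM are always (re)set; every other
# SSL_* variable keeps the value the ebuild assigned and otherwise gets
# the default below. Returns non-zero if either file could not be written.
#
# Access: private
gen_cnf() {
	# Location of the config file (the PID keeps parallel runs apart)
	SSL_CONF="${T}/${$}ssl.cnf"
	# Location of the CA serial file, consumed by "openssl x509 -CAserial"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Extra seed material handed to "openssl genrsa -rand". These files are
	# low-entropy and partly predictable, so they can only ever supplement
	# OpenSSL's own seeding from the OS RNG, never replace it.
	# NOTE(review): the original rationale for not listing /dev/urandom here
	# ("doesn't work properly on all platforms") cannot be verified from this
	# file; confirm the OpenSSL build in use self-seeds from the OS RNG before
	# trusting keys generated on an exotic platform.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# These can be overridden in the ebuild
	SSL_DAYS="${SSL_DAYS:-730}"
	# Default key size is 2048 bits: 1024-bit RSA is below current minimum
	# recommendations. Ebuilds that need another size set SSL_BITS.
	SSL_BITS="${SSL_BITS:-2048}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Create the CA serial file; an unwritable ${T} is an error, not a warning
	printf '%s\n' "01" > "${SSL_SERIAL}" || return 1

	# Create the config file. The SSL_* values are interpolated verbatim
	# (a newline in one of them would inject further directives), so they
	# must come from the ebuild, never from untrusted input.
	ebegin "Generating OpenSSL configuration"
	cat <<-EOF > "${SSL_CONF}"
	[ req ]
	prompt = no
	default_bits = ${SSL_BITS}
	distinguished_name = req_dn
	[ req_dn ]
	C = ${SSL_COUNTRY}
	ST = ${SSL_STATE}
	L = ${SSL_LOCALITY}
	O = ${SSL_ORGANIZATION}
	OU = ${SSL_UNIT}
	CN = ${SSL_COMMONNAME}
	emailAddress = ${SSL_EMAIL}
	EOF
	eend $?

	return $?
}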
70    
# @FUNCTION: get_base
# @USAGE: [if_ca]
# @RETURN: <base path>
# @DESCRIPTION:
# Prints the extension-less path prefix under ${T} used for the generated
# files: the CA prefix when any non-empty argument is given, the server
# prefix otherwise. The PID is embedded so that concurrent runs sharing
# a ${T} do not collide. Callers create the CA prefix once and reuse the
# server prefix for every requested certificate.
#
# Access: private
get_base() {
	local which=server
	if [ -n "${1}" ] ; then
		which=ca
	fi
	printf '%s\n' "${T}/${$}${which}"
}
86    
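# @FUNCTION: gen_key
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates an RSA private key of SSL_BITS bits into "<base>.key", where
# <base> is the CA prefix from get_base when an argument is given and the
# server prefix otherwise. SSL_RANDOM is passed as additional seed material.
# The key is written under umask 077 so it is never world-readable on
# disk regardless of the permissions of ${T}; the installing function sets
# the final mode (0400). Returns the status of "openssl genrsa".
#
# Access: private
gen_key() {
	local base
	base=$(get_base "${1}")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# Subshell so the restrictive umask does not leak into the caller
	(
		umask 077
		/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
			-out "${base}.key" "${SSL_BITS}"
	) &> /dev/null
	eend $?

	return $?
}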
102    
# @FUNCTION: gen_csr
# @USAGE: [if_ca]
# @DESCRIPTION:
# Creates the certificate signing request "<base>.csr" from the private
# key "<base>.key" produced by gen_key, taking the subject from SSL_CONF.
# <base> is the CA or the server prefix from get_base, depending on
# whether an argument was given. Returns the status of "openssl req".
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "${1}")
	local key="${base}.key" csr="${base}.csr"
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -new -config "${SSL_CONF}" \
		-key "${key}" -out "${csr}" &>/dev/null
	eend $?

	return $?
}
119    
# @FUNCTION: gen_crt
# @USAGE: [if_ca]
# @DESCRIPTION:
# Issues "<base>.crt" from "<base>.csr", valid for SSL_DAYS days.
# With an argument the CA request is self-signed with the CA key;
# without one the server request is signed by the CA certificate and
# key created earlier, using SSL_SERIAL as the serial file.
# NOTE(review): SSL_CONF as written by gen_cnf contains only the [ req ]
# and [ req_dn ] sections, so "-extfile" presumably adds no extensions:
# the CA certificate carries no basicConstraints and the server
# certificate no subjectAltName, which modern clients may reject --
# confirm against the OpenSSL version in use.
# Returns the status of "openssl x509".
#
# Access: private
gen_crt() {
	local base ca
	local -a sign_opts
	base=$(get_base "${1}")
	if [ -n "${1}" ] ; then
		ebegin "Generating self-signed X.509 Certificate for CA"
		sign_opts=( -signkey "${base}.key" )
	else
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		sign_opts=( -CAserial "${SSL_SERIAL}" -CAkey "${ca}.key" -CA "${ca}.crt" )
	fi
	/usr/bin/openssl x509 -extfile "${SSL_CONF}" -days "${SSL_DAYS}" -req \
		"${sign_opts[@]}" -in "${base}.csr" -out "${base}.crt" &>/dev/null
	eend $?

	return $?
}
148    
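# @FUNCTION: gen_pem
# @USAGE: [if_ca]
# @DESCRIPTION:
# Writes "<base>.pem" containing the private key from gen_key, a blank
# line, and the certificate from gen_crt. Because the PEM embeds the
# private key it is created under umask 077. A failure to read either
# input file is reported as the function's status (the three commands
# are chained with &&, so the status is no longer that of the last cat
# alone).
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "${1}")
	ebegin "Generating PEM Certificate"
	# Subshell keeps the umask change local to this step
	(
		umask 077
		{ cat "${base}.key" && echo && cat "${base}.crt"; } > "${base}.pem"
	)
	eend $?

	return $?
}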
164    
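# Deprecated: generates a throwaway CA plus one CA-signed certificate per
# requested name and installs them into ${D}${INSDESTTREE} with newins.
# Use install_cert instead (bug #174759); this function is kept only for
# ebuilds that still call it.
# NOTE(review): the bug text is not visible here. The likely problem is that
# files installed into ${D} become part of the package image and hence of
# binary packages, so every host installing the same binpkg would share one
# private key -- confirm against the bug.
# Each argument is reduced to its basename; a name whose key, crt or pem
# already exists in the image is skipped with a warning.
# Returns 1 without arguments, if gen_cnf or the CA setup fails, or if no
# certificate at all could be generated; otherwise 0, with a warning when
# only some of the requested certificates were generated.
#
# Access: public
docert() {
	ewarn "Function \"docert\" is deprecated for security reasons."
	ewarn "\"install_cert\" should be used instead. See bug #174759."

	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	# Keep the loop variables out of the ebuild's global environment
	local cert type base count=0
	for cert in "$@" ; do
		# Sanitize and check the requested certificate
		cert="$(/usr/bin/basename "${cert}")"
		if [ -z "${cert}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Check for previous existence of generated files
		for type in key crt pem ; do
			if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then
				ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions: the key and
		# the PEM (which embeds the key) are readable by the owner only
		base=$(get_base)
		newins "${base}.key" "${cert}.key"
		fperms 0400 "${INSDESTTREE}/${cert}.key"
		newins "${base}.csr" "${cert}.csr"
		fperms 0444 "${INSDESTTREE}/${cert}.csr"
		newins "${base}.crt" "${cert}.crt"
		fperms 0444 "${INSDESTTREE}/${cert}.crt"
		newins "${base}.pem" "${cert}.pem"
		fperms 0400 "${INSDESTTREE}/${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status. A numeric compare is required here: "[ ! ${count} ]"
	# is never true for a number, so an empty result used to return 0.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}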
234 ulm 1.10
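# @FUNCTION: install_cert
# @USAGE: <certificates>
# @DESCRIPTION:
# Uses all the private functions above to generate a throwaway CA and one
# CA-signed server certificate per requested path, and installs them.
# <certificates> are full pathnames relative to ROOT, without extension
# (e.g. "/etc/ssl/foo"). A name with an empty basename is skipped; a name
# containing no "/" is not supported, because its directory part would be
# the name itself.
# Files are written directly under ${ROOT}, never into ${D}, and only from
# the pkg_* phases: the function refuses to run in unpack, compile, test
# and install. NOTE(review): presumably so that private keys never enter
# the package image (and thus binary packages) -- see bug #174759.
# Existing .key/.csr/.crt/.pem files are never overwritten; such a name is
# skipped with a warning. Key and PEM are installed mode 0400 (they hold
# the private key), CSR and certificate 0444. A name whose install step
# fails is not counted.
# Returns 1 on usage error, wrong phase, failed CA setup, or if no
# certificate at all was generated; otherwise 0, with a warning when only
# some were generated.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# Access: public
install_cert() {
	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Only the pkg_* phases may write to ROOT
	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	# Keep the loop variables out of the ebuild's global environment
	local cert type base count=0
	for cert in "$@" ; do
		# Check the requested certificate: reject an empty basename
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Check for previous existence of generated files
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions; a failed
		# install leaves the name uncounted so the final warning fires
		base=$(get_base)
		install -d "${ROOT}${cert%/*}" \
			&& install -m0400 "${base}.key" "${ROOT}${cert}.key" \
			&& install -m0444 "${base}.csr" "${ROOT}${cert}.csr" \
			&& install -m0444 "${base}.crt" "${ROOT}${cert}.crt" \
			&& install -m0400 "${base}.pem" "${ROOT}${cert}.pem" \
			|| continue
		count=$((count + 1))
	done

	# Resulting status. A numeric compare is required here: "[ ! ${count} ]"
	# is never true for a number, so an empty result used to return 0.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}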
