Replace "docert" function by dummy, bug 174759.

# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.14 2007/12/28 17:51:03 ulm Exp $
#
# Author: Max Kalika <max@gentoo.org>
#
# This eclass implements the standard procedure for generating and
# installing self-signed SSL certificates (a throwaway CA plus one
# server certificate per requested path).

# OpenSSL is only pulled in when the "ssl" USE flag is enabled, so an
# ebuild can inherit this eclass without dragging in an extra package
# it may not need.
IUSE="ssl"
DEPEND="ssl? ( dev-libs/openssl )"

# Initializes the SSL_* variables and writes the OpenSSL request
# configuration plus the CA serial file into ${T}.
#
# Globals written: SSL_CONF, SSL_SERIAL, SSL_RANDOM unconditionally;
#   SSL_DAYS, SSL_BITS, SSL_COUNTRY, SSL_STATE, SSL_LOCALITY,
#   SSL_ORGANIZATION, SSL_UNIT, SSL_COMMONNAME, SSL_EMAIL only when the
#   ebuild left them unset or empty.
# Outputs: ebegin/eend progress messages (helpers defined outside this file)
# Returns: the status eend reports for writing the config file
#
# Access: private
gen_cnf() {
	# Work files under the ebuild's temp dir, made unique with the shell PID
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Seed files that gen_key() hands to "openssl genrsa -rand".  The
	# author deliberately avoids /dev/u?random because it does not behave
	# on every platform.  NOTE(review): these files are predictable, so
	# they contribute little real entropy; key quality rests on OpenSSL's
	# own seeding -- confirm for the OpenSSL version actually in use.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# Defaults, applied only where the ebuild did not set a value.
	# NOTE(review): a 1024-bit RSA default is below current
	# recommendations; ebuilds wanting stronger keys should set SSL_BITS.
	: "${SSL_DAYS:=730}"
	: "${SSL_BITS:=1024}"
	: "${SSL_COUNTRY:=US}"
	: "${SSL_STATE:=California}"
	: "${SSL_LOCALITY:=Santa Barbara}"
	: "${SSL_ORGANIZATION:=SSL Server}"
	: "${SSL_UNIT:=For Testing Purposes Only}"
	: "${SSL_COMMONNAME:=localhost}"
	: "${SSL_EMAIL:=root@localhost}"

	# Start the CA serial counter
	printf '%s\n' 01 > "${SSL_SERIAL}"

	# Write the request config.  The SSL_* values are substituted
	# verbatim (no escaping); they come from the ebuild, not from users.
	ebegin "Generating OpenSSL configuration"
	cat > "${SSL_CONF}" <<EOF
[ req ]
prompt = no
default_bits = ${SSL_BITS}
distinguished_name = req_dn
[ req_dn ]
C = ${SSL_COUNTRY}
ST = ${SSL_STATE}
L = ${SSL_LOCALITY}
O = ${SSL_ORGANIZATION}
OU = ${SSL_UNIT}
CN = ${SSL_COMMONNAME}
emailAddress = ${SSL_EMAIL}
EOF
	eend $?

	return
}

# Prints the path prefix (no extension) of the work files for either the
# CA or the server certificate.  A non-empty first argument selects the
# CA, which is only generated once; no argument selects the server.
#
# Arguments: $1 - any non-empty value for the CA prefix, empty/absent for server
# Outputs:   the prefix "${T}/<pid>ca" or "${T}/<pid>server" on stdout
#
# Access: private
get_base() {
	local role=server
	[ -n "$1" ] && role=ca
	echo "${T}/${$}${role}"
}

# Generates an RSA private key of SSL_BITS bits into "<base>.key".
#
# Arguments: $1 - non-empty to generate the CA key, empty for the server key
# Globals:   SSL_BITS, SSL_RANDOM (read)
# Returns:   the status eend reports for the openssl run
#
# Access: private
gen_key() {
	local base
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# openssl's own diagnostics are discarded; only its exit status is
	# surfaced through eend.
	/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
		-out "${base}.key" "${SSL_BITS}" &>/dev/null
	eend $?

	return
}

# Generates a certificate signing request for the key produced by
# gen_key(), using the subject data written to SSL_CONF by gen_cnf().
#
# Arguments: $1 - non-empty for the CA request, empty for the server request
# Globals:   SSL_CONF (read)
# Returns:   the status eend reports for the openssl run
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	# Diagnostics are discarded; failure is visible only via the status.
	/usr/bin/openssl req -config "${SSL_CONF}" -new \
		-key "${base}.key" -out "${base}.csr" &>/dev/null
	eend $?

	return
}

# Issues an X.509 certificate from the CSR made by gen_csr():
#  - with a non-empty $1, a self-signed CA certificate signed by the CA key;
#  - otherwise, a server certificate signed by that CA (whose key and cert
#    must already exist from an earlier gen_crt 1).
# The CA material only ever lives under ${T}; install_cert() copies just
# the server files to ROOT.
#
# Arguments: $1 - non-empty for the CA certificate, empty for the server one
# Globals:   SSL_CONF, SSL_DAYS, SSL_SERIAL (read)
# Returns:   the status eend reports for the openssl run
#
# Access: private
gen_crt() {
	local base ca
	base=$(get_base "$1")
	if [ -z "$1" ]; then
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		/usr/bin/openssl x509 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -req -CAserial "${SSL_SERIAL}" \
			-CAkey "${ca}.key" -CA "${ca}.crt" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	else
		ebegin "Generating self-signed X.509 Certificate for CA"
		/usr/bin/openssl x509 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -req -signkey "${base}.key" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	fi
	eend $?

	return
}

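# Builds "<base>.pem" by concatenating the private key and the certificate
# created by gen_key() and gen_crt(), separated by a blank line.  Because
# the PEM contains the private key, install_cert() installs it mode 0400.
#
# Arguments: $1 - non-empty for the CA files, empty for the server files
# Returns:   the status eend reports; non-zero if either input file could
#            not be read (previously only the last cat's status was seen,
#            so a missing key file went unnoticed)
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "$1")
	ebegin "Generating PEM Certificate"
	# Chain with && so a failure reading the key is not masked by a
	# successful cat of the certificate.
	{
		cat "${base}.key" && echo && cat "${base}.crt"
	} > "${base}.pem"
	eend $?

	return
}
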
# Stub left in place of the old docert(), removed due to bug 174759.
# Any ebuild still calling it gets an explanation and is aborted via die.
#
# Access: public (deprecated)
docert() {
	local msg
	for msg in \
		"Function \"docert\" has been removed for security reasons." \
		"\"install_cert\" should be used instead. See bug 174759."
	do
		eerror "${msg}"
	done
	die
}

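# Uses all the private functions above to generate a throwaway CA and
# then one CA-signed server certificate per requested path, installing
# the server's key, csr, crt and pem under ROOT.
#
# Usage: install_cert <certificates>
# where <certificates> are full pathnames relative to ROOT, without extension.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# Files are installed with key/pem 0400 and csr/crt 0444.  A certificate
# for which any of the four files already exists under ROOT is skipped,
# never overwritten.  The CA key is not installed; it stays in ${T}.
#
# Returns: 0 when at least one certificate was installed (a warning is
#          printed if some were skipped or failed); 1 when no argument
#          was given, when called in a disallowed phase, when the CA could
#          not be set up, or when no certificate was generated at all --
#          including the case where every requested file already existed.
#          (The original test "[ ! ${count} ]" could never be true, so
#          that last case silently returned 0.)
#
# Access: public
install_cert() {
	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Refuse the src_* phases.  NOTE(review): presumably so the private
	# key is created on the target at pkg_* time instead of being packaged
	# into the image -- confirm against bug 174759.
	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment (once for all requested certificates)
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	local count=0
	local cert type base
	for cert in "$@" ; do
		# A path ending in "/" has no file name component
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never clobber an existing key or certificate
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files; a failure skips just this cert
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions
		base=$(get_base)
		install -d "${ROOT}${cert%/*}"
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}
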
