Revision 1.19 - (hide annotations) (download)
Mon Aug 22 04:46:32 2011 UTC (3 years ago) by vapier
Branch: MAIN
Changes since 1.18: +5 -4 lines
fix random bugs in eclass documentation, and convert to new @AUTHOR tag

1 vapier 1.19 # Copyright 1999-2011 Gentoo Foundation
2 max 1.1 # Distributed under the terms of the GNU General Public License v2
3 vapier 1.19 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.18 2010/02/16 14:23:39 pva Exp $
4    
5 ulm 1.16 # @ECLASS: ssl-cert.eclass
6     # @MAINTAINER:
7 vapier 1.19 # @AUTHOR:
8     # Max Kalika <max@gentoo.org>
9 ulm 1.16 # @BLURB: Eclass for SSL certificates
10     # @DESCRIPTION:
11     # This eclass implements a standard installation procedure for installing
12 max 1.1 # self-signed SSL certificates.
13 ulm 1.16 # @EXAMPLE:
14     # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
15 max 1.1
# Pull in OpenSSL only when the consumer enables USE=ssl, so an ebuild can
# inherit this eclass without dragging extra packages onto systems that
# never call install_cert.
IUSE="ssl"
DEPEND="ssl? ( dev-libs/openssl )"
20 max 1.1
21 ulm 1.16 # @FUNCTION: gen_cnf
22     # @USAGE:
23     # @DESCRIPTION:
24 swegener 1.9 # Initializes variables and generates the needed
25 max 1.1 # OpenSSL configuration file and a CA serial file
26     #
27     # Access: private
gen_cnf() {
	# Scratch locations, all under portage's private ${T}; the shell PID
	# (${$}) keeps files of concurrent callers apart.
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Seed files handed to "openssl -rand".  /dev/u?random is deliberately
	# not listed: it does not behave on every platform this eclass targets.
	# NOTE(review): none of these files is secret, so treat them as a
	# supplement to, not a substitute for, the system entropy source.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# Subject and key defaults; an ebuild may pre-set any of them before
	# calling install_cert.  NOTE(review): a 1024-bit RSA default is below
	# current guidance (2048 bits or more); ebuilds generating keys meant
	# for real use should override SSL_BITS.
	: "${SSL_DAYS:=730}"
	: "${SSL_BITS:=1024}"
	: "${SSL_COUNTRY:=US}"
	: "${SSL_STATE:=California}"
	: "${SSL_LOCALITY:=Santa Barbara}"
	: "${SSL_ORGANIZATION:=SSL Server}"
	: "${SSL_UNIT:=For Testing Purposes Only}"
	: "${SSL_COMMONNAME:=localhost}"
	: "${SSL_EMAIL:=root@localhost}"

	# Starting serial number consumed by gen_crt when it signs server certs.
	printf '%s\n' "01" > "${SSL_SERIAL}"

	# A non-empty first argument means "for the CA": the CN gets a " CA"
	# suffix so it cannot collide with the server certificate's CN.
	ebegin "Generating OpenSSL configuration${1:+ for CA}"
	cat > "${SSL_CONF}" <<-EOF
		[ req ]
		prompt = no
		default_bits = ${SSL_BITS}
		distinguished_name = req_dn
		[ req_dn ]
		C = ${SSL_COUNTRY}
		ST = ${SSL_STATE}
		L = ${SSL_LOCALITY}
		O = ${SSL_ORGANIZATION}
		OU = ${SSL_UNIT}
		CN = ${SSL_COMMONNAME}${1:+ CA}
		emailAddress = ${SSL_EMAIL}
	EOF
	eend $?

	return $?
}
71    
72 ulm 1.16 # @FUNCTION: get_base
73     # @USAGE: [if_ca]
74     # @RETURN: <base path>
75     # @DESCRIPTION:
76 max 1.1 # Simple function to determine whether we're creating
77     # a CA (which should only be done once) or the final server certificate
78     #
79     # Access: private
get_base() {
	# Any non-empty argument selects the single, shared CA base path;
	# otherwise the per-certificate server base path is printed.
	local kind=server
	[ -n "${1}" ] && kind=ca
	printf '%s\n' "${T}/$$${kind}"
}
87    
88 ulm 1.16 # @FUNCTION: gen_key
89     # @USAGE: <base path>
90     # @DESCRIPTION:
91 max 1.1 # Generates an RSA key
92     #
93     # Access: private
gen_key() {
	local base
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# stdout and stderr are discarded; eend reports only the exit status.
	/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
		-out "${base}.key" "${SSL_BITS}" >/dev/null 2>&1
	eend $?

	return $?
}
103    
104 ulm 1.16 # @FUNCTION: gen_csr
105     # @USAGE: <base path>
106     # @DESCRIPTION:
107 max 1.1 # Generates a certificate signing request using
108     # the key made by gen_key()
109     #
110     # Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	# Subject comes from the config written by gen_cnf; the key from gen_key.
	/usr/bin/openssl req -config "${SSL_CONF}" -new \
		-key "${base}.key" -out "${base}.csr" >/dev/null 2>&1
	eend $?

	return $?
}
120    
121 ulm 1.16 # @FUNCTION: gen_crt
122     # @USAGE: <base path>
123     # @DESCRIPTION:
124 max 1.1 # Generates either a self-signed CA certificate using
125     # the csr and key made by gen_csr() and gen_key() or
126     # a signed server certificate using the CA cert previously
127     # created by gen_crt()
128     #
129     # Access: private
gen_crt() {
	local base ca
	base=$(get_base "$1")
	# Arguments common to both branches; the CA branch self-signs, the
	# server branch signs with the CA key/cert made by an earlier "gen_crt 1".
	# NOTE(review): the config written by gen_cnf has no x509 extension
	# section, so the CA certificate presumably carries no basicConstraints
	# CA:TRUE -- confirm before relying on strict validators.
	local -a args=( x509 -extfile "${SSL_CONF}" -days "${SSL_DAYS}" -req )
	if [ -n "${1}" ] ; then
		ebegin "Generating self-signed X.509 Certificate for CA"
		args+=( -signkey "${base}.key" )
	else
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		args+=( -CAserial "${SSL_SERIAL}" -CAkey "${ca}.key" -CA "${ca}.crt" )
	fi
	args+=( -in "${base}.csr" -out "${base}.crt" )
	/usr/bin/openssl "${args[@]}" >/dev/null 2>&1
	eend $?

	return $?
}
149    
150 ulm 1.16 # @FUNCTION: gen_pem
151     # @USAGE: <base path>
152     # @DESCRIPTION:
153 max 1.1 # Generates a PEM file by concatenating the key
154     # and cert file created by gen_key() and gen_crt()
155     #
156     # Access: private
gen_pem() {
	local base
	base=$(get_base "$1")
	ebegin "Generating PEM Certificate"
	# Bundle = private key, one blank separator line, then the certificate.
	# Because it contains the key, install_cert installs the bundle 0400.
	{
		cat "${base}.key"
		echo
		cat "${base}.crt"
	} > "${base}.pem"
	eend $?

	return $?
}
165    
166 ulm 1.15 # Removed due to bug 174759
docert() {
	# Kept only as a loud tombstone: report the replacement, then abort.
	local msg
	for msg in \
		'Function "docert" has been removed for security reasons.' \
		'"install_cert" should be used instead. See bug 174759.' ; do
		eerror "${msg}"
	done
	die
}
172 ulm 1.10
173 ulm 1.16 # @FUNCTION: install_cert
174     # @USAGE: <certificates>
175     # @DESCRIPTION:
176     # Uses all the private functions above to generate and install the
177     # requested certificates.
178     # <certificates> are full pathnames relative to ROOT, without extension.
179 ulm 1.11 #
180     # Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
181     #
182 ulm 1.10 # Access: public
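install_cert() {
	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Refuse to run from the build-side phases listed here.
	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Generate a CA environment #164601
	gen_cnf 1 || return 1
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	# Server-side config (CN without the " CA" suffix).
	gen_cnf || return 1
	echo

	# Loop variables are local so they do not leak into the ebuild's
	# global namespace.
	local cert ext dir base
	local count=0
	for cert in "$@" ; do
		# A trailing slash leaves no file name to create.
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never overwrite files already present under ROOT: an already
		# deployed key stays untouched and the whole request is skipped.
		for ext in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${ext}" ] ; then
				ewarn "${ROOT}${cert}.${ext}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Create the parent directory only when the name actually has one:
		# for a bare name "${cert%/*}" is the name itself and would create
		# a stray directory next to the files.
		dir="${cert%/*}"
		if [ "${dir}" != "${cert}" ] ; then
			install -d "${ROOT}${dir}"
		fi
		# Key material (key, pem) is owner-read-only; csr/crt are public.
		base=$(get_base)
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status
	if [ "${count}" = 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" != "$#" ] ; then
		ewarn "Some requested certificates were not generated"
	fi
}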
