Revision 1.20 - (hide annotations) (download)
Thu Jan 3 19:19:55 2013 UTC (19 months, 3 weeks ago) by alonbl
Branch: MAIN
Changes since 1.19: +19 -5 lines
ssl-cert - support mandatory enrollment and custom USE flag

1 vapier 1.19 # Copyright 1999-2011 Gentoo Foundation
2 max 1.1 # Distributed under the terms of the GNU General Public License v2
3 alonbl 1.20 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.19 2011/08/22 04:46:32 vapier Exp $
4 vapier 1.19
5 ulm 1.16 # @ECLASS: ssl-cert.eclass
6     # @MAINTAINER:
7 vapier 1.19 # @AUTHOR:
8     # Max Kalika <max@gentoo.org>
9 ulm 1.16 # @BLURB: Eclass for SSL certificates
10     # @DESCRIPTION:
11     # This eclass implements a standard installation procedure for installing
12 max 1.1 # self-signed SSL certificates.
13 ulm 1.16 # @EXAMPLE:
14     # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
15 max 1.1
# @ECLASS-VARIABLE: SSL_CERT_MANDATORY
# @DESCRIPTION:
# Set to non zero if ssl-cert is mandatory for ebuild.
# When left at 0 the openssl dependency is made conditional on
# SSL_CERT_USE and that flag is added to IUSE.
#
SSL_CERT_MANDATORY="${SSL_CERT_MANDATORY:-0}"

# @ECLASS-VARIABLE: SSL_CERT_USE
# @DESCRIPTION:
# Use flag to append dependency to.
#
SSL_CERT_USE="${SSL_CERT_USE:-ssl}"

# Only the literal string "0" selects the optional dependency;
# any other value makes dev-libs/openssl unconditional.
case "${SSL_CERT_MANDATORY}" in
	0)
		DEPEND="${SSL_CERT_USE}? ( dev-libs/openssl )"
		IUSE="${SSL_CERT_USE}"
		;;
	*)
		DEPEND="dev-libs/openssl"
		;;
esac
34 max 1.1
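# @FUNCTION: gen_cnf
# @USAGE: [if_ca]
# @DESCRIPTION:
# Initializes variables and generates the needed
# OpenSSL configuration file and a CA serial file.
# A non-empty argument marks the configuration as the CA one:
# " CA" is appended to the subject CN and to the status message.
# Sets SSL_CONF, SSL_SERIAL and SSL_RANDOM and fills in defaults for
# the SSL_* subject variables an ebuild may override.
# Returns the status of writing the configuration file.
#
# Access: private
gen_cnf() {
	# Location of the config file
	SSL_CONF="${T}/${$}ssl.cnf"
	# Location of the CA serial file
	SSL_SERIAL="${T}/${$}ca.ser"
	# Location of some random files OpenSSL can use: don't use
	# /dev/u?random here -- doesn't work properly on all platforms
	# NOTE(review): these files are predictable and low-entropy; -rand
	# supplements OpenSSL's own seeding rather than replacing it -- confirm
	# the OS RNG is available on every platform this eclass targets.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# These can be overridden in the ebuild.
	# The key size defaults to 2048 bits: 1024-bit RSA is below the
	# minimum that current TLS clients and CA policies accept.
	SSL_DAYS="${SSL_DAYS:-730}"
	SSL_BITS="${SSL_BITS:-2048}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Create the CA serial file
	echo "01" > "${SSL_SERIAL}"

	# Create the config file; ${1:+...} expands only when a CA was requested.
	# The heredoc uses <<- so leading tabs are stripped from the output.
	ebegin "Generating OpenSSL configuration${1:+ for CA}"
	cat <<-EOF > "${SSL_CONF}"
	[ req ]
	prompt = no
	default_bits = ${SSL_BITS}
	distinguished_name = req_dn
	[ req_dn ]
	C = ${SSL_COUNTRY}
	ST = ${SSL_STATE}
	L = ${SSL_LOCALITY}
	O = ${SSL_ORGANIZATION}
	OU = ${SSL_UNIT}
	CN = ${SSL_COMMONNAME}${1:+ CA}
	emailAddress = ${SSL_EMAIL}
	EOF
	# Capture the write status before eend can touch $?
	local rv=$?
	eend ${rv}

	return ${rv}
}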
85    
# @FUNCTION: get_base
# @USAGE: [if_ca]
# @RETURN: <base path>
# @DESCRIPTION:
# Simple function to determine whether we're creating
# a CA (which should only be done once) or final part.
# Prints "${T}/<pid>ca" when the argument is non-empty,
# "${T}/<pid>server" otherwise; the file extension is
# appended by the caller.
#
# Access: private
get_base() {
	local role=server
	[[ -n ${1} ]] && role=ca
	echo "${T}/${$}${role}"
}
101    
# @FUNCTION: gen_key
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates an RSA key of SSL_BITS bits into <base>.key, where
# <base> is taken from get_base() and a non-empty argument selects
# the CA key.  SSL_RANDOM is handed to -rand as extra seed material.
# OpenSSL's output is discarded; ebegin/eend is the only diagnostic.
#
# Access: private
gen_key() {
	local keyfile
	keyfile="$(get_base "$1").key"
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" -out "${keyfile}" "${SSL_BITS}" &> /dev/null
	eend $?
}
117    
# @FUNCTION: gen_csr
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates a certificate signing request using
# the key made by gen_key().  The subject comes from the
# configuration file written by gen_cnf() (SSL_CONF); the
# request is written to <base>.csr next to the key.
#
# Access: private
gen_csr() {
	local base keyfile csrfile
	base=$(get_base "$1")
	keyfile="${base}.key"
	csrfile="${base}.csr"
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -config "${SSL_CONF}" -new -key "${keyfile}" -out "${csrfile}" &>/dev/null
	eend $?
}
134    
# @FUNCTION: gen_crt
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates either a self-signed CA certificate using
# the csr and key made by gen_csr() and gen_key() or
# a signed server certificate using the CA cert previously
# created by gen_crt().  Both are valid for SSL_DAYS days.
# NOTE(review): no digest option is passed, so the signature
# algorithm is whatever this OpenSSL build defaults to -- confirm
# it is a SHA-2 digest on the target systems.
# NOTE(review): the configuration written by gen_cnf() declares no
# extensions section, so -extfile appears to add no X.509v3
# extensions (e.g. basicConstraints on the CA) -- confirm intended.
#
# Access: private
gen_crt() {
	local base
	local -a sign_args
	base=$(get_base "$1")
	if [[ -n ${1} ]] ; then
		# CA: sign the request with its own key
		ebegin "Generating self-signed X.509 Certificate for CA"
		sign_args=( -signkey "${base}.key" )
	else
		# Server: sign with the CA key, tracking serials in SSL_SERIAL
		local ca
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		sign_args=( -CAserial "${SSL_SERIAL}" -CAkey "${ca}.key" -CA "${ca}.crt" )
	fi
	/usr/bin/openssl x509 -extfile "${SSL_CONF}" \
		-days "${SSL_DAYS}" -req "${sign_args[@]}" \
		-in "${base}.csr" -out "${base}.crt" &>/dev/null
	eend $?
}
163    
# @FUNCTION: gen_pem
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates a PEM file by concatenating the key
# and cert file created by gen_key() and gen_crt(),
# separated by a blank line.  The file is created in ${T}
# under the current umask; install_cert() installs it as 0400.
#
# Access: private
gen_pem() {
	local base pemfile
	base=$(get_base "$1")
	pemfile="${base}.pem"
	ebegin "Generating PEM Certificate"
	{
		cat "${base}.key"
		echo
		cat "${base}.crt"
	} > "${pemfile}"
	eend $?
}
179    
# @FUNCTION: docert
# @DESCRIPTION:
# Removed due to bug 174759.  Kept only so that old callers fail
# loudly: prints the replacement and dies.
#
# Access: public (deprecated)
docert() {
	eerror 'Function "docert" has been removed for security reasons.'
	eerror '"install_cert" should be used instead. See bug 174759.'
	die
}
186 ulm 1.10
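# @FUNCTION: install_cert
# @USAGE: <certificates>
# @DESCRIPTION:
# Uses all the private functions above to generate and install the
# requested certificates.
# <certificates> are full pathnames relative to ROOT, without extension.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# A throw-away CA is generated first (#164601) and every requested
# certificate is signed by it.  A certificate is skipped when any of its
# four files already exists under ROOT; nothing is ever overwritten.
# Returns 1 when no argument is given, when called from the unpack,
# compile, test or install phase, when the CA cannot be generated, or
# when no certificate was generated at all.  A failing install(1) of a
# generated file dies rather than being counted as success.
#
# Access: public
install_cert() {
	if [[ $# -lt 1 ]] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Refuse to run in the build phases
	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Generate a CA environment #164601
	gen_cnf 1 || return 1
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	# Rewrite the config without the CA suffix for the server certificates
	gen_cnf || return 1
	echo

	# All loop state is local so it does not leak into the ebuild
	local count=0 cert type base
	for cert in "$@" ; do
		# Check the requested certificate: a trailing slash has no basename
		if [[ -z ${cert##*/} ]] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Check for previous existence of generated files
		for type in key csr crt pem ; do
			if [[ -e "${ROOT}${cert}.${type}" ]] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions.
		# Only create a directory when the name has one: for a bare name
		# ${cert%/*} would be the name itself, not its parent.
		base=$(get_base)
		if [[ ${cert} == */* ]] ; then
			install -d "${ROOT}${cert%/*}" \
				|| die "install_cert: cannot create directory ${ROOT}${cert%/*}"
		fi
		# .key and .pem carry private key material: owner read-only
		install -m0400 "${base}.key" "${ROOT}${cert}.key" \
			|| die "install_cert: failed to install ${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr" \
			|| die "install_cert: failed to install ${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt" \
			|| die "install_cert: failed to install ${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem" \
			|| die "install_cert: failed to install ${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status
	if [[ ${count} -eq 0 ]] ; then
		eerror "No certificates were generated"
		return 1
	elif [[ ${count} -ne $# ]] ; then
		ewarn "Some requested certificates were not generated"
	fi
}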
