/[gentoo-x86]/eclass/ssl-cert.eclass
Gentoo

Contents of /eclass/ssl-cert.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.8 - (hide annotations) (download)
Wed Jul 6 21:01:21 2005 UTC (9 years ago) by agriffis
Branch: MAIN
Changes since 1.7: +2 -2 lines
add IUSE=ssl

1 vapier 1.5 # Copyright 1999-2004 Gentoo Foundation
2 max 1.1 # Distributed under the terms of the GNU General Public License v2
3 agriffis 1.8 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.7 2005/07/06 20:23:20 agriffis Exp $
4 max 1.1 #
5     # Author: Max Kalika <max@gentoo.org>
6     #
7     # This eclass implements standard installation procedure for installing
8     # self-signed SSL certificates.
9    
10     # Conditionally depend on OpenSSL: allows inheretence
11     # without pulling extra packages if not needed
12 mr_bones_ 1.3 DEPEND="ssl? ( dev-libs/openssl )"
13 agriffis 1.8 IUSE="ssl"
14 max 1.1
15     # Initializes variables and generates the needed
16     # OpenSSL configuration file and a CA serial file
17     #
18     # Access: private
19     gen_cnf() {
20     # Location of the config file
21     SSL_CONF="${T}/${$}ssl.cnf"
22     # Location of the CA serial file
23     SSL_SERIAL="${T}/${$}ca.ser"
24     # Location of some random files OpenSSL can use: don't use
25     # /dev/u?random here -- doesn't work properly on all platforms
26 max 1.4 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
27 max 1.1
28     # These can be overridden in the ebuild
29     SSL_DAYS="${SSL_BITS:-730}"
30     SSL_BITS="${SSL_BITS:-1024}"
31     SSL_COUNTRY="${SSL_COUNTRY:-US}"
32     SSL_STATE="${SSL_STATE:-California}"
33     SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
34 vapier 1.2 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
35 max 1.1 SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
36     SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
37     SSL_EMAIL="${SSL_EMAIL:-root@localhost}"
38    
39     # Create the CA serial file
40     echo "01" > "${SSL_SERIAL}"
41    
42     # Create the config file
43     ebegin "Generating OpenSSL configuration"
44     cat <<-EOF > "${SSL_CONF}"
45     [ req ]
46     prompt = no
47     default_bits = ${SSL_BITS}
48     distinguished_name = req_dn
49     [ req_dn ]
50     C = ${SSL_COUNTRY}
51     ST = ${SSL_STATE}
52     L = ${SSL_LOCALITY}
53     O = ${SSL_ORGANIZATION}
54     OU = ${SSL_UNIT}
55     CN = ${SSL_COMMONNAME}
56     emailAddress = ${SSL_EMAIL}
57     EOF
58     eend $?
59    
60     return $?
61     }
62    
63     # Simple function to determine whether we're creating
64     # a CA (which should only be done once) or final part
65     #
66     # Access: private
67     get_base() {
68     if [ "${1}" ] ; then
69     echo "${T}/${$}ca"
70     else
71     echo "${T}/${$}server"
72     fi
73     }
74    
75     # Generates an RSA key
76     #
77     # Access: private
78     gen_key() {
79     local base=`get_base $1`
80     ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
81     /usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
82     -out "${base}.key" "${SSL_BITS}" &> /dev/null
83     eend $?
84    
85     return $?
86     }
87    
88     # Generates a certificate signing request using
89     # the key made by gen_key()
90     #
91     # Access: private
92     gen_csr() {
93     local base=`get_base $1`
94     ebegin "Generating Certificate Signing Request${1:+ for CA}"
95     /usr/bin/openssl req -config "${SSL_CONF}" -new \
96     -key "${base}.key" -out "${base}.csr" &>/dev/null
97     eend $?
98    
99     return $?
100     }
101    
102     # Generates either a self-signed CA certificate using
103     # the csr and key made by gen_csr() and gen_key() or
104     # a signed server certificate using the CA cert previously
105     # created by gen_crt()
106     #
107     # Access: private
108     gen_crt() {
109     local base=`get_base $1`
110     if [ "${1}" ] ; then
111     ebegin "Generating self-signed X.509 Certificate for CA"
112     /usr/bin/openssl x509 -extfile "${SSL_CONF}" \
113     -days ${SSL_DAYS} -req -signkey "${base}.key" \
114     -in "${base}.csr" -out "${base}.crt" &>/dev/null
115     else
116     local ca=`get_base 1`
117     ebegin "Generating authority-signed X.509 Certificate"
118     /usr/bin/openssl x509 -extfile "${SSL_CONF}" \
119     -days ${SSL_DAYS} -req -CAserial "${SSL_SERIAL}" \
120     -CAkey "${ca}.key" -CA "${ca}.crt" \
121     -in "${base}.csr" -out "${base}.crt" &>/dev/null
122     fi
123     eend $?
124    
125     return $?
126     }
127    
128     # Generates a PEM file by concatinating the key
129     # and cert file created by gen_key() and gen_cert()
130     #
131     # Access: private
132     gen_pem() {
133     local base=`get_base $1`
134     ebegin "Generating PEM Certificate"
135     (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem"
136     eend $?
137    
138     return $?
139     }
140    
141     # Uses all the private functions above to generate
142     # and install the requested certificates
143     #
144     # Access: public
145     docert() {
146     if [ $# -lt 1 ] ; then
147     eerror "At least one argument needed"
148     return 1;
149     fi
150    
151     # Initialize configuration
152     gen_cnf || return 1
153     echo
154    
155     # Generate a CA environment
156     gen_key 1 || return 1
157     gen_csr 1 || return 1
158     gen_crt 1 || return 1
159     echo
160    
161     local count=0
162     for cert in "$@" ; do
163     # Sanitize and check the requested certificate
164     cert="`/usr/bin/basename "${cert}"`"
165     if [ -z "${cert}" ] ; then
166     ewarn "Invalid certification requested, skipping"
167     continue
168     fi
169    
170     # Check for previous existence of generated files
171     for type in key crt pem ; do
172     if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then
173     ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
174     continue 2
175     fi
176     done
177    
178     # Generate the requested files
179     gen_key || continue
180     gen_csr || continue
181     gen_crt || continue
182     gen_pem || continue
183     echo
184    
185     # Install the generated files and set sane permissions
186     local base=`get_base`
187     newins "${base}.key" "${cert}.key"
188     fperms 0400 "${INSDESTTREE}/${cert}.key"
189     newins "${base}.csr" "${cert}.csr"
190     fperms 0444 "${INSDESTTREE}/${cert}.csr"
191     newins "${base}.crt" "${cert}.crt"
192     fperms 0444 "${INSDESTTREE}/${cert}.crt"
193     newins "${base}.pem" "${cert}.pem"
194     fperms 0400 "${INSDESTTREE}/${cert}.pem"
195     count=$((${count}+1))
196     done
197    
198     # Resulting status
199     if [ ! ${count} ] ; then
200     eerror "No certificates were generated"
201     return 1
202     elif [ ${count} != ${#} ] ; then
203     ewarn "Some requested certificates were not generated"
204     fi
205     }

  ViewVC Help
Powered by ViewVC 1.1.20