/[gentoo-x86]/eclass/ssl-cert.eclass
Gentoo

Diff of /eclass/ssl-cert.eclass

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

Revision 1.6 Revision 1.18
1# Copyright 1999-2004 Gentoo Foundation 1# Copyright 1999-2004 Gentoo Foundation
2# Distributed under the terms of the GNU General Public License v2 2# Distributed under the terms of the GNU General Public License v2
3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.6 2005/07/06 20:20:04 agriffis Exp $ 3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.18 2010/02/16 14:23:39 pva Exp $
4# 4#
5# @ECLASS: ssl-cert.eclass
6# @MAINTAINER:
5# Author: Max Kalika <max@gentoo.org> 7# Author: Max Kalika <max@gentoo.org>
6# 8# @BLURB: Eclass for SSL certificates
9# @DESCRIPTION:
7# This eclass implements standard installation procedure for installing 10# This eclass implements a standard installation procedure for installing
8# self-signed SSL certificates. 11# self-signed SSL certificates.
9 12# @EXAMPLE:
10INHERITED="$INHERITED $ECLASS" 13# "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
11 14
12# Conditionally depend on OpenSSL: allows inheretence 15# Conditionally depend on OpenSSL: allows inheretence
13# without pulling extra packages if not needed 16# without pulling extra packages if not needed
14DEPEND="ssl? ( dev-libs/openssl )" 17DEPEND="ssl? ( dev-libs/openssl )"
18IUSE="ssl"
15 19
20# @FUNCTION: gen_cnf
21# @USAGE:
22# @DESCRIPTION:
16# Initializes variables and generates the needed 23# Initializes variables and generates the needed
17# OpenSSL configuration file and a CA serial file 24# OpenSSL configuration file and a CA serial file
18# 25#
19# Access: private 26# Access: private
20gen_cnf() { 27gen_cnf() {
21 # Location of the config file 28 # Location of the config file
25 # Location of some random files OpenSSL can use: don't use 32 # Location of some random files OpenSSL can use: don't use
26 # /dev/u?random here -- doesn't work properly on all platforms 33 # /dev/u?random here -- doesn't work properly on all platforms
27 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf" 34 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
28 35
29 # These can be overridden in the ebuild 36 # These can be overridden in the ebuild
30 SSL_DAYS="${SSL_BITS:-730}" 37 SSL_DAYS="${SSL_DAYS:-730}"
31 SSL_BITS="${SSL_BITS:-1024}" 38 SSL_BITS="${SSL_BITS:-1024}"
32 SSL_COUNTRY="${SSL_COUNTRY:-US}" 39 SSL_COUNTRY="${SSL_COUNTRY:-US}"
33 SSL_STATE="${SSL_STATE:-California}" 40 SSL_STATE="${SSL_STATE:-California}"
34 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}" 41 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
35 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}" 42 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
39 46
40 # Create the CA serial file 47 # Create the CA serial file
41 echo "01" > "${SSL_SERIAL}" 48 echo "01" > "${SSL_SERIAL}"
42 49
43 # Create the config file 50 # Create the config file
44 ebegin "Generating OpenSSL configuration" 51 ebegin "Generating OpenSSL configuration${1:+ for CA}"
45 cat <<-EOF > "${SSL_CONF}" 52 cat <<-EOF > "${SSL_CONF}"
46 [ req ] 53 [ req ]
47 prompt = no 54 prompt = no
48 default_bits = ${SSL_BITS} 55 default_bits = ${SSL_BITS}
49 distinguished_name = req_dn 56 distinguished_name = req_dn
51 C = ${SSL_COUNTRY} 58 C = ${SSL_COUNTRY}
52 ST = ${SSL_STATE} 59 ST = ${SSL_STATE}
53 L = ${SSL_LOCALITY} 60 L = ${SSL_LOCALITY}
54 O = ${SSL_ORGANIZATION} 61 O = ${SSL_ORGANIZATION}
55 OU = ${SSL_UNIT} 62 OU = ${SSL_UNIT}
56 CN = ${SSL_COMMONNAME} 63 CN = ${SSL_COMMONNAME}${1:+ CA}
57 emailAddress = ${SSL_EMAIL} 64 emailAddress = ${SSL_EMAIL}
58 EOF 65 EOF
59 eend $? 66 eend $?
60
61 return $?
62}
63 67
68 return $?
69}
70
71# @FUNCTION: get_base
72# @USAGE: [if_ca]
73# @RETURN: <base path>
74# @DESCRIPTION:
64# Simple function to determine whether we're creating 75# Simple function to determine whether we're creating
65# a CA (which should only be done once) or final part 76# a CA (which should only be done once) or final part
66# 77#
67# Access: private 78# Access: private
68get_base() { 79get_base() {
71 else 82 else
72 echo "${T}/${$}server" 83 echo "${T}/${$}server"
73 fi 84 fi
74} 85}
75 86
87# @FUNCTION: gen_key
88# @USAGE: <base path>
89# @DESCRIPTION:
76# Generates an RSA key 90# Generates an RSA key
77# 91#
78# Access: private 92# Access: private
79gen_key() { 93gen_key() {
80 local base=`get_base $1` 94 local base=`get_base $1`
84 eend $? 98 eend $?
85 99
86 return $? 100 return $?
87} 101}
88 102
103# @FUNCTION: gen_csr
104# @USAGE: <base path>
105# @DESCRIPTION:
89# Generates a certificate signing request using 106# Generates a certificate signing request using
90# the key made by gen_key() 107# the key made by gen_key()
91# 108#
92# Access: private 109# Access: private
93gen_csr() { 110gen_csr() {
98 eend $? 115 eend $?
99 116
100 return $? 117 return $?
101} 118}
102 119
120# @FUNCTION: gen_crt
121# @USAGE: <base path>
122# @DESCRIPTION:
103# Generates either a self-signed CA certificate using 123# Generates either a self-signed CA certificate using
104# the csr and key made by gen_csr() and gen_key() or 124# the csr and key made by gen_csr() and gen_key() or
105# a signed server certificate using the CA cert previously 125# a signed server certificate using the CA cert previously
106# created by gen_crt() 126# created by gen_crt()
107# 127#
124 eend $? 144 eend $?
125 145
126 return $? 146 return $?
127} 147}
128 148
149# @FUNCTION: gen_pem
150# @USAGE: <base path>
151# @DESCRIPTION:
129# Generates a PEM file by concatinating the key 152# Generates a PEM file by concatinating the key
130# and cert file created by gen_key() and gen_cert() 153# and cert file created by gen_key() and gen_cert()
131# 154#
132# Access: private 155# Access: private
133gen_pem() { 156gen_pem() {
137 eend $? 160 eend $?
138 161
139 return $? 162 return $?
140} 163}
141 164
165# Removed due to bug 174759
166docert() {
167 eerror "Function \"docert\" has been removed for security reasons."
168 eerror "\"install_cert\" should be used instead. See bug 174759."
169 die
170}
171
172# @FUNCTION: install_cert
173# @USAGE: <certificates>
174# @DESCRIPTION:
142# Uses all the private functions above to generate 175# Uses all the private functions above to generate and install the
143# and install the requested certificates 176# requested certificates.
177# <certificates> are full pathnames relative to ROOT, without extension.
178#
179# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
144# 180#
145# Access: public 181# Access: public
146docert() { 182install_cert() {
147 if [ $# -lt 1 ] ; then 183 if [ $# -lt 1 ] ; then
148 eerror "At least one argument needed" 184 eerror "At least one argument needed"
149 return 1; 185 return 1;
150 fi 186 fi
151 187
152 # Initialize configuration 188 case ${EBUILD_PHASE} in
189 unpack|compile|test|install)
190 eerror "install_cert cannot be called in ${EBUILD_PHASE}"
191 return 1 ;;
192 esac
193
194 # Generate a CA environment #164601
153 gen_cnf || return 1 195 gen_cnf 1 || return 1
154 echo
155
156 # Generate a CA environment
157 gen_key 1 || return 1 196 gen_key 1 || return 1
158 gen_csr 1 || return 1 197 gen_csr 1 || return 1
159 gen_crt 1 || return 1 198 gen_crt 1 || return 1
160 echo 199 echo
161 200
201 gen_cnf || return 1
202 echo
203
162 local count=0 204 local count=0
163 for cert in "$@" ; do 205 for cert in "$@" ; do
164 # Sanitize and check the requested certificate 206 # Check the requested certificate
165 cert="`/usr/bin/basename "${cert}"`"
166 if [ -z "${cert}" ] ; then 207 if [ -z "${cert##*/}" ] ; then
167 ewarn "Invalid certification requested, skipping" 208 ewarn "Invalid certification requested, skipping"
168 continue 209 continue
169 fi 210 fi
170 211
171 # Check for previous existence of generated files 212 # Check for previous existence of generated files
172 for type in key crt pem ; do 213 for type in key csr crt pem ; do
173 if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then 214 if [ -e "${ROOT}${cert}.${type}" ] ; then
174 ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping" 215 ewarn "${ROOT}${cert}.${type}: exists, skipping"
175 continue 2 216 continue 2
176 fi 217 fi
177 done 218 done
178 219
179 # Generate the requested files 220 # Generate the requested files
182 gen_crt || continue 223 gen_crt || continue
183 gen_pem || continue 224 gen_pem || continue
184 echo 225 echo
185 226
186 # Install the generated files and set sane permissions 227 # Install the generated files and set sane permissions
187 local base=`get_base` 228 local base=$(get_base)
229 install -d "${ROOT}${cert%/*}"
188 newins "${base}.key" "${cert}.key" 230 install -m0400 "${base}.key" "${ROOT}${cert}.key"
189 fperms 0400 "${INSDESTTREE}/${cert}.key"
190 newins "${base}.csr" "${cert}.csr" 231 install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
191 fperms 0444 "${INSDESTTREE}/${cert}.csr"
192 newins "${base}.crt" "${cert}.crt" 232 install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
193 fperms 0444 "${INSDESTTREE}/${cert}.crt"
194 newins "${base}.pem" "${cert}.pem" 233 install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
195 fperms 0400 "${INSDESTTREE}/${cert}.pem"
196 count=$((${count}+1)) 234 count=$((${count}+1))
197 done 235 done
198 236
199 # Resulting status 237 # Resulting status
200 if [ ! ${count} ] ; then 238 if [ ${count} = 0 ] ; then
201 eerror "No certificates were generated" 239 eerror "No certificates were generated"
202 return 1 240 return 1
203 elif [ ${count} != ${#} ] ; then 241 elif [ ${count} != ${#} ] ; then
204 ewarn "Some requested certificates were not generated" 242 ewarn "Some requested certificates were not generated"
205 fi 243 fi
Legend:
Removed from v.1.6  
changed lines
  Added in v.1.18
  ViewVC Help
Powered by ViewVC 1.1.20