/[gentoo-x86]/eclass/ssl-cert.eclass

Diff of /eclass/ssl-cert.eclass


Revision 1.2 Revision 1.19
1# Copyright 1999-2003 Gentoo Technologies, Inc. 1# Copyright 1999-2011 Gentoo Foundation
2# Distributed under the terms of the GNU General Public License v2 2# Distributed under the terms of the GNU General Public License v2
3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.2 2004/04/01 22:08:35 vapier Exp $ 3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.19 2011/08/22 04:46:32 vapier Exp $
4# 4
5# @ECLASS: ssl-cert.eclass
6# @MAINTAINER:
7# @AUTHOR:
5# Author: Max Kalika <max@gentoo.org> 8# Max Kalika <max@gentoo.org>
6# 9# @BLURB: Eclass for SSL certificates
10# @DESCRIPTION:
7# This eclass implements standard installation procedure for installing 11# This eclass implements a standard installation procedure for installing
8# self-signed SSL certificates. 12# self-signed SSL certificates.
9 13# @EXAMPLE:
10ECLASS=ssl-cert 14# "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
11INHERITED="$INHERITED $ECLASS"
12 15
13# Conditionally depend on OpenSSL: allows inheretence 16# Conditionally depend on OpenSSL: allows inheretence
14# without pulling extra packages if not needed 17# without pulling extra packages if not needed
15newdepend "ssl? ( dev-libs/openssl )" 18DEPEND="ssl? ( dev-libs/openssl )"
19IUSE="ssl"
16 20
21# @FUNCTION: gen_cnf
22# @USAGE:
23# @DESCRIPTION:
17# Initializes variables and generates the needed 24# Initializes variables and generates the needed
18# OpenSSL configuration file and a CA serial file 25# OpenSSL configuration file and a CA serial file
19# 26#
20# Access: private 27# Access: private
21gen_cnf() { 28gen_cnf() {
22 # Location of the config file 29 # Location of the config file
23 SSL_CONF="${T}/${$}ssl.cnf" 30 SSL_CONF="${T}/${$}ssl.cnf"
24 # Location of the CA serial file 31 # Location of the CA serial file
25 SSL_SERIAL="${T}/${$}ca.ser" 32 SSL_SERIAL="${T}/${$}ca.ser"
26 # Location of some random files OpenSSL can use: don't use 33 # Location of some random files OpenSSL can use: don't use
27 # /dev/u?random here -- doesn't work properly on all platforms 34 # /dev/u?random here -- doesn't work properly on all platforms
28 SSL_RANDOM="${T}/evironment:${T}/eclass-debug.log:/etc/resolv.conf" 35 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
29 36
30 # These can be overridden in the ebuild 37 # These can be overridden in the ebuild
31 SSL_DAYS="${SSL_BITS:-730}" 38 SSL_DAYS="${SSL_DAYS:-730}"
32 SSL_BITS="${SSL_BITS:-1024}" 39 SSL_BITS="${SSL_BITS:-1024}"
33 SSL_COUNTRY="${SSL_COUNTRY:-US}" 40 SSL_COUNTRY="${SSL_COUNTRY:-US}"
34 SSL_STATE="${SSL_STATE:-California}" 41 SSL_STATE="${SSL_STATE:-California}"
35 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}" 42 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
36 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}" 43 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
40 47
41 # Create the CA serial file 48 # Create the CA serial file
42 echo "01" > "${SSL_SERIAL}" 49 echo "01" > "${SSL_SERIAL}"
43 50
44 # Create the config file 51 # Create the config file
45 ebegin "Generating OpenSSL configuration" 52 ebegin "Generating OpenSSL configuration${1:+ for CA}"
46 cat <<-EOF > "${SSL_CONF}" 53 cat <<-EOF > "${SSL_CONF}"
47 [ req ] 54 [ req ]
48 prompt = no 55 prompt = no
49 default_bits = ${SSL_BITS} 56 default_bits = ${SSL_BITS}
50 distinguished_name = req_dn 57 distinguished_name = req_dn
52 C = ${SSL_COUNTRY} 59 C = ${SSL_COUNTRY}
53 ST = ${SSL_STATE} 60 ST = ${SSL_STATE}
54 L = ${SSL_LOCALITY} 61 L = ${SSL_LOCALITY}
55 O = ${SSL_ORGANIZATION} 62 O = ${SSL_ORGANIZATION}
56 OU = ${SSL_UNIT} 63 OU = ${SSL_UNIT}
57 CN = ${SSL_COMMONNAME} 64 CN = ${SSL_COMMONNAME}${1:+ CA}
58 emailAddress = ${SSL_EMAIL} 65 emailAddress = ${SSL_EMAIL}
59 EOF 66 EOF
60 eend $? 67 eend $?
61
62 return $?
63}
64 68
69 return $?
70}
71
72# @FUNCTION: get_base
73# @USAGE: [if_ca]
74# @RETURN: <base path>
75# @DESCRIPTION:
65# Simple function to determine whether we're creating 76# Simple function to determine whether we're creating
66# a CA (which should only be done once) or final part 77# a CA (which should only be done once) or final part
67# 78#
68# Access: private 79# Access: private
69get_base() { 80get_base() {
72 else 83 else
73 echo "${T}/${$}server" 84 echo "${T}/${$}server"
74 fi 85 fi
75} 86}
76 87
88# @FUNCTION: gen_key
89# @USAGE: <base path>
90# @DESCRIPTION:
77# Generates an RSA key 91# Generates an RSA key
78# 92#
79# Access: private 93# Access: private
80gen_key() { 94gen_key() {
81 local base=`get_base $1` 95 local base=`get_base $1`
85 eend $? 99 eend $?
86 100
87 return $? 101 return $?
88} 102}
89 103
104# @FUNCTION: gen_csr
105# @USAGE: <base path>
106# @DESCRIPTION:
90# Generates a certificate signing request using 107# Generates a certificate signing request using
91# the key made by gen_key() 108# the key made by gen_key()
92# 109#
93# Access: private 110# Access: private
94gen_csr() { 111gen_csr() {
99 eend $? 116 eend $?
100 117
101 return $? 118 return $?
102} 119}
103 120
121# @FUNCTION: gen_crt
122# @USAGE: <base path>
123# @DESCRIPTION:
104# Generates either a self-signed CA certificate using 124# Generates either a self-signed CA certificate using
105# the csr and key made by gen_csr() and gen_key() or 125# the csr and key made by gen_csr() and gen_key() or
106# a signed server certificate using the CA cert previously 126# a signed server certificate using the CA cert previously
107# created by gen_crt() 127# created by gen_crt()
108# 128#
125 eend $? 145 eend $?
126 146
127 return $? 147 return $?
128} 148}
129 149
150# @FUNCTION: gen_pem
151# @USAGE: <base path>
152# @DESCRIPTION:
130# Generates a PEM file by concatinating the key 153# Generates a PEM file by concatinating the key
131# and cert file created by gen_key() and gen_cert() 154# and cert file created by gen_key() and gen_cert()
132# 155#
133# Access: private 156# Access: private
134gen_pem() { 157gen_pem() {
138 eend $? 161 eend $?
139 162
140 return $? 163 return $?
141} 164}
142 165
166# Removed due to bug 174759
167docert() {
168 eerror "Function \"docert\" has been removed for security reasons."
169 eerror "\"install_cert\" should be used instead. See bug 174759."
170 die
171}
172
173# @FUNCTION: install_cert
174# @USAGE: <certificates>
175# @DESCRIPTION:
143# Uses all the private functions above to generate 176# Uses all the private functions above to generate and install the
144# and install the requested certificates 177# requested certificates.
178# <certificates> are full pathnames relative to ROOT, without extension.
179#
180# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
145# 181#
146# Access: public 182# Access: public
147docert() { 183install_cert() {
148 if [ $# -lt 1 ] ; then 184 if [ $# -lt 1 ] ; then
149 eerror "At least one argument needed" 185 eerror "At least one argument needed"
150 return 1; 186 return 1;
151 fi 187 fi
152 188
153 # Initialize configuration 189 case ${EBUILD_PHASE} in
190 unpack|compile|test|install)
191 eerror "install_cert cannot be called in ${EBUILD_PHASE}"
192 return 1 ;;
193 esac
194
195 # Generate a CA environment #164601
154 gen_cnf || return 1 196 gen_cnf 1 || return 1
155 echo
156
157 # Generate a CA environment
158 gen_key 1 || return 1 197 gen_key 1 || return 1
159 gen_csr 1 || return 1 198 gen_csr 1 || return 1
160 gen_crt 1 || return 1 199 gen_crt 1 || return 1
161 echo 200 echo
162 201
202 gen_cnf || return 1
203 echo
204
163 local count=0 205 local count=0
164 for cert in "$@" ; do 206 for cert in "$@" ; do
165 # Sanitize and check the requested certificate 207 # Check the requested certificate
166 cert="`/usr/bin/basename "${cert}"`"
167 if [ -z "${cert}" ] ; then 208 if [ -z "${cert##*/}" ] ; then
168 ewarn "Invalid certification requested, skipping" 209 ewarn "Invalid certification requested, skipping"
169 continue 210 continue
170 fi 211 fi
171 212
172 # Check for previous existence of generated files 213 # Check for previous existence of generated files
173 for type in key crt pem ; do 214 for type in key csr crt pem ; do
174 if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then 215 if [ -e "${ROOT}${cert}.${type}" ] ; then
175 ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping" 216 ewarn "${ROOT}${cert}.${type}: exists, skipping"
176 continue 2 217 continue 2
177 fi 218 fi
178 done 219 done
179 220
180 # Generate the requested files 221 # Generate the requested files
183 gen_crt || continue 224 gen_crt || continue
184 gen_pem || continue 225 gen_pem || continue
185 echo 226 echo
186 227
187 # Install the generated files and set sane permissions 228 # Install the generated files and set sane permissions
188 local base=`get_base` 229 local base=$(get_base)
230 install -d "${ROOT}${cert%/*}"
189 newins "${base}.key" "${cert}.key" 231 install -m0400 "${base}.key" "${ROOT}${cert}.key"
190 fperms 0400 "${INSDESTTREE}/${cert}.key"
191 newins "${base}.csr" "${cert}.csr" 232 install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
192 fperms 0444 "${INSDESTTREE}/${cert}.csr"
193 newins "${base}.crt" "${cert}.crt" 233 install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
194 fperms 0444 "${INSDESTTREE}/${cert}.crt"
195 newins "${base}.pem" "${cert}.pem" 234 install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
196 fperms 0400 "${INSDESTTREE}/${cert}.pem"
197 count=$((${count}+1)) 235 count=$((${count}+1))
198 done 236 done
199 237
200 # Resulting status 238 # Resulting status
201 if [ ! ${count} ] ; then 239 if [ ${count} = 0 ] ; then
202 eerror "No certificates were generated" 240 eerror "No certificates were generated"
203 return 1 241 return 1
204 elif [ ${count} != ${#} ] ; then 242 elif [ ${count} != ${#} ] ; then
205 ewarn "Some requested certificates were not generated" 243 ewarn "Some requested certificates were not generated"
206 fi 244 fi
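Review bot: The default key size on gen_cnf's new side is still `SSL_BITS="${SSL_BITS:-1024}"`; every ebuild that does not override it will generate 1024-bit RSA keys, which is below what current clients and CAs accept, so the eclass should ship `SSL_BITS="${SSL_BITS:-2048}"` and leave ebuilds free to raise it. Relatedly, `SSL_RANDOM` still names `${T}/environment`, `${T}/eclass-debug.log` and `/etc/resolv.conf`, whose contents are largely predictable; how that variable is passed to openssl (presumably `-rand` in gen_key) is not visible here, and the comment should state whether those files are the sole seed source or only supplement OpenSSL's default seeding, e.g. `# -rand seed files only supplement OpenSSL's own seeding; never the sole entropy source`. In install_cert, `install -d "${ROOT}${cert%/*}"` creates a stray directory named after the certificate when the argument contains no slash, so guard it with `[ "${cert%/*}" != "${cert}" ] && install -d "${ROOT}${cert%/*}"`. The bodies of gen_key, gen_csr and gen_crt start and end outside the visible hunk lines.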
