--- eclass/ssl-cert.eclass 2005/11/30 09:59:20 1.1.1.1
+++ eclass/ssl-cert.eclass 2013/01/03 19:19:55 1.20
@@ -1,17 +1,40 @@
-# Copyright 1999-2004 Gentoo Foundation
+# Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.1.1.1 2005/11/30 09:59:20 chriswhite Exp $
-#
-# Author: Max Kalika
-#
-# This eclass implements standard installation procedure for installing
+# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.20 2013/01/03 19:19:55 alonbl Exp $
+
+# @ECLASS: ssl-cert.eclass
+# @MAINTAINER:
+# @AUTHOR:
+# Max Kalika
+# @BLURB: Eclass for SSL certificates
+# @DESCRIPTION:
+# This eclass implements a standard installation procedure for installing
 # self-signed SSL certificates.
+# @EXAMPLE:
+# "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
+
+# @ECLASS-VARIABLE: SSL_CERT_MANDATORY
+# @DESCRIPTION:
+# Set to non zero if ssl-cert is mandatory for ebuild.
+#
+SSL_CERT_MANDATORY="${SSL_CERT_MANDATORY:-0}"
-# Conditionally depend on OpenSSL: allows inheretence
-# without pulling extra packages if not needed
-DEPEND="ssl? ( dev-libs/openssl )"
-IUSE="ssl"
+# @ECLASS-VARIABLE: SSL_CERT_USE
+# @DESCRIPTION:
+# Use flag to append dependency to.
+#
+SSL_CERT_USE="${SSL_CERT_USE:-ssl}"
+if [[ "${SSL_CERT_MANDATORY}" = 0 ]]; then
+ DEPEND="${SSL_CERT_USE}? ( dev-libs/openssl )"
+ IUSE="${SSL_CERT_USE}"
+else
+ DEPEND="dev-libs/openssl"
+fi
+
+# @FUNCTION: gen_cnf
+# @USAGE:
+# @DESCRIPTION:
 # Initializes variables and generates the needed
 # OpenSSL configuration file and a CA serial file
 #
@@ -26,7 +49,7 @@
 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
 # These can be overridden in the ebuild
- SSL_DAYS="${SSL_BITS:-730}"
+ SSL_DAYS="${SSL_DAYS:-730}"
 SSL_BITS="${SSL_BITS:-1024}"
 SSL_COUNTRY="${SSL_COUNTRY:-US}"
 SSL_STATE="${SSL_STATE:-California}"
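Review bot: The `# @USAGE:` line added under `# @FUNCTION: gen_cnf` is empty, although gen_cnf takes an optional first argument that switches it into CA mode (`gen_cnf 1` in the install_cert hunk, `${1:+ for CA}` and `${1:+ CA}` in the hunks at -40 and -52), so the header should read `# @USAGE: [if_ca]` the way the new get_base header does. The same empty `@USAGE:` is added for gen_key, gen_csr and gen_crt in the hunks at -72, -85 and -99, and all three are likewise called with `1` for the CA pass in the install_cert hunk. `# @MAINTAINER:` and get_base's `# @RETURN:` are left blank as well; the eclass documentation tooling presumably expects a value there, so either fill them in or drop the tags.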
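Review bot: The default key size on the context line directly under the corrected SSL_DAYS default, `SSL_BITS="${SSL_BITS:-1024}"`, still produces 1024-bit RSA keys, which NIST SP 800-131A deprecated for signature generation through 2013 and disallows afterwards; since this hunk already touches the defaults block, it is the natural place to change it to `SSL_BITS="${SSL_BITS:-2048}"` so ebuilds that do not override it stop generating weak self-signed keys and CAs. If the bump is deferred, the ebuild-overridable SSL_* values introduced by the "These can be overridden in the ebuild" comment should at least be documented as `@ECLASS-VARIABLE` entries, with the recommendation to set SSL_BITS to 2048 or more.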
@@ -40,7 +63,7 @@
 echo "01" > "${SSL_SERIAL}"
 # Create the config file
- ebegin "Generating OpenSSL configuration"
+ ebegin "Generating OpenSSL configuration${1:+ for CA}"
 cat <<-EOF > "${SSL_CONF}"
 [ req ]
 prompt = no
@@ -52,7 +75,7 @@
 L = ${SSL_LOCALITY}
 O = ${SSL_ORGANIZATION}
 OU = ${SSL_UNIT}
- CN = ${SSL_COMMONNAME}
+ CN = ${SSL_COMMONNAME}${1:+ CA}
 emailAddress = ${SSL_EMAIL}
 EOF
 eend $?
@@ -60,6 +83,10 @@
 return $?
 }
+# @FUNCTION: get_base
+# @USAGE: [if_ca]
+# @RETURN:
+# @DESCRIPTION:
 # Simple function to determine whether we're creating
 # a CA (which should only be done once) or final part
 #
@@ -72,6 +99,9 @@
 fi
 }
+# @FUNCTION: gen_key
+# @USAGE:
+# @DESCRIPTION:
 # Generates an RSA key
 #
 # Access: private
@@ -85,6 +115,9 @@
 return $?
 }
+# @FUNCTION: gen_csr
+# @USAGE:
+# @DESCRIPTION:
 # Generates a certificate signing request using
 # the key made by gen_key()
 #
@@ -99,6 +132,9 @@
 return $?
 }
+# @FUNCTION: gen_crt
+# @USAGE:
+# @DESCRIPTION:
 # Generates either a self-signed CA certificate using
 # the csr and key made by gen_csr() and gen_key() or
 # a signed server certificate using the CA cert previously
@@ -125,6 +161,9 @@
 return $?
 }
+# @FUNCTION: gen_pem
+# @USAGE:
+# @DESCRIPTION:
 # Generates a PEM file by concatinating the key
 # and cert file created by gen_key() and gen_cert()
 #
@@ -138,39 +177,57 @@
 return $?
 }
-# Uses all the private functions above to generate
-# and install the requested certificates
+# Removed due to bug 174759
+docert() {
+ eerror "Function \"docert\" has been removed for security reasons."
+ eerror "\"install_cert\" should be used instead. See bug 174759."
+ die
+}
+
+# @FUNCTION: install_cert
+# @USAGE:
+# @DESCRIPTION:
+# Uses all the private functions above to generate and install the
+# requested certificates.
+# are full pathnames relative to ROOT, without extension.
+#
+# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
 #
 # Access: public
-docert() {
+install_cert() {
 if [ $# -lt 1 ] ; then
 eerror "At least one argument needed"
 return 1;
 fi
- # Initialize configuration
- gen_cnf || return 1
- echo
+ case ${EBUILD_PHASE} in
+ unpack|compile|test|install)
+ eerror "install_cert cannot be called in ${EBUILD_PHASE}"
+ return 1 ;;
+ esac
- # Generate a CA environment
+ # Generate a CA environment #164601
+ gen_cnf 1 || return 1
 gen_key 1 || return 1
 gen_csr 1 || return 1
 gen_crt 1 || return 1
 echo
+ gen_cnf || return 1
+ echo
+
 local count=0
 for cert in "$@" ; do
- # Sanitize and check the requested certificate
- cert="`/usr/bin/basename "${cert}"`"
- if [ -z "${cert}" ] ; then
+ # Check the requested certificate
+ if [ -z "${cert##*/}" ] ; then
 ewarn "Invalid certification requested, skipping"
 continue
 fi
 # Check for previous existence of generated files
- for type in key crt pem ; do
- if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then
- ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
+ for type in key csr crt pem ; do
+ if [ -e "${ROOT}${cert}.${type}" ] ; then
+ ewarn "${ROOT}${cert}.${type}: exists, skipping"
 continue 2
 fi
 done
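Review bot: The new `case ${EBUILD_PHASE} in` guard lists `unpack|compile|test|install` but not `prepare` or `configure`, so an ebuild can still call install_cert from src_prepare or src_configure even though those are src_* phases exactly like the rejected ones; if the intent behind the #164601 comment is to confine the writes into ${ROOT} to the pkg_* phases, the pattern should read `unpack|prepare|configure|compile|test|install)`. Separately, the replacement check `if [ -z "${cert##*/}" ] ; then` only rejects an empty basename: a relative argument such as `foo` passes and is later glued onto ${ROOT} as `${ROOT}${cert}.${type}` with no separator, which contradicts the "full pathnames relative to ROOT" contract in the new docstring, so a leading-slash test like `case ${cert} in /*) ;; *) ewarn "${cert}: not an absolute path, skipping"; continue ;; esac` belongs next to it. install_cert's body continues in the next hunk.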
@@ -183,20 +240,17 @@
 echo
 # Install the generated files and set sane permissions
- local base=`get_base`
- newins "${base}.key" "${cert}.key"
- fperms 0400 "${INSDESTTREE}/${cert}.key"
- newins "${base}.csr" "${cert}.csr"
- fperms 0444 "${INSDESTTREE}/${cert}.csr"
- newins "${base}.crt" "${cert}.crt"
- fperms 0444 "${INSDESTTREE}/${cert}.crt"
- newins "${base}.pem" "${cert}.pem"
- fperms 0400 "${INSDESTTREE}/${cert}.pem"
+ local base=$(get_base)
+ install -d "${ROOT}${cert%/*}"
+ install -m0400 "${base}.key" "${ROOT}${cert}.key"
+ install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
+ install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
+ install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
 count=$((${count}+1))
 done
 # Resulting status
- if [ ! ${count} ] ; then
+ if [ ${count} = 0 ] ; then
 eerror "No certificates were generated"
 return 1
 elif [ ${count} != ${#} ] ; then
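Review bot: The switch from `newins`/`fperms` into the image to `install` directly under `${ROOT}` means the key, csr, crt and pem files are no longer part of the package's recorded contents, so as far as the package manager is concerned they will persist across unmerge and will not be re-protected on upgrade; the install_cert `@DESCRIPTION` in the previous hunk should say so explicitly, since callers that relied on the old image-based behaviour will otherwise not expect a private key to be left behind. `install -d "${ROOT}${cert%/*}"` also assumes the argument contains a `/`: for a bare name `${cert%/*}` is the whole string, so a stray directory named after the certificate is created beside the files. Finally, `local base=$(get_base)` hides get_base's exit status behind `local`; `local base` followed by `base=$(get_base) || return 1` would match the `|| return 1` convention used for the gen_* calls. install_cert's body starts in the previous hunk.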