Revision 1.13 - (show annotations) (download)
Fri Dec 28 17:48:34 2007 UTC (6 years, 8 months ago) by ulm
Branch: MAIN
Changes since 1.12: +32 -7 lines
Sync eclasses from Emacs overlay (revision 894).

elisp-common.eclass:
Install packages' site-init files in site-gentoo.d subdirectory.
Update documentation and einfo messages accordingly.

1 # Copyright 1999-2004 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.12 2007/12/09 08:09:56 ulm Exp $
4 #
5 # @ECLASS: ssl-cert.eclass
6 # @MAINTAINER:
7 # Author: Max Kalika <max@gentoo.org>
8 # @BLURB: Eclass for SSL certificates
9 # @DESCRIPTION:
10 # This eclass implements standard installation procedure for installing
11 # self-signed SSL certificates.
12 # @EXAMPLE:
13 # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
14
# Pull in OpenSSL only when the "ssl" USE flag is enabled, so an ebuild can
# inherit this eclass without dragging in an extra dependency it may not need.
IUSE="ssl"
DEPEND="ssl? ( dev-libs/openssl )"
19
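# @FUNCTION: gen_cnf
# @USAGE:
# @DESCRIPTION:
# Initializes the SSL_* variables and writes the OpenSSL request
# configuration file and the CA serial file into ${T}.
#
# Every SSL_* default may be overridden by the ebuild before the
# install_cert call.  SSL_BITS defaults to 2048: 1024-bit RSA is no
# longer considered adequate (NIST SP 800-131A disallows it), and this
# size is used for both the throw-away CA key and the server key.
# Ebuilds that really need the old size can set SSL_BITS=1024.
#
# Access: private
gen_cnf() {
	# Per-process scratch paths inside the private build temp dir.
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Files handed to "openssl -rand" as extra PRNG seed material.  None of
	# them is secret or high-entropy, so they only supplement OpenSSL's own
	# seeding (normally the kernel RNG) and must not be relied on alone.
	# /dev/u?random is deliberately not listed: it does not work properly as
	# a -rand file on all platforms.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# Defaults; each may be set by the ebuild beforehand.
	SSL_DAYS="${SSL_DAYS:-730}"
	SSL_BITS="${SSL_BITS:-2048}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Starting serial for the CA; "openssl x509 -CAserial" bumps it per cert.
	echo "01" > "${SSL_SERIAL}"

	# Request config: non-interactive, DN taken from the SSL_* variables.
	# NOTE(review): the values are interpolated verbatim, so an override
	# containing a newline or a leading "[" would corrupt the config file.
	ebegin "Generating OpenSSL configuration"
	cat <<EOF > "${SSL_CONF}"
[ req ]
prompt = no
default_bits = ${SSL_BITS}
distinguished_name = req_dn
[ req_dn ]
C = ${SSL_COUNTRY}
ST = ${SSL_STATE}
L = ${SSL_LOCALITY}
O = ${SSL_ORGANIZATION}
OU = ${SSL_UNIT}
CN = ${SSL_COMMONNAME}
emailAddress = ${SSL_EMAIL}
EOF
	eend $?

	return $?
}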
70
# @FUNCTION: get_base
# @USAGE: [if_ca]
# @RETURN: <base path>
# @DESCRIPTION:
# Prints the ${T} path prefix for the generated files: the CA set when any
# argument is given (the CA is created only once), the server set otherwise.
#
# Access: private
get_base() {
	local suffix=server
	[[ -n ${1} ]] && suffix=ca
	printf '%s\n' "${T}/${$}${suffix}"
}
86
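# @FUNCTION: gen_key
# @USAGE: <base path>
# @DESCRIPTION:
# Generates an RSA private key of ${SSL_BITS} bits at <base>.key, for the
# CA when an argument is given, for the server otherwise.
#
# The key is created under a 077 umask: it lives in ${T} until it is
# installed with mode 0400, and private key material should never be
# readable by others even briefly, regardless of ${T}'s own permissions.
#
# Access: private
gen_key() {
	local base
	base=$(get_base "${1}")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# Subshell confines the umask change; output is silenced as before.
	( umask 077
	  /usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
		-out "${base}.key" "${SSL_BITS}" ) &> /dev/null
	eend $?

	return $?
}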
102
# @FUNCTION: gen_csr
# @USAGE: <base path>
# @DESCRIPTION:
# Creates a certificate signing request at <base>.csr from the key that
# gen_key() produced, using the DN from the config written by gen_cnf().
# An argument selects the CA key, none selects the server key.
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "${1}")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -new -config "${SSL_CONF}" \
		-key "${base}.key" -out "${base}.csr" &>/dev/null
	eend $?

	return $?
}
119
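# @FUNCTION: gen_crt
# @USAGE: <base path>
# @DESCRIPTION:
# With an argument: generates a self-signed CA certificate from the CA
# csr and key made by gen_csr() and gen_key().  Without: generates a
# server certificate signed by that CA, consuming a serial number from
# ${SSL_SERIAL}.
#
# Both signatures use SHA-256 explicitly instead of the OpenSSL build's
# default digest, which on older builds is SHA-1 or MD5 -- neither is
# acceptable for certificate signatures any more.
#
# NOTE(review): ${SSL_CONF} is passed as -extfile, but the file written
# by gen_cnf() has only [req] sections and no extensions section, so the
# certificates appear to get no X.509v3 extensions (e.g. no
# basicConstraints CA:TRUE on the CA).  Adding an extensions section to
# gen_cnf() and "-extensions" here is the place to fix that.
#
# Access: private
gen_crt() {
	local base ca
	base=$(get_base "${1}")
	if [[ -n ${1} ]]; then
		ebegin "Generating self-signed X.509 Certificate for CA"
		/usr/bin/openssl x509 -req -sha256 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -signkey "${base}.key" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	else
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		/usr/bin/openssl x509 -req -sha256 -extfile "${SSL_CONF}" \
			-days "${SSL_DAYS}" -CAserial "${SSL_SERIAL}" \
			-CAkey "${ca}.key" -CA "${ca}.crt" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	fi
	eend $?

	return $?
}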
148
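# @FUNCTION: gen_pem
# @USAGE: <base path>
# @DESCRIPTION:
# Builds <base>.pem by concatenating the key and certificate created by
# gen_key() and gen_crt(), separated by a blank line.
#
# The bundle contains the private key, so it is created under a 077
# umask rather than with whatever ${T} and the default umask allow.  The
# function now fails (non-zero) if the key cannot be read; previously the
# status reflected only the last cat, so a missing key went unnoticed and
# a cert-only "pem" was produced.
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "${1}")
	ebegin "Generating PEM Certificate"
	# umask is scoped to the subshell; the redirect happens inside it so the
	# new file picks up the restricted mode.
	( umask 077
	  { cat "${base}.key" && echo && cat "${base}.crt"; } > "${base}.pem" )
	eend $?

	return $?
}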
164
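# @FUNCTION: docert
# @USAGE: <certificates>
# @DESCRIPTION:
# Deprecated predecessor of install_cert(): generates the requested
# certificates at build time and installs them into ${D}${INSDESTTREE}
# with newins/fperms.  Kept only for ebuilds that have not migrated --
# it warns on every call and points at bug #174759.
# <certificates> are bare names; any directory part is stripped.
# Returns 1 if no certificate was installed, 0 otherwise.
#
# Access: public
docert() {
	ewarn "Function \"docert\" is deprecated for security reasons."
	ewarn "\"install_cert\" should be used instead. See bug #174759."

	if [[ $# -lt 1 ]]; then
		eerror "At least one argument needed"
		return 1
	fi

	# Shared config plus a throw-away CA that signs every requested cert.
	gen_cnf || return 1
	echo
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	local cert type base count=0
	for cert in "$@"; do
		# Only the file-name part is honoured; an empty result is bogus.
		cert=$(/usr/bin/basename "${cert}")
		if [[ -z ${cert} ]]; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never clobber existing material.  The csr is checked as well,
		# matching install_cert(), since it is installed below too.
		for type in key csr crt pem; do
			if [[ -e ${D}${INSDESTTREE}/${cert}.${type} ]]; then
				ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Private material (key, pem) is owner-read-only; public parts 0444.
		base=$(get_base)
		newins "${base}.key" "${cert}.key"
		fperms 0400 "${INSDESTTREE}/${cert}.key"
		newins "${base}.csr" "${cert}.csr"
		fperms 0444 "${INSDESTTREE}/${cert}.csr"
		newins "${base}.crt" "${cert}.crt"
		fperms 0444 "${INSDESTTREE}/${cert}.crt"
		newins "${base}.pem" "${cert}.pem"
		fperms 0400 "${INSDESTTREE}/${cert}.pem"
		count=$((count + 1))
	done

	# The former test "[ ! ${count} ]" checked a non-empty string and could
	# never fire, so a run that produced nothing still returned success.
	if [[ ${count} -eq 0 ]]; then
		eerror "No certificates were generated"
		return 1
	elif [[ ${count} -ne $# ]]; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}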
234
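# @FUNCTION: install_cert
# @USAGE: <certificates>
# @DESCRIPTION:
# Uses the private functions above to generate a throw-away CA and the
# requested certificates, then installs them under ${ROOT}:
# <name>.key and <name>.pem mode 0400, <name>.csr and <name>.crt 0444.
# <certificates> are absolute pathnames relative to ROOT, without
# extension; names that are not absolute, or that end in "/", are
# skipped with a warning.  Files that already exist are never replaced.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# Only usable in pkg_* phases: the keys are produced on the target host
# at merge time, not under ${D} during the build as the deprecated
# docert() does (see its warning about bug #174759).
# Returns 1 if no certificate was installed, 0 otherwise.
#
# Access: public
install_cert() {
	if [[ $# -lt 1 ]]; then
		eerror "At least one argument needed"
		return 1
	fi

	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Shared config plus a throw-away CA that signs every requested cert.
	gen_cnf || return 1
	echo
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	local cert type base count=0
	for cert in "$@"; do
		# Require an absolute path with a file-name component.  A relative
		# "foo" would otherwise create a ${ROOT}foo directory next to
		# ${ROOT}foo.key; "/etc/ssl/" has nothing to name the files after.
		if [[ ${cert} != /* || -z ${cert##*/} ]]; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never clobber previously generated material.
		for type in key csr crt pem; do
			if [[ -e ${ROOT}${cert}.${type} ]]; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Private material (key, pem) is owner-read-only; public parts 0444.
		base=$(get_base)
		install -d "${ROOT}${cert%/*}"
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# The former test "[ ! ${count} ]" checked a non-empty string and could
	# never fire, so a run that produced nothing still returned success.
	if [[ ${count} -eq 0 ]]; then
		eerror "No certificates were generated"
		return 1
	elif [[ ${count} -ne $# ]]; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}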
