Revision 1.14 - (show annotations) (download)
Fri Dec 28 17:51:03 2007 UTC (6 years, 6 months ago) by ulm
Branch: MAIN
Changes since 1.13: +6 -31 lines
Revert accidental commit of ssl-cert.eclass.

1 # Copyright 1999-2004 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.12 2007/12/09 08:09:56 ulm Exp $
4 #
5 # Author: Max Kalika <max@gentoo.org>
6 #
7 # This eclass implements standard installation procedure for installing
8 # self-signed SSL certificates.
9
# Pull in OpenSSL only when the ebuild is built with USE=ssl, so that
# merely inheriting this eclass costs nothing for ssl-less builds.
IUSE="ssl"
DEPEND="ssl? ( dev-libs/openssl )"
14
# Initialize the SSL_* variables, write the OpenSSL request configuration
# and create the CA serial file, all under ${T}.
#
# Every SSL_* knob may be pre-set by the ebuild; only unset or empty ones
# receive the defaults below.  Two caveats a caller should know about:
#   - the 1024-bit default for SSL_BITS is far below what current practice
#     considers adequate for an RSA key; ebuilds should set SSL_BITS=2048
#     or higher rather than rely on it.
#   - the request carries only a subject DN (no subjectAltName and no other
#     extension section), so the certificate names its host via CN alone.
#
# Globals written: SSL_CONF, SSL_SERIAL, SSL_RANDOM, SSL_DAYS, SSL_BITS,
#   SSL_COUNTRY, SSL_STATE, SSL_LOCALITY, SSL_ORGANIZATION, SSL_UNIT,
#   SSL_COMMONNAME, SSL_EMAIL
# Returns: the status of writing the configuration file
#
# Access: private
gen_cnf() {
	# Work files; the PID keeps concurrent users of one ${T} apart.
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Extra seed material for "openssl -rand".  These files are neither
	# secret nor high-entropy; they only top up OpenSSL's pool, which on
	# Linux is still seeded from the platform RNG.  /dev/u?random is
	# deliberately not listed: it does not work properly on all platforms.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# Defaults, applied only where the ebuild has not set a value
	: "${SSL_DAYS:=730}"
	: "${SSL_BITS:=1024}"
	: "${SSL_COUNTRY:=US}"
	: "${SSL_STATE:=California}"
	: "${SSL_LOCALITY:=Santa Barbara}"
	: "${SSL_ORGANIZATION:=SSL Server}"
	: "${SSL_UNIT:=For Testing Purposes Only}"
	: "${SSL_COMMONNAME:=localhost}"
	: "${SSL_EMAIL:=root@localhost}"

	# Serial number file consumed by "openssl x509 -CAserial" in gen_crt()
	printf '01\n' > "${SSL_SERIAL}"

	# Non-interactive request section plus the subject DN
	ebegin "Generating OpenSSL configuration"
	printf '%s\n' \
		"[ req ]" \
		"prompt = no" \
		"default_bits = ${SSL_BITS}" \
		"distinguished_name = req_dn" \
		"[ req_dn ]" \
		"C = ${SSL_COUNTRY}" \
		"ST = ${SSL_STATE}" \
		"L = ${SSL_LOCALITY}" \
		"O = ${SSL_ORGANIZATION}" \
		"OU = ${SSL_UNIT}" \
		"CN = ${SSL_COMMONNAME}" \
		"emailAddress = ${SSL_EMAIL}" \
		> "${SSL_CONF}"
	eend $?

	return $?
}
62
# Path prefix (under ${T}) for the work files of one key/cert set.
# The CA set is meant to be produced once per run; the server set once
# per requested certificate.
#
# Arguments: $1 - non-empty selects the CA set, empty the server set
# Outputs:  the prefix on stdout; callers append .key/.csr/.crt/.pem
#
# Access: private
get_base() {
	local role=server
	[ -n "${1}" ] && role=ca
	printf '%s\n' "${T}/${$}${role}"
}
74
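# Generate an RSA private key of SSL_BITS bits into <base>.key.
#
# Arguments: $1 - non-empty to generate the CA key, empty for the server key
# Globals read: SSL_BITS, SSL_RANDOM (set by gen_cnf())
# Returns: openssl's exit status; its output is discarded, so eend is the
#   only visible indication of failure
#
# Access: private
gen_key() {
	local base
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# The key is private material: create it owner-only from the start
	# instead of relying on the ambient umask until the 0400 install later.
	# -rand only adds the non-secret seed files chosen by gen_cnf() to
	# OpenSSL's pool; on Linux the platform RNG remains the entropy source.
	(
		umask 077
		/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
			-out "${base}.key" "${SSL_BITS}" >/dev/null 2>&1
	)
	eend $?

	return $?
}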
87
# Build a certificate signing request from the key gen_key() produced.
#
# Arguments: $1 - non-empty for the CA request, empty for the server request
# Globals read: SSL_CONF (subject DN and key size, written by gen_cnf())
# Returns: openssl's exit status; its output is discarded
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -new -config "${SSL_CONF}" \
		-key "${base}.key" -out "${base}.csr" >/dev/null 2>&1
	eend $?

	return $?
}
101
# Turn a CSR into an X.509 certificate valid for SSL_DAYS days.
#
# With $1 set, the CA request is self-signed with its own key.  Otherwise
# the server request is signed by the CA produced earlier in the same run,
# using SSL_SERIAL for the serial number.  Note that the CA key and
# certificate live only under ${T}: nothing in this eclass installs them,
# so the CA cannot issue further certificates later and the installed
# server certificate is effectively what peers must pin or trust.
# The configuration written by gen_cnf() contains no extension section,
# so no X.509v3 extensions (basicConstraints, subjectAltName, ...) are
# requested here.
#
# Arguments: $1 - non-empty for the CA certificate, empty for the server one
# Globals read: SSL_CONF, SSL_DAYS, SSL_SERIAL
# Returns: openssl's exit status; its output is discarded
#
# Access: private
gen_crt() {
	local base ca
	local -a signer=()
	base=$(get_base "$1")
	if [ -n "${1}" ] ; then
		ebegin "Generating self-signed X.509 Certificate for CA"
		signer=( -signkey "${base}.key" )
	else
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		signer=( -CAserial "${SSL_SERIAL}" -CAkey "${ca}.key" -CA "${ca}.crt" )
	fi
	/usr/bin/openssl x509 -req -days "${SSL_DAYS}" -extfile "${SSL_CONF}" \
		"${signer[@]}" -in "${base}.csr" -out "${base}.crt" >/dev/null 2>&1
	eend $?

	return $?
}
127
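# Bundle the key and certificate made by gen_key()/gen_crt() into one
# PEM file (<base>.pem): key, a blank line, then the certificate.
#
# Arguments: $1 - non-empty for the CA set, empty for the server set
# Returns: non-zero if either input could not be read.  (The previous
#   version reported only the status of the last cat, so a missing key
#   yielded a certificate-only .pem and a success status.)
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "$1")
	ebegin "Generating PEM Certificate"
	# The bundle contains the private key, so create it owner-only rather
	# than with the ambient umask; it sits in ${T} until installed as 0400.
	(
		umask 077
		{ cat "${base}.key" && echo && cat "${base}.crt"; } > "${base}.pem"
	)
	eend $?

	return $?
}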
140
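# Generate a throw-away CA plus a CA-signed key/cert set for every name
# given, and install them below ${D}${INSDESTTREE} via newins/fperms.
#
# Deprecated for security reasons (bug #174759) in favour of install_cert();
# unlike install_cert(), this writes the generated private key into the
# image directory ${D} at build time.  Kept only so existing callers work.
#
# Usage: docert <name>...
#   each <name> is reduced to its basename and produces
#   ${INSDESTTREE}/<name>.{key,csr,crt,pem} in the image
# Returns: 1 if no argument was given, the configuration or the CA could
#   not be generated, or no certificate at all was produced; 0 otherwise
#   (a partial result only warns)
#
# Access: public
docert() {
	local cert type base count=0

	ewarn "Function \"docert\" is deprecated for security reasons."
	ewarn "\"install_cert\" should be used instead. See bug #174759."

	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	for cert in "$@" ; do
		# Only the basename is kept, so a name cannot escape INSDESTTREE
		cert=$(/usr/bin/basename "${cert}")
		if [ -z "${cert}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never overwrite files already present in the image.  Only the
		# key/crt/pem are checked (not the csr), as before.
		for type in key crt pem ; do
			if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then
				ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install; private material is owner-read-only, public parts 0444
		base=$(get_base)
		newins "${base}.key" "${cert}.key"
		fperms 0400 "${INSDESTTREE}/${cert}.key"
		newins "${base}.csr" "${cert}.csr"
		fperms 0444 "${INSDESTTREE}/${cert}.csr"
		newins "${base}.crt" "${cert}.crt"
		fperms 0444 "${INSDESTTREE}/${cert}.crt"
		newins "${base}.pem" "${cert}.pem"
		fperms 0400 "${INSDESTTREE}/${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status.  This used to be "[ ! ${count} ]", a non-empty
	# string test that is never true for "0", so a run that produced no
	# certificate at all returned success.  Compare numerically instead.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}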
210
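# Generate a throw-away CA plus a CA-signed key/cert set for every path
# given, and install them directly into the live filesystem under ${ROOT}.
#
# Usage: install_cert <certificates>
# where <certificates> are full pathnames relative to ROOT, without extension.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# Because it writes to ${ROOT} rather than the image, the build phases
# unpack/compile/test/install are refused; it is meant for a pkg_* phase
# (typically pkg_postinst).  Files are created with install(1) as the
# invoking user, key and pem 0400, csr and crt 0444.  Existing files are
# never overwritten; a set with any file already present is skipped.
#
# Returns: 1 if no argument was given, the phase is not allowed, the
#   configuration or the CA could not be generated, or no certificate at
#   all was installed; 0 otherwise (a partial result only warns)
#
# Access: public
install_cert() {
	local cert type base count=0

	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Initialize configuration
	gen_cnf || return 1
	echo

	# Generate a CA environment
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	for cert in "$@" ; do
		# A path without a final component has nothing to name the files
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never overwrite an existing key or certificate on the system
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install; private material is owner-read-only, public parts 0444
		base=$(get_base)
		install -d "${ROOT}${cert%/*}"
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status.  This used to be "[ ! ${count} ]", a non-empty
	# string test that is never true for "0", so a run that installed no
	# certificate at all returned success.  Compare numerically instead.
	if [ "${count}" -eq 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" -ne $# ] ; then
		ewarn "Some requested certificates were not generated"
	fi
	return 0
}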
