Revision 1.19 - (show annotations) (download)
Mon Aug 22 04:46:32 2011 UTC (3 years, 2 months ago) by vapier
Branch: MAIN
Changes since 1.18: +5 -4 lines
fix random bugs in eclass documentation, and convert to new @AUTHOR tag

1 # Copyright 1999-2011 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.18 2010/02/16 14:23:39 pva Exp $
4
5 # @ECLASS: ssl-cert.eclass
6 # @MAINTAINER:
7 # @AUTHOR:
8 # Max Kalika <max@gentoo.org>
9 # @BLURB: Eclass for SSL certificates
10 # @DESCRIPTION:
# This eclass implements a standard procedure for generating and installing
# test SSL certificates at package install time: a throwaway, self-signed CA
# is created in ${T} and used to sign each requested server certificate.
13 # @EXAMPLE:
14 # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
15
# Pull in OpenSSL only when the "ssl" USE flag is enabled, so merely
# inheriting this eclass costs nothing for packages that do not need it.
# NOTE: install_cert() runs /usr/bin/openssl unconditionally, so an ebuild
# must only call it when "ssl" is set (otherwise the dependency is absent).
IUSE="ssl"
DEPEND="ssl? ( dev-libs/openssl )"
20
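# @FUNCTION: gen_cnf
# @USAGE: [if_ca]
# @DESCRIPTION:
# Initializes the SSL_* variables and writes the OpenSSL request
# configuration file plus a fresh CA serial file into ${T}.  When any
# argument is given the generated DN is the CA's (" CA" is appended to
# the CN); otherwise it is the server's.
#
# SSL_DAYS, SSL_BITS, SSL_COUNTRY, SSL_STATE, SSL_LOCALITY,
# SSL_ORGANIZATION, SSL_UNIT, SSL_COMMONNAME and SSL_EMAIL may be set by
# the ebuild before calling install_cert(); the defaults below apply
# otherwise.  Sets SSL_CONF, SSL_SERIAL and SSL_RANDOM for the other
# gen_* helpers.  Returns the status of writing the config file.
#
# Access: private
gen_cnf() {
	# Location of the config file (PID-prefixed so concurrent runs
	# sharing ${T} do not collide)
	SSL_CONF="${T}/${$}ssl.cnf"
	# Location of the CA serial file, consumed by gen_crt() via -CAserial
	SSL_SERIAL="${T}/${$}ca.ser"
	# Files handed to `openssl genrsa -rand` as additional PRNG seed
	# material.  They are low-entropy and only supplement OpenSSL's own
	# seeding; the original author avoided /dev/u?random here because it
	# "doesn't work properly on all platforms".
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# These can be overridden in the ebuild.
	# The default key size is 2048 bits (previously 1024): 1024-bit RSA
	# is deprecated and rejected by many current TLS stacks.  Ebuilds
	# that need another size still set SSL_BITS themselves.
	SSL_DAYS="${SSL_DAYS:-730}"
	SSL_BITS="${SSL_BITS:-2048}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Create (or reset) the CA serial file
	echo "01" > "${SSL_SERIAL}"

	# Create the config file.  The interpolated values are ebuild-controlled
	# settings, not user input, so they are written unescaped.  No
	# extension section is defined, so certificates built from this file
	# carry no X.509v3 extensions.
	ebegin "Generating OpenSSL configuration${1:+ for CA}"
	cat <<-EOF > "${SSL_CONF}"
	[ req ]
	prompt = no
	default_bits = ${SSL_BITS}
	distinguished_name = req_dn
	[ req_dn ]
	C = ${SSL_COUNTRY}
	ST = ${SSL_STATE}
	L = ${SSL_LOCALITY}
	O = ${SSL_ORGANIZATION}
	OU = ${SSL_UNIT}
	CN = ${SSL_COMMONNAME}${1:+ CA}
	emailAddress = ${SSL_EMAIL}
	EOF
	eend $?

	return $?
}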
71
# @FUNCTION: get_base
# @USAGE: [if_ca]
# @RETURN: <base path>
# @DESCRIPTION:
# Prints the PID-prefixed path in ${T} (without extension) that the
# gen_* helpers use for their scratch files: the CA file set when any
# argument is given (the CA is built once per install_cert() run), the
# server file set otherwise.
#
# Access: private
get_base() {
	local kind=server
	[ -n "${1}" ] && kind=ca
	echo "${T}/${$}${kind}"
}
87
# @FUNCTION: gen_key
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates an SSL_BITS-bit RSA private key at "<base>.key", where
# <base> comes from get_base(): the CA key when an argument is given,
# the server key otherwise.  The files listed in SSL_RANDOM (set by
# gen_cnf()) are fed to OpenSSL as extra seed material.  OpenSSL's
# output is discarded; the exit status is reported through eend.
#
# Access: private
gen_key() {
	local base
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	/usr/bin/openssl genrsa \
		-rand "${SSL_RANDOM}" \
		-out "${base}.key" \
		"${SSL_BITS}" &>/dev/null
	eend $?

	return $?
}
103
# @FUNCTION: gen_csr
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates a certificate signing request "<base>.csr" from the key
# "<base>.key" made by gen_key(), using the DN in SSL_CONF written by
# gen_cnf().  With an argument this is the CA's request, otherwise the
# server's.  OpenSSL's output is discarded.
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -new \
		-config "${SSL_CONF}" \
		-key "${base}.key" \
		-out "${base}.csr" &>/dev/null
	eend $?

	return $?
}
120
# @FUNCTION: gen_crt
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates "<base>.crt" from the CSR and key made by gen_csr() and
# gen_key().  With an argument this is the self-signed CA certificate;
# without one it is the server certificate, signed by the CA key and
# certificate previously produced by gen_crt 1, with SSL_SERIAL tracking
# the serial number.  Both are valid for SSL_DAYS days.
#
# Security notes: the CA key and certificate live only in ${T} and are
# never installed, so clients cannot build a chain to this CA and must
# trust the server certificate directly.  SSL_CONF defines no extension
# section, so neither certificate carries X.509v3 extensions (no
# basicConstraints, no subjectAltName) -- these are test certificates.
#
# Access: private
gen_crt() {
	local base ca
	base=$(get_base "$1")
	if [ -z "${1}" ] ; then
		# Server certificate: signed by the CA built earlier in ${T}
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		/usr/bin/openssl x509 -req \
			-extfile "${SSL_CONF}" -days ${SSL_DAYS} \
			-CA "${ca}.crt" -CAkey "${ca}.key" -CAserial "${SSL_SERIAL}" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	else
		# CA certificate: self-signed with its own key
		ebegin "Generating self-signed X.509 Certificate for CA"
		/usr/bin/openssl x509 -req \
			-extfile "${SSL_CONF}" -days ${SSL_DAYS} \
			-signkey "${base}.key" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	fi
	eend $?

	return $?
}
149
# @FUNCTION: gen_pem
# @USAGE: [if_ca]
# @DESCRIPTION:
# Writes "<base>.pem" as the private key from gen_key(), a blank line,
# and the certificate from gen_crt() concatenated.  Because it embeds
# the private key, install_cert() installs the result mode 0400.
# The reported status is that of the final cat.
#
# Access: private
gen_pem() {
	local base
	base=$(get_base "$1")
	ebegin "Generating PEM Certificate"
	{
		cat "${base}.key"
		echo
		cat "${base}.crt"
	} > "${base}.pem"
	eend $?

	return $?
}
165
# @FUNCTION: docert
# @DESCRIPTION:
# Former public entry point, removed for security reasons (bug 174759).
# Kept only as a stub that reports the replacement and dies, so an
# ebuild still calling it fails loudly instead of silently doing nothing.
docert() {
	eerror 'Function "docert" has been removed for security reasons.'
	eerror '"install_cert" should be used instead. See bug 174759.'
	die
}
172
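# @FUNCTION: install_cert
# @USAGE: <certificates>
# @DESCRIPTION:
# Uses all the private functions above to generate and install the
# requested certificates: a throwaway CA is built once in ${T}, then for
# every argument a key, CSR, CA-signed certificate and combined PEM are
# generated and installed under ${ROOT} (key and PEM mode 0400, CSR and
# certificate 0444).  Files that already exist are never overwritten;
# such a certificate is skipped with a warning.
# <certificates> are full pathnames relative to ROOT, without extension.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# The files are written straight into ${ROOT}, not ${D}, so this may only
# be called from pkg_* phases (typically pkg_postinst or pkg_config); the
# src_* phases are rejected.  Returns 1 if no arguments were given, the
# phase is not allowed, or no certificate was generated; a partial result
# only warns.
#
# Access: public
install_cert() {
	local cert type count base

	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Refuse the src_* phases: writing into the live ${ROOT} from the
	# build bypasses the image directory and Portage's file tracking.
	# prepare and configure (EAPI 2+) are rejected alongside the phases
	# the original list already covered, for the same reason.
	case ${EBUILD_PHASE} in
		unpack|prepare|configure|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	# Generate a CA environment #164601
	gen_cnf 1 || return 1
	gen_key 1 || return 1
	gen_csr 1 || return 1
	gen_crt 1 || return 1
	echo

	# Server DN/config (no " CA" suffix); reuses the serial file
	gen_cnf || return 1
	echo

	count=0
	for cert in "$@" ; do
		# Reject paths with an empty basename (trailing "/")
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never clobber an existing key or certificate: if any of the
		# four files is present, skip this certificate entirely
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files; a failure skips this certificate
		gen_key || continue
		gen_csr || continue
		gen_crt || continue
		gen_pem || continue
		echo

		# Install the generated files and set sane permissions:
		# private material (key, PEM) is owner-read-only
		base=$(get_base)
		install -d "${ROOT}${cert%/*}"
		install -m0400 "${base}.key" "${ROOT}${cert}.key"
		install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
		install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
		install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
		count=$((count + 1))
	done

	# Resulting status
	if [ "${count}" = 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ "${count}" != "${#}" ] ; then
		ewarn "Some requested certificates were not generated"
	fi
}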
