Contents of /eclass/ssl-cert.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.20 - (show annotations) (download)
Thu Jan 3 19:19:55 2013 UTC (21 months, 2 weeks ago) by alonbl
Branch: MAIN
Changes since 1.19: +19 -5 lines
ssl-cert - support mandatory enrollment and custom USE flag

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.19 2011/08/22 04:46:32 vapier Exp $

# @ECLASS: ssl-cert.eclass
# @MAINTAINER:
# @AUTHOR:
# Max Kalika <max@gentoo.org>
# @BLURB: Eclass for SSL certificates
# @DESCRIPTION:
# This eclass implements a standard installation procedure for installing
# locally generated SSL certificates: each requested certificate is signed
# by a throw-away CA that is created at install time and never installed.
# @EXAMPLE:
# "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}

# @ECLASS-VARIABLE: SSL_CERT_MANDATORY
# @DESCRIPTION:
# Set to non zero if ssl-cert is mandatory for ebuild.
# Must be set before the eclass is inherited, since DEPEND/IUSE are
# computed at inherit time.
#
SSL_CERT_MANDATORY="${SSL_CERT_MANDATORY:-0}"

# @ECLASS-VARIABLE: SSL_CERT_USE
# @DESCRIPTION:
# Use flag to append dependency to (only used when SSL_CERT_MANDATORY is 0).
#
SSL_CERT_USE="${SSL_CERT_USE:-ssl}"

# Optional enrollment: openssl is only pulled in behind the USE flag and
# the flag is exposed in IUSE.  Mandatory enrollment: hard dependency,
# no flag.
case ${SSL_CERT_MANDATORY} in
	0)
		IUSE="${SSL_CERT_USE}"
		DEPEND="${SSL_CERT_USE}? ( dev-libs/openssl )"
		;;
	*)
		DEPEND="dev-libs/openssl"
		;;
esac

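# @FUNCTION: gen_cnf
# @USAGE: [if_ca]
# @DESCRIPTION:
# Initializes the SSL_* variables and writes the OpenSSL request
# configuration file (SSL_CONF) and the CA serial file (SSL_SERIAL)
# under ${T}.  A non-empty argument means the configuration is for the
# throw-away CA, whose common name gets " CA" appended.
# Returns non-zero if either file could not be written.
#
# Access: private
gen_cnf() {
	local ret

	# Scratch files under ${T}; the PID in the name keeps concurrent
	# users of this eclass from clobbering each other's files.
	SSL_CONF="${T}/${$}ssl.cnf"
	SSL_SERIAL="${T}/${$}ca.ser"
	# Extra seed files handed to "openssl -rand".  NOTE(review): as far
	# as I know -rand only adds to OpenSSL's own RNG seeding, so key
	# strength does not rest on these (predictable) files alone.
	# /dev/u?random is deliberately not listed: it doesn't work
	# properly on all platforms.
	SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"

	# Defaults; each can be overridden by the ebuild before install_cert.
	SSL_DAYS="${SSL_DAYS:-730}"
	# 2048-bit RSA is the smallest modulus still considered adequate;
	# the former 1024-bit default is no longer acceptable for TLS keys.
	SSL_BITS="${SSL_BITS:-2048}"
	SSL_COUNTRY="${SSL_COUNTRY:-US}"
	SSL_STATE="${SSL_STATE:-California}"
	SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
	SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
	SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
	SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
	SSL_EMAIL="${SSL_EMAIL:-root@localhost}"

	# Create the CA serial file.  install_cert builds a fresh CA on
	# every call, so restarting the serial counter at 01 is fine.
	if ! echo "01" > "${SSL_SERIAL}" ; then
		eerror "Unable to write ${SSL_SERIAL}"
		return 1
	fi

	# Create the config file.  Values are substituted verbatim, so the
	# SSL_* variables must not contain newlines or OpenSSL config syntax.
	ebegin "Generating OpenSSL configuration${1:+ for CA}"
	printf '%s\n' \
		"[ req ]" \
		"prompt = no" \
		"default_bits = ${SSL_BITS}" \
		"distinguished_name = req_dn" \
		"[ req_dn ]" \
		"C = ${SSL_COUNTRY}" \
		"ST = ${SSL_STATE}" \
		"L = ${SSL_LOCALITY}" \
		"O = ${SSL_ORGANIZATION}" \
		"OU = ${SSL_UNIT}" \
		"CN = ${SSL_COMMONNAME}${1:+ CA}" \
		"emailAddress = ${SSL_EMAIL}" > "${SSL_CONF}"
	ret=$?
	eend ${ret}
	return ${ret}
}
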
# @FUNCTION: get_base
# @USAGE: [if_ca]
# @RETURN: <base path>
# @DESCRIPTION:
# Prints the extension-less path prefix of the scratch files in ${T}:
# the CA files for any non-empty argument, the server files otherwise.
# The PID is part of the name so that parallel invocations do not share
# files.
#
# Access: private
get_base() {
	local role=server
	[ -n "${1}" ] && role=ca
	echo "${T}/${$}${role}"
}

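# @FUNCTION: gen_key
# @USAGE: [if_ca]
# @DESCRIPTION:
# Generates an RSA private key of SSL_BITS bits into <base>.key, where
# <base> comes from get_base() (CA for a non-empty argument, server
# otherwise).  The key is created under a 077 umask so it is never
# group- or world-readable while it sits in ${T}; install_cert later
# copies it into place with mode 0400.
# Returns the openssl exit status.
#
# Access: private
gen_key() {
	local base ret
	base=$(get_base "$1")
	ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
	# Subshell keeps the umask change local to this one command.
	(
		umask 077
		/usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \
			-out "${base}.key" "${SSL_BITS}" &> /dev/null
	)
	ret=$?
	eend ${ret}
	return ${ret}
}
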
# @FUNCTION: gen_csr
# @USAGE: [if_ca]
# @DESCRIPTION:
# Creates a certificate signing request <base>.csr from the key
# <base>.key made by gen_key(), using the subject configured in
# SSL_CONF (written by gen_cnf()).  The CA request is selected by a
# non-empty argument.  Returns the openssl exit status.
#
# Access: private
gen_csr() {
	local base
	base=$(get_base "$1")
	ebegin "Generating Certificate Signing Request${1:+ for CA}"
	/usr/bin/openssl req -new -config "${SSL_CONF}" \
		-key "${base}.key" -out "${base}.csr" &>/dev/null
	eend $?
	return $?
}

# @FUNCTION: gen_crt
# @USAGE: [if_ca]
# @DESCRIPTION:
# Turns <base>.csr into <base>.crt.  With a non-empty argument the CA
# request is self-signed with the CA key; otherwise the server request
# is signed by the CA certificate/key produced earlier, consuming one
# serial number from SSL_SERIAL.  Validity is SSL_DAYS days.
# NOTE(review): the config written by gen_cnf() defines no extension
# section, so as far as I can tell neither certificate carries X.509v3
# extensions (no basicConstraints on the CA, no subjectAltName on the
# server cert) - fine for throw-away test certs, worth knowing otherwise.
# Returns the openssl exit status.
#
# Access: private
gen_crt() {
	local base ca
	base=$(get_base "$1")
	if [ -z "${1}" ] ; then
		ca=$(get_base 1)
		ebegin "Generating authority-signed X.509 Certificate"
		/usr/bin/openssl x509 -req -extfile "${SSL_CONF}" -days ${SSL_DAYS} \
			-CA "${ca}.crt" -CAkey "${ca}.key" -CAserial "${SSL_SERIAL}" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	else
		ebegin "Generating self-signed X.509 Certificate for CA"
		/usr/bin/openssl x509 -req -extfile "${SSL_CONF}" -days ${SSL_DAYS} \
			-signkey "${base}.key" \
			-in "${base}.csr" -out "${base}.crt" &>/dev/null
	fi
	eend $?
	return $?
}

164 # @FUNCTION: gen_pem
165 # @USAGE: <base path>
166 # @DESCRIPTION:
167 # Generates a PEM file by concatinating the key
168 # and cert file created by gen_key() and gen_cert()
169 #
170 # Access: private
171 gen_pem() {
172 local base=`get_base $1`
173 ebegin "Generating PEM Certificate"
174 (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem"
175 eend $?
176
177 return $?
178 }
179
# Removed due to bug 174759.  Kept only as a tombstone: any caller gets
# an explanatory error and the ebuild dies, pointing at install_cert.
docert() {
	local msg
	for msg in \
		"Function \"docert\" has been removed for security reasons." \
		"\"install_cert\" should be used instead. See bug 174759." ; do
		eerror "${msg}"
	done
	die
}

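# @FUNCTION: install_cert
# @USAGE: <certificates>
# @DESCRIPTION:
# Uses all the private functions above to generate and install the
# requested certificates.
# <certificates> are full pathnames relative to ROOT, without extension.
#
# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
#
# A throw-away CA is generated first (#164601) and every requested
# certificate is signed by it; the CA itself is never installed.
# Existing files are not overwritten.  Key and pem files are installed
# mode 0400, csr and crt mode 0444.  Private key material left in ${T}
# is removed before returning.  Returns 1 if no certificate was
# generated (or on a usage/phase error), 0 otherwise - with a warning
# when only some of the requested certificates were produced.
#
# Access: public
install_cert() {
	local cert type base ca count=0

	if [ $# -lt 1 ] ; then
		eerror "At least one argument needed"
		return 1
	fi

	# Certificates go onto the live system, never into the build image.
	case ${EBUILD_PHASE} in
		unpack|compile|test|install)
			eerror "install_cert cannot be called in ${EBUILD_PHASE}"
			return 1 ;;
	esac

	ca=$(get_base 1)
	base=$(get_base)

	# Generate a CA environment #164601
	if ! { gen_cnf 1 && gen_key 1 && gen_csr 1 && gen_crt 1; } ; then
		rm -f "${ca}.key"
		return 1
	fi
	echo

	# Switch SSL_CONF over to the server subject for the real requests
	if ! gen_cnf ; then
		rm -f "${ca}.key"
		return 1
	fi
	echo

	for cert in "$@" ; do
		# Reject names without a basename (empty or ending in a slash)
		if [ -z "${cert##*/}" ] ; then
			ewarn "Invalid certification requested, skipping"
			continue
		fi

		# Never clobber a certificate (or key) that is already present
		for type in key csr crt pem ; do
			if [ -e "${ROOT}${cert}.${type}" ] ; then
				ewarn "${ROOT}${cert}.${type}: exists, skipping"
				continue 2
			fi
		done

		# Generate the requested files; any failure skips this one
		if ! { gen_key && gen_csr && gen_crt && gen_pem; } ; then
			continue
		fi
		echo

		# Install with sane permissions.  Only count the certificate when
		# every file made it, so a failed install is not reported as
		# success.
		if install -d "${ROOT}${cert%/*}" \
			&& install -m0400 "${base}.key" "${ROOT}${cert}.key" \
			&& install -m0444 "${base}.csr" "${ROOT}${cert}.csr" \
			&& install -m0444 "${base}.crt" "${ROOT}${cert}.crt" \
			&& install -m0400 "${base}.pem" "${ROOT}${cert}.pem" ; then
			count=$((count + 1))
		else
			eerror "Failed to install ${ROOT}${cert}.{key,csr,crt,pem}"
		fi
	done

	# Don't leave private keys lying around in ${T}
	rm -f "${ca}.key" "${base}.key" "${base}.pem"

	# Resulting status
	if [ ${count} = 0 ] ; then
		eerror "No certificates were generated"
		return 1
	elif [ ${count} != ${#} ] ; then
		ewarn "Some requested certificates were not generated"
	fi
}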
