/[gentoo-x86]/eclass/ssl-cert.eclass
Gentoo

Contents of /eclass/ssl-cert.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.21 - (show annotations) (download)
Thu Mar 20 19:30:32 2014 UTC (6 months, 1 week ago) by vapier
Branch: MAIN
Changes since 1.20: +10 -12 lines
misc style fixes -- do not hardcode full path to `openssl`

1 # Copyright 1999-2014 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.20 2013/01/03 19:19:55 alonbl Exp $
4
5 # @ECLASS: ssl-cert.eclass
6 # @MAINTAINER:
7 # @AUTHOR:
8 # Max Kalika <max@gentoo.org>
9 # @BLURB: Eclass for SSL certificates
10 # @DESCRIPTION:
11 # This eclass implements a standard installation procedure for installing
12 # self-signed SSL certificates.
13 # @EXAMPLE:
14 # "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
15
16 # @ECLASS-VARIABLE: SSL_CERT_MANDATORY
17 # @DESCRIPTION:
18 # Set to non zero if ssl-cert is mandatory for ebuild.
19 : ${SSL_CERT_MANDATORY:=0}
20
21 # @ECLASS-VARIABLE: SSL_CERT_USE
22 # @DESCRIPTION:
23 # Use flag to append dependency to.
24 : ${SSL_CERT_USE:=ssl}
25
26 if [[ "${SSL_CERT_MANDATORY}" == "0" ]]; then
27 DEPEND="${SSL_CERT_USE}? ( dev-libs/openssl )"
28 IUSE="${SSL_CERT_USE}"
29 else
30 DEPEND="dev-libs/openssl"
31 fi
32
33 # @FUNCTION: gen_cnf
34 # @USAGE:
35 # @DESCRIPTION:
36 # Initializes variables and generates the needed
37 # OpenSSL configuration file and a CA serial file
38 #
39 # Access: private
40 gen_cnf() {
41 # Location of the config file
42 SSL_CONF="${T}/${$}ssl.cnf"
43 # Location of the CA serial file
44 SSL_SERIAL="${T}/${$}ca.ser"
45 # Location of some random files OpenSSL can use: don't use
46 # /dev/u?random here -- doesn't work properly on all platforms
47 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
48
49 # These can be overridden in the ebuild
50 SSL_DAYS="${SSL_DAYS:-730}"
51 SSL_BITS="${SSL_BITS:-1024}"
52 SSL_COUNTRY="${SSL_COUNTRY:-US}"
53 SSL_STATE="${SSL_STATE:-California}"
54 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
55 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
56 SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}"
57 SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}"
58 SSL_EMAIL="${SSL_EMAIL:-root@localhost}"
59
60 # Create the CA serial file
61 echo "01" > "${SSL_SERIAL}"
62
63 # Create the config file
64 ebegin "Generating OpenSSL configuration${1:+ for CA}"
65 cat <<-EOF > "${SSL_CONF}"
66 [ req ]
67 prompt = no
68 default_bits = ${SSL_BITS}
69 distinguished_name = req_dn
70 [ req_dn ]
71 C = ${SSL_COUNTRY}
72 ST = ${SSL_STATE}
73 L = ${SSL_LOCALITY}
74 O = ${SSL_ORGANIZATION}
75 OU = ${SSL_UNIT}
76 CN = ${SSL_COMMONNAME}${1:+ CA}
77 emailAddress = ${SSL_EMAIL}
78 EOF
79 eend $?
80
81 return $?
82 }
83
84 # @FUNCTION: get_base
85 # @USAGE: [if_ca]
86 # @RETURN: <base path>
87 # @DESCRIPTION:
88 # Simple function to determine whether we're creating
89 # a CA (which should only be done once) or final part
90 #
91 # Access: private
92 get_base() {
93 if [ "${1}" ] ; then
94 echo "${T}/${$}ca"
95 else
96 echo "${T}/${$}server"
97 fi
98 }
99
100 # @FUNCTION: gen_key
101 # @USAGE: <base path>
102 # @DESCRIPTION:
103 # Generates an RSA key
104 #
105 # Access: private
106 gen_key() {
107 local base=`get_base $1`
108 ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
109 openssl genrsa -rand "${SSL_RANDOM}" \
110 -out "${base}.key" "${SSL_BITS}" &> /dev/null
111 eend $?
112
113 return $?
114 }
115
116 # @FUNCTION: gen_csr
117 # @USAGE: <base path>
118 # @DESCRIPTION:
119 # Generates a certificate signing request using
120 # the key made by gen_key()
121 #
122 # Access: private
123 gen_csr() {
124 local base=`get_base $1`
125 ebegin "Generating Certificate Signing Request${1:+ for CA}"
126 openssl req -config "${SSL_CONF}" -new \
127 -key "${base}.key" -out "${base}.csr" &>/dev/null
128 eend $?
129
130 return $?
131 }
132
133 # @FUNCTION: gen_crt
134 # @USAGE: <base path>
135 # @DESCRIPTION:
136 # Generates either a self-signed CA certificate using
137 # the csr and key made by gen_csr() and gen_key() or
138 # a signed server certificate using the CA cert previously
139 # created by gen_crt()
140 #
141 # Access: private
142 gen_crt() {
143 local base=`get_base $1`
144 if [ "${1}" ] ; then
145 ebegin "Generating self-signed X.509 Certificate for CA"
146 openssl x509 -extfile "${SSL_CONF}" \
147 -days ${SSL_DAYS} -req -signkey "${base}.key" \
148 -in "${base}.csr" -out "${base}.crt" &>/dev/null
149 else
150 local ca=`get_base 1`
151 ebegin "Generating authority-signed X.509 Certificate"
152 openssl x509 -extfile "${SSL_CONF}" \
153 -days ${SSL_DAYS} -req -CAserial "${SSL_SERIAL}" \
154 -CAkey "${ca}.key" -CA "${ca}.crt" \
155 -in "${base}.csr" -out "${base}.crt" &>/dev/null
156 fi
157 eend $?
158
159 return $?
160 }
161
162 # @FUNCTION: gen_pem
163 # @USAGE: <base path>
164 # @DESCRIPTION:
165 # Generates a PEM file by concatinating the key
166 # and cert file created by gen_key() and gen_cert()
167 #
168 # Access: private
169 gen_pem() {
170 local base=`get_base $1`
171 ebegin "Generating PEM Certificate"
172 (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem"
173 eend $?
174
175 return $?
176 }
177
178 # Removed due to bug 174759
179 docert() {
180 eerror "Function \"docert\" has been removed for security reasons."
181 eerror "\"install_cert\" should be used instead. See bug 174759."
182 die
183 }
184
185 # @FUNCTION: install_cert
186 # @USAGE: <certificates>
187 # @DESCRIPTION:
188 # Uses all the private functions above to generate and install the
189 # requested certificates.
190 # <certificates> are full pathnames relative to ROOT, without extension.
191 #
192 # Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
193 #
194 # Access: public
195 install_cert() {
196 if [ $# -lt 1 ] ; then
197 eerror "At least one argument needed"
198 return 1;
199 fi
200
201 case ${EBUILD_PHASE} in
202 unpack|compile|test|install)
203 eerror "install_cert cannot be called in ${EBUILD_PHASE}"
204 return 1 ;;
205 esac
206
207 # Generate a CA environment #164601
208 gen_cnf 1 || return 1
209 gen_key 1 || return 1
210 gen_csr 1 || return 1
211 gen_crt 1 || return 1
212 echo
213
214 gen_cnf || return 1
215 echo
216
217 local count=0
218 for cert in "$@" ; do
219 # Check the requested certificate
220 if [ -z "${cert##*/}" ] ; then
221 ewarn "Invalid certification requested, skipping"
222 continue
223 fi
224
225 # Check for previous existence of generated files
226 for type in key csr crt pem ; do
227 if [ -e "${ROOT}${cert}.${type}" ] ; then
228 ewarn "${ROOT}${cert}.${type}: exists, skipping"
229 continue 2
230 fi
231 done
232
233 # Generate the requested files
234 gen_key || continue
235 gen_csr || continue
236 gen_crt || continue
237 gen_pem || continue
238 echo
239
240 # Install the generated files and set sane permissions
241 local base=$(get_base)
242 install -d "${ROOT}${cert%/*}"
243 install -m0400 "${base}.key" "${ROOT}${cert}.key"
244 install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
245 install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
246 install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
247 : $(( ++count ))
248 done
249
250 # Resulting status
251 if [ ${count} = 0 ] ; then
252 eerror "No certificates were generated"
253 return 1
254 elif [ ${count} != ${#} ] ; then
255 ewarn "Some requested certificates were not generated"
256 fi
257 }

  ViewVC Help
Powered by ViewVC 1.1.20