/[gentoo-x86]/eclass/ssl-cert.eclass

Diff of /eclass/ssl-cert.eclass


Revision 1.1.1.1 Revision 1.24
1# Copyright 1999-2004 Gentoo Foundation 1# Copyright 1999-2014 Gentoo Foundation
2# Distributed under the terms of the GNU General Public License v2 2# Distributed under the terms of the GNU General Public License v2
3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.1.1.1 2005/11/30 09:59:20 chriswhite Exp $ 3# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.24 2014/03/20 19:33:13 vapier Exp $
4# 4
5# @ECLASS: ssl-cert.eclass
6# @MAINTAINER:
7# @AUTHOR:
5# Author: Max Kalika <max@gentoo.org> 8# Max Kalika <max@gentoo.org>
6# 9# @BLURB: Eclass for SSL certificates
10# @DESCRIPTION:
7# This eclass implements standard installation procedure for installing 11# This eclass implements a standard installation procedure for installing
8# self-signed SSL certificates. 12# self-signed SSL certificates.
13# @EXAMPLE:
14# "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
9 15
10# Conditionally depend on OpenSSL: allows inheretence 16# @ECLASS-VARIABLE: SSL_CERT_MANDATORY
11# without pulling extra packages if not needed 17# @DESCRIPTION:
18# Set to non zero if ssl-cert is mandatory for ebuild.
19: ${SSL_CERT_MANDATORY:=0}
20
21# @ECLASS-VARIABLE: SSL_CERT_USE
22# @DESCRIPTION:
23# Use flag to append dependency to.
24: ${SSL_CERT_USE:=ssl}
25
26if [[ "${SSL_CERT_MANDATORY}" == "0" ]]; then
27 DEPEND="${SSL_CERT_USE}? ( dev-libs/openssl )"
28 IUSE="${SSL_CERT_USE}"
29else
12DEPEND="ssl? ( dev-libs/openssl )" 30 DEPEND="dev-libs/openssl"
13IUSE="ssl" 31fi
14 32
33# @FUNCTION: gen_cnf
34# @USAGE:
35# @DESCRIPTION:
15# Initializes variables and generates the needed 36# Initializes variables and generates the needed
16# OpenSSL configuration file and a CA serial file 37# OpenSSL configuration file and a CA serial file
17# 38#
18# Access: private 39# Access: private
19gen_cnf() { 40gen_cnf() {
24 # Location of some random files OpenSSL can use: don't use 45 # Location of some random files OpenSSL can use: don't use
25 # /dev/u?random here -- doesn't work properly on all platforms 46 # /dev/u?random here -- doesn't work properly on all platforms
26 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf" 47 SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
27 48
28 # These can be overridden in the ebuild 49 # These can be overridden in the ebuild
29 SSL_DAYS="${SSL_BITS:-730}" 50 SSL_DAYS="${SSL_DAYS:-730}"
30 SSL_BITS="${SSL_BITS:-1024}" 51 SSL_BITS="${SSL_BITS:-1024}"
31 SSL_COUNTRY="${SSL_COUNTRY:-US}" 52 SSL_COUNTRY="${SSL_COUNTRY:-US}"
32 SSL_STATE="${SSL_STATE:-California}" 53 SSL_STATE="${SSL_STATE:-California}"
33 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}" 54 SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}"
34 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}" 55 SSL_ORGANIZATION="${SSL_ORGANIZATION:-SSL Server}"
38 59
39 # Create the CA serial file 60 # Create the CA serial file
40 echo "01" > "${SSL_SERIAL}" 61 echo "01" > "${SSL_SERIAL}"
41 62
42 # Create the config file 63 # Create the config file
43 ebegin "Generating OpenSSL configuration" 64 ebegin "Generating OpenSSL configuration${1:+ for CA}"
44 cat <<-EOF > "${SSL_CONF}" 65 cat <<-EOF > "${SSL_CONF}"
45 [ req ] 66 [ req ]
46 prompt = no 67 prompt = no
47 default_bits = ${SSL_BITS} 68 default_bits = ${SSL_BITS}
48 distinguished_name = req_dn 69 distinguished_name = req_dn
50 C = ${SSL_COUNTRY} 71 C = ${SSL_COUNTRY}
51 ST = ${SSL_STATE} 72 ST = ${SSL_STATE}
52 L = ${SSL_LOCALITY} 73 L = ${SSL_LOCALITY}
53 O = ${SSL_ORGANIZATION} 74 O = ${SSL_ORGANIZATION}
54 OU = ${SSL_UNIT} 75 OU = ${SSL_UNIT}
55 CN = ${SSL_COMMONNAME} 76 CN = ${SSL_COMMONNAME}${1:+ CA}
56 emailAddress = ${SSL_EMAIL} 77 emailAddress = ${SSL_EMAIL}
57 EOF 78 EOF
58 eend $? 79 eend $?
59 80
60 return $? 81 return $?
61} 82}
62 83
84# @FUNCTION: get_base
85# @USAGE: [if_ca]
86# @RETURN: <base path>
87# @DESCRIPTION:
63# Simple function to determine whether we're creating 88# Simple function to determine whether we're creating
64# a CA (which should only be done once) or final part 89# a CA (which should only be done once) or final part
65# 90#
66# Access: private 91# Access: private
67get_base() { 92get_base() {
70 else 95 else
71 echo "${T}/${$}server" 96 echo "${T}/${$}server"
72 fi 97 fi
73} 98}
74 99
100# @FUNCTION: gen_key
101# @USAGE: <base path>
102# @DESCRIPTION:
75# Generates an RSA key 103# Generates an RSA key
76# 104#
77# Access: private 105# Access: private
78gen_key() { 106gen_key() {
79 local base=`get_base $1` 107 local base=$(get_base "$1")
80 ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}" 108 ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}"
81 /usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \ 109 openssl genrsa -rand "${SSL_RANDOM}" \
82 -out "${base}.key" "${SSL_BITS}" &> /dev/null 110 -out "${base}.key" "${SSL_BITS}" &> /dev/null
83 eend $? 111 eend $?
84 112
85 return $? 113 return $?
86} 114}
87 115
116# @FUNCTION: gen_csr
117# @USAGE: <base path>
118# @DESCRIPTION:
88# Generates a certificate signing request using 119# Generates a certificate signing request using
89# the key made by gen_key() 120# the key made by gen_key()
90# 121#
91# Access: private 122# Access: private
92gen_csr() { 123gen_csr() {
93 local base=`get_base $1` 124 local base=$(get_base "$1")
94 ebegin "Generating Certificate Signing Request${1:+ for CA}" 125 ebegin "Generating Certificate Signing Request${1:+ for CA}"
95 /usr/bin/openssl req -config "${SSL_CONF}" -new \ 126 openssl req -config "${SSL_CONF}" -new \
96 -key "${base}.key" -out "${base}.csr" &>/dev/null 127 -key "${base}.key" -out "${base}.csr" &>/dev/null
97 eend $? 128 eend $?
98 129
99 return $? 130 return $?
100} 131}
101 132
133# @FUNCTION: gen_crt
134# @USAGE: <base path>
135# @DESCRIPTION:
102# Generates either a self-signed CA certificate using 136# Generates either a self-signed CA certificate using
103# the csr and key made by gen_csr() and gen_key() or 137# the csr and key made by gen_csr() and gen_key() or
104# a signed server certificate using the CA cert previously 138# a signed server certificate using the CA cert previously
105# created by gen_crt() 139# created by gen_crt()
106# 140#
107# Access: private 141# Access: private
108gen_crt() { 142gen_crt() {
109 local base=`get_base $1` 143 local base=$(get_base "$1")
110 if [ "${1}" ] ; then 144 if [ "${1}" ] ; then
111 ebegin "Generating self-signed X.509 Certificate for CA" 145 ebegin "Generating self-signed X.509 Certificate for CA"
112 /usr/bin/openssl x509 -extfile "${SSL_CONF}" \ 146 openssl x509 -extfile "${SSL_CONF}" \
113 -days ${SSL_DAYS} -req -signkey "${base}.key" \ 147 -days ${SSL_DAYS} -req -signkey "${base}.key" \
114 -in "${base}.csr" -out "${base}.crt" &>/dev/null 148 -in "${base}.csr" -out "${base}.crt" &>/dev/null
115 else 149 else
116 local ca=`get_base 1` 150 local ca=$(get_base 1)
117 ebegin "Generating authority-signed X.509 Certificate" 151 ebegin "Generating authority-signed X.509 Certificate"
118 /usr/bin/openssl x509 -extfile "${SSL_CONF}" \ 152 openssl x509 -extfile "${SSL_CONF}" \
119 -days ${SSL_DAYS} -req -CAserial "${SSL_SERIAL}" \ 153 -days ${SSL_DAYS} -req -CAserial "${SSL_SERIAL}" \
120 -CAkey "${ca}.key" -CA "${ca}.crt" \ 154 -CAkey "${ca}.key" -CA "${ca}.crt" \
121 -in "${base}.csr" -out "${base}.crt" &>/dev/null 155 -in "${base}.csr" -out "${base}.crt" &>/dev/null
122 fi 156 fi
123 eend $? 157 eend $?
124 158
125 return $? 159 return $?
126} 160}
127 161
162# @FUNCTION: gen_pem
163# @USAGE: <base path>
164# @DESCRIPTION:
128# Generates a PEM file by concatinating the key 165# Generates a PEM file by concatinating the key
129# and cert file created by gen_key() and gen_cert() 166# and cert file created by gen_key() and gen_cert()
130# 167#
131# Access: private 168# Access: private
132gen_pem() { 169gen_pem() {
133 local base=`get_base $1` 170 local base=$(get_base "$1")
134 ebegin "Generating PEM Certificate" 171 ebegin "Generating PEM Certificate"
135 (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem" 172 (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem"
136 eend $? 173 eend $?
137 174
138 return $? 175 return $?
139} 176}
140 177
178# @FUNCTION: install_cert
179# @USAGE: <certificates>
180# @DESCRIPTION:
141# Uses all the private functions above to generate 181# Uses all the private functions above to generate and install the
142# and install the requested certificates 182# requested certificates.
183# <certificates> are full pathnames relative to ROOT, without extension.
184#
185# Example: "install_cert /foo/bar" installs ${ROOT}/foo/bar.{key,csr,crt,pem}
143# 186#
144# Access: public 187# Access: public
145docert() { 188install_cert() {
146 if [ $# -lt 1 ] ; then 189 if [ $# -lt 1 ] ; then
147 eerror "At least one argument needed" 190 eerror "At least one argument needed"
148 return 1; 191 return 1;
149 fi 192 fi
150 193
151 # Initialize configuration 194 case ${EBUILD_PHASE} in
195 unpack|prepare|configure|compile|test|install)
196 die "install_cert cannot be called in ${EBUILD_PHASE}"
197 ;;
198 esac
199
200 # Generate a CA environment #164601
152 gen_cnf || return 1 201 gen_cnf 1 || return 1
153 echo
154
155 # Generate a CA environment
156 gen_key 1 || return 1 202 gen_key 1 || return 1
157 gen_csr 1 || return 1 203 gen_csr 1 || return 1
158 gen_crt 1 || return 1 204 gen_crt 1 || return 1
159 echo 205 echo
160 206
207 gen_cnf || return 1
208 echo
209
161 local count=0 210 local count=0
162 for cert in "$@" ; do 211 for cert in "$@" ; do
163 # Sanitize and check the requested certificate 212 # Check the requested certificate
164 cert="`/usr/bin/basename "${cert}"`"
165 if [ -z "${cert}" ] ; then 213 if [ -z "${cert##*/}" ] ; then
166 ewarn "Invalid certification requested, skipping" 214 ewarn "Invalid certification requested, skipping"
167 continue 215 continue
168 fi 216 fi
169 217
170 # Check for previous existence of generated files 218 # Check for previous existence of generated files
171 for type in key crt pem ; do 219 for type in key csr crt pem ; do
172 if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then 220 if [ -e "${ROOT}${cert}.${type}" ] ; then
173 ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping" 221 ewarn "${ROOT}${cert}.${type}: exists, skipping"
174 continue 2 222 continue 2
175 fi 223 fi
176 done 224 done
177 225
178 # Generate the requested files 226 # Generate the requested files
181 gen_crt || continue 229 gen_crt || continue
182 gen_pem || continue 230 gen_pem || continue
183 echo 231 echo
184 232
185 # Install the generated files and set sane permissions 233 # Install the generated files and set sane permissions
186 local base=`get_base` 234 local base=$(get_base)
235 install -d "${ROOT}${cert%/*}"
187 newins "${base}.key" "${cert}.key" 236 install -m0400 "${base}.key" "${ROOT}${cert}.key"
188 fperms 0400 "${INSDESTTREE}/${cert}.key"
189 newins "${base}.csr" "${cert}.csr" 237 install -m0444 "${base}.csr" "${ROOT}${cert}.csr"
190 fperms 0444 "${INSDESTTREE}/${cert}.csr"
191 newins "${base}.crt" "${cert}.crt" 238 install -m0444 "${base}.crt" "${ROOT}${cert}.crt"
192 fperms 0444 "${INSDESTTREE}/${cert}.crt"
193 newins "${base}.pem" "${cert}.pem" 239 install -m0400 "${base}.pem" "${ROOT}${cert}.pem"
194 fperms 0400 "${INSDESTTREE}/${cert}.pem" 240 : $(( ++count ))
195 count=$((${count}+1))
196 done 241 done
197 242
198 # Resulting status 243 # Resulting status
199 if [ ! ${count} ] ; then 244 if [ ${count} = 0 ] ; then
200 eerror "No certificates were generated" 245 eerror "No certificates were generated"
201 return 1 246 return 1
202 elif [ ${count} != ${#} ] ; then 247 elif [ ${count} != ${#} ] ; then
203 ewarn "Some requested certificates were not generated" 248 ewarn "Some requested certificates were not generated"
204 fi 249 fi
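Review bot: The default key size kept on the new side of gen_cnf, `SSL_BITS="${SSL_BITS:-1024}"`, makes every ebuild that does not override it generate 1024-bit RSA keys, a size long regarded as too weak for new certificates; the default should become `SSL_BITS="${SSL_BITS:-2048}"`, with the "These can be overridden in the ebuild" comment noting that ebuilds may choose a larger value. The `-rand "${SSL_RANDOM}"` list passed to openssl genrsa in gen_key is built from predictable files (`${T}/environment`, the eclass debug log and /etc/resolv.conf); on systems where OpenSSL already seeds from the kernel entropy source this is at best supplementary, so the comment about avoiding /dev/u?random should say that the files are not relied on for key entropy. In install_cert the new existence check and the install calls join `${ROOT}${cert}` directly, but the argument is only rejected when it ends in a slash, so a relative value such as `foo/bar` is glued onto ROOT and a bare `foo` makes `install -d "${ROOT}${cert%/*}"` create a stray directory; extend the check to `if [ -z "${cert##*/}" ] || [ "${cert#/}" = "${cert}" ] ; then`. The new-side lines around 41-44, 56-58, 93-94 and 227-228 are elided from this view, so the definitions of SSL_CONF and SSL_SERIAL, the CA branch of get_base and the key/csr generation calls in the loop could not be checked here.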

