diff options
author | Max Kalika <max@gentoo.org> | 2003-10-30 17:14:37 +0000 |
---|---|---|
committer | Max Kalika <max@gentoo.org> | 2003-10-30 17:14:37 +0000 |
commit | bc4e92ddb5ddf3abe4828303efc1110e3194a169 (patch) | |
tree | f80a31a5fc0c066bc81479de622c3aa64901aabb /eclass | |
parent | virtual/tftp (diff) | |
download | gentoo-2-bc4e92ddb5ddf3abe4828303efc1110e3194a169.tar.gz gentoo-2-bc4e92ddb5ddf3abe4828303efc1110e3194a169.tar.bz2 gentoo-2-bc4e92ddb5ddf3abe4828303efc1110e3194a169.zip |
Add the ssl-cert.eclass lib. Documentation coming in next commit.
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/ssl-cert.eclass | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/eclass/ssl-cert.eclass b/eclass/ssl-cert.eclass new file mode 100644 index 000000000000..665a24341b49 --- /dev/null +++ b/eclass/ssl-cert.eclass @@ -0,0 +1,207 @@ +# Copyright 1999-2003 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/eclass/ssl-cert.eclass,v 1.1 2003/10/30 17:14:37 max Exp $ +# +# Author: Max Kalika <max@gentoo.org> +# +# This eclass implements standard installation procedure for installing +# self-signed SSL certificates. + +ECLASS=ssl-cert +INHERITED="$INHERITED $ECLASS" + +# Conditionally depend on OpenSSL: allows inheretence +# without pulling extra packages if not needed +newdepend "ssl? ( dev-libs/openssl )" + +# Initializes variables and generates the needed +# OpenSSL configuration file and a CA serial file +# +# Access: private +gen_cnf() { + # Location of the config file + SSL_CONF="${T}/${$}ssl.cnf" + # Location of the CA serial file + SSL_SERIAL="${T}/${$}ca.ser" + # Location of some random files OpenSSL can use: don't use + # /dev/u?random here -- doesn't work properly on all platforms + SSL_RANDOM="${T}/evironment:${T}/eclass-debug.log:/etc/resolv.conf" + + # These can be overridden in the ebuild + SSL_DAYS="${SSL_BITS:-730}" + SSL_BITS="${SSL_BITS:-1024}" + SSL_COUNTRY="${SSL_COUNTRY:-US}" + SSL_STATE="${SSL_STATE:-California}" + SSL_LOCALITY="${SSL_LOCALITY:-Santa Barbara}" + SSL_ORGANIZATION="${SSL_ORGANIZTION:-SSL Server}" + SSL_UNIT="${SSL_UNIT:-For Testing Purposes Only}" + SSL_COMMONNAME="${SSL_COMMONNAME:-localhost}" + SSL_EMAIL="${SSL_EMAIL:-root@localhost}" + + # Create the CA serial file + echo "01" > "${SSL_SERIAL}" + + # Create the config file + ebegin "Generating OpenSSL configuration" + cat <<-EOF > "${SSL_CONF}" + [ req ] + prompt = no + default_bits = ${SSL_BITS} + distinguished_name = req_dn + [ req_dn ] + C = ${SSL_COUNTRY} + ST = ${SSL_STATE} + L = ${SSL_LOCALITY} + O = ${SSL_ORGANIZATION} + OU = ${SSL_UNIT} + CN = ${SSL_COMMONNAME} + emailAddress = ${SSL_EMAIL} + EOF + eend $? + + return $? +} + +# Simple function to determine whether we're creating +# a CA (which should only be done once) or final part +# +# Access: private +get_base() { + if [ "${1}" ] ; then + echo "${T}/${$}ca" + else + echo "${T}/${$}server" + fi +} + +# Generates an RSA key +# +# Access: private +gen_key() { + local base=`get_base $1` + ebegin "Generating ${SSL_BITS} bit RSA key${1:+ for CA}" + /usr/bin/openssl genrsa -rand "${SSL_RANDOM}" \ + -out "${base}.key" "${SSL_BITS}" &> /dev/null + eend $? + + return $? +} + +# Generates a certificate signing request using +# the key made by gen_key() +# +# Access: private +gen_csr() { + local base=`get_base $1` + ebegin "Generating Certificate Signing Request${1:+ for CA}" + /usr/bin/openssl req -config "${SSL_CONF}" -new \ + -key "${base}.key" -out "${base}.csr" &>/dev/null + eend $? + + return $? +} + +# Generates either a self-signed CA certificate using +# the csr and key made by gen_csr() and gen_key() or +# a signed server certificate using the CA cert previously +# created by gen_crt() +# +# Access: private +gen_crt() { + local base=`get_base $1` + if [ "${1}" ] ; then + ebegin "Generating self-signed X.509 Certificate for CA" + /usr/bin/openssl x509 -extfile "${SSL_CONF}" \ + -days ${SSL_DAYS} -req -signkey "${base}.key" \ + -in "${base}.csr" -out "${base}.crt" &>/dev/null + else + local ca=`get_base 1` + ebegin "Generating authority-signed X.509 Certificate" + /usr/bin/openssl x509 -extfile "${SSL_CONF}" \ + -days ${SSL_DAYS} -req -CAserial "${SSL_SERIAL}" \ + -CAkey "${ca}.key" -CA "${ca}.crt" \ + -in "${base}.csr" -out "${base}.crt" &>/dev/null + fi + eend $? + + return $? +} + +# Generates a PEM file by concatinating the key +# and cert file created by gen_key() and gen_cert() +# +# Access: private +gen_pem() { + local base=`get_base $1` + ebegin "Generating PEM Certificate" + (cat "${base}.key"; echo; cat "${base}.crt") > "${base}.pem" + eend $? + + return $? +} + +# Uses all the private functions above to generate +# and install the requested certificates +# +# Access: public +docert() { + if [ $# -lt 1 ] ; then + eerror "At least one argument needed" + return 1; + fi + + # Initialize configuration + gen_cnf || return 1 + echo + + # Generate a CA environment + gen_key 1 || return 1 + gen_csr 1 || return 1 + gen_crt 1 || return 1 + echo + + local count=0 + for cert in "$@" ; do + # Sanitize and check the requested certificate + cert="`/usr/bin/basename "${cert}"`" + if [ -z "${cert}" ] ; then + ewarn "Invalid certification requested, skipping" + continue + fi + + # Check for previous existence of generated files + for type in key crt pem ; do + if [ -e "${D}${INSDESTTREE}/${cert}.${type}" ] ; then + ewarn "${D}${INSDESTTREE}/${cert}.${type}: exists, skipping" + continue 2 + fi + done + + # Generate the requested files + gen_key || continue + gen_csr || continue + gen_crt || continue + gen_pem || continue + echo + + # Install the generated files and set sane permissions + local base=`get_base` + newins "${base}.key" "${cert}.key" + fperms 0400 "${INSDESTTREE}/${cert}.key" + newins "${base}.csr" "${cert}.csr" + fperms 0444 "${INSDESTTREE}/${cert}.csr" + newins "${base}.crt" "${cert}.crt" + fperms 0444 "${INSDESTTREE}/${cert}.crt" + newins "${base}.pem" "${cert}.pem" + fperms 0400 "${INSDESTTREE}/${cert}.pem" + count=$((${count}+1)) + done + + # Resulting status + if [ ! ${count} ] ; then + eerror "No certificates were generated" + return 1 + elif [ ${count} != ${#} ] ; then + ewarn "Some requested certificates were not generated" + fi +} |