
[ssl_mgmt] Set ownership and rights of keycert

Thomas Preud'homme 4 years ago
parent
commit
519303988c
5 changed files with 14 additions and 4 deletions
  1. 7
    4
      ssl_mgmt/ssl_mgmt
  2. 3
    0
      ssl_mgmt/tests/6/cmdline
  3. 2
    0
      ssl_mgmt/tests/6/driver
  4. 1
    0
      ssl_mgmt/tests/6/fini
  5. 1
    0
      ssl_mgmt/tests/6/init

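--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -285,6 +285,7 @@ generate_cert ()
 	certFile=${certPath##*/}
 	keyFile=${keyPath##*/}
 	keycertFile=${service}-keycert.pem
+	keycertPath=${keyPath%/*}/$keycertFile
 
 	# Create the CSR and the key
 	openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
@@ -298,6 +299,7 @@ generate_cert ()
 	then
 		return 1
 	fi
+	# Sets ownership and access rights of the key
 	getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
 	chown --reference="$keyPath" $keySubdir/$keyFile
 
@@ -306,8 +308,11 @@ generate_cert ()
 		-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
 		-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
 
-	# Create the keycert file (file with merged key and certificate)
+	# Create the keycert file (file with merged key and certificate) and
+	# sets its ownership and access rights
 	cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
+	getfacl "$keycertPath" | setfacl --set-file=- $keySubdir/$keycertFile
+	chown --reference="$keycertPath" $keySubdir/$keycertFile
 
 	# Safety check
 	if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
@@ -333,11 +338,9 @@ generate_cert ()
 		return 1
 	fi
 
-	# Sets ownership and rights of generated files
+	# Sets ownership and access rights of the certificate
 	getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
 	chown --reference="$certPath" $certSubdir/$certFile
-	getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keycertFile
-	chown --reference="$keyPath" $keySubdir/$keycertFile
 
 	# Notify and install the new certificate
 	if [ -z "$no_overwrite" ]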

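--- a/ssl_mgmt/tests/6/cmdline
+++ b/ssl_mgmt/tests/6/cmdline
@@ -0,0 +1,3 @@
+chmod u+rwx ./destdir/private/foo-keycert.pem \
+	&& keyId= cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo \
+	&& getfacl ./destdir/private/foo-keycert.pem | grep "user::rwx"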
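Review bot: The assertion on the last line checks only the owner entry `user::rwx`, so the test still passes if the renewed keycert ends up with a readable group or other entry; a negative check such as `&& ! getfacl ./destdir/private/foo-keycert.pem | grep -q "other::r"` would also pin that the private key stays unreadable to others, assuming the fixture keycert starts without such an entry (its initial state is not visible here). `grep "user::rwx"` also echoes the matching line to the test's stdout; `grep -q "user::rwx"` keeps the check quiet without changing its result.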

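--- a/ssl_mgmt/tests/6/driver
+++ b/ssl_mgmt/tests/6/driver
@@ -0,0 +1,2 @@
+echo
+echo "y"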

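--- a/ssl_mgmt/tests/6/fini
+++ b/ssl_mgmt/tests/6/fini
@@ -0,0 +1 @@
+../restore_foo_fini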

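--- a/ssl_mgmt/tests/6/init
+++ b/ssl_mgmt/tests/6/init
@@ -0,0 +1 @@
+../save_foo_init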
