[ssl_mgmt] Add some sanity checks

Check openssl can read both certificate and key and that they match each
other.
This commit is contained in:
Thomas Preud'homme 2014-05-06 20:57:11 +08:00
parent 4d5efe91cc
commit 7bc13c2c89
1 changed files with 42 additions and 10 deletions

View File

@ -278,28 +278,54 @@ generate_cert ()
certFile=${certPath##*/}
keyFile=${keyPath##*/}
keycertFile=${service}-keycert.pem
# Create the CSR and the key
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
openssl req -in $csrSubdir/$reqFile -text -verify -noout
if ! openssl req -in $csrSubdir/$reqFile -text -verify -noout 2>/dev/null
then
echo "Generated CSR is corrupted." >&2
rm $csrSubdir/$reqFile $keySubdir/$keyFile
return 1
fi
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
then
return 1
fi
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
chown --reference="$keyPath" $keySubdir/$keyFile
if [ -z "$no_overwrite" ]
then
if [ ! -f "$keyDestDir/$keyFile" ]
then
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
echo "there might be a problem." >&2
fi
mv $keySubdir/$keyFile $keyDestDir
fi
# Sign the CSR to make a certificate
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
chown --reference="$certPath" $certSubdir/$certFile
# Safety check
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
then
echo "Generated certificate is corrupted." >&2
rm $certSubdir/$certFile $keySubdir/$keyFile
return 1
fi
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
then
echo "Generated key is corrupted." >&2
rm $certSubdir/$certFile $keySubdir/$keyFile
return 1
fi
certModulus=$(openssl x509 -noout -modulus -in $certSubdir/$certFile)
keyModulus=$(openssl rsa -noout -modulus -in $keySubdir/$keyFile)
if [ -z "$certModulus" -o "$certModulus" != "$keyModulus" ]
then
echo -n "Generated certificate and key do not match." >&2
echo " Aborting." >&2
rm $certSubdir/$certFile $keySubdir/$keyFile
return 1
fi
# Notify and install the new certificate
if [ -z "$no_overwrite" ]
then
if [ ! -f "$certDestDir/$certFile" ]
@ -307,6 +333,12 @@ generate_cert ()
echo "No file named $certFile in directory $certDestDir:" >&2
echo "there might be a problem" >&2
fi
if [ ! -f "$keyDestDir/$keyFile" ]
then
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
echo "there might be a problem." >&2
fi
mv $keySubdir/$keyFile $keyDestDir
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
fingerprint=${fingerprint#*=}
if [ -n "$notifiedUsers" ]