[ssl_mgmt] Stop hardcoding path

Replace hardcoded paths with a set of variables that have default values and
can be overridden from a configuration file. This should make testing much
easier.
This commit is contained in:
Thomas Preud'homme 2014-05-03 15:40:11 +08:00
parent 01f601c8c2
commit 8bf95f40af
1 changed files with 45 additions and 28 deletions


@ -21,7 +21,22 @@
set -u set -u
confFile=openssl.cnf cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
. $cnfFilePath
workDir=${workDir:-/usr/lib/ssl/CA}
csrSubdir=${csrSubdir:-csr}
certSubdir=${certSubdir:-newcerts}
keySubdir=${keySubdir:-newkeys}
certDestDir=${certDestDir:-/etc/ssl/certs}
keyDestDir=${keyDestDir:-/etc/ssl/private}
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
opensslCnfFile=openssl.cnf
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
# Display usage. # Display usage.
usage () usage ()
@ -122,7 +137,9 @@ try_sudo ()
ret=$? ret=$?
if [ ! $ret -eq 0 ] if [ ! $ret -eq 0 ]
then then
echo "Error! You must be root or being able to become root by sudo without password to create an email account or add an email alias." >&2 echo -n "Error! You must be root or being able to become root"
echo -n " by sudo without password to\ncreate an email account"
echo -n " or add an email alias." >&2
fi fi
exit $ret exit $ret
} }
@ -211,18 +228,18 @@ generate_config ()
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")" replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")"
replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")" replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")"
replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/" replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/"
cnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)" opensslCnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
sed "$replaceCmd" $confFile.in > $cnfTmpFile sed "$replaceCmd" $opensslCnfFile.in > $opensslCnfTmpFile
if ask_user_default_no "Do you want to edit the openssl configuration file?" if ask_user_default_no "Do you want to edit the openssl configuration file?"
then then
if [ -n "${EDITOR:-}" ] if [ -n "${EDITOR:-}" ]
then then
$EDITOR $cnfTmpFile $EDITOR $opensslCnfTmpFile
else else
editor $cnfTmpFile editor $opensslCnfTmpFile
fi fi
fi fi
mv $cnfTmpFile $confFile mv $opensslCnfTmpFile $opensslCnfFile
} }
# @param service the name of the service associated with the certificate to # @param service the name of the service associated with the certificate to
@ -244,36 +261,36 @@ generate_cert ()
certFile=${certPath##*/} certFile=${certPath##*/}
keyFile=${keyPath##*/} keyFile=${keyPath##*/}
keycertFile=${service}-keycert.pem keycertFile=${service}-keycert.pem
openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
openssl req -in csr/$reqFile -text -verify -noout openssl req -in $csrSubdir/$reqFile -text -verify -noout
if ! ask_user_default_no "Is the Certificate Signing Request correct?" if ! ask_user_default_no "Is the Certificate Signing Request correct?"
then then
return 1 return 1
fi fi
getfacl "$keyPath" | setfacl --set-file=- newkeys/$keyFile getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
if [ -z "$no_overwrite" ] if [ -z "$no_overwrite" ]
then then
if [ ! -f "private/$keyFile" ] if [ ! -f "$keyDestDir/$keyFile" ]
then then
echo -n "Error! No file named $keyFile in directory" >&2 echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
echo " $(readlink -f private):" >&2 echo "there might be a problem." >&2
echo "there might be a problem" >&2
fi fi
mv newkeys/$keyFile private mv $keySubdir/$keyFile $keyDestDir
fi fi
openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
getfacl "$certPath" | setfacl --set-file=- newcerts/$certFile -keyfile $CAKeyPath -passin file:$rootCAPwdPath \
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
if [ -z "$no_overwrite" ] if [ -z "$no_overwrite" ]
then then
if [ ! -f "certs/$certFile" ] if [ ! -f "$certDestDir/$certFile" ]
then then
echo "No file named $certFile in directory" >&2 echo "No file named $certFile in directory $certDestDir:" >&2
echo " $(readlink -f certs):" >&2
echo "there might be a problem" >&2 echo "there might be a problem" >&2
fi fi
mv newcerts/$certFile certs mv $certSubdir/$certFile $certDestDir
fi fi
cat private/$keyFile certs/$certFile > private/$keycertFile cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
return 0 return 0
} }
@ -288,14 +305,14 @@ main ()
then then
try_sudo "$@" try_sudo "$@"
fi fi
cd /usr/lib/ssl/CA/ cd $workDir
if [ "${service}" = "all" ] if [ "${service}" = "all" ]
then then
services="" services=""
while read service for service in $managedCerts
do do
services="$services $service" services="$services $service"
done </root/homemade-certs done
else else
services=${service} services=${service}
fi fi
@ -307,10 +324,10 @@ main ()
then then
service="${service##*/}" service="${service##*/}"
service="${service%.*}" service="${service%.*}"
keyPath="/etc/ssl/private/${service}.key" keyPath="$keyDestDir/${service}.key"
else else
certPath="/etc/ssl/certs/${service}-cert.pem" certPath="$certDestDir/${service}-cert.pem"
keyPath="/etc/ssl/private/${service}-key.pem" keyPath="$keyDestDir/${service}-key.pem"
fi fi
if [ ! -f "$certPath" ] if [ ! -f "$certPath" ]
then then
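Review bot: `. $cnfFilePath` in the first hunk sources a file whose path comes from an environment variable into a script that later escalates to root, with no check that the file exists or who may write it, and the expansion is unquoted. I would quote it and make the missing-file case explicit, e.g. `if [ -f "$cnfFilePath" ]; then . "$cnfFilePath"; fi`, and since that file is executed as shell code with root privilege it is worth refusing it when it is not root-owned or is group/world-writable (a `stat`-based ownership/mode check, whose options differ between GNU and BSD). The `managedCerts` default on the same hunk now reads `/root/homemade-certs` at top level, before `main` reaches `try_sudo`, so an unprivileged first invocation will likely hit a permission error on that redirection; whether `try_sudo` re-executes the script is outside the hunk, but the old code read the file inside `main` after the sudo check. In the `try_sudo` hunk, the first two `echo -n` lines are not redirected to `>&2` and the embedded `\n` is interpreted only by some `echo` implementations; a single `printf '%s\n' "…" >&2` would be clearer.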