diff options
| author | Dave Brolley <brolley@redhat.com> | 2009-04-02 12:34:29 -0400 |
|---|---|---|
| committer | Dave Brolley <brolley@redhat.com> | 2009-04-02 12:34:29 -0400 |
| commit | 2f54c4fe5a3aa21b4d5c38edabf83f3cdad0177d (patch) | |
| tree | 5ff9417c68651e345b5c82f9662d2d8d39a870f3 /modsign.cxx | |
| parent | f5ccb20cd2a00649213270637161f0d68ffc0163 (diff) | |
| download | systemtap-steved-2f54c4fe5a3aa21b4d5c38edabf83f3cdad0177d.tar.gz systemtap-steved-2f54c4fe5a3aa21b4d5c38edabf83f3cdad0177d.tar.xz systemtap-steved-2f54c4fe5a3aa21b4d5c38edabf83f3cdad0177d.zip | |
2009-04-02 Dave Brolley <brolley@redhat.com>
* stap-serverd (initialization): Create client certificate database if it
does not exist.
* stap-server (call_stap): Don't pass --sign-module to stap.
* session.h (unprivileged): New member of systemtap_session.
* modsign.cxx (init_cert_db_path, check_cert_db_path): New functions.
(sign_module): Call check_cert_db_path.
* main.cxx (usage): Document --signing-cert and --unprivileged.
(runner): Set default signing certificate path. Initialize s.unprivileged.
(LONG_OPT_SIGN_MODULE): Renamed to LONG_OPT_SIGNING_CERT.
(LONG_OPT_UNPRIVILEGED): #define it.
(long_options): Add --signing-cert and --unprivileged.
(runner): Allow multiple --signing-cert options. Use the last specified.
Don't reset unless the new setting is valid. Handle LONG_OPT_UNPRIVILEGED.
Diffstat (limited to 'modsign.cxx')
| -rw-r--r-- | modsign.cxx | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/modsign.cxx b/modsign.cxx index 2154cdbb..c9307484 100644 --- a/modsign.cxx +++ b/modsign.cxx @@ -33,10 +33,49 @@ extern "C" { #include <cryptohi.h> #include <stdio.h> +#include <stdlib.h> } using namespace std; +/* Function: int init_cert_db_path (const string &cert_db_path); + * + * Initialize a certificate database at the given path. + */ +static int +init_cert_db_path (const string &cert_db_path) { + string cmd = "stap-gen-cert " + cert_db_path; + return system (cmd.c_str()) == 0; +} + +/* Function: int check_cert_db_path (const string &cert_db_path); + * + * Check that the given certificate directory exists and is initialized. + * Create and/or initialize it otherwise. + */ +static int +check_cert_db_path (const string &cert_db_path) { + static const char* keyFiles[] = { + "cert8.db", "key3.db", "pw", "secmod.db", "stap-server.cert", NULL + }; + + // Does the path exist? + PRFileInfo fileInfo; + PRStatus prStatus = PR_GetFileInfo (cert_db_path.c_str(), &fileInfo); + if (prStatus != PR_SUCCESS || fileInfo.type != PR_FILE_DIRECTORY) + return init_cert_db_path (cert_db_path); + + // Does it contain the key files? + for (int i = 0; keyFiles[i]; ++i) { + string fname = cert_db_path + "/" + keyFiles[i]; + prStatus = PR_GetFileInfo (fname.c_str (), &fileInfo); + if (prStatus != PR_SUCCESS || fileInfo.type != PR_FILE_FILE || fileInfo.size < 0) + return init_cert_db_path (cert_db_path); + } + + return 1; // ok +} + /* Function: char * password_callback() * * Purpose: This function is our custom password handler that is called by @@ -212,6 +251,9 @@ sign_module (systemtap_session& s) SECKEYPrivateKey *privKey; SECStatus secStatus; + if (! check_cert_db_path (s.cert_db_path)) + return; + password = get_password (s.cert_db_path + "/pw"); if (! password) { |