authorDave Brolley <brolley@redhat.com>2009-05-04 16:05:22 -0400
committerDave Brolley <brolley@redhat.com>2009-05-04 16:05:22 -0400
commit2035bcd40b17832439df0a1eb28403b99a71b74f (patch)
tree0fb027ba40f34513279f2e39e1110b50a415d2c1 /stap-gen-cert
parent3ba2eb82cafa938c1c3f7ef9d2da06912a49d8e0 (diff)
Module signing and verification using a separate file for the module signature.
Diffstat (limited to 'stap-gen-cert')
-rw-r--r--stap-gen-cert95
1 files changed, 95 insertions, 0 deletions
diff --git a/stap-gen-cert b/stap-gen-cert
new file mode 100644
index 00000000..574df351
--- /dev/null
+++ b/stap-gen-cert
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Generate a certificate for the systemtap server and add it to the
+# database of trusted servers for the client.
+#
+# Copyright (C) 2008, 2009 Red Hat Inc.
+#
+# This file is part of systemtap, and is free software. You can
+# redistribute it and/or modify it under the terms of the GNU General
+# Public License (GPL); either version 2, or (at your option) any
+# later version.
+
+# Initialize the environment
+. `dirname $0`/stap-env
+
+# Obtain a password from stdin and echo it.
+function user_enter_password
+{
+ while true
+ do
+ while true
+ do
+ read -sp "Enter new password for systemtap server certificate/key database:" pw1 junk
+ echo "" >&2
+ test "X$pw1" != "X" && break
+ done
+ while true
+ do
+ read -sp "Reenter new password:" pw2 junk
+ echo "" >&2
+ test "X$pw2" != "X" && break
+ done
+ test "$pw1" = "$pw2" && break
+ echo "Passwords do not match" >&2
+ done
+
+ echo $pw1
+}
+
+# Obtain the certificate database directory name.
+serverdb=$1
+if test "X$serverdb" = "X"; then
+ serverdb=$stap_ssl_db/server
+fi
+rm -fr $serverdb
+
+# Create the server's certificate database directory.
+if ! mkdir -p -m 755 $serverdb; then
+ echo "Unable to create the server certificate database directory: $serverdb" >&2
+ exit 1
+fi
+
+# Create the certificate database password file. Care must be taken
+# that this file is only readable by the owner.
+if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
+ echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
+ exit 1
+fi
+
+# Generate a random password.
+mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \
+apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \
+user_enter_password > $serverdb/pw
+
+# Generate the server certificate database
+if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
+ echo "Unable to initialize the server certificate database directory: $serverdb" >&2
+ exit 1
+fi
+
+# We need some random noise for generating keys
+dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null
+
+# Generate a request for the server's certificate.
+certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null
+rm -fr $serverdb/noise
+
+# Create the certificate file first so that it always has the proper access permissions.
+if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then
+ echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2
+ exit 1
+fi
+
+# Now generate the actual certificate.
+certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
+1
+3
+7
+8
+y
+EOF
+rm -fr $serverdb/stap.req
+
+# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
+certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw
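Review bot: The password file is created by `touch $serverdb/pw` under the caller's umask and only restricted afterwards by `chmod 600`, so despite the comment above it there is a window in which `pw` can be group- or world-readable; creating it restricted from the start closes that, e.g. `(umask 077 && : > "$serverdb/pw") && chmod 600 "$serverdb/pw"`. The interactive fallback in `user_enter_password` is also lossy: `read -sp "..." pw1 junk` without `-r` and `IFS=` interprets backslashes and silently discards everything after the first whitespace into `junk`, and `echo $pw1` word-splits and treats a password beginning with `-n`/`-e` as options, so the value written to `pw` can differ from what was typed without any error; `IFS= read -rsp "..." pw1` (same for `pw2`) and `printf '%s\n' "$pw1"` keep it byte-exact. Separately, `rm -fr $serverdb` on an unquoted, caller-supplied path deletes any existing server database, keys included, with no confirmation, and if `$stap_ssl_db` is empty the default collapses to `/server`; at minimum quote it (`rm -fr -- "$serverdb"`) and consider refusing when the directory already exists unless a force flag is given.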