diff options
| -rw-r--r-- | modsign.cxx | 17 | ||||
| -rwxr-xr-x | stap-env | 2 | ||||
| -rwxr-xr-x | stap-gen-cert | 12 | ||||
| -rwxr-xr-x | stap-serverd | 18 |
4 files changed, 36 insertions, 13 deletions
diff --git a/modsign.cxx b/modsign.cxx index c9307484..34537921 100644 --- a/modsign.cxx +++ b/modsign.cxx @@ -56,7 +56,7 @@ init_cert_db_path (const string &cert_db_path) { static int check_cert_db_path (const string &cert_db_path) { static const char* keyFiles[] = { - "cert8.db", "key3.db", "pw", "secmod.db", "stap-server.cert", NULL + "cert8.db", "key3.db", "pw", "secmod.db", "stap.cert", NULL }; // Does the path exist? @@ -65,9 +65,22 @@ check_cert_db_path (const string &cert_db_path) { if (prStatus != PR_SUCCESS || fileInfo.type != PR_FILE_DIRECTORY) return init_cert_db_path (cert_db_path); + // Update the user's cert file if it is old. + string fname = cert_db_path + "/stap-server.cert"; + prStatus = PR_GetFileInfo (fname.c_str (), &fileInfo); + if (prStatus == PR_SUCCESS && fileInfo.type == PR_FILE_FILE && fileInfo.size > 0) + { + string fname1 = cert_db_path + "/stap.cert"; + prStatus = PR_GetFileInfo (fname1.c_str (), &fileInfo); + if (prStatus != PR_SUCCESS) + PR_Rename (fname.c_str (), fname1.c_str ()); + else + PR_Delete (fname.c_str ()); + } + // Does it contain the key files? for (int i = 0; keyFiles[i]; ++i) { - string fname = cert_db_path + "/" + keyFiles[i]; + fname = cert_db_path + "/" + keyFiles[i]; prStatus = PR_GetFileInfo (fname.c_str (), &fileInfo); if (prStatus != PR_SUCCESS || fileInfo.type != PR_FILE_FILE || fileInfo.size < 0) return init_cert_db_path (cert_db_path); @@ -34,3 +34,5 @@ else fi stap_signing_db=$stap_sysconfdir/systemtap/staprun +stap_certfile=stap.cert +stap_old_certfile=stap-server.cert diff --git a/stap-gen-cert b/stap-gen-cert index 940779eb..574df351 100755 --- a/stap-gen-cert +++ b/stap-gen-cert @@ -72,24 +72,24 @@ fi dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null # Generate a request for the server's certificate. -certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap-server.req -z $serverdb/noise 2> /dev/null +certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null rm -fr $serverdb/noise # Create the certificate file first so that it always has the proper access permissions. -if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then - echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2 +if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then + echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2 exit 1 fi # Now generate the actual certificate. -certutil -C -i $serverdb/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF +certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 3 7 8 y EOF -rm -fr $serverdb/stap-server.req +rm -fr $serverdb/stap.req # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer -certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw +certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw diff --git a/stap-serverd b/stap-serverd index 16869e89..b422deaa 100755 --- a/stap-serverd +++ b/stap-serverd @@ -37,20 +37,28 @@ function initialization { # Where is the ssl certificate/key database? ssl_db=$2 if test "X$ssl_db" = "X"; then + ssl_db=$stap_ssl_db/server + # Update the certificate file if it is old. + if test -f $ssl_db/$stap_old_certfile; then + if ! test -e $ssl_db/$stap_certfile; then + mv $ssl_db/$stap_old_certfile $ssl_db/$stap_certfile + else + rm -fr $ssl_db/$stap_old_certfile + fi + fi # If no certificate/key database has been specified, then find/create # a local one. - ssl_db=$stap_ssl_db/server - if ! test -f $ssl_db/stap-server.cert; then + if ! test -f $ssl_db/$stap_certfile; then ${stap_exec_prefix}stap-gen-cert $ssl_db || exit 1 # Now add the server's certificate to the client's database, # making it a trusted peer. Do this only if the client has been installed. if test -f `which ${stap_exec_prefix}stap-add-server-cert` -a -x `which ${stap_exec_prefix}stap-add-server-cert`; then - ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/stap-server.cert + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile fi elif ! test -f $stap_ssl_db/client/cert8.db; then # If the client's database does not exist, then initialize it with our certificate. if test -f `which ${stap_exec_prefix}stap-add-server-cert` -a -x `which ${stap_exec_prefix}stap-add-server-cert`; then - ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/stap-server.cert + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile fi fi fi @@ -155,7 +163,7 @@ function check_db { check_db_file $dir/key3.db || rc=1 check_db_file $dir/secmod.db || rc=1 check_db_file $dir/pw || rc=1 - check_cert_file $dir/stap-server.cert || rc=1 + check_cert_file $dir/$stap_certfile || rc=1 test $rc = 1 && fatal "Unable to use certificate database '$dir' due to errors" |