summaryrefslogtreecommitdiffstats
path: root/stap-gen-cert
blob: 4938817de9e06c8a929dbb4c1fe980568b97c000 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/bin/bash

# Generate a certificate for the systemtap server and add it to the
# database of trusted servers for the client.
#
# Copyright (C) 2008-2010 Red Hat Inc.
#
# This file is part of systemtap, and is free software.  You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Initialize the environment
. ${PKGLIBEXECDIR}stap-env

# Obtain the certificate database directory name.
serverdb="$1"
if  test "X$serverdb" = "X"; then
    serverdb="$stap_ssl_db/server"
fi
rm -fr "$serverdb"

# Create the server's certificate database directory.
if ! mkdir -p -m 755 "$serverdb"; then
    echo "Unable to create the server certificate database directory: $serverdb" >&2
    exit 1
fi

# Create the certificate database password file. Care must be taken
# that this file is only readable by the owner.
if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then
    echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
    exit 1
fi

# Generate a random password.
mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \
apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \
(read -n20 password </dev/urandom; echo "$password" > "$serverdb/pw")

# Generate the server certificate database
if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then
    echo "Unable to initialize the server certificate database directory: $serverdb" >&2
    exit 1
fi

# We need some random noise for generating keys
dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null

# Generate a request for the server's certificate.
certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \
         -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null
rm -fr "$serverdb/noise"

# Create the certificate file first so that it always has the proper access permissions.
if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then
    echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2
    exit 1
fi

# Now generate the actual certificate. Make is valid for 1 year.
certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \
         -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
1
3
7
8
y
EOF
rm -fr "$serverdb/stap.req"

# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw"

# Print some information about the certificate.
echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb"
certutil -L -d "$serverdb" -n stap-server | \
  awk '/Validity|Not After|Not Before/ { print $0 }' | \
  sed 's/^ */  /'

exit 0