summaryrefslogtreecommitdiffstats
path: root/stap-gen-cert
blob: 4f2650cde299a762efc0dca2c17557108f666a88 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/bash

# Generate a certificate for the systemtap server and add it to the
# database of trusted servers for the client.
#
# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software.  You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Initialize the environment
. ${PKGLIBEXECDIR}stap-env

# Obtain the certificate database directory name.
serverdb=$1
if  test "X$serverdb" = "X"; then
    serverdb=$stap_ssl_db/server
fi
rm -fr $serverdb

# Create the server's certificate database directory.
if ! mkdir -p -m 755 $serverdb; then
    echo "Unable to create the server certificate database directory: $serverdb" >&2
    exit 1
fi

# Create the certificate database password file. Care must be taken
# that this file is only readable by the owner.
if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
    echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
    exit 1
fi

# Generate a random password.
mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \
apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \
(read -n20 password </dev/urandom; echo "$password" > $serverdb/pw)

# Generate the server certificate database
if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
    echo "Unable to initialize the server certificate database directory: $serverdb" >&2
    exit 1
fi

# We need some random noise for generating keys
dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null

# Generate a request for the server's certificate.
certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null
rm -fr $serverdb/noise

# Create the certificate file first so that it always has the proper access permissions.
if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then
    echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2
    exit 1
fi

# Now generate the actual certificate.
certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
1
3
7
8
y
EOF
rm -fr $serverdb/stap.req

# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw

echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb"
exit 0