#!/bin/bash

# Generate a certificate for the systemtap server and add it to the
# database of trusted servers for the client.
#
# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software.  You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Initialize the environment
. `dirname $0`/stap-env

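# Obtain a password from stdin and echo it.
#
# Prompts (on stderr) for a password and a confirmation until two non-empty,
# identical values are entered, then prints that value on stdout so the
# caller can redirect it into the password file.
#
# Returns: 0 with the password on stdout; 1 if stdin reaches EOF before a
#          non-empty entry is read, so a non-interactive caller fails instead
#          of spinning on a failing read forever.
#
# The password is taken verbatim: IFS is cleared so leading, trailing and
# internal whitespace survives (the previous "pw junk" word-split silently
# truncated the password at the first blank), -r keeps backslashes literal,
# and the result is printed with printf rather than an unquoted echo so it is
# never word-split, glob-expanded, or mistaken for an echo option such as
# "-n".
function user_enter_password
{
    local first second status
    while true
    do
	while true
	do
	    IFS= read -rs -p "Enter new password for systemtap server certificate/key database:" first
	    status=$?
	    echo "" >&2
	    test -n "$first" && break
	    # read failed with nothing read: stdin is exhausted, give up.
	    test "$status" -eq 0 || return 1
	done
	while true
	do
	    IFS= read -rs -p "Reenter new password:" second
	    status=$?
	    echo "" >&2
	    test -n "$second" && break
	    test "$status" -eq 0 || return 1
	done
	test "$first" = "$second" && break
	echo "Passwords do not match" >&2
    done

    printf '%s\n' "$first"
}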

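# Print a diagnostic on stderr and abort the script.
die()
{
    echo "$*" >&2
    exit 1
}

# Obtain the certificate database directory name: the first argument, or the
# server database beneath the directory named by stap-env.
serverdb=$1
if test "X$serverdb" = "X"; then
    # Without this check an unset stap_ssl_db would make the default "/server".
    if test "X$stap_ssl_db" = "X"; then
	die "stap_ssl_db is not set (stap-env not sourced?); cannot locate the server certificate database"
    fi
    serverdb=$stap_ssl_db/server
fi

# Start from an empty database. ${serverdb:?} makes the shell abort rather
# than expand to nothing, so this can never turn into "rm -fr" of nothing or
# of an unintended path built from an empty variable.
rm -fr -- "${serverdb:?}"

# Create the server's certificate database directory.
if ! mkdir -p -m 755 -- "$serverdb"; then
    die "Unable to create the server certificate database directory: $serverdb"
fi

# Create the certificate database password file. It holds the key database
# password in clear text, so it must only ever be readable by the owner:
# create it under a restrictive umask rather than with the default mode and
# a chmod afterwards, then pin the mode explicitly.
if ! (umask 077 && : > "$serverdb/pw" && chmod 600 -- "$serverdb/pw"); then
    die "Unable to create the server certificate database password file: $serverdb/pw"
fi

# Generate a random password, falling back to prompting the user only when
# no generator is available. Each generator's stderr is discarded and only
# its exit status matters: which "mkpasswd" is installed differs between
# distributions (the expect-based one takes "-l LENGTH"; others reject the
# option and so fall through to apg). The password reaches certutil only via
# this file (-f), never on a command line, so it does not appear in ps output.
if ! mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null && \
   ! apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null; then
    if ! user_enter_password > "$serverdb/pw"; then
	die "Unable to obtain a password for the server certificate/key database"
    fi
fi
# Whichever source produced it, refuse to continue with an empty password.
if ! test -s "$serverdb/pw"; then
    die "No password was generated for the server certificate/key database"
fi

# Initialize the NSS certificate/key database in $serverdb, protected by the
# password just written.
if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then
    die "Unable to initialize the server certificate database directory: $serverdb"
fi
# NOTE(review): the database files certutil creates here live in a 755
# directory with whatever mode certutil and the umask give them; the private
# key is protected by the password in $serverdb/pw (mode 600), but verify the
# resulting file modes are acceptable for the deployment.

# Key generation needs seed material; certutil -z reads it from a file.
if ! dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null; then
    die "Unable to generate noise for key generation"
fi

# Generate a request for the server's certificate. This is the step that
# creates the server's key pair in the database. certutil's stderr is
# discarded; failure is detected from the exit status instead, and the noise
# file is removed on every path.
certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null
status=$?
rm -f -- "$serverdb/noise"
if test "$status" -ne 0; then
    die "Unable to generate the server certificate request"
fi

# Create the certificate file first so that it always has the proper access
# permissions. The certificate is public and is what clients import to trust
# this server (see the header comment), so world-readable is intended.
if test "X$stap_certfile" = "X"; then
    # Otherwise the touch/chmod below would act on the database directory itself.
    die "stap_certfile is not set (stap-env not sourced?); cannot name the server certificate file"
fi
if ! (touch -- "$serverdb/$stap_certfile" && chmod 644 -- "$serverdb/$stap_certfile"); then
    die "Unable to create the server certificate file: $serverdb/$stap_certfile"
fi

# Now generate the actual self-signed (-x) certificate from the request.
# -5 adds the Netscape certificate-type extension and the here-document
# answers its interactive menu (1 = SSL Server, 3 = Object Signing,
# 7 = Object Signing CA, 8 = any other entry finishes the list,
# y = mark the extension critical). These are the menu numbers of the
# certutil this script was written against; check them against the -5 prompt
# of the installed certutil after an NSS upgrade.
# -8 lists the host name and "localhost" as subject alternative names so the
# server can be verified under either name.
# NOTE(review): no -v is given, so the certificate gets certutil's default
# validity period (the NSS documentation gives three months); pass
# "-v <months>" if the server certificate is expected to outlive that.
certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" -f "$serverdb/pw" -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
1
3
7
8
y
EOF
status=$?
rm -f -- "$serverdb/stap.req"
if test "$status" -ne 0; then
    die "Unable to generate the server certificate"
fi

# Add the certificate to the server's own certificate/key database as a
# trusted peer (P), trusted CA (C) and user certificate (u) for both SSL and
# object signing; the middle (e-mail) trust field is left empty.
if ! certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw"; then
    die "Unable to add the server certificate to the server certificate/key database: $serverdb"
fi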