1 | #!/bin/bash |
2 | ||
3 | # Generate a certificate for the systemtap server and add it to the | |
4 | # database of trusted servers for the client. | |
5 | # | |
be21f2db | 6 | # Copyright (C) 2008, 2009 Red Hat Inc. |
7 | # |
8 | # This file is part of systemtap, and is free software. You can | |
9 | # redistribute it and/or modify it under the terms of the GNU General | |
10 | # Public License (GPL); either version 2, or (at your option) any | |
11 | # later version. | |
12 | ||
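#######################################
# Obtain a password from stdin and echo it.
# Prompts (on stderr) for a new password and a confirmation until a
# non-empty, matching pair has been entered.  The password is read
# without echo and without backslash or whitespace processing, so it
# is taken exactly as typed.
# Outputs:  the password, followed by a newline, on stdout
# Returns:  0 on success; 1 if stdin is exhausted before a password
#           could be read (instead of looping forever)
#######################################
user_enter_password() {
  local pw1 pw2

  while true; do
    # First entry: repeat until something non-empty is typed.
    while true; do
      IFS= read -r -s -p "Enter new password for systemtap server certificate/key database:" pw1 || {
        echo "Unable to read a password" >&2
        return 1
      }
      echo "" >&2   # move to a new line after the silent read
      [[ -n "$pw1" ]] && break
    done
    # Confirmation entry.
    while true; do
      IFS= read -r -s -p "Reenter new password:" pw2 || {
        echo "Unable to read a password" >&2
        return 1
      }
      echo "" >&2
      [[ -n "$pw2" ]] && break
    done
    [[ "$pw1" == "$pw2" ]] && break
    echo "Passwords do not match" >&2
  done

  # printf rather than echo: the password may begin with '-' or contain
  # characters echo would interpret, and it must not be word-split or
  # glob-expanded on the way out.
  printf '%s\n' "$pw1"
}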
36 | ||
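# Obtain the certificate database directory name.  The directory is
# rebuilt from scratch, so any existing contents are removed first.
if [[ -z "$1" ]]; then
  echo "Certificate database directory must be specified" >&2
  exit 1
fi
# Quoted and with '--' so a path containing whitespace, glob characters
# or a leading '-' is removed as one name and not reinterpreted.
rm -fr -- "$1"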
43 | ||
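# Create the server's certificate database directory.
serverdb="$1/server"
if ! mkdir -p -m 755 -- "$serverdb"; then
  echo "Unable to create the server certificate database directory: $serverdb" >&2
  exit 1
fi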
50 | ||
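# Create the certificate database password file. Care must be taken
# that this file is only readable by the owner: it is created under a
# restrictive umask (in a subshell, so the script's own umask is left
# alone) rather than created with the default mode and tightened
# afterwards, which would leave a brief window in which another user
# could open it before the password is written.
if ! (umask 077 && touch -- "$serverdb/pw" && chmod 600 -- "$serverdb/pw"); then
  echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
  exit 1
fi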
57 | ||
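# Generate a random password, trying each available generator in turn
# and falling back to asking the user.  Do not continue with an empty
# password file if none of them succeeds.
if ! { mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null \
       || apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null \
       || user_enter_password > "$serverdb/pw"; }; then
  echo "Unable to generate a password for the server certificate database" >&2
  exit 1
fi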
62 | |
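# Generate the server certificate database.
if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then
  echo "Unable to initialize the server certificate database directory: $serverdb" >&2
  exit 1
fi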
68 | ||
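# We need some random noise for generating keys.  The seed file is kept
# owner-readable only for the short time it exists.
if ! (umask 077 && dd bs=123 count=1 < /dev/urandom > "$1/noise" 2> /dev/null); then
  echo "Unable to create the random noise file: $1/noise" >&2
  exit 1
fi

# Generate a request for the server's certificate, then discard the
# noise.  A failed request must stop the script here rather than let the
# later signing step run against a missing request file.
if ! certutil -R -d "$serverdb" -f "$serverdb/pw" \
    -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \
    -o "$1/stap-server.req" -z "$1/noise" 2> /dev/null; then
  rm -f -- "$1/noise"
  echo "Unable to generate the server certificate request: $1/stap-server.req" >&2
  exit 1
fi
rm -f -- "$1/noise"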
75 | ||
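# Create the certificate file first so that it always has the proper
# access permissions (0644: world-readable, unlike the password file).
if ! (touch -- "$serverdb/stap-server.cert" && chmod 644 -- "$serverdb/stap-server.cert"); then
  echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2
  exit 1
fi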
81 | ||
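# Now generate the actual certificate: self-signed (-x) from the request,
# with the host name and localhost as subject alternative names (-8).
# The here-document answers certutil's interactive prompts for the
# certificate type extension (-5); see certutil(1) for the meaning of the
# numbered choices.  A signing failure is fatal, since the next step
# would otherwise import a missing or empty certificate.
if ! certutil -C -i "$1/stap-server.req" -o "$serverdb/stap-server.cert" -x \
    -d "$serverdb" -f "$serverdb/pw" -5 -8 "$HOSTNAME,localhost" >/dev/null <<'EOF'
1
3
7
8
y
EOF
then
  rm -f -- "$1/stap-server.req"
  echo "Unable to generate the server certificate: $serverdb/stap-server.cert" >&2
  exit 1
fi
rm -f -- "$1/stap-server.req"

# Add the certificate to the server's certificate/key database as a
# trusted peer, ssl server and object signer.
if ! certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/stap-server.cert" -d "$serverdb" -f "$serverdb/pw"; then
  echo "Unable to add the server certificate to the database: $serverdb" >&2
  exit 1
fi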