[systemtap.git] / stap-gen-server-cert

#!/bin/bash

# Generate a certificate for the systemtap server and add it to the
# database of trusted servers for the client.
#
# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software.  You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Obtain a password from stdin and echo it.
function user_enter_password
{
    while true
    do
	while true
	do
	    read -sp "Enter new password for systemtap server certificate/key database:" pw1 junk
	    echo "" >&2
	    test "X$pw1" != "X" && break
	done
	while true
	do
	    read -sp "Reenter new password:" pw2 junk
	    echo "" >&2
	    test "X$pw2" != "X" && break
	done
	test "$pw1" = "$pw2" && break
	echo "Passwords do not match" >&2
    done

    echo $pw1
}

# Obtain the certificate database directory name.
if  test "X$1" = "X"; then
    echo "Certificate database directory must be specified" >&2
    exit 1
fi
rm -fr $1

# Create the server's certificate database directory.
serverdb=$1/server
if ! mkdir -p -m 755 $serverdb; then
    echo "Unable to create the server certificate database directory: $serverdb" >&2
    exit 1
fi

# Create the certificate database password file. Care must be taken
# that this file is only readable by the owner.
if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
    echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
    exit 1
fi

# Generate a random password.
mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \
apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \
user_enter_password > $serverdb/pw

# Generate the server certificate database
if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
    echo "Unable to initialize the server certificate database directory: $serverdb" >&2
    exit 1
fi

# We need some random noise for generating keys
dd bs=123 count=1 < /dev/urandom > $1/noise 2> /dev/null

# Generate a request for the server's certificate.
certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $1/stap-server.req -z $1/noise 2> /dev/null
rm -fr $1/noise

# Create the certificate file first so that it always has the proper access permissions.
if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then
    echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2
    exit 1
fi

# Now generate the actual certificate.
certutil -C -i $1/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
1
3
7
8
y
EOF
rm -fr $1/stap-server.req

# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw
Commit	Line	Data
1cecb3c5 DB	1	#!/bin/bash
	2
	3	# Generate a certificate for the systemtap server and add it to the
	4	# database of trusted servers for the client.
	5	#
be21f2db	6	# Copyright (C) 2008, 2009 Red Hat Inc.
1cecb3c5 DB	7	#
	8	# This file is part of systemtap, and is free software. You can
	9	# redistribute it and/or modify it under the terms of the GNU General
	10	# Public License (GPL); either version 2, or (at your option) any
	11	# later version.
	12
be21f2db DB	13	# Obtain a password from stdin and echo it.
	14	function user_enter_password
	15	{
	16	while true
	17	do
	18	while true
	19	do
	20	read -sp "Enter new password for systemtap server certificate/key database:" pw1 junk
	21	echo "" >&2
	22	test "X$pw1" != "X" && break
	23	done
	24	while true
	25	do
	26	read -sp "Reenter new password:" pw2 junk
	27	echo "" >&2
	28	test "X$pw2" != "X" && break
	29	done
	30	test "$pw1" = "$pw2" && break
	31	echo "Passwords do not match" >&2
	32	done
	33
	34	echo $pw1
	35	}
	36
1cecb3c5 DB	37	# Obtain the certificate database directory name.
	38	if test "X$1" = "X"; then
	39	echo "Certificate database directory must be specified" >&2
	40	exit 1
	41	fi
	42	rm -fr $1
	43
	44	# Create the server's certificate database directory.
	45	serverdb=$1/server
4d6a58a6	46	if ! mkdir -p -m 755 $serverdb; then
1cecb3c5 DB	47	echo "Unable to create the server certificate database directory: $serverdb" >&2
	48	exit 1
	49	fi
	50
	51	# Create the certificate database password file. Care must be taken
	52	# that this file is only readable by the owner.
	53	if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
	54	echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
	55	exit 1
	56	fi
	57
	58	# Generate a random password.
be21f2db DB	59	mkpasswd -l 20 > $serverdb/pw 2>/dev/null \|\| \
	60	apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null \|\| \
	61	user_enter_password > $serverdb/pw
1cecb3c5 DB	62
	63	# Generate the server certificate database
	64	if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
	65	echo "Unable to initialize the server certificate database directory: $serverdb" >&2
	66	exit 1
	67	fi
	68
	69	# We need some random noise for generating keys
	70	dd bs=123 count=1 < /dev/urandom > $1/noise 2> /dev/null
	71
	72	# Generate a request for the server's certificate.
	73	certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $1/stap-server.req -z $1/noise 2> /dev/null
	74	rm -fr $1/noise
	75
4d6a58a6 DB	76	# Create the certificate file first so that it always has the proper access permissions.
	77	if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then
	78	echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2
	79	exit 1
	80	fi
	81
1cecb3c5 DB	82	# Now generate the actual certificate.
	83	certutil -C -i $1/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
	84	1
	85	3
	86	7
	87	8
	88	y
	89	EOF
	90	rm -fr $1/stap-server.req
	91
	92	# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
	93	certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw