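#!/bin/bash

# Generate a certificate for the systemtap server and add it to the
# database of trusted servers for the client.
#
# Usage: stap-gen-cert [SERVER_DB_DIR]
#   SERVER_DB_DIR  directory holding the server's NSS certificate database.
#                  Defaults to "$stap_ssl_db/server" (stap_ssl_db comes from
#                  stap-env). Any existing contents of the directory are
#                  removed first.
#
# Exits 0 on success, 1 on any failure; diagnostics go to stderr.
#
# Copyright (C) 2008-2010 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Print a message to stderr and exit with failure.
die() {
  echo "$*" >&2
  exit 1
}

# Write a 20-character random password to stdout, drawn from /dev/urandom
# and restricted to alphanumerics. Reading raw urandom bytes with 'read'
# stops at the first newline and drops NUL bytes, so it can yield a much
# shorter (even empty) password; filtering through tr avoids that.
# Returns non-zero if 20 characters could not be produced.
random_password() {
  local password
  password=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)
  [ "${#password}" -eq 20 ] || return 1
  printf '%s\n' "$password"
}

# Initialize the environment (provides stap_ssl_db and stap_certfile).
. "${PKGLIBEXECDIR}stap-env"

# Obtain the certificate database directory name.
serverdb="$1"
if test "X$serverdb" = "X"; then
  # Never default to "/server" when stap-env did not set stap_ssl_db.
  if test "X$stap_ssl_db" = "X"; then
    die "stap_ssl_db is not set; cannot locate the server certificate database directory"
  fi
  serverdb="$stap_ssl_db/server"
fi
# ${serverdb:?} aborts rather than expanding to an empty path for rm -fr.
rm -fr "${serverdb:?}"

# Create the server's certificate database directory.
if ! mkdir -p -m 755 "$serverdb"; then
  die "Unable to create the server certificate database directory: $serverdb"
fi

# Create the certificate database password file. Care must be taken
# that this file is only readable by the owner, so it is created and
# chmod'ed before anything is written into it.
if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then
  die "Unable to create the server certificate database password file: $serverdb/pw"
fi

# Generate a random password, trying the dedicated generators first and
# falling back to /dev/urandom. Each attempt truncates the file, so a
# failed earlier attempt leaves nothing behind.
mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \
  apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \
  random_password > "$serverdb/pw" || \
  die "Unable to generate a password for the server certificate database: $serverdb/pw"
# A generator that exits 0 but prints nothing must not be accepted either.
if ! test -s "$serverdb/pw"; then
  die "Generated password file is empty: $serverdb/pw"
fi

# Generate the server certificate database.
if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then
  die "Unable to initialize the server certificate database directory: $serverdb"
fi

# We need some random noise for generating keys.
if ! dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null; then
  die "Unable to gather random noise for key generation: $serverdb/noise"
fi

# Generate a request for the server's certificate. The noise file is
# removed whether or not the request succeeds.
certutil -R -d "$serverdb" -f "$serverdb/pw" \
  -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \
  -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null
rc=$?
rm -f "$serverdb/noise"
if test "$rc" -ne 0; then
  die "Unable to generate the server certificate request: $serverdb/stap.req"
fi

# Create the certificate file first so that it always has the proper
# access permissions (world-readable, owner-writable).
if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then
  die "Unable to create the server certificate file: $serverdb/$stap_certfile"
fi

# Now generate the actual, self-signed (-x) certificate, valid for 12 months
# (-v 12), with a DNS subject alternative name (-8) for this host. The
# answers fed on stdin respond to the -5 (certificate type extension)
# prompts; which entries the numbers select depends on the installed
# certutil's menu — verify against the NSS version in use.
cert_type_answers=(1 3 7 8 y)
if ! printf '%s\n' "${cert_type_answers[@]}" | \
     certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \
       -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null; then
  rm -f "$serverdb/stap.req"
  die "Unable to generate the server certificate: $serverdb/$stap_certfile"
fi
rm -f "$serverdb/stap.req"

# Add the certificate to the server's certificate/key database as a
# trusted peer, ssl server and object signer.
if ! certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" \
       -d "$serverdb" -f "$serverdb/pw"; then
  die "Unable to add the server certificate to the database: $serverdb"
fi

# Print some information about the certificate.
echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb"
certutil -L -d "$serverdb" -n stap-server | \
  awk '/Validity|Not After|Not Before/ { print $0 }' | \
  sed 's/^ */ /'

exit 0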