From 0164b44c5d65aab7a2f5b36ed7665a51dad5cee0 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Mon, 17 Oct 2005 21:16:19 +0000
Subject: Always use full paths. Quote all paths. openssl routines as functions.
---
 localmksslcerts | 161 ++++++++++++++++++++++++++++++++------------------------
 1 file changed, 93 insertions(+), 68 deletions(-)
(limited to 'localmksslcerts')
diff --git a/localmksslcerts b/localmksslcerts
index b9b30ca..3cf2f2b 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
 # /usr/local/sbin/localmksslcerts
 # Copyright 2001-2004 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.17 2005-07-01 11:33:18 jonas Exp $
+# $Id: localmksslcerts,v 1.18 2005-10-17 21:16:19 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
@@ -17,6 +17,12 @@ set -e
 prg=$(basename $0)
 copyright="(C) 2001-2004 Jonas Smedegaard "
+# Set some defaults
+PATH="$PATH:/usr/bin/ssl"
+DAYS2EXPIRE="365"
+SSLCERTDIR="/etc/ssl/certs"
+SSLPRIVDIR="/etc/ssl/private"
+
 usage() {
 echo "$prg, $copyright
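Review bot: `PATH="$PATH:/usr/bin/ssl"` builds the search path on top of whatever the caller exported, so a script that runs as root and writes key material into $SSLPRIVDIR resolves `openssl`, `chown` and `ln` through an inherited environment; starting from a fixed value, `PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/ssl"`, removes that dependency. The pre-change `PATH=$PATH:/usr/bin/ssl` had the same property, so this is not a regression, only the natural place to fix it now that the defaults are grouped. A one-line comment stating that DAYS2EXPIRE, SSLCERTDIR and SSLPRIVDIR are fixed here and not settable from the command line would also help, since the block is headed `# Set some defaults` but I see nothing in the visible hunks that overrides them (option parsing is outside this hunk, so that is inferred).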
@@ -58,10 +64,65 @@ If issuer is not given, \"postmaster@\" is used."
 exit 1
 }
-# Set some defaults
-CWD=`pwd`
-PATH=$PATH:/usr/bin/ssl
-DAYS2EXPIRE=365
+mkcerthash() {
+ filebase="$1"
+ filename="$filebase.pem"
+ certhash="$(openssl x509 -noout -hash -in "$SSLCERTDIR/$filename")"
+ hashfile="$certhash.0"
+ ln -sf "$filename" "$SSLCERTDIR/$hashfile"
+}
+
+mkselfcert() {
+ filebase="$1"
+ cn="$2"
+ state="$3"
+ loc="$4"
+ org="$5"
+ ou="$6"
+ fqdn="$7"
+ issuer="$8"
+ filename="$filebase.pem"
+ openssl req -new -x509 -nodes \
+ -days "$DAYS2EXPIRE" \
+ -keyout "$SSLCERTDIR/$filename" \
+ -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
+$cn
+$state
+$loc
+$org
+$ou
+$fqdn
+$issuer
++
+ mkcerthash "$filebase"
+ chown root:root "$SSLCERTDIR/$filename"
+ chmod 0640 "$SSLCERTDIR/$filename"
+}
+
+mkcertreq() {
+ filebase="$1"
+ cn="$2"
+ state="$3"
+ loc="$4"
+ org="$5"
+ ou="$6"
+ fqdn="$7"
+ issuer="$8"
+ filename="$filebase.pem"
+ openssl req -new \
+ -key "$SSLPRIVDIR/$filename" \
+ -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
+$cn
+$state
+$loc
+$org
+$ou
+$fqdn
+$issuer
++
+ chown root:root "$SSLCERTDIR/$filename"
+ chmod 0640 "$SSLCERTDIR/$filename"
+}
 fqdn=''
 cn=''
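Review bot: mkcertreq writes the request to `-out "$SSLCERTDIR/$filename"` with `filename="$filebase.pem"`, but its caller in the `@@ -159` hunk signs `-in "$SSLCERTDIR/$fqdn.csr"` and then runs `rm "$SSLCERTDIR/$fqdn.csr"`; the pre-change inline code wrote `$fqdn.csr`, so the request now lands under the certificate's own name and the signing step fails on a missing input. Give the request its own name, `-out "$SSLCERTDIR/$filebase.csr" > /dev/null 2>&1 <<+`, keep `-key "$SSLPRIVDIR/$filebase.pem"`, and point the trailing `chown`/`chmod` at that `.csr` path. The old here-doc also fed two extra `.` lines after `$issuer` that mkcertreq drops, presumably the challenge-password and optional-company-name prompts of a non-x509 request; confirm openssl completes on EOF there, because `> /dev/null 2>&1` hides whatever it would say. Finally, both helpers assign `cn`, `state`, `fqdn` and friends without `local`, which in sh overwrites the script's variables of the same name; callers currently pass the same values back so it is harmless today, but distinct parameter names (or `local`, if the target shell provides it) would make that explicit.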
@@ -134,24 +195,24 @@ for val in cn state loc; do
 done
 if [ -n "$cert" ]; then
- if [ ! -s /etc/ssl/certs/$fqdn.pem ] || [ ! -s /etc/ssl/private/$fqdn.pem ]; then
+ if [ ! -s "$SSLCERTDIR/$fqdn.pem" ] || [ ! -s "$SSLPRIVDIR/$fqdn.pem" ]; then
 echo "WARNING: Host certificate for \"$fqdn\" missing..."
 if [ -z "$cacert" ]; then
 echo "ERROR: The \"--cacert\" option is required when making a host certificate!"
 exit 1
 fi
 # Cleaning up - if allowed
- for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
- if [ -e $file ]; then
+ for file in "$SSLPRIVDIR/$fqdn.pem" "$SSLCERTDIR/$fqdn.csr" "$SSLCERTDIR/$fqdn.pem"; do
+ if [ -e "$file" ]; then
 if [ -n "$force" ]; then
- rm -f $file
+ rm -f "$file"
 else
- echo "ERROR: File $file already exists!"
+ echo "ERROR: File \"$file\" already exists!"
 exit 1
 fi
 fi
 done
- if [ ! -s /etc/ssl/certs/$cacert.pem ] || [ ! -s /etc/ssl/private/$cacert.pem ]; then
+ if [ ! -s "$SSLCERTDIR/$cacert.pem" ] || [ ! -s "$SSLPRIVDIR/$cacert.pem" ]; then
 echo "WARNING: CAcert (certifying authority certificate) missing..."
 if [ -z "$makeca" ]; then
 echo "ERROR: The \"--makeca\" option is required when making a CAcert!"
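Review bot: quoting `"$SSLPRIVDIR/$fqdn.pem"` and `rm -f "$file"` protects against word-splitting, but `$fqdn` is still spliced into the path unchecked, so a value containing `/` or `..` would move the `--force` removal outside the two directories; the value is parsed from the command line outside this hunk (the `for val in cn state loc` loop in the header suggests some validation exists, but its scope is not visible here). A guard before this block, `case "$fqdn" in ''|*/*|.*) echo "ERROR: Invalid fqdn \"$fqdn\""; exit 1 ;; esac`, keeps the cleanup confined to a single path component. The same applies to `$cacert` in the `[ ! -s "$SSLCERTDIR/$cacert.pem" ]` line and to `$daemon` in the later hunks.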
@@ -159,60 +220,43 @@ if [ -n "$cert" ]; then
 fi
 # Generate private key for CA certificate
 echo "Generating CAcert \"$cacert\"..."
- cd /etc/ssl/private
 #FIXME: Make strength configurable
- openssl genrsa -des3 -out $cacert.pem 1024
- chown root:root $cacert.pem
- chmod 0400 $cacert.pem
+ openssl genrsa -des3 -out "$SSLPRIVDIR/$cacert.pem" 1024
+ chown root:root "$SSLPRIVDIR/$cacert.pem"
+ chmod 0400 "$SSLPRIVDIR/$cacert.pem"
 # Generate and pre-fill certification request
- cd /etc/ssl/certs
 #FIXME: Make validity configurable
 openssl req -new \
- -key /etc/ssl/private/$cacert.pem \
+ -key "$SSLPRIVDIR/$cacert.pem" \
 -x509 -days 1095 \
- -out $cacert.pem
+ -out "$SSLCERTDIR/$cacert.pem"
 # Add hash to certified public certificate and cleanup
- ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
+ mkcerthash $cacert
 fi
 echo "Generating host certificate for \"$fqdn\"..."
 # Generate private key for host certificate
- cd /etc/ssl/private
- openssl genrsa -out $fqdn.pem
- chown root:root $fqdn.pem
- chmod 0600 $fqdn.pem
+ openssl genrsa -out "$SSLPRIVDIR/$fqdn.pem"
+ chown root:root "$SSLPRIVDIR/$fqdn.pem"
+ chmod 0600 "$SSLPRIVDIR/$fqdn.pem"
 # Generate and pre-fill certification request
- cd /etc/ssl/certs
- openssl req -new \
- -key /etc/ssl/private/$fqdn.pem \
- -out $fqdn.csr > /dev/null 2>&1 <<+
-$cn
-$state
-$loc
-$org
-$ou
-$fqdn
-$issuer
-.
-.
-+
+ mkcertreq "$fqdn" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
 # Generate public certificate from certification request
 openssl x509 -req \
 -days $DAYS2EXPIRE \
- -CA /etc/ssl/certs/$cacert.pem \
- -CAkey /etc/ssl/private/$cacert.pem \
- -CAcreateserial -out $fqdn.pem -in $fqdn.csr
+ -CA "$SSLCERTDIR/$cacert.pem" \
+ -CAkey "$SSLPRIVDIR/$cacert.pem" \
+ -CAcreateserial -out "$SSLCERTDIR/$fqdn.pem" -in "$SSLCERTDIR/$fqdn.csr"
 # Add hash to certified public certificate and cleanup
- ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
- rm $fqdn.csr
+ mkcerthash $fqdn
+ rm "$SSLCERTDIR/$fqdn.csr"
 fi
 fi
-cd /etc/ssl/certs
 for daemon in $daemons $@; do
- if [ -f $daemon.pem ]; then
+ if [ -f "$SSLCERTDIR/$daemon.pem" ]; then
 if [ -n "$force" ]; then
- rm -f `openssl x509 -noout -hash < $daemon.pem`.0
- rm -f $daemon.pem
+ rm -f "$SSLCERTDIR/$(openssl x509 -noout -hash < "$SSLCERTDIR/$daemon.pem").0"
+ rm -f "$SSLCERTDIR/$daemon.pem"
 else
 echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem already exists...)"
 continue
@@ -220,30 +264,11 @@ for daemon in $daemons $@; do
 fi
 if [ -n "$cert" ]; then
 echo "Attaching $daemon to certified certificate for $fqdn."
- ln -sf $fqdn.pem $daemon.pem
- (
- cd /etc/ssl/private
- ln -sf $fqdn.pem $daemon.pem
- )
+ ln -sf "$fqdn.pem" "$SSLCERTDIR/$daemon.pem"
+ ln -sf "$fqdn.pem" "$SSLPRIVDIR/$daemon.pem"
 else
 echo -n "Generating self-certifying $daemon certificate..."
- openssl req -new -x509 -nodes \
- -days $DAYS2EXPIRE \
- -keyout $daemon.pem \
- -out $daemon.pem > /dev/null 2>&1 <<+
-$cn
-$state
-$loc
-$org
-$ou
-$fqdn
-$issuer
-+
- ln -sf $daemon.pem `openssl x509 -noout -hash -in $daemon.pem`.0
- chown root:root $daemon.pem
- chmod 0640 $daemon.pem
+ mkselfcert "$daemon" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
 echo "Done!"
 fi
 done
-
-cd $CWD
-- 
cgit v1.2.3
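Review bot: `mkcerthash $cacert` and `mkcerthash $fqdn` are the only expansions in the rewritten lines left unquoted, which contradicts the commit's own "Quote all paths"; write `mkcerthash "$cacert"` and `mkcerthash "$fqdn"`. In the `--force` branch, `rm -f "$SSLCERTDIR/$(openssl x509 -noout -hash < "$SSLCERTDIR/$daemon.pem").0"` hides a failing `openssl`: a malformed existing file yields an empty substitution, the command degrades to `rm -f "$SSLCERTDIR/.0"`, and `set -e` never sees the substitution's status, whereas assigning first, as mkcerthash already does with `certhash=`, makes the failure abort the script, `certhash=$(openssl x509 -noout -hash < "$SSLCERTDIR/$daemon.pem")` then `rm -f "$SSLCERTDIR/$certhash.0"`. The untouched `echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem ...` still hardcodes the directory that the check just above now reads from `$SSLCERTDIR`, so the message would mislead if the variable were ever changed. The `if [ -n "$cert" ]` block this hunk starts in is opened before the hunk.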
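Review bot: the `else` branch now calls `mkselfcert "$daemon" …`, whose `-keyout`/`-out` (defined in the `@@ -58` hunk) put the `-nodes` private key and the certificate into the same `$SSLCERTDIR/$daemon.pem` at mode 0640 rather than under `$SSLPRIVDIR`; the inline code it replaces did exactly this, so nothing regresses, but the reason is no longer visible at the call site. A comment above the call such as `# self-signed daemon certs are a combined key+cert file in $SSLCERTDIR (presumably what the daemons expect; see mkselfcert)` would keep the next reader from "fixing" it, and if some daemons accept a separate key file, redirecting `-keyout` to `$SSLPRIVDIR` inside mkselfcert is the place to do that. The enclosing `for daemon` loop is opened in the previous hunk.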