scripts: Fix lazy chown syntax
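#!/bin/sh
#
# domtool-addcert: generate a 4096-bit RSA key and a certificate request
# for USERNAME, sign the request with the domtool CA and install key and
# certificate under the paths reported by `domtool-config -path cert ...`.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#   -unsafe  skip the chown of the key directory to USERNAME (for server
#            principals that have no passwd entry)
#
# Shell options live here rather than on the shebang line so they are not
# lost when the script is started as `sh domtool-addcert`.
set -eu

# Not called USER: that variable is normally exported by the login shell,
# and reassigning an exported variable changes the environment seen by
# every child (openssl, sudo, fs).
TARGET="${1-}"
if test -z "$TARGET"; then
  echo "Usage: domtool-addcert USERNAME [-unsafe]" >&2
  exit 1
fi

umask 0066 # Prevent others from reading any files created on the local fs

KEYDIR=$(domtool-config -path cert keys)/$TARGET
KEYFILE=$KEYDIR/key.pem
CERTFILE=$(domtool-config -path cert certs)/$TARGET.pem
CACONF=$(domtool-config -path cert ca)/domtool-openssl.conf

# Private work directory with an unpredictable name (mktemp creates it
# mode 0700): the request and a copy of the private key pass through it,
# so a fixed path under /tmp would be exposed to symlink tricks by other
# local users.
WORKDIR=$(mktemp -d /tmp/domtool-keyreq.XXXXXX) || {
  echo "Cannot create work dir" >&2
  exit 1
}
# Remove the work directory on every exit path: if a later step fails the
# bundled request+key ($NEW) must not be left behind in /tmp.
trap 'rm -rf -- "${WORKDIR:?}"' EXIT
NEWREQ=$WORKDIR/.newreq.pem
NEW=$WORKDIR/.new.pem
NEWCERT=$WORKDIR/.cert

mkdir "$KEYDIR" || echo "Key directory already exists." >&2
# NOTE: an existing key.pem for this user is overwritten; the certificate
# issued below is for the new key.
openssl genrsa -out "$KEYFILE" 4096
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems
chmod 700 "$KEYDIR"
chmod 600 "$KEYFILE"
if [ "${2-}" != '-unsafe' ]; then
  if getent passwd "$TARGET" >/dev/null; then
    chown -R "$TARGET:nogroup" "$KEYDIR"
  else
    echo "$TARGET does not exist. This must be a server principal." >&2
  fi
fi

# AFS ACL for the key directory; best-effort, as in the original: fails
# when the directory is not in AFS or TARGET is not a known principal.
fs sa "$KEYDIR" "$TARGET" read || echo "This must be a server principal." >&2

# Answers for the interactive prompts of `openssl req`, fed on stdin
# instead of through a temp file. "." leaves a DN field empty; with the
# default openssl config the five dots presumably cover C, ST, L, O, OU
# (verify against the installed openssl.cnf), followed by CN and
# emailAddress, then two empty answers for the optional extra attributes.
# fixme: domtool-config -domain
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <<EOF
.
.
.
.
.
$TARGET
$TARGET@$(domtool-config -domain)


EOF
cat "$NEWREQ" "$KEYFILE" >"$NEW"
rm -- "$NEWREQ"

ROOTCMD=""
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key.
if [ ! -r "$CACONF" ]; then
  ROOTCMD=sudo
fi

# $ROOTCMD is deliberately unquoted: when empty it must vanish from the
# command line rather than become an empty first word.
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$NEWCERT" -infiles "$NEW"
$ROOTCMD chown "$(whoami)" "$NEWCERT"
mv -- "$NEWCERT" "$CERTFILE"
rm -- "$NEW"
# $WORKDIR is removed by the EXIT trap.
#chown domtool.nogroup $CERTFILE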