X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/blobdiff_plain/385c3534feda76934476fd3a058574fc84e302da..ec76f5e64acbc68248b1555f4ba74594be8b939b:/scripts/domtool-addcert
diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert
dissimilarity index 62%
index 535d825..9b5495b 100755
--- a/scripts/domtool-addcert
+++ b/scripts/domtool-addcert
@@ -1,29 +1,66 @@
-#!/bin/sh -e
-
- KEYDIR=/afs/hcoop.net/common/etc/domtool/keys/$1
- KEYFILE=$KEYDIR/key.pem
-CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$1.pem
- NEWREQ=~/.newreq.pem
- NEW=~/.new.pem
- KEYIN=~/.keyin
-
-mkdir $KEYDIR || echo Already exists
-openssl genrsa -out $KEYFILE
-chown -R domtool.domtool $KEYDIR
-fs sa $KEYDIR $1 read
-echo "." >$KEYIN
-echo "." >>$KEYIN
-echo "." >>$KEYIN
-echo "." >>$KEYIN
-echo "." >>$KEYIN
-echo "$1" >>$KEYIN
-echo "$1@hcoop.net" >>$KEYIN
-echo "" >>$KEYIN
-echo "" >>$KEYIN
-openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
-rm $KEYIN
-cat $NEWREQ $KEYFILE >$NEW
-rm $NEWREQ
-openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
-rm $NEW
-chown domtool.domtool $CERTFILE
+#!/bin/sh -e
+
+USER="$1"
+if test -z "$USER"; then
+ echo Usage: domtool-addcert USERNAME
+ exit 1
+fi
+
+umask 0066 # Prevent others from reading any files creating on local fs
+
+ WORKDIR=/tmp/domtool-keyreq
+ KEYDIR=`domtool-config -path cert keys`/$USER
+ KEYFILE=$KEYDIR/key.pem
+CERTFILE=`domtool-config -path cert certs`/$USER.pem
+ NEWREQ=$WORKDIR/.newreq.pem
+ NEW=$WORKDIR/.new.pem
+ KEYIN=$WORKDIR/.keyin
+ NEWCERT=$WORKDIR/.cert
+ CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
+
+mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1)
+
+mkdir $KEYDIR || echo Key directory already exists.
+openssl genrsa -out $KEYFILE 4096
+# chown -R domtool.nogroup $KEYDIR
+# chmod for non-afs systems
+chmod 700 $KEYDIR
+chmod 600 $KEYFILE
+if [ "$2" != '-unsafe' ]; then
+ if [ -z "`getent passwd $USER`" ]; then
+ echo "$USER does not exist. This must be a server principal."
+ else
+ chown -R $USER.nogroup $KEYDIR
+ fi
+fi
+
+fs sa $KEYDIR $USER read || echo This must be a server principal.
+echo "." >$KEYIN
+echo "." >>$KEYIN
+echo "." >>$KEYIN
+echo "." >>$KEYIN
+echo "." >>$KEYIN
+echo "$USER" >>$KEYIN
+# fixme: domtool-config -domain
+echo "$USER@`domtool-config -domain`" >>$KEYIN
+echo "" >>$KEYIN
+echo "" >>$KEYIN
+openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
+rm $KEYIN
+cat $NEWREQ $KEYFILE >$NEW
+rm $NEWREQ
+
+ROOTCMD=""
+# Insecure CA is OK for development, and if the CA is in afs it is
+# assumed the script is being run with sufficient
+# permissions. Otherwise, become root to use the ca private key,
+if [ ! -r $CACONF ]; then
+ ROOTCMD=sudo
+fi
+
+$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $NEWCERT -infiles $NEW
+$ROOTCMD chown `whoami` $NEWCERT
+mv $NEWCERT $CERTFILE
+rm $NEW
+rm $WORKDIR -rf
+#chown domtool.nogroup $CERTFILE
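Review bot: The work directory is a fixed, predictable path (`WORKDIR=/tmp/domtool-keyreq`) and the private key is copied into it by `cat $NEWREQ $KEYFILE >$NEW`; if `openssl ca` or any earlier step fails, `sh -e` aborts before `rm $NEW` and `rm $WORKDIR -rf`, so the key material is left behind in /tmp and the next run fails at `mkdir $WORKDIR`. Replacing the fixed path with `WORKDIR=$(mktemp -d) || exit 1` followed by `trap 'rm -rf "$WORKDIR"' EXIT` removes both the predictable name and the leftover-on-failure, and makes the final `rm $WORKDIR -rf` redundant. The fallback `(echo Cannot create work dir ; exit 1)` runs in a subshell, so its `exit 1` ends only the subshell and the script stops there only because `-e` trips on the subshell's non-zero status as the last element of the `||` list; `{ echo 'Cannot create work dir' >&2; exit 1; }` states the intent directly. Separately, `USER="$1"` is interpolated unquoted into `$KEYDIR`, `$CERTFILE`, `chown -R $USER.nogroup $KEYDIR` and `getent passwd $USER` with no validation beyond the empty check, so a value containing `/`, `..` or whitespace places the key directory and the recursive chown outside the keys tree; a guard such as `case "$USER" in *[!A-Za-z0-9._-]*) echo "invalid username" >&2; exit 1;; esac` after the usage check would close that.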