X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/blobdiff_plain/d63aa5e7b08630cc17a606e85e35acc5bd0041ee..2a0307b3c1b24fd9b8d2256fe9bb5d8800f1c3f0:/scripts/domtool-addcert
diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert
index 25533b1..21eddba 100755
--- a/scripts/domtool-addcert
+++ b/scripts/domtool-addcert
@@ -6,14 +6,20 @@ if test -z "$USER"; then
 exit 1
 fi
+umask 0066 # Prevent others from reading any files creating on local fs
+
+
 WORKDIR=/tmp/domtool-keyreq
 KEYDIR=`domtool-config -path cert keys`/$USER
 KEYFILE=$KEYDIR/key.pem
 CERTFILE=`domtool-config -path cert certs`/$USER.pem
- NEWREQ=~/.newreq.pem
- NEW=~/.new.pem
- KEYIN=~/.keyin
+ NEWREQ=$WORKDIR/.newreq.pem
+ NEW=$WORKDIR/.new.pem
+ KEYIN=$WORKDIR/.keyin
+ NEWCERT=$WORKDIR/.cert
 CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
+mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1)
+
 mkdir $KEYDIR || echo Key directory already exists.
 openssl genrsa -out $KEYFILE 4096
 # chown -R domtool.nogroup $KEYDIR
@@ -24,7 +30,7 @@ if [ "$2" != '-unsafe' ]; then
 if [ -z "`getent passwd $USER`" ]; then
 echo "$USER does not exist. This must be a server principal."
 else
- chown -R $USER.nogroup $KEYDIR
+ chown -R $USER:nogroup $KEYDIR
 fi
 fi
@@ -52,6 +58,9 @@ if [ ! -r $CACONF ]; then
 ROOTCMD=sudo
 fi
-$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW
+$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $NEWCERT -infiles $NEW
+$ROOTCMD chown `whoami` $NEWCERT
+mv $NEWCERT $CERTFILE
 rm $NEW
+rm $WORKDIR -rf
 #chown domtool.nogroup $CERTFILE
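Review bot: The `|| (echo Cannot create work dir ; exit 1)` on the new `mkdir $WORKDIR` line exits only the subshell the parentheses create, so when /tmp/domtool-keyreq already exists — a stale directory from an earlier run, or one that another local user created first, since the path is fixed and world-visible — the script prints the message and then carries on, writing the key request into a directory it did not create and may not own, and the `chmod 700` is skipped as well because the `&&` chain short-circuits. A brace group makes the exit apply to the script, `mkdir $WORKDIR && chmod 700 $WORKDIR || { echo Cannot create work dir >&2; exit 1; }`, and replacing the fixed name with `WORKDIR=$(mktemp -d) || exit 1` removes the pre-existing-directory case altogether, since mktemp creates a fresh 0700 directory under an unpredictable name. The comment on the `umask 0066` line says "any files creating"; `any files created` is what is meant.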
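Review bot: The new `rm $WORKDIR -rf` at the end of the last hunk places the option after the operand, which GNU rm tolerates but POSIX rm does not, and because the mkdir failure in the first hunk does not stop the script, this line can remove a /tmp/domtool-keyreq that the script did not create; `rm -rf -- "${WORKDIR:?}"` is the conventional form and refuses to run when the variable is empty. The `$ROOTCMD chown \`whoami\` $NEWCERT` / `mv $NEWCERT $CERTFILE` pair also changes how the certificate file is created: it is now written under `umask 0066`, chowned to the invoking user and moved into place, so $CERTFILE ends up owned by that user and, if the umask survives `$ROOTCMD`, with mode 0600, whereas before openssl ca wrote it in place as root. If anything other than the invoking user reads $CERTFILE (the commented `#chown domtool.nogroup $CERTFILE` suggests its ownership mattered), an explicit `chmod 644 $CERTFILE` after the mv would make the intended mode visible rather than umask-dependent.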