1 #!@BASHPATH@
2
3 #
4 # Copyright (c) 2015-2016 Red Hat, Inc.
5 #
6 # All rights reserved.
7 #
8 # Author: Jan Friesse (jfriesse@redhat.com)
9 #
10 # This software licensed under BSD license, the text of which follows:
11 #
12 # Redistribution and use in source and binary forms, with or without
13 # modification, are permitted provided that the following conditions are met:
14 #
15 # - Redistributions of source code must retain the above copyright notice,
16 # this list of conditions and the following disclaimer.
17 # - Redistributions in binary form must reproduce the above copyright notice,
18 # this list of conditions and the following disclaimer in the documentation
19 # and/or other materials provided with the distribution.
20 # - Neither the name of the Red Hat, Inc. nor the names of its
21 # contributors may be used to endorse or promote products derived from this
22 # software without specific prior written permission.
23 #
24 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
25 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
28 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
29 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
32 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
34 # THE POSSIBILITY OF SUCH DAMAGE.
35 #
36
# Location of the qnetd configuration and of the NSS database that holds the
# CA and server key material created by this script.
CONFIG_DIR="@COROSYSCONFDIR@/qnetd"
DB_DIR="$CONFIG_DIR/nssdb"

# Validity of issued certificates in months (passed to certutil -v).
CRT_VALIDITY=1200

# Nicknames and subjects of the two certificates kept in the NSS database.
CA_NICKNAME="QNet CA"
CA_SUBJECT="CN=QNet CA"
SERVER_NICKNAME="QNetd Cert"
SERVER_SUBJECT="CN=Qnetd Server"

# Files kept next to the database.
PWD_FILE="$DB_DIR/pwdfile.txt"              # NSS database password file
NOISE_FILE="$DB_DIR/noise.txt"              # seed material for certutil -z
SERIAL_NO_FILE="$DB_DIR/serial.txt"         # last issued certificate serial number
CA_EXPORT_FILE="$DB_DIR/qnetd-cacert.crt"   # exported CA certificate
49
#######################################
# Print the command synopsis to stdout and terminate the script.
# Used for -h and for any invocation without a valid operation;
# exits 0 in both cases.
# Globals:   none written
# Arguments: none ($0 is the script name)
# Outputs:   usage text on stdout
#######################################
usage() {
  printf '%s: [-i|-s] [-c certificate] [-n cluster_name]\n' "$0"
  printf '\n'
  cat <<'EOF'
 -i Initialize QNetd CA and generate server certificate
 -s Sign cluster certificate (needs cluster certificate)
 -c certificate CRQ certificate file name
 -n cluster_name Name of cluster (for -s operation)
EOF

  exit 0
}
60
#######################################
# Give the named files the same owner and group as CONFIG_DIR.
# Only root can hand files to another user, so for any other uid this is
# a no-op. GNU chown --reference is tried first; if that fails the
# owner:group is read with BSD-style `stat -f` and passed explicitly.
# Globals:   CONFIG_DIR (read)
# Arguments: files to chown
# Returns:   0 when not root or when either chown succeeds, otherwise the
#            status of the fallback chown
#######################################
chown_ref_cfgdir() {
  local owner

  [ "$UID" == "0" ] || return 0

  if chown --reference="$CONFIG_DIR" "$@" 2>/dev/null; then
    return 0
  fi

  owner=$(stat -f "%u:%g" "$CONFIG_DIR")
  chown "$owner" "$@" 2>/dev/null
}
66
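#######################################
# Create the noise file used as seed material for certutil -z, unless it
# already exists. The content is the SHA-1 of some volatile system output;
# certutil is expected to mix it with its own RNG seeding (it is supplementary
# material, not the sole entropy source — confirm against the NSS version in
# use).
# Globals:   none written
# Arguments: $1 - path of the noise file
# Outputs:   progress message on stdout
# Returns:   status of the final chmod when creating, 0 when reusing
#######################################
create_new_noise_file() {
  local noise_file="$1"

  if [ -e "$noise_file" ];then
    echo "Using existing noise file $noise_file"
    return 0
  fi

  echo "Creating new noise file $noise_file"

  # Write under umask 077 so the file is never group/world readable before
  # the explicit chmod below; the subshell keeps the umask change local.
  (
    umask 077
    (ps -elf; date; w) | sha1sum | (read -r sha_sum _; echo "$sha_sum") > "$noise_file"
  )

  chown_ref_cfgdir "$noise_file"
  chmod 0660 "$noise_file"
}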
81
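#######################################
# Hand out the next certificate serial number. The counter lives in
# SERIAL_NO_FILE; it is seeded with 100 on first use, so the first serial
# issued is 101. The read-modify-write is not locked, so two concurrent
# invocations could obtain the same serial.
# Globals:   SERIAL_NO_FILE (read/written)
# Arguments: none
# Outputs:   the new serial number on stdout
# Returns:   0 on success, 1 if the counter file is not a plain decimal or
#            cannot be written
#######################################
get_serial_no() {
  local serial_no

  if ! [ -f "$SERIAL_NO_FILE" ];then
    echo "100" > "$SERIAL_NO_FILE"
    chown_ref_cfgdir "$SERIAL_NO_FILE"
    chmod 0660 "$SERIAL_NO_FILE"
  fi

  serial_no=$(cat "$SERIAL_NO_FILE")

  # Accept only a plain decimal: $(( )) evaluates its operand as an arithmetic
  # expression, so anything else in the file would be interpreted rather than
  # rejected.
  case "$serial_no" in
    ''|*[!0-9]*)
      echo "Serial number file $SERIAL_NO_FILE is corrupted" >&2
      return 1
      ;;
  esac

  # 10# forces decimal so a leading zero is not read as octal.
  serial_no=$((10#$serial_no + 1))
  echo "$serial_no" > "$SERIAL_NO_FILE" || return 1
  echo "$serial_no"
}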
95
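#######################################
# Initialize the qnetd NSS database: create the db with an empty password,
# generate the self-signed CA, export the CA certificate and issue the
# server certificate signed by that CA.
# The database password is intentionally empty so qnetd can open the key
# store unattended; protection of the private key therefore rests entirely
# on the directory/file modes set here.
# NOTE(review): the cert8.db/key3.db/secmod.db names assume the legacy dbm
# NSS format; newer certutil releases default to the sql format
# (cert9.db/key4.db) — confirm against the installed NSS.
# Globals:   DB_DIR, PWD_FILE, NOISE_FILE, CA_NICKNAME, CA_SUBJECT,
#            SERVER_NICKNAME, SERVER_SUBJECT, CRT_VALIDITY, CA_EXPORT_FILE (read)
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   does not return on error (exit 1)
#######################################
init_qnetd_ca() {
  if [ -f "$DB_DIR/cert8.db" ];then
    echo "Certificate database ($DB_DIR) already exists. Delete it to initialize new db" >&2

    exit 1
  fi

  command -v certutil >/dev/null || { echo "certutil not found" >&2; exit 1; }

  if ! [ -d "$DB_DIR" ];then
    echo "Creating $DB_DIR"
    mkdir -p "$DB_DIR" || exit 1
    chown_ref_cfgdir "$DB_DIR"
    chmod 0770 "$DB_DIR"
  fi

  echo "Creating new key and cert db"
  # Create the password file and the NSS databases under umask 077 so the key
  # database is never readable by others between its creation and the chmod
  # below; the subshell keeps the umask change local.
  (
    umask 077
    : > "$PWD_FILE" || exit 1
    certutil -N -d "$DB_DIR" -f "$PWD_FILE"
  ) || { echo "Can't create certificate database in $DB_DIR" >&2; exit 1; }
  chown_ref_cfgdir "$PWD_FILE"
  chmod 0660 "$PWD_FILE"
  chown_ref_cfgdir "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
  chmod 0660 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"

  create_new_noise_file "$NOISE_FILE"

  echo "Creating new CA"
  # Self-signed CA certificate. -2 (basic constraints) prompts three times on
  # stdin: is this a CA (y), path length constraint (0), critical extension (y).
  printf 'y\n0\ny\n\n' | certutil -S -n "$CA_NICKNAME" -s "$CA_SUBJECT" -x \
    -t "CT,," -m "$(get_serial_no)" -v "$CRT_VALIDITY" -d "$DB_DIR" \
    -z "$NOISE_FILE" -f "$PWD_FILE" -2 \
    || { echo "Can't create CA certificate" >&2; exit 1; }

  # Export CA certificate: readable dump first, then the ASCII (-a) form.
  certutil -L -d "$DB_DIR" -n "$CA_NICKNAME" > "$CA_EXPORT_FILE"
  certutil -L -d "$DB_DIR" -n "$CA_NICKNAME" -a >> "$CA_EXPORT_FILE"
  chown_ref_cfgdir "$CA_EXPORT_FILE"

  # Server certificate signed by the CA just created.
  certutil -S -n "$SERVER_NICKNAME" -s "$SERVER_SUBJECT" -c "$CA_NICKNAME" -t "u,u,u" -m "$(get_serial_no)" \
    -v "$CRT_VALIDITY" -d "$DB_DIR" -z "$NOISE_FILE" -f "$PWD_FILE" \
    || { echo "Can't create server certificate" >&2; exit 1; }

  echo "QNetd CA certificate is exported as $CA_EXPORT_FILE"
}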
136
137
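#######################################
# Sign a cluster certificate request with the qnetd CA.
# Globals:   DB_DIR, CRT_VALIDITY, CERTIFICATE_FILE, CRT_FILE, CA_NICKNAME (read)
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   does not return on error (exit 1)
#######################################
sign_cluster_cert() {
  if ! [ -f "$DB_DIR/cert8.db" ];then
    # The initialize option is -i (see getopts); the old text said -I.
    echo "Certificate database doesn't exist. Use $0 -i to create it" >&2

    exit 1
  fi

  echo "Signing cluster certificate"
  # -C issues a certificate for the request in CERTIFICATE_FILE, signed with
  # the CA key in the NSS db, and writes it to CRT_FILE. Fail loudly instead
  # of reporting a file that was never written.
  if ! certutil -C -v "$CRT_VALIDITY" -m "$(get_serial_no)" -i "$CERTIFICATE_FILE" -o "$CRT_FILE" \
    -c "$CA_NICKNAME" -d "$DB_DIR"; then
    echo "Can't sign cluster certificate $CERTIFICATE_FILE" >&2

    exit 1
  fi
  chown_ref_cfgdir "$CRT_FILE"

  echo "Certificate stored in $CRT_FILE"
}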
151
152
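# Command line handling. OPERATION selects the function to run; -c and -n are
# only meaningful for -s.
OPERATION=""
CERTIFICATE_FILE=""
CLUSTER_NAME=""

while getopts ":hisc:n:" opt; do
  case "$opt" in
    i)
      OPERATION=init_qnetd_ca
      ;;
    s)
      OPERATION=sign_cluster_cert
      ;;
    h)
      usage
      ;;
    c)
      CERTIFICATE_FILE="$OPTARG"
      ;;
    n)
      CLUSTER_NAME="$OPTARG"
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2

      exit 1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2

      exit 1
      ;;
  esac
done

[ "$OPERATION" == "" ] && usage

# The cluster name becomes part of the output file name below, so a name
# containing '/' would place the signed certificate outside DB_DIR.
case "$CLUSTER_NAME" in
  */*)
    echo "Invalid cluster name '$CLUSTER_NAME': must not contain '/'" >&2

    exit 2
    ;;
esac

CRT_FILE="$DB_DIR/cluster-$CLUSTER_NAME.crt"

case "$OPERATION" in
  "init_qnetd_ca")
    init_qnetd_ca
    ;;
  "sign_cluster_cert")
    if [ "$CERTIFICATE_FILE" == "" ];then
      echo "You have to specify certificate file (-c)" >&2

      exit 2
    fi

    if ! [ -e "$CERTIFICATE_FILE" ];then
      echo "Can't open certificate file $CERTIFICATE_FILE" >&2

      exit 2
    fi

    if [ "$CLUSTER_NAME" == "" ];then
      echo "You have to specify cluster name" >&2

      exit 2
    fi

    sign_cluster_cert
    ;;
  *)
    usage
    ;;
esac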