4 # Copyright (c) 2015-2016 Red Hat, Inc.
8 # Author: Jan Friesse (jfriesse@redhat.com)
10 # This software licensed under BSD license, the text of which follows:
12 # Redistribution and use in source and binary forms, with or without
13 # modification, are permitted provided that the following conditions are met:
15 # - Redistributions of source code must retain the above copyright notice,
16 # this list of conditions and the following disclaimer.
17 # - Redistributions in binary form must reproduce the above copyright notice,
18 # this list of conditions and the following disclaimer in the documentation
19 # and/or other materials provided with the distribution.
20 # - Neither the name of the Red Hat, Inc. nor the names of its
21 # contributors may be used to endorse or promote products derived from this
22 # software without specific prior written permission.
24 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
25 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
28 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
29 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
30 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
31 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
32 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
33 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
34 # THE POSSIBILITY OF SUCH DAMAGE.
# Locations and naming used by the qnetd certificate helper.
# @COROSYSCONFDIR@ looks like a build-time substitution placeholder (confirm
# in the build system); everything else lives under it.
CONFIG_DIR="@COROSYSCONFDIR@/qnetd"
DB_DIR="${CONFIG_DIR}/nssdb"
# Validity of certificate (months)
# NOTE(review): CRT_VALIDITY and CA_NICKNAME, both used by the certutil calls
# later in the script, are not visible in this listing; presumably they are
# assigned right here.
SERVER_NICKNAME="QNetd Cert"
CA_SUBJECT="CN=QNet CA"
SERVER_SUBJECT="CN=Qnetd Server"
# Files kept inside the NSS database directory.
PWD_FILE="${DB_DIR}/pwdfile.txt"
NOISE_FILE="${DB_DIR}/noise.txt"
SERIAL_NO_FILE="${DB_DIR}/serial.txt"
CA_EXPORT_FILE="${DB_DIR}/qnetd-cacert.crt"
# Body of usage: print the option summary. The function header line and
# whatever follows the last echo (presumably an exit) are not present in this
# listing. The messages go to stdout, not stderr.
51 echo "$0: [-i|-s] [-c certificate] [-n cluster_name]"
53 echo " -i Initialize QNetd CA and generate server certificate"
54 echo " -s Sign cluster certificate (needs cluster certificate)"
55 echo " -c certificate CRQ certificate file name"
56 echo " -n cluster_name Name of cluster (for -s operation)"
# Body of chown_ref_cfgdir (its header line and the closing fi / } are not in
# this listing): when running as root, give every path in "$@" the same
# owner:group as CONFIG_DIR. GNU chown --reference is tried first; the
# fallback reads owner:group with the BSD stat -f "%u:%g" form. Both attempts
# have stderr silenced, so a failure is only visible through the return status
# that "return $?" passes back to the caller.
# NOTE(review): $UID and == inside [ ] are bash extensions; the shebang is not
# visible here, so confirm the script is run by bash rather than /bin/sh.
62 if [ "$UID" == "0" ];then
63 chown
--reference="$CONFIG_DIR" "$@" 2>/dev
/null || chown
"$(stat -f "%u
:%g
" "$CONFIG_DIR")" "$@" 2>/dev
/null ||
return $?
#######################################
# Create the noise file handed to certutil -z unless it already exists.
# Arguments: $1 - noise file path (the body reads $noise_file, presumably
#            assigned from $1 on a line missing from this listing; the
#            else / fi / } lines are missing here as well)
# Outputs:   progress message on stdout
#######################################
67 create_new_noise_file
() {
# NOTE(review): the "noise" is the sha1sum of ps/date/w output, i.e. 40 hex
# characters derived from observable system state rather than from an entropy
# source. certutil -z only mixes this file into NSS's RNG, so treat it as
# supplementary seeding, not as the keys' randomness (presumably NSS still
# seeds from the OS - confirm for the NSS build in use).
# The redirect creates the file under the ambient umask and chmod 0660 is
# applied afterwards, so its mode briefly depends on the caller's umask.
70 if [ ! -e "$noise_file" ];then
71 echo "Creating new noise file $noise_file"
73 (ps
-elf; date; w
) |
sha1sum |
(read sha_sum rest
; echo $sha_sum) > "$noise_file"
75 chown_ref_cfgdir
"$noise_file"
76 chmod 0660 "$noise_file"
78 echo "Using existing noise file $noise_file"
# Body of get_serial_no (header line, closing fi / } not in this listing):
# keep an increasing certificate serial in SERIAL_NO_FILE, seeded with 100,
# and advance it by one per call. Callers use $(get_serial_no) for
# certutil -m, so the new value is presumably echoed on a line missing here.
# NOTE(review): read-increment-write with no locking; two concurrent runs can
# hand out the same serial, producing two certificates with one serial under
# the same CA. Wrapping the update in flock(1) and checking that the file
# holds digits only before the $((...)) would harden this.
# NOTE(review): $SERIAL_NO_FILE is unquoted in the redirects and in cat
# (every other path in the script is quoted), and the backticks are the
# legacy form of $(...).
85 if ! [ -f "$SERIAL_NO_FILE" ];then
86 echo "100" > $SERIAL_NO_FILE
87 chown_ref_cfgdir
"$SERIAL_NO_FILE"
88 chmod 0660 "$SERIAL_NO_FILE"
90 serial_no
=`cat $SERIAL_NO_FILE`
91 serial_no
=$
((serial_no
+1))
92 echo "$serial_no" > $SERIAL_NO_FILE
# Body of init_qnetd_ca (header line, the exit after the first error message,
# the line between "Creating $DB_DIR" and its chown - presumably the mkdir -
# and the fi / } lines are not in this listing): refuse to run over an
# existing database, create the NSS DB and noise file, generate a self-signed
# CA and a server certificate signed by it, then export the CA certificate.
# NOTE(review): PWD_FILE is written empty and passed to certutil -N -f, so the
# key database is protected by no password; its confidentiality rests entirely
# on the 0660 mode and the CONFIG_DIR ownership applied below. Each file is
# created under the ambient umask and chmod'ed only afterwards; a umask 077
# (or 027) at the top of the script would close that window.
# NOTE(review): only the legacy dbm files (cert8.db/key3.db/secmod.db) are
# checked for and re-permissioned. An NSS build that creates the sql-format
# files (cert9.db/key4.db) would pass the existence check and miss the chmod -
# confirm against the NSS version this is deployed with.
# echo -n and echo -e are not portable to every /bin/sh (": > file" and
# printf are); $CRT_VALIDITY is unquoted in both certutil -S calls here but
# quoted in sign_cluster_cert.
97 if [ -f "$DB_DIR/cert8.db" ];then
98 echo "Certificate database ($DB_DIR) already exists. Delete it to initialize new db" >&2
103 if ! [ -d "$DB_DIR" ];then
104 echo "Creating $DB_DIR"
106 chown_ref_cfgdir
"$DB_DIR"
110 echo "Creating new key and cert db"
111 echo -n "" > "$PWD_FILE"
112 chown_ref_cfgdir
"$PWD_FILE"
113 chmod 0660 "$PWD_FILE"
115 certutil
-N -d "$DB_DIR" -f "$PWD_FILE"
116 chown_ref_cfgdir
"$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
117 chmod 0660 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
119 create_new_noise_file
"$NOISE_FILE"
121 echo "Creating new CA"
122 # Create self-signed certificate (CA). Asks 3 questions (is this CA, lifetime and critical extension
# The piped "y\n0\ny\n" answers those prompts non-interactively; -2 requests
# the basic-constraints extension, -x self-signs, "CT,," marks it trusted as
# a CA in the DB.
123 echo -e "y\n0\ny\n" | certutil
-S -n "$CA_NICKNAME" -s "$CA_SUBJECT" -x \
124 -t "CT,," -m "$(get_serial_no)" -v $CRT_VALIDITY -d "$DB_DIR" \
125 -z "$NOISE_FILE" -f "$PWD_FILE" -2
126 # Export CA certificate in ascii
# Two passes: the human-readable dump first, then the PEM (-a) appended.
127 certutil
-L -d "$DB_DIR" -n "$CA_NICKNAME" > "$CA_EXPORT_FILE"
128 certutil
-L -d "$DB_DIR" -n "$CA_NICKNAME" -a >> "$CA_EXPORT_FILE"
129 chown_ref_cfgdir
"$CA_EXPORT_FILE"
# Server certificate issued (-c) by the CA just created; "u,u,u" = user cert.
131 certutil
-S -n "$SERVER_NICKNAME" -s "$SERVER_SUBJECT" -c "$CA_NICKNAME" -t "u,u,u" -m "$(get_serial_no)" \
132 -v $CRT_VALIDITY -d "$DB_DIR" -z "$NOISE_FILE" -f "$PWD_FILE"
134 echo "QNetd CA certificate is exported as $CA_EXPORT_FILE"
#######################################
# Sign the cluster's certificate request (CERTIFICATE_FILE) with the QNetd CA
# and write the issued certificate to CRT_FILE. The exit after the error
# message and the closing fi / } are not present in this listing.
# Globals:   DB_DIR, CRT_VALIDITY, CERTIFICATE_FILE, CRT_FILE, CA_NICKNAME
# Outputs:   progress messages on stdout, errors on stderr
#######################################
138 sign_cluster_cert
() {
# NOTE(review): the hint says "$0 -I" but the getopts string below only
# accepts lower-case -i; the message should read "Use $0 -i to create it"
# (and "doesn't exist"). Same dbm-only check as init_qnetd_ca: an sql-format
# NSS DB (cert9.db) would not be recognised here - confirm for the NSS in use.
139 if ! [ -f "$DB_DIR/cert8.db" ];then
140 echo "Certificate database doesn't exists. Use $0 -I to create it" >&2
145 echo "Signing cluster certificate"
# The serial is taken from the unlocked counter in SERIAL_NO_FILE, so two
# simultaneous signing runs could issue the same serial.
146 certutil
-C -v "$CRT_VALIDITY" -m "$(get_serial_no)" -i "$CERTIFICATE_FILE" -o "$CRT_FILE" -c "$CA_NICKNAME" -d "$DB_DIR"
147 chown_ref_cfgdir
"$CRT_FILE"
149 echo "Certificate stored in $CRT_FILE"
# Top-level option parsing and argument validation. The case arms, the exit
# statements after the error messages and the closing done / fi lines are not
# present in this listing; only the assignments and messages survive.
157 while getopts ":hisc:n:" opt
; do
160 OPERATION
=init_qnetd_ca
163 OPERATION
=sign_cluster_cert
169 CERTIFICATE_FILE
="$OPTARG"
172 CLUSTER_NAME
="$OPTARG"
175 echo "Invalid option: -$OPTARG" >&2
180 echo "Option -$OPTARG requires an argument." >&2
# NOTE(review): == inside [ ] is a bash extension; the portable form is =.
187 [ "$OPERATION" == "" ] && usage
# NOTE(review): CLUSTER_NAME comes straight from -n and is spliced into a
# file name under DB_DIR; the only check below is that it is non-empty, so a
# value containing "/" yields a path with extra components. Restricting it to
# letters, digits, "_", "-" and "." (no leading dot) before building the path
# keeps CRT_FILE a plain file inside DB_DIR.
189 CRT_FILE
="$DB_DIR/cluster-$CLUSTER_NAME.crt"
# -e also accepts directories and special files; -f (or -r) is closer to what
# certutil -i needs from the request file.
196 if ! [ -e "$CERTIFICATE_FILE" ];then
197 echo "Can't open certificate file $CERTIFICATE_FILE" >&2
202 if [ "$CLUSTER_NAME" == "" ];then
203 echo "You have to specify cluster name" >&2