author | Ben Pfaff <blp@nicira.com> | 2010-08-06 10:24:13 -0700 |
committer | Ben Pfaff <blp@nicira.com> | 2010-08-06 13:32:56 -0700 |
commit | 99e5e05db37ab8271c2264b885813b9a27d6f483 (patch) | |
tree | 58b79c08c229ad7b416bb09faa8a7b61135fccce /utilities/ovs-pki.in | |
parent | ccc9fc5a70e2af642721fa9356d7fbcb9a697d06 (diff) |
ovs-pki: Create private keys with restricted permissions.
OpenSSL will happily create private keys world-writable, but we probably
should not do that.
CC: Keith Amidon <keith@nicira.com>
Diffstat (limited to 'utilities/ovs-pki.in')
-rwxr-xr-x | utilities/ovs-pki.in | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index cbdb43d0..1f528690 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -460,13 +460,15 @@ OU = Open vSwitch certifier
 CN = Open vSwitch certificate for $arg1
 EOF
 if test $keytype = rsa; then
- newkey=rsa:$bits
+ (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+ || exit $?
 else
 must_exist "$dsaparam"
- newkey=dsa:$dsaparam
+ (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+ 1>&3 2>&3 || exit $?
 fi
- openssl req -config "$TMP/req.cnf" -text -nodes \
- -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+ openssl req -config "$TMP/req.cnf" -new -text \
+ -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
 }
 
 sign_request() {
@@ -524,8 +526,14 @@ elif test "$command" = self-sign; then
 must_exist "$arg1-privkey.pem"
 must_not_exist "$arg1-cert.pem"
 
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
 elif test "$command" = ls; then
 check_type "$arg2"
 
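Review bot: The `umask 077` in front of `openssl genrsa` and `openssl gendsa` only governs the mode of a file being newly created; if `$1-privkey.pem` already exists (say, left behind by an earlier run that was interrupted before its permissions were tightened), `-out` truncates it in place and the old, possibly world-readable mode is kept. The enclosing function's header and any existence check that precedes it are outside the hunk, so I cannot tell whether the caller guarantees the path is absent; if it does not, removing the stale file first, `rm -f "$1-privkey.pem"`, or routing the path through the script's `must_not_exist` helper before either branch would make the restricted mode unconditional. The same consideration applies to the two `|| exit $?` lines only insofar as a failed generation may leave a partially written key behind; a short comment above the `if` stating that the subshell confines the umask change to the key generation would also help the next reader.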
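Review bot: The copy-back step `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"` is not error-checked, unlike the `openssl x509` call right above it, so a failed write (full disk, unwritable directory) leaves an empty or truncated `$arg1-cert.pem` while the following `rm -f` discards the only intact copy, and the script still reports success; `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" || exit $?` closes that gap. The new comment "Create both the private key and certificate with restricted permissions" is also inaccurate for this branch: `must_exist "$arg1-privkey.pem"` shows the key already exists here and only the certificate is written, so `# Create the certificate under a restrictive umask, then copy it out with the user's default mode below.` describes what the lines actually do. This `elif` branch's start is outside the hunk, so I have not verified what else precedes the signing step.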