authorGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:34:56 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:53:59 +0200
commit0ee5bf050a9a673d61485426ce62c8efcbb7bcc6 (patch)
tree44ed4d91860ffca9e70e260a2aecd96687ad1a25 /roles
parent8cf4032ecec5b9f58d829e89f231179170432539 (diff)
genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH parameters.
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/usr/local/bin/gendhparam.sh2
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh3
2 files changed, 2 insertions, 3 deletions
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
index a82a8a5..a94175a 100755
--- a/roles/common/files/usr/local/bin/gendhparam.sh
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -1,10 +1,10 @@
#!/bin/sh
set -ue
PATH=/usr/bin:/bin
out="$1"
bits="${2:-2048}"
install --mode=0644 /dev/null "$out"
-openssl dhparam "$bits" >"$out"
+openssl dhparam -rand /dev/urandom "$bits" >"$out"
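Review bot: `install --mode=0644 /dev/null "$out"` empties the target before `openssl dhparam` runs, so a failed or interrupted generation (under `set -e` the script simply exits) leaves a zero-length parameter file at `$out` where a valid one may have been. Generating into a temporary file in the same directory and renaming it over `$out` only on success closes that window, as sketched below. The same truncate-then-generate order appears in genkeypair.sh at the `install … "$privkey"` / `openssl $genkey` pair, where with force at 2 an existing private key is emptied before its replacement exists. Separately, `$bits` is passed through unchecked, so a caller can request parameters smaller than the 2048-bit default.

```sh
# … unchanged: set -ue, PATH, out and bits assignments …
tmp=$(mktemp -- "$out.XXXXXX")
trap 'rm -f "$tmp"' EXIT
openssl dhparam -rand /dev/urandom "$bits" >"$tmp"
chmod 0644 "$tmp"
mv -f "$tmp" "$out"
```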
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 53cc050..45e2181 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -21,41 +21,40 @@
set -ue
PATH=/usr/bin:/bin
# Default values
type=rsa
bits=
hash=
force=0
config=
pubkey=pubkey.pem
privkey=privkey.pem
dns=
ou=
cn=
usage=
mode=
owner=
group=
-rand=
usage() {
cat >&2 <<- EOF
Usage: $0 command [OPTIONS]
Command:
x509: generate a self-signed X.509 server certificate
csr: generate a Certificate Signing Request
dkim: generate a private key (to use for DKIM signing)
Options:
-t type: key type (default: rsa)
-b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA)
-h digest: digest algorithm
--ou: organizational Unit Name; can be repeated
--cn: common Name (default: \$(hostname --fqdn)
--dns: hostname for AltName; can be repeated
-f: force; can be repeated (0: don't overwrite, default;
1: reuse private key if it exists;
2: overwrite both keys if they exist)
@@ -168,38 +167,38 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
organizationName = Fripost
organizationalUnitName = SSLcerts
$(echo "$ou")
commonName = ${cn:-/}
[ v3_req ]
subjectAltName = email:admin@fripost.org${dns:+, $dns}
basicConstraints = critical, CA:FALSE
# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign}
subjectKeyIdentifier = hash
EOF
fi
if [ -s "$privkey" -a $force -eq 0 ]; then
echo "Error: private key exists: $privkey" >&2
[ "$cmd" = dkim ] && dkiminfo
exit 1
elif [ ! -s "$privkey" -o $force -ge 2 ]; then
install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2
- openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
+ openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
[ "$cmd" = dkim ] && { dkiminfo; exit; }
fi
if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then
pubkey=$(mktemp)
openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
cat "$pubkey" >>"$privkey" || exit 2
rm -f "$pubkey"
elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
if [ -s "$pubkey" -a $force -eq 0 ]; then
echo "Error: public key exists: $pubkey" >&2
exit 1
else
[ "$cmd" = x509 ] && x509=-x509 || x509=
openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
fi
fi
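Review bot: With the `rand=` default dropped and `/dev/urandom` hard-coded on the `openssl $genkey` line, any option branch outside this hunk that still assigns `rand` would now be accepted and silently ignored. The diffstat shows no parser or usage change in this commit, so that is worth confirming. If no such branch exists, a short comment above the line would record the intent, e.g. `# Always seed from the kernel CSPRNG; the source is deliberately not configurable.` The script's option parsing and the definitions of `$genkey` and `$genkeyargs` lie outside the hunk, so this is inferred from the visible lines only.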