summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-07 01:24:52 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:33 +0200
commitd198adc93708070fa1325e6d6b5df20f05804e1e (patch)
tree1d35798bfaa508992248006a1e44404c8590c810 /roles
parent1e68d980a0587bb1afea3685d0a46fce86135cb9 (diff)
Add ability to chmod, chown and set the key usage in genkeypair.
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh15
1 files changed, 14 insertions, 1 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index c5dfb30..bbf2c9d 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -32,6 +32,9 @@ config=
pubkey=pubkey.pem
privkey=privkey.pem
dns=
+usage=
+chmod=
+chown=
usage() {
cat >&2 <<- EOF
@@ -51,6 +54,9 @@ usage() {
--config: configuration file
--pubkey: public key file (default: pubkey.pem)
--privkey: private key file (default: privkey.pem; created with og-rwx)
+ --usage: key usage (default: digitalSignature,keyEncipherment)
+ --chmod: chmod the private key
+ --chown: chown the private key
Return values:
0 The key pair was successfully generated
@@ -83,8 +89,12 @@ while [ $# -gt 0 ]; do
--privkey=?*) privkey="${1#--privkey=}";;
--dns=?*) dns="${dns:+$dns,}${1#--dns=}";;
+ --usage=?*) usage="${usage:+$usage,}${1#--usage=}";;
--config=?*) dns="${1#--config=}";;
+ --chmod=?*) chmod="${1#--chmod=}";;
+ --chown=?*) chown="${1#--chown=}";;
+
--help) usage; exit;;
*) echo "Unrecognized argument: $1" >&2; exit 2
esac
@@ -155,13 +165,16 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
[ v3_req ]
subjectAltName = email:admin@fripost.org, DNS:$cn$names
basicConstraints = critical, CA:FALSE
+ # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
+ keyUsage = critical, ${usage:-digitalSignature,keyEncipherment}
EOF
fi
if [ "$force" != 0 ]; then
# Ensure "$privkey" is created with umask 0077
mv "$(mktemp)" "$privkey" || exit 2
- chmod og-rwx "$privkey" || exit 2
+ chmod "${chmod:-og-rwx}" "$privkey" || exit 2
+ [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
fi