From: Ben Pfaff Date: Fri, 6 Aug 2010 17:24:13 +0000 (-0700) Subject: ovs-pki: Create private keys with restricted permissions. X-Git-Tag: v1.1.0pre1~114 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=99e5e05db37ab8271c2264b885813b9a27d6f483;p=sliver-openvswitch.git ovs-pki: Create private keys with restricted permissions. OpenSSL will happily create private keys world-writable, but we probably should not do that. CC: Keith Amidon --- diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index cbdb43d0a..1f5286908 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -460,13 +460,15 @@ OU = Open vSwitch certifier CN = Open vSwitch certificate for $arg1 EOF if test $keytype = rsa; then - newkey=rsa:$bits + (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ + || exit $? else must_exist "$dsaparam" - newkey=dsa:$dsaparam + (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \ + 1>&3 2>&3 || exit $? fi - openssl req -config "$TMP/req.cnf" -text -nodes \ - -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3 + openssl req -config "$TMP/req.cnf" -new -text \ + -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3 } sign_request() { @@ -524,8 +526,14 @@ elif test "$command" = self-sign; then must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" - openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \ - -signkey "$arg1-privkey.pem" -req -text 2>&3 + # Create both the private key and certificate with restricted permissions. + (umask 077 && \ + openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \ + -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $? + + # Reset the permissions on the certificate to the user's default. + cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" + rm -f "$arg1-cert.pem.tmp" elif test "$command" = ls; then check_type "$arg2"