From 090359fa083753b8f9f3f1f3660cf4c8b36ef1e9 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat <thierry.parmentelat@inria.fr>
Date: Thu, 21 Nov 2024 14:18:08 +0100
Subject: [PATCH] superficial reformatting of plc.d/ssl

---
 plc.d/ssl | 132 +++++++++++++++++++++++++++---------------------------
 1 file changed, 65 insertions(+), 67 deletions(-)

diff --git a/plc.d/ssl b/plc.d/ssl
index f09294a..432ea31 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -16,62 +16,61 @@
 set -x
 
 # Print the CNAME of an SSL certificate
-ssl_cname ()
-{
-    openssl x509 -noout -in $1 -subject | \
+function ssl_cname() {
+	local crt=$1; shift
+    openssl x509 -noout -in $crt -subject | \
 	sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
 	lower
 }
 
-backup_file ()
-{
-    filepath=$1
-    filename=$(basename ${filepath})
-    dir=$(dirname ${filepath})
+function backup_file() {
+    local filepath=$1
+    local filename=$(basename ${filepath})
+    local dir=$(dirname ${filepath})
     mv -f ${filepath} ${dir}/$(unknown)-`date +%Y-%m-%d-%H-%M-%S`.bak
 }
 
 # Verify a certificate. If invalid, generate a new self-signed
 # certificate.
-verify_or_generate_certificate() {
-    crt=$1
-    key=$2
-    ca=$3
-    cname=$(lower $4)
+function verify_or_generate_certificate() {
+    local crt=$1
+    local key=$2
+    local ca=$3
+    local cname=$(lower $4)
 
     # If the CA certificate does not exist, assume that the
     # certificate is self-signed.
     if [ ! -f $ca ] ; then
-	cp -a $crt $ca
+		cp -a $crt $ca
     fi
 
     if [ -f $crt ] ; then
-	# Check if certificate is valid
-	# Backup if invalid or if the subject has changed
-	if openssl verify -CAfile $ca $crt | grep -q "error" || \
-	    [ "$(ssl_cname $crt)" != "$cname" ] ; then
-            backup_file $crt
-            backup_file $ca
-            backup_file $key
-	fi
+		# Check if certificate is valid
+		# Backup if invalid or if the subject has changed
+		if openssl verify -CAfile $ca $crt | grep -q "error" || \
+			[ "$(ssl_cname $crt)" != "$cname" ] ; then
+				backup_file $crt
+				backup_file $ca
+				backup_file $key
+		fi
     fi
 
     if [ ! -f $crt ] ; then
         # Set subject
-	subj=
-	if [ -n "$cname" ] ; then
-	    subj="$subj/CN=$cname"
-	fi
-
-	# Generate new self-signed certificate
-	mkdir -p $(dirname $crt)
-	openssl req -new -x509 -days 3650 -set_serial $RANDOM \
-	    -batch -subj "$subj" \
-	    -nodes -keyout $key -out $crt
-	check
-
-	# The certificate it self-signed, so it is its own CA
-	cp -a $crt $ca
+		local subj=
+		if [ -n "$cname" ] ; then
+			subj="$subj/CN=$cname"
+		fi
+
+		# Generate new self-signed certificate
+		mkdir -p $(dirname $crt)
+		openssl req -new -x509 -days 3650 -set_serial $RANDOM \
+			-batch -subj "$subj" \
+			-nodes -keyout $key -out $crt
+		check
+
+		# The certificate it self-signed, so it is its own CA
+		cp -a $crt $ca
     fi
 
     # Fix permissions
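Review bot: Line 22 in ssl_cname is indented with a tab while line 23 keeps four spaces, and the same tab-inside-spaces mix recurs at lines 57 and 69–76 of verify_or_generate_certificate, which defeats the purpose of a reformatting-only commit; the `shift` on line 22 is also dead, since nothing after it reads the positional parameters, so `local crt=$1` suffices. The `local filename=$(basename ${filepath})` form on lines 35–36 masks basename's exit status behind local's, and `filename` is then never read: the mv target on line 37 references `$(unknown)`, which would execute a command named unknown — this looks like an extraction artifact for `${filename}` and is worth confirming against the repository. The certificate, key and CA paths are still expanded unquoted throughout (`-in $crt`, `cp -a $crt $ca`, `-keyout $key -out $crt`, and the `${!…}` expansions in the later hunks), so a configured path containing whitespace or a glob character splits; `openssl x509 -noout -in "$crt" -subject` is the form to use, and `[ -f "$ca" ]` keeps the test meaningful when the value is empty. Finally, `-set_serial $RANDOM` on line 102 restricts the serial number to 15 bits, so a regenerated certificate can reuse a serial a client has already cached for an older one; omitting the option lets recent openssl versions choose their own random serial.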
@@ -85,18 +84,19 @@ case "$1" in
 	# certificate for each enabled server with a different
 	# hostname. These self-signed certificates may be overridden
 	# later.
-        MESSAGE=$"Generating SSL certificates for"
-        dialog "$MESSAGE"
+	local MESSAGE=$"Generating SSL certificates for"
+	dialog "$MESSAGE"
 
 	for server in WWW API BOOT MONITOR; do
-	    eval "a=\$PLC_${server}_ENABLED"
-            echo $a
-            if [ "$a" -ne 1 ] ; then
-		echo "Skipping"
-                continue
-            fi
+		enabled=PLC_${server}_ENABLED
+		if [ "${!enabled}" != "1" ] ; then
+			echo "Skipping disabled server $server"
+			continue
+		fi
 	    dialog "$server"
-            ssl_key=PLC_${server}_SSL_KEY
+		# not local - we're not in a function
+		# plus, that breaks the ${!var} thing below
+		ssl_key=PLC_${server}_SSL_KEY
 	    ssl_crt=PLC_${server}_SSL_CRT
 	    ca_ssl_crt=PLC_${server}_CA_SSL_CRT
 	    hostname=PLC_${server}_HOST
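Review bot: `local MESSAGE=...` on line 118 runs in the top-level `case "$1" in` dispatch rather than inside a function, so bash rejects it with "local: can only be used in a function" and MESSAGE stays unset for the `dialog "$MESSAGE"` call on line 119 — the comment on lines 135–136 already notes that this code is not in a function, so the line should read `MESSAGE=$"Generating SSL certificates for"` (unless the case statement is wrapped in a function outside this hunk). Replacing `eval "a=\$PLC_${server}_ENABLED"` with the `${!enabled}` indirection is an improvement, as it no longer evaluates a string built from the loop variable as shell code. The reindented loop still mixes two tabs (lines 128–132, 135–137) with tab-plus-four-spaces (lines 133, 138–140). The enclosing case arm starts and ends outside this hunk.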
@@ -104,26 +104,24 @@ case "$1" in
 	    # Check if we have already generated a certificate for
 	    # the same hostname.
 	    for previous_server in WWW API BOOT MONITOR; do
-		if [ "$server" = "$previous_server" ] ; then
-		    break
-		fi
-		previous_ssl_key=PLC_${previous_server}_SSL_KEY
-		previous_ssl_crt=PLC_${previous_server}_SSL_CRT
-		previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
-		previous_hostname=PLC_${previous_server}_HOST
-
-		if [ -f ${!previous_ssl_crt} ] && \
-		    [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
-		    cp -a ${!previous_ssl_key} ${!ssl_key}
-		    cp -a ${!previous_ssl_crt} ${!ssl_crt}
-		    cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
-		    break
-		fi
+			if [ "$server" = "$previous_server" ] ; then
+				break
+			fi
+			previous_ssl_key=PLC_${previous_server}_SSL_KEY
+			previous_ssl_crt=PLC_${previous_server}_SSL_CRT
+			previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
+			previous_hostname=PLC_${previous_server}_HOST
+
+			if [ -f ${!previous_ssl_crt} ] && \
+				[ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
+				cp -a ${!previous_ssl_key} ${!ssl_key}
+				cp -a ${!previous_ssl_crt} ${!ssl_crt}
+				cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
+				break
+			fi
 	    done
 
-	    verify_or_generate_certificate \
-		${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
-		${!hostname}
+	    verify_or_generate_certificate ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} ${!hostname}
 	done
 
 	# Install HTTPS certificates into both /etc/pki (Fedora Core
@@ -133,11 +131,11 @@ case "$1" in
 	for server in API BOOT MONITOR WWW; do
 	    enabled=PLC_${server}_ENABLED
 	    if [ "${!enabled}" != "1" ] ; then
-		continue
+			continue
 	    fi
-	    ssl_key=PLC_${server}_SSL_KEY
-	    ssl_crt=PLC_${server}_SSL_CRT
-	    ssl_ca_crt=PLC_${server}_CA_SSL_CRT
+		ssl_key=PLC_${server}_SSL_KEY
+		ssl_crt=PLC_${server}_SSL_CRT
+		ssl_ca_crt=PLC_${server}_CA_SSL_CRT
 
 	    symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
 	    symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
-- 
2.47.0