Blame libexec-create-certdb.sh
|
Jan Vcelak |
a757206 |
#!/bin/bash
|
|
Jan Vcelak |
a757206 |
# Author: Jan Vcelak <jvcelak@redhat.com>
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
set -e
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# default options
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
CERTDB_DIR=/etc/openldap/certs
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# internals
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
|
|
Jan Vcelak |
a757206 |
RANDOM_SOURCE=/dev/urandom
|
|
Jan Vcelak |
a757206 |
PASSWORD_BYTES=32
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# parse arguments
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
usage() {
|
|
Jan Vcelak |
a757206 |
printf "usage: create-certdb.sh [-d certdb]\n" >&2
|
|
Jan Vcelak |
a757206 |
exit 1
|
|
Jan Vcelak |
a757206 |
}
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
while getopts "d:" opt; do
|
|
Jan Vcelak |
a757206 |
case "$opt" in
|
|
Jan Vcelak |
a757206 |
d)
|
|
Jan Vcelak |
a757206 |
CERTDB_DIR="$OPTARG"
|
|
Jan Vcelak |
a757206 |
;;
|
|
Jan Vcelak |
a757206 |
\?)
|
|
Jan Vcelak |
a757206 |
usage
|
|
Jan Vcelak |
a757206 |
;;
|
|
Jan Vcelak |
a757206 |
esac
|
|
Jan Vcelak |
a757206 |
done
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
[ "$OPTIND" -le "$#" ] && usage
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# verify target location
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
if [ ! -d "$CERTDB_DIR" ]; then
|
|
Jan Vcelak |
a757206 |
printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
|
|
Jan Vcelak |
a757206 |
exit 1
|
|
Jan Vcelak |
a757206 |
fi
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
|
|
Jan Vcelak |
a757206 |
printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
|
|
Jan Vcelak |
a757206 |
exit 1
|
|
Jan Vcelak |
a757206 |
fi
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# create the database
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
PASSWORD_FILE="$CERTDB_DIR/password"
|
|
Jan Vcelak |
a757206 |
OLD_UMASK="$(umask)"
|
|
Jan Vcelak |
a757206 |
umask 0377
|
|
Jan Vcelak |
a757206 |
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
|
|
Jan Vcelak |
a757206 |
umask "$OLD_UMASK"
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# load module with builtin CA certificates
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
# tune permissions
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
for dbfile in "$CERTDB_DIR"/*.db; do
|
|
Jan Vcelak |
a757206 |
chmod 0644 "$dbfile"
|
|
Jan Vcelak |
a757206 |
done
|
|
Jan Vcelak |
a757206 |
|
|
Jan Vcelak |
a757206 |
exit 0
|