Check-in [111b99f620]
Overview
Comment: Updated to prompt for passwords only for encrypted files, and to store the certificate if a CSR was automatically generated
SHA1: 111b99f62054222b708ed4e43b6ba21d4d0a29dc
User & Date: rkeene on 2014-11-17 21:03:26
Changes

Modified appfs-cert from [536bd4fe36] to [bccff16fa2].

70
71
72
73
74
75
76
77

78
79
80
81
82
83
84
70
71
72
73
74
75
76

77
78
79
80
81
82
83
84







-
+







set fd [open $filename_key w 0400]
puts $fd [pki::key $key $::env(CA_PASSWORD)]
close $fd
'
}

function generate_key() {
	read_password 'Password for Site Key: ' SITE_PASSWORD
	read_password 'Password for Site Key being generated: ' SITE_PASSWORD

	export SITE_PASSWORD

	call_appfsd --tcl '
package require pki

if {[info exists ::env(SITE_KEY_FILE)]} {
106
107
108
109
110
111
112

113




114
115
116
117
118
119
120
106
107
108
109
110
111
112
113

114
115
116
117
118
119
120
121
122
123
124







+
-
+
+
+
+







		SITE_KEY_FILE="AppFS_Site_${SITE_HOSTNAME}.key"
	fi

	export SITE_HOSTNAME SITE_KEY_FILE

	if [ -f "${SITE_KEY_FILE}" ]; then
		echo 'Key file already exists.'
		if cat "${SITE_KEY_FILE}" | grep -i '^Proc-Type: .*,ENCRYPTED' >/dev/null; then
		read_password 'Password for (existing) Site Key: ' SITE_PASSWORD
			read_password 'Password for (existing) Site Key: ' SITE_PASSWORD
		else
			SITE_PASSWORD=""
		fi

		export SITE_PASSWORD
	else
		generate_key
	fi

call_appfsd --tcl '
152
153
154
155
156
157
158

159


160
161
162
163
164
165
166
156
157
158
159
160
161
162
163

164
165
166
167
168
169
170
171
172







+
-
+
+







	fi

	if [ ! -e "${CA_CERT_FILE}" -o ! -e "${CA_KEY_FILE}" ]; then
		read_text 'Certificate Authority (CA) Certificate Filename: ' CA_CERT_FILE
		read_text 'Certificate Authority (CA) Key Filename: ' CA_KEY_FILE
	fi

	if cat "${CA_KEY_FILE}" | grep -i '^Proc-Type: .*,ENCRYPTED' >/dev/null; then
	read_password 'Certificate Authority (CA) Password: ' CA_PASSWORD
		read_password 'Certificate Authority (CA) Password: ' CA_PASSWORD
	fi

	SITE_SERIAL_NUMBER="$(uuidgen | dd conv=ucase 2>/dev/null | sed 's@-@@g;s@^@ibase=16; @' | bc -lq)"

	export SITE_CSR_FILE SITE_SERIAL_NUMBER CA_CERT_FILE CA_KEY_FILE CA_PASSWORD

	SITE_CERT="$(call_appfsd --tcl '
package require pki
180
181
182
183
184
185
186
187







188
189
190
191
192
193
194
186
187
188
189
190
191
192

193
194
195
196
197
198
199
200
201
202
203
204
205
206







-
+
+
+
+
+
+
+







puts $cert
')"

	SITE_SUBJECT="$(echo "${SITE_CERT}" | openssl x509 -subject -noout | sed 's@.*= @@')"

	echo "${USER}@${HOSTNAME} $(date): ${SITE_SERIAL_NUMBER} ${SITE_SUBJECT}" >> "${CA_KEY_FILE}.issued"

	echo "${SITE_CERT}"
	echo "${SITE_CERT}" | (
		if [ -z "${SITE_HOSTNAME}" ]; then
			cat
		else
			tee "AppFS_Site_${SITE_HOSTNAME}.crt"
		fi
	)
}

function generate_selfsigned() {
	read_password 'Password for Key: ' SITE_PASSWORD
	read_text 'Site hostname: ' SITE_HOSTNAME

	SITE_SERIAL_NUMBER="$(uuidgen | dd conv=ucase 2>/dev/null | sed 's@-@@g;s@^@ibase=16; @' | bc -lq)"
226
227
228
229
230
231
232


233




234
235
236
237
238
239
240
238
239
240
241
242
243
244
245
246

247
248
249
250
251
252
253
254
255
256
257







+
+
-
+
+
+
+







	SITE_INDEX_FILE="$1"
	SITE_KEY_FILE="$2"
	SITE_CERT_FILE="$3"

	read_text 'AppFS Site Index file: ' SITE_INDEX_FILE
	read_text 'Site Key filename: ' SITE_KEY_FILE
	read_text 'Site Certificate filename: ' SITE_CERT_FILE

	if cat "${SITE_KEY_FILE}" | grep -i '^Proc-Type: .*,ENCRYPTED' >/dev/null; then
	read_password "Password for Key (${SITE_KEY_FILE}): " SITE_PASSWORD
		read_password "Password for Key (${SITE_KEY_FILE}): " SITE_PASSWORD
	else
		SITE_PASSWORD=""
	fi

	export SITE_INDEX_FILE SITE_KEY_FILE SITE_CERT_FILE SITE_PASSWORD

	call_appfsd --tcl "$(cat <<\_EOF_
package require pki

set fd [open $::env(SITE_INDEX_FILE)]