Move key generation to the post-install stage

Don't package any keys. Generate the keys only if they are missing. Keep the keys on uninstall. For TLS keys, increase validity to 10 years. No need to have xrdp stop working in one year.
2016-12-27 00:22:59 -08:00 · 2016-12-27 00:22:59 -08:00 · 1ab54b8592
commit 1ab54b8592
parent 85247383dc
1 changed files with 21 additions and 3 deletions
--- a/xrdp.spec
+++ b/xrdp.spec
@ -29,6 +29,7 @@ Requires: tigervnc-server-minimal

 Requires(post): systemd
 Requires(post): systemd-sysv
+Requires(post): openssl
 Requires(preun): systemd
 Requires(postun): systemd

@ -60,6 +61,9 @@ echo '#!/bin/bash -l
 #install logrotate /etc/logrotate.d/xrdp
 %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp

+#install openssl.conf /etc/xrdp
+%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
+
 #install log file /var/log/xrdp-sesman.log
 %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
 touch %{buildroot}%{_localstatedir}/log/xrdp-sesman.log
@ -75,8 +79,18 @@ touch %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
 %post
 %systemd_post xrdp.service

-xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
-%{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+if [ ! -f %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+  xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
+  %{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+fi
+
+if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
+  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+    -keyout %{_sysconfdir}/xrdp/key.pem \
+    -out %{_sysconfdir}/xrdp/cert.pem \
+    -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
+    -config %{_sysconfdir}/xrdp/openssl.conf
+fi

 %preun
 %systemd_preun xrdp.service
@ -110,8 +124,12 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/xrdp
 %config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
 %{_sysconfdir}/xrdp/*.sh
-%{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
 %{_sysconfdir}/xrdp/km*.ini
+%{_sysconfdir}/xrdp/openssl.conf
+%{_sysconfdir}/xrdp/sesman.ini
+%{_sysconfdir}/xrdp/xrdp.ini
 %{_sysconfdir}/xrdp/xrdp_keyboard.ini
 %{_bindir}/xrdp-genkeymap
 %{_bindir}/xrdp-sesadmin