From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 5 Aug 2020 15:53:45 -0400 Subject: [PATCH] Don't clobber existing files on bootstrap Rebased: v3.0.20 Signed-off-by: Alexander Scheel --- raddb/certs/bootstrap | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap index 0f719aa..336a2bd 100755 --- a/raddb/certs/bootstrap +++ b/raddb/certs/bootstrap @@ -31,52 +31,55 @@ fi # Don't edit the following text. Instead, edit the Makefile, and # re-generate these commands. # -if [ ! -f dh ]; then +if [ ! -e dh ]; then openssl dhparam -out dh 2048 || exit 1 - if [ -e /dev/urandom ] ; then - ln -sf /dev/urandom random - else - date > ./random; - fi + ln -sf /dev/urandom random fi -if [ ! -f server.key ]; then +if [ ! -e server.key ]; then openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 + chmod g+r server.key fi -if [ ! -f ca.key ]; then +if [ ! -e ca.key ]; then openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 fi -if [ ! -f index.txt ]; then +if [ ! -e index.txt ]; then touch index.txt fi -if [ ! -f serial ]; then +if [ ! -e serial ]; then echo '01' > serial fi -if [ ! -f server.crt ]; then +if [ ! -e server.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 fi -if [ ! -f server.p12 ]; then +if [ ! -e server.p12 ]; then openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 + chmod g+r server.p12 fi -if [ ! -f server.pem ]; then +if [ ! -e server.pem ]; then openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 openssl verify -CAfile ca.pem server.pem || exit 1 + chmod g+r server.pem fi -if [ ! -f ca.der ]; then +if [ ! -e ca.der ]; then openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 fi -if [ ! -f client.key ]; then +if [ ! -e client.key ]; then openssl req -new -out client.csr -keyout client.key -config ./client.cnf + chmod g+r client.key fi -if [ ! -f client.crt ]; then +if [ ! -e client.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf fi + +chown root:radiusd dh ca.* client.* server.* +chmod 640 dh ca.* client.* server.* -- 2.26.2