- genkey: create private key files with permissions 0400

- genkey: tidy up error handling a little
2005-04-27 12:39:28 +00:00 · 2005-04-27 12:39:28 +00:00 · 88c57d5f74
parent b6b73e0b2d
commit 88c57d5f74
2 changed files with 38 additions and 17 deletions
--- a/crypto-utils.spec
+++ b/crypto-utils.spec
@ -4,7 +4,7 @@
 Summary: SSL certificate and key management utilities
 Name: crypto-utils
 Version: 2.2
-Release: 3
+Release: 4
 Source: crypto-rand-%{crver}.tar.gz
 Source1: genkey.pl
 Source2: certwatch.c
@ -101,6 +101,10 @@ sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
 %{_mandir}/man1/*.1*

 %changelog
+* Wed Apr 27 2005 Joe Orton <jorton@redhat.com> 2.2-4
+- genkey: create private key files with permissions 0400
+- genkey: tidy up error handling a little
+
 * Tue Apr 26 2005 Joe Orton <jorton@redhat.com> 2.2-3
 - pass $OPTIONS to $HTTPD in certwatch.cron
 - man page tweaks
--- a/genkey.pl
+++ b/genkey.pl
@ -149,16 +149,14 @@ if (!$genreq_mode && -f $keyfile && !$overwrite_key) {
 		"This script will not overwrite an existing key.\n" . 
 		"You will need to remove or rename this file in order to" .
 		"generate a new key for this host, then run\n" .
-		"\"genkey $servername\"\n\n" .
-		"Press return to exit");
+		"\"genkey $servername\"");
    Newt::Finished();
    exit 1;
 }

 if ($genreq_mode && !(-f $keyfile)) {
    Newt::newtWinMessage("Error", "Close", 
-		"You do not have a key file for this host\n\n" .
-		"Press return to exit");
+                         "You do not have a key file for this host");
    Newt::Finished();
    exit 1;
 }
@ -599,8 +597,7 @@ EOT

 	if ($pass1 ne $pass2) {
 	    Newt::newtWinMessage("Error", "Close",
-			       "The passphrases you entered do not match\n\n".
-			       "Press return to try again");
+                                 "The passphrases you entered do not match.");
 	    next;
 	}
 	if (length($pass1)<4) {
@ -617,21 +614,34 @@ EOT

    return $ret if ($ret eq "Back" or $ret eq "Cancel");

-    unlink($keyfile.".tmp");
-    if (!open (PIPE,"|$bindir/openssl rsa -des3 -in $keyfile -passout stdin -out $keyfile.tmp")) {
-        Newt:newtWinMessage("Error","Close","Unable to set passphrase".
+    my $enckey = $keyfile . ".tmp";
+
+    unlink($enckey);
+
+    if (!open (PIPE,
+               "|$bindir/openssl rsa -des3 -in $keyfile -passout stdin ".
+               "-out $enckey")) {
+        Newt::newtWinMessage("Error", "Close",
+                             "Unable to set passphrase".
 			    "\n\nPress return to continue");
 	return "Back";
    }
    print PIPE $pass1."\n";
    close(PIPE);

-    if (-f $keyfile.".tmp") {
-	unlink($keyfile);
-	rename($keyfile.".tmp",$keyfile);
+    if (-f $enckey) {
+	if (chmod(0400, $enckey) != 1
+            || !rename($enckey, $keyfile)) {
+            Newt::newtWinMessage("Error", "Close", 
+                                 "Could not install private key file.\n".
+                                 "$! - $enckey");
+            unlink($enckey);
+            return "Back";
+        }
    } else {
-        Newt:newtWinMessage("Error","Close","Unable to set passphrase".
-			    "\n\nPress return to continue");
+        Newt:newtWinMessage("Error", "Close",
+                            "Unable to set passphrase\n\n".
+			    "Press return to continue");
 	return "Back";
    }
    return "Next";
@ -1042,8 +1052,15 @@ sub generateKey()
    #
    system("$bindir/openssl genrsa -rand $randfile $bits > $keyfile");
    unlink($randfile);
-
    Newt::Resume();
+
+    if (chmod(0400, $keyfile) != 1) {
+        Newt::newtWinMessage("Error", "Close",
+                             "Could not set permissions of private key file.\n".
+                             "$1 - $keyfile");
+        Newt::Finished();
+        exit 1;
+    }
+
    return "Skip";
 }
-