From 88c57d5f7466429ba870bc8a3952a70ea9d21f05 Mon Sep 17 00:00:00 2001
From: jorton
Date: Wed, 27 Apr 2005 12:39:28 +0000
Subject: [PATCH] - genkey: create private key files with permissions 0400

- genkey: tidy up error handling a little

---
 crypto-utils.spec | 6 +++++-
 genkey.pl | 49 +++++++++++++++++++++++++++++++----------------
 2 files changed, 38 insertions(+), 17 deletions(-)

diff --git a/crypto-utils.spec b/crypto-utils.spec
index c09f506..5da0080 100644
--- a/crypto-utils.spec
+++ b/crypto-utils.spec
@@ -4,7 +4,7 @@ Summary: SSL certificate and key management utilities
 Name: crypto-utils
 Version: 2.2
-Release: 3
+Release: 4
 Source: crypto-rand-%{crver}.tar.gz
 Source1: genkey.pl
 Source2: certwatch.c
@@ -101,6 +101,10 @@ sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
 %{_mandir}/man1/*.1*
 %changelog
+* Wed Apr 27 2005 Joe Orton 2.2-4
+- genkey: create private key files with permissions 0400
+- genkey: tidy up error handling a little
+
 * Tue Apr 26 2005 Joe Orton 2.2-3
 - pass $OPTIONS to $HTTPD in certwatch.cron
 - man page tweaks
diff --git a/genkey.pl b/genkey.pl
index e1c5c83..1b18480 100644
--- a/genkey.pl
+++ b/genkey.pl
@@ -149,16 +149,14 @@ if (!$genreq_mode && -f $keyfile && !$overwrite_key) {
 "This script will not overwrite an existing key.\n" .
 "You will need to remove or rename this file in order to" .
 "generate a new key for this host, then run\n" .
- "\"genkey $servername\"\n\n" .
- "Press return to exit");
+ "\"genkey $servername\"");
 Newt::Finished();
 exit 1;
 }
 if ($genreq_mode && !(-f $keyfile)) {
 Newt::newtWinMessage("Error", "Close",
- "You do not have a key file for this host\n\n" .
- "Press return to exit");
+ "You do not have a key file for this host");
 Newt::Finished();
 exit 1;
 }
@@ -599,8 +597,7 @@ EOT
 if ($pass1 ne $pass2) {
 Newt::newtWinMessage("Error", "Close",
- "The passphrases you entered do not match\n\n".
- "Press return to try again");
+ "The passphrases you entered do not match.");
 next;
 }
 if (length($pass1)<4) {
@@ -617,21 +614,34 @@ EOT
 return $ret if ($ret eq "Back" or $ret eq "Cancel");
- unlink($keyfile.".tmp");
- if (!open (PIPE,"|$bindir/openssl rsa -des3 -in $keyfile -passout stdin -out $keyfile.tmp")) {
- Newt:newtWinMessage("Error","Close","Unable to set passphrase".
+ my $enckey = $keyfile . ".tmp";
+
+ unlink($enckey);
+
+ if (!open (PIPE,
+ "|$bindir/openssl rsa -des3 -in $keyfile -passout stdin ".
+ "-out $enckey")) {
+ Newt::newtWinMessage("Error", "Close",
+ "Unable to set passphrase".
 "\n\nPress return to continue");
 return "Back";
 }
 print PIPE $pass1."\n";
 close(PIPE);
- if (-f $keyfile.".tmp") {
- unlink($keyfile);
- rename($keyfile.".tmp",$keyfile);
+ if (-f $enckey) {
+ if (chmod(0400, $enckey) != 1
+ || !rename($enckey, $keyfile)) {
+ Newt::newtWinMessage("Error", "Close",
+ "Could not install private key file.\n".
+ "$! - $enckey");
+ unlink($enckey);
+ return "Back";
+ }
 } else {
- Newt:newtWinMessage("Error","Close","Unable to set passphrase".
- "\n\nPress return to continue");
+ Newt:newtWinMessage("Error", "Close",
+ "Unable to set passphrase\n\n".
+ "Press return to continue");
 return "Back";
 }
 return "Next";
@@ -1042,8 +1052,15 @@ sub generateKey()
 # system("$bindir/openssl genrsa -rand $randfile $bits > $keyfile");
 unlink($randfile);
- Newt::Resume();
+
+ if (chmod(0400, $keyfile) != 1) {
+ Newt::newtWinMessage("Error", "Close",
+ "Could not set permissions of private key file.\n".
+ "$1 - $keyfile");
+ Newt::Finished();
+ exit 1;
+ }
+
 return "Skip";
 }
-
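Review bot: The else branch's added `Newt:newtWinMessage("Error", "Close",` still has a single colon, so Perl parses `Newt:` as a statement label and calls an undefined `newtWinMessage` in the current package — the "openssl produced no output file" path dies instead of showing the dialog, while the first error branch in this hunk was corrected to `Newt::newtWinMessage(...)` and needs the same fix here. The pipe open still hands `$keyfile` and `$enckey` to a shell; `open(PIPE, '|-', "$bindir/openssl", qw(rsa -des3 -in), $keyfile, qw(-passout stdin -out), $enckey)` avoids the shell entirely while keeping the passphrase on stdin rather than on the command line. `close(PIPE)` is unchecked, so a non-zero exit from openssl is only noticed if it also left no `$enckey` behind; `close(PIPE) or return "Back";` (after reporting the error) would catch a partially written key before it is renamed into place. `$enckey` is created by openssl under the process umask and only chmod'd afterwards, so if the umask permits there is a short window in which the encrypted key is readable by other users; a `umask(077)` set before the open closes it. The enclosing function starts and ends outside this hunk.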
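Review bot: The new error message `"$1 - $keyfile"` interpolates `$1`, the last regex capture, rather than `$!`, the errno string the other hunk in this file uses (`"$! - $enckey"`), so the dialog will show a stale capture or nothing instead of why chmod failed. On that same failure the freshly generated key is left on disk with whatever mode its creation gave it; an `unlink($keyfile);` before `Newt::Finished(); exit 1;` avoids leaving an unprotected private key behind after telling the user it could not be protected. The key is written by code outside this hunk before the chmod runs, so it is first created under the process umask; a `umask(077)` set before generation removes that window entirely. `Newt::Resume()` is dropped without a visible replacement, so if a matching `Newt::Suspend()` precedes the generation step outside the hunk the screen handling should be re-checked. generateKey's body starts outside the hunk.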