[bind10] Generate private key and cert for b10-cmdctl during installation (#913230)
Tomas Hozza
thozza at fedoraproject.org
Wed Aug 28 14:17:22 UTC 2013
commit e14fed8053c1a5a22f09ae5d8a168ecb393415bb
Author: Tomas Hozza <thozza at redhat.com>
Date: Wed Aug 28 15:39:30 2013 +0200
Generate private key and cert for b10-cmdctl during installation (#913230)
Signed-off-by: Tomas Hozza <thozza at redhat.com>
bind10.spec | 41 +++++++++++++++++++++++++++++++++++++++--
1 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/bind10.spec b/bind10.spec
index eebb7b7..9aa056e 100644
--- a/bind10.spec
+++ b/bind10.spec
@@ -9,7 +9,7 @@
Name: bind10
Version: 1.1.0
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: The Berkeley Internet Name Domain 10 (BIND10) DNS and DHCP suite
License: ISC
@@ -24,6 +24,7 @@ Source2: bind10.tmpfiles.conf
Patch0: %{name}-1.1.0-missing-header.patch
Requires(pre): shadow-utils
+Requires(post): openssl
Requires: systemd
BuildRequires: log4cplus-devel, python3-devel, botan-devel, boost-devel
@@ -100,6 +101,12 @@ rm -f $RPM_BUILD_ROOT/%{b10libexecdir}/b10-resolver
rm -f $RPM_BUILD_ROOT/%{_mandir}/man8/b10-resolver*
rm -f $RPM_BUILD_ROOT/%{b10datadir}/resolver.spec
+# don't distrubute upstream private key and certificate for b10-cmdctl
+rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
+rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
+touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
+touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
+
# Package those files via %%doc
rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/bind10*
@@ -126,6 +133,32 @@ fi;
/sbin/ldconfig
%systemd_post bind10.service
+# if installing the package
+if [ "$1" = 1 ]; then
+ # generate private RSA key and create certificate for b10-cmdctl if there is none
+ if [ ! -s %{b10sysconfdir}/cmdctl-keyfile.pem ] || [ ! -s %{b10sysconfdir}/cmdctl-certfile.pem ]; then
+ openssl genpkey -algorithm RSA -out %{b10sysconfdir}/cmdctl-keyfile.pem -pkeyopt rsa_keygen_bits:2048 &> /dev/null
+
+ echo -n "[req]
+ prompt = no
+ distinguished_name = req_distinguished_name
+
+ [ req_distinguished_name ]
+ C = XX
+ O = UNKNOWN
+ CN = localhost" > %{b10sysconfdir}/openssl-req.conf
+
+ openssl req -new -key %{b10sysconfdir}/cmdctl-keyfile.pem -out %{b10sysconfdir}/req.pem -config %{b10sysconfdir}/openssl-req.conf &> /dev/null
+ rm -f %{b10sysconfdir}/openssl-req.conf &> /dev/null
+
+ openssl x509 -req -in %{b10sysconfdir}/req.pem -signkey %{b10sysconfdir}/cmdctl-keyfile.pem -out %{b10sysconfdir}/cmdctl-certfile.pem -days 3650 &> /dev/null
+ rm -f %{b10sysconfdir}/req.pem &> /dev/null
+
+ chmod 640 %{b10sysconfdir}/cmdctl-keyfile.pem %{b10sysconfdir}/cmdctl-certfile.pem &> /dev/null
+ chgrp named %{b10sysconfdir}/cmdctl-keyfile.pem %{b10sysconfdir}/cmdctl-certfile.pem &> /dev/null
+ fi
+fi
+
%preun
%systemd_preun bind10.service
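Review bot: The `[ "$1" = 1 ]` guard restricts key generation to fresh installs, so a system upgraded from a release that shipped the upstream `cmdctl-keyfile.pem` appears to keep that publicly distributed private key, since the inner `-s` test only ever runs on install and nothing else replaces the file. The upgrade path should either regenerate the pair when the installed key is still the upstream one, or the package should at least tell administrators to rotate it. Every command here also sends its output to `&> /dev/null` and has its exit status ignored, so a failed `openssl genpkey` leaves b10-cmdctl without a usable key or certificate and without any diagnostic. The key file may also be created with the scriptlet's default umask and is only tightened by the final `chmod 640`, so adding `umask 077` before the `genpkey` line would close that window. The %post scriptlet begins above this hunk.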
@@ -167,7 +200,8 @@ fi;
%attr(3775, root, named) %dir %{b10localstatedir}
%attr(-, named, named) %dir %{b10piddir}
%attr(0750, root, named) %dir %{b10sysconfdir}
-%attr(0640, root, named) %config(noreplace) %{b10sysconfdir}/cmdctl*
+%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-keyfile.pem
+%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-certfile.pem
%{_sbindir}/bind10
%{_mandir}/man8/bind10*
%{_bindir}/b10-certgen
@@ -348,6 +382,9 @@ fi;
%{_libdir}/libb10-dhcpsrv.so.*
%changelog
+* Wed Aug 28 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-6
+- Generate private key and cert for b10-cmdctl during installation (#913230)
+
* Wed Aug 28 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-5
- Fix cmdctl-certfile.pem and cmdctl-keyfile.pem owner group (#1001695)