*) $log="$PWD/$log" ;;
esac
+logdir=$(dirname "$log")
+if test ! -d "$logdir"; then
+ mkdir -p -m755 "$logdir" 2>/dev/null || true
+ if test ! -d "$logdir"; then
+ echo "$0: log directory $logdir does not exist and cannot be created" >&2
+ exit 1
+ fi
+fi
+
if test "$command" = "init"; then
if test -e "$pkidir" && test "$force" != "yes"; then
echo "$0: $pkidir already exists and --force not specified" >&2
CN = Open vSwitch certificate for $arg1
EOF
if test $keytype = rsa; then
- newkey=rsa:$bits
+ (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+ || exit $?
else
must_exist "$dsaparam"
- newkey=dsa:$dsaparam
+ (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+ 1>&3 2>&3 || exit $?
fi
- openssl req -config "$TMP/req.cnf" -text -nodes \
- -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+ openssl req -config "$TMP/req.cnf" -new -text \
+ -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
}
sign_request() {
must_exist "$arg1-privkey.pem"
must_not_exist "$arg1-cert.pem"
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
elif test "$command" = ls; then
check_type "$arg2"