From 99e5e05db37ab8271c2264b885813b9a27d6f483 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Fri, 6 Aug 2010 10:24:13 -0700
Subject: [PATCH] ovs-pki: Create private keys with restricted permissions.

OpenSSL will happily create private keys world-writable, but we probably
should not do that.

CC: Keith Amidon <keith@nicira.com>
---
 utilities/ovs-pki.in | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index cbdb43d0..1f528690 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -460,13 +460,15 @@ OU = Open vSwitch certifier
 CN = Open vSwitch certificate for $arg1
 EOF
     if test $keytype = rsa; then
-        newkey=rsa:$bits
+        (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
+            || exit $?
     else
         must_exist "$dsaparam"
-        newkey=dsa:$dsaparam
+        (umask 077 && openssl gendsa -out "$1-privkey.pem" "$dsaparam") \
+            1>&3 2>&3 || exit $?
     fi
-    openssl req -config "$TMP/req.cnf" -text -nodes \
-        -newkey $newkey -keyout "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
+    openssl req -config "$TMP/req.cnf" -new -text \
+        -key "$1-privkey.pem" -out "$1-req.pem" 1>&3 2>&3
 }
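Review bot: The new genrsa and gendsa lines rely on `umask 077` to get a 0600 key file, but the umask only applies at file creation; if a stale `$1-privkey.pem` already exists, `openssl ... -out` truncates it in place and keeps its old mode, so a leftover from an earlier run could stay world-readable. Unless a must_not_exist check on the key file precedes this call (not visible in the hunk), remove it first inside the same subshell: `(umask 077 && rm -f -- "$1-privkey.pem" && openssl genrsa -out "$1-privkey.pem" "$bits") 1>&3 2>&3 || exit $?`, and likewise on the gendsa branch. `$bits` is also left unquoted on the genrsa line while every other expansion in the hunk is quoted. The enclosing function starts above the hunk.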
 
 sign_request() {
@@ -524,8 +526,14 @@ elif test "$command" = self-sign; then
     must_exist "$arg1-privkey.pem"
     must_not_exist "$arg1-cert.pem"
 
-    openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
-        -signkey "$arg1-privkey.pem" -req -text 2>&3
+    # Create both the private key and certificate with restricted permissions.
+    (umask 077 && \
+     openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+        -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+    # Reset the permissions on the certificate to the user's default.
+    cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+    rm -f "$arg1-cert.pem.tmp"
 elif test "$command" = ls; then
     check_type "$arg2"
 
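Review bot: The comment added on line 44 says both the private key and the certificate are created here, but the key must already exist (`must_exist "$arg1-privkey.pem"` just above), so the restricted umask only affects the temporary certificate file; reword it to match, e.g. `# Write the certificate through a temporary file created under a restrictive umask.` The copy-back `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"` is unchecked, so a failed write would still be followed by `rm -f` of the only complete copy and the script would carry on; make it `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" || exit $?`. When the openssl step fails, the `.tmp` file is left behind, and a pre-existing `.tmp` is not covered by the must_not_exist check, so a `rm -f -- "$arg1-cert.pem.tmp"` before the subshell would make the step idempotent. The self-sign branch begins above the hunk.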
-- 
2.30.2