Alon Bar-Lev has uploaded a new change for review. Change subject: pki: add pki-enroll-openssh-cert functionality ......................................................................
pki: add pki-enroll-openssh-cert functionality

requires for future usage of openssh certificates.

Change-Id: Ide34d4f0ffadf70e6ce42ae57328e262a832a3e4
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M ovirt-engine.spec.in
A packaging/bin/pki-enroll-openssh-cert.sh
2 files changed, 111 insertions(+), 0 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/94/38094/9

diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in
index 4d3501c..b5ff0d3 100644
--- a/ovirt-engine.spec.in
+++ b/ovirt-engine.spec.in
@@ -332,6 +332,7 @@
 Requires: mailcap
 Requires: mod_ssl
 Requires: novnc
+Requires: openssh
 Requires: openssl
 Requires: ovirt-host-deploy-java >= 1.4.0
 Requires: python-cheetah
@@ -1014,6 +1015,7 @@
 %dir %{engine_pki}/keys
 %{engine_data}/bin/pki-common.sh
 %{engine_data}/bin/pki-create-ca.sh
+%{engine_data}/bin/pki-enroll-openssh-cert.sh
 %{engine_data}/bin/pki-enroll-pkcs12.sh
 %{engine_data}/bin/pki-enroll-request.sh
 %{engine_data}/bin/pki-pkcs12-extract.sh
diff --git a/packaging/bin/pki-enroll-openssh-cert.sh b/packaging/bin/pki-enroll-openssh-cert.sh
new file mode 100755
index 0000000..ff5f384
--- /dev/null
+++ b/packaging/bin/pki-enroll-openssh-cert.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+sign() {
+ local name="$1"
+ local id="$2"
+ local host="$3"
+ local principals="$4"
+ local options="$5"
+ local days="$6"
+
+ local cert="${PKIDIR}/certs/${name}.cer"
+ local sshpub="${PKIDIR}/certs/${name}.pub"
+ local sshcert="${PKIDIR}/certs/${name}-cert.pub"
+
+ common_backup "${sshpub}" "${sshcert}"
+
+ #
+ # TODO: replace when el-6 supports -m PKCS8
+ #
+ openssl x509 -in "${cert}" -noout -pubkey | \
+ "${BINDIR}/pki-ssh-keygen.py" -i -m PKCS8 -f /proc/self/fd/0 \
+ > "${sshpub}" \
+ || die "Cannot generate ssh pubkey out of certificate"
+
+ #
+ # TODO: modify when CA key mode will be better (PKI rewrite)
+ #
+ (
+ TMPCA="$(mktemp)"
+ cleanup() {
+ rm -fr "${TMPCA}"
+ }
+ trap cleanup 0
+ cat "${PKIDIR}/private/ca.pem" > "${TMPCA}"
+ ssh-keygen \
+ -s "${TMPCA}" \
+ -I "${id}" \
+ ${host:+-h} \
+ -V "-1h:+${days}d" \
+ ${principals:+-n "${principals}"} \
+ $(echo -n "${options}" | xargs -ix -d',' echo -O x) \
+ "${sshpub}" \
+ || die "ssh-keygen failed"
+ ) || die "Cannot sign ssh certificate"
+}
+
+usage() {
+ cat << __EOF__
+Usage: $0 [OPTIONS]
+Enroll OpenSSH certificate out of X.509 certificate.
+Certificate is available at: ${PKIDIR}/certs/PREFIX.cer
+Open SSH Certificate will be available at: ${PKIDIR}/certs/PREFIX-cert.pub
+
+ --name=prefix file name.
+ --id=id certificate id.
+ --host generate host certificate.
+ --principals=principals certificate principals.
+ --options=options certificate options.
+ --days=n issue days.
+__EOF__
+}
+
+. "$(dirname "$(readlink -f "$0")")"/pki-common.sh
+
+NAME=""
+ID=""
+HOST=""
+PRINCIPALS=""
+OPTIONS="clear,permit-pty"
+DAYS="1800"
+while [ -n "$1" ]; do
+ x="$1"
+ v="${x#*=}"
+ shift
+ case "${x}" in
+ --name=*)
+ NAME="${v}"
+ ;;
+ --id=*)
+ ID="${v}"
+ ;;
+ --host)
+ HOST="1"
+ ;;
+ --principals=*)
+ PRINCIPALS="${v}"
+ ;;
+ --options=*)
+ OPTIONS="${v}"
+ ;;
+ --days=*)
+ DAYS="${v}"
+ ;;
+ --help)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+[ -n "${NAME}" ] || die "Please specify name"
+[ -n "${ID}" ] || die "Please specify id"
+[ -n "${HOST}" ] && OPTIONS=""
+
+sign "${NAME}" "${ID}" "${HOST}" "${PRINCIPALS}" "${OPTIONS}" "${DAYS}"
--
To view, visit https://gerrit.ovirt.org/38094
To unsubscribe, visit https://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ide34d4f0ffadf70e6ce42ae57328e262a832a3e4
Gerrit-PatchSet: 9
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Michal Skrivanek <michal.skriva...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: Yedidyah Bar David <d...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
_______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches