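#!/bin/sh
#
# This shell script checks the TLS certificates and options needed
# for the secure client/server support of libvirt as documented at
# http://libvirt.org/remote.html#Remote_certificates
#
# It only reports problems and prints the commands that would fix them;
# it never modifies a file.  The exit status is 1 when something that
# both a client and a server need (certtool, the PKI directories, the
# CA certificate) is missing or unusable, and 0 otherwise -- a missing
# client or server certificate is reported but is not an error, since a
# host may legitimately act as only one of the two.
#
# Daniel Veillard <veillard@redhat.com>
#

# The readability checks below apply to the effective user, which is
# what matters for reading the files (and is also defined without a tty).
USER=$(id -un)
SERVER=1
# Flag kept for symmetry with SERVER; it is not consulted afterwards.
CLIENT=1
PORT=16514

# Print one line on stdout; printf avoids echo's handling of a leading
# "-n"/"-e" or of backslashes in values taken from certificates.
msg() {
  printf '%s\n' "$1"
}

#######################################
# Print every argument on its own line and abort the validation.
# Arguments: one or more message lines
# Returns:   does not return; exits with status 1
#######################################
fail() {
  for line in "$@"; do
    msg "$line"
  done
  exit 1
}

#######################################
# Verify a PKI directory exists and is readable and listable by $USER.
# Arguments:
#   $1 - directory path
#   $2 - one line saying where the directory normally comes from
#   $3 - command creating it, or empty when none is suggested
#   $4 - command fixing its ownership/permissions
# Returns: 0, or exits with status 1 on the first problem found
#######################################
check_dir() {
  if [ ! -d "$1" ]; then
    msg "the $1 directory is missing, it is usually"
    msg "$2"
    [ -n "$3" ] && msg "as root do: $3"
    exit 1
  fi
  [ -r "$1" ] || fail "the $1 directory is not readable by $USER" "as root do: $4"
  [ -x "$1" ] || fail "the $1 directory is not listable by $USER" "as root do: $4"
}

#######################################
# Extract one attribute of the Subject or Issuer DN of a certificate.
# Arguments:
#   $1 - PEM certificate file
#   $2 - DN line label as printed by certtool: Subject or Issuer
#   $3 - attribute name: O or CN
# Outputs: the attribute value on stdout, cut at the next ',' (a value
#          that itself contains a comma is therefore truncated).  When
#          the attribute is absent the remaining DN text is printed
#          instead, so the caller's comparison fails as intended.
#######################################
cert_field() {
  "$CERTOOL" -i --infile "$1" | sed -n "/$2:/ {
    s/.*[, ]$3=//
    s/,.*//
    p
    q
  }"
}

#######################################
# Report on a private key: presence, root ownership and file mode.
# Arguments:
#   $1 - key file
#   $2 - "client" or "server", used in the messages
#   $3 - expected mode string as shown by ls -l, e.g. -rw-------
#   $4 - octal mode to suggest in the chmod hint
#   $5 - one line explaining why that mode is expected
# Outputs: diagnostics on stdout; a bad key only produces hints and
#          never aborts the validation
#######################################
check_key() {
  if [ ! -e "$1" ]; then
    msg "Missing $2 private key $1"
    return 0
  fi
  msg "Found $2 private key $1"
  # One ls call gives both fields; -L follows a symlinked key so the
  # real file's mode and owner are examined rather than the link's.
  ls_fields=$(ls -lL "$1" | awk '{ print $1, $3 }')
  MOD=${ls_fields%% *}
  OWN=${ls_fields#* }
  # ls appends '.' when a security context is present and '+' when an
  # ACL is set; neither changes the permission bits being compared.
  MOD=${MOD%[.+]}
  if [ "$OWN" != "root" ]; then
    msg "The $2 private key should be owned by root"
    msg "as root do: chown root $1"
  fi
  if [ "$MOD" != "$3" ]; then
    msg "$5"
    msg "as root do: chmod $4 $1"
  fi
}

#
# First get certtool
#
CERTOOL=$(command -v certtool 2>/dev/null)
if [ ! -x "$CERTOOL" ]; then
  fail "Could not locate the certtool program" \
       "make sure the gnutls-utils (or gnutls-bin) package is installed"
fi
msg "Found $CERTOOL"

#
# Check the directory structure
#
SYSCONFDIR="@SYSCONFDIR@"
PKI="$SYSCONFDIR/pki"
CA="$PKI/CA"
LIBVIRT="$PKI/libvirt"
LIBVIRTP="$LIBVIRT/private"

check_dir "$PKI" "installed as part of the filesystem or openssl packages" \
  "" "chmod a+rx $PKI"
check_dir "$CA" "installed as part of the filesystem or openssl packages" \
  "" "chmod a+rx $CA"
check_dir "$LIBVIRT" "installed by the libvirt package" \
  "mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT" \
  "chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
check_dir "$LIBVIRTP" "installed by the libvirt package" \
  "mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP" \
  "chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"

#
# Now check the certificates
# First the CA certificate
#
CACERT="$CA/cacert.pem"
if [ ! -f "$CACERT" ]; then
  fail "the CA certificate $CACERT is missing while it" \
       "should be installed on both client and servers" \
       "see http://libvirt.org/remote.html#Remote_TLS_CA" \
       "on how to install it"
fi
[ -r "$CACERT" ] || fail "the CA certificate $CACERT is not readable by $USER" \
                         "as root do: chmod 644 $CACERT"
# The CA's name is the CN of its Issuer DN; the client and server
# certificates are expected to carry the same string in their Subject O=.
ORG=$(cert_field "$CACERT" Issuer CN)
if [ -z "$ORG" ]; then
  fail "the CA certificate $CACERT does not define the organization" \
       "it should probably be regenerated" \
       "see http://libvirt.org/remote.html#Remote_TLS_CA" \
       "on how to regenerate it"
fi
msg "Found CA certificate $CACERT for $ORG"

# Second the client certificates
CLIENTCERT="$LIBVIRT/clientcert.pem"
if [ -f "$CLIENTCERT" ]; then
  if [ ! -r "$CLIENTCERT" ]; then
    msg "Client certificate $CLIENTCERT should be world readable"
    msg "as root do: chown root:root $CLIENTCERT ; chmod 644 $CLIENTCERT"
  else
    S_ORG=$(cert_field "$CLIENTCERT" Subject O)
    if [ "$ORG" != "$S_ORG" ]; then
      msg "The CA certificate and the client certificate do not match"
      msg "CA organization: $ORG"
      msg "Client organization: $S_ORG"
    fi
    C_NAME=$(cert_field "$CLIENTCERT" Subject CN)
    msg "Found client certificate $CLIENTCERT for $C_NAME"
    # This check expects the client key to be mode 644, the server key 600.
    check_key "$LIBVIRTP/clientkey.pem" client "-rw-r--r--" 644 \
      "The client private key needs to be readable by client tools"
  fi
else
  msg "Did not find $CLIENTCERT client certificate"
  msg "The machine cannot act as a client"
  msg "see http://libvirt.org/remote.html#Remote_TLS_client_certificates"
  msg "on how to regenerate it"
  CLIENT=0
fi

# Third the server certificates
SERVERCERT="$LIBVIRT/servercert.pem"
if [ -f "$SERVERCERT" ]; then
  if [ ! -r "$SERVERCERT" ]; then
    msg "Server certificate $SERVERCERT should be world readable"
    msg "as root do: chown root:root $SERVERCERT ; chmod 644 $SERVERCERT"
  else
    S_ORG=$(cert_field "$SERVERCERT" Subject O)
    if [ "$ORG" != "$S_ORG" ]; then
      msg "The CA certificate and the server certificate do not match"
      msg "CA organization: $ORG"
      msg "Server organization: $S_ORG"
    fi
    # The server CN is expected to be this host's name, short or fully
    # qualified.
    S_HOST=$(cert_field "$SERVERCERT" Subject CN)
    HOST_FQ=$(hostname)
    HOST_SHORT=$(hostname -s 2>/dev/null)
    if [ "$S_HOST" != "$HOST_SHORT" ] && [ "$S_HOST" != "$HOST_FQ" ]; then
      msg "The server certificate does not seem to match the host name"
      msg "hostname: \"$HOST_FQ\""
      msg "Server certificate CN: \"$S_HOST\""
    fi
    msg "Found server certificate $SERVERCERT for $S_HOST"
    check_key "$LIBVIRTP/serverkey.pem" server "-rw-------" 600 \
      "The server private key needs to be readable only by root"
  fi
else
  msg "Did not find $SERVERCERT server certificate"
  msg "The machine cannot act as a server"
  msg "see http://libvirt.org/remote.html#Remote_TLS_server_certificates"
  msg "on how to regenerate it"
  SERVER=0
fi

#
# Finally the daemon and firewall configuration, only relevant to a server
#
if [ "$SERVER" = "1" ]; then
  LIBVIRTD_CONF="$SYSCONFDIR/sysconfig/libvirtd"
  if [ -r "$LIBVIRTD_CONF" ]; then
    if ! grep -q "^LIBVIRTD_ARGS.*--listen" "$LIBVIRTD_CONF" 2>/dev/null; then
      msg "Make sure $LIBVIRTD_CONF is setup to listen to"
      msg "TCP/IP connections and restart the libvirtd service"
    fi
  fi
  IPTABLES_CONF="$SYSCONFDIR/sysconfig/iptables"
  if [ -r "$IPTABLES_CONF" ]; then
    # Heuristic only: any occurrence of the port number is taken as a
    # rule for it; the rule syntax itself is not parsed.
    if ! grep -q -- "$PORT" "$IPTABLES_CONF" 2>/dev/null; then
      msg "Make sure $IPTABLES_CONF is setup to allow"
      msg "incoming TCP/IP connections on port $PORT and"
      msg "restart the iptables service"
    fi
  fi
fi
exit 0

: <<=cut
=pod

=head1 NAME

virt-pki-validate - validate libvirt PKI files are configured correctly

=head1 SYNOPSIS

virt-pki-validate

=head1 DESCRIPTION

This tool validates that the necessary PKI files are configured for
a secure libvirt server or client using the TLS encryption protocol.
It will report any missing certificate or key files on the host. It
should be run as root to ensure it can read all the necessary files.

=head1 EXIT STATUS

Upon successful validation, an exit status of 0 will be set. Upon
failure a non-zero status will be set.

=head1 AUTHOR

Richard Jones

=head1 BUGS

Report any bugs discovered to the libvirt community via the
mailing list C<http://libvirt.org/contact.html> or bug tracker C<http://libvirt.org/bugs.html>.
Alternatively report bugs to your software distributor / vendor.

=head1 COPYRIGHT

Copyright (C) 2006-2010 by Red Hat, Inc.

=head1 LICENSE

virt-pki-validate is distributed under the terms of the GNU GPL v2+.
This is free software; see the source for copying conditions. There
is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE

=head1 SEE ALSO

C<virsh(1)>, online PKI setup instructions C<http://libvirt.org/remote.html>

=cut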