From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001

From: Alexander Scheel <ascheel@redhat.com>

Date: Wed, 13 May 2020 10:01:47 -0400

Subject: [PATCH] Don't clobber existing files on bootstrap

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

---

 raddb/certs/bootstrap | 31 +++++++++++++++----------------

 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap

index ede09bc..e555491 100755

--- a/raddb/certs/bootstrap

+++ b/raddb/certs/bootstrap

@@ -20,56 +20,55 @@ cd `dirname $0`

 #  Don't edit the following text.  Instead, edit the Makefile, and

 #  re-generate these commands.

 #

-if [ ! -f dh ]; then

+if [ ! -e dh ]; then

   openssl dhparam -out dh 2048 || exit 1

-  if [ -e /dev/urandom ] ; then

-	ln -sf /dev/urandom random

-  else

-	date > ./random;

-  fi

+  ln -sf /dev/urandom random

 fi

-if [ ! -f server.key ]; then

+if [ ! -e server.key ]; then

   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1

   chmod g+r server.key

 fi

-if [ ! -f ca.key ]; then

+if [ ! -e ca.key ]; then

   openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1

 fi

-if [ ! -f index.txt ]; then

+if [ ! -e index.txt ]; then

   touch index.txt

 fi

-if [ ! -f serial ]; then

+if [ ! -e serial ]; then

   echo '01' > serial

 fi

-if [ ! -f server.crt ]; then

+if [ ! -e server.crt ]; then

   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1

 fi

-if [ ! -f server.p12 ]; then

+if [ ! -e server.p12 ]; then

   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1

   chmod g+r server.p12

 fi

-if [ ! -f server.pem ]; then

+if [ ! -e server.pem ]; then

   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1

   openssl verify -CAfile ca.pem server.pem || exit 1

   chmod g+r server.pem

 fi

-if [ ! -f ca.der ]; then

+if [ ! -e ca.der ]; then

   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1

 fi

-if [ ! -f client.key ]; then

+if [ ! -e client.key ]; then

   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

   chmod g+r client.key

 fi

-if [ ! -f client.crt ]; then

+if [ ! -e client.crt ]; then

   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

 fi

+

+chown root:radiusd dh ca.* client.* server.*

+chmod 640 dh ca.* client.* server.*

-- 

2.26.2