fudo-service/scripts/generate-keystore.rb

#!/usr/bin/env ruby

require "pathname"
require "tmpdir"
require "open3"
require "fileutils"

require "/fudo/lib/fudo.rb"

Fudo::require("fudo/config")
Fudo::require("network")

config = Fudo::Config::default
hostname = Fudo::Network::hostname

keystore = Pathname.new(
  config.get("services::#{hostname}::service::keystore"))
passwd_file = Pathname.new(
  config.get("services::#{hostname}::service::keystore_passwd_file"))

if ARGV.length != 2
  puts "usage: #{$0} [KEY_FILE] [CERT_FILE]"
  exit 1
end

KEYNAME = Pathname.new(ARGV[0])
CERTNAME = Pathname.new(ARGV[1])

if not File::readable?(KEYNAME)
  raise RuntimeError.new("Key #{KEYNAME.to_s} can't be read!")
end

if not File::readable?(CERTNAME)
  raise RuntimeError.new("Certificate #{CERTNAME.to_s} can't be read!")
end

if not keystore.parent.writable?
  raise RuntimeError.new("Can't write JKS to directory #{keystore.parent.to_s}")
end

if keystore.exist?
  raise RuntimeError.new("Keystore exists: #{keystore}! Aborting...")
end

if passwd_file.exist?
  raise RuntimeError.new("Keystore password file exists: #{passwd_file}! Aborting...")
end

def exec_or_die(cmd)
  out, err, status = Open3::capture3(cmd)
  if status != 0
    puts err
    raise RuntimeError.new(err)
  end
end

def randpass
  (0...50).map { ('a'..'z').to_a[rand(26)] }.join
end

finalpass = randpass

Dir::mktmpdir { |tmp_0|
  begin
    PRIV = Pathname.new(tmp_0) + "private"
    Dir::mkdir(PRIV)
    File::chmod(0700, PRIV)
    pkcs12 = PRIV + "key_crt.p12"
    pem_to_pkcs12 = <<EOF
  openssl pkcs12 \
          -export \
          -inkey #{KEYNAME.to_s} \
          -in #{CERTNAME.to_s} \
          -out #{pkcs12.to_s} \
          -name key_crt \
          -password pass:#{finalpass}
EOF
    pkcs12_to_jks = <<EOF
  keytool -importkeystore \
          -srckeystore #{pkcs12.to_s} \
          -srcstoretype pkcs12 \
          -srcstorepass #{finalpass} \
          -srcalias key_crt \
          -destkeystore #{keystore.to_s} \
          -deststoretype jks \
          -deststorepass #{finalpass}
EOF
    exec_or_die(pem_to_pkcs12)
    exec_or_die(pkcs12_to_jks)

    File::open(passwd_file, "w", 0600) { |file|
      file.print(finalpass)
    }
  ensure
    FileUtils::rm(pkcs12)
  end
}
initial commit, moved from system repo 2020-07-30 11:09:31 -07:00			`#!/usr/bin/env ruby`

			`require "pathname"`
			`require "tmpdir"`
			`require "open3"`
			`require "fileutils"`

			`require "/fudo/lib/fudo.rb"`

			`Fudo::require("fudo/config")`
			`Fudo::require("network")`

			`config = Fudo::Config::default`
			`hostname = Fudo::Network::hostname`

			`keystore = Pathname.new(`
			`config.get("services::#{hostname}::service::keystore"))`
			`passwd_file = Pathname.new(`
			`config.get("services::#{hostname}::service::keystore_passwd_file"))`

			`if ARGV.length != 2`
			`puts "usage: #{$0} [KEY_FILE] [CERT_FILE]"`
			`exit 1`
			`end`

			`KEYNAME = Pathname.new(ARGV[0])`
			`CERTNAME = Pathname.new(ARGV[1])`

			`if not File::readable?(KEYNAME)`
			`raise RuntimeError.new("Key #{KEYNAME.to_s} can't be read!")`
			`end`

			`if not File::readable?(CERTNAME)`
			`raise RuntimeError.new("Certificate #{CERTNAME.to_s} can't be read!")`
			`end`

			`if not keystore.parent.writable?`
			`raise RuntimeError.new("Can't write JKS to directory #{keystore.parent.to_s}")`
			`end`

			`if keystore.exist?`
			`raise RuntimeError.new("Keystore exists: #{keystore}! Aborting...")`
			`end`

			`if passwd_file.exist?`
			`raise RuntimeError.new("Keystore password file exists: #{passwd_file}! Aborting...")`
			`end`

			`def exec_or_die(cmd)`
			`out, err, status = Open3::capture3(cmd)`
			`if status != 0`
			`puts err`
			`raise RuntimeError.new(err)`
			`end`
			`end`

			`def randpass`
			`(0...50).map { ('a'..'z').to_a[rand(26)] }.join`
			`end`

			`finalpass = randpass`

			`Dir::mktmpdir { \|tmp_0\|`
			`begin`
			`PRIV = Pathname.new(tmp_0) + "private"`
			`Dir::mkdir(PRIV)`
			`File::chmod(0700, PRIV)`
			`pkcs12 = PRIV + "key_crt.p12"`
			`pem_to_pkcs12 = <<EOF`
			`openssl pkcs12 \`
			`-export \`
			`-inkey #{KEYNAME.to_s} \`
			`-in #{CERTNAME.to_s} \`
			`-out #{pkcs12.to_s} \`
			`-name key_crt \`
			`-password pass:#{finalpass}`
			`EOF`
			`pkcs12_to_jks = <<EOF`
			`keytool -importkeystore \`
			`-srckeystore #{pkcs12.to_s} \`
			`-srcstoretype pkcs12 \`
			`-srcstorepass #{finalpass} \`
			`-srcalias key_crt \`
			`-destkeystore #{keystore.to_s} \`
			`-deststoretype jks \`
			`-deststorepass #{finalpass}`
			`EOF`
			`exec_or_die(pem_to_pkcs12)`
			`exec_or_die(pkcs12_to_jks)`

			`File::open(passwd_file, "w", 0600) { \|file\|`
			`file.print(finalpass)`
			`}`
			`ensure`
			`FileUtils::rm(pkcs12)`
			`end`
			`}`