
qdevice-net-certutil: Add option for key size

This patch adds the -g option, which specifies the key size to
use when generating new public and private key pairs. This option
is passed directly to certutil.

Support for loading the sysconfig file
(/etc/sysconfig/corosync-qdevice) is also added. The
COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE variable can now be set in the
sysconfig file, which is equivalent to the -g option.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Jan Friesse 3 недель назад
Родитель
Сommit
58f094ae53

+ 6 - 1
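--- a/init/corosync-qdevice.sysconfig.example
+++ b/init/corosync-qdevice.sysconfig.example
@@ -1,6 +1,11 @@
-# Corosync Qdevice daemon init script configuration file
+# Configuration file for the Corosync Qdevice daemon init script,
+# systemd unit and corosync-qdevice-net-certutil tool.
 
 # COROSYNC_QDEVICE_OPTIONS specifies options passed to corosync-qdevice command
 # (default is no options).
 # See "man corosync-qdevice" for detailed descriptions of the options.
 COROSYNC_QDEVICE_OPTIONS=""
+
+# COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE specifies the key size to use when generating
+# new public and private key pairs. This is equivalent to the -g option.
+#COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE=""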
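Review bot: The new COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE comment does not say what kind of value is expected, although the script's usage text elsewhere in this commit describes it as a key size in bits handed to certutil's -g unchanged, and the script splices the variable into the certutil argument list unquoted, so only a single numeric token is safe here. Suggest extending the comment to `# COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE specifies the key size in bits to use when generating` / `# new public and private key pairs. The value must be a single number and is passed verbatim` / `# to certutil as its -g option (equivalent to the -g option of corosync-qdevice-net-certutil).` A commented-out example value would also help administrators, though which size is appropriate for a deployment is not something this commit establishes.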

+ 14 - 3
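--- a/man/corosync-qdevice-net-certutil.8
+++ b/man/corosync-qdevice-net-certutil.8
@@ -1,5 +1,5 @@
 .\"/*
-.\" * Copyright (C) 2016 Red Hat, Inc.
+.\" * Copyright (C) 2016-2026 Red Hat, Inc.
 .\" *
 .\" * All rights reserved.
 .\" *
@@ -31,11 +31,11 @@
 .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 .\" * THE POSSIBILITY OF SUCH DAMAGE.
 .\" */
-.TH COROSYNC-QDEVICE-NET-CERTUTIL 8 2016-06-28
+.TH COROSYNC-QDEVICE-NET-CERTUTIL 8 2026-06-11
 .SH NAME
 corosync-qdevice-net-certutil - tool to generate qdevice model net TLS certificates
 .SH SYNOPSIS
-.B "corosync-qdevice-net-certutil [-i|-m|-M|-r|-s|-Q] [-c certificate] [-S ssh_command] [-C scp_command] [-n cluster_name]"
+.B "corosync-qdevice-net-certutil [-i|-m|-M|-r|-s|-Q] [-c certificate] [-g keysize] [-S ssh_command] [-C scp_command] [-n cluster_name]"
 .SH DESCRIPTION
 .B corosync-qdevice-net-certutil
 is a frontend for NSS certutil used for generating client certificate for the net model of
@@ -75,6 +75,16 @@ or ssh/scp will keep asking for a password - roughly 8 times the number of nodes
 .B -c
 File with certificate to load.
 .TP
+.B -g
+Specify the key size to use when generating new public and private key pairs.
+This option is passed directly to the
+.B certutil
+command. By default, this is left empty, meaning
+.B -g
+is not passed to
+.B certutil
+at all.
+.TP
 .B -S
 Alternative remote shell command to be use in place of ssh. If not specified, ssh is used.
 .TP
@@ -86,6 +96,7 @@ Name of the cluster.
 .SH SEE ALSO
 .BR corosync-qnetd (8)
 .BR corosync-qdevice (8)
+.BR certutil(1)
 .SH AUTHOR
 Jan Friesse
 .PP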

+ 1 - 0
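--- a/qdevices/Makefile.am
+++ b/qdevices/Makefile.am
@@ -164,6 +164,7 @@ corosync-qdevice-net-certutil: corosync-qdevice-net-certutil.sh
 	sed -e 's#@''DATADIR@#${datadir}#g' \
 	    -e 's#@''BASHPATH@#${BASHPATH}#g' \
 	    -e 's#@''COROSYSCONFDIR@#${COROSYSCONFDIR}#g' \
+	    -e 's#@''INITCONFIGDIR@#${INITCONFIGDIR}#g' \
 	    $< > $@
 
 TESTS				= qnetd-cluster-list.test dynar.test dynar-simple-lex.test \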

+ 27 - 4
qdevices/corosync-qdevice-net-certutil.sh

@@ -1,7 +1,7 @@
 #!@BASHPATH@
 #!@BASHPATH@
 
 
 #
 #
-# Copyright (c) 2015-2018 Red Hat, Inc.
+# Copyright (c) 2015-2026 Red Hat, Inc.
 #
 #
 # All rights reserved.
 # All rights reserved.
 #
 #
@@ -52,7 +52,7 @@ REMOTE_SHELL_EXECUTABLE="ssh"
 REMOTE_COPY_EXECUTABLE="scp"
 REMOTE_COPY_EXECUTABLE="scp"
 
 
 usage() {
 usage() {
-    echo "$0: [-i|-m|-M|-r|-s|-Q] [-c certificate] [-S ssh_command] [-C scp_command] [-n cluster_name]"
+    echo "$0: [-i|-m|-M|-r|-s|-Q] [-c certificate] [-g keysize] [-S ssh_command] [-C scp_command] [-n cluster_name]"
     echo
     echo
     echo " -i      Initialize node CA. Needs CA certificate from server"
     echo " -i      Initialize node CA. Needs CA certificate from server"
     echo " -m      Import cluster certificate on node (needs pk12 certificate)"
     echo " -m      Import cluster certificate on node (needs pk12 certificate)"
@@ -61,6 +61,7 @@ usage() {
     echo " -Q      Quick start. Uses ssh/scp to initialze both qnetd and nodes."
     echo " -Q      Quick start. Uses ssh/scp to initialze both qnetd and nodes."
     echo ""
     echo ""
     echo " -c certificate      Ether CA, CRQ, CRT or pk12 certificate (operation dependant)"
     echo " -c certificate      Ether CA, CRQ, CRT or pk12 certificate (operation dependant)"
+    echo " -g keysize          Key size in bits - passed directly to certutil as -g parameter"
     echo " -S ssh_command      Alternative remote shell command to be use in place of ssh. If not specified, ssh is used."
     echo " -S ssh_command      Alternative remote shell command to be use in place of ssh. If not specified, ssh is used."
     echo " -C scp_command      Alternative remote copy command to be use in place of scp. If not specified, scp is used."
     echo " -C scp_command      Alternative remote copy command to be use in place of scp. If not specified, scp is used."
     echo " -n cluster_name     Name of cluster (for -r and -s operations)"
     echo " -n cluster_name     Name of cluster (for -r and -s operations)"
@@ -85,6 +86,16 @@ usage() {
     exit 0
     exit 0
 }
 }
 
 
+get_certutil_key_params() {
+    CERTUTIL_PARAMS=""
+
+    if [ ! -z "$COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE" ];then
+        CERTUTIL_PARAMS="$CERTUTIL_PARAMS -g $COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE"
+    fi
+
+    echo "$CERTUTIL_PARAMS"
+}
+
 create_new_noise_file() {
 create_new_noise_file() {
     local noise_file="$1"
     local noise_file="$1"
 
 
@@ -178,7 +189,8 @@ gen_cluster_cert_req() {
 
 
     echo "Creating new certificate request"
     echo "Creating new certificate request"
 
 
-    certutil -R -s "CN=$CLUSTER_NAME" -o "$CRQ_FILE" -d "$DB_DIR" -f "$PWD_FILE" -z "$NOISE_FILE"
+    certutil -R -s "CN=$CLUSTER_NAME" -o "$CRQ_FILE" -d "$DB_DIR" -f "$PWD_FILE" -z "$NOISE_FILE" \
+        $(get_certutil_key_params)
 
 
     echo "Certificate request stored in $CRQ_FILE"
     echo "Certificate request stored in $CRQ_FILE"
 }
 }
@@ -276,11 +288,19 @@ quick_start() {
     done
     done
 }
 }
 
 
+# Initialize options that may be overwritten by the configuration file
+COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE=""
+
+# Import configuration file if it exists
+if [ -f "@INITCONFIGDIR@/corosync-qdevice" ];then
+    . "@INITCONFIGDIR@/corosync-qdevice"
+fi
+
 OPERATION=""
 OPERATION=""
 CERTIFICATE_FILE=""
 CERTIFICATE_FILE=""
 CLUSTER_NAME=""
 CLUSTER_NAME=""
 
 
-while getopts ":hiMmQrc:S:C:n:" opt; do
+while getopts ":hiMmQrc:g:S:C:n:" opt; do
     case $opt in
     case $opt in
         r)
         r)
             OPERATION=gen_cluster_cert_req
             OPERATION=gen_cluster_cert_req
@@ -312,6 +332,9 @@ while getopts ":hiMmQrc:S:C:n:" opt; do
         c)
         c)
             CERTIFICATE_FILE="$OPTARG"
             CERTIFICATE_FILE="$OPTARG"
             ;;
             ;;
+        g)
+            COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE="$OPTARG"
+            ;;
         \?)
         \?)
             echo "Invalid option: -$OPTARG" >&2
             echo "Invalid option: -$OPTARG" >&2