
qnetd-certutil: Add option for key size

This patch adds the -g option, which specifies the key size to
use when generating new public and private key pairs. This option
is passed directly to certutil.

Support for loading the sysconfig file
(/etc/sysconfig/corosync-qnetd) is also added. The
COROSYNC_QNETD_CERTUTIL_KEY_SIZE variable can now be set in the
sysconfig file, which is equivalent to the -g option.

Lastly, the -G option is added to the man page.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Jan Friesse il y a 3 mois
Parent
commit
a7ceaa849b

+ 6 - 1
init/corosync-qnetd.sysconfig.example

@@ -1,4 +1,5 @@
-# Corosync Qdevice Network daemon init script configuration file
+# Configuration file for the Corosync Qdevice Network daemon init script,
+# systemd unit and corosync-qnetd-certutil tool.
 
 # COROSYNC_QNETD_OPTIONS specifies options passed to corosync-qnetd command
 # (default is no options).
@@ -11,3 +12,7 @@ COROSYNC_QNETD_OPTIONS=""
 # /var/run/corosync-qnetd
 # This has no effect if systemd unit is used (you have to change unit file)
 COROSYNC_QNETD_RUNAS=""
+
+# COROSYNC_QNETD_CERTUTIL_KEY_SIZE specifies the key size to use when generating
+# new public and private key pairs. This is equivalent to the -g option.
+#COROSYNC_QNETD_CERTUTIL_KEY_SIZE=""

+ 14 - 3
man/corosync-qnetd-certutil.8

@@ -1,5 +1,5 @@
 .\"/*
-.\" * Copyright (C) 2016 Red Hat, Inc.
+.\" * Copyright (C) 2016-2026 Red Hat, Inc.
 .\" *
 .\" * All rights reserved.
 .\" *
@@ -31,11 +31,11 @@
 .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 .\" * THE POSSIBILITY OF SUCH DAMAGE.
 .\" */
-.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28
+.TH COROSYNC-QNETD-CERTUTIL 8 2026-03-31
 .SH NAME
 corosync-qnetd-certutil - tool to generate qnetd TLS certificates
 .SH SYNOPSIS
-.B "corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]"
+.B "corosync-qnetd-certutil [-i|-s] [-c certificate] [-G] [-g keysize] [-n cluster_name]"
 .SH DESCRIPTION
 .B corosync-qnetd-certutil
 is a frontend for the NSS certutil, it is used for generating the QNetd CA (Certificate Authority), 
@@ -70,6 +70,16 @@ to root:$COROQNETD with permissions 0750 and then create database (as a root):
 # corosync-qnetd-certutil -i -G
 .fi
 
+.TP
+.B -g
+Specify the key size to use when generating new public and private key pairs.
+This option is passed directly to the
+.B certutil
+command. By default, this is left empty, meaning
+.B -g
+is not passed to
+.B certutil
+at all.
 .TP
 .B -n
 Name of the cluster.
@@ -80,6 +90,7 @@ is executed as root it tries to copy the owner and group of /etc/corosync/qnetd
 .SH SEE ALSO
 .BR corosync-qnetd (8)
 .BR corosync-qdevice (8)
+.BR certutil(1)
 .SH AUTHOR
 Jan Friesse
 .PP

+ 1 - 0
qdevices/Makefile.am

@@ -90,6 +90,7 @@ corosync-qnetd-certutil: corosync-qnetd-certutil.sh
 	sed -e 's#@''DATADIR@#${datadir}#g' \
 	    -e 's#@''BASHPATH@#${BASHPATH}#g' \
 	    -e 's#@''COROSYSCONFDIR@#${COROSYSCONFDIR}#g' \
+	    -e 's#@''INITCONFIGDIR@#${INITCONFIGDIR}#g' \
 	    $< > $@
 
 endif

+ 26 - 5
qdevices/corosync-qnetd-certutil.sh

@@ -1,7 +1,7 @@
 #!@BASHPATH@
 
 #
-# Copyright (c) 2015-2018 Red Hat, Inc.
+# Copyright (c) 2015-2026 Red Hat, Inc.
 #
 # All rights reserved.
 #
@@ -50,12 +50,13 @@ CERTDB_FILES=("cert9.db key4.db pkcs11.txt"
               "cert8.db key3.db secmod.db")
 
 usage() {
-    echo "$0: [-i|-s] [-c certificate] [-G] [-n cluster_name]"
+    echo "$0: [-i|-s] [-c certificate] [-G] [-g keysize] [-n cluster_name]"
     echo
     echo " -i                  Initialize QNetd CA and generate server certificate"
     echo " -s                  Sign cluster certificate (needs cluster certificate)"
     echo " -c certificate      CRQ certificate file name"
     echo " -G                  Do not set group write bit for new files"
+    echo " -g keysize          Key size in bits - passed directly to certutil as -g parameter"
     echo " -n cluster_name     Name of cluster (for -s operation)"
 
     exit 0
@@ -120,6 +121,16 @@ find_certdb_files() {
     return 1
 }
 
+get_certutil_key_params() {
+    CERTUTIL_PARAMS=""
+
+    if [ ! -z "$COROSYNC_QNETD_CERTUTIL_KEY_SIZE" ];then
+        CERTUTIL_PARAMS="$CERTUTIL_PARAMS -g $COROSYNC_QNETD_CERTUTIL_KEY_SIZE"
+    fi
+
+    echo "$CERTUTIL_PARAMS"
+}
+
 init_qnetd_ca() {
     cert_files=`find_certdb_files`
     if [ "$cert_files" != "" ];then
@@ -159,14 +170,14 @@ init_qnetd_ca() {
     # Create self-signed certificate (CA). Asks 3 questions (is this CA, lifetime and critical extension
     echo -e "y\n0\ny\n" | certutil -S -n "$CA_NICKNAME" -s "$CA_SUBJECT" -x \
         -t "CT,," -m "$(get_serial_no)" -v $CRT_VALIDITY -d "$DB_DIR" \
-        -z "$NOISE_FILE" -f "$PWD_FILE" -2
+        -z "$NOISE_FILE" -f "$PWD_FILE" -2 $(get_certutil_key_params)
     # Export CA certificate in ascii
     certutil -L -d "$DB_DIR" -n "$CA_NICKNAME" > "$CA_EXPORT_FILE"
     certutil -L -d "$DB_DIR" -n "$CA_NICKNAME" -a >> "$CA_EXPORT_FILE"
     chown_ref_cfgdir "$CA_EXPORT_FILE"
 
     certutil -S -n "$SERVER_NICKNAME" -s "$SERVER_SUBJECT" -c "$CA_NICKNAME" -t "u,u,u" -m "$(get_serial_no)" \
-        -v $CRT_VALIDITY -d "$DB_DIR" -z "$NOISE_FILE" -f "$PWD_FILE"
+        -v $CRT_VALIDITY -d "$DB_DIR" -z "$NOISE_FILE" -f "$PWD_FILE" $(get_certutil_key_params)
 
     echo "QNetd CA certificate is exported as $CA_EXPORT_FILE"
 }
@@ -187,13 +198,20 @@ sign_cluster_cert() {
     echo "Certificate stored in $CRT_FILE"
 }
 
+# Initialize options that may be overwritten by the configuration file
+COROSYNC_QNETD_CERTUTIL_KEY_SIZE=""
+
+# Import configuration file if it exists
+if [ -f "@INITCONFIGDIR@/corosync-qnetd" ];then
+    . "@INITCONFIGDIR@/corosync-qnetd"
+fi
 
 OPERATION=""
 CERTIFICATE_FILE=""
 CLUSTER_NAME=""
 SET_GROUP_WRITE_BIT=true
 
-while getopts ":Ghisc:n:" opt; do
+while getopts ":Ghisc:g:n:" opt; do
     case $opt in
         i)
             OPERATION=init_qnetd_ca
@@ -210,6 +228,9 @@ while getopts ":Ghisc:n:" opt; do
         G)
             SET_GROUP_WRITE_BIT=false
             ;;
+        g)
+            COROSYNC_QNETD_CERTUTIL_KEY_SIZE="$OPTARG"
+            ;;
         n)
             CLUSTER_NAME="$OPTARG"
             ;;
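Review bot: The key size reaches certutil without any validation: the value stored at `COROSYNC_QNETD_CERTUTIL_KEY_SIZE="$OPTARG"` (or from the sourced sysconfig file) is expanded unquoted by `$(get_certutil_key_params)` at the two certutil calls, so a value such as `2048 -k ec` is word-split into additional certutil arguments, and a non-numeric value only fails later inside certutil with a less obvious message. After the getopts loop, which ends outside this hunk, a single check would fail early and clearly: `if [ -n "$COROSYNC_QNETD_CERTUTIL_KEY_SIZE" ] && ! [[ "$COROSYNC_QNETD_CERTUTIL_KEY_SIZE" =~ ^[0-9]+$ ]]; then` / `    echo "$0: key size must be a positive integer" >&2; exit 1` / `fi` (bash is already required by the shebang and the arrays above). In `get_certutil_key_params` the accumulator should be `local CERTUTIL_PARAMS=""` so the helper does not leak a global, and `[ ! -z ... ]` reads better as `[ -n ... ]`. Since `. "@INITCONFIGDIR@/corosync-qnetd"` executes the file as shell, any variable the script defined above that point is silently overridable from it; that follows the init-script convention, but a comment such as `# Note: the file is executed as shell and may override any variable set above` would make the contract explicit.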