From 9386014e7cadaaca392226db926ebe3847a8960d220c5e50bb6f2b8fcdb80d02 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Fri, 27 Jul 2012 11:17:03 +0000 Subject: [PATCH] Accepting request 128919 from home:saschpe:branches:Apache - gensslcert: Use 0400 permissions for generated SSL certificate files instead of 0644 OBS-URL: https://build.opensuse.org/request/show/128919 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=368 --- apache2.changes | 6 ++++++ gensslcert | 12 ++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/apache2.changes b/apache2.changes index ad1dc94..11bf6f7 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de + +- gensslcert: Use 0400 permissions for generated SSL certificate files + instead of 0644 + ------------------------------------------------------------------- Fri Jul 6 11:58:03 UTC 2012 - meissner@suse.com diff --git a/gensslcert b/gensslcert index 0d9038c..3480323 100644 --- a/gensslcert +++ b/gensslcert @@ -91,7 +91,7 @@ sslprmdir=$r/etc/apache2/ssl.prm # CA # echo;myecho creating CA key ... -$openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $? +(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) cat >$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.serial myecho "creating server certificate ..." -$openssl x509 \ +(umask 0377 ; $openssl x509 \ -extfile $r/root/.mkcert.cfg \ -days $srvdays \ -CAserial $r/root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ - -out $sslcrtdir/${name}server.crt || myexit $LINENO $? + -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) rm -f $r/root/.mkcert.cfg
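Review bot: In the gensslcert hunks the `|| myexit $LINENO $?` handler now sits inside the `(umask 0377 ; ...)` subshell, so if myexit ends by calling `exit` (its definition is outside this diff) a failed `openssl genrsa` or `openssl x509` would only end the subshell and the script would carry on without a valid key or certificate. Keeping the handler outside the parentheses preserves the abort: `(umask 0377 ; $openssl genrsa ... -out $sslkeydir/${name}ca.key 2048) || myexit $LINENO $?`, and likewise for the x509 call and any other command wrapped the same way. A umask also only takes effect when the output file is newly created, so a key left over from an earlier run with 0644 would probably keep that mode when it is overwritten. An explicit `chmod 0400` on the key files after generation, or removing the old file first, would make the tightening reliable on re-runs.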