scripts/util/keystore-cert-import - cloudstack - Git at Google

 #!/bin/bash
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.

 PROPS_FILE="$1"
 KS_FILE="$2"
 MODE="$3"
 CERT_FILE="$4"
 CERT=$(echo "$5" | tr '^' '\n' | tr '~' ' ')
 CACERT_FILE="$6"
 CACERT=$(echo "$7" | tr '^' '\n' | tr '~' ' ')
 PRIVKEY_FILE="$8"
 PRIVKEY=$(echo "$9" | tr '^' '\n' | tr '~' ' ')

 ALIAS="cloud"
 SYSTEM_FILE="/var/cache/cloud/cmdline"
 LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"

 # Find keystore password
 KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null  | sed 's/keystore.passphrase=//g' 2>/dev/null)

 if [ -z "${KS_PASS// }" ]; then
     echo "Failed to find keystore passphrase from file: $PROPS_FILE, quiting!"
     exit 1
 fi

 # Import certificate
 if [ ! -z "${CERT// }" ]; then
     echo "$CERT" > "$CERT_FILE"
 fi

 # Import ca certs
 if [ ! -z "${CACERT// }" ]; then
     echo "$CACERT" > "$CACERT_FILE"
 fi

 # Import cacerts into the keystore
 awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
 for caChain in $(ls cloudca.*); do
     keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
     keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
 done
 rm -f cloudca.*

 # Stop cloud service in systemvm
 if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then
     systemctl stop cloud > /dev/null 2>&1
 fi

 # Import private key if available
 if [ ! -z "${PRIVKEY// }" ]; then
     echo "$PRIVKEY" > "$PRIVKEY_FILE"
     # Re-initialize keystore when private key is provided
     keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null || true
     openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1
     keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
 else
     # Import certificate into the keystore
     keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 || true
     # Export private key from keystore
     rm -f "$PRIVKEY_FILE"
     keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
     openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null | openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1
 fi

 rm -f "$KS_FILE.p12"

 # Secure libvirtd on cert import
 if [ -f "$LIBVIRTD_FILE" ]; then
     mkdir -p /etc/pki/CA
     mkdir -p /etc/pki/libvirt/private
     ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
     ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
     ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem
     cloudstack-setup-agent -s > /dev/null
 fi

 # Update ca-certs if we're in systemvm
 if [ -f "$SYSTEM_FILE" ]; then
     mkdir -p /usr/local/share/ca-certificates/cloudstack
     cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt
     chmod 755 /usr/local/share/ca-certificates/cloudstack
     chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
     update-ca-certificates > /dev/null 2>&1 || true

     # Ensure cloud service is running in systemvm
     if [ "$MODE" == "ssh" ]; then
         systemctl start cloud > /dev/null 2>&1
     fi
 fi

 # Fix file permission
 chmod 600 $CACERT_FILE
 chmod 600 $CERT_FILE
 chmod 600 $PRIVKEY_FILE
	#!/bin/bash
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.

	PROPS_FILE="$1"
	KS_FILE="$2"
	MODE="$3"
	CERT_FILE="$4"
	CERT=$(echo "$5" \| tr '^' '\n' \| tr '~' ' ')
	CACERT_FILE="$6"
	CACERT=$(echo "$7" \| tr '^' '\n' \| tr '~' ' ')
	PRIVKEY_FILE="$8"
	PRIVKEY=$(echo "$9" \| tr '^' '\n' \| tr '~' ' ')

	ALIAS="cloud"
	SYSTEM_FILE="/var/cache/cloud/cmdline"
	LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"

	# Find keystore password
	KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null \| sed 's/keystore.passphrase=//g' 2>/dev/null)

	if [ -z "${KS_PASS// }" ]; then
	echo "Failed to find keystore passphrase from file: $PROPS_FILE, quiting!"
	exit 1
	fi

	# Import certificate
	if [ ! -z "${CERT// }" ]; then
	echo "$CERT" > "$CERT_FILE"
	fi

	# Import ca certs
	if [ ! -z "${CACERT// }" ]; then
	echo "$CACERT" > "$CACERT_FILE"
	fi

	# Import cacerts into the keystore
	awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
	for caChain in $(ls cloudca.*); do
	keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 \|\| true
	keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
	done
	rm -f cloudca.*

	# Stop cloud service in systemvm
	if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then
	systemctl stop cloud > /dev/null 2>&1
	fi

	# Import private key if available
	if [ ! -z "${PRIVKEY// }" ]; then
	echo "$PRIVKEY" > "$PRIVKEY_FILE"
	# Re-initialize keystore when private key is provided
	keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null \|\| true
	openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1
	keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
	else
	# Import certificate into the keystore
	keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 \|\| true
	# Export private key from keystore
	rm -f "$PRIVKEY_FILE"
	keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
	openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null \| openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1
	fi

	rm -f "$KS_FILE.p12"

	# Secure libvirtd on cert import
	if [ -f "$LIBVIRTD_FILE" ]; then
	mkdir -p /etc/pki/CA
	mkdir -p /etc/pki/libvirt/private
	ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
	ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
	ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
	ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
	ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem
	cloudstack-setup-agent -s > /dev/null
	fi

	# Update ca-certs if we're in systemvm
	if [ -f "$SYSTEM_FILE" ]; then
	mkdir -p /usr/local/share/ca-certificates/cloudstack
	cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt
	chmod 755 /usr/local/share/ca-certificates/cloudstack
	chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
	update-ca-certificates > /dev/null 2>&1 \|\| true

	# Ensure cloud service is running in systemvm
	if [ "$MODE" == "ssh" ]; then
	systemctl start cloud > /dev/null 2>&1
	fi
	fi

	# Fix file permission
	chmod 600 $CACERT_FILE
	chmod 600 $CERT_FILE
	chmod 600 $PRIVKEY_FILE