scripts/util/keystore-cert-import - cloudstack - Git at Google

 #!/bin/bash
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.

 PROPS_FILE="$1"
 KS_PASS="$2"
 KS_FILE="$3"
 MODE="$4"
 CERT_FILE="$5"
 CERT=$(echo "$6" | tr '^' '\n' | tr '~' ' ')
 CACERT_FILE="$7"
 CACERT=$(echo "$8" | tr '^' '\n' | tr '~' ' ')
 PRIVKEY_FILE="$9"
 PRIVKEY=$(echo "${10}" | tr '^' '\n' | tr '~' ' ')

 ALIAS="cloud"
 SYSTEM_FILE="/var/cache/cloud/cmdline"
 LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"

 if [ ! -f "$LIBVIRTD_FILE" ]; then
   # Re-use existing password or use the one provided
   while [ ! -d /usr/local/cloud/systemvm/conf ]; do sleep 1; done
   if [ -f "$PROPS_FILE" ]; then
       OLD_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null  | sed 's/keystore.passphrase=//g' 2>/dev/null)
       if [ ! -z "${OLD_PASS// }" ]; then
           KS_PASS="$OLD_PASS"
       else
           sed -i "/keystore.passphrase.*/d" $PROPS_FILE 2> /dev/null || true
           echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE
       fi
   fi
 fi

 # Find keystore password
 KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null  | sed 's/keystore.passphrase=//g' 2>/dev/null)

 if [ -z "${KS_PASS// }" ]; then
     echo "Failed to find keystore passphrase from file: $PROPS_FILE, quitting!"
     exit 1
 fi

 # Import certificate
 if [ ! -z "${CERT// }" ]; then
     echo "$CERT" > "$CERT_FILE"
 elif [ ! -f "$CERT_FILE" ]; then
    echo "Cannot find certificate file: $CERT_FILE, exiting"
    exit
 fi

 # Import ca certs
 if [ ! -z "${CACERT// }" ]; then
     echo "$CACERT" > "$CACERT_FILE"
 elif [ ! -f "$CACERT_FILE" ]; then
     echo "Cannot find ca certificate file: $CACERT_FILE, exiting!"
     exit
 fi

 # Import cacerts into the keystore
 awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
 for caChain in $(ls cloudca.*); do
     keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
     keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
 done
 rm -f cloudca.*

 # Stop cloud service in systemvm
 if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then
     systemctl stop cloud > /dev/null 2>&1
 fi

 # Import private key if available
 if [ ! -z "${PRIVKEY// }" ]; then
     echo "$PRIVKEY" > "$PRIVKEY_FILE"
 else
     > "$PRIVKEY_FILE"
 fi

 if [ -f "$PRIVKEY_FILE" ] && [ -s "$PRIVKEY_FILE" ]; then
     # Re-initialize keystore when private key is provided
     keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null || true
     openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1
     keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
 else
     # Import certificate into the keystore
     keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 || true
     # Export private key from keystore
     rm -f "$PRIVKEY_FILE"
     keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
     openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null | openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1
 fi

 rm -f "$KS_FILE.p12"

 # Secure libvirtd on cert import
 if [ -f "$LIBVIRTD_FILE" ]; then
     mkdir -p /etc/pki/CA
     mkdir -p /etc/pki/libvirt/private
     ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
     ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
     ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem

     # VNC TLS directory and certificates
     mkdir -p /etc/pki/libvirt-vnc
     ln -sf /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem
     ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
     ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
     cloudstack-setup-agent -s > /dev/null

     QEMU_GROUP=$(sed -n 's/^group=//p' /etc/libvirt/qemu.conf | awk -F'"' '{print $2}' | tail -n1)
     if [ ! -z "${QEMU_GROUP// }" ]; then
       chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
       chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
     fi
 fi

 # Update ca-certs if we're in systemvm
 if [ -f "$SYSTEM_FILE" ]; then
     mkdir -p /usr/local/share/ca-certificates/cloudstack
     cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt
     chmod 755 /usr/local/share/ca-certificates/cloudstack
     chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
     update-ca-certificates > /dev/null 2>&1 || true

     # Ensure cloud service is running in systemvm
     if [ "$MODE" == "ssh" ]; then
         systemctl start cloud > /dev/null 2>&1
     fi
 fi

 # Fix file permission
 chmod 750 $CACERT_FILE
 chmod 750 $CERT_FILE
 chmod 750 $PRIVKEY_FILE
	#!/bin/bash
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.

	PROPS_FILE="$1"
	KS_PASS="$2"
	KS_FILE="$3"
	MODE="$4"
	CERT_FILE="$5"
	CERT=$(echo "$6" \| tr '^' '\n' \| tr '~' ' ')
	CACERT_FILE="$7"
	CACERT=$(echo "$8" \| tr '^' '\n' \| tr '~' ' ')
	PRIVKEY_FILE="$9"
	PRIVKEY=$(echo "${10}" \| tr '^' '\n' \| tr '~' ' ')

	ALIAS="cloud"
	SYSTEM_FILE="/var/cache/cloud/cmdline"
	LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"

	if [ ! -f "$LIBVIRTD_FILE" ]; then
	# Re-use existing password or use the one provided
	while [ ! -d /usr/local/cloud/systemvm/conf ]; do sleep 1; done
	if [ -f "$PROPS_FILE" ]; then
	OLD_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null \| sed 's/keystore.passphrase=//g' 2>/dev/null)
	if [ ! -z "${OLD_PASS// }" ]; then
	KS_PASS="$OLD_PASS"
	else
	sed -i "/keystore.passphrase.*/d" $PROPS_FILE 2> /dev/null \|\| true
	echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE
	fi
	fi
	fi

	# Find keystore password
	KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null \| sed 's/keystore.passphrase=//g' 2>/dev/null)

	if [ -z "${KS_PASS// }" ]; then
	echo "Failed to find keystore passphrase from file: $PROPS_FILE, quitting!"
	exit 1
	fi

	# Import certificate
	if [ ! -z "${CERT// }" ]; then
	echo "$CERT" > "$CERT_FILE"
	elif [ ! -f "$CERT_FILE" ]; then
	echo "Cannot find certificate file: $CERT_FILE, exiting"
	exit
	fi

	# Import ca certs
	if [ ! -z "${CACERT// }" ]; then
	echo "$CACERT" > "$CACERT_FILE"
	elif [ ! -f "$CACERT_FILE" ]; then
	echo "Cannot find ca certificate file: $CACERT_FILE, exiting!"
	exit
	fi

	# Import cacerts into the keystore
	awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
	for caChain in $(ls cloudca.*); do
	keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 \|\| true
	keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
	done
	rm -f cloudca.*

	# Stop cloud service in systemvm
	if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then
	systemctl stop cloud > /dev/null 2>&1
	fi

	# Import private key if available
	if [ ! -z "${PRIVKEY// }" ]; then
	echo "$PRIVKEY" > "$PRIVKEY_FILE"
	else
	> "$PRIVKEY_FILE"
	fi

	if [ -f "$PRIVKEY_FILE" ] && [ -s "$PRIVKEY_FILE" ]; then
	# Re-initialize keystore when private key is provided
	keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null \|\| true
	openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1
	keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
	else
	# Import certificate into the keystore
	keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 \|\| true
	# Export private key from keystore
	rm -f "$PRIVKEY_FILE"
	keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1
	openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null \| openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1
	fi

	rm -f "$KS_FILE.p12"

	# Secure libvirtd on cert import
	if [ -f "$LIBVIRTD_FILE" ]; then
	mkdir -p /etc/pki/CA
	mkdir -p /etc/pki/libvirt/private
	ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem
	ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem
	ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
	ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
	ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem

	# VNC TLS directory and certificates
	mkdir -p /etc/pki/libvirt-vnc
	ln -sf /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem
	ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
	ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
	cloudstack-setup-agent -s > /dev/null

	QEMU_GROUP=$(sed -n 's/^group=//p' /etc/libvirt/qemu.conf \| awk -F'"' '{print $2}' \| tail -n1)
	if [ ! -z "${QEMU_GROUP// }" ]; then
	chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
	chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
	fi
	fi

	# Update ca-certs if we're in systemvm
	if [ -f "$SYSTEM_FILE" ]; then
	mkdir -p /usr/local/share/ca-certificates/cloudstack
	cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt
	chmod 755 /usr/local/share/ca-certificates/cloudstack
	chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
	update-ca-certificates > /dev/null 2>&1 \|\| true

	# Ensure cloud service is running in systemvm
	if [ "$MODE" == "ssh" ]; then
	systemctl start cloud > /dev/null 2>&1
	fi
	fi

	# Fix file permission
	chmod 750 $CACERT_FILE
	chmod 750 $CERT_FILE
	chmod 750 $PRIVKEY_FILE