Roxen.git / server / base_server / roxen.pike


Roxen.git/server/base_server/roxen.pike:5978: Inside #if defined(THREADS)
   backend_thread = this_thread();
   #ifdef THREADS
   name_thread( backend_thread, "Backend" );
   #else
   report_debug("\n"
   "WARNING: Threads not enabled!\n"
   "\n");
   #endif /* THREADS */
 
   foreach(({ "testca.pem", "demo_certificate.pem" }), string file_name) {
-  if (sizeof(roxenloader.package_directories) &&
-  (lfile_path(file_name) == file_name)) {
+  if (!sizeof(roxenloader.package_directories)) break;
+  string cert;
+  if (lfile_path(file_name) == file_name) {
   file_name = roxenloader.package_directories[-1] + "/" + file_name;
   report_notice("Generating a new certificate: %O...\n", file_name);
-  string cert = Roxen.generate_self_signed_certificate("*");
+  cert = Roxen.generate_self_signed_certificate("*");
+ #if constant(Standards.X509)
+  } else {
+  file_name = lfile_path(file_name);
-  
+  // Check if we need to upgrade the cert.
+  //
+  // Certificates generated by old versions of Pike were
+  // plain X.509v1, while certificates generated by Pike 8.0
+  // and later are X.509v3 with some required extensions.
+ 
   // Note: set_u_and_gid() hasn't been called yet,
   // so there's no need for Privs.
-  
+  Standards.PEM.Messages msgs =
+  Standards.PEM.Messages(Stdio.read_bytes(file_name));
+  
+  int upgrade_needed;
+  
+  foreach(msgs->parts; string part; Standards.PEM.Message msg) {
+  if (!has_suffix(part, "CERTIFICATE")) continue;
+  Standards.X509.TBSCertificate tbs =
+  Standards.X509.decode_certificate(msg->body);
+  upgrade_needed = (tbs->version < 3);
+  break;
+  }
+  
+  if (!upgrade_needed || (sizeof(msgs->parts) != 2)) continue;
+  
+  // NB: We reuse the old key.
+  Crypto.Sign key;
+  foreach(msgs->parts; string part; Standards.PEM.Message msg) {
+  if (!has_suffix(part, "PRIVATE KEY")) continue;
+  if (msg->headers["dek-info"]) {
+  // Not supported here.
+  break;
+  }
+  key = Standards.X509.parse_private_key(msg->body);
+  }
+  if (!key) continue;
+  
+  report_notice("Renewing certificate: %O...\n", file_name);
+  cert = Roxen.generate_self_signed_certificate("*", key);
+ #endif /* constant(Standards.X509) */
+  }
+  
+  if (cert) {
+  // Note: set_u_and_gid() hasn't been called yet,
+  // so there's no need for Privs.
   Stdio.File file = Stdio.File();
-  if (!file->open(file_name, "wxc", 0600)) {
+  if (!file->open(file_name, "wtc", 0600)) {
   report_error("Couldn't create certificate file %O.\n", file_name);
   } else if (file->write(cert) != sizeof(cert)) {
-  rm(cert);
+  rm(file_name);
   report_error("Couldn't write certificate file %O.\n", file_name);
   }
   }
   }
 
   enable_configurations();
 
   string pid_file = Getopt.find_option(argv, "p", "pid-file");
   if (pid_file && query("permanent_uid")) rm(pid_file);
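Review bot: Opening the existing certificate file with `"wtc"` instead of `"wxc"` truncates the old certificate and the private key the renewal branch just reused before the new content is known to be on disk, and the `rm(file_name)` on a short write then deletes the only remaining copy of that key, whereas the old exclusive-create path could only ever lose a brand-new file. Writing to a sibling temporary file and renaming it over the original with `mv()` keeps the previous certificate intact on any failure, as sketched below. Separately, the renewal branch feeds `Stdio.read_bytes(file_name)` straight into `Standards.PEM.Messages()` and indexes `tbs->version` without checking that `decode_certificate()` returned an object, so a truncated or corrupt PEM file — previously left untouched — would presumably raise during startup before `enable_configurations()` runs; a `if (!tbs) continue;` style guard (and the same for the read) keeps the old behaviour for unparsable files. The enclosing function starts before the hunk.
```pike
    if (cert) {
      // Note: set_u_and_gid() hasn't been called yet,
      // so there's no need for Privs.
      //
      // Write to a sibling file and rename it into place, so that a
      // failed write never destroys the certificate (and reused key)
      // already on disk.
      string tmp_name = file_name + ".new";
      Stdio.File file = Stdio.File();
      if (!file->open(tmp_name, "wtc", 0600)) {
        report_error("Couldn't create certificate file %O.\n", tmp_name);
      } else if ((file->write(cert) != sizeof(cert)) || !file->close()) {
        rm(tmp_name);
        report_error("Couldn't write certificate file %O.\n", tmp_name);
      } else if (!mv(tmp_name, file_name)) {
        rm(tmp_name);
        report_error("Couldn't install certificate file %O.\n", file_name);
      }
    }
```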