From patchwork Tue Feb 13 19:44:41 2024
X-Patchwork-Submitter: Ilya Maximets
X-Patchwork-Id: 1898411
X-Patchwork-Delegate: i.maximets@samsung.com
From: Ilya Maximets
To: ovs-dev@openvswitch.org
Date: Tue, 13 Feb 2024 20:44:41 +0100
Message-ID: <20240213194442.1590625-1-i.maximets@ovn.org>
X-Mailer: git-send-email 2.43.0
Cc: Ilya Maximets
Subject: [ovs-dev] [PATCH] ovs-pki: Remove umask trick for self-signing.

The output file of this openssl command is a certificate signed with a pre-existing private key. It doesn't create a private key. The restricted permissions are explicitly removed from the resulting certificate right after its generation. So, there is no point in creating it with restricted permissions in the first place.

Fixes: 99e5e05db37a ("ovs-pki: Create private keys with restricted permissions.")
Signed-off-by: Ilya Maximets
Acked-by: Mike Pattrick
Acked-by: Simon Horman
---
utilities/ovs-pki.in | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index e0ba910f9..d20f6eb98 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -545,16 +545,9 @@ elif test "$command" = self-sign; then cat > "$TMP/v3.ext" <&3 || exit $? - - # Reset the permissions on the certificate to the user's default. - cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" - rm -f "$arg1-cert.pem.tmp" + openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \ + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext 2>&3 || exit $? else echo "$0: $command command unknown; use --help for help" >&2 exit 1
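Review bot: writing straight to "$arg1-cert.pem" in the added openssl line drops the staging through "$arg1-cert.pem.tmp" that the removed `cat`/`rm -f` lines performed, so on the `|| exit $?` failure path a partial or truncated "$arg1-cert.pem" can now be left in place of any certificate that was there before, whereas previously only the .tmp file was touched; if keeping an existing certificate intact on a failed self-sign matters, write to a temporary name and `mv` it into place after openssl succeeds. The removal itself is consistent with the commit message: the removed lines only existed to undo the restricted umask on the certificate, and the certificate carries no private key material. One nit on the added `-extfile $TMP/v3.ext`: it is the only unquoted path in the command while the `-in`, `-out` and `-signkey` arguments are quoted; `-extfile "$TMP/v3.ext"` avoids word splitting if $TMP ever contains whitespace.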