The output file of this openssl command is a certificate signed with
a pre-existing private key. It doesn't create a private key. The
restricted permissions are explicitly removed from the resulting
certificate right after its generation. So, there is no point in
creating it with restricted permissions in the first place.
Fixes: 99e5e05db37a ("ovs-pki: Create private keys with restricted
permissions.")
Signed-off-by: Ilya Maximets <[email protected]>
---
utilities/ovs-pki.in | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index e0ba910f9..d20f6eb98 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -545,16 +545,9 @@ elif test "$command" = self-sign; then
cat > "$TMP/v3.ext" <<EOF
subjectAltName = DNS:$arg1
EOF
-
- # Create both the private key and certificate with restricted permissions.
- (umask 077 && \
- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
- -signkey "$arg1-privkey.pem" -req -days 3650 -text \
- -extfile $TMP/v3.ext) 2>&3 || exit $?
-
- # Reset the permissions on the certificate to the user's default.
- cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
- rm -f "$arg1-cert.pem.tmp"
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
+ -signkey "$arg1-privkey.pem" -req -days 3650 -text \
+ -extfile $TMP/v3.ext 2>&3 || exit $?
else
echo "$0: $command command unknown; use --help for help" >&2
exit 1
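Review bot: The path in '-extfile $TMP/v3.ext' on the last added line is unquoted, while the heredoc a few lines above writes to "$TMP/v3.ext" with quotes; since the command is being rewritten anyway, quote it here as well so a temporary directory path containing whitespace does not split into two arguments. Separately, openssl now writes straight to "$arg1-cert.pem" instead of going through "$arg1-cert.pem.tmp", so it is worth confirming that a failed run (the '|| exit $?' path) cannot leave a truncated or partial file under the final certificate name, which the removed temporary-file step would have avoided.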
--
2.43.0