ervin/acme.sh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

make sure the private key is never world-readable

Browse Source 
1. Set the private to chmod 0600 on creation.
2. Avoid possible race condition by setting the private
   key backup to 0600 _first_ and then saving the key.
3. Reset existing backup key to chmod 0600 before
   saving the new key.
This commit is contained in:
Viktor Szakats 2020-06-04 21:43:29 +00:00
parent 9190fdd42c
commit c1c1921dde
No known key found for this signature in database
GPG Key ID: 9C01E9B68B91DE4D
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
acme.sh
View File

@ -1076,6 +1076,8 @@ _createkey() {
fi
fi
chmod 600 "$f"
if _isEccKey "$length"; then
_debug "Using ec name: $eccname"
if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
@ -5265,10 +5267,12 @@ _installcert() {
cp "$_real_key" "$_backup_path/key.bak"
fi
if [ -f "$_real_key" ]; then
chmod 600 "$_real_key"
cat "$CERT_KEY_PATH" >"$_real_key" || return 1
else
cat "$CERT_KEY_PATH" >"$_real_key" || return 1
touch "$_real_key"
chmod 600 "$_real_key"
cat "$CERT_KEY_PATH" >"$_real_key" || return 1
fi
fi