ovs-pki: Remove umask trick for self-signing.

The output file of this openssl command is a certificate signed with pre-existing private key. It doesn't create a private key. The restricted permissions are explicitly removed from the resulted certificate right after its generation. So, there is no point in creating it with restricted permissions in the first place. Fixes: 99e5e05 ("ovs-pki: Create private keys with restricted permissions.") Acked-by: Mike Pattrick <mkp@redhat.com> Acked-by: Simon Horman <horms@ovn.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
openvswitch · Feb 15, 2024 · c7dd0a7 · c7dd0a7
1 parent dda2532
commit c7dd0a7
Showing 1 changed file with 3 additions and 10 deletions.
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
@@ -545,16 +545,9 @@ elif test "$command" = self-sign; then
     cat > "$TMP/v3.ext" <<EOF
 subjectAltName = DNS:$arg1
 EOF
-
-    # Create both the private key and certificate with restricted permissions.
-    (umask 077 && \
-     openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
-                  -signkey "$arg1-privkey.pem" -req -days 3650 -text \
-                  -extfile $TMP/v3.ext) 2>&3 || exit $?
-
-    # Reset the permissions on the certificate to the user's default.
-    cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
-    rm -f "$arg1-cert.pem.tmp"
+    openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
+                 -signkey "$arg1-privkey.pem" -req -days 3650 -text \
+                 -extfile $TMP/v3.ext 2>&3 || exit $?
 else
     echo "$0: $command command unknown; use --help for help" >&2
     exit 1