From 2132d4f7dea1e7355702ca096ff88628c4174bca Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Mon, 14 Feb 2022 16:43:09 +0100
Subject: SSLCA: Allow to create self signed certificates

---
 schemas/sslca-cert.xsd | 8 +++++++
 .../Server/Plugins/Cfg/CfgSSLCACertCreator.py | 26 +++++++++++++---------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/schemas/sslca-cert.xsd b/schemas/sslca-cert.xsd
index 7330ca0ff..4dad1ca1f 100644
--- a/schemas/sslca-cert.xsd
+++ b/schemas/sslca-cert.xsd
@@ -98,6 +98,14 @@
+ + + + Create a self signed certificate. If you set this to ``true``, + you do not need a ca setting. + + +
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 09a09787e..698203a87 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -130,15 +130,20 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
         """ generate a new cert """
         self.logger.info("Cfg: Generating new SSL cert for %s" % self.name)
         cert = self.XMLMatch(metadata).find("Cert")
-        ca = self.get_ca(cert.get('ca', 'default'))
-        req = self.build_request(self._get_keyfile(cert, metadata), metadata)
+        keyfile = self._get_keyfile(cert, metadata)
+        req = self.build_request(keyfile, metadata)
         try:
             days = cert.get('days', '365')
-            cmd = ["openssl", "ca", "-config", ca['config'], "-in", req,
-                   "-days", days, "-batch"]
-            passphrase = ca.get('passphrase')
-            if passphrase:
-                cmd.extend(["-passin", "pass:%s" % passphrase])
+            if cert.get('self_sign', 'false') != 'true':
+                ca = self.get_ca(cert.get('ca', 'default'))
+                cmd = ["openssl", "ca", "-config", ca['config'],
+                       "-in", req, "-days", days, "-batch"]
+                passphrase = ca.get('passphrase')
+                if passphrase:
+                    cmd.extend(["-passin", "pass:%s" % passphrase])
+            else:
+                cmd = ["openssl", "req", "-in", req, "-x509",
+                       "-days", days, "-key", keyfile, "-batch"]
             result = self.cmd.run(cmd)
             if not result.success:
                 raise CfgCreationError("Failed to generate cert: %s" %
@@ -165,10 +170,11 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
                                    "verification" % (entry.get("name"), fname))
         os.fdopen(fd, 'w').write(data)
         cert = self.XMLMatch(metadata).find("Cert")
-        ca = self.get_ca(cert.get('ca', 'default'))
         try:
-            if ca.get('chaincert'):
-                self.verify_cert_against_ca(fname, entry, metadata)
+            if cert.get('self_sign', 'false') != 'true':
+                ca = self.get_ca(cert.get('ca', 'default'))
+                if ca.get('chaincert'):
+                    self.verify_cert_against_ca(fname, entry, metadata)
             self.verify_cert_against_key(fname,
                                          self._get_keyfile(cert, metadata))
         finally:
--
cgit v1.2.3-1-g7c22
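Review bot: The new self-signed branch runs `openssl req -x509` with no `-config`, so openssl takes its `x509_extensions` from the default openssl.cnf and does not copy the extensions from the CSR either, which can leave the issued certificate without the subjectAltName, key-usage or basicConstraints values the CA path would have applied from `ca['config']`. If build_request writes a request config of its own (it is outside this hunk), pass it here as well, e.g. append `"-config", <path of the request config>` (and `-extensions <section>` if the extensions live in a named section) to the `openssl req` command, and add a comment stating which extensions the self-signed certificate is expected to carry. The `self_sign` flag is also parsed as a raw string compare both here and in the verify hunk at `@@ -165,10 +170,11 @@`; a shared helper such as `def _self_signed(cert): return cert.get('self_sign', 'false').strip().lower() in ('true', '1')` keeps the two in step and accepts the `1` spelling if the schema attribute is an xsd:boolean (the type is not visible in this patch). The `-passin pass:%s` form in the re-indented CA branch still places the CA passphrase on the command line where it is visible to other local users; that predates this change but is worth tracking. The enclosing method continues outside the hunk.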