gen-ec-cert: better error checking

2020-02-13 10:49:45 +00:00 · 2020-02-13 10:49:45 +00:00 · ea435f67d5
parent e139dfbdb9
commit ea435f67d5
1 changed files with 8 additions and 2 deletions
--- a/utils/gen-ec-cert.sh
+++ b/utils/gen-ec-cert.sh
@ -28,6 +28,12 @@ shift $((OPTIND - 1))
 domain=$1

 (umask 077 && openssl genpkey -aes256 \
-    -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key") &&
-    openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
+    -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
+if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
+	# openssl doesn't return an error code if there is a password mismatch
+	# or a password too short, and it creates the output file anyways
+	rm -f "$domain.key"
+	exit 1
+fi
+openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
    -key "$domain.key" -out "$domain.pem"