From ea435f67d521e344eac3ccc5a2a9551e1a5976c4 Mon Sep 17 00:00:00 2001
From: Lucas
Date: Thu, 13 Feb 2020 10:49:45 +0000
Subject: [PATCH] gen-ec-cert: better error checking
---
 utils/gen-ec-cert.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/utils/gen-ec-cert.sh b/utils/gen-ec-cert.sh
index 90498e7..f8769a3 100644
--- a/utils/gen-ec-cert.sh
+++ b/utils/gen-ec-cert.sh
@@ -28,6 +28,12 @@ shift $((OPTIND - 1))
 domain=$1
 (umask 077 && openssl genpkey -aes256 \
- -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key") &&
- openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
+ -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
+if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
+ # openssl doesn't return an error code if there is a password mismatch
+ # or a password too short, and it creates the output file anyways
+ rm -f "$domain.key"
+ exit 1
+fi
+openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
 -key "$domain.key" -out "$domain.pem"
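Review bot: The new cleanup path runs `rm -f "$domain.key"` on a value taken straight from `$1` (the `domain=$1` context line), and nothing visible between that assignment and the openssl call checks it. With an empty argument the script creates and then deletes `.key`, and with a name that begins with `-` rm parses the operand as options, so the empty private-key file the comment describes would stay on disk. Unless an argument check exists above the hunk, I would add `[ -n "$domain" ] || exit 1` before the genpkey call and change the cleanup to `rm -f -- "$domain.key"`. The failure branch also exits without saying anything; a line such as `echo "key generation failed, removed $domain.key" >&2` before `exit 1` would tell the operator why no certificate was produced.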