From 430d2d0a1ff89ef6dbbab85bf55956c678acfebf Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 14 Nov 2022 21:32:08 +0100
Subject: ca: temporary p12 output files

---
 tools/ca/ca/__main__.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)


diff --git a/tools/ca/ca/__main__.py b/tools/ca/ca/__main__.py
index b89d91ff..6615da55 100644
--- a/tools/ca/ca/__main__.py
+++ b/tools/ca/ca/__main__.py
@@ -27,7 +27,7 @@ from math import ceil, ldexp
 import re
 from getpass import getpass
 from itertools import count
-from tempfile import TemporaryFile
+from tempfile import TemporaryFile, mkstemp
 import subprocess
 import json
 from leapseconddata import LeapSecondData
@@ -469,12 +469,16 @@ def new_client(ca_cert, ca_key, key_type, clock_skew, validity, subject, alterna
         ).public_bytes(serialization.Encoding.PEM)
     )
 
-def to_pkcs12(random_password, random_password_length, weak_encryption, filename, output):
+def to_pkcs12(random_password, random_password_length, weak_encryption, filename, temporary_output, output):
     key_file = filename.with_suffix('.key')
     cert_file = filename.with_suffix('.crt')
 
+    output_handle = None
     if not output:
-        output = filename.with_suffix('.p12')
+        if not temporary_output:
+            output = filename.with_suffix('.p12')
+        else:
+            output_handle, output = mkstemp(suffix='.p12', prefix=filename.stem + '.')
 
     key = load_key(key_file)
     logger.info('Successfully loaded privkey from ‘%s’', key_file)
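Review bot: The descriptor returned on the `output_handle, output = mkstemp(...)` line is held open across the load_key call and the certificate load that follow it; if either raises, the fd and an empty `*.p12` file in the temp directory are left behind. Creating the temp file just before the write block, or closing the fd and unlinking the path on failure, would avoid that. mkstemp without `dir=` also places the file in the platform temp directory rather than beside `filename`; `dir=filename.parent` would keep the bundle with the rest of the key material, and whichever is intended deserves a comment such as `# mkstemp creates the file 0600 in the platform temp dir; path is reported on stderr at the end`. to_pkcs12 continues past the end of this hunk.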
@@ -483,7 +487,7 @@ def to_pkcs12(random_password, random_password_length, weak_encryption, filename
         cert = x509.load_pem_x509_certificate(fh.read())
         logger.info('Successfully loaded certificate from ‘%s’', cert_file)
 
-    with umask(0o0177), atomic_write(output, overwrite=False, mode='wb') as fh:
+    with umask(0o0177), atomic_write(output, overwrite=False, mode='wb') if not output_handle else os.fdopen(output_handle, mode='wb') as fh:
         logger.info('Writing to ‘%s’...', output)
         common_name_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
         if len(common_name_attrs) != 1:
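Review bot: The `if not output_handle` test on the with line treats a descriptor of 0 as "no temporary output", which only holds while stdin happens to be open; `if output_handle is None` expresses the intended check exactly. The os.fdopen branch also gives up the atomicity the atomic_write branch provides: an exception during the write leaves a partially written bundle at `output` rather than no file, and the later chmod and stderr message still run for whatever is there. Whether that matters depends on how the temporary file is consumed, which this diff does not show. to_pkcs12 starts and ends outside this hunk.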
@@ -525,6 +529,9 @@ def to_pkcs12(random_password, random_password_length, weak_encryption, filename
     logger.debug('Adjusting permissions for ‘%s’...', output)
     os.chmod(output, 0o0400)
 
+    if temporary_output:
+        print(f'Temporary output file: {output}', file=sys.stderr)
+
 
 def main():
     global logger
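Review bot: The added `print(f'Temporary output file: {output}', file=sys.stderr)` depends on `sys` being imported, which the import hunk of this patch does not show; if the module does not import it elsewhere, the failure only appears on the `--temporary-output` path. The rest of to_pkcs12 reports through `logger` (the debug line just above is one example), so unless the plain stderr line is meant to be captured by a calling script, `logger.info('Temporary output file: %s', output)` would be the consistent form. to_pkcs12 begins before this hunk.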
@@ -591,6 +598,7 @@ def main():
     subparser.add_argument('--random-password', '--no-random-password', action=BooleanAction, default=True)
     subparser.add_argument('--random-password-length', type=int, default=12)
     subparser.add_argument('--weak-encryption', '--no-weak-encryption', action=BooleanAction, default=False)
+    subparser.add_argument('--temporary-output', '--no-temporary-output', action=BooleanAction, default=True)
     subparser.add_argument('--output', type=Path)
     subparser.add_argument('filename', metavar='BASENAME', type=Path)
     subparser.set_defaults(cmd=to_pkcs12)
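Review bot: `--temporary-output` is silently ignored whenever `--output` is given, because to_pkcs12 only consults it inside its `if not output` branch, and with `default=True` a user who omits `--output` now gets a file in the platform temp directory instead of `BASENAME.p12`. Neither fact is visible from the option itself; a `help=` string on the new add_argument line would document both, e.g. `help='write the bundle to a fresh file in the temp directory and print its path (default); ignored when --output is given'`.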