/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch
ViewVC logotype

Annotation of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Mon May 31 03:19:21 2021 UTC (3 years, 5 months ago) by jpp
Branch: MAIN
WIP crt

1 jpp 1.1 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 23:06:09.991000000 -0400
4     @@ -1,5 +1,6 @@
5     {
6     use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
7     + use esmith::ssl;
8     use Date::Parse;
9     use Cwd;
10     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11     @@ -38,12 +39,15 @@
12     $email = substr($email, 0, 64);
13     $commonName = substr($commonName, 0, 64);
14    
15     - if ( -f $crt )
16     + # if self-signed certificate files exists, is a certificate, and is still valid
17     + if ( cert_exists_good_size )
18     {
19     + # check expiry date, if less than 2 days from now we update it.
20     my $expire = `openssl x509 -enddate -noout -in $crt`;
21     $expire =~ s/^notAfter=//;
22     $expire = str2time($expire);
23     my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24     + # check the cert and the key are related, if key has been changed, then we need to change the cert
25     my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
26     my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
27    
28     @@ -63,7 +67,7 @@
29     $signatureAlg =~ s/^ *Signature Algorithm: //;
30    
31     # Test for expected subjectAltName
32     - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
33     + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
34     $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35     chomp $expected_subjectAltName;
36     if (
37     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 23:06:09.728000000 -0400
40     @@ -1,26 +1,22 @@
41     {
42     use Cwd;
43     + use esmith::ssl;
44     my $here = getcwd;
45    
46     my $KeySize = $modSSL{KeySize} ||'4096';
47     my $FQDN = "$SystemName.$DomainName";
48     my $key = "/home/e-smith/ssl.key/$FQDN.key";
49     - if ( -f $key )
50     + # if key exists and good size, we use it
51     + if ( key_exists_good_size )
52     {
53     - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54     - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
55     - chomp $signatureKeySize;
56     - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
57     - if ( $signatureKeySize == $KeySize ) {
58     - # Old key file is still good. Read it out - processTemplate will work
59     - # out that it hasn't changed, and leave the old one in place
60     - open(K, "$key") or die "Couldn't open key file: $!";
61     - my @key = <K>;
62     - chomp @key;
63     - $OUT = join "\n", @key;
64     - close(K);
65     - return;
66     - }
67     + # Old key file is still good. Read it out - processTemplate will work
68     + # out that it hasn't changed, and leave the old one in place
69     + open(K, "$key") or die "Couldn't open key file: $!";
70     + my @key = <K>;
71     + chomp @key;
72     + $OUT = join "\n", @key;
73     + close(K);
74     + return;
75     }
76     # go to somewhere private and safe where we can run programs
77     # as root
78     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 23:06:08.793000000 -0400
81     @@ -1,13 +1,8 @@
82     {
83     $OUT = '';
84     - # if key is defined, we do not need to geenrate a self signed certificate
85     - # so we do not need to expand openssl.conf
86     - my $key = $modSSL{'key'};
87     - unless ($key and -e $key)
88     - {
89     - use esmith::templates;
90     - esmith::templates::processTemplate({
91     + # let's expand the /etc/openssl.conf configuration
92     + use esmith::templates;
93     + esmith::templates::processTemplate({
94     TEMPLATE_PATH => "/etc/openssl.conf"
95     });
96     - }
97     }
98     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 23:06:08.992000000 -0400
101     @@ -3,16 +3,16 @@
102     my $hostname = $SystemName || "localhost";
103     $OUT = '';
104    
105     - my $key = $modSSL{'key'};
106     - unless ($key and -e $key)
107     - {
108     - $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
109     - use esmith::templates;
110     - esmith::templates::processTemplate({
111     - TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
112     - OUTPUT_FILENAME => $key,
113     - });
114     - }
115     + # expand default key
116     + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
117     + use esmith::templates;
118     + esmith::templates::processTemplate({
119     + TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
120     + OUTPUT_FILENAME => $dkey,
121     + });
122     +
123     + # choose which key to put in pem
124     + my $key = ( defined $modSSL{'key'} and -f $modSSL{'key'} ) ? $modSSL{'key'} : $dkey;
125     open(KEY, $key) or die "Could not open key file: $!";
126     my @key = <KEY>;
127     chomp @key;
128     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
129     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
130     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 23:06:09.234000000 -0400
131     @@ -2,16 +2,16 @@
132     my $domain = $DomainName || "localdomain";
133     my $hostname = $SystemName || "localhost";
134    
135     - my $crt = $modSSL{'crt'};
136     - unless ($crt and -e $crt)
137     - {
138     - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
139     - use esmith::templates;
140     - esmith::templates::processTemplate({
141     - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
142     - OUTPUT_FILENAME => $crt,
143     - });
144     - }
145     + # expand default self signed crt
146     + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
147     + use esmith::templates;
148     + esmith::templates::processTemplate({
149     + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
150     + OUTPUT_FILENAME => $dcrt,
151     + });
152     +
153     + # choose crt to add to pem
154     + $crt = ( defined $modSSL{'crt'} and -f $modSSL{'crt'} )? $modSSL{'crt'} : $dcrt;
155     open(CRT, $crt) or die "Could not open crt file: $!";
156     my @crt = <CRT>;
157     chomp @crt;
158     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
159     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 22:12:33.789000000 -0400
160     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 23:06:09.486000000 -0400
161     @@ -1,4 +1,6 @@
162     {
163     + my $domain = $DomainName || "localdomain";
164     + my $hostname = $SystemName || "localhost";
165     my $pem = $modSSL{'CertificateChainFile'};
166     if ($pem and -e $pem)
167     {
168     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
169     --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
170     +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-30 23:06:10.229000000 -0400
171     @@ -0,0 +1,110 @@
172     +package esmith::ssl;
173     +
174     +use strict;
175     +use warnings;
176     +use esmith::ConfigDB;
177     +
178     +
179     +our @ISA = qw(Exporter);
180     +our @EXPORT = qw( key_exists_good_size cert_exists_good_size );
181     +
182     +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
183     +our $SystemName = $configdb->get('SystemName')->value;
184     +our $DomainName = $configdb->get('DomainName')->value;
185     +
186     +# test key size
187     +# test key exists
188     +=head1 NAME
189     +
190     +esmith::php - A few tools to help with php-fpm installed versions
191     +
192     +=head1 SYNOPSIS
193     +
194     + use esmith::ssl;
195     +
196     + my $booleanK=key_exists_good_size;
197     +
198     +=head1 DESCRIPTION
199     +
200     +This is intended to help playing with installed SSL self-generated certificates and keys.
201     +
202     +=head1 Methods
203     +
204     +
205     +=head2 key_exists_good_size
206     +test key exists, then test key size correct. Obviously it also test that the files is indeed a key
207     +planned to be called in :
208     +/etc/e-smith/templates/home/e-smith/ssl.crt
209     +/etc/e-smith/templates/home/e-smith/ssl.key
210     +
211     +returns 0 if key is missing or wrong size
212     +returns 1 if key exists and key size is correct
213     +
214     +=cut
215     +sub key_exists_good_size {
216     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
217     + my %modSSL = $configdb->as_hash('modSSL');
218     + my $KeySize = $modSSL{KeySize} ||'4096';
219     + my $FQDN = "$SystemName.$DomainName";
220     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
221     + if ( -f $key )
222     + {
223     + #print "$key exists\n";
224     + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
225     + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
226     + chomp $signatureKeySize;
227     + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
228     + if ( $signatureKeySize == $KeySize ) {
229     + #print "key size is correct ($KeySize)\n";
230     + # key exists and key size is correct, we can proceed
231     + return 1;
232     + }
233     + }
234     + # key is either missing or wrong key size.
235     + return 0;
236     +}
237     +
238     +
239     +# test key is key
240     +#openssl rsa -check -in $key
241     +
242     +=head2 cert_exists_good_size
243     +# check cert exist
244     +# check cert is cert
245     +# check cert size Public-Key
246     +# openssl rsa -noout -modulus -in domain.key | openssl md5
247     +# openssl x509 -noout -modulus -in domain.crt | openssl md5
248     +
249     +=cut
250     +sub cert_exists_good_size {
251     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
252     + my %modSSL = $configdb->as_hash('modSSL');
253     + my $KeySize = $modSSL{KeySize} ||'4096';
254     + my $FQDN = "$SystemName.$DomainName";
255     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
256     + if ( -f $crt )
257     + {
258     + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
259     + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
260     + chomp $signatureKeySize;
261     + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
262     + if ( $signatureKeySize == $KeySize ) {
263     + #print "$signatureKeySize\n";
264     + # cert is correct size and exists, we can proceed.
265     + # next check key and cert are related
266     + # next check cert is still valid
267     + # next check alt name are still the same
268     + return 1;
269     + }
270     + }
271     + return 0;
272     +}
273     +
274     +##TODO migrate those actions from
275     +# check cert is related to key
276     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
277     +# check cert domain and alt
278     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
279     +# check is valid / expiry date
280     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
281     +###################################

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed