/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch
ViewVC logotype

Annotation of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (hide annotations) (download)
Mon May 31 05:50:15 2021 UTC (3 years, 6 months ago) by jpp
Branch: MAIN
Changes since 1.1: +65 -16 lines
WIP crt

1 jpp 1.1 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-31 01:49:45.333000000 -0400
4 jpp 1.1 @@ -1,5 +1,6 @@
5     {
6     use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
7     + use esmith::ssl;
8     use Date::Parse;
9     use Cwd;
10     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11     @@ -38,12 +39,15 @@
12     $email = substr($email, 0, 64);
13     $commonName = substr($commonName, 0, 64);
14    
15     - if ( -f $crt )
16     + # if self-signed certificate files exists, is a certificate, and is still valid
17     + if ( cert_exists_good_size )
18     {
19     + # check expiry date, if less than 2 days from now we update it.
20     my $expire = `openssl x509 -enddate -noout -in $crt`;
21     $expire =~ s/^notAfter=//;
22     $expire = str2time($expire);
23     my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24     + # check the cert and the key are related, if key has been changed, then we need to change the cert
25     my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
26     my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
27    
28     @@ -63,7 +67,7 @@
29     $signatureAlg =~ s/^ *Signature Algorithm: //;
30    
31     # Test for expected subjectAltName
32     - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
33     + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
34     $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35     chomp $expected_subjectAltName;
36     if (
37     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-31 01:49:45.114000000 -0400
40 jpp 1.1 @@ -1,26 +1,22 @@
41     {
42     use Cwd;
43     + use esmith::ssl;
44     my $here = getcwd;
45    
46     my $KeySize = $modSSL{KeySize} ||'4096';
47     my $FQDN = "$SystemName.$DomainName";
48     my $key = "/home/e-smith/ssl.key/$FQDN.key";
49     - if ( -f $key )
50     + # if key exists and good size, we use it
51     + if ( key_exists_good_size )
52     {
53     - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54     - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
55     - chomp $signatureKeySize;
56     - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
57     - if ( $signatureKeySize == $KeySize ) {
58     - # Old key file is still good. Read it out - processTemplate will work
59     - # out that it hasn't changed, and leave the old one in place
60     - open(K, "$key") or die "Couldn't open key file: $!";
61     - my @key = <K>;
62     - chomp @key;
63     - $OUT = join "\n", @key;
64     - close(K);
65     - return;
66     - }
67     + # Old key file is still good. Read it out - processTemplate will work
68     + # out that it hasn't changed, and leave the old one in place
69     + open(K, "$key") or die "Couldn't open key file: $!";
70     + my @key = <K>;
71     + chomp @key;
72     + $OUT = join "\n", @key;
73     + close(K);
74     + return;
75     }
76     # go to somewhere private and safe where we can run programs
77     # as root
78     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-31 01:49:44.221000000 -0400
81 jpp 1.1 @@ -1,13 +1,8 @@
82     {
83     $OUT = '';
84     - # if key is defined, we do not need to geenrate a self signed certificate
85     - # so we do not need to expand openssl.conf
86     - my $key = $modSSL{'key'};
87     - unless ($key and -e $key)
88     - {
89     - use esmith::templates;
90     - esmith::templates::processTemplate({
91     + # let's expand the /etc/openssl.conf configuration
92     + use esmith::templates;
93     + esmith::templates::processTemplate({
94     TEMPLATE_PATH => "/etc/openssl.conf"
95     });
96     - }
97     }
98     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-31 01:49:44.474000000 -0400
101     @@ -1,18 +1,19 @@
102     {
103     + use esmith::ssl;
104     my $domain = $DomainName || "localdomain";
105 jpp 1.1 my $hostname = $SystemName || "localhost";
106     $OUT = '';
107    
108     - my $key = $modSSL{'key'};
109     - unless ($key and -e $key)
110     - {
111     - $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
112     - use esmith::templates;
113     - esmith::templates::processTemplate({
114     - TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
115     - OUTPUT_FILENAME => $key,
116     - });
117     - }
118     + # expand default key
119     + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
120     + use esmith::templates;
121     + esmith::templates::processTemplate({
122     + TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
123     + OUTPUT_FILENAME => $dkey,
124     + });
125     +
126     + # choose which key to put in pem
127 jpp 1.2 + my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
128 jpp 1.1 open(KEY, $key) or die "Could not open key file: $!";
129     my @key = <KEY>;
130     chomp @key;
131     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
132     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
133 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-31 01:49:44.674000000 -0400
134     @@ -1,17 +1,18 @@
135     {
136     + use esmith::ssl;
137 jpp 1.1 my $domain = $DomainName || "localdomain";
138     my $hostname = $SystemName || "localhost";
139    
140     - my $crt = $modSSL{'crt'};
141     - unless ($crt and -e $crt)
142     - {
143     - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
144     - use esmith::templates;
145     - esmith::templates::processTemplate({
146     - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
147     - OUTPUT_FILENAME => $crt,
148     - });
149     - }
150     + # expand default self signed crt
151     + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
152     + use esmith::templates;
153     + esmith::templates::processTemplate({
154     + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
155     + OUTPUT_FILENAME => $dcrt,
156     + });
157     +
158     + # choose crt to add to pem
159 jpp 1.2 + $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
160 jpp 1.1 open(CRT, $crt) or die "Could not open crt file: $!";
161     my @crt = <CRT>;
162     chomp @crt;
163     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
164     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 22:12:33.789000000 -0400
165 jpp 1.2 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-31 01:49:44.893000000 -0400
166 jpp 1.1 @@ -1,4 +1,6 @@
167     {
168     + my $domain = $DomainName || "localdomain";
169     + my $hostname = $SystemName || "localhost";
170     my $pem = $modSSL{'CertificateChainFile'};
171     if ($pem and -e $pem)
172     {
173     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
174     --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
175 jpp 1.2 +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-31 01:49:45.570000000 -0400
176     @@ -0,0 +1,154 @@
177 jpp 1.1 +package esmith::ssl;
178     +
179     +use strict;
180     +use warnings;
181     +use esmith::ConfigDB;
182     +
183     +
184     +our @ISA = qw(Exporter);
185     +our @EXPORT = qw( key_exists_good_size cert_exists_good_size );
186     +
187     +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
188     +our $SystemName = $configdb->get('SystemName')->value;
189     +our $DomainName = $configdb->get('DomainName')->value;
190 jpp 1.2 +our $FQDN = "$SystemName.$DomainName";
191 jpp 1.1 +
192     +# test key size
193     +# test key exists
194     +=head1 NAME
195     +
196     +esmith::php - A few tools to help with php-fpm installed versions
197     +
198     +=head1 SYNOPSIS
199     +
200     + use esmith::ssl;
201     +
202     + my $booleanK=key_exists_good_size;
203     +
204     +=head1 DESCRIPTION
205     +
206     +This is intended to help playing with installed SSL self-generated certificates and keys.
207     +
208     +=head1 Methods
209     +
210     +
211     +=head2 key_exists_good_size
212     +test key exists, then test key size correct. Obviously it also test that the files is indeed a key
213     +planned to be called in :
214     +/etc/e-smith/templates/home/e-smith/ssl.crt
215     +/etc/e-smith/templates/home/e-smith/ssl.key
216     +
217     +returns 0 if key is missing or wrong size
218     +returns 1 if key exists and key size is correct
219     +
220     +=cut
221     +sub key_exists_good_size {
222     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
223     + my %modSSL = $configdb->as_hash('modSSL');
224     + my $KeySize = $modSSL{KeySize} ||'4096';
225     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
226 jpp 1.2 + if ( -f $key )
227 jpp 1.1 + {
228     + #print "$key exists\n";
229     + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
230     + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
231     + chomp $signatureKeySize;
232     + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
233     + if ( $signatureKeySize == $KeySize ) {
234     + #print "key size is correct ($KeySize)\n";
235     + # key exists and key size is correct, we can proceed
236     + return 1;
237     + }
238     + }
239     + # key is either missing or wrong key size.
240     + return 0;
241     +}
242     +
243     +
244     +# test key is key
245     +#openssl rsa -check -in $key
246     +
247     +=head2 cert_exists_good_size
248     +# check cert exist
249     +# check cert is cert
250     +# check cert size Public-Key
251     +# openssl rsa -noout -modulus -in domain.key | openssl md5
252     +# openssl x509 -noout -modulus -in domain.crt | openssl md5
253     +
254     +=cut
255     +sub cert_exists_good_size {
256     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
257     + my %modSSL = $configdb->as_hash('modSSL');
258     + my $KeySize = $modSSL{KeySize} ||'4096';
259     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
260 jpp 1.2 + if ( -f $crt )
261 jpp 1.1 + {
262     + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
263     + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
264     + chomp $signatureKeySize;
265     + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
266     + if ( $signatureKeySize == $KeySize ) {
267     + #print "$signatureKeySize\n";
268     + # cert is correct size and exists, we can proceed.
269     + # next check key and cert are related
270     + # next check cert is still valid
271     + # next check alt name are still the same
272     + return 1;
273     + }
274     + }
275     + return 0;
276     +}
277     +
278 jpp 1.2 +sub cert_is_cert {
279     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
280     + if ( -f $crt )
281     + {
282     + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
283     + close STDERR;
284     + my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
285     + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
286     + if ($exit_code==0){
287     + #print "certificate is a certificate\n";
288     + return 1;
289     + }
290     + }
291     + return 0;
292     +}
293     +
294     +sub key_is_key {
295     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
296     + if ( -f $key )
297     + {
298     + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
299     + close STDERR;
300     + my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
301     + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
302     + if ($exit_code==0){
303     + #print "key is a key\n";
304     + return 1;
305     + }
306     + }
307     + return 0;
308     +}
309     +
310     +sub related_key_cert {
311     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
312     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
313     + if ( key_is_key($key) and cert_is_cert($crt) )
314     + {
315     + # check the cert and the key are related, if key has been changed, then we need to change the cert
316     + my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
317     + my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
318     + #print "$key_md5 eq $crt_md5\n";
319     + return 1 if $key_md5 eq $crt_md5;
320     + }
321     + return 0;
322     +}
323 jpp 1.1 +##TODO migrate those actions from
324     +# check cert is related to key
325     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
326     +# check cert domain and alt
327     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
328     +# check is valid / expiry date
329     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
330     +###################################

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed