e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt      2021-05-30 22:12:33.595000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt  2021-05-31 01:49:45.333000000 -0400
@@ -1,5 +1,6 @@
 {
     use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
+    use esmith::ssl;
     use Date::Parse;
     use Cwd;
     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
@@ -38,12 +39,15 @@
     $email = substr($email, 0, 64);
     $commonName = substr($commonName, 0, 64);
 
-    if ( -f $crt )
+    # if self-signed certificate files exists, is a certificate, and is still valid
+    if ( cert_exists_good_size )
     {
+       # check expiry date, if less than 2 days from now we update it.
         my $expire = `openssl x509 -enddate -noout -in $crt`;
         $expire =~ s/^notAfter=//;
         $expire = str2time($expire);
         my $ttl_days = ($expire - time()) / 60 / 60 / 24;
+       # check the cert and the key are related, if key has been changed, then we need to change the cert
        my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
        my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
@@ -63,7 +67,7 @@
             $signatureAlg =~ s/^ *Signature Algorithm: //;
            
            # Test for expected subjectAltName
-            # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
+            # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
            $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
            chomp $expected_subjectAltName;
             if (
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key      2021-05-30 22:12:33.596000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key  2021-05-31 01:49:45.114000000 -0400
@@ -1,26 +1,22 @@
 {
     use Cwd;
+    use esmith::ssl;
     my $here = getcwd;
 
     my $KeySize = $modSSL{KeySize} ||'4096';
     my $FQDN = "$SystemName.$DomainName";
     my $key = "/home/e-smith/ssl.key/$FQDN.key";
-    if ( -f $key )
+    # if key exists and good size, we use it
+    if ( key_exists_good_size )
     {
-       # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
-        my $signatureKeySize = `openssl rsa -in  $key -text -noout | grep "Private-Key" | head -1`;
-        chomp $signatureKeySize;
-        $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
-       if ( $signatureKeySize == $KeySize ) {
-               # Old key file is still good. Read it out - processTemplate will work
-               # out that it hasn't changed, and leave the old one in place
-               open(K, "$key") or die "Couldn't open key file: $!";
-               my @key = <K>;
-               chomp @key;
-               $OUT = join "\n", @key;
-               close(K);
-               return;
-       }
+       # Old key file is still good. Read it out - processTemplate will work
+       # out that it hasn't changed, and leave the old one in place
+       open(K, "$key") or die "Couldn't open key file: $!";
+       my @key = <K>;
+       chomp @key;
+       $OUT = join "\n", @key;
+       close(K);
+       return;
     }
     # go to somewhere private and safe where we can run programs
     # as root
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl    2021-05-30 22:12:33.789000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl        2021-05-31 01:49:44.221000000 -0400
@@ -1,13 +1,8 @@
 {
     $OUT = '';
-    # if key is defined, we do not need to geenrate a self signed certificate
-    # so we do not need to expand openssl.conf
-    my $key = $modSSL{'key'};
-    unless ($key and -e $key)
-    {
-        use esmith::templates;
-        esmith::templates::processTemplate({
+    # let's expand the /etc/openssl.conf configuration
+    use esmith::templates;
+    esmith::templates::processTemplate({
             TEMPLATE_PATH => "/etc/openssl.conf"
             });
-    }
 }
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key        2021-05-30 22:12:33.789000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key    2021-05-31 01:49:44.474000000 -0400
@@ -1,18 +1,19 @@
 {
+    use esmith::ssl;
     my $domain = $DomainName || "localdomain";
     my $hostname = $SystemName || "localhost";
     $OUT = '';
 
-    my $key = $modSSL{'key'};
-    unless ($key and -e $key)
-    {
-       $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
-       use esmith::templates;
-       esmith::templates::processTemplate({
-           TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
-           OUTPUT_FILENAME => $key,
-           });
-    }
+    # expand default key
+    my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
+    use esmith::templates;
+    esmith::templates::processTemplate({
+        TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
+        OUTPUT_FILENAME => $dkey,
+        });
+
+    # choose which key to put in pem
+    my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'}  : $dkey;
     open(KEY, $key) or die "Could not open key file: $!";
     my @key = <KEY>;
     chomp @key;
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt        2021-05-30 22:12:33.789000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt    2021-05-31 01:49:44.674000000 -0400
@@ -1,17 +1,18 @@
 {
+    use esmith::ssl;
     my $domain = $DomainName || "localdomain";
     my $hostname = $SystemName || "localhost";
 
-    my $crt = $modSSL{'crt'};
-    unless ($crt and -e $crt)
-    {
-       $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
-       use esmith::templates;
-       esmith::templates::processTemplate({
-           TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
-           OUTPUT_FILENAME => $crt,
-           });
-    }
+    # expand default self signed crt
+    my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
+    use esmith::templates;
+    esmith::templates::processTemplate({
+        TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
+        OUTPUT_FILENAME => $dcrt,
+        });
+
+    # choose crt to add to pem
+    $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
     open(CRT, $crt) or die "Could not open crt file: $!";
     my @crt = <CRT>;
     chomp @crt;
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem        2021-05-30 22:12:33.789000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem    2021-05-31 01:49:44.893000000 -0400
@@ -1,4 +1,6 @@
 {
+    my $domain = $DomainName || "localdomain";
+    my $hostname = $SystemName || "localhost";
     my $pem = $modSSL{'CertificateChainFile'};
     if ($pem and -e $pem)
     {
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
--- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm       1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm   2021-05-31 01:49:45.570000000 -0400
@@ -0,0 +1,154 @@
+package esmith::ssl;
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size );
+
+my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+our $SystemName = $configdb->get('SystemName')->value;
+our $DomainName = $configdb->get('DomainName')->value;
+our $FQDN = "$SystemName.$DomainName";
+
+# test key size
+# test key exists
+=head1 NAME
+
+esmith::php - A few tools to help with php-fpm installed versions
+
+=head1 SYNOPSIS
+
+    use esmith::ssl;
+
+    my $booleanK=key_exists_good_size;
+
+=head1 DESCRIPTION
+
+This is intended to help playing with installed SSL self-generated certificates and keys.
+
+=head1 Methods
+
+
+=head2 key_exists_good_size
+test key exists, then test key size correct. Obviously it also test that the files is indeed a key
+planned to be called in  :
+/etc/e-smith/templates/home/e-smith/ssl.crt
+/etc/e-smith/templates/home/e-smith/ssl.key
+
+returns 0 if key is missing or wrong size
+returns 1 if key exists and key size is correct
+
+=cut
+sub key_exists_good_size {
+    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+    my %modSSL = $configdb->as_hash('modSSL');
+    my $KeySize = $modSSL{KeySize} ||'4096';
+    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+    if ( -f $key ) 
+    {
+       #print "$key exists\n";
+        # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
+        my $signatureKeySize = `openssl rsa -in  $key -text -noout | grep "Private-Key" | head -1`;
+        chomp $signatureKeySize;
+        $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
+        if ( $signatureKeySize == $KeySize ) {
+               #print "key size is correct ($KeySize)\n";
+               # key exists and key size is correct, we can proceed
+                return 1;
+        }
+    } 
+    # key is either missing or wrong key size.
+    return 0;
+}
+
+
+# test key is key
+#openssl rsa -check -in $key
+
+=head2 cert_exists_good_size
+# check cert exist
+# check cert is cert
+# check cert size Public-Key
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+
+=cut
+sub cert_exists_good_size {
+    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+    my %modSSL = $configdb->as_hash('modSSL');
+    my $KeySize = $modSSL{KeySize} ||'4096';
+    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+    if ( -f $crt ) 
+    {
+       #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
+       my $signatureKeySize = `openssl x509 -text -noout -in $crt  | grep "Public-Key" | head -1`;
+       chomp $signatureKeySize;
+       $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
+       if ( $signatureKeySize == $KeySize ) {
+               #print "$signatureKeySize\n";
+               # cert is  correct size and exists, we can proceed.
+               # next check key and cert are related
+               # next check cert is still valid
+               # next check alt name are still the same
+               return 1;
+       }
+    }
+    return 0;
+}
+
+sub cert_is_cert {
+    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+    if ( -f $crt ) 
+    {
+        open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
+        close STDERR;
+       my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");        
+        open STDERR, '>&', $oldout;  # restore the dup'ed filehandle to STDOUT
+        if ($exit_code==0){
+               #print "certificate is a certificate\n";
+                return 1;
+        }
+    }
+    return 0;
+}
+
+sub key_is_key {
+    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+    if ( -f $key )
+    {
+       open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
+       close STDERR;
+        my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
+       open STDERR, '>&', $oldout;  # restore the dup'ed filehandle to STDOUT
+        if ($exit_code==0){
+                #print "key is a key\n";
+                return 1;
+        }
+    }
+    return 0;
+}
+
+sub related_key_cert {
+    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+    if ( key_is_key($key) and cert_is_cert($crt) )
+    { 
+       # check the cert and the key are related, if key has been changed, then we need to change the cert
+       my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+       my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+       #print "$key_md5 eq $crt_md5\n";
+       return 1 if $key_md5 eq $crt_md5;
+    }
+    return 0;
+}
+##TODO migrate those actions from 
+# check cert is related to key
+# => /etc/e-smith/templates/home/e-smith/ssl.crt 
+# check cert domain and alt
+# => /etc/e-smith/templates/home/e-smith/ssl.crt 
+# check is valid / expiry date
+# => /etc/e-smith/templates/home/e-smith/ssl.crt 
+###################################
1	jpp	1.1	diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-31 01:49:45.333000000 -0400
4	jpp	1.1	@@ -1,5 +1,6 @@
5			{
6			use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} \|\| 365;
7			+ use esmith::ssl;
8			use Date::Parse;
9			use Cwd;
10			use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11			@@ -38,12 +39,15 @@
12			$email = substr($email, 0, 64);
13			$commonName = substr($commonName, 0, 64);
14
15			- if ( -f $crt )
16			+ # if self-signed certificate files exists, is a certificate, and is still valid
17			+ if ( cert_exists_good_size )
18			{
19			+ # check expiry date, if less than 2 days from now we update it.
20			my $expire = `openssl x509 -enddate -noout -in $crt`;
21			$expire =~ s/^notAfter=//;
22			$expire = str2time($expire);
23			my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24			+ # check the cert and the key are related, if key has been changed, then we need to change the cert
25			my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
26			my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
27
28			@@ -63,7 +67,7 @@
29			$signatureAlg =~ s/^ *Signature Algorithm: //;
30
31			# Test for expected subjectAltName
32			- # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\n//;:a;s/^\( \)\(.*\), /\2,\1/;ta;p;q; }'
33			+ # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\n//;:a;s/^\( \)\(.*\), /\2,\1/;ta;p;q; }'
34			$expected_subjectAltName = `openssl x509 -text -noout -in $crt \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\\n//;:a;s/^\\( \\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35			chomp $expected_subjectAltName;
36			if (
37			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-31 01:49:45.114000000 -0400
40	jpp	1.1	@@ -1,26 +1,22 @@
41			{
42			use Cwd;
43			+ use esmith::ssl;
44			my $here = getcwd;
45
46			my $KeySize = $modSSL{KeySize} \|\|'4096';
47			my $FQDN = "$SystemName.$DomainName";
48			my $key = "/home/e-smith/ssl.key/$FQDN.key";
49			- if ( -f $key )
50			+ # if key exists and good size, we use it
51			+ if ( key_exists_good_size )
52			{
53			- # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout \| sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54			- my $signatureKeySize = `openssl rsa -in $key -text -noout \| grep "Private-Key" \| head -1`;
55			- chomp $signatureKeySize;
56			- $signatureKeySize =~ s/^ Private-Key: \((.) bit\)/$1/p;
57			- if ( $signatureKeySize == $KeySize ) {
58			- # Old key file is still good. Read it out - processTemplate will work
59			- # out that it hasn't changed, and leave the old one in place
60			- open(K, "$key") or die "Couldn't open key file: $!";
61			- my @key = <K>;
62			- chomp @key;
63			- $OUT = join "\n", @key;
64			- close(K);
65			- return;
66			- }
67			+ # Old key file is still good. Read it out - processTemplate will work
68			+ # out that it hasn't changed, and leave the old one in place
69			+ open(K, "$key") or die "Couldn't open key file: $!";
70			+ my @key = <K>;
71			+ chomp @key;
72			+ $OUT = join "\n", @key;
73			+ close(K);
74			+ return;
75			}
76			# go to somewhere private and safe where we can run programs
77			# as root
78			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-31 01:49:44.221000000 -0400
81	jpp	1.1	@@ -1,13 +1,8 @@
82			{
83			$OUT = '';
84			- # if key is defined, we do not need to geenrate a self signed certificate
85			- # so we do not need to expand openssl.conf
86			- my $key = $modSSL{'key'};
87			- unless ($key and -e $key)
88			- {
89			- use esmith::templates;
90			- esmith::templates::processTemplate({
91			+ # let's expand the /etc/openssl.conf configuration
92			+ use esmith::templates;
93			+ esmith::templates::processTemplate({
94			TEMPLATE_PATH => "/etc/openssl.conf"
95			});
96			- }
97			}
98			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-31 01:49:44.474000000 -0400
101			@@ -1,18 +1,19 @@
102			{
103			+ use esmith::ssl;
104			my $domain = $DomainName \|\| "localdomain";
105	jpp	1.1	my $hostname = $SystemName \|\| "localhost";
106			$OUT = '';
107
108			- my $key = $modSSL{'key'};
109			- unless ($key and -e $key)
110			- {
111			- $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
112			- use esmith::templates;
113			- esmith::templates::processTemplate({
114			- TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
115			- OUTPUT_FILENAME => $key,
116			- });
117			- }
118			+ # expand default key
119			+ my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
120			+ use esmith::templates;
121			+ esmith::templates::processTemplate({
122			+ TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
123			+ OUTPUT_FILENAME => $dkey,
124			+ });
125			+
126			+ # choose which key to put in pem
127	jpp	1.2	+ my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
128	jpp	1.1	open(KEY, $key) or die "Could not open key file: $!";
129			my @key = <KEY>;
130			chomp @key;
131			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
132			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
133	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-31 01:49:44.674000000 -0400
134			@@ -1,17 +1,18 @@
135			{
136			+ use esmith::ssl;
137	jpp	1.1	my $domain = $DomainName \|\| "localdomain";
138			my $hostname = $SystemName \|\| "localhost";
139
140			- my $crt = $modSSL{'crt'};
141			- unless ($crt and -e $crt)
142			- {
143			- $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
144			- use esmith::templates;
145			- esmith::templates::processTemplate({
146			- TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
147			- OUTPUT_FILENAME => $crt,
148			- });
149			- }
150			+ # expand default self signed crt
151			+ my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
152			+ use esmith::templates;
153			+ esmith::templates::processTemplate({
154			+ TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
155			+ OUTPUT_FILENAME => $dcrt,
156			+ });
157			+
158			+ # choose crt to add to pem
159	jpp	1.2	+ $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
160	jpp	1.1	open(CRT, $crt) or die "Could not open crt file: $!";
161			my @crt = <CRT>;
162			chomp @crt;
163			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
164			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 22:12:33.789000000 -0400
165	jpp	1.2	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-31 01:49:44.893000000 -0400
166	jpp	1.1	@@ -1,4 +1,6 @@
167			{
168			+ my $domain = $DomainName \|\| "localdomain";
169			+ my $hostname = $SystemName \|\| "localhost";
170			my $pem = $modSSL{'CertificateChainFile'};
171			if ($pem and -e $pem)
172			{
173			diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
174			--- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
175	jpp	1.2	+++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-31 01:49:45.570000000 -0400
176			@@ -0,0 +1,154 @@
177	jpp	1.1	+package esmith::ssl;
178			+
179			+use strict;
180			+use warnings;
181			+use esmith::ConfigDB;
182			+
183			+
184			+our @ISA = qw(Exporter);
185			+our @EXPORT = qw( key_exists_good_size cert_exists_good_size );
186			+
187			+my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
188			+our $SystemName = $configdb->get('SystemName')->value;
189			+our $DomainName = $configdb->get('DomainName')->value;
190	jpp	1.2	+our $FQDN = "$SystemName.$DomainName";
191	jpp	1.1	+
192			+# test key size
193			+# test key exists
194			+=head1 NAME
195			+
196			+esmith::php - A few tools to help with php-fpm installed versions
197			+
198			+=head1 SYNOPSIS
199			+
200			+ use esmith::ssl;
201			+
202			+ my $booleanK=key_exists_good_size;
203			+
204			+=head1 DESCRIPTION
205			+
206			+This is intended to help playing with installed SSL self-generated certificates and keys.
207			+
208			+=head1 Methods
209			+
210			+
211			+=head2 key_exists_good_size
212			+test key exists, then test key size correct. Obviously it also test that the files is indeed a key
213			+planned to be called in :
214			+/etc/e-smith/templates/home/e-smith/ssl.crt
215			+/etc/e-smith/templates/home/e-smith/ssl.key
216			+
217			+returns 0 if key is missing or wrong size
218			+returns 1 if key exists and key size is correct
219			+
220			+=cut
221			+sub key_exists_good_size {
222			+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
223			+ my %modSSL = $configdb->as_hash('modSSL');
224			+ my $KeySize = $modSSL{KeySize} \|\|'4096';
225			+ my $key = shift \|\| "/home/e-smith/ssl.key/$FQDN.key";
226	jpp	1.2	+ if ( -f $key )
227	jpp	1.1	+ {
228			+ #print "$key exists\n";
229			+ # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout \| sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
230			+ my $signatureKeySize = `openssl rsa -in $key -text -noout \| grep "Private-Key" \| head -1`;
231			+ chomp $signatureKeySize;
232			+ $signatureKeySize =~ s/^ Private-Key: \((.) bit\)/$1/p;
233			+ if ( $signatureKeySize == $KeySize ) {
234			+ #print "key size is correct ($KeySize)\n";
235			+ # key exists and key size is correct, we can proceed
236			+ return 1;
237			+ }
238			+ }
239			+ # key is either missing or wrong key size.
240			+ return 0;
241			+}
242			+
243			+
244			+# test key is key
245			+#openssl rsa -check -in $key
246			+
247			+=head2 cert_exists_good_size
248			+# check cert exist
249			+# check cert is cert
250			+# check cert size Public-Key
251			+# openssl rsa -noout -modulus -in domain.key \| openssl md5
252			+# openssl x509 -noout -modulus -in domain.crt \| openssl md5
253			+
254			+=cut
255			+sub cert_exists_good_size {
256			+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
257			+ my %modSSL = $configdb->as_hash('modSSL');
258			+ my $KeySize = $modSSL{KeySize} \|\|'4096';
259			+ my $crt = shift \|\| "/home/e-smith/ssl.crt/$FQDN.crt";
260	jpp	1.2	+ if ( -f $crt )
261	jpp	1.1	+ {
262			+ #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt\| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
263			+ my $signatureKeySize = `openssl x509 -text -noout -in $crt \| grep "Public-Key" \| head -1`;
264			+ chomp $signatureKeySize;
265			+ $signatureKeySize =~ s/^ Public-Key: \((.) bit\)/$1/p;
266			+ if ( $signatureKeySize == $KeySize ) {
267			+ #print "$signatureKeySize\n";
268			+ # cert is correct size and exists, we can proceed.
269			+ # next check key and cert are related
270			+ # next check cert is still valid
271			+ # next check alt name are still the same
272			+ return 1;
273			+ }
274			+ }
275			+ return 0;
276			+}
277			+
278	jpp	1.2	+sub cert_is_cert {
279			+ my $crt = shift \|\| "/home/e-smith/ssl.crt/$FQDN.crt";
280			+ if ( -f $crt )
281			+ {
282			+ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
283			+ close STDERR;
284			+ my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
285			+ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
286			+ if ($exit_code==0){
287			+ #print "certificate is a certificate\n";
288			+ return 1;
289			+ }
290			+ }
291			+ return 0;
292			+}
293			+
294			+sub key_is_key {
295			+ my $key = shift \|\| "/home/e-smith/ssl.key/$FQDN.key";
296			+ if ( -f $key )
297			+ {
298			+ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
299			+ close STDERR;
300			+ my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
301			+ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
302			+ if ($exit_code==0){
303			+ #print "key is a key\n";
304			+ return 1;
305			+ }
306			+ }
307			+ return 0;
308			+}
309			+
310			+sub related_key_cert {
311			+ my $key = shift \|\| "/home/e-smith/ssl.key/$FQDN.key";
312			+ my $crt = shift \|\| "/home/e-smith/ssl.crt/$FQDN.crt";
313			+ if ( key_is_key($key) and cert_is_cert($crt) )
314			+ {
315			+ # check the cert and the key are related, if key has been changed, then we need to change the cert
316			+ my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
317			+ my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
318			+ #print "$key_md5 eq $crt_md5\n";
319			+ return 1 if $key_md5 eq $crt_md5;
320			+ }
321			+ return 0;
322			+}
323	jpp	1.1	+##TODO migrate those actions from
324			+# check cert is related to key
325			+# => /etc/e-smith/templates/home/e-smith/ssl.crt
326			+# check cert domain and alt
327			+# => /etc/e-smith/templates/home/e-smith/ssl.crt
328			+# check is valid / expiry date
329			+# => /etc/e-smith/templates/home/e-smith/ssl.crt
330			+###################################