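--- a/root/etc/e-smith/templates/home/e-smith/ssl.crt
+++ b/root/etc/e-smith/templates/home/e-smith/ssl.crt
@@ -1,5 +1,6 @@
 {
 use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
+ use esmith::ssl;
 use Date::Parse;
 use Cwd;
 use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
@@ -38,12 +39,15 @@
 $email = substr($email, 0, 64);
 $commonName = substr($commonName, 0, 64);
 
- if ( -f $crt )
+ # if self-signed certificate files exists, is a certificate, and is still valid
+ if ( cert_exists_good_size )
 {
+ # check expiry date, if less than 2 days from now we update it.
 my $expire = `openssl x509 -enddate -noout -in $crt`;
 $expire =~ s/^notAfter=//;
 $expire = str2time($expire);
 my $ttl_days = ($expire - time()) / 60 / 60 / 24;
+ # check the cert and the key are related, if key has been changed, then we need to change the cert
 my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
 my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
@@ -63,7 +67,7 @@
 $signatureAlg =~ s/^ *Signature Algorithm: //;
 
 # Test for expected subjectAltName
- # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
+ # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
 $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
 chomp $expected_subjectAltName;
 if (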
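Review bot: The comment added above the new `if ( cert_exists_good_size )` promises more than the call checks: `cert_exists_good_size` in esmith::ssl only tests that the file exists and that its Public-Key size matches `KeySize`, without calling `cert_is_cert` or looking at the expiry (the expiry is computed by the lines that follow). Suggest `# if the self-signed certificate exists and has the expected key size (validity and key match are checked below)`. The call also passes no argument, so the module's default `/home/e-smith/ssl.crt/$FQDN.crt` is tested while the following backticks read `$crt`; passing it explicitly, `if ( cert_exists_good_size($crt) )`, keeps the two in step if they ever differ. `$crt` is set before this hunk, so I cannot confirm here that it is the same path.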
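--- a/root/etc/e-smith/templates/home/e-smith/ssl.key
+++ b/root/etc/e-smith/templates/home/e-smith/ssl.key
@@ -1,26 +1,22 @@
 {
 use Cwd;
+ use esmith::ssl;
 my $here = getcwd;
 
 my $KeySize = $modSSL{KeySize} ||'4096';
 my $FQDN = "$SystemName.$DomainName";
 my $key = "/home/e-smith/ssl.key/$FQDN.key";
- if ( -f $key )
+ # if key exists and good size, we use it
+ if ( key_exists_good_size )
 {
- # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
- my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
- chomp $signatureKeySize;
- $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
- if ( $signatureKeySize == $KeySize ) {
- # Old key file is still good. Read it out - processTemplate will work
- # out that it hasn't changed, and leave the old one in place
- open(K, "$key") or die "Couldn't open key file: $!";
- my @key = <K>;
- chomp @key;
- $OUT = join "\n", @key;
- close(K);
- return;
- }
+ # Old key file is still good. Read it out - processTemplate will work
+ # out that it hasn't changed, and leave the old one in place
+ open(K, "$key") or die "Couldn't open key file: $!";
+ my @key = <K>;
+ chomp @key;
+ $OUT = join "\n", @key;
+ close(K);
+ return;
 }
 # go to somewhere private and safe where we can run programs
 # as root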
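Review bot: `key_exists_good_size` is called with no argument, so it checks the module's default `/home/e-smith/ssl.key/$FQDN.key` while the `open(K, "$key")` a few lines later reads the template's own `$key`; both are built from the same two config values today, but `if ( key_exists_good_size($key) )` removes that assumption. The moved open is also still the bareword, two-argument form; since these lines are rewritten anyway, `open(my $kfh, '<', $key) or die "Couldn't open key file: $!";` with `<$kfh>` and `close $kfh` is the safer idiom. The block's closing brace is in the hunk, but the template continues past it.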
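--- a/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
+++ b/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
@@ -1,13 +1,8 @@
 {
 $OUT = '';
- # if key is defined, we do not need to geenrate a self signed certificate
- # so we do not need to expand openssl.conf
- my $key = $modSSL{'key'};
- unless ($key and -e $key)
- {
- use esmith::templates;
- esmith::templates::processTemplate({
+ # let's expand the /etc/openssl.conf configuration
+ use esmith::templates;
+ esmith::templates::processTemplate({
 TEMPLATE_PATH => "/etc/openssl.conf"
 });
- }
 }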
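--- a/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
+++ b/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
@@ -1,18 +1,19 @@
 {
+ use esmith::ssl;
 my $domain = $DomainName || "localdomain";
 my $hostname = $SystemName || "localhost";
 $OUT = '';
 
- my $key = $modSSL{'key'};
- unless ($key and -e $key)
- {
- $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
- use esmith::templates;
- esmith::templates::processTemplate({
- TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
- OUTPUT_FILENAME => $key,
- });
- }
+ # expand default key
+ my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
+ use esmith::templates;
+ esmith::templates::processTemplate({
+ TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
+ OUTPUT_FILENAME => $dkey,
+ });
+
+ # choose which key to put in pem
+ my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
 open(KEY, $key) or die "Could not open key file: $!";
 my @key = <KEY>;
 chomp @key;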
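Review bot: The `defined $modSSL{'key'} and defined $modSSL{'crt'}` test on the new `my $key = ...` line lets an empty-string value through: `defined ''` is true, `related_key_cert('', $crt)` then substitutes its default key path via `shift || ...`, and if that default happens to match the configured cert the template goes on to `open(KEY, '')` and dies. Testing truthiness instead, `my $key = ( $modSSL{'key'} and $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;`, makes an empty setting behave like an unset one; the same condition appears on the `$crt = ...` line of the 40crt hunk. When the configured pair is rejected the fallback to `$dkey` is silent, so a `warn "modSSL key/crt do not match, using $dkey"` in the else branch would help an admin see why the pem does not contain the key they configured.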
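--- a/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
+++ b/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
@@ -1,17 +1,18 @@
 {
+ use esmith::ssl;
 my $domain = $DomainName || "localdomain";
 my $hostname = $SystemName || "localhost";
 
- my $crt = $modSSL{'crt'};
- unless ($crt and -e $crt)
- {
- $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
- use esmith::templates;
- esmith::templates::processTemplate({
- TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
- OUTPUT_FILENAME => $crt,
- });
- }
+ # expand default self signed crt
+ my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
+ use esmith::templates;
+ esmith::templates::processTemplate({
+ TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
+ OUTPUT_FILENAME => $dcrt,
+ });
+
+ # choose crt to add to pem
+ $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
 open(CRT, $crt) or die "Could not open crt file: $!";
 my @crt = <CRT>;
 chomp @crt;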
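Review bot: The new `$crt = ( ... ) ? $modSSL{'crt'} : $dcrt;` line assigns to `$crt` without declaring it, whereas the removed `my $crt = $modSSL{'crt'};` did and the parallel 20key hunk writes `my $key = ...`. If the template fragment is compiled under strict this is a compile error; otherwise it silently becomes a package global shared with the other fragments of the same template. `my $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'crt'} : $dcrt;` matches 20key.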
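--- /dev/null
+++ b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
@@ -0,0 +1,154 @@
+package esmith::ssl;
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
+
+my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+our $SystemName = $configdb->get('SystemName')->value;
+our $DomainName = $configdb->get('DomainName')->value;
+our $FQDN = "$SystemName.$DomainName";
+
+# test key size
+# test key exists
+=head1 NAME
+
+esmith::php - A few tools to help with php-fpm installed versions
+
+=head1 SYNOPSIS
+
+ use esmith::ssl;
+
+ my $booleanK=key_exists_good_size;
+
+=head1 DESCRIPTION
+
+This is intended to help playing with installed SSL self-generated certificates and keys.
+
+=head1 Methods
+
+
+=head2 key_exists_good_size
+test key exists, then test key size correct. Obviously it also test that the files is indeed a key
+planned to be called in :
+/etc/e-smith/templates/home/e-smith/ssl.crt
+/etc/e-smith/templates/home/e-smith/ssl.key
+
+returns 0 if key is missing or wrong size
+returns 1 if key exists and key size is correct
+
+=cut
+sub key_exists_good_size {
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my %modSSL = $configdb->as_hash('modSSL');
+ my $KeySize = $modSSL{KeySize} ||'4096';
+ my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+ if ( -f $key )
+ {
+ #print "$key exists\n";
+ # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
+ my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
+ chomp $signatureKeySize;
+ $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
+ if ( $signatureKeySize == $KeySize ) {
+ #print "key size is correct ($KeySize)\n";
+ # key exists and key size is correct, we can proceed
+ return 1;
+ }
+ }
+ # key is either missing or wrong key size.
+ return 0;
+}
+
+
+# test key is key
+#openssl rsa -check -in $key
+
+=head2 cert_exists_good_size
+# check cert exist
+# check cert is cert
+# check cert size Public-Key
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+
+=cut
+sub cert_exists_good_size {
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my %modSSL = $configdb->as_hash('modSSL');
+ my $KeySize = $modSSL{KeySize} ||'4096';
+ my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+ if ( -f $crt )
+ {
+ #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
+ my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
+ chomp $signatureKeySize;
+ $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
+ if ( $signatureKeySize == $KeySize ) {
+ #print "$signatureKeySize\n";
+ # cert is correct size and exists, we can proceed.
+ # next check key and cert are related
+ # next check cert is still valid
+ # next check alt name are still the same
+ return 1;
+ }
+ }
+ return 0;
+}
+
+sub cert_is_cert {
+ my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+ if ( -f $crt )
+ {
+ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
+ close STDERR;
+ my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
+ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
+ if ($exit_code==0){
+ #print "certificate is a certificate\n";
+ return 1;
+ }
+ }
+ return 0;
+}
+
+sub key_is_key {
+ my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+ if ( -f $key )
+ {
+ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
+ close STDERR;
+ my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
+ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
+ if ($exit_code==0){
+ #print "key is a key\n";
+ return 1;
+ }
+ }
+ return 0;
+}
+
+sub related_key_cert {
+ my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+ my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+ if ( key_is_key($key) and cert_is_cert($crt) )
+ {
+ # check the cert and the key are related, if key has been changed, then we need to change the cert
+ my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+ my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+ #print "$key_md5 eq $crt_md5\n";
+ return 1 if $key_md5 eq $crt_md5;
+ }
+ return 0;
+}
+##TODO migrate those actions from
+# check cert is related to key
+# => /etc/e-smith/templates/home/e-smith/ssl.crt
+# check cert domain and alt
+# => /etc/e-smith/templates/home/e-smith/ssl.crt
+# check is valid / expiry date
+# => /etc/e-smith/templates/home/e-smith/ssl.crt
+###################################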
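Review bot: `key_exists_good_size` extracts the key size with `s/^ *Private-Key: \((.*) bit\)/$1/p`, which only matches the `Private-Key: (4096 bit)` output form; OpenSSL builds that print `RSA Private-Key: (4096 bit, 2 primes)` leave the string untouched, the numeric `==` against `$KeySize` then compares a non-number (with a warning) and is false, and every caller regenerates the key on each expansion — which builds do this depends on the target platform, so please verify against the shipped openssl. The same backticks interpolate the caller-supplied `$key`/`$crt` path into a shell pipeline (also in `cert_exists_good_size` and `related_key_cert`), while `cert_is_cert`/`key_is_key` already use list-form `system`; reading the output through a list-form `open '-|'` keeps the path out of the shell and lets a tolerant regex take the number, as sketched below. Separately, `our @ISA = qw(Exporter);` has no `use Exporter;` in this file, so the import only works if something else has already loaded it; the POD `=head1 NAME` still reads `esmith::php - A few tools to help with php-fpm installed versions`; and the three `die "Could not open accounts db"` messages are raised while opening the config db.
```perl
# Bit size reported by `openssl <subcmd> -text -noout -in FILE`, or undef on
# failure.  List-form open keeps the path out of the shell.
sub _reported_key_bits {
    my ($subcmd, $file, $label) = @_;
    open my $fh, '-|', 'openssl', $subcmd, '-in', $file, '-text', '-noout' or return;
    my $text = do { local $/; <$fh> };
    close $fh;
    return unless defined $text;
    my ($bits) = $text =~ /\Q$label\E: \((\d+) bit/;
    return $bits;
}

# … unchanged: key_exists_good_size prologue (config db, $KeySize, $key, -f test) …
        my $signatureKeySize = _reported_key_bits('rsa', $key, 'Private-Key');
        if ( defined $signatureKeySize and $signatureKeySize == $KeySize ) {
# … unchanged: rest of key_exists_good_size; cert_exists_good_size uses ('x509', $crt, 'Public-Key') …
```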