/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch
ViewVC logotype

Annotation of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.5 - (hide annotations) (download)
Sun Jun 6 20:38:39 2021 UTC (3 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.4: +0 -0 lines
FILE REMOVED
5.8.1

1 jpp 1.1 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3 jpp 1.3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-06-01 17:53:56.640000000 -0400
4 jpp 1.1 @@ -1,5 +1,6 @@
5     {
6     use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
7     + use esmith::ssl;
8     use Date::Parse;
9     use Cwd;
10     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11     @@ -38,12 +39,15 @@
12     $email = substr($email, 0, 64);
13     $commonName = substr($commonName, 0, 64);
14    
15     - if ( -f $crt )
16     + # if self-signed certificate files exists, is a certificate, and is still valid
17     + if ( cert_exists_good_size )
18     {
19     + # check expiry date, if less than 2 days from now we update it.
20     my $expire = `openssl x509 -enddate -noout -in $crt`;
21     $expire =~ s/^notAfter=//;
22     $expire = str2time($expire);
23     my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24     + # check the cert and the key are related, if key has been changed, then we need to change the cert
25     my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
26     my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
27    
28     @@ -63,7 +67,7 @@
29     $signatureAlg =~ s/^ *Signature Algorithm: //;
30    
31     # Test for expected subjectAltName
32     - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
33     + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
34     $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35     chomp $expected_subjectAltName;
36     if (
37     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39 jpp 1.3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-06-01 17:53:56.402000000 -0400
40 jpp 1.1 @@ -1,26 +1,22 @@
41     {
42     use Cwd;
43     + use esmith::ssl;
44     my $here = getcwd;
45    
46     my $KeySize = $modSSL{KeySize} ||'4096';
47     my $FQDN = "$SystemName.$DomainName";
48     my $key = "/home/e-smith/ssl.key/$FQDN.key";
49     - if ( -f $key )
50     + # if key exists and good size, we use it
51     + if ( key_exists_good_size )
52     {
53     - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54     - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
55     - chomp $signatureKeySize;
56     - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
57     - if ( $signatureKeySize == $KeySize ) {
58     - # Old key file is still good. Read it out - processTemplate will work
59     - # out that it hasn't changed, and leave the old one in place
60     - open(K, "$key") or die "Couldn't open key file: $!";
61     - my @key = <K>;
62     - chomp @key;
63     - $OUT = join "\n", @key;
64     - close(K);
65     - return;
66     - }
67     + # Old key file is still good. Read it out - processTemplate will work
68     + # out that it hasn't changed, and leave the old one in place
69     + open(K, "$key") or die "Couldn't open key file: $!";
70     + my @key = <K>;
71     + chomp @key;
72     + $OUT = join "\n", @key;
73     + close(K);
74     + return;
75     }
76     # go to somewhere private and safe where we can run programs
77     # as root
78     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80 jpp 1.3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-06-01 17:53:55.469000000 -0400
81 jpp 1.1 @@ -1,13 +1,8 @@
82     {
83     $OUT = '';
84     - # if key is defined, we do not need to geenrate a self signed certificate
85     - # so we do not need to expand openssl.conf
86     - my $key = $modSSL{'key'};
87     - unless ($key and -e $key)
88     - {
89     - use esmith::templates;
90     - esmith::templates::processTemplate({
91     + # let's expand the /etc/openssl.conf configuration
92     + use esmith::templates;
93     + esmith::templates::processTemplate({
94     TEMPLATE_PATH => "/etc/openssl.conf"
95     });
96     - }
97     }
98     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100 jpp 1.3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-06-01 17:53:55.702000000 -0400
101 jpp 1.2 @@ -1,18 +1,19 @@
102     {
103     + use esmith::ssl;
104     my $domain = $DomainName || "localdomain";
105 jpp 1.1 my $hostname = $SystemName || "localhost";
106     $OUT = '';
107    
108     - my $key = $modSSL{'key'};
109     - unless ($key and -e $key)
110     - {
111     - $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
112     - use esmith::templates;
113     - esmith::templates::processTemplate({
114     - TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
115     - OUTPUT_FILENAME => $key,
116     - });
117     - }
118     + # expand default key
119     + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
120     + use esmith::templates;
121     + esmith::templates::processTemplate({
122     + TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
123     + OUTPUT_FILENAME => $dkey,
124     + });
125     +
126     + # choose which key to put in pem
127 jpp 1.2 + my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
128 jpp 1.1 open(KEY, $key) or die "Could not open key file: $!";
129     my @key = <KEY>;
130     chomp @key;
131     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
132     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
133 jpp 1.3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-06-01 17:53:55.911000000 -0400
134 jpp 1.2 @@ -1,17 +1,18 @@
135     {
136     + use esmith::ssl;
137 jpp 1.1 my $domain = $DomainName || "localdomain";
138     my $hostname = $SystemName || "localhost";
139    
140     - my $crt = $modSSL{'crt'};
141     - unless ($crt and -e $crt)
142     - {
143     - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
144     - use esmith::templates;
145     - esmith::templates::processTemplate({
146     - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
147     - OUTPUT_FILENAME => $crt,
148     - });
149     - }
150     + # expand default self signed crt
151     + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
152     + use esmith::templates;
153     + esmith::templates::processTemplate({
154     + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
155     + OUTPUT_FILENAME => $dcrt,
156     + });
157     +
158     + # choose crt to add to pem
159 jpp 1.2 + $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
160 jpp 1.1 open(CRT, $crt) or die "Could not open crt file: $!";
161     my @crt = <CRT>;
162     chomp @crt;
163     diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
164     --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
165 jpp 1.3 +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-06-01 17:53:56.856000000 -0400
166 jpp 1.2 @@ -0,0 +1,154 @@
167 jpp 1.1 +package esmith::ssl;
168     +
169     +use strict;
170     +use warnings;
171     +use esmith::ConfigDB;
172     +
173     +
174     +our @ISA = qw(Exporter);
175 jpp 1.4 +our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
176 jpp 1.1 +
177     +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
178     +our $SystemName = $configdb->get('SystemName')->value;
179     +our $DomainName = $configdb->get('DomainName')->value;
180 jpp 1.2 +our $FQDN = "$SystemName.$DomainName";
181 jpp 1.1 +
182     +# test key size
183     +# test key exists
184     +=head1 NAME
185     +
186     +esmith::php - A few tools to help with php-fpm installed versions
187     +
188     +=head1 SYNOPSIS
189     +
190     + use esmith::ssl;
191     +
192     + my $booleanK=key_exists_good_size;
193     +
194     +=head1 DESCRIPTION
195     +
196     +This is intended to help playing with installed SSL self-generated certificates and keys.
197     +
198     +=head1 Methods
199     +
200     +
201     +=head2 key_exists_good_size
202     +test key exists, then test key size correct. Obviously it also test that the files is indeed a key
203     +planned to be called in :
204     +/etc/e-smith/templates/home/e-smith/ssl.crt
205     +/etc/e-smith/templates/home/e-smith/ssl.key
206     +
207     +returns 0 if key is missing or wrong size
208     +returns 1 if key exists and key size is correct
209     +
210     +=cut
211     +sub key_exists_good_size {
212     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
213     + my %modSSL = $configdb->as_hash('modSSL');
214     + my $KeySize = $modSSL{KeySize} ||'4096';
215     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
216 jpp 1.2 + if ( -f $key )
217 jpp 1.1 + {
218     + #print "$key exists\n";
219     + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
220     + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
221     + chomp $signatureKeySize;
222     + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
223     + if ( $signatureKeySize == $KeySize ) {
224     + #print "key size is correct ($KeySize)\n";
225     + # key exists and key size is correct, we can proceed
226     + return 1;
227     + }
228     + }
229     + # key is either missing or wrong key size.
230     + return 0;
231     +}
232     +
233     +
234     +# test key is key
235     +#openssl rsa -check -in $key
236     +
237     +=head2 cert_exists_good_size
238     +# check cert exist
239     +# check cert is cert
240     +# check cert size Public-Key
241     +# openssl rsa -noout -modulus -in domain.key | openssl md5
242     +# openssl x509 -noout -modulus -in domain.crt | openssl md5
243     +
244     +=cut
245     +sub cert_exists_good_size {
246     + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
247     + my %modSSL = $configdb->as_hash('modSSL');
248     + my $KeySize = $modSSL{KeySize} ||'4096';
249     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
250 jpp 1.2 + if ( -f $crt )
251 jpp 1.1 + {
252     + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
253     + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
254     + chomp $signatureKeySize;
255     + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
256     + if ( $signatureKeySize == $KeySize ) {
257     + #print "$signatureKeySize\n";
258     + # cert is correct size and exists, we can proceed.
259     + # next check key and cert are related
260     + # next check cert is still valid
261     + # next check alt name are still the same
262     + return 1;
263     + }
264     + }
265     + return 0;
266     +}
267     +
268 jpp 1.2 +sub cert_is_cert {
269     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
270     + if ( -f $crt )
271     + {
272     + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
273     + close STDERR;
274     + my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
275     + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
276     + if ($exit_code==0){
277     + #print "certificate is a certificate\n";
278     + return 1;
279     + }
280     + }
281     + return 0;
282     +}
283     +
284     +sub key_is_key {
285     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
286     + if ( -f $key )
287     + {
288     + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
289     + close STDERR;
290     + my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
291     + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
292     + if ($exit_code==0){
293     + #print "key is a key\n";
294     + return 1;
295     + }
296     + }
297     + return 0;
298     +}
299     +
300     +sub related_key_cert {
301     + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
302     + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
303     + if ( key_is_key($key) and cert_is_cert($crt) )
304     + {
305     + # check the cert and the key are related, if key has been changed, then we need to change the cert
306     + my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
307     + my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
308     + #print "$key_md5 eq $crt_md5\n";
309     + return 1 if $key_md5 eq $crt_md5;
310     + }
311     + return 0;
312     +}
313 jpp 1.1 +##TODO migrate those actions from
314     +# check cert is related to key
315     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
316     +# check cert domain and alt
317     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
318     +# check is valid / expiry date
319     +# => /etc/e-smith/templates/home/e-smith/ssl.crt
320     +###################################

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed