/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch
ViewVC logotype

Contents of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.5 - (show annotations) (download)
Sun Jun 6 20:38:39 2021 UTC (3 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.4: +0 -0 lines
FILE REMOVED
5.8.1

1 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-06-01 17:53:56.640000000 -0400
4 @@ -1,5 +1,6 @@
5 {
6 use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
7 + use esmith::ssl;
8 use Date::Parse;
9 use Cwd;
10 use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11 @@ -38,12 +39,15 @@
12 $email = substr($email, 0, 64);
13 $commonName = substr($commonName, 0, 64);
14
15 - if ( -f $crt )
16 + # if self-signed certificate files exists, is a certificate, and is still valid
17 + if ( cert_exists_good_size )
18 {
19 + # check expiry date, if less than 2 days from now we update it.
20 my $expire = `openssl x509 -enddate -noout -in $crt`;
21 $expire =~ s/^notAfter=//;
22 $expire = str2time($expire);
23 my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24 + # check the cert and the key are related, if key has been changed, then we need to change the cert
25 my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
26 my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
27
28 @@ -63,7 +67,7 @@
29 $signatureAlg =~ s/^ *Signature Algorithm: //;
30
31 # Test for expected subjectAltName
32 - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
33 + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
34 $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35 chomp $expected_subjectAltName;
36 if (
37 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-06-01 17:53:56.402000000 -0400
40 @@ -1,26 +1,22 @@
41 {
42 use Cwd;
43 + use esmith::ssl;
44 my $here = getcwd;
45
46 my $KeySize = $modSSL{KeySize} ||'4096';
47 my $FQDN = "$SystemName.$DomainName";
48 my $key = "/home/e-smith/ssl.key/$FQDN.key";
49 - if ( -f $key )
50 + # if key exists and good size, we use it
51 + if ( key_exists_good_size )
52 {
53 - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54 - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
55 - chomp $signatureKeySize;
56 - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
57 - if ( $signatureKeySize == $KeySize ) {
58 - # Old key file is still good. Read it out - processTemplate will work
59 - # out that it hasn't changed, and leave the old one in place
60 - open(K, "$key") or die "Couldn't open key file: $!";
61 - my @key = <K>;
62 - chomp @key;
63 - $OUT = join "\n", @key;
64 - close(K);
65 - return;
66 - }
67 + # Old key file is still good. Read it out - processTemplate will work
68 + # out that it hasn't changed, and leave the old one in place
69 + open(K, "$key") or die "Couldn't open key file: $!";
70 + my @key = <K>;
71 + chomp @key;
72 + $OUT = join "\n", @key;
73 + close(K);
74 + return;
75 }
76 # go to somewhere private and safe where we can run programs
77 # as root
78 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-06-01 17:53:55.469000000 -0400
81 @@ -1,13 +1,8 @@
82 {
83 $OUT = '';
84 - # if key is defined, we do not need to geenrate a self signed certificate
85 - # so we do not need to expand openssl.conf
86 - my $key = $modSSL{'key'};
87 - unless ($key and -e $key)
88 - {
89 - use esmith::templates;
90 - esmith::templates::processTemplate({
91 + # let's expand the /etc/openssl.conf configuration
92 + use esmith::templates;
93 + esmith::templates::processTemplate({
94 TEMPLATE_PATH => "/etc/openssl.conf"
95 });
96 - }
97 }
98 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-06-01 17:53:55.702000000 -0400
101 @@ -1,18 +1,19 @@
102 {
103 + use esmith::ssl;
104 my $domain = $DomainName || "localdomain";
105 my $hostname = $SystemName || "localhost";
106 $OUT = '';
107
108 - my $key = $modSSL{'key'};
109 - unless ($key and -e $key)
110 - {
111 - $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
112 - use esmith::templates;
113 - esmith::templates::processTemplate({
114 - TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
115 - OUTPUT_FILENAME => $key,
116 - });
117 - }
118 + # expand default key
119 + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
120 + use esmith::templates;
121 + esmith::templates::processTemplate({
122 + TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
123 + OUTPUT_FILENAME => $dkey,
124 + });
125 +
126 + # choose which key to put in pem
127 + my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
128 open(KEY, $key) or die "Could not open key file: $!";
129 my @key = <KEY>;
130 chomp @key;
131 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
132 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
133 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-06-01 17:53:55.911000000 -0400
134 @@ -1,17 +1,18 @@
135 {
136 + use esmith::ssl;
137 my $domain = $DomainName || "localdomain";
138 my $hostname = $SystemName || "localhost";
139
140 - my $crt = $modSSL{'crt'};
141 - unless ($crt and -e $crt)
142 - {
143 - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
144 - use esmith::templates;
145 - esmith::templates::processTemplate({
146 - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
147 - OUTPUT_FILENAME => $crt,
148 - });
149 - }
150 + # expand default self signed crt
151 + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
152 + use esmith::templates;
153 + esmith::templates::processTemplate({
154 + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
155 + OUTPUT_FILENAME => $dcrt,
156 + });
157 +
158 + # choose crt to add to pem
159 + $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
160 open(CRT, $crt) or die "Could not open crt file: $!";
161 my @crt = <CRT>;
162 chomp @crt;
163 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
164 --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
165 +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-06-01 17:53:56.856000000 -0400
166 @@ -0,0 +1,154 @@
167 +package esmith::ssl;
168 +
169 +use strict;
170 +use warnings;
171 +use esmith::ConfigDB;
172 +
173 +
174 +our @ISA = qw(Exporter);
175 +our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
176 +
177 +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
178 +our $SystemName = $configdb->get('SystemName')->value;
179 +our $DomainName = $configdb->get('DomainName')->value;
180 +our $FQDN = "$SystemName.$DomainName";
181 +
182 +# test key size
183 +# test key exists
184 +=head1 NAME
185 +
186 +esmith::php - A few tools to help with php-fpm installed versions
187 +
188 +=head1 SYNOPSIS
189 +
190 + use esmith::ssl;
191 +
192 + my $booleanK=key_exists_good_size;
193 +
194 +=head1 DESCRIPTION
195 +
196 +This is intended to help playing with installed SSL self-generated certificates and keys.
197 +
198 +=head1 Methods
199 +
200 +
201 +=head2 key_exists_good_size
202 +test key exists, then test key size correct. Obviously it also test that the files is indeed a key
203 +planned to be called in :
204 +/etc/e-smith/templates/home/e-smith/ssl.crt
205 +/etc/e-smith/templates/home/e-smith/ssl.key
206 +
207 +returns 0 if key is missing or wrong size
208 +returns 1 if key exists and key size is correct
209 +
210 +=cut
211 +sub key_exists_good_size {
212 + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
213 + my %modSSL = $configdb->as_hash('modSSL');
214 + my $KeySize = $modSSL{KeySize} ||'4096';
215 + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
216 + if ( -f $key )
217 + {
218 + #print "$key exists\n";
219 + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
220 + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
221 + chomp $signatureKeySize;
222 + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
223 + if ( $signatureKeySize == $KeySize ) {
224 + #print "key size is correct ($KeySize)\n";
225 + # key exists and key size is correct, we can proceed
226 + return 1;
227 + }
228 + }
229 + # key is either missing or wrong key size.
230 + return 0;
231 +}
232 +
233 +
234 +# test key is key
235 +#openssl rsa -check -in $key
236 +
237 +=head2 cert_exists_good_size
238 +# check cert exist
239 +# check cert is cert
240 +# check cert size Public-Key
241 +# openssl rsa -noout -modulus -in domain.key | openssl md5
242 +# openssl x509 -noout -modulus -in domain.crt | openssl md5
243 +
244 +=cut
245 +sub cert_exists_good_size {
246 + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
247 + my %modSSL = $configdb->as_hash('modSSL');
248 + my $KeySize = $modSSL{KeySize} ||'4096';
249 + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
250 + if ( -f $crt )
251 + {
252 + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
253 + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
254 + chomp $signatureKeySize;
255 + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
256 + if ( $signatureKeySize == $KeySize ) {
257 + #print "$signatureKeySize\n";
258 + # cert is correct size and exists, we can proceed.
259 + # next check key and cert are related
260 + # next check cert is still valid
261 + # next check alt name are still the same
262 + return 1;
263 + }
264 + }
265 + return 0;
266 +}
267 +
268 +sub cert_is_cert {
269 + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
270 + if ( -f $crt )
271 + {
272 + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
273 + close STDERR;
274 + my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
275 + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
276 + if ($exit_code==0){
277 + #print "certificate is a certificate\n";
278 + return 1;
279 + }
280 + }
281 + return 0;
282 +}
283 +
284 +sub key_is_key {
285 + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
286 + if ( -f $key )
287 + {
288 + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
289 + close STDERR;
290 + my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
291 + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
292 + if ($exit_code==0){
293 + #print "key is a key\n";
294 + return 1;
295 + }
296 + }
297 + return 0;
298 +}
299 +
300 +sub related_key_cert {
301 + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
302 + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
303 + if ( key_is_key($key) and cert_is_cert($crt) )
304 + {
305 + # check the cert and the key are related, if key has been changed, then we need to change the cert
306 + my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
307 + my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
308 + #print "$key_md5 eq $crt_md5\n";
309 + return 1 if $key_md5 eq $crt_md5;
310 + }
311 + return 0;
312 +}
313 +##TODO migrate those actions from
314 +# check cert is related to key
315 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
316 +# check cert domain and alt
317 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
318 +# check is valid / expiry date
319 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
320 +###################################

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed