/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Diff of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory | Revision Log | View Revision Graph Revision Graph | View Patch Patch

-Revision 1.1 by jpp,
Mon May 31 03:19:21 2021 UTC
+Revision 1.3 by jpp,
Tue Jun  1 22:04:44 2021 UTC
 Line 1
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
  --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt      2021-05-30 22:12:33.595000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt  2021-05-30 23:06:09.991000000 -0400
+ +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt  2021-06-01 17:53:56.640000000 -0400
  @@ -1,5 +1,6 @@
   {
       use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
 Line 36 
 diff -Nur --no-dereference e-smith-base-
               if (
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
  --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key      2021-05-30 22:12:33.596000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key  2021-05-30 23:06:09.728000000 -0400
+ +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key  2021-06-01 17:53:56.402000000 -0400
  @@ -1,26 +1,22 @@
   {
       use Cwd;
 Line 77 
 diff -Nur --no-dereference e-smith-base-
       # as root
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
  --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl    2021-05-30 22:12:33.789000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl        2021-05-30 23:06:08.793000000 -0400
+ +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl        2021-06-01 17:53:55.469000000 -0400
  @@ -1,13 +1,8 @@
   {
       $OUT = '';
 Line 97 
 diff -Nur --no-dereference e-smith-base-
   }
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
  --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key        2021-05-30 22:12:33.789000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key    2021-05-30 23:06:08.992000000 -0400
+ +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key    2021-06-01 17:53:55.702000000 -0400
- @@ -3,16 +3,16 @@
+ @@ -1,18 +1,19 @@
+  {
+ +    use esmith::ssl;
+      my $domain = $DomainName || "localdomain";
       my $hostname = $SystemName || "localhost";
       $OUT = '';
-Line 121 
 diff -Nur --no-dereference e-smith-base-
+Line 124 
 diff -Nur --no-dereference e-smith-base-
  +        });
  +
  +    # choose which key to put in pem
- +    my $key = ( defined $modSSL{'key'} and -f $modSSL{'key'} ) ? $modSSL{'key'}  : $dkey;
+ +    my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'}  : $dkey;
       open(KEY, $key) or die "Could not open key file: $!";
       my @key = <KEY>;
       chomp @key;
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
  --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt        2021-05-30 22:12:33.789000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt    2021-05-30 23:06:09.234000000 -0400
+ +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt    2021-06-01 17:53:55.911000000 -0400
- @@ -2,16 +2,16 @@
+ @@ -1,17 +1,18 @@
+  {
+ +    use esmith::ssl;
       my $domain = $DomainName || "localdomain";
       my $hostname = $SystemName || "localhost";
-Line 151 
 diff -Nur --no-dereference e-smith-base-
+Line 156 
 diff -Nur --no-dereference e-smith-base-
  +        });
  +
  +    # choose crt to add to pem
- +    $crt = ( defined $modSSL{'crt'} and  -f $modSSL{'crt'} )? $modSSL{'crt'} : $dcrt;
+ +    $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
       open(CRT, $crt) or die "Could not open crt file: $!";
       my @crt = <CRT>;
       chomp @crt;
- diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
- --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem        2021-05-30 22:12:33.789000000 -0400
- +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem    2021-05-30 23:06:09.486000000 -0400
- @@ -1,4 +1,6 @@
-  {
- +    my $domain = $DomainName || "localdomain";
- +    my $hostname = $SystemName || "localhost";
-      my $pem = $modSSL{'CertificateChainFile'};
-      if ($pem and -e $pem)
-      {
  diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
  --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm       1969-12-31 19:00:00.000000000 -0500
- +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm   2021-05-30 23:06:10.229000000 -0400
+ +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm   2021-06-01 17:53:56.856000000 -0400
- @@ -0,0 +1,110 @@
+ @@ -0,0 +1,154 @@
  +package esmith::ssl;
  +
  +use strict;
-Line 182 
 diff -Nur --no-dereference e-smith-base-
+Line 177 
 diff -Nur --no-dereference e-smith-base-
  +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
  +our $SystemName = $configdb->get('SystemName')->value;
  +our $DomainName = $configdb->get('DomainName')->value;
+ +our $FQDN = "$SystemName.$DomainName";
  +
  +# test key size
  +# test key exists
-Line 216 
 diff -Nur --no-dereference e-smith-base-
+Line 212 
 diff -Nur --no-dereference e-smith-base-
  +    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
  +    my %modSSL = $configdb->as_hash('modSSL');
  +    my $KeySize = $modSSL{KeySize} ||'4096';
- +    my $FQDN = "$SystemName.$DomainName";
  +    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
  +    if ( -f $key )
  +    {
  +       #print "$key exists\n";
  +        # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
-Line 251 
 diff -Nur --no-dereference e-smith-base-
+Line 246 
 diff -Nur --no-dereference e-smith-base-
  +    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
  +    my %modSSL = $configdb->as_hash('modSSL');
  +    my $KeySize = $modSSL{KeySize} ||'4096';
- +    my $FQDN = "$SystemName.$DomainName";
  +    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
  +    if ( -f $crt )
  +    {
  +       #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
  +       my $signatureKeySize = `openssl x509 -text -noout -in $crt  | grep "Public-Key" | head -1`;
-Line 271 
 diff -Nur --no-dereference e-smith-base-
+Line 265 
 diff -Nur --no-dereference e-smith-base-
  +    return 0;
  +}
  +
+ +sub cert_is_cert {
+ +    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+ +    if ( -f $crt )
+ +    {
+ +        open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
+ +        close STDERR;
+ +       my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
+ +        open STDERR, '>&', $oldout;  # restore the dup'ed filehandle to STDOUT
+ +        if ($exit_code==0){
+ +               #print "certificate is a certificate\n";
+ +                return 1;
+ +        }
+ +    }
+ +    return 0;
+ +}
+ +
+ +sub key_is_key {
+ +    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+ +    if ( -f $key )
+ +    {
+ +       open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
+ +       close STDERR;
+ +        my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
+ +       open STDERR, '>&', $oldout;  # restore the dup'ed filehandle to STDOUT
+ +        if ($exit_code==0){
+ +                #print "key is a key\n";
+ +                return 1;
+ +        }
+ +    }
+ +    return 0;
+ +}
+ +
+ +sub related_key_cert {
+ +    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+ +    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
+ +    if ( key_is_key($key) and cert_is_cert($crt) )
+ +    {
+ +       # check the cert and the key are related, if key has been changed, then we need to change the cert
+ +       my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+ +       my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+ +       #print "$key_md5 eq $crt_md5\n";
+ +       return 1 if $key_md5 eq $crt_md5;
+ +    }
+ +    return 0;
+ +}
  +##TODO migrate those actions from
  +# check cert is related to key
  +# => /etc/e-smith/templates/home/e-smith/ssl.crt

 Legend:



Removed lines/characters
 


Changed lines/characters


 
Added lines/characters
 Legend:



Removed lines/characters
 


Changed lines/characters


 
Added lines/characters
-Removed lines/characters
+Added lines/characters

admin@koozali.org	ViewVC Help
Powered by ViewVC 1.2.1