diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-06-01 17:53:56.640000000 -0400 @@ -1,5 +1,6 @@ { use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365; + use esmith::ssl; use Date::Parse; use Cwd; use Net::IP qw(ip_is_ipv4 ip_is_ipv6); @@ -38,12 +39,15 @@ $email = substr($email, 0, 64); $commonName = substr($commonName, 0, 64); - if ( -f $crt ) + # if self-signed certificate files exists, is a certificate, and is still valid + if ( cert_exists_good_size ) { + # check expiry date, if less than 2 days from now we update it. my $expire = `openssl x509 -enddate -noout -in $crt`; $expire =~ s/^notAfter=//; $expire = str2time($expire); my $ttl_days = ($expire - time()) / 60 / 60 / 24; + # check the cert and the key are related, if key has been changed, then we need to change the cert my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`; my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; 
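Review bot: The new comment over `if ( cert_exists_good_size )` says the helper checks that the file is a certificate and is still valid, but esmith::ssl::cert_exists_good_size only compares the `Public-Key:` size with modSSL KeySize; expiry comes from the `$ttl_days` computation below and the is-a-certificate test lives in the separate cert_is_cert helper, so reword it to `# if the self-signed certificate exists with the configured key size (expiry and key/cert match are checked below)`. The helper is also called without an argument, so it inspects the module's default `/home/e-smith/ssl.crt/$FQDN.crt` while the openssl calls that follow read `$crt`; passing it explicitly, `if ( cert_exists_good_size($crt) )`, keeps both on the same file (where `$crt` is set is outside this hunk, so confirm the two paths currently coincide). The template block starts before and continues after this hunk.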
@@ -63,7 +67,7 @@ $signatureAlg =~ s/^ *Signature Algorithm: //; # Test for expected subjectAltName - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }' + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }' $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`; chomp $expected_subjectAltName; if ( diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-06-01 17:53:56.402000000 -0400 
@@ -1,26 +1,22 @@ { use Cwd; + use esmith::ssl; my $here = getcwd; my $KeySize = $modSSL{KeySize} ||'4096'; my $FQDN = "$SystemName.$DomainName"; my $key = "/home/e-smith/ssl.key/$FQDN.key"; - if ( -f $key ) + # if key exists and good size, we use it + if ( key_exists_good_size ) { - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p" - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`; - chomp $signatureKeySize; - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p; - if ( $signatureKeySize == $KeySize ) { - # Old key file is still good. Read it out - processTemplate will work - # out that it hasn't changed, and leave the old one in place - open(K, "$key") or die "Couldn't open key file: $!"; - my @key = ; - chomp @key; - $OUT = join "\n", @key; - close(K); - return; - } + # Old key file is still good. Read it out - processTemplate will work + # out that it hasn't changed, and leave the old one in place + open(K, "$key") or die "Couldn't open key file: $!"; + my @key = ; + chomp @key; + $OUT = join "\n", @key; + close(K); + return; } # go to somewhere private and safe where we can run programs # as root diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-06-01 17:53:55.469000000 -0400 
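Review bot: `key_exists_good_size` is called without an argument, so it tests the module's default `/home/e-smith/ssl.key/$FQDN.key` (with `$FQDN` read from the config db when esmith::ssl loads) rather than the `$key` this fragment computes two lines earlier; pass it explicitly, `if ( key_exists_good_size($key) )`, so the size check and the read below target the same file. The re-indented read keeps a bareword handle with a 2-arg open; `open(my $kfh, '<', $key) or die "Couldn't open key file $key: $!";` followed by `my @key = <$kfh>;` avoids mode characters in the path being interpreted and scopes the handle (the `my @key = ;` shown here is presumably `<K>` lost in rendering). The fragment continues past the hunk with the key generation.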
@@ -1,13 +1,8 @@
 {
 $OUT = '';
- # if key is defined, we do not need to geenrate a self signed certificate
- # so we do not need to expand openssl.conf
- my $key = $modSSL{'key'};
- unless ($key and -e $key)
- {
- use esmith::templates;
- esmith::templates::processTemplate({
+ # let's expand the /etc/openssl.conf configuration
+ use esmith::templates;
+ esmith::templates::processTemplate({
 TEMPLATE_PATH => "/etc/openssl.conf"
 });
- }
 }
diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-06-01 17:53:55.702000000 -0400
@@ -1,18 +1,19 @@ { + use esmith::ssl; my $domain = $DomainName || "localdomain"; my $hostname = $SystemName || "localhost"; $OUT = ''; - my $key = $modSSL{'key'}; - unless ($key and -e $key) - { - $key = "/home/e-smith/ssl.key/$hostname.$domain.key"; - use esmith::templates; - esmith::templates::processTemplate({ - TEMPLATE_PATH => "/home/e-smith/ssl.key/key", - OUTPUT_FILENAME => $key, - }); - } + # expand default key + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key"; + use esmith::templates; + esmith::templates::processTemplate({ + TEMPLATE_PATH => "/home/e-smith/ssl.key/key", + OUTPUT_FILENAME => $dkey, + }); + + # choose which key to put in pem + my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey; open(KEY, $key) or die "Could not open key file: $!"; my @key = ; chomp @key; diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-06-01 17:53:55.911000000 -0400 
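Review bot: When `$modSSL{'key'}` and `$modSSL{'crt'}` are both set but related_key_cert rejects them, the new ternary silently falls back to the self-signed `$dkey`, so a mis-deployed custom certificate is only noticed when clients are served the wrong cert. Logging the rejection on that path tells the administrator why the configured pair was ignored; the shape below keeps the same choice but warns. The `open(KEY, $key)` that follows is unchanged context, and the fragment continues past the hunk.
```perl
    # choose which key to put in pem; say why a configured pair is rejected
    my $key = $dkey;
    if ( defined $modSSL{'key'} and defined $modSSL{'crt'} )
    {
        if ( related_key_cert($modSSL{'key'}, $modSSL{'crt'}) )
        {
            $key = $modSSL{'key'};
        }
        else
        {
            warn "modSSL key $modSSL{'key'} does not match certificate $modSSL{'crt'}; using $dkey instead\n";
        }
    }
    # … unchanged: open/read of $key …
```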
@@ -1,17 +1,18 @@ { + use esmith::ssl; my $domain = $DomainName || "localdomain"; my $hostname = $SystemName || "localhost"; - my $crt = $modSSL{'crt'}; - unless ($crt and -e $crt) - { - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt"; - use esmith::templates; - esmith::templates::processTemplate({ - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt", - OUTPUT_FILENAME => $crt, - }); - } + # expand default self signed crt + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt"; + use esmith::templates; + esmith::templates::processTemplate({ + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt", + OUTPUT_FILENAME => $dcrt, + }); + + # choose crt to add to pem + $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt; open(CRT, $crt) or die "Could not open crt file: $!"; my @crt = ; chomp @crt; diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-06-01 17:53:56.856000000 -0400 
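Review bot: `$crt = ( defined $modSSL{'key'} ... ) ? $modSSL{'crt'} : $dcrt;` drops the `my` the removed line had, so `$crt` is either a strict-mode error or a package global leaking into the template namespace; write `my $crt = ...` as 20key does with `my $key`. This fragment also repeats 20key's key/cert decision independently, so if related_key_cert answers differently in the two expansions (for example the configured files change in between) the pem would pair a key with a certificate it does not belong to; computing the decision once and sharing it, or at least warning when the configured pair is rejected, would make that visible. The fragment continues past the hunk with the read of `$crt`.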
@@ -0,0 +1,154 @@ +package esmith::ssl; + +use strict; +use warnings; +use esmith::ConfigDB; + + +our @ISA = qw(Exporter); +our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert); + +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; +our $SystemName = $configdb->get('SystemName')->value; +our $DomainName = $configdb->get('DomainName')->value; +our $FQDN = "$SystemName.$DomainName"; + +# test key size +# test key exists +=head1 NAME + +esmith::php - A few tools to help with php-fpm installed versions + +=head1 SYNOPSIS + + use esmith::ssl; + + my $booleanK=key_exists_good_size; + +=head1 DESCRIPTION + +This is intended to help playing with installed SSL self-generated certificates and keys. + +=head1 Methods + + +=head2 key_exists_good_size +test key exists, then test key size correct. Obviously it also test that the files is indeed a key +planned to be called in : +/etc/e-smith/templates/home/e-smith/ssl.crt +/etc/e-smith/templates/home/e-smith/ssl.key + +returns 0 if key is missing or wrong size +returns 1 if key exists and key size is correct + +=cut +sub key_exists_good_size { + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; + my %modSSL = $configdb->as_hash('modSSL'); + my $KeySize = $modSSL{KeySize} ||'4096'; + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key"; + if ( -f $key ) + { + #print "$key exists\n"; + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p" + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`; + chomp $signatureKeySize; + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p; + if ( $signatureKeySize == $KeySize ) { + #print "key size is correct ($KeySize)\n"; + # key exists and key size is correct, we can proceed + return 1; + } + } + # key is either missing or wrong key size. 
+ return 0; +} + + +# test key is key +#openssl rsa -check -in $key + +=head2 cert_exists_good_size +# check cert exist +# check cert is cert +# check cert size Public-Key +# openssl rsa -noout -modulus -in domain.key | openssl md5 +# openssl x509 -noout -modulus -in domain.crt | openssl md5 + +=cut +sub cert_exists_good_size { + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; + my %modSSL = $configdb->as_hash('modSSL'); + my $KeySize = $modSSL{KeySize} ||'4096'; + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; + if ( -f $crt ) + { + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p" + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`; + chomp $signatureKeySize; + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p; + if ( $signatureKeySize == $KeySize ) { + #print "$signatureKeySize\n"; + # cert is correct size and exists, we can proceed. + # next check key and cert are related + # next check cert is still valid + # next check alt name are still the same + return 1; + } + } + return 0; +} + +sub cert_is_cert { + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; + if ( -f $crt ) + { + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle + close STDERR; + my $exit_code=system("openssl","x509", "-noout", "-in", "$crt"); + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT + if ($exit_code==0){ + #print "certificate is a certificate\n"; + return 1; + } + } + return 0; +} + +sub key_is_key { + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key"; + if ( -f $key ) + { + open my $oldout, ">&STDERR"; # "dup" the stdout filehandle + close STDERR; + my $exit_code=system("openssl","rsa", "-noout", "-in", "$key"); + open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT + if ($exit_code==0){ + #print "key is a key\n"; + return 1; + } + } + return 0; +} + +sub related_key_cert { + my $key = 
shift || "/home/e-smith/ssl.key/$FQDN.key"; + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; + if ( key_is_key($key) and cert_is_cert($crt) ) + { + # check the cert and the key are related, if key has been changed, then we need to change the cert + my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`; + my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; + #print "$key_md5 eq $crt_md5\n"; + return 1 if $key_md5 eq $crt_md5; + } + return 0; +} +##TODO migrate those actions from +# check cert is related to key +# => /etc/e-smith/templates/home/e-smith/ssl.crt +# check cert domain and alt +# => /etc/e-smith/templates/home/e-smith/ssl.crt +# check is valid / expiry date +# => /etc/e-smith/templates/home/e-smith/ssl.crt +###################################
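Review bot: related_key_cert and key_is_key only handle RSA keys because they shell out to `openssl rsa`; an EC key/cert pair (which the dehydrated setup referenced in the ssl.crt comments can produce) fails key_is_key, and the 20key/40crt callers then silently fall back to the self-signed pair. Comparing the public keys instead of an RSA modulus makes the check key-type agnostic (and `openssl pkey -noout -in $key` does the same for key_is_key), and running the commands without a shell avoids interpolating the configured paths; the rewrite is below. The size parsing in key_exists_good_size and cert_exists_good_size also assumes openssl prints exactly `Private-Key: (N bit)`; a build that prints `(N bit, 2 primes)` leaves the whole line in `$signatureKeySize`, the numeric `==` fails, and the key is regenerated on every expansion, so capture the digits with `my ($bits) = $signatureKeySize =~ /\((\d+) bit/;` and compare `$bits`. Smaller items: the POD NAME still reads `esmith::php - A few tools to help with php-fpm installed versions`, `our @ISA = qw(Exporter)` has no `use Exporter;`, the `die` messages say "accounts db" for the configuration db, and the file ends without a `1;` (it presumably loads only because the last executed statement is the `$FQDN` assignment).
```perl
# … unchanged: key_exists_good_size, cert_exists_good_size, cert_is_cert, key_is_key …

# run a command without a shell and return its stdout, undef on failure
sub _capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or return;
    local $/;
    my $out = <$fh>;
    close($fh) or return;
    return $out;
}

sub related_key_cert {
    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
    return 0 unless key_is_key($key) and cert_is_cert($crt);
    # compare the public keys rather than an RSA-only modulus, so EC pairs are accepted too
    my $key_pub = _capture('openssl', 'pkey', '-in', $key, '-pubout');
    my $crt_pub = _capture('openssl', 'x509', '-in', $crt, '-pubkey', '-noout');
    return ( defined $key_pub and defined $crt_pub and $key_pub eq $crt_pub ) ? 1 : 0;
}
```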