/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch
ViewVC logotype

Contents of /rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Mon May 31 03:19:21 2021 UTC (3 years, 5 months ago) by jpp
Branch: MAIN
WIP crt

1 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
2 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400
3 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 23:06:09.991000000 -0400
4 @@ -1,5 +1,6 @@
5 {
6 use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
7 + use esmith::ssl;
8 use Date::Parse;
9 use Cwd;
10 use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
11 @@ -38,12 +39,15 @@
12 $email = substr($email, 0, 64);
13 $commonName = substr($commonName, 0, 64);
14
15 - if ( -f $crt )
16 + # if self-signed certificate files exists, is a certificate, and is still valid
17 + if ( cert_exists_good_size )
18 {
19 + # check expiry date, if less than 2 days from now we update it.
20 my $expire = `openssl x509 -enddate -noout -in $crt`;
21 $expire =~ s/^notAfter=//;
22 $expire = str2time($expire);
23 my $ttl_days = ($expire - time()) / 60 / 60 / 24;
24 + # check the cert and the key are related, if key has been changed, then we need to change the cert
25 my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
26 my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
27
28 @@ -63,7 +67,7 @@
29 $signatureAlg =~ s/^ *Signature Algorithm: //;
30
31 # Test for expected subjectAltName
32 - # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
33 + # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
34 $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
35 chomp $expected_subjectAltName;
36 if (
37 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
38 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400
39 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 23:06:09.728000000 -0400
40 @@ -1,26 +1,22 @@
41 {
42 use Cwd;
43 + use esmith::ssl;
44 my $here = getcwd;
45
46 my $KeySize = $modSSL{KeySize} ||'4096';
47 my $FQDN = "$SystemName.$DomainName";
48 my $key = "/home/e-smith/ssl.key/$FQDN.key";
49 - if ( -f $key )
50 + # if key exists and good size, we use it
51 + if ( key_exists_good_size )
52 {
53 - # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
54 - my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
55 - chomp $signatureKeySize;
56 - $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
57 - if ( $signatureKeySize == $KeySize ) {
58 - # Old key file is still good. Read it out - processTemplate will work
59 - # out that it hasn't changed, and leave the old one in place
60 - open(K, "$key") or die "Couldn't open key file: $!";
61 - my @key = <K>;
62 - chomp @key;
63 - $OUT = join "\n", @key;
64 - close(K);
65 - return;
66 - }
67 + # Old key file is still good. Read it out - processTemplate will work
68 + # out that it hasn't changed, and leave the old one in place
69 + open(K, "$key") or die "Couldn't open key file: $!";
70 + my @key = <K>;
71 + chomp @key;
72 + $OUT = join "\n", @key;
73 + close(K);
74 + return;
75 }
76 # go to somewhere private and safe where we can run programs
77 # as root
78 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
79 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400
80 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 23:06:08.793000000 -0400
81 @@ -1,13 +1,8 @@
82 {
83 $OUT = '';
84 - # if key is defined, we do not need to geenrate a self signed certificate
85 - # so we do not need to expand openssl.conf
86 - my $key = $modSSL{'key'};
87 - unless ($key and -e $key)
88 - {
89 - use esmith::templates;
90 - esmith::templates::processTemplate({
91 + # let's expand the /etc/openssl.conf configuration
92 + use esmith::templates;
93 + esmith::templates::processTemplate({
94 TEMPLATE_PATH => "/etc/openssl.conf"
95 });
96 - }
97 }
98 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key
99 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400
100 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 23:06:08.992000000 -0400
101 @@ -3,16 +3,16 @@
102 my $hostname = $SystemName || "localhost";
103 $OUT = '';
104
105 - my $key = $modSSL{'key'};
106 - unless ($key and -e $key)
107 - {
108 - $key = "/home/e-smith/ssl.key/$hostname.$domain.key";
109 - use esmith::templates;
110 - esmith::templates::processTemplate({
111 - TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
112 - OUTPUT_FILENAME => $key,
113 - });
114 - }
115 + # expand default key
116 + my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
117 + use esmith::templates;
118 + esmith::templates::processTemplate({
119 + TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
120 + OUTPUT_FILENAME => $dkey,
121 + });
122 +
123 + # choose which key to put in pem
124 + my $key = ( defined $modSSL{'key'} and -f $modSSL{'key'} ) ? $modSSL{'key'} : $dkey;
125 open(KEY, $key) or die "Could not open key file: $!";
126 my @key = <KEY>;
127 chomp @key;
128 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt
129 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400
130 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 23:06:09.234000000 -0400
131 @@ -2,16 +2,16 @@
132 my $domain = $DomainName || "localdomain";
133 my $hostname = $SystemName || "localhost";
134
135 - my $crt = $modSSL{'crt'};
136 - unless ($crt and -e $crt)
137 - {
138 - $crt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
139 - use esmith::templates;
140 - esmith::templates::processTemplate({
141 - TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
142 - OUTPUT_FILENAME => $crt,
143 - });
144 - }
145 + # expand default self signed crt
146 + my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
147 + use esmith::templates;
148 + esmith::templates::processTemplate({
149 + TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
150 + OUTPUT_FILENAME => $dcrt,
151 + });
152 +
153 + # choose crt to add to pem
154 + $crt = ( defined $modSSL{'crt'} and -f $modSSL{'crt'} )? $modSSL{'crt'} : $dcrt;
155 open(CRT, $crt) or die "Could not open crt file: $!";
156 my @crt = <CRT>;
157 chomp @crt;
158 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem
159 --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 22:12:33.789000000 -0400
160 +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 23:06:09.486000000 -0400
161 @@ -1,4 +1,6 @@
162 {
163 + my $domain = $DomainName || "localdomain";
164 + my $hostname = $SystemName || "localhost";
165 my $pem = $modSSL{'CertificateChainFile'};
166 if ($pem and -e $pem)
167 {
168 diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
169 --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500
170 +++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-30 23:06:10.229000000 -0400
171 @@ -0,0 +1,110 @@
172 +package esmith::ssl;
173 +
174 +use strict;
175 +use warnings;
176 +use esmith::ConfigDB;
177 +
178 +
179 +our @ISA = qw(Exporter);
180 +our @EXPORT = qw( key_exists_good_size cert_exists_good_size );
181 +
182 +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
183 +our $SystemName = $configdb->get('SystemName')->value;
184 +our $DomainName = $configdb->get('DomainName')->value;
185 +
186 +# test key size
187 +# test key exists
188 +=head1 NAME
189 +
190 +esmith::php - A few tools to help with php-fpm installed versions
191 +
192 +=head1 SYNOPSIS
193 +
194 + use esmith::ssl;
195 +
196 + my $booleanK=key_exists_good_size;
197 +
198 +=head1 DESCRIPTION
199 +
200 +This is intended to help playing with installed SSL self-generated certificates and keys.
201 +
202 +=head1 Methods
203 +
204 +
205 +=head2 key_exists_good_size
206 +test key exists, then test key size correct. Obviously it also test that the files is indeed a key
207 +planned to be called in :
208 +/etc/e-smith/templates/home/e-smith/ssl.crt
209 +/etc/e-smith/templates/home/e-smith/ssl.key
210 +
211 +returns 0 if key is missing or wrong size
212 +returns 1 if key exists and key size is correct
213 +
214 +=cut
215 +sub key_exists_good_size {
216 + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
217 + my %modSSL = $configdb->as_hash('modSSL');
218 + my $KeySize = $modSSL{KeySize} ||'4096';
219 + my $FQDN = "$SystemName.$DomainName";
220 + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
221 + if ( -f $key )
222 + {
223 + #print "$key exists\n";
224 + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
225 + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
226 + chomp $signatureKeySize;
227 + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
228 + if ( $signatureKeySize == $KeySize ) {
229 + #print "key size is correct ($KeySize)\n";
230 + # key exists and key size is correct, we can proceed
231 + return 1;
232 + }
233 + }
234 + # key is either missing or wrong key size.
235 + return 0;
236 +}
237 +
238 +
239 +# test key is key
240 +#openssl rsa -check -in $key
241 +
242 +=head2 cert_exists_good_size
243 +# check cert exist
244 +# check cert is cert
245 +# check cert size Public-Key
246 +# openssl rsa -noout -modulus -in domain.key | openssl md5
247 +# openssl x509 -noout -modulus -in domain.crt | openssl md5
248 +
249 +=cut
250 +sub cert_exists_good_size {
251 + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
252 + my %modSSL = $configdb->as_hash('modSSL');
253 + my $KeySize = $modSSL{KeySize} ||'4096';
254 + my $FQDN = "$SystemName.$DomainName";
255 + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
256 + if ( -f $crt )
257 + {
258 + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
259 + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
260 + chomp $signatureKeySize;
261 + $signatureKeySize =~ s/^ *Public-Key: \((.*) bit\)/$1/p;
262 + if ( $signatureKeySize == $KeySize ) {
263 + #print "$signatureKeySize\n";
264 + # cert is correct size and exists, we can proceed.
265 + # next check key and cert are related
266 + # next check cert is still valid
267 + # next check alt name are still the same
268 + return 1;
269 + }
270 + }
271 + return 0;
272 +}
273 +
274 +##TODO migrate those actions from
275 +# check cert is related to key
276 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
277 +# check cert domain and alt
278 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
279 +# check is valid / expiry date
280 +# => /etc/e-smith/templates/home/e-smith/ssl.crt
281 +###################################

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed