/[smeserver]/rpms/e-smith-base/sme10/e-smith-base-5.8.0.bz8156.wildcard-certificate-and-subjaltname.patch
ViewVC logotype

Annotation of /rpms/e-smith-base/sme10/e-smith-base-5.8.0.bz8156.wildcard-certificate-and-subjaltname.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (hide annotations) (download)
Sun Jun 6 20:38:54 2021 UTC (3 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
5.8.1

1 jpp 1.1 diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
2     --- e-smith-base-5.8.0.old/createlinks 2020-05-24 21:54:20.596000000 -0400
3     +++ e-smith-base-5.8.0/createlinks 2020-05-24 22:27:18.340000000 -0400
4     @@ -110,6 +110,17 @@
5     templates2events("/etc/updatedb.conf", qw(
6     bootstrap-console-save
7     ));
8     +templates2events("/etc/openssl.conf", qw(
9     + console-save
10     + bootstrap-console-save
11     + post-install
12     + post-upgrade
13     + domain-create
14     + domain-delete
15     + network-create
16     + network-delete
17     + ip-change
18     + ));
19    
20     # conf-routes
21     event_link("update-ifcfg", "network-create", "05");
22     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
23     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
24     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config 2020-05-24 21:56:25.742000000 -0400
25     @@ -0,0 +1,38 @@
26     +{
27     +# use Data::Validate::IP;
28     + use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
29     + our $KeySize = $modSSL{KeySize} ||'4096';
30     + our $FQDN = "$SystemName.$DomainName";
31     + our $Country = $modSSL{Country} || "--";
32     + our $State = $modSSL{State} || "----";
33     + our $commonName = $modSSL{CommonName} || $FQDN;
34     + our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
35     + our $key = "/home/e-smith/ssl.key/$FQDN.key";
36     + our $defaultCity = $ldap{defaultCity};
37     + our $defaultCompany = $ldap{defaultCompany};
38     + our $defaultDepartment = $ldap{defaultDepartment};
39     + our $email = "admin\@$DomainName";
40     + our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
41     + chomp @subjectAlt;
42     + our $subjectAltName = "";
43     + my $i=0;
44     + for my $elem (@subjectAlt) {
45     + $subjectAltName .= ", " if $i>0;
46     + $i++;
47     + if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
48     + $subjectAltName .= "IP:$elem";
49     + next;
50     + }
51     + $subjectAltName .= "DNS:$elem";
52     + }
53     + $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
54     +
55     + # crop fields that are too long for X509:
56     + $Country = substr($Country, 0, 2);
57     + $defaultCity = substr($defaultCity, 0, 128);
58     + $defaultCompany = substr($defaultCompany, 0, 64);
59     + $defaultDepartment = substr($defaultDepartment, 0, 64);
60     + $email = substr($email, 0, 64);
61     + $commonName = substr($commonName, 0, 64);
62     + $OUT="";
63     +}
64     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
65     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req 1969-12-31 19:00:00.000000000 -0500
66     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req 2020-05-24 21:56:25.790000000 -0400
67     @@ -0,0 +1,10 @@
68     +[ req ]
69     +default_bits = {$KeySize}
70     +prompt = no
71     +default_md = sha256
72     +default_keyfile = {$key}
73     +distinguished_name = req_distinguished_name
74     +attributes = req_attributes
75     +x509_extensions = v3_ca
76     +req_extensions = v3_req
77     +
78     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
79     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
80     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 2020-05-24 21:56:25.817000000 -0400
81     @@ -0,0 +1,9 @@
82     +[ req_distinguished_name ]
83     +C = {$Country}
84     +ST = {$State}
85     +L = {$defaultCity}
86     +O = {$defaultCompany}
87     +OU = {$defaultDepartment}
88     +CN = {$commonName}
89     +emailAddress = {$email}
90     +
91     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
92     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
93     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 2020-05-24 21:56:25.840000000 -0400
94     @@ -0,0 +1,3 @@
95     +[ req_attributes ]
96     +
97     +
98     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
99     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
100     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 2020-05-24 21:56:25.864000000 -0400
101     @@ -0,0 +1,3 @@
102     +[ v3_req ]
103     +subjectAltName = {$subjectAltName}
104     +
105     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
106     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 1969-12-31 19:00:00.000000000 -0500
107     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 2020-05-24 21:56:25.902000000 -0400
108     @@ -0,0 +1,5 @@
109     +[ v3_ca ]
110     +subjectKeyIdentifier=hash
111     +authorityKeyIdentifier=keyid:always,issuer:always
112     +basicConstraints = CA:true
113     +
114     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
115     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 21:54:20.613000000 -0400
116     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 22:00:04.300000000 -0400
117     @@ -1,9 +1,12 @@
118     {
119     - use constant KEYLIFEINDAYS => 365;
120     + use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
121     use Date::Parse;
122     use Cwd;
123     + use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
124     my $here = getcwd;
125    
126     + my $Country = $modSSL{Country} || "--";
127     + my $State = $modSSL{State} || "----";
128     my $FQDN = "$SystemName.$DomainName";
129     my $commonName = $modSSL{CommonName} || $FQDN;
130     my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
131     @@ -12,8 +15,23 @@
132     my $defaultCompany = $ldap{defaultCompany};
133     my $defaultDepartment = $ldap{defaultDepartment};
134     my $email = "admin\@$DomainName";
135     -
136     + my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
137     + chomp @subjectAlt;
138     + our $subjectAltName = "";
139     + my $i=0;
140     + for my $elem (@subjectAlt) {
141     + $subjectAltName .= "," if $i>0;
142     + $i++;
143     + if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
144     + $subjectAltName .= "IP Address:$elem";
145     + next;
146     + }
147     + $subjectAltName .= "DNS:$elem";
148     + }
149     + $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
150     + chomp $subjectAltName;
151     # crop fields that are too long for X509:
152     + $Country = substr($Country, 0, 2);
153     $defaultCity = substr($defaultCity, 0, 128);
154     $defaultCompany = substr($defaultCompany, 0, 64);
155     $defaultDepartment = substr($defaultDepartment, 0, 64);
156     @@ -26,10 +44,12 @@
157     $expire =~ s/^notAfter=//;
158     $expire = str2time($expire);
159     my $ttl_days = ($expire - time()) / 60 / 60 / 24;
160     + my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
161     + my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
162    
163     - if ( $ttl_days > 2 ) {
164     - my $expected_issuer = '/C=--' .
165     - '/ST=----';
166     + if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
167     + my $expected_issuer = '/C='.$Country .
168     + '/ST='.$State;
169     $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
170     $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
171     $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
172     @@ -41,10 +61,15 @@
173     my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
174     chomp $signatureAlg;
175     $signatureAlg =~ s/^ *Signature Algorithm: //;
176     -
177     +
178     + # Test for expected subjectAltName
179     + # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
180     + $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
181     + chomp $expected_subjectAltName;
182     if (
183     ($issuer eq $expected_issuer)
184     && ($signatureAlg ne "sha1WithRSAEncryption")
185     + && ($subjectAltName eq $expected_subjectAltName)
186     )
187     {
188     # Old key file is still good. Read it out - processTemplate will work
189     @@ -70,38 +95,17 @@
190    
191     unless (open(SSL,"-|"))
192     {
193     - my $pid = open(RSACERT, "|-");
194     - if ($pid)
195     - {
196     - # parent
197     -
198     - foreach (
199     - "--",
200     - "----",
201     - "$defaultCity",
202     - "$defaultCompany",
203     - "$defaultDepartment",
204     - "$commonName",
205     - "$email"
206     - )
207     - {
208     - print RSACERT "$_\n";
209     - }
210     - close(RSACERT) || die "RSACERT kid exited $?";
211     - exit (0);
212     - }
213     - else
214     - {
215     # child
216     exec("/usr/bin/openssl",
217     qw(req -new -key),
218     $key,
219     - qw(-sha256 -x509 -days), KEYLIFEINDAYS,
220     + qw( -sha256 -x509 -days), KEYLIFEINDAYS,
221     qw(-set_serial), time(),
222     + qw(-extensions v3_req),
223     + qw(-config), "/etc/openssl.conf"
224     )
225     || die "can't exec program: $!";
226     # NOTREACHED
227     - }
228     }
229     while (<SSL>)
230     {
231     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
232     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2014-03-23 22:47:23.000000000 -0400
233     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2020-05-24 22:02:57.282000000 -0400
234     @@ -2,18 +2,25 @@
235     use Cwd;
236     my $here = getcwd;
237    
238     + my $KeySize = $modSSL{KeySize} ||'4096';
239     my $FQDN = "$SystemName.$DomainName";
240     my $key = "/home/e-smith/ssl.key/$FQDN.key";
241     if ( -f $key )
242     {
243     - # Old key file is still good. Read it out - processTemplate will work
244     - # out that it hasn't changed, and leave the old one in place
245     - open(K, "$key") or die "Couldn't open key file: $!";
246     - my @key = <K>;
247     - chomp @key;
248     - $OUT = join "\n", @key;
249     - close(K);
250     - return;
251     + # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
252     + my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
253     + chomp $signatureKeySize;
254     + $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
255     + if ( $signatureKeySize == $KeySize ) {
256     + # Old key file is still good. Read it out - processTemplate will work
257     + # out that it hasn't changed, and leave the old one in place
258     + open(K, "$key") or die "Couldn't open key file: $!";
259     + my @key = <K>;
260     + chomp @key;
261     + $OUT = join "\n", @key;
262     + close(K);
263     + return;
264     + }
265     }
266     # go to somewhere private and safe where we can run programs
267     # as root
268     @@ -42,7 +49,7 @@
269     /proc/rtc
270     /proc/uptime
271     )),
272     - '2048')
273     + "$KeySize")
274     || die "can't exec program: $!";
275     }
276     while (<SSL>)
277     diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
278     --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 1969-12-31 19:00:00.000000000 -0500
279     +++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2020-05-24 22:26:40.181000000 -0400
280     @@ -0,0 +1,13 @@
281     +{
282     + $OUT = '';
283     + # if key is defined, we do not need to geenrate a self signed certificate
284     + # so we do not need to expand openssl.conf
285     + my $key = $modSSL{'key'};
286     + unless ($key)
287     + {
288     + use esmith::templates;
289     + esmith::templates::processTemplate({
290     + TEMPLATE_PATH => "/etc/openssl.conf"
291     + });
292     + }
293     +}
294     diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
295     --- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames 1969-12-31 19:00:00.000000000 -0500
296     +++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames 2020-05-24 21:59:09.488000000 -0400
297     @@ -0,0 +1,91 @@
298     +#!/usr/bin/perl -w
299     +
300     +#----------------------------------------------------------------------
301     +#
302     +# generate-subjectaltnames
303     +#
304     +# This script returns a list of hostnames and IP addresses that
305     +# can be used to construct the list of subjectAltName entries
306     +# for a web server certificate.
307     +#
308     +# Usage: generate-subjectaltnames
309     +#
310     +# Copyright 1999-2003 Mitel Networks Corporation
311     +# This program is free software; you can redistribute it and/or
312     +# modify it under the same terms as Perl itself.
313     +#
314     +#----------------------------------------------------------------------
315     +
316     +use esmith::ConfigDB;
317     +
318     +my $configuration = esmith::ConfigDB->open_ro('configuration')
319     + or die "Couldn't open configuration DB\n";
320     +
321     +my %results_dict = ();
322     +
323     +#----------------------------------------------------------------------
324     +# Add FQDN, system name and the domain name.
325     +#----------------------------------------------------------------------
326     +
327     +$SystemName = $configuration->get('SystemName')->value;
328     +$DomainName = $configuration->get('DomainName')->value;
329     +
330     +$results_dict{$SystemName . '.' . $DomainName} = 1;
331     +$results_dict{$SystemName} = 1;
332     +$results_dict{$DomainName} = 1;
333     +
334     +#----------------------------------------------------------------------
335     +# Add a wildcard entry for domain name.
336     +#----------------------------------------------------------------------
337     +
338     +$results_dict{'*.' . $DomainName} = 1;
339     +
340     +#----------------------------------------------------------------------
341     +# Add IP addresses for the various interfaces.
342     +#----------------------------------------------------------------------
343     +
344     +foreach $Interface ('InternalInterface',
345     + 'ExternalInterface',
346     + 'ExternalInterface2')
347     +{
348     + $Interface_Record = $configuration->get($Interface);
349     + if ($Interface_Record)
350     + {
351     + if ($Interface_Record->prop('Configuration') eq 'static')
352     + {
353     + if ($Interface_Record->prop('IPAddress'))
354     + {
355     + $results_dict{$Interface_Record->prop('IPAddress')} = 1;
356     + }
357     + }
358     + }
359     +}
360     +
361     +#----------------------------------------------------------------------
362     +# Add any alternate names specified in the modSSL config DB.
363     +#----------------------------------------------------------------------
364     +
365     +$modSSL = $configuration->get('modSSL');
366     +if ($modSSL)
367     +{
368     + $AlternateNames = $modSSL->prop('AlternateNames');
369     + if ($AlternateNames)
370     + {
371     + foreach $AlternateName (split(',', $AlternateNames))
372     + {
373     + $AlternateName =~ s/\s//g;
374     + $results_dict{$AlternateName} = 1;
375     + }
376     + }
377     +}
378     +
379     +#----------------------------------------------------------------------
380     +# Output the sorted list of entries.
381     +#----------------------------------------------------------------------
382     +
383     +foreach (sort keys %results_dict)
384     +{
385     + print "$_\n";
386     +}
387     +
388     +exit(0);

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed