e-smith-base/sme10/e-smith-base-5.8.0.bz8156.wildcard-certificate-and-subjaltname.patch

diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
--- e-smith-base-5.8.0.old/createlinks  2020-05-24 21:54:20.596000000 -0400
+++ e-smith-base-5.8.0/createlinks      2020-05-24 22:27:18.340000000 -0400
@@ -110,6 +110,17 @@
 templates2events("/etc/updatedb.conf", qw(
     bootstrap-console-save
 ));
+templates2events("/etc/openssl.conf",  qw(
+        console-save
+        bootstrap-console-save
+        post-install
+        post-upgrade
+       domain-create
+       domain-delete
+       network-create
+       network-delete
+        ip-change
+        ));
 
 # conf-routes
 event_link("update-ifcfg", "network-create", "05");
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config     2020-05-24 21:56:25.742000000 -0400
@@ -0,0 +1,38 @@
+{
+#    use Data::Validate::IP;
+    use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
+    our $KeySize = $modSSL{KeySize} ||'4096';
+    our $FQDN = "$SystemName.$DomainName";
+    our $Country = $modSSL{Country} || "--";
+    our $State = $modSSL{State} || "----";
+    our $commonName = $modSSL{CommonName} || $FQDN;
+    our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
+    our $key = "/home/e-smith/ssl.key/$FQDN.key";
+    our $defaultCity = $ldap{defaultCity};
+    our $defaultCompany = $ldap{defaultCompany};
+    our $defaultDepartment = $ldap{defaultDepartment};
+    our $email = "admin\@$DomainName";
+    our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+    chomp @subjectAlt;
+    our $subjectAltName = "";
+       my $i=0;
+       for my $elem (@subjectAlt) {
+               $subjectAltName .= ", " if $i>0;
+               $i++;
+               if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+               $subjectAltName .= "IP:$elem";
+               next;
+               }
+               $subjectAltName .= "DNS:$elem";
+       }
+    $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+
+    # crop fields that are too long for X509:
+    $Country = substr($Country, 0, 2);
+    $defaultCity = substr($defaultCity, 0, 128);
+    $defaultCompany = substr($defaultCompany, 0, 64);
+    $defaultDepartment = substr($defaultDepartment, 0, 64);
+    $email = substr($email, 0, 64);
+    $commonName = substr($commonName, 0, 64);
+    $OUT="";
+}
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req        2020-05-24 21:56:25.790000000 -0400
@@ -0,0 +1,10 @@
+[ req ]
+default_bits            = {$KeySize}
+prompt                         = no
+default_md             = sha256
+default_keyfile         = {$key}
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions                = v3_ca
+req_extensions         = v3_req
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name     2020-05-24 21:56:25.817000000 -0400
@@ -0,0 +1,9 @@
+[ req_distinguished_name ]
+C                              = {$Country}
+ST                             = {$State}
+L                               = {$defaultCity}
+O                              = {$defaultCompany}
+OU                             = {$defaultDepartment}
+CN                             = {$commonName}
+emailAddress                    = {$email}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes     2020-05-24 21:56:25.840000000 -0400
@@ -0,0 +1,3 @@
+[ req_attributes ]
+
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req     2020-05-24 21:56:25.864000000 -0400
@@ -0,0 +1,3 @@
+[ v3_req ]
+subjectAltName = {$subjectAltName}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca  1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca      2020-05-24 21:56:25.902000000 -0400
@@ -0,0 +1,5 @@
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt      2020-05-24 21:54:20.613000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt  2020-05-24 22:00:04.300000000 -0400
@@ -1,9 +1,12 @@
 {
-    use constant KEYLIFEINDAYS => 365;
+    use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
     use Date::Parse;
     use Cwd;
+    use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
     my $here = getcwd;
 
+    my $Country = $modSSL{Country} || "--";
+    my $State = $modSSL{State} || "----";
     my $FQDN = "$SystemName.$DomainName";
     my $commonName = $modSSL{CommonName} || $FQDN;
     my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
@@ -12,8 +15,23 @@
     my $defaultCompany = $ldap{defaultCompany};
     my $defaultDepartment = $ldap{defaultDepartment};
     my $email = "admin\@$DomainName";
-
+    my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+    chomp @subjectAlt;
+    our $subjectAltName = "";
+        my $i=0;
+        for my $elem (@subjectAlt) {
+                $subjectAltName .= "," if $i>0;
+                $i++;
+                if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+                $subjectAltName .= "IP Address:$elem";
+                next;
+                }
+                $subjectAltName .= "DNS:$elem";
+        }
+    $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+    chomp $subjectAltName;
     # crop fields that are too long for X509:
+    $Country = substr($Country, 0, 2);
     $defaultCity = substr($defaultCity, 0, 128); 
     $defaultCompany = substr($defaultCompany, 0, 64); 
     $defaultDepartment = substr($defaultDepartment, 0, 64); 
@@ -26,10 +44,12 @@
         $expire =~ s/^notAfter=//;
         $expire = str2time($expire);
         my $ttl_days = ($expire - time()) / 60 / 60 / 24;
+       my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+       my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
-        if ( $ttl_days > 2 ) {
-            my $expected_issuer = '/C=--' .
-                              '/ST=----';
+        if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
+            my $expected_issuer = '/C='.$Country .
+                              '/ST='.$State;
             $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
             $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
             $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
@@ -41,10 +61,15 @@
             my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
             chomp $signatureAlg;
             $signatureAlg =~ s/^ *Signature Algorithm: //;
-
+           
+           # Test for expected subjectAltName
+            # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
+           $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
+           chomp $expected_subjectAltName;
             if (
                         ($issuer eq $expected_issuer)
                      && ($signatureAlg ne "sha1WithRSAEncryption")
+                     && ($subjectAltName eq $expected_subjectAltName)
             )
            {
                # Old key file is still good. Read it out - processTemplate will work
@@ -70,38 +95,17 @@
 
     unless (open(SSL,"-|"))
     {
-       my $pid = open(RSACERT, "|-");
-       if ($pid)
-       {
-           # parent
-
-           foreach (
-                   "--",
-                   "----",
-                   "$defaultCity",
-                   "$defaultCompany",
-                   "$defaultDepartment",
-                   "$commonName",
-                   "$email"
-                   )
-           {
-               print RSACERT "$_\n";
-           }
-           close(RSACERT) || die "RSACERT kid exited $?";
-           exit (0);
-       }
-       else
-       {
            # child
            exec("/usr/bin/openssl",
                qw(req -new -key),
                $key,
-               qw(-sha256 -x509 -days), KEYLIFEINDAYS,
+               qw( -sha256 -x509 -days), KEYLIFEINDAYS,
                qw(-set_serial), time(),
+               qw(-extensions v3_req),
+               qw(-config), "/etc/openssl.conf" 
                )
                    || die "can't exec program: $!";
            # NOTREACHED
-       }
     }
     while (<SSL>)
     {
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key      2014-03-23 22:47:23.000000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key  2020-05-24 22:02:57.282000000 -0400
@@ -2,18 +2,25 @@
     use Cwd;
     my $here = getcwd;
 
+    my $KeySize = $modSSL{KeySize} ||'4096';
     my $FQDN = "$SystemName.$DomainName";
     my $key = "/home/e-smith/ssl.key/$FQDN.key";
     if ( -f $key )
     {
-       # Old key file is still good. Read it out - processTemplate will work
-       # out that it hasn't changed, and leave the old one in place
-       open(K, "$key") or die "Couldn't open key file: $!";
-       my @key = <K>;
-       chomp @key;
-       $OUT = join "\n", @key;
-       close(K);
-       return;
+       # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
+        my $signatureKeySize = `openssl rsa -in  $key -text -noout | grep "Private-Key" | head -1`;
+        chomp $signatureKeySize;
+        $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
+       if ( $signatureKeySize == $KeySize ) {
+               # Old key file is still good. Read it out - processTemplate will work
+               # out that it hasn't changed, and leave the old one in place
+               open(K, "$key") or die "Couldn't open key file: $!";
+               my @key = <K>;
+               chomp @key;
+               $OUT = join "\n", @key;
+               close(K);
+               return;
+       }
     }
     # go to somewhere private and safe where we can run programs
     # as root
@@ -42,7 +49,7 @@
                /proc/rtc
                /proc/uptime
                )),
-           '2048')
+           "$KeySize")
            || die "can't exec program: $!";
     }
     while (<SSL>)
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl        2020-05-24 22:26:40.181000000 -0400
@@ -0,0 +1,13 @@
+{
+    $OUT = '';
+    # if key is defined, we do not need to geenrate a self signed certificate
+    # so we do not need to expand openssl.conf
+    my $key = $modSSL{'key'};
+    unless ($key)
+    {
+        use esmith::templates;
+        esmith::templates::processTemplate({
+            TEMPLATE_PATH => "/etc/openssl.conf"
+            });
+    }
+}
diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
--- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames       2020-05-24 21:59:09.488000000 -0400
@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+#
+# generate-subjectaltnames
+#
+# This script returns a list of hostnames and IP addresses that
+# can be used to construct the list of subjectAltName entries
+# for a web server certificate.
+#
+# Usage:  generate-subjectaltnames
+#
+# Copyright 1999-2003 Mitel Networks Corporation
+# This program is free software; you can redistribute it and/or
+# modify it under the same terms as Perl itself.
+#
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+
+my $configuration = esmith::ConfigDB->open_ro('configuration')
+    or die "Couldn't open configuration DB\n";
+
+my %results_dict = ();
+
+#----------------------------------------------------------------------
+# Add FQDN, system name and the domain name.
+#----------------------------------------------------------------------
+
+$SystemName = $configuration->get('SystemName')->value;
+$DomainName = $configuration->get('DomainName')->value;
+
+$results_dict{$SystemName . '.' . $DomainName} = 1;
+$results_dict{$SystemName} = 1;
+$results_dict{$DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add a wildcard entry for domain name.
+#----------------------------------------------------------------------
+
+$results_dict{'*.' . $DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add IP addresses for the various interfaces.
+#----------------------------------------------------------------------
+
+foreach $Interface ('InternalInterface',
+                    'ExternalInterface',
+                    'ExternalInterface2')
+{
+    $Interface_Record = $configuration->get($Interface);
+    if ($Interface_Record)
+    {
+        if ($Interface_Record->prop('Configuration') eq 'static')
+        {
+            if ($Interface_Record->prop('IPAddress'))
+            {
+                $results_dict{$Interface_Record->prop('IPAddress')} = 1;
+            }
+        }
+    }
+}
+
+#----------------------------------------------------------------------
+# Add any alternate names specified in the modSSL config DB.
+#----------------------------------------------------------------------
+
+$modSSL = $configuration->get('modSSL');
+if ($modSSL)
+{
+    $AlternateNames = $modSSL->prop('AlternateNames');
+    if ($AlternateNames)
+    {
+        foreach $AlternateName (split(',', $AlternateNames))
+        {
+            $AlternateName =~ s/\s//g;
+            $results_dict{$AlternateName} = 1;
+        }
+    }
+}
+
+#----------------------------------------------------------------------
+# Output the sorted list of entries.
+#----------------------------------------------------------------------
+
+foreach (sort keys %results_dict)
+{
+    print "$_\n";
+}
+
+exit(0);
1	diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
2	--- e-smith-base-5.8.0.old/createlinks 2020-05-24 21:54:20.596000000 -0400
3	+++ e-smith-base-5.8.0/createlinks 2020-05-24 22:27:18.340000000 -0400
4	@@ -110,6 +110,17 @@
5	templates2events("/etc/updatedb.conf", qw(
6	bootstrap-console-save
7	));
8	+templates2events("/etc/openssl.conf", qw(
9	+ console-save
10	+ bootstrap-console-save
11	+ post-install
12	+ post-upgrade
13	+ domain-create
14	+ domain-delete
15	+ network-create
16	+ network-delete
17	+ ip-change
18	+ ));
19
20	# conf-routes
21	event_link("update-ifcfg", "network-create", "05");
22	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
23	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
24	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config 2020-05-24 21:56:25.742000000 -0400
25	@@ -0,0 +1,38 @@
26	+{
27	+# use Data::Validate::IP;
28	+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
29	+ our $KeySize = $modSSL{KeySize} \|\|'4096';
30	+ our $FQDN = "$SystemName.$DomainName";
31	+ our $Country = $modSSL{Country} \|\| "--";
32	+ our $State = $modSSL{State} \|\| "----";
33	+ our $commonName = $modSSL{CommonName} \|\| $FQDN;
34	+ our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
35	+ our $key = "/home/e-smith/ssl.key/$FQDN.key";
36	+ our $defaultCity = $ldap{defaultCity};
37	+ our $defaultCompany = $ldap{defaultCompany};
38	+ our $defaultDepartment = $ldap{defaultDepartment};
39	+ our $email = "admin\@$DomainName";
40	+ our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
41	+ chomp @subjectAlt;
42	+ our $subjectAltName = "";
43	+ my $i=0;
44	+ for my $elem (@subjectAlt) {
45	+ $subjectAltName .= ", " if $i>0;
46	+ $i++;
47	+ if (ip_is_ipv4($elem) \|\| ip_is_ipv6($elem) ){
48	+ $subjectAltName .= "IP:$elem";
49	+ next;
50	+ }
51	+ $subjectAltName .= "DNS:$elem";
52	+ }
53	+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
54	+
55	+ # crop fields that are too long for X509:
56	+ $Country = substr($Country, 0, 2);
57	+ $defaultCity = substr($defaultCity, 0, 128);
58	+ $defaultCompany = substr($defaultCompany, 0, 64);
59	+ $defaultDepartment = substr($defaultDepartment, 0, 64);
60	+ $email = substr($email, 0, 64);
61	+ $commonName = substr($commonName, 0, 64);
62	+ $OUT="";
63	+}
64	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
65	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req 1969-12-31 19:00:00.000000000 -0500
66	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req 2020-05-24 21:56:25.790000000 -0400
67	@@ -0,0 +1,10 @@
68	+[ req ]
69	+default_bits = {$KeySize}
70	+prompt = no
71	+default_md = sha256
72	+default_keyfile = {$key}
73	+distinguished_name = req_distinguished_name
74	+attributes = req_attributes
75	+x509_extensions = v3_ca
76	+req_extensions = v3_req
77	+
78	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
79	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
80	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 2020-05-24 21:56:25.817000000 -0400
81	@@ -0,0 +1,9 @@
82	+[ req_distinguished_name ]
83	+C = {$Country}
84	+ST = {$State}
85	+L = {$defaultCity}
86	+O = {$defaultCompany}
87	+OU = {$defaultDepartment}
88	+CN = {$commonName}
89	+emailAddress = {$email}
90	+
91	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
92	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
93	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 2020-05-24 21:56:25.840000000 -0400
94	@@ -0,0 +1,3 @@
95	+[ req_attributes ]
96	+
97	+
98	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
99	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
100	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 2020-05-24 21:56:25.864000000 -0400
101	@@ -0,0 +1,3 @@
102	+[ v3_req ]
103	+subjectAltName = {$subjectAltName}
104	+
105	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
106	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 1969-12-31 19:00:00.000000000 -0500
107	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 2020-05-24 21:56:25.902000000 -0400
108	@@ -0,0 +1,5 @@
109	+[ v3_ca ]
110	+subjectKeyIdentifier=hash
111	+authorityKeyIdentifier=keyid:always,issuer:always
112	+basicConstraints = CA:true
113	+
114	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
115	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 21:54:20.613000000 -0400
116	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 22:00:04.300000000 -0400
117	@@ -1,9 +1,12 @@
118	{
119	- use constant KEYLIFEINDAYS => 365;
120	+ use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} \|\| 365;
121	use Date::Parse;
122	use Cwd;
123	+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
124	my $here = getcwd;
125
126	+ my $Country = $modSSL{Country} \|\| "--";
127	+ my $State = $modSSL{State} \|\| "----";
128	my $FQDN = "$SystemName.$DomainName";
129	my $commonName = $modSSL{CommonName} \|\| $FQDN;
130	my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
131	@@ -12,8 +15,23 @@
132	my $defaultCompany = $ldap{defaultCompany};
133	my $defaultDepartment = $ldap{defaultDepartment};
134	my $email = "admin\@$DomainName";
135	-
136	+ my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
137	+ chomp @subjectAlt;
138	+ our $subjectAltName = "";
139	+ my $i=0;
140	+ for my $elem (@subjectAlt) {
141	+ $subjectAltName .= "," if $i>0;
142	+ $i++;
143	+ if (ip_is_ipv4($elem) \|\| ip_is_ipv6($elem) ){
144	+ $subjectAltName .= "IP Address:$elem";
145	+ next;
146	+ }
147	+ $subjectAltName .= "DNS:$elem";
148	+ }
149	+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
150	+ chomp $subjectAltName;
151	# crop fields that are too long for X509:
152	+ $Country = substr($Country, 0, 2);
153	$defaultCity = substr($defaultCity, 0, 128);
154	$defaultCompany = substr($defaultCompany, 0, 64);
155	$defaultDepartment = substr($defaultDepartment, 0, 64);
156	@@ -26,10 +44,12 @@
157	$expire =~ s/^notAfter=//;
158	$expire = str2time($expire);
159	my $ttl_days = ($expire - time()) / 60 / 60 / 24;
160	+ my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
161	+ my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
162
163	- if ( $ttl_days > 2 ) {
164	- my $expected_issuer = '/C=--' .
165	- '/ST=----';
166	+ if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
167	+ my $expected_issuer = '/C='.$Country .
168	+ '/ST='.$State;
169	$expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
170	$expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
171	$expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
172	@@ -41,10 +61,15 @@
173	my $signatureAlg = `openssl x509 -text -noout -in $crt \| grep "Signature Algorithm" \| head -1`;
174	chomp $signatureAlg;
175	$signatureAlg =~ s/^ *Signature Algorithm: //;
176	-
177	+
178	+ # Test for expected subjectAltName
179	+ # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\n//;:a;s/^\( \)\(.*\), /\2,\1/;ta;p;q; }'
180	+ $expected_subjectAltName = `openssl x509 -text -noout -in $crt \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\\n//;:a;s/^\\( \\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
181	+ chomp $expected_subjectAltName;
182	if (
183	($issuer eq $expected_issuer)
184	&& ($signatureAlg ne "sha1WithRSAEncryption")
185	+ && ($subjectAltName eq $expected_subjectAltName)
186	)
187	{
188	# Old key file is still good. Read it out - processTemplate will work
189	@@ -70,38 +95,17 @@
190
191	unless (open(SSL,"-\|"))
192	{
193	- my $pid = open(RSACERT, "\|-");
194	- if ($pid)
195	- {
196	- # parent
197	-
198	- foreach (
199	- "--",
200	- "----",
201	- "$defaultCity",
202	- "$defaultCompany",
203	- "$defaultDepartment",
204	- "$commonName",
205	- "$email"
206	- )
207	- {
208	- print RSACERT "$_\n";
209	- }
210	- close(RSACERT) \|\| die "RSACERT kid exited $?";
211	- exit (0);
212	- }
213	- else
214	- {
215	# child
216	exec("/usr/bin/openssl",
217	qw(req -new -key),
218	$key,
219	- qw(-sha256 -x509 -days), KEYLIFEINDAYS,
220	+ qw( -sha256 -x509 -days), KEYLIFEINDAYS,
221	qw(-set_serial), time(),
222	+ qw(-extensions v3_req),
223	+ qw(-config), "/etc/openssl.conf"
224	)
225	\|\| die "can't exec program: $!";
226	# NOTREACHED
227	- }
228	}
229	while (<SSL>)
230	{
231	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
232	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2014-03-23 22:47:23.000000000 -0400
233	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2020-05-24 22:02:57.282000000 -0400
234	@@ -2,18 +2,25 @@
235	use Cwd;
236	my $here = getcwd;
237
238	+ my $KeySize = $modSSL{KeySize} \|\|'4096';
239	my $FQDN = "$SystemName.$DomainName";
240	my $key = "/home/e-smith/ssl.key/$FQDN.key";
241	if ( -f $key )
242	{
243	- # Old key file is still good. Read it out - processTemplate will work
244	- # out that it hasn't changed, and leave the old one in place
245	- open(K, "$key") or die "Couldn't open key file: $!";
246	- my @key = <K>;
247	- chomp @key;
248	- $OUT = join "\n", @key;
249	- close(K);
250	- return;
251	+ # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout \| sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
252	+ my $signatureKeySize = `openssl rsa -in $key -text -noout \| grep "Private-Key" \| head -1`;
253	+ chomp $signatureKeySize;
254	+ $signatureKeySize =~ s/^ Private-Key: \((.) bit\)/$1/p;
255	+ if ( $signatureKeySize == $KeySize ) {
256	+ # Old key file is still good. Read it out - processTemplate will work
257	+ # out that it hasn't changed, and leave the old one in place
258	+ open(K, "$key") or die "Couldn't open key file: $!";
259	+ my @key = <K>;
260	+ chomp @key;
261	+ $OUT = join "\n", @key;
262	+ close(K);
263	+ return;
264	+ }
265	}
266	# go to somewhere private and safe where we can run programs
267	# as root
268	@@ -42,7 +49,7 @@
269	/proc/rtc
270	/proc/uptime
271	)),
272	- '2048')
273	+ "$KeySize")
274	\|\| die "can't exec program: $!";
275	}
276	while (<SSL>)
277	diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
278	--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 1969-12-31 19:00:00.000000000 -0500
279	+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2020-05-24 22:26:40.181000000 -0400
280	@@ -0,0 +1,13 @@
281	+{
282	+ $OUT = '';
283	+ # if key is defined, we do not need to geenrate a self signed certificate
284	+ # so we do not need to expand openssl.conf
285	+ my $key = $modSSL{'key'};
286	+ unless ($key)
287	+ {
288	+ use esmith::templates;
289	+ esmith::templates::processTemplate({
290	+ TEMPLATE_PATH => "/etc/openssl.conf"
291	+ });
292	+ }
293	+}
294	diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
295	--- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames 1969-12-31 19:00:00.000000000 -0500
296	+++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames 2020-05-24 21:59:09.488000000 -0400
297	@@ -0,0 +1,91 @@
298	+#!/usr/bin/perl -w
299	+
300	+#----------------------------------------------------------------------
301	+#
302	+# generate-subjectaltnames
303	+#
304	+# This script returns a list of hostnames and IP addresses that
305	+# can be used to construct the list of subjectAltName entries
306	+# for a web server certificate.
307	+#
308	+# Usage: generate-subjectaltnames
309	+#
310	+# Copyright 1999-2003 Mitel Networks Corporation
311	+# This program is free software; you can redistribute it and/or
312	+# modify it under the same terms as Perl itself.
313	+#
314	+#----------------------------------------------------------------------
315	+
316	+use esmith::ConfigDB;
317	+
318	+my $configuration = esmith::ConfigDB->open_ro('configuration')
319	+ or die "Couldn't open configuration DB\n";
320	+
321	+my %results_dict = ();
322	+
323	+#----------------------------------------------------------------------
324	+# Add FQDN, system name and the domain name.
325	+#----------------------------------------------------------------------
326	+
327	+$SystemName = $configuration->get('SystemName')->value;
328	+$DomainName = $configuration->get('DomainName')->value;
329	+
330	+$results_dict{$SystemName . '.' . $DomainName} = 1;
331	+$results_dict{$SystemName} = 1;
332	+$results_dict{$DomainName} = 1;
333	+
334	+#----------------------------------------------------------------------
335	+# Add a wildcard entry for domain name.
336	+#----------------------------------------------------------------------
337	+
338	+$results_dict{'*.' . $DomainName} = 1;
339	+
340	+#----------------------------------------------------------------------
341	+# Add IP addresses for the various interfaces.
342	+#----------------------------------------------------------------------
343	+
344	+foreach $Interface ('InternalInterface',
345	+ 'ExternalInterface',
346	+ 'ExternalInterface2')
347	+{
348	+ $Interface_Record = $configuration->get($Interface);
349	+ if ($Interface_Record)
350	+ {
351	+ if ($Interface_Record->prop('Configuration') eq 'static')
352	+ {
353	+ if ($Interface_Record->prop('IPAddress'))
354	+ {
355	+ $results_dict{$Interface_Record->prop('IPAddress')} = 1;
356	+ }
357	+ }
358	+ }
359	+}
360	+
361	+#----------------------------------------------------------------------
362	+# Add any alternate names specified in the modSSL config DB.
363	+#----------------------------------------------------------------------
364	+
365	+$modSSL = $configuration->get('modSSL');
366	+if ($modSSL)
367	+{
368	+ $AlternateNames = $modSSL->prop('AlternateNames');
369	+ if ($AlternateNames)
370	+ {
371	+ foreach $AlternateName (split(',', $AlternateNames))
372	+ {
373	+ $AlternateName =~ s/\s//g;
374	+ $results_dict{$AlternateName} = 1;
375	+ }
376	+ }
377	+}
378	+
379	+#----------------------------------------------------------------------
380	+# Output the sorted list of entries.
381	+#----------------------------------------------------------------------
382	+
383	+foreach (sort keys %results_dict)
384	+{
385	+ print "$_\n";
386	+}
387	+
388	+exit(0);