diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
--- e-smith-base-5.8.0.old/createlinks 2020-05-24 21:54:20.596000000 -0400
+++ e-smith-base-5.8.0/createlinks 2020-05-24 22:27:18.340000000 -0400
@@ -110,6 +110,17 @@
 templates2events("/etc/updatedb.conf", qw( bootstrap-console-save ));
+templates2events("/etc/openssl.conf", qw(
+ console-save
+ bootstrap-console-save
+ post-install
+ post-upgrade
+ domain-create
+ domain-delete
+ network-create
+ network-delete
+ ip-change
+ ));
 # conf-routes
 event_link("update-ifcfg", "network-create", "05");
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config 2020-05-24 21:56:25.742000000 -0400
@@ -0,0 +1,38 @@
+{
+# use Data::Validate::IP;
+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
+ our $KeySize = $modSSL{KeySize} ||'4096';
+ our $FQDN = "$SystemName.$DomainName";
+ our $Country = $modSSL{Country} || "--";
+ our $State = $modSSL{State} || "----";
+ our $commonName = $modSSL{CommonName} || $FQDN;
+ our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
+ our $key = "/home/e-smith/ssl.key/$FQDN.key";
+ our $defaultCity = $ldap{defaultCity};
+ our $defaultCompany = $ldap{defaultCompany};
+ our $defaultDepartment = $ldap{defaultDepartment};
+ our $email = "admin\@$DomainName";
+ our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+ chomp @subjectAlt;
+ our $subjectAltName = "";
+ my $i=0;
+ for my $elem (@subjectAlt) {
+ $subjectAltName .= ", " if $i>0;
+ $i++;
+ if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+ $subjectAltName .= "IP:$elem";
+ next;
+ }
+ $subjectAltName .= "DNS:$elem";
+ }
+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+
+ # crop fields that are too long for X509:
+ $Country = substr($Country, 0, 2);
+ $defaultCity = substr($defaultCity, 0, 128);
+ $defaultCompany = substr($defaultCompany, 0, 64);
+ $defaultDepartment = substr($defaultDepartment, 0, 64);
+ $email = substr($email, 0, 64);
+ $commonName = substr($commonName, 0, 64);
+ $OUT="";
+}
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req 2020-05-24 21:56:25.790000000 -0400
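Review bot: The guard `$subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;` can never be true: the entries are chomped before the loop, so an empty entry yields `DNS:` with no trailing space, and an empty or failed `generate-subjectaltnames` run leaves `subjectAltName =` with an empty value in the generated config. The backtick call does not check `$?` either, so a helper that dies is indistinguishable from a host that has no names. Skip blanks inside the loop with `next if $elem eq '';` and check the helper's exit right after the backticks, `die "generate-subjectaltnames failed: $?" if $?;`, so a broken helper aborts expansion instead of producing a certificate without SANs. The same dead comparison is repeated in the ssl.crt hunk at -12,8 +15,23, which builds a second copy of this list with different separators.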
@@ -0,0 +1,10 @@
+[ req ]
+default_bits = {$KeySize}
+prompt = no
+default_md = sha256
+default_keyfile = {$key}
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+req_extensions = v3_req
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 2020-05-24 21:56:25.817000000 -0400
@@ -0,0 +1,9 @@
+[ req_distinguished_name ]
+C = {$Country}
+ST = {$State}
+L = {$defaultCity}
+O = {$defaultCompany}
+OU = {$defaultDepartment}
+CN = {$commonName}
+emailAddress = {$email}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 2020-05-24 21:56:25.840000000 -0400
@@ -0,0 +1,3 @@
+[ req_attributes ]
+
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 2020-05-24 21:56:25.864000000 -0400
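Review bot: `L = {$defaultCity}`, `O = {$defaultCompany}` and `OU = {$defaultDepartment}` are emitted even when the LDAP values are unset, which under `prompt = no` leaves keys with empty values in the generated config. The issuer check in ssl.crt (`'/L=' . ($defaultCity ? $defaultCity : 'Default City')`) still expects the old prompt-mode fallbacks, so on a host without these values the expected issuer and the issued certificate presumably disagree and the certificate would be regenerated on every expansion — worth verifying against `openssl req` behaviour for empty attributes. Either omit the line when the value is empty, e.g. `{ $defaultCity ? "L = $defaultCity" : "" }`, or apply the same fallbacks here as ssl.crt does so the two stay in step.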
@@ -0,0 +1,3 @@
+[ v3_req ]
+subjectAltName = {$subjectAltName}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 2020-05-24 21:56:25.902000000 -0400
@@ -0,0 +1,5 @@
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 21:54:20.613000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 22:00:04.300000000 -0400
@@ -1,9 +1,12 @@
 {
- use constant KEYLIFEINDAYS => 365;
+ use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
 use Date::Parse;
 use Cwd;
+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
 my $here = getcwd;
+ my $Country = $modSSL{Country} || "--";
+ my $State = $modSSL{State} || "----";
 my $FQDN = "$SystemName.$DomainName";
 my $commonName = $modSSL{CommonName} || $FQDN;
 my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
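Review bot: The `[ v3_req ]` section that ssl.crt selects for the self-signed server certificate (`-extensions v3_req` together with `-x509`) carries only `subjectAltName`, so the issued leaf certificate has no `basicConstraints`, `keyUsage` or `extendedKeyUsage`, while `x509_extensions = v3_ca` in `[ req ]` means any `openssl req -x509` run against this config without `-extensions` picks up `basicConstraints = CA:true` from the `[ v3_ca ]` section in the next hunk. For a leaf certificate add `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` to `[ v3_req ]`. `subjectAltName = {$subjectAltName}` is also written unconditionally, so an empty list leaves an empty value that openssl may reject or encode as an empty extension — guard the line on the variable being non-empty.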
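Review bot: `use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;` accepts any DB string and, later in this template, hands it straight to `openssl req -days`; a non-numeric or zero value is not caught here. Add a check right after it, `die "modSSL KeyLifeInDays must be a positive integer" unless KEYLIFEINDAYS =~ /\A[1-9]\d*\z/;`. Note too that current browser policy rejects server certificates valid for more than about 13 months, so a comment stating the sensible range for `KeyLifeInDays` would help whoever sets the DB value.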
@@ -12,8 +15,23 @@
 my $defaultCompany = $ldap{defaultCompany};
 my $defaultDepartment = $ldap{defaultDepartment};
 my $email = "admin\@$DomainName";
-
+ my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+ chomp @subjectAlt;
+ our $subjectAltName = "";
+ my $i=0;
+ for my $elem (@subjectAlt) {
+ $subjectAltName .= "," if $i>0;
+ $i++;
+ if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+ $subjectAltName .= "IP Address:$elem";
+ next;
+ }
+ $subjectAltName .= "DNS:$elem";
+ }
+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+ chomp $subjectAltName;
 # crop fields that are too long for X509:
+ $Country = substr($Country, 0, 2);
 $defaultCity = substr($defaultCity, 0, 128);
 $defaultCompany = substr($defaultCompany, 0, 64);
 $defaultDepartment = substr($defaultDepartment, 0, 64);
@@ -26,10 +44,12 @@
 $expire =~ s/^notAfter=//;
 $expire = str2time($expire);
 my $ttl_days = ($expire - time()) / 60 / 60 / 24;
+ my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+ my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
- if ( $ttl_days > 2 ) {
- my $expected_issuer = '/C=--' .
- '/ST=----';
+ if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
+ my $expected_issuer = '/C='.$Country .
+ '/ST='.$State;
 $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
 $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
 $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
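Review bot: The modulus comparison `"$crt_md5" eq "$key_md5"` never looks at `$?`, and both pipelines end in `openssl md5`, so when `openssl x509` or `openssl rsa` fails the digest is of empty output; if both fail the two digests are identical and the certificate is wrongly judged to match its key. The two backtick commands also interpolate `$crt` and `$key` (derived from the SystemName/DomainName DB values) into a shell command line, whereas the rest of this template uses list-form `exec`. Read each modulus through a list-form pipe open with the exit status checked, compare the moduli directly instead of hashing them, and treat any failure as a mismatch. The `if` body continues outside the hunk.
```perl
    # read one modulus via list-form open (no shell); any failure -> undef
    my $read_modulus = sub {
        my @cmd = @_;
        open(my $fh, '-|', @cmd) or return;
        my $mod = <$fh>;
        close($fh) or return;   # false when openssl exits non-zero
        chomp $mod if defined $mod;
        return $mod;
    };
    my $crt_mod = $read_modulus->(qw(openssl x509 -noout -modulus -in), $crt);
    my $key_mod = $read_modulus->(qw(openssl rsa -noout -modulus -in), $key);
    # a failed openssl run must never look like a match
    my $key_matches_crt = defined $crt_mod && defined $key_mod && $crt_mod eq $key_mod;

    if ( ($ttl_days > 2) && $key_matches_crt ) {
    # … unchanged: expected_issuer construction …
```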
@@ -41,10 +61,15 @@
 my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
 chomp $signatureAlg;
 $signatureAlg =~ s/^ *Signature Algorithm: //;
-
+
+ # Test for expected subjectAltName
+ # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
+ $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
+ chomp $expected_subjectAltName;
 if ( ($issuer eq $expected_issuer)
 && ($signatureAlg ne "sha1WithRSAEncryption")
+ && ($subjectAltName eq $expected_subjectAltName)
 ) {
 # Old key file is still good. Read it out - processTemplate will work
@@ -70,38 +95,17 @@
 unless (open(SSL,"-|")) {
- my $pid = open(RSACERT, "|-");
- if ($pid)
- {
- # parent
-
- foreach (
- "--",
- "----",
- "$defaultCity",
- "$defaultCompany",
- "$defaultDepartment",
- "$commonName",
- "$email"
- )
- {
- print RSACERT "$_\n";
- }
- close(RSACERT) || die "RSACERT kid exited $?";
- exit (0);
- }
- else
- {
 # child
 exec("/usr/bin/openssl", qw(req -new -key), $key,
- qw(-sha256 -x509 -days), KEYLIFEINDAYS,
+ qw( -sha256 -x509 -days), KEYLIFEINDAYS,
 qw(-set_serial), time(),
+ qw(-extensions v3_req),
+ qw(-config), "/etc/openssl.conf"
 ) || die "can't exec program: $!";
 # NOTREACHED
- }
 }
 while () {
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2014-03-23 22:47:23.000000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2020-05-24 22:02:57.282000000 -0400
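Review bot: `$expected_subjectAltName` is assigned without `my`, and its name is inverted: it holds the SAN list read back from the certificate already on disk, while `$subjectAltName` built earlier from the current DB state is the expected value, so the added `&& ($subjectAltName eq $expected_subjectAltName)` reads backwards; declare it as `my $current_subjectAltName` and compare against that. The check is a literal string match against `openssl x509 -text` output, so it presumably fails whenever openssl prints an entry differently from the configured string (an IPv6 address in expanded upper-case form, for instance), which would regenerate the certificate on every expansion — verify with an IPv6 SAN before relying on it. The comment line above the assignment still carries a developer's personal host path (`/etc/dehydrated/certs/itx.pialasse.com/cert.pem`); replace it with a generic `# openssl x509 -text -noout -in $crt | sed ...` example. The enclosing block continues outside the hunk.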
@@ -2,18 +2,25 @@
 use Cwd;
 my $here = getcwd;
+ my $KeySize = $modSSL{KeySize} ||'4096';
 my $FQDN = "$SystemName.$DomainName";
 my $key = "/home/e-smith/ssl.key/$FQDN.key";
 if ( -f $key ) {
- # Old key file is still good. Read it out - processTemplate will work
- # out that it hasn't changed, and leave the old one in place
- open(K, "$key") or die "Couldn't open key file: $!";
- my @key = ;
- chomp @key;
- $OUT = join "\n", @key;
- close(K);
- return;
+ # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
+ my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
+ chomp $signatureKeySize;
+ $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
+ if ( $signatureKeySize == $KeySize ) {
+ # Old key file is still good. Read it out - processTemplate will work
+ # out that it hasn't changed, and leave the old one in place
+ open(K, "$key") or die "Couldn't open key file: $!";
+ my @key = ;
+ chomp @key;
+ $OUT = join "\n", @key;
+ close(K);
+ return;
+ }
 }
 # go to somewhere private and safe where we can run programs
 # as root
@@ -42,7 +49,7 @@
 /proc/rtc /proc/uptime
 )),
- '2048')
+ "$KeySize")
 || die "can't exec program: $!";
 }
 while ()
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2020-05-24 22:26:40.181000000 -0400
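Review bot: The key-size extraction `$signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;` only matches the exact `Private-Key: (N bit)` form; OpenSSL 1.1.1 and later print `Private-Key: (N bit, 2 primes)` for RSA keys, on which the substitution does nothing and the numeric `==` then compares a non-numeric string (0) with `$KeySize`, so an existing key would be regenerated — and the installed certificate invalidated — on every expansion (verify on the target OpenSSL release). The `/p` modifier is Perl's preserve-match flag, not sed's print, and does nothing useful here; `($signatureKeySize) = $signatureKeySize =~ /\((\d+) bit/;` extracts the size on both output forms. `$KeySize`, used here and as the `"$KeySize"` argument in the second hunk, is taken from the DB unvalidated; guard it with `$KeySize = '4096' unless $KeySize =~ /\A\d+\z/;`. The pipeline also interpolates `$key` into a shell command and streams the full `-text` dump of the private key (including the private exponent) through `grep`; a list-form `open` with `-noout -text` read in Perl avoids the shell and keeps the key material out of a second process.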
@@ -0,0 +1,13 @@
+{
+ $OUT = '';
+ # if key is defined, we do not need to geenrate a self signed certificate
+ # so we do not need to expand openssl.conf
+ my $key = $modSSL{'key'};
+ unless ($key)
+ {
+ use esmith::templates;
+ esmith::templates::processTemplate({
+ TEMPLATE_PATH => "/etc/openssl.conf"
+ });
+ }
+}
diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
--- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames 2020-05-24 21:59:09.488000000 -0400
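Review bot: `use esmith::templates;` inside `unless ($key)` is a compile-time directive and runs regardless of the condition, so its placement suggests a conditional load that does not happen; move it to the top of the fragment. This fragment also regenerates `/etc/openssl.conf` as a side effect of expanding ssl.pem, so ssl.crt's `-config /etc/openssl.conf` only sees current DB values if ssl.pem is expanded before ssl.crt in every event that touches them — that ordering is not visible here and should be stated in the comment, e.g. `# /etc/openssl.conf must be current before ssl.crt is expanded; this fragment refreshes it when no external key is configured`. Typo in the comment: `geenrate` → `generate`.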
@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+#
+# generate-subjectaltnames
+#
+# This script returns a list of hostnames and IP addresses that
+# can be used to construct the list of subjectAltName entries
+# for a web server certificate.
+#
+# Usage: generate-subjectaltnames
+#
+# Copyright 1999-2003 Mitel Networks Corporation
+# This program is free software; you can redistribute it and/or
+# modify it under the same terms as Perl itself.
+#
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+
+my $configuration = esmith::ConfigDB->open_ro('configuration')
+ or die "Couldn't open configuration DB\n";
+
+my %results_dict = ();
+
+#----------------------------------------------------------------------
+# Add FQDN, system name and the domain name.
+#----------------------------------------------------------------------
+
+$SystemName = $configuration->get('SystemName')->value;
+$DomainName = $configuration->get('DomainName')->value;
+
+$results_dict{$SystemName . '.' . $DomainName} = 1;
+$results_dict{$SystemName} = 1;
+$results_dict{$DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add a wildcard entry for domain name.
+#----------------------------------------------------------------------
+
+$results_dict{'*.' . $DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add IP addresses for the various interfaces.
+#----------------------------------------------------------------------
+
+foreach $Interface ('InternalInterface',
+ 'ExternalInterface',
+ 'ExternalInterface2')
+{
+ $Interface_Record = $configuration->get($Interface);
+ if ($Interface_Record)
+ {
+ if ($Interface_Record->prop('Configuration') eq 'static')
+ {
+ if ($Interface_Record->prop('IPAddress'))
+ {
+ $results_dict{$Interface_Record->prop('IPAddress')} = 1;
+ }
+ }
+ }
+}
+
+#----------------------------------------------------------------------
+# Add any alternate names specified in the modSSL config DB.
+#----------------------------------------------------------------------
+
+$modSSL = $configuration->get('modSSL');
+if ($modSSL)
+{
+ $AlternateNames = $modSSL->prop('AlternateNames');
+ if ($AlternateNames)
+ {
+ foreach $AlternateName (split(',', $AlternateNames))
+ {
+ $AlternateName =~ s/\s//g;
+ $results_dict{$AlternateName} = 1;
+ }
+ }
+}
+
+#----------------------------------------------------------------------
+# Output the sorted list of entries.
+#----------------------------------------------------------------------
+
+foreach (sort keys %results_dict)
+{
+ print "$_\n";
+}
+
+exit(0);
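Review bot: The script runs with only `-w` and no `use strict`, and every variable except `$configuration` and `%results_dict` (`$SystemName`, `$DomainName`, `$Interface`, `$Interface_Record`, `$modSSL`, `$AlternateNames`, `$AlternateName`) is an undeclared package global; add `use strict; use warnings;` and `my` declarations. The `AlternateNames` entries are only stripped of whitespace before being printed, and every line printed here lands verbatim as a `DNS:` or `IP:` value in `/etc/openssl.conf` and in the `subjectAltName` comparison, so a malformed entry (a stray `$` or quote, or the empty field from `a,,b`) can break the generated config or produce an empty SAN. Validate each entry against the hostname/IP character set before adding it, e.g. `next unless $AlternateName =~ /\A[A-Za-z0-9.:*-]+\z/;`. The hunk begins on the previous source line.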