e-smith-base/sme10/e-smith-base-5.8.0.bz8156.wildcard-certificate-and-subjaltname.patch

diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
--- e-smith-base-5.8.0.old/createlinks  2020-05-24 21:54:20.596000000 -0400
+++ e-smith-base-5.8.0/createlinks      2020-05-24 22:27:18.340000000 -0400
@@ -110,6 +110,17 @@
 templates2events("/etc/updatedb.conf", qw(
     bootstrap-console-save
 ));
+templates2events("/etc/openssl.conf",  qw(
+        console-save
+        bootstrap-console-save
+        post-install
+        post-upgrade
+       domain-create
+       domain-delete
+       network-create
+       network-delete
+        ip-change
+        ));
 
 # conf-routes
 event_link("update-ifcfg", "network-create", "05");
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config     2020-05-24 21:56:25.742000000 -0400
@@ -0,0 +1,38 @@
+{
+#    use Data::Validate::IP;
+    use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
+    our $KeySize = $modSSL{KeySize} ||'4096';
+    our $FQDN = "$SystemName.$DomainName";
+    our $Country = $modSSL{Country} || "--";
+    our $State = $modSSL{State} || "----";
+    our $commonName = $modSSL{CommonName} || $FQDN;
+    our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
+    our $key = "/home/e-smith/ssl.key/$FQDN.key";
+    our $defaultCity = $ldap{defaultCity};
+    our $defaultCompany = $ldap{defaultCompany};
+    our $defaultDepartment = $ldap{defaultDepartment};
+    our $email = "admin\@$DomainName";
+    our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+    chomp @subjectAlt;
+    our $subjectAltName = "";
+       my $i=0;
+       for my $elem (@subjectAlt) {
+               $subjectAltName .= ", " if $i>0;
+               $i++;
+               if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+               $subjectAltName .= "IP:$elem";
+               next;
+               }
+               $subjectAltName .= "DNS:$elem";
+       }
+    $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+
+    # crop fields that are too long for X509:
+    $Country = substr($Country, 0, 2);
+    $defaultCity = substr($defaultCity, 0, 128);
+    $defaultCompany = substr($defaultCompany, 0, 64);
+    $defaultDepartment = substr($defaultDepartment, 0, 64);
+    $email = substr($email, 0, 64);
+    $commonName = substr($commonName, 0, 64);
+    $OUT="";
+}
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req        2020-05-24 21:56:25.790000000 -0400
@@ -0,0 +1,10 @@
+[ req ]
+default_bits            = {$KeySize}
+prompt                         = no
+default_md             = sha256
+default_keyfile         = {$key}
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions                = v3_ca
+req_extensions         = v3_req
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name     2020-05-24 21:56:25.817000000 -0400
@@ -0,0 +1,9 @@
+[ req_distinguished_name ]
+C                              = {$Country}
+ST                             = {$State}
+L                               = {$defaultCity}
+O                              = {$defaultCompany}
+OU                             = {$defaultDepartment}
+CN                             = {$commonName}
+emailAddress                    = {$email}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes     2020-05-24 21:56:25.840000000 -0400
@@ -0,0 +1,3 @@
+[ req_attributes ]
+
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req     2020-05-24 21:56:25.864000000 -0400
@@ -0,0 +1,3 @@
+[ v3_req ]
+subjectAltName = {$subjectAltName}
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca  1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca      2020-05-24 21:56:25.902000000 -0400
@@ -0,0 +1,5 @@
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt      2020-05-24 21:54:20.613000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt  2020-05-24 22:00:04.300000000 -0400
@@ -1,9 +1,12 @@
 {
-    use constant KEYLIFEINDAYS => 365;
+    use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
     use Date::Parse;
     use Cwd;
+    use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
     my $here = getcwd;
 
+    my $Country = $modSSL{Country} || "--";
+    my $State = $modSSL{State} || "----";
     my $FQDN = "$SystemName.$DomainName";
     my $commonName = $modSSL{CommonName} || $FQDN;
     my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
@@ -12,8 +15,23 @@
     my $defaultCompany = $ldap{defaultCompany};
     my $defaultDepartment = $ldap{defaultDepartment};
     my $email = "admin\@$DomainName";
-
+    my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
+    chomp @subjectAlt;
+    our $subjectAltName = "";
+        my $i=0;
+        for my $elem (@subjectAlt) {
+                $subjectAltName .= "," if $i>0;
+                $i++;
+                if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
+                $subjectAltName .= "IP Address:$elem";
+                next;
+                }
+                $subjectAltName .= "DNS:$elem";
+        }
+    $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
+    chomp $subjectAltName;
     # crop fields that are too long for X509:
+    $Country = substr($Country, 0, 2);
     $defaultCity = substr($defaultCity, 0, 128); 
     $defaultCompany = substr($defaultCompany, 0, 64); 
     $defaultDepartment = substr($defaultDepartment, 0, 64); 
@@ -26,10 +44,12 @@
         $expire =~ s/^notAfter=//;
         $expire = str2time($expire);
         my $ttl_days = ($expire - time()) / 60 / 60 / 24;
+       my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+       my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
-        if ( $ttl_days > 2 ) {
-            my $expected_issuer = '/C=--' .
-                              '/ST=----';
+        if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
+            my $expected_issuer = '/C='.$Country .
+                              '/ST='.$State;
             $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
             $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
             $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
@@ -41,10 +61,15 @@
             my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
             chomp $signatureAlg;
             $signatureAlg =~ s/^ *Signature Algorithm: //;
-
+           
+           # Test for expected subjectAltName
+            # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
+           $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
+           chomp $expected_subjectAltName;
             if (
                         ($issuer eq $expected_issuer)
                      && ($signatureAlg ne "sha1WithRSAEncryption")
+                     && ($subjectAltName eq $expected_subjectAltName)
             )
            {
                # Old key file is still good. Read it out - processTemplate will work
@@ -70,38 +95,17 @@
 
     unless (open(SSL,"-|"))
     {
-       my $pid = open(RSACERT, "|-");
-       if ($pid)
-       {
-           # parent
-
-           foreach (
-                   "--",
-                   "----",
-                   "$defaultCity",
-                   "$defaultCompany",
-                   "$defaultDepartment",
-                   "$commonName",
-                   "$email"
-                   )
-           {
-               print RSACERT "$_\n";
-           }
-           close(RSACERT) || die "RSACERT kid exited $?";
-           exit (0);
-       }
-       else
-       {
            # child
            exec("/usr/bin/openssl",
                qw(req -new -key),
                $key,
-               qw(-sha256 -x509 -days), KEYLIFEINDAYS,
+               qw( -sha256 -x509 -days), KEYLIFEINDAYS,
                qw(-set_serial), time(),
+               qw(-extensions v3_req),
+               qw(-config), "/etc/openssl.conf" 
                )
                    || die "can't exec program: $!";
            # NOTREACHED
-       }
     }
     while (<SSL>)
     {
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key      2014-03-23 22:47:23.000000000 -0400
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key  2020-05-24 22:02:57.282000000 -0400
@@ -2,18 +2,25 @@
     use Cwd;
     my $here = getcwd;
 
+    my $KeySize = $modSSL{KeySize} ||'4096';
     my $FQDN = "$SystemName.$DomainName";
     my $key = "/home/e-smith/ssl.key/$FQDN.key";
     if ( -f $key )
     {
-       # Old key file is still good. Read it out - processTemplate will work
-       # out that it hasn't changed, and leave the old one in place
-       open(K, "$key") or die "Couldn't open key file: $!";
-       my @key = <K>;
-       chomp @key;
-       $OUT = join "\n", @key;
-       close(K);
-       return;
+       # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
+        my $signatureKeySize = `openssl rsa -in  $key -text -noout | grep "Private-Key" | head -1`;
+        chomp $signatureKeySize;
+        $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
+       if ( $signatureKeySize == $KeySize ) {
+               # Old key file is still good. Read it out - processTemplate will work
+               # out that it hasn't changed, and leave the old one in place
+               open(K, "$key") or die "Couldn't open key file: $!";
+               my @key = <K>;
+               chomp @key;
+               $OUT = join "\n", @key;
+               close(K);
+               return;
+       }
     }
     # go to somewhere private and safe where we can run programs
     # as root
@@ -42,7 +49,7 @@
                /proc/rtc
                /proc/uptime
                )),
-           '2048')
+           "$KeySize")
            || die "can't exec program: $!";
     }
     while (<SSL>)
diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl        2020-05-24 22:26:40.181000000 -0400
@@ -0,0 +1,13 @@
+{
+    $OUT = '';
+    # if key is defined, we do not need to geenrate a self signed certificate
+    # so we do not need to expand openssl.conf
+    my $key = $modSSL{'key'};
+    unless ($key)
+    {
+        use esmith::templates;
+        esmith::templates::processTemplate({
+            TEMPLATE_PATH => "/etc/openssl.conf"
+            });
+    }
+}
diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
--- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames       2020-05-24 21:59:09.488000000 -0400
@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+#
+# generate-subjectaltnames
+#
+# This script returns a list of hostnames and IP addresses that
+# can be used to construct the list of subjectAltName entries
+# for a web server certificate.
+#
+# Usage:  generate-subjectaltnames
+#
+# Copyright 1999-2003 Mitel Networks Corporation
+# This program is free software; you can redistribute it and/or
+# modify it under the same terms as Perl itself.
+#
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+
+my $configuration = esmith::ConfigDB->open_ro('configuration')
+    or die "Couldn't open configuration DB\n";
+
+my %results_dict = ();
+
+#----------------------------------------------------------------------
+# Add FQDN, system name and the domain name.
+#----------------------------------------------------------------------
+
+$SystemName = $configuration->get('SystemName')->value;
+$DomainName = $configuration->get('DomainName')->value;
+
+$results_dict{$SystemName . '.' . $DomainName} = 1;
+$results_dict{$SystemName} = 1;
+$results_dict{$DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add a wildcard entry for domain name.
+#----------------------------------------------------------------------
+
+$results_dict{'*.' . $DomainName} = 1;
+
+#----------------------------------------------------------------------
+# Add IP addresses for the various interfaces.
+#----------------------------------------------------------------------
+
+foreach $Interface ('InternalInterface',
+                    'ExternalInterface',
+                    'ExternalInterface2')
+{
+    $Interface_Record = $configuration->get($Interface);
+    if ($Interface_Record)
+    {
+        if ($Interface_Record->prop('Configuration') eq 'static')
+        {
+            if ($Interface_Record->prop('IPAddress'))
+            {
+                $results_dict{$Interface_Record->prop('IPAddress')} = 1;
+            }
+        }
+    }
+}
+
+#----------------------------------------------------------------------
+# Add any alternate names specified in the modSSL config DB.
+#----------------------------------------------------------------------
+
+$modSSL = $configuration->get('modSSL');
+if ($modSSL)
+{
+    $AlternateNames = $modSSL->prop('AlternateNames');
+    if ($AlternateNames)
+    {
+        foreach $AlternateName (split(',', $AlternateNames))
+        {
+            $AlternateName =~ s/\s//g;
+            $results_dict{$AlternateName} = 1;
+        }
+    }
+}
+
+#----------------------------------------------------------------------
+# Output the sorted list of entries.
+#----------------------------------------------------------------------
+
+foreach (sort keys %results_dict)
+{
+    print "$_\n";
+}
+
+exit(0);
1	jpp	1.1	diff -Nur e-smith-base-5.8.0.old/createlinks e-smith-base-5.8.0/createlinks
2			--- e-smith-base-5.8.0.old/createlinks 2020-05-24 21:54:20.596000000 -0400
3			+++ e-smith-base-5.8.0/createlinks 2020-05-24 22:27:18.340000000 -0400
4			@@ -110,6 +110,17 @@
5			templates2events("/etc/updatedb.conf", qw(
6			bootstrap-console-save
7			));
8			+templates2events("/etc/openssl.conf", qw(
9			+ console-save
10			+ bootstrap-console-save
11			+ post-install
12			+ post-upgrade
13			+ domain-create
14			+ domain-delete
15			+ network-create
16			+ network-delete
17			+ ip-change
18			+ ));
19
20			# conf-routes
21			event_link("update-ifcfg", "network-create", "05");
22			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config
23			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/05config 1969-12-31 19:00:00.000000000 -0500
24			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/05config 2020-05-24 21:56:25.742000000 -0400
25			@@ -0,0 +1,38 @@
26			+{
27			+# use Data::Validate::IP;
28			+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
29			+ our $KeySize = $modSSL{KeySize} \|\|'4096';
30			+ our $FQDN = "$SystemName.$DomainName";
31			+ our $Country = $modSSL{Country} \|\| "--";
32			+ our $State = $modSSL{State} \|\| "----";
33			+ our $commonName = $modSSL{CommonName} \|\| $FQDN;
34			+ our $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
35			+ our $key = "/home/e-smith/ssl.key/$FQDN.key";
36			+ our $defaultCity = $ldap{defaultCity};
37			+ our $defaultCompany = $ldap{defaultCompany};
38			+ our $defaultDepartment = $ldap{defaultDepartment};
39			+ our $email = "admin\@$DomainName";
40			+ our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
41			+ chomp @subjectAlt;
42			+ our $subjectAltName = "";
43			+ my $i=0;
44			+ for my $elem (@subjectAlt) {
45			+ $subjectAltName .= ", " if $i>0;
46			+ $i++;
47			+ if (ip_is_ipv4($elem) \|\| ip_is_ipv6($elem) ){
48			+ $subjectAltName .= "IP:$elem";
49			+ next;
50			+ }
51			+ $subjectAltName .= "DNS:$elem";
52			+ }
53			+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
54			+
55			+ # crop fields that are too long for X509:
56			+ $Country = substr($Country, 0, 2);
57			+ $defaultCity = substr($defaultCity, 0, 128);
58			+ $defaultCompany = substr($defaultCompany, 0, 64);
59			+ $defaultDepartment = substr($defaultDepartment, 0, 64);
60			+ $email = substr($email, 0, 64);
61			+ $commonName = substr($commonName, 0, 64);
62			+ $OUT="";
63			+}
64			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req
65			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/40req 1969-12-31 19:00:00.000000000 -0500
66			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/40req 2020-05-24 21:56:25.790000000 -0400
67			@@ -0,0 +1,10 @@
68			+[ req ]
69			+default_bits = {$KeySize}
70			+prompt = no
71			+default_md = sha256
72			+default_keyfile = {$key}
73			+distinguished_name = req_distinguished_name
74			+attributes = req_attributes
75			+x509_extensions = v3_ca
76			+req_extensions = v3_req
77			+
78			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name
79			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 1969-12-31 19:00:00.000000000 -0500
80			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/45req_distinguished_name 2020-05-24 21:56:25.817000000 -0400
81			@@ -0,0 +1,9 @@
82			+[ req_distinguished_name ]
83			+C = {$Country}
84			+ST = {$State}
85			+L = {$defaultCity}
86			+O = {$defaultCompany}
87			+OU = {$defaultDepartment}
88			+CN = {$commonName}
89			+emailAddress = {$email}
90			+
91			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes
92			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 1969-12-31 19:00:00.000000000 -0500
93			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/47req_attributes 2020-05-24 21:56:25.840000000 -0400
94			@@ -0,0 +1,3 @@
95			+[ req_attributes ]
96			+
97			+
98			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req
99			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 1969-12-31 19:00:00.000000000 -0500
100			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/50v3_req 2020-05-24 21:56:25.864000000 -0400
101			@@ -0,0 +1,3 @@
102			+[ v3_req ]
103			+subjectAltName = {$subjectAltName}
104			+
105			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca
106			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 1969-12-31 19:00:00.000000000 -0500
107			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/etc/openssl.conf/60v3_ca 2020-05-24 21:56:25.902000000 -0400
108			@@ -0,0 +1,5 @@
109			+[ v3_ca ]
110			+subjectKeyIdentifier=hash
111			+authorityKeyIdentifier=keyid:always,issuer:always
112			+basicConstraints = CA:true
113			+
114			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt
115			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 21:54:20.613000000 -0400
116			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2020-05-24 22:00:04.300000000 -0400
117			@@ -1,9 +1,12 @@
118			{
119			- use constant KEYLIFEINDAYS => 365;
120			+ use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} \|\| 365;
121			use Date::Parse;
122			use Cwd;
123			+ use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
124			my $here = getcwd;
125
126			+ my $Country = $modSSL{Country} \|\| "--";
127			+ my $State = $modSSL{State} \|\| "----";
128			my $FQDN = "$SystemName.$DomainName";
129			my $commonName = $modSSL{CommonName} \|\| $FQDN;
130			my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
131			@@ -12,8 +15,23 @@
132			my $defaultCompany = $ldap{defaultCompany};
133			my $defaultDepartment = $ldap{defaultDepartment};
134			my $email = "admin\@$DomainName";
135			-
136			+ my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
137			+ chomp @subjectAlt;
138			+ our $subjectAltName = "";
139			+ my $i=0;
140			+ for my $elem (@subjectAlt) {
141			+ $subjectAltName .= "," if $i>0;
142			+ $i++;
143			+ if (ip_is_ipv4($elem) \|\| ip_is_ipv6($elem) ){
144			+ $subjectAltName .= "IP Address:$elem";
145			+ next;
146			+ }
147			+ $subjectAltName .= "DNS:$elem";
148			+ }
149			+ $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
150			+ chomp $subjectAltName;
151			# crop fields that are too long for X509:
152			+ $Country = substr($Country, 0, 2);
153			$defaultCity = substr($defaultCity, 0, 128);
154			$defaultCompany = substr($defaultCompany, 0, 64);
155			$defaultDepartment = substr($defaultDepartment, 0, 64);
156			@@ -26,10 +44,12 @@
157			$expire =~ s/^notAfter=//;
158			$expire = str2time($expire);
159			my $ttl_days = ($expire - time()) / 60 / 60 / 24;
160			+ my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
161			+ my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
162
163			- if ( $ttl_days > 2 ) {
164			- my $expected_issuer = '/C=--' .
165			- '/ST=----';
166			+ if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
167			+ my $expected_issuer = '/C='.$Country .
168			+ '/ST='.$State;
169			$expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
170			$expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
171			$expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
172			@@ -41,10 +61,15 @@
173			my $signatureAlg = `openssl x509 -text -noout -in $crt \| grep "Signature Algorithm" \| head -1`;
174			chomp $signatureAlg;
175			$signatureAlg =~ s/^ *Signature Algorithm: //;
176			-
177			+
178			+ # Test for expected subjectAltName
179			+ # openssl x509 -text -noout -in /etc/dehydrated/certs/itx.pialasse.com/cert.pem \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\n//;:a;s/^\( \)\(.*\), /\2,\1/;ta;p;q; }'
180			+ $expected_subjectAltName = `openssl x509 -text -noout -in $crt \| sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.\\n//;:a;s/^\\( \\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
181			+ chomp $expected_subjectAltName;
182			if (
183			($issuer eq $expected_issuer)
184			&& ($signatureAlg ne "sha1WithRSAEncryption")
185			+ && ($subjectAltName eq $expected_subjectAltName)
186			)
187			{
188			# Old key file is still good. Read it out - processTemplate will work
189			@@ -70,38 +95,17 @@
190
191			unless (open(SSL,"-\|"))
192			{
193			- my $pid = open(RSACERT, "\|-");
194			- if ($pid)
195			- {
196			- # parent
197			-
198			- foreach (
199			- "--",
200			- "----",
201			- "$defaultCity",
202			- "$defaultCompany",
203			- "$defaultDepartment",
204			- "$commonName",
205			- "$email"
206			- )
207			- {
208			- print RSACERT "$_\n";
209			- }
210			- close(RSACERT) \|\| die "RSACERT kid exited $?";
211			- exit (0);
212			- }
213			- else
214			- {
215			# child
216			exec("/usr/bin/openssl",
217			qw(req -new -key),
218			$key,
219			- qw(-sha256 -x509 -days), KEYLIFEINDAYS,
220			+ qw( -sha256 -x509 -days), KEYLIFEINDAYS,
221			qw(-set_serial), time(),
222			+ qw(-extensions v3_req),
223			+ qw(-config), "/etc/openssl.conf"
224			)
225			\|\| die "can't exec program: $!";
226			# NOTREACHED
227			- }
228			}
229			while (<SSL>)
230			{
231			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key
232			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2014-03-23 22:47:23.000000000 -0400
233			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2020-05-24 22:02:57.282000000 -0400
234			@@ -2,18 +2,25 @@
235			use Cwd;
236			my $here = getcwd;
237
238			+ my $KeySize = $modSSL{KeySize} \|\|'4096';
239			my $FQDN = "$SystemName.$DomainName";
240			my $key = "/home/e-smith/ssl.key/$FQDN.key";
241			if ( -f $key )
242			{
243			- # Old key file is still good. Read it out - processTemplate will work
244			- # out that it hasn't changed, and leave the old one in place
245			- open(K, "$key") or die "Couldn't open key file: $!";
246			- my @key = <K>;
247			- chomp @key;
248			- $OUT = join "\n", @key;
249			- close(K);
250			- return;
251			+ # check key size openssl rsa -in /home/e-smith/ssl.key/sme10.test10.pialasse.com.key -text -noout \| sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
252			+ my $signatureKeySize = `openssl rsa -in $key -text -noout \| grep "Private-Key" \| head -1`;
253			+ chomp $signatureKeySize;
254			+ $signatureKeySize =~ s/^ Private-Key: \((.) bit\)/$1/p;
255			+ if ( $signatureKeySize == $KeySize ) {
256			+ # Old key file is still good. Read it out - processTemplate will work
257			+ # out that it hasn't changed, and leave the old one in place
258			+ open(K, "$key") or die "Couldn't open key file: $!";
259			+ my @key = <K>;
260			+ chomp @key;
261			+ $OUT = join "\n", @key;
262			+ close(K);
263			+ return;
264			+ }
265			}
266			# go to somewhere private and safe where we can run programs
267			# as root
268			@@ -42,7 +49,7 @@
269			/proc/rtc
270			/proc/uptime
271			)),
272			- '2048')
273			+ "$KeySize")
274			\|\| die "can't exec program: $!";
275			}
276			while (<SSL>)
277			diff -Nur e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl
278			--- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 1969-12-31 19:00:00.000000000 -0500
279			+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2020-05-24 22:26:40.181000000 -0400
280			@@ -0,0 +1,13 @@
281			+{
282			+ $OUT = '';
283			+ # if key is defined, we do not need to geenrate a self signed certificate
284			+ # so we do not need to expand openssl.conf
285			+ my $key = $modSSL{'key'};
286			+ unless ($key)
287			+ {
288			+ use esmith::templates;
289			+ esmith::templates::processTemplate({
290			+ TEMPLATE_PATH => "/etc/openssl.conf"
291			+ });
292			+ }
293			+}
294			diff -Nur e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames
295			--- e-smith-base-5.8.0.old/root/sbin/e-smith/generate-subjectaltnames 1969-12-31 19:00:00.000000000 -0500
296			+++ e-smith-base-5.8.0/root/sbin/e-smith/generate-subjectaltnames 2020-05-24 21:59:09.488000000 -0400
297			@@ -0,0 +1,91 @@
298			+#!/usr/bin/perl -w
299			+
300			+#----------------------------------------------------------------------
301			+#
302			+# generate-subjectaltnames
303			+#
304			+# This script returns a list of hostnames and IP addresses that
305			+# can be used to construct the list of subjectAltName entries
306			+# for a web server certificate.
307			+#
308			+# Usage: generate-subjectaltnames
309			+#
310			+# Copyright 1999-2003 Mitel Networks Corporation
311			+# This program is free software; you can redistribute it and/or
312			+# modify it under the same terms as Perl itself.
313			+#
314			+#----------------------------------------------------------------------
315			+
316			+use esmith::ConfigDB;
317			+
318			+my $configuration = esmith::ConfigDB->open_ro('configuration')
319			+ or die "Couldn't open configuration DB\n";
320			+
321			+my %results_dict = ();
322			+
323			+#----------------------------------------------------------------------
324			+# Add FQDN, system name and the domain name.
325			+#----------------------------------------------------------------------
326			+
327			+$SystemName = $configuration->get('SystemName')->value;
328			+$DomainName = $configuration->get('DomainName')->value;
329			+
330			+$results_dict{$SystemName . '.' . $DomainName} = 1;
331			+$results_dict{$SystemName} = 1;
332			+$results_dict{$DomainName} = 1;
333			+
334			+#----------------------------------------------------------------------
335			+# Add a wildcard entry for domain name.
336			+#----------------------------------------------------------------------
337			+
338			+$results_dict{'*.' . $DomainName} = 1;
339			+
340			+#----------------------------------------------------------------------
341			+# Add IP addresses for the various interfaces.
342			+#----------------------------------------------------------------------
343			+
344			+foreach $Interface ('InternalInterface',
345			+ 'ExternalInterface',
346			+ 'ExternalInterface2')
347			+{
348			+ $Interface_Record = $configuration->get($Interface);
349			+ if ($Interface_Record)
350			+ {
351			+ if ($Interface_Record->prop('Configuration') eq 'static')
352			+ {
353			+ if ($Interface_Record->prop('IPAddress'))
354			+ {
355			+ $results_dict{$Interface_Record->prop('IPAddress')} = 1;
356			+ }
357			+ }
358			+ }
359			+}
360			+
361			+#----------------------------------------------------------------------
362			+# Add any alternate names specified in the modSSL config DB.
363			+#----------------------------------------------------------------------
364			+
365			+$modSSL = $configuration->get('modSSL');
366			+if ($modSSL)
367			+{
368			+ $AlternateNames = $modSSL->prop('AlternateNames');
369			+ if ($AlternateNames)
370			+ {
371			+ foreach $AlternateName (split(',', $AlternateNames))
372			+ {
373			+ $AlternateName =~ s/\s//g;
374			+ $results_dict{$AlternateName} = 1;
375			+ }
376			+ }
377			+}
378			+
379			+#----------------------------------------------------------------------
380			+# Output the sorted list of entries.
381			+#----------------------------------------------------------------------
382			+
383			+foreach (sort keys %results_dict)
384			+{
385			+ print "$_\n";
386			+}
387			+
388			+exit(0);