e-smith-base/sme10/e-smith-base-5.8.1-bz11772-ellipticcert.patch

diff -Nur --no-dereference e-smith-base-5.8.1.old/createlinks e-smith-base-5.8.1/createlinks
--- e-smith-base-5.8.1.old/createlinks  2021-06-06 16:30:37.000000000 -0400
+++ e-smith-base-5.8.1/createlinks      2021-11-23 23:25:51.831000000 -0500
@@ -304,6 +304,10 @@
 event_link("remove-templates-custom", $event, "02");
 templates2events("/etc/smartd.conf", $event);
 templates2events("/home/e-smith/ssl.pem/pem", $event);
+templates2events("/etc/raddb/certs/radiusd.pem", $event);
+templates2events("/service/qpsmtpd/ssl/cert.pem", $event);
+templates2events("/etc/dovecot/ssl/imapd.pem", $event);
+templates2events("/etc/openldap/ssl/slapd.pem", $event);
 templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $event);
 event_link("fix-startup", $event, "05");
 event_link("rotate_timestamped_logfiles", $event, "05");
@@ -329,6 +333,13 @@
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/dhcpd");
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/crond");
+# because of certs
+safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/dovecot");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/qpsmtpd");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/sqpsmtpd");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/radiusd");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ldap");
 
 #--------------------------------------------------
 # actions for console-save event
diff -Nur --no-dereference e-smith-base-5.8.1.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.1/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
--- e-smith-base-5.8.1.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm       2021-06-06 16:30:37.000000000 -0400
+++ e-smith-base-5.8.1/root/usr/share/perl5/vendor_perl/esmith/ssl.pm   2021-11-23 23:18:53.220000000 -0500
@@ -6,7 +6,7 @@
 
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key key_is_ec related_key_cert);
 
 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
@@ -51,7 +51,8 @@
     {
        #print "$key exists\n";
         # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
-        my $signatureKeySize = `openssl rsa -in  $key -text -noout | grep "Private-Key" | head -1`;
+        my $algo = (key_is_ec($key)) ? 'ec' :'rsa';
+        my $signatureKeySize = `openssl $algo -in  $key -text -noout | grep "Private-Key" | head -1`;
         chomp $signatureKeySize;
         $signatureKeySize =~ s/^ *Private-Key: \((.*) bit\)/$1/p;
         if ( $signatureKeySize == $KeySize ) {
@@ -122,6 +123,7 @@
        open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
        close STDERR;
         my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
+       $exit_code=system("openssl","ec", "-noout", "-in", "$key") unless ($exit_code==0);
        open STDERR, '>&', $oldout;  # restore the dup'ed filehandle to STDOUT
         if ($exit_code==0){
                 #print "key is a key\n";
@@ -131,14 +133,31 @@
     return 0;
 }
 
+sub key_is_ec {
+    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
+    if ( -f $key )
+    {
+        open my $oldout, ">&STDERR";  # "dup" the stdout filehandle
+        close STDERR;
+       my $exit_code=system("openssl","ec", "-noout", "-in", "$key");
+        if ($exit_code==0){
+                #print "key is a key\n";
+                return 1;
+        }
+    }
+    return 0;
+}
+
 sub related_key_cert {
     my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
     my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
     if ( key_is_key($key) and cert_is_cert($crt) )
     { 
        # check the cert and the key are related, if key has been changed, then we need to change the cert
-       my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
-       my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+       #my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+       #my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+       my $crt_md5 = `openssl x509 -pubkey -noout -in $crt | openssl md5`;
+       my $key_md5 = `openssl pkey -pubout -in $key | openssl md5`;
        #print "$key_md5 eq $crt_md5\n";
        return 1 if $key_md5 eq $crt_md5;
     }
1	diff -Nur --no-dereference e-smith-base-5.8.1.old/createlinks e-smith-base-5.8.1/createlinks
2	--- e-smith-base-5.8.1.old/createlinks 2021-06-06 16:30:37.000000000 -0400
3	+++ e-smith-base-5.8.1/createlinks 2021-11-23 23:25:51.831000000 -0500
4	@@ -304,6 +304,10 @@
5	event_link("remove-templates-custom", $event, "02");
6	templates2events("/etc/smartd.conf", $event);
7	templates2events("/home/e-smith/ssl.pem/pem", $event);
8	+templates2events("/etc/raddb/certs/radiusd.pem", $event);
9	+templates2events("/service/qpsmtpd/ssl/cert.pem", $event);
10	+templates2events("/etc/dovecot/ssl/imapd.pem", $event);
11	+templates2events("/etc/openldap/ssl/slapd.pem", $event);
12	templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $event);
13	event_link("fix-startup", $event, "05");
14	event_link("rotate_timestamped_logfiles", $event, "05");
15	@@ -329,6 +333,13 @@
16	safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/dhcpd");
17	safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");
18	safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/crond");
19	+# because of certs
20	+safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
21	+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/dovecot");
22	+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/qpsmtpd");
23	+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/sqpsmtpd");
24	+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/radiusd");
25	+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ldap");
26
27	#--------------------------------------------------
28	# actions for console-save event
29	diff -Nur --no-dereference e-smith-base-5.8.1.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.1/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
30	--- e-smith-base-5.8.1.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-06-06 16:30:37.000000000 -0400
31	+++ e-smith-base-5.8.1/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-11-23 23:18:53.220000000 -0500
32	@@ -6,7 +6,7 @@
33
34
35	our @ISA = qw(Exporter);
36	-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
37	+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key key_is_ec related_key_cert);
38
39	my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
40	our $SystemName = $configdb->get('SystemName')->value;
41	@@ -51,7 +51,8 @@
42	{
43	#print "$key exists\n";
44	# check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout \| sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
45	- my $signatureKeySize = `openssl rsa -in $key -text -noout \| grep "Private-Key" \| head -1`;
46	+ my $algo = (key_is_ec($key)) ? 'ec' :'rsa';
47	+ my $signatureKeySize = `openssl $algo -in $key -text -noout \| grep "Private-Key" \| head -1`;
48	chomp $signatureKeySize;
49	$signatureKeySize =~ s/^ Private-Key: \((.) bit\)/$1/p;
50	if ( $signatureKeySize == $KeySize ) {
51	@@ -122,6 +123,7 @@
52	open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
53	close STDERR;
54	my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
55	+ $exit_code=system("openssl","ec", "-noout", "-in", "$key") unless ($exit_code==0);
56	open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
57	if ($exit_code==0){
58	#print "key is a key\n";
59	@@ -131,14 +133,31 @@
60	return 0;
61	}
62
63	+sub key_is_ec {
64	+ my $key = shift \|\| "/home/e-smith/ssl.key/$FQDN.key";
65	+ if ( -f $key )
66	+ {
67	+ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
68	+ close STDERR;
69	+ my $exit_code=system("openssl","ec", "-noout", "-in", "$key");
70	+ if ($exit_code==0){
71	+ #print "key is a key\n";
72	+ return 1;
73	+ }
74	+ }
75	+ return 0;
76	+}
77	+
78	sub related_key_cert {
79	my $key = shift \|\| "/home/e-smith/ssl.key/$FQDN.key";
80	my $crt = shift \|\| "/home/e-smith/ssl.crt/$FQDN.crt";
81	if ( key_is_key($key) and cert_is_cert($crt) )
82	{
83	# check the cert and the key are related, if key has been changed, then we need to change the cert
84	- my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
85	- my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
86	+ #my $crt_md5 = `openssl x509 -noout -modulus -in $crt \| openssl md5`;
87	+ #my $key_md5 = `openssl rsa -noout -modulus -in $key \| openssl md5`;
88	+ my $crt_md5 = `openssl x509 -pubkey -noout -in $crt \| openssl md5`;
89	+ my $key_md5 = `openssl pkey -pubout -in $key \| openssl md5`;
90	#print "$key_md5 eq $crt_md5\n";
91	return 1 if $key_md5 eq $crt_md5;
92	}