Commit 0bf47b73 authored by Leigh B Stoller's avatar Leigh B Stoller

Add script to update existing certs using the original private keys,

so make them proper Version 3 certificates. Add a driver script to handle
all the details of updating.
parent 21c684c9
......@@ -19,7 +19,8 @@ PSBIN_STUFF = register_resources expire_daemon gencrl postcrl \
update reregister cleanupticket listhistory \
register_sliver sa_daemon genadmincredential \
getchcredential genallow_extcred advt-merge.py \
reservevlans delgeniuser delegatecredential
reservevlans delgeniuser delegatecredential \
updatecert fixcerts
ifeq ($(ISMAINSITE),1)
PSBIN_STUFF += ch_daemon gencabundle
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2011 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Std;
#
#
#
sub usage()
{
print STDERR "Usage: $0\n";
exit(-1);
}
my $optlist = "";
# Configure ...
my $TB = "@prefix@";
my $PROTOUSER = "elabman";
my $MKSYSCERT = "$TB/sbin/mksyscert";
my $UPDATECERT = "$TB/sbin/protogeni/updatecert";
my $ADDAUTHORITY = "$TB/sbin/protogeni/addauthority";
my $REREGISTER = "$TB/sbin/protogeni/reregister";
my $REGRESOURCES = "$TB/sbin/protogeni/register_resources";
my $SUDO = "/usr/local/bin/sudo";
my $FETCH = "/usr/bin/fetch";
my $CMCERT = "$TB/etc/genicm.pem";
my $SACERT = "$TB/etc/genisa.pem";
my $CHCERT = "$TB/etc/genich.pem";
my $SESCERT = "$TB/etc/genises.pem";
use lib '@prefix@/lib';
use GeniCertificate;
sub fatal($)
{
my ($msg) = @_;
die("*** $0:\n".
" $msg\n");
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
usage()
if (@ARGV);
my $stash = "$TB/etc/fixcerts.$$";
print "Creating backup directory: $stash\n";
system("/bin/mkdir $stash") == 0 or
fatal("Could not mkdir $stash");
print "Copying current certificates to backup directory\n";
system("/bin/cp -p $CMCERT $SACERT $stash");
system("/bin/cp -p $SESCERT $stash") if (-e $SESCERT);
#
# Grab the CH certificate from Utah.
#
print "Fetching clearinghouse certificate from Utah ...\n";
system("$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem") == 0
or fatal("Could not fetch clearinghouse certificate from Utah");
#
# Update our local certs. Certs are updated in place, old one saved.
#
print "Updating $SESCERT\n";
system("$UPDATECERT $SESCERT") == 0 or
fatal("Could not update $SESCERT");
print "Updating $CMCERT\n";
system("$UPDATECERT $CMCERT") == 0 or
fatal("Could not update $CMCERT");
print "Updating $SACERT\n";
system("$UPDATECERT $SACERT") == 0 or
fatal("Could not update $SACERT");
#
# Add certs to the local SA database.
#
print "Adding new certificates to SA database.\n";
system("$ADDAUTHORITY $SACERT sa") == 0
or fatal("Could not add SA certificate to SA DB");
system("$ADDAUTHORITY $CMCERT cm") == 0
or fatal("Could not add CM certificate to SA DB");
system("$ADDAUTHORITY $SESCERT ses") == 0
or fatal("Could not add SES certificate to SA DB");
#
# Add certs to the local CM database.
#
print "Adding new certificates to CM database.\n";
system("$ADDAUTHORITY -a $SACERT sa") == 0
or fatal("Could not add SA certificate to CM DB");
system("$ADDAUTHORITY -a $CMCERT cm") == 0
or fatal("Could not add CM certificate to CM DB");
#
# ReRegister our certs at the CM.
#
system("$REREGISTER") == 0
or fatal("Could not reregister certificates at the Clearinghouse");
#
# ReRegister our resources.
#
print "Registering resources at Clearinghouse\n";
system("$SUDO -u $PROTOUSER $REGRESOURCES -r") == 0
or fatal("Could not reregister resources at the Clearinghouse");
exit(0);
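Review bot: The clearinghouse certificate is fetched over plain HTTP (`$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem`) and written straight over the existing `$TB/etc/genich.pem`, with no integrity check and no backup of the old copy, even though the CM and SA certificates a few lines earlier are stashed first. Fetching to a temporary path, checking that it parses as a certificate (or matches a known fingerprint) and copying the current `$CHCERT` into `$stash` before replacing it would keep a bad or tampered download from silently becoming the site's clearinghouse certificate. The backup copy itself is unchecked: `system("/bin/cp -p $CMCERT $SACERT $stash");` should be `system("/bin/cp -p $CMCERT $SACERT $stash") == 0 or fatal("Could not back up certificates to $stash");`, since everything after it rewrites the originals in place. The `-e $SESCERT` guard on the backup is not repeated on the later `$UPDATECERT $SESCERT` and `$ADDAUTHORITY $SESCERT ses` calls, so a site without a SES certificate dies midway after the CM and SA certificates have already been rewritten.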
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2011 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Std;
#
#
#
sub usage()
{
print STDERR "Usage: $0 [-o output_file] <certfile>\n";
exit(-1);
}
my $optlist = "i:o:";
my $ascm = 0;
my $outfile;
my $tmpfile;
# Configure ...
my $TB = "@prefix@";
my $PROTOUSER = "elabman";
my $MKSYSCERT = "$TB/sbin/mksyscert";
my $SUDO = "/usr/local/bin/sudo";
my $CMCERT = "$TB/etc/genicm.pem";
# Do this early so that we talk to the right DB.
use vars qw($GENI_DBNAME);
BEGIN { $GENI_DBNAME = "geni"; }
use lib '@prefix@/lib';
use GeniCertificate;
sub fatal($)
{
my ($msg) = @_;
die("*** $0:\n".
" $msg\n");
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"o"})) {
$outfile = 1;
}
usage()
if (@ARGV != 1);
my $infile = $ARGV[0];
#
# Load the input certificate.
#
my $certificate = GeniCertificate->LoadFromFile($infile);
if (!defined($certificate)) {
fatal("Could not load certificate from $infile\n");
}
# Associate private key, to ensure its in the file.
if ($certificate->LoadKeyFromFile($infile)) {
fatal("Could not load private key from $infile\n");
}
# Write key to a file by itself, for mksyscert.
my $keyfile = $certificate->WriteKeyToFile() or
fatal("Could not write private key to new file");
my $urn = $certificate->urn();
my $uuid = $certificate->uuid();
my $url = $certificate->URL();
my $hrn = $certificate->hrn();
my $arg = "-o ";
if (defined($outfile)) {
$arg .= $outfile;
}
else {
#
# Temporary file, then rename to original.
#
$tmpfile = "/tmp/cert-$$.pem";
$arg .= $tmpfile;
}
system("$SUDO -u $PROTOUSER $MKSYSCERT $arg ".
" -u $url -i $urn -k $keyfile $hrn $uuid" ) == 0
or fatal("Could not generate new certificate");
if (defined($tmpfile)) {
system("/bin/mv -f $infile ${infile}.$$") == 0 or
fatal("Could not rename $infile");
system("/bin/cp -f $tmpfile $infile") == 0 or
fatal("Could not rename $tmpfile to $infile");
}
exit(0);
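Review bot: The `-o` option is accepted but not honored: `$outfile = 1;` stores a flag instead of the file name, so `$arg` becomes `-o 1` and mksyscert writes the new certificate to a file literally named `1`; it should be `$outfile = $options{"o"};` (the `i:` in `$optlist` is likewise never read). The private key is written out via `WriteKeyToFile` and the new certificate is staged at the predictable `/tmp/cert-$$.pem` in a shared directory, and nothing in the script removes either file after the copy; staging with `File::Temp` (or next to `$infile`, whose directory the script already writes to) and `unlink`ing `$keyfile` and `$tmpfile` on every exit path, including `fatal`, would avoid leaving key material behind. `$infile` comes from the command line and is interpolated into `system` strings; the list form `system("/bin/mv", "-f", $infile, "${infile}.$$")` keeps a path containing shell metacharacters from being reinterpreted. The usage message could also state that the original is kept as `${infile}.$$` when `-o` is not given.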