Add script to update existing certs using the original private keys,

so make them peoper Version 3 certificate. Add a driver script to handle all the details of updating.

Add script to update existing certs using the original private keys,
so make them peoper Version 3 certificate. Add a driver script to handle all the details of updating.
0bf47b73 · Leigh B Stoller · 21c684c9 · 0bf47b73 · 0bf47b73 · 0bf47b73
Commit 0bf47b73 authored Jul 29, 2011 by Leigh B Stoller
--- a/protogeni/scripts/GNUmakefile.in
+++ b/protogeni/scripts/GNUmakefile.in
@@ -19,7 +19,8 @@ PSBIN_STUFF	= register_resources expire_daemon gencrl postcrl \
 		  update reregister cleanupticket listhistory \
 		  register_sliver sa_daemon genadmincredential \
 		  getchcredential genallow_extcred advt-merge.py \
-		  reservevlans delgeniuser delegatecredential
+		  reservevlans delgeniuser delegatecredential \
+		  updatecert fixcerts

 ifeq ($(ISMAINSITE),1)
 PSBIN_STUFF     += ch_daemon gencabundle

--- a/protogeni/scripts/fixcerts.in
+++ b/protogeni/scripts/fixcerts.in
+#!/usr/bin/perl -w
+#
+# GENIPUBLIC-COPYRIGHT
+# Copyright (c) 2011 University of Utah and the Flux Group.
+# All rights reserved.
+#
+use strict;
+use English;
+use Getopt::Std;
+
+#
+#
+#
+sub usage()
+{
+    print STDERR "Usage: $0\n";
+    exit(-1);
+}
+my $optlist = "";
+
+# Configure ...
+my $TB		  = "@prefix@";
+my $PROTOUSER	  = "elabman";
+my $MKSYSCERT	  = "$TB/sbin/mksyscert";
+my $UPDATECERT	  = "$TB/sbin/protogeni/updatecert";
+my $ADDAUTHORITY  = "$TB/sbin/protogeni/addauthority";
+my $REREGISTER    = "$TB/sbin/protogeni/reregister";
+my $REGRESOURCES  = "$TB/sbin/protogeni/register_resources";
+my $SUDO	  = "/usr/local/bin/sudo";
+my $FETCH	  = "/usr/bin/fetch";
+my $CMCERT	  = "$TB/etc/genicm.pem";
+my $SACERT	  = "$TB/etc/genisa.pem";
+my $CHCERT	  = "$TB/etc/genich.pem";
+my $SESCERT	  = "$TB/etc/genises.pem";
+
+use lib '@prefix@/lib';
+use GeniCertificate;
+
+sub fatal($)
+{
+    my ($msg) = @_;
+
+    die("*** $0:\n".
+	"    $msg\n");
+}
+
+#
+# Parse command arguments. Once we return from getopts, all that should be
+# left are the required arguments.
+#
+my %options = ();
+if (! getopts($optlist, \%options)) {
+    usage();
+}
+usage()
+    if (@ARGV);
+
+my $stash = "$TB/etc/fixcerts.$$";
+print "Creating backup directory: $stash\n";
+system("/bin/mkdir $stash") == 0 or
+    fatal("Could not mkdir $stash");
+
+print "Copying current certificates to backup directory\n";
+system("/bin/cp -p $CMCERT $SACERT $stash");
+system("/bin/cp -p $SESCERT $stash") if (-e $SESCERT);
+
+#
+# Grab the CH certificate from Utah.
+#
+print "Fetching clearinghouse certificate from Utah ...\n";
+system("$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem") == 0
+    or fatal("Could not fetch clearinghouse certificate from Utah");
+
+#
+# Update our local certs. Certs are updated in place, old one saved. 
+#
+print "Updating $SESCERT\n";
+system("$UPDATECERT $SESCERT") == 0 or
+    fatal("Could not update $SESCERT");
+
+print "Updating $CMCERT\n";
+system("$UPDATECERT $CMCERT") == 0 or
+    fatal("Could not update $CMCERT");
+
+print "Updating $SACERT\n";
+system("$UPDATECERT $SACERT") == 0 or
+    fatal("Could not update $SACERT");
+
+#
+# Add certs to the local SA database.
+#
+print "Adding new certificates to SA database.\n";
+system("$ADDAUTHORITY $SACERT sa") == 0
+    or fatal("Could not add SA certificate to SA DB");
+system("$ADDAUTHORITY $CMCERT cm") == 0
+    or fatal("Could not add CM certificate to SA DB");
+system("$ADDAUTHORITY $SESCERT ses") == 0
+    or fatal("Could not add SES certificate to SA DB");
+
+#
+# Add certs to the local CM database.
+#
+print "Adding new certificates to CM database.\n";
+system("$ADDAUTHORITY -a $SACERT sa") == 0
+    or fatal("Could not add SA certificate to CM DB");
+system("$ADDAUTHORITY -a $CMCERT cm") == 0
+    or fatal("Could not add CM certificate to CM DB");
+
+#
+# ReRegister our certs at the CM.
+#
+system("$REREGISTER") == 0
+    or fatal("Could not reregister certificates at the Clearinghouse");
+
+#
+# ReRegister our resources.
+#
+print "Registering resources at Clearinghouse\n";
+system("$SUDO -u $PROTOUSER $REGRESOURCES -r") == 0
+    or fatal("Could not reregister resources at the Clearinghouse");
+
+exit(0);
+
+
--- a/protogeni/scripts/updatecert.in
+++ b/protogeni/scripts/updatecert.in
+#!/usr/bin/perl -w
+#
+# GENIPUBLIC-COPYRIGHT
+# Copyright (c) 2011 University of Utah and the Flux Group.
+# All rights reserved.
+#
+use strict;
+use English;
+use Getopt::Std;
+
+#
+#
+#
+sub usage()
+{
+    print STDERR "Usage: $0 [-o output_file] <certfile>\n";
+    exit(-1);
+}
+my $optlist = "i:o:";
+my $ascm    = 0;
+my $outfile;
+my $tmpfile;
+
+# Configure ...
+my $TB		  = "@prefix@";
+my $PROTOUSER	  = "elabman";
+my $MKSYSCERT	  = "$TB/sbin/mksyscert";
+my $SUDO	  = "/usr/local/bin/sudo";
+my $CMCERT	  = "$TB/etc/genicm.pem";
+
+# Do this early so that we talk to the right DB. 
+use vars qw($GENI_DBNAME);
+BEGIN { $GENI_DBNAME = "geni"; }
+
+use lib '@prefix@/lib';
+use GeniCertificate;
+
+sub fatal($)
+{
+    my ($msg) = @_;
+
+    die("*** $0:\n".
+	"    $msg\n");
+}
+
+#
+# Parse command arguments. Once we return from getopts, all that should be
+# left are the required arguments.
+#
+my %options = ();
+if (! getopts($optlist, \%options)) {
+    usage();
+}
+if (defined($options{"o"})) {
+    $outfile = 1;
+}
+usage()
+    if (@ARGV != 1);
+my $infile = $ARGV[0];
+
+#
+# Load the input certificate.
+#
+my $certificate = GeniCertificate->LoadFromFile($infile);
+if (!defined($certificate)) {
+    fatal("Could not load certificate from $infile\n");
+}
+# Associate private key, to ensure its in the file.
+if ($certificate->LoadKeyFromFile($infile)) {
+    fatal("Could not load private key from $infile\n");
+}
+# Write key to a file by itself, for mksyscert.
+my $keyfile = $certificate->WriteKeyToFile() or
+    fatal("Could not write private key to new file");
+
+my $urn  = $certificate->urn();
+my $uuid = $certificate->uuid();
+my $url  = $certificate->URL();
+my $hrn  = $certificate->hrn();
+my $arg  = "-o ";
+
+if (defined($outfile)) {
+    $arg .= $outfile;
+}
+else {
+    #
+    # Temporary file, then rename to original.
+    #
+    $tmpfile = "/tmp/cert-$$.pem";
+    $arg .= $tmpfile;
+}
+system("$SUDO -u $PROTOUSER $MKSYSCERT $arg ".
+       "  -u $url -i $urn -k $keyfile $hrn $uuid" ) == 0
+    or fatal("Could not generate new certificate");
+
+if (defined($tmpfile)) {
+    system("/bin/mv -f $infile ${infile}.$$") == 0 or
+	fatal("Could not rename $infile");
+    system("/bin/cp -f $tmpfile $infile") == 0 or
+	fatal("Could not rename $tmpfile to $infile");
+}
+exit(0);
+
+