From 0bf47b73a63e36acc33485b36c33ae061ba724f2 Mon Sep 17 00:00:00 2001
From: Leigh B Stoller
Date: Fri, 29 Jul 2011 12:13:43 -0600
Subject: [PATCH] Add script to update existing certs using the original private keys, so make them peoper Version 3 certificate. Add a driver script to handle all the details of updating.
---
 protogeni/scripts/GNUmakefile.in | 3 +-
 protogeni/scripts/fixcerts.in | 124 +++++++++++++++++++++++++++++++
 protogeni/scripts/updatecert.in | 104 ++++++++++++++++++++++++++
 3 files changed, 230 insertions(+), 1 deletion(-)
 create mode 100644 protogeni/scripts/fixcerts.in
 create mode 100644 protogeni/scripts/updatecert.in
diff --git a/protogeni/scripts/GNUmakefile.in b/protogeni/scripts/GNUmakefile.in
index 61b77f767..9ca59797a 100644
--- a/protogeni/scripts/GNUmakefile.in
+++ b/protogeni/scripts/GNUmakefile.in
@@ -19,7 +19,8 @@ PSBIN_STUFF = register_resources expire_daemon gencrl postcrl \
 update reregister cleanupticket listhistory \
 register_sliver sa_daemon genadmincredential \
 getchcredential genallow_extcred advt-merge.py \
- reservevlans delgeniuser delegatecredential
+ reservevlans delgeniuser delegatecredential \
+ updatecert fixcerts
 ifeq ($(ISMAINSITE),1)
 PSBIN_STUFF += ch_daemon gencabundle
diff --git a/protogeni/scripts/fixcerts.in b/protogeni/scripts/fixcerts.in
new file mode 100644
index 000000000..457ca5bc3
--- /dev/null
+++ b/protogeni/scripts/fixcerts.in
@@ -0,0 +1,124 @@
+#!/usr/bin/perl -w
+#
+# GENIPUBLIC-COPYRIGHT
+# Copyright (c) 2011 University of Utah and the Flux Group.
+# All rights reserved.
+#
+use strict;
+use English;
+use Getopt::Std;
+
+#
+#
+#
+sub usage()
+{
+ print STDERR "Usage: $0\n";
+ exit(-1);
+}
+my $optlist = "";
+
+# Configure ...
+my $TB = "@prefix@";
+my $PROTOUSER = "elabman";
+my $MKSYSCERT = "$TB/sbin/mksyscert";
+my $UPDATECERT = "$TB/sbin/protogeni/updatecert";
+my $ADDAUTHORITY = "$TB/sbin/protogeni/addauthority";
+my $REREGISTER = "$TB/sbin/protogeni/reregister";
+my $REGRESOURCES = "$TB/sbin/protogeni/register_resources";
+my $SUDO = "/usr/local/bin/sudo";
+my $FETCH = "/usr/bin/fetch";
+my $CMCERT = "$TB/etc/genicm.pem";
+my $SACERT = "$TB/etc/genisa.pem";
+my $CHCERT = "$TB/etc/genich.pem";
+my $SESCERT = "$TB/etc/genises.pem";
+
+use lib '@prefix@/lib';
+use GeniCertificate;
+
+sub fatal($)
+{
+ my ($msg) = @_;
+
+ die("*** $0:\n".
+ " $msg\n");
+}
+
+#
+# Parse command arguments. Once we return from getopts, all that should be
+# left are the required arguments.
+#
+my %options = ();
+if (! getopts($optlist, \%options)) {
+ usage();
+}
+usage()
+ if (@ARGV);
+
+my $stash = "$TB/etc/fixcerts.$$";
+print "Creating backup directory: $stash\n";
+system("/bin/mkdir $stash") == 0 or
+ fatal("Could not mkdir $stash");
+
+print "Copying current certificates to backup directory\n";
+system("/bin/cp -p $CMCERT $SACERT $stash");
+system("/bin/cp -p $SESCERT $stash") if (-e $SESCERT);
+
+#
+# Grab the CH certificate from Utah.
+#
+print "Fetching clearinghouse certificate from Utah ...\n";
+system("$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem") == 0
+ or fatal("Could not fetch clearinghouse certificate from Utah");
+
+#
+# Update our local certs. Certs are updated in place, old one saved.
+#
+print "Updating $SESCERT\n";
+system("$UPDATECERT $SESCERT") == 0 or
+ fatal("Could not update $SESCERT");
+
+print "Updating $CMCERT\n";
+system("$UPDATECERT $CMCERT") == 0 or
+ fatal("Could not update $CMCERT");
+
+print "Updating $SACERT\n";
+system("$UPDATECERT $SACERT") == 0 or
+ fatal("Could not update $SACERT");
+
+#
+# Add certs to the local SA database.
+#
+print "Adding new certificates to SA database.\n";
+system("$ADDAUTHORITY $SACERT sa") == 0
+ or fatal("Could not add SA certificate to SA DB");
+system("$ADDAUTHORITY $CMCERT cm") == 0
+ or fatal("Could not add CM certificate to SA DB");
+system("$ADDAUTHORITY $SESCERT ses") == 0
+ or fatal("Could not add SES certificate to SA DB");
+
+#
+# Add certs to the local CM database.
+#
+print "Adding new certificates to CM database.\n";
+system("$ADDAUTHORITY -a $SACERT sa") == 0
+ or fatal("Could not add SA certificate to CM DB");
+system("$ADDAUTHORITY -a $CMCERT cm") == 0
+ or fatal("Could not add CM certificate to CM DB");
+
+#
+# ReRegister our certs at the CM.
+#
+system("$REREGISTER") == 0
+ or fatal("Could not reregister certificates at the Clearinghouse");
+
+#
+# ReRegister our resources.
+#
+print "Registering resources at Clearinghouse\n";
+system("$SUDO -u $PROTOUSER $REGRESOURCES -r") == 0
+ or fatal("Could not reregister resources at the Clearinghouse");
+
+exit(0);
+
+
diff --git a/protogeni/scripts/updatecert.in b/protogeni/scripts/updatecert.in
new file mode 100644
index 000000000..86cd7af91
--- /dev/null
+++ b/protogeni/scripts/updatecert.in
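Review bot: The clearinghouse certificate, the trust anchor everything after it registers against, is fetched over plain HTTP by `$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem` and written straight over the live file, so anyone on the path can substitute their own CA and nothing checks that what arrived even parses; unlike CM/SA/SES, the old CH cert is never copied to `$stash` either. Fetch into a scratch file, verify it loads with the same `GeniCertificate->LoadFromFile` updatecert uses, prefer HTTPS if boss.emulab.net serves it (or compare against a known fingerprint), and only then move it into place — sketched below. The backup `cp -p` results are also ignored, so a failed copy does not stop the in-place updates that follow, and `$stash` is created with whatever the umask gives although it will hold key-bearing PEMs (`/bin/mkdir -m 700 $stash`). Finally the SES backup is guarded by `-e $SESCERT` while `$UPDATECERT $SESCERT` and `$ADDAUTHORITY $SESCERT ses` are not, so a site without an SES cert dies partway through the update.
```perl
# … unchanged: configuration, option parsing, creation of $stash …
print "Copying current certificates to backup directory\n";
system("/bin/cp -p $CMCERT $SACERT $stash") == 0 or
    fatal("Could not back up $CMCERT and $SACERT");
if (-e $SESCERT) {
    system("/bin/cp -p $SESCERT $stash") == 0 or
        fatal("Could not back up $SESCERT");
}
if (-e $CHCERT) {
    system("/bin/cp -p $CHCERT $stash") == 0 or
        fatal("Could not back up $CHCERT");
}

#
# Grab the CH certificate from Utah into a scratch file and make sure it
# parses before it replaces the local trust anchor.
#
my $newch = "$stash/genich.pem.new";
print "Fetching clearinghouse certificate from Utah ...\n";
system("$FETCH -q -o $newch https://boss.emulab.net/genich.pem") == 0
    or fatal("Could not fetch clearinghouse certificate from Utah");
GeniCertificate->LoadFromFile($newch)
    or fatal("Fetched clearinghouse certificate does not parse");
system("/bin/mv -f $newch $CHCERT") == 0
    or fatal("Could not install $CHCERT");
# … unchanged: in-place updates, addauthority calls, reregister …
```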
@@ -0,0 +1,104 @@
+#!/usr/bin/perl -w
+#
+# GENIPUBLIC-COPYRIGHT
+# Copyright (c) 2011 University of Utah and the Flux Group.
+# All rights reserved.
+#
+use strict;
+use English;
+use Getopt::Std;
+
+#
+#
+#
+sub usage()
+{
+ print STDERR "Usage: $0 [-o output_file] \n";
+ exit(-1);
+}
+my $optlist = "i:o:";
+my $ascm = 0;
+my $outfile;
+my $tmpfile;
+
+# Configure ...
+my $TB = "@prefix@";
+my $PROTOUSER = "elabman";
+my $MKSYSCERT = "$TB/sbin/mksyscert";
+my $SUDO = "/usr/local/bin/sudo";
+my $CMCERT = "$TB/etc/genicm.pem";
+
+# Do this early so that we talk to the right DB.
+use vars qw($GENI_DBNAME);
+BEGIN { $GENI_DBNAME = "geni"; }
+
+use lib '@prefix@/lib';
+use GeniCertificate;
+
+sub fatal($)
+{
+ my ($msg) = @_;
+
+ die("*** $0:\n".
+ " $msg\n");
+}
+
+#
+# Parse command arguments. Once we return from getopts, all that should be
+# left are the required arguments.
+#
+my %options = ();
+if (! getopts($optlist, \%options)) {
+ usage();
+}
+if (defined($options{"o"})) {
+ $outfile = 1;
+}
+usage()
+ if (@ARGV != 1);
+my $infile = $ARGV[0];
+
+#
+# Load the input certificate.
+#
+my $certificate = GeniCertificate->LoadFromFile($infile);
+if (!defined($certificate)) {
+ fatal("Could not load certificate from $infile\n");
+}
+# Associate private key, to ensure its in the file.
+if ($certificate->LoadKeyFromFile($infile)) {
+ fatal("Could not load private key from $infile\n");
+}
+# Write key to a file by itself, for mksyscert.
+my $keyfile = $certificate->WriteKeyToFile() or
+ fatal("Could not write private key to new file");
+
+my $urn = $certificate->urn();
+my $uuid = $certificate->uuid();
+my $url = $certificate->URL();
+my $hrn = $certificate->hrn();
+my $arg = "-o ";
+
+if (defined($outfile)) {
+ $arg .= $outfile;
+}
+else {
+ #
+ # Temporary file, then rename to original.
+ #
+ $tmpfile = "/tmp/cert-$$.pem";
+ $arg .= $tmpfile;
+}
+system("$SUDO -u $PROTOUSER $MKSYSCERT $arg ".
+ " -u $url -i $urn -k $keyfile $hrn $uuid" ) == 0
+ or fatal("Could not generate new certificate");
+
+if (defined($tmpfile)) {
+ system("/bin/mv -f $infile ${infile}.$$") == 0 or
+ fatal("Could not rename $infile");
+ system("/bin/cp -f $tmpfile $infile") == 0 or
+ fatal("Could not rename $tmpfile to $infile");
+}
+exit(0);
+
+
-- 
GitLab
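Review bot: In the `else` branch the replacement certificate is written to the guessable path `/tmp/cert-$$.pem` in a world-writable directory by a process run under `sudo -u elabman` and then copied over the live cert with `cp -f`, so a local user who pre-creates or symlinks that name can interfere with what lands in `$infile` (how far depends on how mksyscert treats an existing `-o` target, which is not visible here), and `cp -f` into the freshly-vacated path gives the PEM — which, going by `LoadKeyFromFile($infile)`, is expected to carry the private key — the default umask rather than the original's mode. The stand-alone key from `$certificate->WriteKeyToFile()` and the temp cert are also never removed, and the `mv` then `cp` order means a failed copy leaves `$infile` missing. Build the temp file next to `$infile`, `unlink($keyfile)` immediately after the mksyscert call on every path, copy the original's mode onto the replacement, back the original up by copy and then `rename` into place — sketched below. Separately, `-o` cannot work as written: `$outfile = 1;` stores the flag rather than the path, so `$arg .= $outfile` hands mksyscert `-o 1`; it should be `$outfile = $options{"o"};`. The `i:` in `$optlist` and `$ascm` are declared but never used.
```perl
# … unchanged: option parsing, certificate/key loading, urn/uuid/url/hrn …
my $arg = "-o ";

if (defined($outfile)) {
    $arg .= $outfile;
}
else {
    # Build the replacement next to the original (same filesystem, not a
    # guessable name under world-writable /tmp) so the last step is an
    # atomic rename and a failed run leaves the live cert untouched.
    $tmpfile = "${infile}.new.$$";
    $arg .= $tmpfile;
}
my $rv = system("$SUDO -u $PROTOUSER $MKSYSCERT $arg ".
                " -u $url -i $urn -k $keyfile $hrn $uuid");
# The stand-alone private key is only needed by mksyscert; never leave it
# on disk, whatever the outcome.
unlink($keyfile);
$rv == 0 or fatal("Could not generate new certificate");

if (defined($tmpfile)) {
    # Carry the original's mode bits onto the replacement, keep a backup
    # copy of the original, then swap atomically.
    chmod((stat($infile))[2] & 07777, $tmpfile) or
        fatal("Could not set permissions on $tmpfile");
    system("/bin/cp -p $infile ${infile}.$$") == 0 or
        fatal("Could not back up $infile");
    rename($tmpfile, $infile) or
        fatal("Could not rename $tmpfile to $infile: $!");
}
exit(0);
```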