diff --git a/account/mksyscert.in b/account/mksyscert.in
index 92289fcf1e6ff28788143c4d2b200351121472f7..d520dc9ff0541e1938c28e9721e9e15f27f1cab5 100644
--- a/account/mksyscert.in
+++ b/account/mksyscert.in
@@ -22,14 +22,17 @@ use User;
 #
 sub usage()
 {
-    print("Usage: mksyscert [-d] [-o file] [-p password] [uuid]\n");
+    print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
+          "[-u url] [-a authority] [uuid]\n");
     exit(-1);
 }
-my $optlist = "dp:o:e";
+my $optlist = "dp:o:ve:u:a:";
 my $debug = 0;
 my $printcert= 0;
 my $outfile;
 my $password = "";
+my $email;
+my $url;
 #
 # Configure variables
@@ -38,19 +41,23 @@ my $TB = "@prefix@";
 my $TBOPS = "@TBOPSEMAIL@";
 my $TBLOGS = "@TBLOGSEMAIL@";
 my $OURDOMAIN = "@OURDOMAIN@";
+my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
+my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
 my $CONTROL = "@USERNODE@";
 my $BOSSNODE = "@BOSSNODE@";
 # Locals
 my $USERDIR = USERROOT();
 my $SSLDIR = "$TB/lib/ssl";
-my $TEMPLATE = "$SSLDIR/usercert.cnf";
+my $TEMPLATE = "$SSLDIR/syscert.cnf";
 my $CACONFIG = "$SSLDIR/ca.cnf";
 my $EMULAB_CERT = "$TB/etc/emulab.pem";
 my $EMULAB_KEY = "$TB/etc/emulab.key";
 my $OPENSSL = "/usr/bin/openssl";
 my $WORKDIR = "$TB/ssl";
 my $SAVEUID = $UID;
+my $certfile = $EMULAB_CERT;
+my $keyfile = $EMULAB_KEY;
 # Locals
 my $encrypted = 0;
@@ -105,12 +112,29 @@ if (defined($options{"o"})) {
     else {
         die("Tainted arguments: $outfile\n");
     }
-
 }
 if (defined($options{"d"})) {
     $debug = 1;
 }
 if (defined($options{"e"})) {
+    $email = $options{"e"};
+}
+if (defined($options{"a"})) {
+    my $authority = $options{"a"};
+    if ($authority =~ /^([-\w\.\/]+)$/) {
+        $authority = $1;
+    }
+    else {
+        die("Tainted arguments: $authority\n");
+    }
+    $certfile = $authority;
+    $keyfile = $authority;
+}
+if (defined($options{"u"})) {
+    $url = $options{"u"};
+}
+if (defined($options{"v"})) {
     $printcert = 1;
 }
 if (defined($options{"p"})) {
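Review bot: The `-e` and `-u` values are assigned straight from `$options{"e"}` and `$options{"u"}` into `$email` and `$url` without the untaint check that `-o` and `-a` receive in the same hunk, and the later hunk at `print TEMP "emailAddress\t= $email\n"` and `print TEMP "URI=$url\n\n"` writes them verbatim into syscert.cnf, which `openssl req -config syscert.cnf` then parses. A value carrying a newline or a `[` can therefore add directives or whole sections to the request config; taint mode does not catch this because printing tainted data to a file handle is allowed. Validate both against an anchored pattern and reassign from the capture, the way `$authority` is handled, tightening the character classes below to whatever form this deployment actually expects. Separately, the `-a` pattern accepts any absolute path and that file is read by the signing step after `$UID = 0`; if callers of mksyscert are not already limited to administrators, it seems worth confining `$authority` to the `$SSLDIR` or `$TB/etc` area.
```perl
if (defined($options{"e"})) {
    if ($options{"e"} =~ /^([-\w.+]+\@[-\w.]+)$/) {
        $email = $1;
    }
    else {
        die("Tainted arguments: $options{'e'}\n");
    }
}
# … unchanged: -a handling …
if (defined($options{"u"})) {
    if ($options{"u"} =~ /^([-\w.:\/~%+]+)$/) {
        $url = $1;
    }
    else {
        die("Tainted arguments: $options{'u'}\n");
    }
}
```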
@@ -152,6 +176,9 @@ if (!defined($uuid)) {
 if (!($uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
     fatal("uuid not in proper format");
 }
+if (!defined($email)) {
+    $email = $TBOPS;
+}
 #
 # CD to the workdir, and then serialize on the lock file since there is
@@ -197,6 +224,13 @@ open(TEMP, ">>syscert.cnf")
 print TEMP "OU\t\t= $orgunit\n";
 print TEMP "CN\t\t= $uuid\n";
+print TEMP "emailAddress\t= $email\n";
+
+print TEMP "\n";
+print TEMP "[ req_altname ]\n";
+if (defined($url)) {
+    print TEMP "URI=$url\n\n";
+}
 close(TEMP)
     or fatal("Could not close syscert.cnf: $!");
@@ -206,7 +240,7 @@ my $outline = ($debug ? "" : ">/dev/null 2>&1");
 #
 # Create a client side private key and certificate request.
 #
-system("$OPENSSL req -new -config syscert.cnf ".
+system("$OPENSSL req -text -new -config syscert.cnf ".
        ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
        " -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
     or fatal("Could not create certificate request");
@@ -216,8 +250,8 @@ system("$OPENSSL req -new -config syscert.cnf ".
 #
 $UID = 0;
 system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
-       " -name CA_usercerts -config $CACONFIG ".
-       " -out syscert_cert.pem -cert $EMULAB_CERT -keyfile $EMULAB_KEY ".
+       " -name CA_syscerts -config $CACONFIG ".
+       " -out syscert_cert.pem -cert $certfile -keyfile $keyfile ".
        " -infiles syscert_req.pem $outline") == 0
     or fatal("Could not sign certificate request");
 $UID = $SAVEUID;
diff --git a/account/mkusercert.in b/account/mkusercert.in
index 60ab32a5c2c4c07a8431273d996f0c8e9c9c923e..f8f2dd27046a052b653dc1441f083126025b770d 100644
--- a/account/mkusercert.in
+++ b/account/mkusercert.in
@@ -38,6 +38,8 @@ my $TB = "@prefix@";
 my $TBOPS = "@TBOPSEMAIL@";
 my $TBLOGS = "@TBLOGSEMAIL@";
 my $OURDOMAIN = "@OURDOMAIN@";
+my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
+my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
 my $CONTROL = "@USERNODE@";
 my $BOSSNODE = "@BOSSNODE@";
 my $OU = "sslxmlrpc"; # orgunit
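Review bot: The `[ req_altname ]` header is printed unconditionally, so when `-u` is not given syscert.cnf ends in an empty section; if the syscert.cnf template (outside this diff) points its request extensions at `@req_altname`, OpenSSL is likely to reject a section with no values, and if it does not reference it the two prints are dead weight. Either way the section only makes sense together with the URI, so emit both under the same guard: `if (defined($url)) { print TEMP "\n[ req_altname ]\nURI=$url\n\n"; }`. The `$url` and `$email` values written here are the unvalidated option strings flagged at the option-parsing hunk above.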
@@ -245,8 +247,14 @@ system("cp -f $TEMPLATE usercert.cnf") == 0
 open(TEMP, ">>usercert.cnf")
     or fatal("Could not open $TEMPLATE for append: $!");
-print TEMP "OU\t\t= $OU\n";
+if ($PGENISUPPORT) {
+    print TEMP "OU\t\t= $PGENIDOMAIN.$user_uid\n";
+}
+else {
+    print TEMP "OU\t\t= $user_uid\n";
+}
 print TEMP "CN\t\t= $user_uuid\n";
+print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
 close(TEMP)
     or fatal("Could not close usercert.cnf: $!");
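Review bot: The two `print TEMP "OU\t\t= ..."` branches differ only in the value, so compute it once and print once: `my $ou = ($PGENISUPPORT ? "$PGENIDOMAIN.$user_uid" : $user_uid);` followed by `print TEMP "OU\t\t= $ou\n";`, and the three-piece concatenation on the emailAddress line collapses to `print TEMP "emailAddress\t= $user_uid\@$OURDOMAIN\n";`. With `$OU` no longer written here, the `my $OU = "sslxmlrpc"; # orgunit` declaration kept by the earlier hunk in this file appears to have no remaining reader in the visible hunks; drop it if nothing else in the file uses it. `$user_uid` is defined outside this hunk and now lands verbatim in both the OU and emailAddress fields of usercert.cnf, so whatever validation it gets upstream is worth confirming before it reaches the OpenSSL config.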