Commit cbee4c88 authored by Leigh B. Stoller

Some small protogeni related changes.

parent 617862da
...@@ -22,14 +22,17 @@ use User; ...@@ -22,14 +22,17 @@ use User;
# #
sub usage() sub usage()
{ {
print("Usage: mksyscert [-d] [-o file] [-p password] <orgunit> [uuid]\n"); print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
"[-u url] [-a authority] <orgunit> [uuid]\n");
exit(-1); exit(-1);
} }
my $optlist = "dp:o:e"; my $optlist = "dp:o:ve:u:a:";
my $debug = 0; my $debug = 0;
my $printcert= 0; my $printcert= 0;
my $outfile; my $outfile;
my $password = ""; my $password = "";
my $email;
my $url;
# #
# Configure variables # Configure variables
...@@ -38,19 +41,23 @@ my $TB = "@prefix@"; ...@@ -38,19 +41,23 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@"; my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@"; my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@"; my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $CONTROL = "@USERNODE@"; my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@"; my $BOSSNODE = "@BOSSNODE@";
# Locals # Locals
my $USERDIR = USERROOT(); my $USERDIR = USERROOT();
my $SSLDIR = "$TB/lib/ssl"; my $SSLDIR = "$TB/lib/ssl";
my $TEMPLATE = "$SSLDIR/usercert.cnf"; my $TEMPLATE = "$SSLDIR/syscert.cnf";
my $CACONFIG = "$SSLDIR/ca.cnf"; my $CACONFIG = "$SSLDIR/ca.cnf";
my $EMULAB_CERT = "$TB/etc/emulab.pem"; my $EMULAB_CERT = "$TB/etc/emulab.pem";
my $EMULAB_KEY = "$TB/etc/emulab.key"; my $EMULAB_KEY = "$TB/etc/emulab.key";
my $OPENSSL = "/usr/bin/openssl"; my $OPENSSL = "/usr/bin/openssl";
my $WORKDIR = "$TB/ssl"; my $WORKDIR = "$TB/ssl";
my $SAVEUID = $UID; my $SAVEUID = $UID;
my $certfile = $EMULAB_CERT;
my $keyfile = $EMULAB_KEY;
# Locals # Locals
my $encrypted = 0; my $encrypted = 0;
...@@ -105,12 +112,29 @@ if (defined($options{"o"})) { ...@@ -105,12 +112,29 @@ if (defined($options{"o"})) {
else { else {
die("Tainted arguments: $outfile\n"); die("Tainted arguments: $outfile\n");
} }
} }
if (defined($options{"d"})) { if (defined($options{"d"})) {
$debug = 1; $debug = 1;
} }
if (defined($options{"e"})) { if (defined($options{"e"})) {
$email = $options{"e"};
}
if (defined($options{"a"})) {
my $authority = $options{"a"};
if ($authority =~ /^([-\w\.\/]+)$/) {
$authority = $1;
}
else {
die("Tainted arguments: $authority\n");
}
$certfile = $authority;
$keyfile = $authority;
}
if (defined($options{"u"})) {
$url = $options{"u"};
}
if (defined($options{"v"})) {
$printcert = 1; $printcert = 1;
} }
if (defined($options{"p"})) { if (defined($options{"p"})) {
...@@ -152,6 +176,9 @@ if (!defined($uuid)) { ...@@ -152,6 +176,9 @@ if (!defined($uuid)) {
if (!($uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) { if (!($uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
fatal("uuid not in proper format"); fatal("uuid not in proper format");
} }
if (!defined($email)) {
$email = $TBOPS;
}
# #
# CD to the workdir, and then serialize on the lock file since there is # CD to the workdir, and then serialize on the lock file since there is
...@@ -197,6 +224,13 @@ open(TEMP, ">>syscert.cnf") ...@@ -197,6 +224,13 @@ open(TEMP, ">>syscert.cnf")
print TEMP "OU\t\t= $orgunit\n"; print TEMP "OU\t\t= $orgunit\n";
print TEMP "CN\t\t= $uuid\n"; print TEMP "CN\t\t= $uuid\n";
print TEMP "emailAddress\t= $email\n";
print TEMP "\n";
print TEMP "[ req_altname ]\n";
if (defined($url)) {
print TEMP "URI=$url\n\n";
}
close(TEMP) close(TEMP)
or fatal("Could not close syscert.cnf: $!"); or fatal("Could not close syscert.cnf: $!");
...@@ -206,7 +240,7 @@ my $outline = ($debug ? "" : ">/dev/null 2>&1"); ...@@ -206,7 +240,7 @@ my $outline = ($debug ? "" : ">/dev/null 2>&1");
# #
# Create a client side private key and certificate request. # Create a client side private key and certificate request.
# #
system("$OPENSSL req -new -config syscert.cnf ". system("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") . ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
" -keyout syscert_key.pem -out syscert_req.pem $outline") == 0 " -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request"); or fatal("Could not create certificate request");
...@@ -216,8 +250,8 @@ system("$OPENSSL req -new -config syscert.cnf ". ...@@ -216,8 +250,8 @@ system("$OPENSSL req -new -config syscert.cnf ".
# #
$UID = 0; $UID = 0;
system("$OPENSSL ca -batch -policy policy_sslxmlrpc ". system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
" -name CA_usercerts -config $CACONFIG ". " -name CA_syscerts -config $CACONFIG ".
" -out syscert_cert.pem -cert $EMULAB_CERT -keyfile $EMULAB_KEY ". " -out syscert_cert.pem -cert $certfile -keyfile $keyfile ".
" -infiles syscert_req.pem $outline") == 0 " -infiles syscert_req.pem $outline") == 0
or fatal("Could not sign certificate request"); or fatal("Could not sign certificate request");
$UID = $SAVEUID; $UID = $SAVEUID;
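Review bot: The new `-u` and `-e` options are assigned straight from `%options` without the taint check that the same hunk applies to `-a`, yet both values are appended verbatim to syscert.cnf in the `@@ -197,6 +224,13 @@` hunk (`emailAddress\t= $email`, `URI=$url`), so a value carrying a newline would add further directives to the configuration that `openssl req -config syscert.cnf` then reads. Mirror the `-a` handling, e.g. `if ($options{"u"} =~ /^(\S+)\z/) { $url = $1; } else { die("Tainted arguments: $options{'u'}\n"); }`, and the same shape for `-e` with a pattern suited to an address. In the `-a` branch the pattern `[-\w\.\/]+` still admits relative paths and `..` segments, and the file it names is handed to `openssl ca` while `$UID` is 0; if the authority PEM is expected under a known directory, anchor the check to that prefix. The same path is passed as both `-cert` and `-keyfile`, which presumably means that file holds the certificate and its key together — a one-line comment where `$certfile`/`$keyfile` are assigned would make that contract explicit.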
...@@ -38,6 +38,8 @@ my $TB = "@prefix@"; ...@@ -38,6 +38,8 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@"; my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@"; my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@"; my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $CONTROL = "@USERNODE@"; my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@"; my $BOSSNODE = "@BOSSNODE@";
my $OU = "sslxmlrpc"; # orgunit my $OU = "sslxmlrpc"; # orgunit
...@@ -245,8 +247,14 @@ system("cp -f $TEMPLATE usercert.cnf") == 0 ...@@ -245,8 +247,14 @@ system("cp -f $TEMPLATE usercert.cnf") == 0
open(TEMP, ">>usercert.cnf") open(TEMP, ">>usercert.cnf")
or fatal("Could not open $TEMPLATE for append: $!"); or fatal("Could not open $TEMPLATE for append: $!");
print TEMP "OU\t\t= $OU\n"; if ($PGENISUPPORT) {
print TEMP "OU\t\t= $PGENIDOMAIN.$user_uid\n";
}
else {
print TEMP "OU\t\t= $user_uid\n";
}
print TEMP "CN\t\t= $user_uuid\n"; print TEMP "CN\t\t= $user_uuid\n";
print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
close(TEMP) close(TEMP)
or fatal("Could not close usercert.cnf: $!"); or fatal("Could not close usercert.cnf: $!");
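Review bot: `my $PGENISUPPORT= @PROTOGENI_SUPPORT@;` depends on configure substituting a bare Perl literal; an empty or non-numeric substitution makes the whole script fail to compile instead of taking the `else` branch, so `my $PGENISUPPORT = "@PROTOGENI_SUPPORT@";` tested for truthiness is the more robust form (the identical line is added to mksyscert in this commit). With the OU now built from `$user_uid`, `$OU = "sslxmlrpc"` from the earlier hunk no longer appears to be read in this hunk; if nothing outside the shown lines uses it, drop it or comment what it is for. The new email line can be written as one string, `print TEMP "emailAddress\t= $user_uid\@$OURDOMAIN\n";`, since `\@` interpolates cleanly. The values `$user_uid` and `$user_uuid` are validated, if at all, outside this hunk, so I cannot confirm from here that they are safe to write into the config.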