#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2009 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use Getopt::Long;

#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use libaudit;
use emutil;
use libtestbed;

#
# Create system SSL certificates.
# 
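sub usage()
{
    # Print the command synopsis and exit with a failure status.  The
    # option names are the Getopt::Long long forms given in %optlist; the
    # single-letter forms work because Getopt::Long accepts any unique
    # abbreviation.  -v (verbose) additionally prints the signed
    # certificate when -o is given.
    print("Usage: mksyscert [-d] [-v] [-o file] [-p password] [-e email] ".
	  "[-u url] [-i urn] [-k keyfile] [-a authority] <orgunit> [uuid]\n");
    exit(-1);
}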
#
# Command-line option storage. Each %optlist entry maps a Getopt::Long
# spec to the variable that receives the value; usage() lists the
# single-letter forms.
#
my $debug     = 0;	# -d: leave the openssl output on the terminal
my $printcert = 0;	# -v: also print the signed cert when -o is given
my $password  = "";	# -p: passphrase used to encrypt the new key
my @urls      = ();	# -u: may be repeated, one authorityInfoAccess each
my $outfile;		# -o: where the combined key+cert is written
my $email;		# -e: emailAddress in the subject (defaults to TBOPS)
my $urn;		# -i: URI entry for the [ req_altname ] section
my $oldkeyfile;		# -k: reuse an existing private key
my $authority;		# -a: file holding the signing cert and its key
my %optlist = (
    "debug"        => \$debug,
    "verbose"      => \$printcert,
    "password=s"   => \$password,
    "output=s"     => \$outfile,
    "email=s"      => \$email,
    "url=s"        => \@urls,
    "identifier=s" => \$urn,
    "keyfile=s"    => \$oldkeyfile,
    "authority=s"  => \$authority,
);

#
# Configure variables
#
my $TB          = "@prefix@";
my $TBOPS       = "@TBOPSEMAIL@";	# default emailAddress for the cert
my $TBLOGS      = "@TBLOGSEMAIL@";	# not referenced below
my $OURDOMAIN   = "@OURDOMAIN@";	# not referenced below
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";	# not referenced below
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;	# not referenced below

#
# Locals: the openssl config templates and the CA material. The signing
# cert/key default to the Emulab ones; -a overrides both with one file.
#
my $SSLDIR      = $TB . "/lib/ssl";
my $TEMPLATE    = $SSLDIR . "/syscert.cnf";	# copied, then appended to
my $CACONFIG    = $SSLDIR . "/ca.cnf";		# handed to "openssl ca"
my $EMULAB_CERT = $TB . "/etc/emulab.pem";
my $EMULAB_KEY  = $TB . "/etc/emulab.key";
my $OPENSSL     = "/usr/bin/openssl";
my $WORKDIR     = $TB . "/ssl";			# we chdir here and lock
my $SAVEUID     = $UID;				# restored after signing
my $certfile    = $EMULAB_CERT;
my $keyfile     = $EMULAB_KEY;

# Locals: set when -p supplies a passphrase for the new key.
my $encrypted   = 0;
my $sh_password = "";

#
# We don't want to run this script unless its the real version.
#
die("*** $0:\n".
    "    Must be setuid! Maybe its a development version?\n")
    unless $EUID == 0;

#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
#
die("*** $0:\n".
    "    Please do not run this as root! Its already setuid!\n")
    if $UID == 0;

#
# Untaint the path: a fixed search path and none of the variables the
# shell would otherwise read from the caller's environment.
#
$ENV{'PATH'} = join(":", "$TB/bin", "$TB/sbin",
		    "/bin", "/usr/bin", "/usr/bin", "/usr/sbin");
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

#
# Turn off line buffering on output
#
$OUTPUT_AUTOFLUSH = 1;

#
# Function prototypes
#
sub fatal($);

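#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
GetOptions( %optlist ) or usage();

#
# Every value below ends up either on an openssl command line or inside
# syscert.cnf, so each one is checked against an explicit character class
# and reassigned from the capture. File names keep the class this script
# has always used; the free-text values only need to be printable ASCII,
# which in particular rules out a newline that would otherwise start a
# new directive in syscert.cnf.
#
if( defined( $outfile ) ) {
    if ($outfile =~ /^([-\w\.\/]+)$/) {
	$outfile = $1;
    }
    else {
	die("Tainted arguments: $outfile\n");
    }
}
if( defined( $oldkeyfile ) ) {
    if ($oldkeyfile =~ /^([-\w\.\/]+)$/) {
	$oldkeyfile = $1;
    }
    else {
	die("Tainted arguments: $oldkeyfile\n");
    }
}
if( defined( $authority ) ) {
    if ($authority =~ /^([-\w\.\/]+)$/) {
	$authority = $1;
    }
    else {
	die("Tainted arguments: $authority\n");
    }
    # One file holds both the signing certificate and its key.
    $certfile = $authority;
    $keyfile  = $authority;
}
if( $password ) {
    #
    # Make sure its all escaped since any printable char is allowed.
    #
    if ($password =~ /^([\040-\176]*)$/) {
	$password = $1;
    }
    else {
	die("Tainted argument: $password\n");
    }
    # Single-quoted form for the shell: every ' becomes '\''.
    $sh_password = $password;
    $sh_password =~ s/\'/\'\\\'\'/g;
    $encrypted = 1;
}
if( defined( $urn ) ) {
    # Written verbatim as a URI into the [ req_altname ] section.
    if ($urn =~ /^([\041-\176]+)$/) {
	$urn = $1;
    }
    else {
	die("Tainted arguments: $urn\n");
    }
}
foreach my $url (@urls) {
    # Each one becomes an authorityInfoAccess URI in syscert.cnf.
    if ($url =~ /^([\041-\176]+)$/) {
	$url = $1;
    }
    else {
	die("Tainted arguments: $url\n");
    }
}
if (@ARGV < 1) {
    usage();
}
my $orgunit = shift(@ARGV);
my $uuid    = (@ARGV ? shift(@ARGV) : undef);

# The OU is placed in double quotes in syscert.cnf, so a quote would end
# the value early; reject it along with anything non-printable.
if ($orgunit =~ /^([\040-\041\043-\176]+)$/) {
    $orgunit = $1;
}
else {
    die("Tainted arguments: $orgunit\n");
}

# Generate/confirm uuid
if (!defined($uuid)) {
    $uuid = NewUUID();
    if (!defined($uuid)) {
	fatal("Could not generate a new uuid");
    }
}
# Becomes the CN, so keep it to the characters a uuid can contain.
if ($uuid =~ /^([-\w]+)$/) {
    $uuid = $1;
}
else {
    die("Tainted arguments: $uuid\n");
}
if (!defined($email)) {
    $email = $TBOPS;
}
# Goes into the emailAddress attribute of the subject.
if ($email =~ /^([\040-\176]+)$/) {
    $email = $1;
}
else {
    die("Tainted arguments: $email\n");
}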

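#
# CD to the workdir, and then serialize on the lock file since there is
# some shared goop that the ssl tools muck with (serial number, index, etc.).
# 
chdir("$WORKDIR") or
    fatal("Could not chdir to $WORKDIR: $!");

# Same lock name as mkusercert: both scripts share the serial/index files.
TBScriptLock("mkusercert") == 0 or
    fatal("Could not get the lock!");

#
# Need an index file, which is the openssl version of the DB.
#
if (! -e "index.txt") {
    open(my $ind, ">", "index.txt")
	or fatal("Could not create index.txt: $!");
    close($ind);
}

#
# We have to figure out what the next serial number will be and write
# that into the file. We could let "ca' keep track, but with devel
# trees, we might end up with duplicate serial numbers.
#
# XXX Shared with mkusercert ...
#
my $serial = TBGetUniqueIndex("user_sslcerts");

open(my $ser, ">", "serial")
    or fatal("Could not create new serial file: $!");
printf {$ser} "%08x\n", $serial;
# Buffered write errors only surface at close, so check it.
close($ser)
    or fatal("Could not write serial file: $!");

#
# Create a template conf file: start from the site template and append
# the per-certificate sections below.
#
system("cp -f $TEMPLATE syscert.cnf") == 0
    or fatal("Could not copy $TEMPLATE to current dir");

open(my $temp, ">>", "syscert.cnf")
    or fatal("Could not open syscert.cnf for append: $!");

#
# Everything printed below is interpolated verbatim into the config file
# that "openssl req" reads, so these values must not contain a newline
# (each one would start a new directive); they are only as safe as the
# checks applied to the command-line arguments before this point.
#
foreach my $url ( @urls ) {
    # unregistered OID 2.25.305821105408246119474742976030998643995
    # (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
    # is used to indicate generic ProtoGENI XMLRPC servers.
    # NOTE(review): this emits one authorityInfoAccess key per URL in the
    # same section; confirm openssl honors all of them rather than the last.
    print {$temp} "authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$url\n";
}

print {$temp} "\n";
print {$temp} "[ req_distinguished_name ]\n";
print {$temp} "C\t\t=@SSLCERT_COUNTRY@\n";
print {$temp} "ST\t\t=@SSLCERT_STATE@\n";
print {$temp} "L\t\t=@SSLCERT_LOCALITY@\n";
print {$temp} "O\t\t=@SSLCERT_ORGNAME@\n";
print {$temp} "OU\t\t= \"$orgunit\"\n";
print {$temp} "CN\t\t= $uuid\n";
print {$temp} "emailAddress\t= $email\n";

print {$temp} "\n";
print {$temp} "[ req_altname ]\n";
print {$temp} "URI=$urn\n" if defined( $urn );
print {$temp} "\n";

close($temp)
    or fatal("Could not close syscert.cnf: $!");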

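# Redirect output unless in debugging mode.
my $outline = ($debug ? "" : ">/dev/null 2>&1");

#
# Hand the passphrase to openssl through the environment rather than on
# its command line, where any user on the machine can read it from the
# process list while openssl runs. The variable is removed again below.
#
my $passopt = " -nodes ";
if ($encrypted) {
    $ENV{'MKSYSCERT_PASS'} = $password;
    $passopt = " -passout env:MKSYSCERT_PASS ";
}

if( defined( $oldkeyfile ) ) {
    #
    # Create a certificate request using the specified key.
    #
    # NOTE(review): with -key no new key is written, so -passout has no
    # effect on this path; an encrypted old key would need -passin
    # instead. Confirm what callers actually pass with -k.
    #
    system("$OPENSSL req -text -new -key $oldkeyfile -config syscert.cnf ".
	   $passopt .
	   " -out syscert_req.pem $outline") == 0
	   or fatal("Could not create certificate request");
    # The key is copied next to the request so the final "cat" picks it
    # up; a failed copy must not let a stale syscert_key.pem through.
    system("cp $oldkeyfile syscert_key.pem") == 0
	or fatal("Could not copy $oldkeyfile to syscert_key.pem");
} else {
    #
    # Create a client side private key and certificate request.
    #
    system("$OPENSSL req -text -new -config syscert.cnf ".
	   $passopt .
	   " -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
	   or fatal("Could not create certificate request");
}
delete $ENV{'MKSYSCERT_PASS'};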

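#
# Sign the client cert request, creating a client certificate. The real
# uid is raised to 0 for just this call (presumably so the signing key can
# be read) and restored right after.
#
$UID = 0;
system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
       " -name CA_syscerts -config $CACONFIG ".
       " -out syscert_cert.pem -cert $certfile -keyfile $keyfile ".
       " -infiles syscert_req.pem $outline") == 0
    or fatal("Could not sign certificate request");
$UID = $SAVEUID;
TBScriptUnlock();

#
# Combine the key and the certificate into one file.
#
# NOTE(review): the combined file holds the private key but is created
# with the caller's umask; check what mode the install target expects
# before tightening it here.
#
if (defined($outfile)) {
    system("cat syscert_key.pem syscert_cert.pem > $outfile") == 0
	or fatal("Could not combine cert and key into one file");

    if ($printcert) {
	system("cat syscert_cert.pem") == 0
	    or fatal("Could not print certificate");
    }
}
else {
    system("cat syscert_key.pem syscert_cert.pem") == 0
	or fatal("Could not combine cert and key");
}
exit(0);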

sub fatal($) {
    # Release the script lock and die with the message prefixed by the
    # program name. TBScriptUnlock() is called whether or not the lock
    # was ever taken, so it is assumed to tolerate that. Never returns.
    my ($mesg) = @_;

    TBScriptUnlock();
    die "*** $0:\n    $mesg\n";
}