Commit 427c9538 authored by Gary Wong's avatar Gary Wong

Turn off the CA flag for any GENI certificate that doesn't strictly need it.

parent dca4e2e6
......@@ -23,7 +23,8 @@ use libtestbed;
sub usage()
{
print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
"[-u url] [-i urn] [-k keyfile] [-a authority] <orgunit> [uuid]\n");
"[-u url] [-i urn] [-k keyfile] [-a authority] <orgunit> " .
"[-n] [uuid]\n");
exit(-1);
}
my $debug = 0;
......@@ -35,6 +36,7 @@ my @urls;
my $urn;
my $oldkeyfile;
my $authority;
my $notca = 0;
my %optlist = ( "debug" => \$debug,
"password=s" => \$password,
"output=s" => \$outfile,
......@@ -43,7 +45,8 @@ my %optlist = ( "debug" => \$debug,
"url=s" => \@urls,
"identifier=s" => \$urn,
"keyfile=s" => \$oldkeyfile,
"authority=s" => \$authority );
"authority=s" => \$authority,
"notca" => \$notca );
#
# Configure variables
......@@ -159,6 +162,8 @@ if (@ARGV < 1) {
my $orgunit = shift(@ARGV);
my $uuid = (@ARGV ? shift(@ARGV) : undef);
my $is_ca = !$notca;
# Moved before uuid generation. Might be a race, might not.
TBScriptLock("mkusercert") == 0 or
fatal("Could not get the lock!");
......@@ -213,6 +218,9 @@ system("cp -f $TEMPLATE syscert.cnf") == 0
open(TEMP, ">>syscert.cnf")
or fatal("Could not open $TEMPLATE for append: $!");
print TEMP "basicConstraints=critical,CA:" .
( $is_ca ? "TRUE" : "FALSE" ) . "\n\n";
if (@urls) {
my $count = 0;
foreach( @urls ) {
......
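Review bot: `my $is_ca = !$notca;` keeps CA:TRUE as the default, so every caller of mksyscert that is not updated to pass `-n` still mints a CA-capable certificate; the commit title says the flag should be off wherever it is not strictly needed, which suggests the safer shape is CA opt-in (`my $is_ca = $wantca;`) with the one authority call site passing the flag, though that depends on callers outside this diff. The same default-on choice surfaces in the `print TEMP "basicConstraints=critical,CA:" . ( $is_ca ? "TRUE" : "FALSE" )` hunk. The usage text also gives no hint what `-n` does; `"[-n (no CA flag)] [uuid]\n"` would make the option discoverable. The `print TEMP` result is not checked, so a failed append would silently leave the template without a basicConstraints line; `print TEMP ... or fatal("Could not write syscert.cnf: $!");` matches the surrounding error style.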
......@@ -176,7 +176,11 @@ sub Create($$;$)
if (!defined($uuid));
$url = (defined($url) ? "-u $url" : "");
if (! open(CERT, "$MKCERT -i \"$urn\" $url -e \"$email\" $hrn $uuid |")) {
my ($authority, $type, $name) = GeniHRN::Parse($urn);
my $caflag = $type eq "authority" ? "" : "-n";
if (! open(CERT, "$MKCERT $caflag -i \"$urn\" $url -e \"$email\" $hrn " .
"$uuid |")) {
print STDERR "Could not start $MKCERT\n";
return undef;
}
......
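Review bot: The rewritten `open(CERT, "$MKCERT $caflag -i \"$urn\" $url -e \"$email\" $hrn " . "$uuid |")` still builds a shell command line from `$urn`, `$email`, `$hrn` and `$uuid` with only double quotes as protection, so any of those values containing a quote or shell metacharacter changes what runs; the list form of the pipe open passes the arguments without a shell and removes that whole class of problem. `$type eq "authority"` also warns (and picks `-n`) when GeniHRN::Parse returns nothing, which is the safe direction but should be explicit with `defined($type)`. The rewrite below assumes `$MKCERT` is a bare program path with no embedded flags, and it replaces the `$url = (defined($url) ? "-u $url" : "")` line so the URL is passed as two argv entries. `Create` begins and ends outside this hunk.
```perl
my ($authority, $type, $name) = GeniHRN::Parse($urn);
# Only authority certificates keep the CA flag; anything unparseable is non-CA.
my @mkcert_cmd = ($MKCERT);
push(@mkcert_cmd, "-n") unless (defined($type) && $type eq "authority");
push(@mkcert_cmd, "-i", $urn);
push(@mkcert_cmd, "-u", $url) if (defined($url));
push(@mkcert_cmd, "-e", $email, $hrn, $uuid);
# List-form pipe open: no shell, so argument contents cannot alter the command.
if (! open(CERT, "-|", @mkcert_cmd)) {
# ... unchanged: error report and return undef ...
```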
......@@ -12,8 +12,7 @@ oid_section = protogeni_oids
[ protogeni_oids ]
xmlrpc = 2.25.305821105408246119474742976030998643995
# This will be appended to by mkusercert.
# This will be appended to by mksyscert.
[ request_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
subjectAltName=@req_altname
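Review bot: If, as the hunk's -8/+7 line counts suggest, `basicConstraints=critical,CA:TRUE` is the line dropped from `[ request_extensions ]`, the template on its own no longer carries any basicConstraints extension and relies entirely on mksyscert appending one; any other script that still renders this template would produce certificates with the extension absent, which RFC 5280 treats as non-CA, so the failure direction is safe but worth confirming against the template's other consumers. The updated comment `# This will be appended to by mksyscert.` could state what is appended so a reader of the template is not surprised by the missing line, e.g. `# basicConstraints (CA:TRUE/FALSE) and subjectAltName entries are appended by mksyscert.`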