Commit 627660da authored by Gary Wong's avatar Gary Wong

Add more URN support: mainly on the clearinghouse side, and

communication with the clearinghouse, and modifications to the
certificate format (put the URN in subjectAltName and move any
URL to a private OID under subjectInfoAccess).
parent 7ee4b28a
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
# #
use strict; use strict;
use English; use English;
use Getopt::Std; use Getopt::Long;
# #
# Load the Testbed support stuff. # Load the Testbed support stuff.
...@@ -22,16 +22,27 @@ use libtestbed; ...@@ -22,16 +22,27 @@ use libtestbed;
sub usage() sub usage()
{ {
print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ". print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
"[-u url] [-a authority] <orgunit> [uuid]\n"); "[-u url] [-i urn] [-k keyfile] [-a authority] <orgunit> [uuid]\n");
exit(-1); exit(-1);
} }
my $optlist = "dp:o:ve:u:a:";
my $debug = 0; my $debug = 0;
my $printcert= 0; my $printcert= 0;
my $outfile; my $outfile;
my $password = ""; my $password = "";
my $email; my $email;
my $url; my @urls;
my $urn;
my $oldkeyfile;
my $authority;
my %optlist = ( "debug" => \$debug,
"password=s" => \$password,
"output=s" => \$outfile,
"verbose" => \$printcert,
"email=s" => \$email,
"url=s" => \@urls,
"identifier=s" => \$urn,
"keyfile=s" => \$oldkeyfile,
"authority=s" => \$authority );
# #
# Configure variables # Configure variables
...@@ -96,12 +107,9 @@ sub fatal($); ...@@ -96,12 +107,9 @@ sub fatal($);
# Parse command arguments. Once we return from getopts, all that should be # Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments. # left are the required arguments.
# #
my %options = (); GetOptions( %optlist ) or usage();
if (! getopts($optlist, \%options)) {
usage(); if( defined( $outfile ) ) {
}
if (defined($options{"o"})) {
$outfile = $options{"o"};
if ($outfile =~ /^([-\w\.\/]+)$/) { if ($outfile =~ /^([-\w\.\/]+)$/) {
$outfile = $1; $outfile = $1;
} }
...@@ -110,14 +118,16 @@ if (defined($options{"o"})) { ...@@ -110,14 +118,16 @@ if (defined($options{"o"})) {
} }
} }
if (defined($options{"d"})) { if( defined( $oldkeyfile ) ) {
$debug = 1; if ($oldkeyfile =~ /^([-\w\.\/]+)$/) {
} $oldkeyfile = $1;
if (defined($options{"e"})) { }
$email = $options{"e"}; else {
die("Tainted arguments: $oldkeyfile\n");
}
} }
if (defined($options{"a"})) { if( defined( $authority ) ) {
my $authority = $options{"a"};
if ($authority =~ /^([-\w\.\/]+)$/) { if ($authority =~ /^([-\w\.\/]+)$/) {
$authority = $1; $authority = $1;
} }
...@@ -127,15 +137,7 @@ if (defined($options{"a"})) { ...@@ -127,15 +137,7 @@ if (defined($options{"a"})) {
$certfile = $authority; $certfile = $authority;
$keyfile = $authority; $keyfile = $authority;
} }
if (defined($options{"u"})) { if( $password ) {
$url = $options{"u"};
}
if (defined($options{"v"})) {
$printcert = 1;
}
if (defined($options{"p"})) {
$password = $options{"p"};
# #
# Make sure its all escaped since any printable char is allowed. # Make sure its all escaped since any printable char is allowed.
# #
...@@ -209,28 +211,55 @@ system("cp -f $TEMPLATE syscert.cnf") == 0 ...@@ -209,28 +211,55 @@ system("cp -f $TEMPLATE syscert.cnf") == 0
open(TEMP, ">>syscert.cnf") open(TEMP, ">>syscert.cnf")
or fatal("Could not open $TEMPLATE for append: $!"); or fatal("Could not open $TEMPLATE for append: $!");
if (@urls) {
my $count = 0;
foreach( @urls ) {
# unregistered OID 2.25.305821105408246119474742976030998643995
# (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
# is used to indicate generic ProtoGENI XMLRPC servers.
print TEMP "authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$_\n";
}
}
print TEMP "\n";
print TEMP "[ req_distinguished_name ]\n";
print TEMP "C\t\t=@SSLCERT_COUNTRY@\n";
print TEMP "ST\t\t=@SSLCERT_STATE@\n";
print TEMP "L\t\t=@SSLCERT_LOCALITY@\n";
print TEMP "O\t\t=@SSLCERT_ORGNAME@\n";
print TEMP "OU\t\t= \"$orgunit\"\n"; print TEMP "OU\t\t= \"$orgunit\"\n";
print TEMP "CN\t\t= $uuid\n"; print TEMP "CN\t\t= $uuid\n";
print TEMP "emailAddress\t= $email\n"; print TEMP "emailAddress\t= $email\n";
print TEMP "\n"; print TEMP "\n";
print TEMP "[ req_altname ]\n"; print TEMP "[ req_altname ]\n";
if (defined($url)) { print TEMP "URI=$urn\n" if defined( $urn );
print TEMP "URI=$url\n\n"; print TEMP "\n";
}
close(TEMP) close(TEMP)
or fatal("Could not close syscert.cnf: $!"); or fatal("Could not close syscert.cnf: $!");
# Redirect output unless in debugging mode. # Redirect output unless in debugging mode.
my $outline = ($debug ? "" : ">/dev/null 2>&1"); my $outline = ($debug ? "" : ">/dev/null 2>&1");
# if( defined( $oldkeyfile ) ) {
# Create a client side private key and certificate request. #
# # Create a certificate request using the specified key.
system("$OPENSSL req -text -new -config syscert.cnf ". #
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") . system("$OPENSSL req -text -new -key $oldkeyfile -config syscert.cnf ".
" -keyout syscert_key.pem -out syscert_req.pem $outline") == 0 ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
or fatal("Could not create certificate request"); " -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
system("cp $oldkeyfile syscert_key.pem");
} else {
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
" -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
}
# #
# Sign the client cert request, creating a client certificate. # Sign the client cert request, creating a client certificate.
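Review bot: The `system("cp $oldkeyfile syscert_key.pem")` call in the new --keyfile branch ignores its exit status, so a failed copy (missing or unreadable key) lets the script continue into the signing step without the key the request was built from; it should be `system("cp", $oldkeyfile, "syscert_key.pem") == 0 or fatal("Could not copy $oldkeyfile");`. In the same branch `-passout` only governs writing a freshly generated key, so if the supplied key is itself passphrase-protected openssl will need `-passin` (or will prompt) — worth confirming which case the callers expect. The --url values written into syscert.cnf as `authorityInfoAccess=` lines receive none of the untainting applied to the output, keyfile and authority paths, so a value containing a newline could append arbitrary directives to the generated config; restricting them to the same URI character class GeniCertificate uses when reading them back would close that. `my $count = 0;` in that loop is never used. The signing and output steps of mksyscert continue past the end of this hunk.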
......
...@@ -151,7 +151,9 @@ sub Create($$$$$$) ...@@ -151,7 +151,9 @@ sub Create($$$$$$)
my $idx = TBGetUniqueIndex('next_aggregate', 1); my $idx = TBGetUniqueIndex('next_aggregate', 1);
# Create a cert pair, which gives us a new uuid. # Create a cert pair, which gives us a new uuid.
my $certificate = GeniCertificate->Create("aggregate", $hrn, $TBOPS); $nickname =~ /[.](.+)$/;
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "component", $1 );
my $certificate = GeniCertificate->Create("aggregate", $urn, $hrn, $TBOPS);
if (!defined($certificate)) { if (!defined($certificate)) {
print STDERR "GeniAggregate::Create: ". print STDERR "GeniAggregate::Create: ".
"Could not generate new certificate and UUID for $hrn\n"; "Could not generate new certificate and UUID for $hrn\n";
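Review bot: `$nickname =~ /[.](.+)$/;` on the new side is never checked for success, so when the nickname contains no dot `$1` is whatever the last successful match in scope left behind (or undef) and the URN is generated from stale data; capture into a lexical and bail out instead: `my ($short) = ($nickname =~ /[.](.+)$/);` followed by `return undef if (!defined($short));` and `my $urn = GeniHRN::Generate("@OURDOMAIN@", "component", $short);`. Create begins before this hunk, so where $nickname is set and whether it has already been validated is not visible here.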
......
...@@ -40,7 +40,7 @@ my %authorities = (); ...@@ -40,7 +40,7 @@ my %authorities = ();
BEGIN { use GeniUtil; GeniUtil::AddCache(\%authorities); } BEGIN { use GeniUtil; GeniUtil::AddCache(\%authorities); }
# #
# Lookup by uuid. # Lookup by URN (and also UUID, for compatibility).
# #
sub Lookup($$) sub Lookup($$)
{ {
...@@ -49,18 +49,29 @@ sub Lookup($$) ...@@ -49,18 +49,29 @@ sub Lookup($$)
my $uuid; my $uuid;
if (GeniHRN::IsValid($token)) { if (GeniHRN::IsValid($token)) {
my ($auth,$t,$id) = GeniHRN::Parse($token);
my $regexp = "/.[-[:alnum:]]+.${auth}";
$regexp =~ s/\./\\\./g;
$query_result = $query_result =
DBQueryWarn("select uuid from geni_authorities ". DBQueryWarn("select uuid from geni_authorities ".
"where url regexp '$regexp' and ". "where urn='$token'");
" type='$id'"); if( $query_result && $query_result->numrows ) {
return undef ($uuid) = $query_result->fetchrow_array();
if (! $query_result || !$query_result->numrows); } else {
# Fallback for backward compatibility (hunt for an
($uuid) = $query_result->fetchrow_array(); # authority in the database that was never registered with
# a URN). This is ugly and fragile and needs to go away
# as soon as all authorities have re-registered with URNs.
my ($auth,$t,$id) = GeniHRN::Parse($token);
my $regexp = "/.[-[:alnum:]]+.${auth}";
$regexp =~ s/\./\\\./g;
$query_result =
DBQueryWarn("select uuid from geni_authorities ".
"where url regexp '$regexp' and ".
" type='$id'");
return undef
if (! $query_result || !$query_result->numrows);
($uuid) = $query_result->fetchrow_array();
}
} }
elsif ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) { elsif ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) {
$uuid = $token; $uuid = $token;
...@@ -133,6 +144,7 @@ sub Create($$$$) ...@@ -133,6 +144,7 @@ sub Create($$$$)
my ($prefix) = ($certificate->uuid() =~ /^\w+\-\w+\-\w+\-\w+\-(\w+)$/); my ($prefix) = ($certificate->uuid() =~ /^\w+\-\w+\-\w+\-\w+\-(\w+)$/);
my $safe_hrn = DBQuoteSpecial($certificate->hrn()); my $safe_hrn = DBQuoteSpecial($certificate->hrn());
my $safe_urn = DBQuoteSpecial($certificate->URN());
my $safe_url = DBQuoteSpecial($url); my $safe_url = DBQuoteSpecial($url);
my $safe_uuid = DBQuoteSpecial($certificate->uuid()); my $safe_uuid = DBQuoteSpecial($certificate->uuid());
my $safe_prefix = DBQuoteSpecial($prefix); my $safe_prefix = DBQuoteSpecial($prefix);
...@@ -141,13 +153,14 @@ sub Create($$$$) ...@@ -141,13 +153,14 @@ sub Create($$$$)
# Now tack on other stuff we need. # Now tack on other stuff we need.
push(@insert_data, "created=now()"); push(@insert_data, "created=now()");
push(@insert_data, "hrn=$safe_hrn"); push(@insert_data, "hrn=$safe_hrn");
push(@insert_data, "urn=$safe_urn");
push(@insert_data, "url=$safe_url"); push(@insert_data, "url=$safe_url");
push(@insert_data, "uuid=$safe_uuid"); push(@insert_data, "uuid=$safe_uuid");
push(@insert_data, "uuid_prefix=$safe_prefix"); push(@insert_data, "uuid_prefix=$safe_prefix");
push(@insert_data, "type=$safe_type"); push(@insert_data, "type=$safe_type");
if ($certificate->Store() != 0) { if ($certificate->Store() != 0) {
print STDERR "Could not store certificate for new user.\n"; print STDERR "Could not store certificate for new authority.\n";
return undef; return undef;
} }
...@@ -156,12 +169,13 @@ sub Create($$$$) ...@@ -156,12 +169,13 @@ sub Create($$$$)
if (!DBQueryWarn("replace into geni_authorities set " . if (!DBQueryWarn("replace into geni_authorities set " .
join(",", @insert_data))); join(",", @insert_data)));
return GeniAuthority->Lookup($certificate->uuid()); return GeniAuthority->Lookup($certificate->URN());
} }
# accessors # accessors
sub field($$) { return ((! ref($_[0])) ? -1 : $_[0]->{'AUTHORITY'}->{$_[1]}); } sub field($$) { return ((! ref($_[0])) ? -1 : $_[0]->{'AUTHORITY'}->{$_[1]}); }
sub uuid($) { return field($_[0], "uuid"); } sub uuid($) { return field($_[0], "uuid"); }
sub uuid_prefix($) { return field($_[0], "uuid_prefix"); } sub uuid_prefix($) { return field($_[0], "uuid_prefix"); }
sub urn($) { return field($_[0], "urn"); }
sub url($) { return field($_[0], "url"); } sub url($) { return field($_[0], "url"); }
sub hrn($) { return field($_[0], "hrn"); } sub hrn($) { return field($_[0], "hrn"); }
sub type($) { return field($_[0], "type"); } sub type($) { return field($_[0], "type"); }
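Review bot: The new primary query in Lookup interpolates the caller's token straight into SQL, `"where urn='$token'"`, relying only on GeniHRN::IsValid to keep quotes out; Create in this same file quotes the URN with `DBQuoteSpecial($certificate->URN())`, and Lookup should do the same: `DBQueryWarn("select uuid from geni_authorities where urn=" . DBQuoteSpecial($token));`. RFC 2141 permits `'` in a URN, so unless IsValid is known to reject it the escaping is needed even for well-formed input; GeniCertificate::Lookup on this page has the same `where urn='$token'` pattern in its new URN branch. The fallback regexp lookup is already marked temporary in its comment, so a date or ticket reference there would help ensure it is actually removed once all authorities have re-registered.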
......
...@@ -585,6 +585,10 @@ sub Register($) ...@@ -585,6 +585,10 @@ sub Register($)
"Could not find URL in the certificate") "Could not find URL in the certificate")
if (!defined($url)); if (!defined($url));
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"Could not find URN in the certificate")
if (!defined( $certificate->URN() ) );
if ($certificate->hrn() =~ /^unknown/i) { if ($certificate->hrn() =~ /^unknown/i) {
return GeniResponse->Create(GENIRESPONSE_BADARGS, undef, return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
"Please define PROTOGENI_DOMAIN"); "Please define PROTOGENI_DOMAIN");
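Review bot: The added guard only tests that `$certificate->URN()` is defined; nothing in this hunk checks that the value is a well-formed URN or that its authority part corresponds to the registering party, yet the URN now becomes the primary lookup key in geni_authorities, so a malformed or foreign-looking URN would be stored verbatim and later matched by GeniAuthority::Lookup. Suggest adding, after the definedness check, `return GeniResponse->Create(GENIRESPONSE_BADARGS, undef, "Malformed URN in the certificate") if (!GeniHRN::IsValid($certificate->URN()));` — assuming GeniHRN is loaded in this module (the `use GeniHRN;` added elsewhere in this commit may be for this file, but that is not visible here). Register starts and ends outside the hunk.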
......
...@@ -44,22 +44,32 @@ my %certificates = (); ...@@ -44,22 +44,32 @@ my %certificates = ();
BEGIN { use GeniUtil; GeniUtil::AddCache(\%certificates); } BEGIN { use GeniUtil; GeniUtil::AddCache(\%certificates); }
# #
# Lookup by uuid only. # Lookup by URN (and also UUID, for compatibility).
# #
sub Lookup($$) sub Lookup($$)
{ {
my ($class, $token) = @_; my ($class, $token) = @_;
my $query_result; my $query_result;
my $uuid;
if (! ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
return undef;
}
# Look in cache first # Look in cache first
return $certificates{"$token"} return $certificates{"$token"}
if (exists($certificates{"$token"})); if (exists($certificates{"$token"}));
if (GeniHRN::IsValid($token)) {
$query_result =
DBQueryWarn("select uuid from geni_certificates ".
"where urn='$token'");
($uuid) = $query_result->fetchrow_array()
if( $query_result && $query_result->numrows );
} elsif ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) {
$uuid = $token;
}
return undef unless defined( $uuid );
$query_result = $query_result =
DBQueryWarn("select * from geni_certificates where uuid='$token'"); DBQueryWarn("select * from geni_certificates where uuid='$uuid'");
return undef return undef
if (!$query_result || !$query_result->numrows); if (!$query_result || !$query_result->numrows);
...@@ -71,7 +81,9 @@ sub Lookup($$) ...@@ -71,7 +81,9 @@ sub Lookup($$)
my $cert = $self->cert(); my $cert = $self->cert();
# Add to cache. # Add to cache.
$certificates{$token} = $self; $certificates{$uuid} = $self;
$certificates{$token} = $self
if $token ne $uuid;
return $self; return $self;
} }
...@@ -99,6 +111,7 @@ sub privkey($) { return field($_[0], "privkey"); } ...@@ -99,6 +111,7 @@ sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); } sub revoked($) { return field($_[0], "revoked"); }
sub certfile($) { return field($_[0], "certfile"); } sub certfile($) { return field($_[0], "certfile"); }
sub uri($) { return field($_[0], "uri"); } sub uri($) { return field($_[0], "uri"); }
sub urn($) { return field($_[0], "urn"); }
sub GetCertificate($) { return $_[0]; } sub GetCertificate($) { return $_[0]; }
# #
...@@ -130,15 +143,15 @@ sub email($) ...@@ -130,15 +143,15 @@ sub email($)
# #
# Create a certificate pair, which gives us a uuid to use for an object. # Create a certificate pair, which gives us a uuid to use for an object.
# #
sub Create($$$$;$$) sub Create($$$$$;$$)
{ {
my ($class, $what, $hrn, $email, $uuid, $url) = @_; my ($class, $what, $urn, $hrn, $email, $uuid, $url) = @_;
# Let mkcert generate a new one. # Let mkcert generate a new one.
$uuid = "" $uuid = ""
if (!defined($uuid)); if (!defined($uuid));
$url = (defined($url) ? "-u $url" : ""); $url = (defined($url) ? "-u $url" : "");
if (! open(CERT, "$MKCERT $url -e \"$email\" $hrn $uuid |")) { if (! open(CERT, "$MKCERT -i \"$urn\" $url -e \"$email\" $hrn $uuid |")) {
print STDERR "Could not start $MKCERT\n"; print STDERR "Could not start $MKCERT\n";
return undef; return undef;
} }
...@@ -255,6 +268,7 @@ sub LoadFromFile($$) ...@@ -255,6 +268,7 @@ sub LoadFromFile($$)
{ {
my ($class, $filename) = @_; my ($class, $filename) = @_;
my $url; my $url;
my $urn;
if (! open(X509, "$OPENSSL x509 -in $filename -subject -text |")) { if (! open(X509, "$OPENSSL x509 -in $filename -subject -text |")) {
print STDERR "Could not start $OPENSSL on $filename\n"; print STDERR "Could not start $OPENSSL on $filename\n";
...@@ -279,14 +293,26 @@ sub LoadFromFile($$) ...@@ -279,14 +293,26 @@ sub LoadFromFile($$)
# The text output is next. Look for the URL in the extensions. Stop # The text output is next. Look for the URL in the extensions. Stop
# when we get to the certificate line. # when we get to the certificate line.
# #
my ($alturi,$accessuri);
my $altname = 0;
my $accessinfo = 0;
while (@certlines) { while (@certlines) {
my $line = shift(@certlines); my $line = shift(@certlines);
last last
if ($line =~ /^-----BEGIN CERT/); if ($line =~ /^-----BEGIN CERT/);
if ($line =~ /^\s+URI:([-\w\.\/:]+)$/) { if( $line =~ /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$url = $1; $altname = 1;
chomp($url); } elsif( $line =~ /^\s+Authority Information Access:\s*$/ ) {
$accessinfo = 1;
} elsif( $altname ) {
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $alturi = $1
foreach split( /, /, $line );
$altname = 0;
} elsif( $accessinfo ) {
m'^\s*[0-9.]+ - URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$'
and $accessuri = $1 foreach split( /, /, $line );
$accessinfo = 0;
} }
} }
if (!@certlines) { if (!@certlines) {
...@@ -294,6 +320,16 @@ sub LoadFromFile($$) ...@@ -294,6 +320,16 @@ sub LoadFromFile($$)
return undef; return undef;
} }
if( defined( $alturi ) && $alturi =~ /^urn:/ ) {
$urn = $alturi;
}
if( defined( $accessuri ) ) {
$url = $accessuri;
} elsif( defined( $alturi ) && $alturi !~ /^urn:/ ) {
$url = $alturi;
}
# #
# Throw away last line; the cert is rest. # Throw away last line; the cert is rest.
# #
...@@ -323,6 +359,7 @@ sub LoadFromFile($$) ...@@ -323,6 +359,7 @@ sub LoadFromFile($$)
$self->{'CERT'}->{'created'} = undef; $self->{'CERT'}->{'created'} = undef;
$self->{'CERT'}->{'certfile'} = $filename; $self->{'CERT'}->{'certfile'} = $filename;
$self->{'CERT'}->{'uri'} = $url; $self->{'CERT'}->{'uri'} = $url;
$self->{'CERT'}->{'urn'} = $urn;
return $self; return $self;
} }
...@@ -345,6 +382,8 @@ sub Store($) ...@@ -345,6 +382,8 @@ sub Store($)
if (defined($self->privkey())); if (defined($self->privkey()));
push(@inserts, "uri=" . DBQuoteSpecial($self->uri())) push(@inserts, "uri=" . DBQuoteSpecial($self->uri()))
if (defined($self->uri())); if (defined($self->uri()));
push(@inserts, "urn=" . DBQuoteSpecial($self->urn()))
if (defined($self->urn()));
return -1 return -1
if (!DBQueryWarn("replace into geni_certificates set ". if (!DBQueryWarn("replace into geni_certificates set ".
...@@ -383,7 +422,7 @@ sub WriteToFile($;$) ...@@ -383,7 +422,7 @@ sub WriteToFile($;$)
sub URL($) sub URL($)
{ {
my ($self) = @_; my ($self) = @_;
my $url = $self->uri(); my $url = $self->{'URL'};
return $url return $url
if (defined($url)); if (defined($url));
...@@ -393,10 +432,18 @@ sub URL($) ...@@ -393,10 +432,18 @@ sub URL($)
print STDERR "Could not start $OPENSSL on $filename\n"; print STDERR "Could not start $OPENSSL on $filename\n";
return undef; return undef;
} }
# Note that we really want to put only URNs in the subjectAltName,
# and all URLs in the subjectInfoAccess. However, old certificates
# used subjectAltName for URLs, so for temporary backward compatibility
# we'll look in both places.
my ($alturl,$accessurl);
my $altname = 0; my $altname = 0;
my $accessinfo = 0;
while (<X509>) { while (<X509>) {
if( /^\s+x509v3 Subject Alternative Name:\s*$/ ) { if( /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1; $altname = 1;
} elsif( /^\s+Authority Information Access:\s*$/ ) {
$accessinfo = 1;
} elsif( $altname ) { } elsif( $altname ) {
# Gah! OpenSSL is horrible. Apparently the text output format # Gah! OpenSSL is horrible. Apparently the text output format
# for the subject alternative name is fixed, and neither # for the subject alternative name is fixed, and neither
...@@ -405,20 +452,62 @@ sub URL($) ...@@ -405,20 +452,62 @@ sub URL($)
# but commas are legal characters in URIs (see RFC 3986, section # but commas are legal characters in URIs (see RFC 3986, section
# 2.2)! We'll have to assume the delimiter is the ", " (comma, # 2.2)! We'll have to assume the delimiter is the ", " (comma,
# space) pair... # space) pair...
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $url = $1 m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $alturl = $1
foreach split( /, / ); foreach split( /, / );
$altname = 0; $altname = 0;
} elsif( $accessinfo ) {
m'^\s*[0-9.]+ - URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $accessurl = $1
foreach split( /, / );
$accessinfo = 0;
} }
} }
$url = defined( $accessurl ) ? $accessurl :
defined( $alturl ) ? $alturl : undef;
if (!close(X509) || !defined($url)) { if (!close(X509) || !defined($url)) {
print STDERR "Could not find url in certificate from $filename\n"; print STDERR "Could not find url in certificate from $filename\n";
return undef; return undef;
} }
unlink($filename); unlink($filename);
$self->{'CERT'}->{'uri'} = $url; $self->{'CERT'}->{'uri'} = $url;
$self->{'URL'} = $url;
return $url; return $url;
} }
#
# The URN is slightly easier, since it is always in the same place.
#
sub URN($)
{
my ($self) = @_;
my $urn = $self->{'URN'};
return $urn
if (defined($urn));
my $filename = $self->WriteToFile();
if (! open(X509, "$OPENSSL x509 -in $filename -text -noout |")) {
print STDERR "Could not start $OPENSSL on $filename\n";
return undef;
}
my $altname = 0;
while (<X509>) {
if( /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1;
} elsif( $altname ) {
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $urn = $1
foreach split( /, / );
$altname = 0;
}
}
if (!close(X509) || !defined($urn)) {
print STDERR "Could not find URN in certificate from $filename\n";
return undef;
}
unlink($filename);
$self->{'URN'} = $urn;
return $urn;
}
sub asText($) sub asText($)
{ {
my ($self) = @_; my ($self) = @_;
...@@ -513,6 +602,8 @@ sub cert($) { return field($_[0], "cert"); } ...@@ -513,6 +602,8 @@ sub cert($) { return field($_[0], "cert"); }
sub privkey($) { return field($_[0], "privkey"); } sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); } sub revoked($) { return field($_[0], "revoked"); }
sub uri($) { return field($_[0], "uri"); } sub uri($) { return field($_[0], "uri"); }
sub URL($) { return undef; }
sub URN($) { return field($_[0], "uri"); }
# #
# Need to add DN to the emulab table. # Need to add DN to the emulab table.
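Review bot: In Create the new `-i \"$urn\"` is interpolated into a shell pipeline (`open(CERT, "$MKCERT -i \"$urn\" $url -e \"$email\" $hrn $uuid |")`), so a URN containing `"`, `$` or a backtick — the slice URN in GeniSA is derived from a caller-supplied hrn — is interpreted by the shell; the list form of open bypasses the shell entirely (rewrite below). Separately, the new URN() takes the last URI in subjectAltName without the `/^urn:/` test that LoadFromFile applies, so for an old-format certificate that still carries its URL there URN() returns the URL and the clearinghouse's "missing URN" check passes on a value that is not a URN; restrict the match to `m'^\s*URI:(urn:[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$'`. URN() also returns on its "Could not find URN" path before `unlink($filename)`, leaving the temporary certificate file behind (URL() has the same pre-existing gap). The comment in URL() says URLs belong in subjectInfoAccess, but both mksyscert and these parsers use authorityInfoAccess ("Authority Information Access"), so the comment should name the extension actually used.
```perl
sub Create($$$$$;$$)
{
    my ($class, $what, $urn, $hrn, $email, $uuid, $url) = @_;

    # Build the argument list so the shell is never involved; an empty
    # uuid is omitted, matching what the old interpolated command did.
    my @args = ("-i", $urn);
    push(@args, "-u", $url) if (defined($url));
    push(@args, "-e", $email, $hrn);
    push(@args, $uuid) if (defined($uuid) && $uuid ne "");
    if (! open(CERT, "-|", $MKCERT, @args)) {
    # … unchanged: error report, reading mkcert output …
```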
......
...@@ -443,6 +443,7 @@ sub Register($) ...@@ -443,6 +443,7 @@ sub Register($)
} }
} }
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "slice", $hrn );
# #
# When using this interface, the HRN does not correspond to an # When using this interface, the HRN does not correspond to an
# existing experiment in a project. It is just a token to call # existing experiment in a project. It is just a token to call
...@@ -455,7 +456,7 @@ sub Register($) ...@@ -455,7 +456,7 @@ sub Register($)
# #
# Generate a certificate (and uuid) for this new slice. # Generate a certificate (and uuid) for this new slice.
# #
my $certificate = GeniCertificate->Create("slice", $hrn, my $certificate = GeniCertificate->Create("slice", $urn, $hrn,
$this_user->email()); $this_user->email());
if (!defined($certificate)) { if (!defined($certificate)) {
print STDERR "Could not create new certificate for slice\n"; print STDERR "Could not create new certificate for slice\n";
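Review bot: The result of `GeniHRN::Generate("@OURDOMAIN@", "slice", $hrn)` is handed to GeniCertificate->Create without being checked; if Generate returns undef for an hrn it cannot encode (whether it can fail is not visible here), mkcert is invoked with an empty `-i` and the slice certificate is minted with no URN. A one-line guard in the surrounding error style would cover it: `return GeniResponse->Create(GENIRESPONSE_BADARGS, undef, "Could not derive a URN from $hrn") if (!defined($urn));`. Since $hrn is a caller-supplied token here, it is worth confirming that the validation done earlier in Register (outside this hunk) restricts it to characters that are safe both inside a URN and on the mkcert command line. Register continues beyond this hunk on both ends.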
......
...@@ -18,6 +18,7 @@ use GeniAuthority; ...@@ -18,6 +18,7 @@ use GeniAuthority;
use GeniCredential; use GeniCredential;
use GeniCertificate; use GeniCertificate;
use GeniAggregate; use GeniAggregate;
use GeniHRN;
use English; use English;