Commit 627660da authored by Gary Wong's avatar Gary Wong

Add more URN support: mainly on the clearinghouse side, and

communication with the clearinghouse, and modifications to the
certificate format (put the URN in subjectAltName and move any
URL to a private OID under subjectInfoAccess).
parent 7ee4b28a
......@@ -6,7 +6,7 @@
#
use strict;
use English;
use Getopt::Std;
use Getopt::Long;
#
# Load the Testbed support stuff.
......@@ -22,16 +22,27 @@ use libtestbed;
sub usage()
{
print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
"[-u url] [-a authority] <orgunit> [uuid]\n");
"[-u url] [-i urn] [-k keyfile] [-a authority] <orgunit> [uuid]\n");
exit(-1);
}
my $optlist = "dp:o:ve:u:a:";
my $debug = 0;
my $printcert= 0;
my $outfile;
my $password = "";
my $email;
my $url;
my @urls;
my $urn;
my $oldkeyfile;
my $authority;
my %optlist = ( "debug" => \$debug,
"password=s" => \$password,
"output=s" => \$outfile,
"verbose" => \$printcert,
"email=s" => \$email,
"url=s" => \@urls,
"identifier=s" => \$urn,
"keyfile=s" => \$oldkeyfile,
"authority=s" => \$authority );
#
# Configure variables
......@@ -96,12 +107,9 @@ sub fatal($);
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"o"})) {
$outfile = $options{"o"};
GetOptions( %optlist ) or usage();
if( defined( $outfile ) ) {
if ($outfile =~ /^([-\w\.\/]+)$/) {
$outfile = $1;
}
......@@ -110,14 +118,16 @@ if (defined($options{"o"})) {
}
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"e"})) {
$email = $options{"e"};
if( defined( $oldkeyfile ) ) {
if ($oldkeyfile =~ /^([-\w\.\/]+)$/) {
$oldkeyfile = $1;
}
else {
die("Tainted arguments: $oldkeyfile\n");
}
}
if (defined($options{"a"})) {
my $authority = $options{"a"};
if( defined( $authority ) ) {
if ($authority =~ /^([-\w\.\/]+)$/) {
$authority = $1;
}
......@@ -127,15 +137,7 @@ if (defined($options{"a"})) {
$certfile = $authority;
$keyfile = $authority;
}
if (defined($options{"u"})) {
$url = $options{"u"};
}
if (defined($options{"v"})) {
$printcert = 1;
}
if (defined($options{"p"})) {
$password = $options{"p"};
if( $password ) {
#
# Make sure its all escaped since any printable char is allowed.
#
......@@ -209,28 +211,55 @@ system("cp -f $TEMPLATE syscert.cnf") == 0
open(TEMP, ">>syscert.cnf")
or fatal("Could not open $TEMPLATE for append: $!");
if (@urls) {
my $count = 0;
foreach( @urls ) {
# unregistered OID 2.25.305821105408246119474742976030998643995
# (corresponding to UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b)
# is used to indicate generic ProtoGENI XMLRPC servers.
print TEMP "authorityInfoAccess=2.25.305821105408246119474742976030998643995;URI:$_\n";
}
}
print TEMP "\n";
print TEMP "[ req_distinguished_name ]\n";
print TEMP "C\t\t=@SSLCERT_COUNTRY@\n";
print TEMP "ST\t\t=@SSLCERT_STATE@\n";
print TEMP "L\t\t=@SSLCERT_LOCALITY@\n";
print TEMP "O\t\t=@SSLCERT_ORGNAME@\n";
print TEMP "OU\t\t= \"$orgunit\"\n";
print TEMP "CN\t\t= $uuid\n";
print TEMP "emailAddress\t= $email\n";
print TEMP "\n";
print TEMP "[ req_altname ]\n";
if (defined($url)) {
print TEMP "URI=$url\n\n";
}
print TEMP "URI=$urn\n" if defined( $urn );
print TEMP "\n";
close(TEMP)
or fatal("Could not close syscert.cnf: $!");
# Redirect output unless in debugging mode.
my $outline = ($debug ? "" : ">/dev/null 2>&1");
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -text -new -config syscert.cnf ".
if( defined( $oldkeyfile ) ) {
#
# Create a certificate request using the specified key.
#
system("$OPENSSL req -text -new -key $oldkeyfile -config syscert.cnf ".
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
" -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
system("cp $oldkeyfile syscert_key.pem");
} else {
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
" -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
}
#
# Sign the client cert request, creating a client certificate.
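Review bot: The new `--identifier` and `--url` values are written verbatim into the OpenSSL config (`authorityInfoAccess=...;URI:$_` and `URI=$urn`) with none of the untainting that `$outfile`, `$oldkeyfile` and `$authority` get, so a value containing a newline can inject further config directives (another extension, a different `basicConstraints`) into the request. Since `GeniCertificate::Create` passes a URN derived from caller-supplied names into this script, I would reject anything outside the URI character class that `LoadFromFile` already uses, e.g. `die("Tainted arguments: $urn\n") if (defined($urn) && $urn !~ m'^[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+$');` and the same test for each element of `@urls`. Note also that the commit message says the URL moves to subjectInfoAccess, but the config line emits `authorityInfoAccess`, which describes the issuer rather than the subject; if that is intentional the comment above it should say so. Finally the `system("cp $oldkeyfile syscert_key.pem")` return value is unchecked, so a failed copy is only noticed later, if at all; `== 0 or fatal("Could not copy $oldkeyfile")` would match the surrounding style. The signing step that follows is outside this hunk.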
......@@ -151,7 +151,9 @@ sub Create($$$$$$)
my $idx = TBGetUniqueIndex('next_aggregate', 1);
# Create a cert pair, which gives us a new uuid.
my $certificate = GeniCertificate->Create("aggregate", $hrn, $TBOPS);
$nickname =~ /[.](.+)$/;
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "component", $1 );
my $certificate = GeniCertificate->Create("aggregate", $urn, $hrn, $TBOPS);
if (!defined($certificate)) {
print STDERR "GeniAggregate::Create: ".
"Could not generate new certificate and UUID for $hrn\n";
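Review bot: `$nickname =~ /[.](.+)$/;` is evaluated for its side effect only and the next line uses `$1` regardless of whether the match succeeded, so a nickname without a dot leaves `$1` undefined (or holding a stale capture from an earlier match) and the aggregate gets a URN built from that. Capture into a named variable and bail out explicitly: `my ($name) = ($nickname =~ /[.](.+)$/);` followed by `return undef if (!defined($name));` before calling `GeniHRN::Generate`. `Create` starts outside this hunk, so the surrounding error-reporting style may suggest a STDERR message as well.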
......@@ -40,7 +40,7 @@ my %authorities = ();
BEGIN { use GeniUtil; GeniUtil::AddCache(\%authorities); }
#
# Lookup by uuid.
# Lookup by URN (and also UUID, for compatibility).
#
sub Lookup($$)
{
......@@ -49,6 +49,16 @@ sub Lookup($$)
my $uuid;
if (GeniHRN::IsValid($token)) {
$query_result =
DBQueryWarn("select uuid from geni_authorities ".
"where urn='$token'");
if( $query_result && $query_result->numrows ) {
($uuid) = $query_result->fetchrow_array();
} else {
# Fallback for backward compatibility (hunt for an
# authority in the database that was never registered with
# a URN). This is ugly and fragile and needs to go away
# as soon as all authorities have re-registered with URNs.
my ($auth,$t,$id) = GeniHRN::Parse($token);
my $regexp = "/.[-[:alnum:]]+.${auth}";
$regexp =~ s/\./\\\./g;
......@@ -62,6 +72,7 @@ sub Lookup($$)
($uuid) = $query_result->fetchrow_array();
}
}
elsif ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) {
$uuid = $token;
}
......@@ -133,6 +144,7 @@ sub Create($$$$)
my ($prefix) = ($certificate->uuid() =~ /^\w+\-\w+\-\w+\-\w+\-(\w+)$/);
my $safe_hrn = DBQuoteSpecial($certificate->hrn());
my $safe_urn = DBQuoteSpecial($certificate->URN());
my $safe_url = DBQuoteSpecial($url);
my $safe_uuid = DBQuoteSpecial($certificate->uuid());
my $safe_prefix = DBQuoteSpecial($prefix);
......@@ -141,13 +153,14 @@ sub Create($$$$)
# Now tack on other stuff we need.
push(@insert_data, "created=now()");
push(@insert_data, "hrn=$safe_hrn");
push(@insert_data, "urn=$safe_urn");
push(@insert_data, "url=$safe_url");
push(@insert_data, "uuid=$safe_uuid");
push(@insert_data, "uuid_prefix=$safe_prefix");
push(@insert_data, "type=$safe_type");
if ($certificate->Store() != 0) {
print STDERR "Could not store certificate for new user.\n";
print STDERR "Could not store certificate for new authority.\n";
return undef;
}
......@@ -156,12 +169,13 @@ sub Create($$$$)
if (!DBQueryWarn("replace into geni_authorities set " .
join(",", @insert_data)));
return GeniAuthority->Lookup($certificate->uuid());
return GeniAuthority->Lookup($certificate->URN());
}
# accessors
sub field($$) { return ((! ref($_[0])) ? -1 : $_[0]->{'AUTHORITY'}->{$_[1]}); }
sub uuid($) { return field($_[0], "uuid"); }
sub uuid_prefix($) { return field($_[0], "uuid_prefix"); }
sub urn($) { return field($_[0], "urn"); }
sub url($) { return field($_[0], "url"); }
sub hrn($) { return field($_[0], "hrn"); }
sub type($) { return field($_[0], "type"); }
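Review bot: The new query `"select uuid from geni_authorities where urn='$token'"` interpolates `$token` straight into SQL; the only guard is `GeniHRN::IsValid`, whose character rules are not visible here, and every other value this file puts into SQL goes through `DBQuoteSpecial` (see `$safe_urn` in `Create`). Quote it the same way: `my $safe_token = DBQuoteSpecial($token);` and `"where urn=$safe_token"`. The compatibility fallback also interpolates `$auth` from the parsed URN into `$regexp`; the `s/\./\\\./g` only escapes dots, so other regexp metacharacters in the authority part would still be interpreted, and I would `quotemeta` it instead. `Lookup` continues past the end of this hunk.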
......@@ -585,6 +585,10 @@ sub Register($)
"Could not find URL in the certificate")
if (!defined($url));
return GeniResponse->Create(GENIRESPONSE_ERROR, undef,
"Could not find URN in the certificate")
if (!defined( $certificate->URN() ) );
if ($certificate->hrn() =~ /^unknown/i) {
return GeniResponse->Create(GENIRESPONSE_BADARGS, undef,
"Please define PROTOGENI_DOMAIN");
......@@ -44,22 +44,32 @@ my %certificates = ();
BEGIN { use GeniUtil; GeniUtil::AddCache(\%certificates); }
#
# Lookup by uuid only.
# Lookup by URN (and also UUID, for compatibility).
#
sub Lookup($$)
{
my ($class, $token) = @_;
my $query_result;
my $uuid;
if (! ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
return undef;
}
# Look in cache first
return $certificates{"$token"}
if (exists($certificates{"$token"}));
if (GeniHRN::IsValid($token)) {
$query_result =
DBQueryWarn("select uuid from geni_certificates ".
"where urn='$token'");
($uuid) = $query_result->fetchrow_array()
if( $query_result && $query_result->numrows );
} elsif ($token =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) {
$uuid = $token;
}
return undef unless defined( $uuid );
$query_result =
DBQueryWarn("select * from geni_certificates where uuid='$token'");
DBQueryWarn("select * from geni_certificates where uuid='$uuid'");
return undef
if (!$query_result || !$query_result->numrows);
......@@ -71,7 +81,9 @@ sub Lookup($$)
my $cert = $self->cert();
# Add to cache.
$certificates{$token} = $self;
$certificates{$uuid} = $self;
$certificates{$token} = $self
if $token ne $uuid;
return $self;
}
......@@ -99,6 +111,7 @@ sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); }
sub certfile($) { return field($_[0], "certfile"); }
sub uri($) { return field($_[0], "uri"); }
sub urn($) { return field($_[0], "urn"); }
sub GetCertificate($) { return $_[0]; }
#
......@@ -130,15 +143,15 @@ sub email($)
#
# Create a certificate pair, which gives us a uuid to use for an object.
#
sub Create($$$$;$$)
sub Create($$$$$;$$)
{
my ($class, $what, $hrn, $email, $uuid, $url) = @_;
my ($class, $what, $urn, $hrn, $email, $uuid, $url) = @_;
# Let mkcert generate a new one.
$uuid = ""
if (!defined($uuid));
$url = (defined($url) ? "-u $url" : "");
if (! open(CERT, "$MKCERT $url -e \"$email\" $hrn $uuid |")) {
if (! open(CERT, "$MKCERT -i \"$urn\" $url -e \"$email\" $hrn $uuid |")) {
print STDERR "Could not start $MKCERT\n";
return undef;
}
......@@ -255,6 +268,7 @@ sub LoadFromFile($$)
{
my ($class, $filename) = @_;
my $url;
my $urn;
if (! open(X509, "$OPENSSL x509 -in $filename -subject -text |")) {
print STDERR "Could not start $OPENSSL on $filename\n";
......@@ -279,14 +293,26 @@ sub LoadFromFile($$)
# The text output is next. Look for the URL in the extensions. Stop
# when we get to the certificate line.
#
my ($alturi,$accessuri);
my $altname = 0;
my $accessinfo = 0;
while (@certlines) {
my $line = shift(@certlines);
last
if ($line =~ /^-----BEGIN CERT/);
if ($line =~ /^\s+URI:([-\w\.\/:]+)$/) {
$url = $1;
chomp($url);
if( $line =~ /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1;
} elsif( $line =~ /^\s+Authority Information Access:\s*$/ ) {
$accessinfo = 1;
} elsif( $altname ) {
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $alturi = $1
foreach split( /, /, $line );
$altname = 0;
} elsif( $accessinfo ) {
m'^\s*[0-9.]+ - URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$'
and $accessuri = $1 foreach split( /, /, $line );
$accessinfo = 0;
}
}
if (!@certlines) {
......@@ -294,6 +320,16 @@ sub LoadFromFile($$)
return undef;
}
if( defined( $alturi ) && $alturi =~ /^urn:/ ) {
$urn = $alturi;
}
if( defined( $accessuri ) ) {
$url = $accessuri;
} elsif( defined( $alturi ) && $alturi !~ /^urn:/ ) {
$url = $alturi;
}
#
# Throw away last line; the cert is rest.
#
......@@ -323,6 +359,7 @@ sub LoadFromFile($$)
$self->{'CERT'}->{'created'} = undef;
$self->{'CERT'}->{'certfile'} = $filename;
$self->{'CERT'}->{'uri'} = $url;
$self->{'CERT'}->{'urn'} = $urn;
return $self;
}
......@@ -345,6 +382,8 @@ sub Store($)
if (defined($self->privkey()));
push(@inserts, "uri=" . DBQuoteSpecial($self->uri()))
if (defined($self->uri()));
push(@inserts, "urn=" . DBQuoteSpecial($self->urn()))
if (defined($self->urn()));
return -1
if (!DBQueryWarn("replace into geni_certificates set ".
......@@ -383,7 +422,7 @@ sub WriteToFile($;$)
sub URL($)
{
my ($self) = @_;
my $url = $self->uri();
my $url = $self->{'URL'};
return $url
if (defined($url));
......@@ -393,10 +432,18 @@ sub URL($)
print STDERR "Could not start $OPENSSL on $filename\n";
return undef;
}
# Note that we really want to put only URNs in the subjectAltName,
# and all URLs in the subjectInfoAccess. However, old certificates
# used subjectAltName for URLs, so for temporary backward compatibility
# we'll look in both places.
my ($alturl,$accessurl);
my $altname = 0;
my $accessinfo = 0;
while (<X509>) {
if( /^\s+x509v3 Subject Alternative Name:\s*$/ ) {
if( /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1;
} elsif( /^\s+Authority Information Access:\s*$/ ) {
$accessinfo = 1;
} elsif( $altname ) {
# Gah! OpenSSL is horrible. Apparently the text output format
# for the subject alternative name is fixed, and neither
......@@ -405,20 +452,62 @@ sub URL($)
# but commas are legal characters in URIs (see RFC 3986, section
# 2.2)! We'll have to assume the delimiter is the ", " (comma,
# space) pair...
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $url = $1
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $alturl = $1
foreach split( /, / );
$altname = 0;
} elsif( $accessinfo ) {
m'^\s*[0-9.]+ - URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $accessurl = $1
foreach split( /, / );
$accessinfo = 0;
}
}
$url = defined( $accessurl ) ? $accessurl :
defined( $alturl ) ? $alturl : undef;
if (!close(X509) || !defined($url)) {
print STDERR "Could not find url in certificate from $filename\n";
return undef;
}
unlink($filename);
$self->{'CERT'}->{'uri'} = $url;
$self->{'URL'} = $url;
return $url;
}
#
# The URN is slightly easier, since it is always in the same place.
#
sub URN($)
{
my ($self) = @_;
my $urn = $self->{'URN'};
return $urn
if (defined($urn));
my $filename = $self->WriteToFile();
if (! open(X509, "$OPENSSL x509 -in $filename -text -noout |")) {
print STDERR "Could not start $OPENSSL on $filename\n";
return undef;
}
my $altname = 0;
while (<X509>) {
if( /^\s+X509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1;
} elsif( $altname ) {
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $urn = $1
foreach split( /, / );
$altname = 0;
}
}
if (!close(X509) || !defined($urn)) {
print STDERR "Could not find URN in certificate from $filename\n";
return undef;
}
unlink($filename);
$self->{'URN'} = $urn;
return $urn;
}
sub asText($)
{
my ($self) = @_;
......@@ -513,6 +602,8 @@ sub cert($) { return field($_[0], "cert"); }
sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); }
sub uri($) { return field($_[0], "uri"); }
sub URL($) { return undef; }
sub URN($) { return field($_[0], "uri"); }
#
# Need to add DN to the emulab table.
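Review bot: `Create` builds the `$MKCERT` command line as one string with `$urn`, `$email`, `$hrn` and `$uuid` interpolated inside shell double quotes, so a value containing `"`, `$(`, backticks or `;` runs as shell, and at least `$hrn` arrives from callers such as `GeniSA::Register` rather than from local constants. The list form of `open` avoids the shell entirely and removes the need for the `-u $url` / `""` string juggling; a rewrite of those four lines is below (if `$MKCERT` is something other than a bare executable path this needs adjusting). Separately, `URN()` returns whatever URI it finds last in subjectAltName without the `^urn:` test that `LoadFromFile` applies, so an old certificate that carried its URL there would be reported as having a URL-shaped URN; I would apply the same `if ($urn !~ /^urn:/)` check before caching it. `Create` continues outside this hunk.
```perl
    # … unchanged: comment and argument unpacking …
    my @cmd = ($MKCERT, "-i", $urn);
    push(@cmd, "-u", $url) if (defined($url));
    push(@cmd, "-e", $email, $hrn);
    push(@cmd, $uuid) if (defined($uuid) && $uuid ne "");
    if (! open(CERT, "-|", @cmd)) {
    # … unchanged: error handling and output parsing …
```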
......@@ -443,6 +443,7 @@ sub Register($)
}
}
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "slice", $hrn );
#
# When using this interface, the HRN does not correspond to an
# existing experiment in a project. It is just a token to call
......@@ -455,7 +456,7 @@ sub Register($)
#
# Generate a certificate (and uuid) for this new slice.
#
my $certificate = GeniCertificate->Create("slice", $hrn,
my $certificate = GeniCertificate->Create("slice", $urn, $hrn,
$this_user->email());
if (!defined($certificate)) {
print STDERR "Could not create new certificate for slice\n";
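Review bot: This call site passes the whole `$hrn` as the name part of the URN (`GeniHRN::Generate("@OURDOMAIN@", "slice", $hrn)`), while the other new call sites pass only the part after the domain prefix (`"slices." . $experiment->idx()` in GeniSlice, the last dotted component in GeniAggregate and GeniSliver). If `$hrn` here already carries the domain, the generated URN embeds it twice; if it does not, a comment saying so would stop the next reader from "fixing" it, e.g. `# $hrn here is caller-supplied and has no domain prefix, so it is used as the URN name as-is.` The URN is also derived before any validation that is visible in this hunk, so whatever `GeniHRN::Generate` does not reject ends up on the mkcert command line. `Register` starts and ends outside this hunk.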
......@@ -18,6 +18,7 @@ use GeniAuthority;
use GeniCredential;
use GeniCertificate;
use GeniAggregate;
use GeniHRN;
use English;
use Date::Parse;
use Data::Dumper;
......@@ -256,11 +257,13 @@ sub CreateFromLocal($$$)
# XXX Form hrn from the domain.
#
my $hrn = "${PGENIDOMAIN}.slices." . $experiment->idx();
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "slice",
"slices." . $experiment->idx() );
#
# Generate a certificate.
#
$certificate = GeniCertificate->Create("slice", $hrn, $user->email());
$certificate = GeniCertificate->Create("slice", $urn, $hrn, $user->email());
if (!defined($certificate)) {
print STDERR "GeniSlice::CreateFromLocal: ".
"Could not generate new certificate $experiment\n";
......@@ -21,6 +21,7 @@ use GeniCredential;
use GeniCertificate;
use GeniAggregate;
use GeniUsage;
use GeniHRN;
# Hate to import all this crap; need a utility library.
use emutil;
use Experiment;
......@@ -164,7 +165,9 @@ sub Create($$$$$$$$$)
return undef;
}
}
$certificate = GeniCertificate->Create("sliver", $hrn, $TBOPS, $uuid)
$hrn =~ /.*([^.]+)$/;
my $urn = GeniHRN::Generate( "@OURDOMAIN@", "sliver", $1 );
$certificate = GeniCertificate->Create("sliver", $urn, $hrn, $TBOPS, $uuid)
if (!defined($certificate));
if (!defined($certificate)) {
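Review bot: The regex `$hrn =~ /.*([^.]+)$/` does not extract the last dotted component: the greedy `.*` consumes everything and only backtracks one character, so `$1` is the final character of `$hrn` (for `foo.bar.sliver42` it yields `2`), which makes sliver URNs collide. Use `my ($name) = ($hrn =~ /([^.]+)$/);` and pass `$name` to `GeniHRN::Generate`, with a `return undef if (!defined($name));` guard rather than relying on a possibly stale `$1`. `Create` starts outside this hunk.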
......@@ -67,6 +67,7 @@ delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# Protos
sub fatal($);
sub UpdateCert($$$$);
#
# Turn off line buffering on output
......@@ -447,28 +448,39 @@ require GeniRegistry;
if (! -e $CMCERT) {
print "Creating CM certificate ...\n";
system("$SUDO -u $PROTOUSER $MKSYSCERT -o $CMCERT ".
" -u $TBBASE/protogeni/xmlrpc/cm $PGENIDOMAIN.cm") == 0
" -u $TBBASE/protogeni/xmlrpc/cm " .
" -i urn:publicid:IDN+${OURDOMAIN}+authority+cm " .
"$PGENIDOMAIN.cm") == 0
or fatal("Could not generate $CMCERT");
}
if (! -e $SACERT) {
print "Creating SA certificate ...\n";
system("$SUDO -u $PROTOUSER $MKSYSCERT -o $SACERT ".
" -u $TBBASE/protogeni/xmlrpc/sa $PGENIDOMAIN.sa") == 0
" -u $TBBASE/protogeni/xmlrpc/sa " .
" -i urn:publicid:IDN+${OURDOMAIN}+authority+sa " .
"$PGENIDOMAIN.sa") == 0
or fatal("Could not generate $SACERT");
}
if (! -e $SESCERT) {
print "Creating SES certificate ...\n";
system("$SUDO -u $PROTOUSER $MKSYSCERT -o $SESCERT ".
" -u $TBBASE/protogeni/xmlrpc/ses $PGENIDOMAIN.ses") == 0
" -u $TBBASE/protogeni/xmlrpc/ses " .
" -i urn:publicid:IDN+${OURDOMAIN}+authority+ses " .
"$PGENIDOMAIN.ses") == 0
or fatal("Could not generate $SESCERT");
}
if ($asch) {
if (! -e $CHCERT) {
print "Creating CH certificate ...\n";
system("$SUDO -u $PROTOUSER $MKSYSCERT -o $CHCERT ".
" -u $TBBASE/protogeni/xmlrpc/ch $PGENIDOMAIN.ch") == 0
" -u $TBBASE/protogeni/xmlrpc/ch " .
" -i urn:publicid:IDN+${OURDOMAIN}+authority+ch " .
"$PGENIDOMAIN.ch") == 0
or fatal("Could not generate $CHCERT");
}
UpdateCert( $CHCERT, "$TBBASE/protogeni/xmlrpc/ch",
"urn:publicid:IDN+${OURDOMAIN}+authority+ch",
"$PGENIDOMAIN.ch" );
#
# Copy the CH certificate out to the web interface, but only the public
# key of course.
......@@ -500,6 +512,19 @@ else {
or fatal("Could not fetch clearinghouse certificate from Utah");
}
#
# Update obsolete (pre-URN) certificates.
#
UpdateCert( $CMCERT, "$TBBASE/protogeni/xmlrpc/cm",
"urn:publicid:IDN+${OURDOMAIN}+authority+cm",
"$PGENIDOMAIN.cm" );
UpdateCert( $SACERT, "$TBBASE/protogeni/xmlrpc/sa",
"urn:publicid:IDN+${OURDOMAIN}+authority+sa",
"$PGENIDOMAIN.sa" );
UpdateCert( $SESCERT, "$TBBASE/protogeni/xmlrpc/ses",
"urn:publicid:IDN+${OURDOMAIN}+authority+ses",
"$PGENIDOMAIN.ses" );
#
# Load the SA cert to act as caller context.
#
......@@ -579,3 +604,41 @@ sub fatal($)
die("*** $0:\n".
" $msg\n");
}
# Add a URN to old certificates. (This is horrible, mainly because
# we want to reuse the same private keys.)
sub UpdateCert($$$$)
{
my ($cert, $url, $urn, $hrn) = @_;
if( system( "$OPENSSL x509 -text -noout < $cert | " .
"grep -q -i URI:urn:publicid:IDN" ) ) {
my $extfile = "/tmp/$$.ext"; # not worth trying to be secure
my $keyfile = "/tmp/$$.key";
my $uuid = qx{$OPENSSL x509 -subject -noout < $cert};
die "could not read subject from $cert"
unless defined( $uuid );
die "no UUID found in subject"
unless $uuid =~ /CN=([-a-f0-9]+)/;
$uuid = $1;
open( OLDFILE, "< $cert" ) or die "can't open $cert";
open( NEWFILE, "> $keyfile" ) or die "can't open $keyfile";
while( <OLDFILE> ) {
print NEWFILE;
last if /-----END RSA PRIVATE KEY-----/;
}
close OLDFILE;
close NEWFILE;
print "Adding URN to $cert...\n";
rename( "$cert", "${cert}.orig" ) or
die( "could not rename $cert" );
system("$SUDO -u $PROTOUSER $MKSYSCERT -o $cert ".
" -u $url -i $urn -k $keyfile $hrn $uuid" ) == 0
or fatal("Could not generate $cert");
}
}
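Review bot: `UpdateCert` copies the authority's private key into `/tmp/$$.key`, a predictable name in a world-writable directory, opened with the process umask and never unlinked, and the comment "not worth trying to be secure" is not acceptable for the CM/SA/CH signing keys. Create the copy next to the certificate with restrictive permissions and remove it after `mksyscert` runs; if initsite does not run as `$PROTOUSER`, the file will additionally need to be chowned so the `sudo -u $PROTOUSER` invocation can read it. `$extfile` is assigned and never used and can go. A sketch of the changed lines is below.
```perl
    # … unchanged: grep for existing URN, uuid extraction …
    my $keyfile = "${cert}.key.$$";   # same non world-writable dir as the cert
    my $oldmask = umask(077);
    open( NEWFILE, ">", $keyfile ) or die "can't open $keyfile";
    umask( $oldmask );
    # … unchanged: copy of the key block, rename, mksyscert invocation …
    unlink( $keyfile );
```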
#
# Add a URN field to the authority table.
#
use strict;
use GeniDB;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBSetDefault($dbhandle);
DBQueryFatal( "ALTER TABLE `geni_authorities` " .
"ADD COLUMN `urn` tinytext" )
unless DBSlotExists( "geni_authorities", "urn" );
return 0;
}
1;
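Review bot: The new `urn` column is now the lookup key for authorities (`GeniAuthority::Lookup` does `select uuid ... where urn='...'` and takes the first row), but it is added as a plain `tinytext` with no uniqueness constraint, so two authority rows with the same URN would be silently resolved to whichever comes first. If URNs are meant to identify an authority, add a unique key on the column (a prefix length is needed for a text column), e.g. `ADD UNIQUE KEY urn (urn(255))`, or document why duplicates are tolerated.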
#
# Add a URN field to the certificate table.
#
use strict;
use GeniDB;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBSetDefault($dbhandle);
DBQueryFatal( "ALTER TABLE `geni_certificates` " .
"ADD COLUMN `urn` tinytext" )
unless DBSlotExists( "geni_certificates", "urn" );
return 0;
}
1;
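Review bot: `GeniCertificate::Lookup` now resolves a URN to a uuid with `where urn='...'`, yet this migration adds `urn` as an unindexed, non-unique `tinytext`; a duplicate URN stored by `Store()` would make the lookup return an arbitrary certificate. Add at least an index, and a unique one if a URN must map to a single certificate: `ADD UNIQUE KEY urn (urn(255))`.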
......@@ -7,15 +7,13 @@ default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = request_extensions
string_mask = nombstr
oid_section = protogeni_oids
[ protogeni_oids ]
xmlrpc = 2.25.305821105408246119474742976030998643995
# This will be appended to by mkusercert.
[ request_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
subjectAltName=@req_altname
# This will be appended to by mkusercert.
[ req_distinguished_name ]
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
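Review bot: The new `[ protogeni_oids ]` section defines the alias `xmlrpc` for the private OID, but mksyscert writes the numeric OID directly (`authorityInfoAccess=2.25.3058...;URI:`), so the alias is dead configuration that will drift from the number in the script. Either have mksyscert emit `xmlrpc;URI:$_` so the OID lives in one place, or drop the section; in both cases a comment next to the OID should name what it denotes, e.g. `# Private arc derived from UUID e61300a0-c4c5-11de-b14e-0002a5d5c51b: ProtoGENI XMLRPC server URL`.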