Commit 6808fa53 authored by Leigh Stoller's avatar Leigh Stoller

Move Gary's root cert fixing code (to add URN) into independent

script and call it from initsite.
parent 48288b68
#!/usr/bin/perl -w
#
# Copyright (c) 2008-2012 University of Utah and the Flux Group.
# Copyright (c) 2008-2013 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -90,6 +90,7 @@ my $MYSQLDUMP = "/usr/local/bin/mysqldump";
my $PKG_INFO = "/usr/sbin/pkg_info";
my $FETCH = "/usr/bin/fetch";
my $OPENSSL = "/usr/bin/openssl";
my $FIXROOTCERT = "$TB/sbin/fixrootcert";
my $APACHE_START = "@APACHE_START_COMMAND@";
my $APACHE_CONF = "@INSTALL_APACHE_CONFIG@/httpd.conf";
my $APACHE_FLAGS = ("@APACHE_VERSION@" == "22" ?
......@@ -144,52 +145,10 @@ if ($PGENIDOMAIN =~ /^unknown/i) {
#
# Check for (and update) an old (pre-URN) root certificate.
#
system( "$OPENSSL x509 -text -noout < $TB/etc/emulab.pem | " .
"grep -q -i URI:urn:publicid:IDN" );
if( $? == -1 ) {
die( "could not inspect root certificate $TB/etc/emulab.pem" );
} elsif( $? & 0x7F ) {
die( "unexpected signal while inspecting root certificate" );
} elsif( $? ) {
# grep returned non-zero exit code (indicating no matches): this is
# an old certificate, so regenerate it.
my $extfile = "/tmp/$$"; # not worth trying to be secure
open( EXTFILE, "> $extfile" ) or die "can't open $extfile";
print EXTFILE "subjectAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
print EXTFILE "issuerAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
close EXTFILE;
print "Adding URN to root certificate...\n";
my $originalfile = "$TB/etc/emulab.pem.orig";
-f $originalfile and
die( "refusing to overwrite $originalfile" );
rename( "$TB/etc/emulab.pem", "$originalfile" ) or
die( "could not rename root certificate" );
my $serial = TBGetUniqueIndex( "user_sslcerts" );
# Save the new certificate to a temporary file: OpenSSL will reuse the
# plain text from the old certificate instead of the current version,
# so we regenerate the whole thing once we've finished to avoid
# horrible confusion.
system( "$OPENSSL x509 -days 2000 -text -extfile $extfile " .
"-set_serial $serial -signkey $TB/etc/emulab.key " .
"< $originalfile > $TB/etc/emulab.tmp" );
# For some reason, OpenSSL can return non-zero even when the certificate
# generation succeeded. Check the output file instead.
if( !( -s "$TB/etc/emulab.tmp" ) ) {
rename( "$originalfile", "$TB/etc/emulab.pem" );
die( "could not generate new root certificate" );
}
# Regenerate the certificate, so that the comments are up to date.
system( "$OPENSSL x509 -text < $TB/etc/emulab.tmp > $TB/etc/emulab.pem" );
unlink( "$TB/etc/emulab.tmp" );
print "Root certificate updated. You will need to send the new\n";
print "certificate to the clearing house.\n";
if (system($FIXROOTCERT)) {
fatal("Could not fix root certificate");
}
else {
unlink( "$TB/etc/.protogeni_federated" );
}
......
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -50,7 +50,7 @@ SBIN_SCRIPTS = vlandiff vlansync withadminprivs export_tables cvsupd.pl \
addvpubaddr imageinfo ctrladdr image_import \
prereserve_check tcppd addexternalnetwork \
update_sitevars delete_image sitecheckin sitecheckin_client \
mktestbedtest
mktestbedtest fixrootcert
WEB_SBIN_SCRIPTS= webnewnode webdeletenode webspewconlog webarchive_list \
webwanodecheckin webspewimage webdumpdescriptor \
......
#!/usr/bin/perl -w
#
# Copyright (c) 2008-2013 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
# GENI Public License
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and/or hardware specification (the "Work") to
# deal in the Work without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Work, and to permit persons to whom the Work
# is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#
# }}}
#
use strict;
use English;
use Getopt::Std;
#
# Fix the root certificate to include the URN.
#
sub usage()
{
print "Usage: fixrootcert\n";
exit(1);
}
my $optlist = "";
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT = @PROTOGENI_SUPPORT@;
my $PROTOGENI_URL = "@PROTOGENI_URL@";
my $OPENSSL = "/usr/bin/openssl";
# un-taint path
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# Protos
sub fatal($);
#
# Turn off line buffering on output
#
$| = 1;
# Load the Testbed support stuff.
use lib "@prefix@/lib";
use libtestbed;
use emdb;
use emutil qw(TBGetUniqueIndex);
if ($UID != 0) {
fatal("Must be root to run this script\n");
}
#
# Check args.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
#
# People seem to miss this.
#
if ($PGENIDOMAIN =~ /^unknown/i) {
print STDERR "Please define PROTOGENI_DOMAIN in your defs file!\n";
print STDERR "Then reconfig,rebuild,reinstall, then try this again.\n";
exit(1);
}
#
# Check for (and update) an old (pre-URN) root certificate.
#
system( "$OPENSSL x509 -text -noout < $TB/etc/emulab.pem | " .
"grep -q -i URI:urn:publicid:IDN" );
if( $? == -1 ) {
die( "could not inspect root certificate $TB/etc/emulab.pem" );
} elsif( $? & 0x7F ) {
die( "unexpected signal while inspecting root certificate" );
} elsif( $? ) {
# grep returned non-zero exit code (indicating no matches): this is
# an old certificate, so regenerate it.
my $extfile = "/tmp/$$"; # not worth trying to be secure
open( EXTFILE, "> $extfile" ) or die "can't open $extfile";
print EXTFILE "subjectAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
print EXTFILE "issuerAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
close EXTFILE;
print "Adding URN to root certificate...\n";
my $originalfile = "$TB/etc/emulab.pem.orig";
-f $originalfile and
die( "refusing to overwrite $originalfile" );
rename( "$TB/etc/emulab.pem", "$originalfile" ) or
die( "could not rename root certificate" );
my $serial = TBGetUniqueIndex( "user_sslcerts" );
# Save the new certificate to a temporary file: OpenSSL will reuse the
# plain text from the old certificate instead of the current version,
# so we regenerate the whole thing once we've finished to avoid
# horrible confusion.
system( "$OPENSSL x509 -days 3000 -text -extfile $extfile " .
"-set_serial $serial -signkey $TB/etc/emulab.key " .
"< $originalfile > $TB/etc/emulab.tmp" );
# For some reason, OpenSSL can return non-zero even when the certificate
# generation succeeded. Check the output file instead.
if( !( -s "$TB/etc/emulab.tmp" ) ) {
rename( "$originalfile", "$TB/etc/emulab.pem" );
die( "could not generate new root certificate" );
}
# Regenerate the certificate, so that the comments are up to date.
system( "$OPENSSL x509 -text < $TB/etc/emulab.tmp > $TB/etc/emulab.pem" );
unlink( "$TB/etc/emulab.tmp" );
print "Root certificate updated. You will need to send the new\n";
print "certificate to the clearing house.\n";
}
exit(0);
sub fatal($)
{
my ($msg) = @_;
die("*** $0:\n".
" $msg\n");
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment