Commit a9c1045e authored by Leigh Stoller

SSL version of the XMLRPC server.

* SSL based server (sslxmlrpc_server.py) that wraps the existing Python
  classes (what we export via the existing ssh XMLRPC server). I also have a
  demo client that is analogous to the ssh demo client (sslxmlrpc_client.py).
  This client looks for an ssl cert in the user's .ssl directory, or you can
  specify one on the command line. The demo client is installed on ops, and
  is in the downloads directory with the rest of the xmlrpc stuff we export
  to users. The server runs as root, forking a child for each connection and
  logs connections to /usr/testbed/log/sslxmlrpc.log via syslog.

* New script (mkusercert) generates SSL certs for users. Two modes of
  operation; when called from the account creation path, generates an
  unencrypted private key and certificate for use on Emulab nodes (this is
  analogous to the unencrypted SSH key we generate for users). The other mode
  of operation is used to generate an encrypted private key so that the user
  can drag a certificate to their home/desktop machine.

* New webpage (gensslcert.php3) linked in from the My Emulab page that
  allows users to create a certificate. The user is prompted for a pass
  phrase to encrypt the private key, as well as the user's current Emulab
  login password. mkusercert is called to generate the certificate, and the
  result is stored in the user's ~/.ssl directory, and spit back to the user
  as a text file that can be downloaded and placed in the user's homedir on
  their local machine.

* The server needs to associate a certificate with a user so that it can
  flip to that user in the child after it forks. To do that, I have stored
  the uid of the user in the certificate. When a connection comes in, I grab
  the uid out of the certificate and check it against the DB. If there is a
  match (see below) the child does the usual setgid,setgroups,setuid to the
  user, instantiates the Emulab server class, and dispatches the method. At
  the moment, only one request per connection is dispatched. I'm not sure
  how to do a persistent connection on the SSL path, but probably not a big
  deal right now.

* New DB table user_sslcerts that stores the PEM formatted certificates and
  private keys, as well as the serial number of the certificate, for each
  user. I also mark if the private key is encrypted or not, although not
  making any use of this data. At the moment, each user is allowed to get
  one unencrypted cert/key pair and one encrypted cert/key pair. No real
  reason except that I do not want to spend too much time on this until we
  see how/if it gets used. Anyway, the serial number is used as a crude form
  of certificate revocation. When the connection is made, I suck the serial
  number and uid out of the certificate, and look for a match in the table.
  If the cert serial number does not match, the connection is rejected. In other
  words, revoking a certificate just means removing its entry from the DB
  for that user. I could also compare the certificate itself, but I am not
  sure what purpose that would serve since that is what the SSL handshake is
  supposed to take care of, right?

* Updated the documentation for the XMLRPC server to mention the existence
  of the SSL server and client, with a pointer into the downloads directory
  where users can pick up the client.
parent 60c2a7ab
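
The server-side check the commit message describes (uid and serial number taken from the client certificate and matched against user_sslcerts), sketched as an added example; it is not code from this commit or from sslxmlrpc_server.py. It assumes the peer certificate arrives as the dict that Python's `ssl.SSLSocket.getpeercert()` returns, uses an in-memory sqlite3 table in place of the MySQL one, and all function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for the user_sslcerts table from this commit
# (sqlite3 in place of MySQL; cert/privkey/created columns omitted).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user_sslcerts ("
               "uid text not null, idx integer primary key, "
               "encrypted integer not null default 0)")
    return db

def issue(db, uid, idx, encrypted):
    """Mirror mkusercert's bookkeeping: one row per (uid, encrypted)."""
    db.execute("delete from user_sslcerts where uid=? and encrypted=?",
               (uid, encrypted))
    db.execute("insert into user_sslcerts (uid, idx, encrypted) "
               "values (?, ?, ?)", (uid, idx, encrypted))

def subject_values(peercert, field):
    """All values of one subject field in a getpeercert()-style dict."""
    return [v for rdn in peercert.get("subject", ())
            for (k, v) in rdn if k == field]

def authorize(db, peercert):
    """Return the uid to switch to, or None to reject the connection."""
    ous = subject_values(peercert, "organizationalUnitName")
    cns = subject_values(peercert, "commonName")
    # Exactly one CN, and the OU that mkusercert writes into the request.
    if ous != ["sslxmlrpc"] or len(cns) != 1:
        return None
    try:
        # The serial file is written with "%08x", so the certificate carries
        # hex while the table stores the same number as an integer.
        serial = int(peercert["serialNumber"], 16)
    except (KeyError, ValueError):
        return None
    # Bound parameters: the CN comes from the client and is not trusted.
    row = db.execute("select uid from user_sslcerts where uid=? and idx=?",
                     (cns[0], serial)).fetchone()
    return row[0] if row else None

def peer(cn, serial_hex, ou="sslxmlrpc"):
    """Constructed sample in the shape getpeercert() returns."""
    return {"subject": ((("organizationalUnitName", ou),),
                        (("commonName", cn),)),
            "serialNumber": serial_hex}

def demo():
    db = make_db()
    issue(db, "alice", 0x2A, 0)          # serial file would read 0000002a
    issue(db, "bob", 0x2B, 0)
    results = {
        "valid": authorize(db, peer("alice", "2A")),
        "wrong_uid": authorize(db, peer("bob", "2A")),    # serial is alice's
        "wrong_ou": authorize(db, peer("alice", "2A", ou="other")),
    }
    issue(db, "alice", 0x2C, 0)          # reissue drops the old row
    results["superseded"] = authorize(db, peer("alice", "2A"))
    results["reissued"] = authorize(db, peer("alice", "2C"))
    db.execute("delete from user_sslcerts where uid=?", ("bob",))  # revoke
    results["revoked"] = authorize(db, peer("bob", "2B"))
    return results

if __name__ == "__main__":
    print(demo())
```
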
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -12,8 +12,8 @@ UNIFIED = @UNIFIED_BOSS_AND_OPS@
include $(OBJDIR)/Makeconf
SBIN_STUFF = tbacct addsfskey addpubkey quotamail
LIBEXEC_STUFF = webtbacct webaddsfskey webaddpubkey
SBIN_STUFF = tbacct addsfskey addpubkey quotamail mkusercert
LIBEXEC_STUFF = webtbacct webaddsfskey webaddpubkey webmkusercert
#
# Force dependencies on the scripts so that they will be rerun through
......@@ -38,6 +38,8 @@ post-install:
chmod u+s $(INSTALL_SBINDIR)/tbacct
chown root $(INSTALL_SBINDIR)/addpubkey
chmod u+s $(INSTALL_SBINDIR)/addpubkey
chown root $(INSTALL_SBINDIR)/mkusercert
chmod u+s $(INSTALL_SBINDIR)/mkusercert
control-install:
......
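Review bot: the two added post-install lines make mkusercert setuid root, but the script as committed accepts any <user> argument and never compares the invoking $UID with that user's unix_uid; $usr_admin is fetched from the DB and then never used. Each run deletes and replaces the named user's row in user_sslcerts and overwrites the file in their ~/.ssl, so add a check near the top of the script that the caller is either the named user or an admin, and fail otherwise.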
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
use Fcntl ':flock';
#
# Create user SSL certificates.
#
sub usage()
{
print("Usage: mkusercert [-d] [-o] [-p password] <user>\n");
exit(-1);
}
my $optlist = "dp:o";
my $debug = 0;
my $output = 0;
my $password;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
# Locals
my $USERDIR = USERROOT();
my $SSLDIR = "$TB/lib/ssl";
my $TEMPLATE = "$SSLDIR/usercert.cnf";
my $CACONFIG = "$SSLDIR/ca.cnf";
my $EMULAB_CERT = "$TB/etc/emulab.pem";
my $EMULAB_KEY = "$TB/etc/emulab.key";
my $OPENSSL = "/usr/bin/openssl";
my $lockfile = "/var/tmp/testbed_mkusercert_lockfile";
my $WORKDIR = "$TB/ssl";
#
# We don't want to run this script unless its the real version.
#
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
}
#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
#
if ($UID == 0) {
die("*** $0:\n".
" Please do not run this as root! Its already setuid!\n");
}
#
# Untaint the path
#
$ENV{'PATH'} = "$TB/bin:$TB/sbin:/bin:/usr/bin:/usr/bin:/usr/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Turn off line buffering on output
#
$| = 1;
#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use libaudit;
use libdb;
use libtestbed;
#
# Rewrite audit version of ARGV to prevent password in mail logs.
#
my @NEWARGV = @ARGV;
for ($i = 0; $i < scalar(@NEWARGV); $i++) {
if ($NEWARGV[$i] eq "-p") {
$NEWARGV[$i + 1] = "**********";
}
}
AuditSetARGV(@NEWARGV);
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"p"})) {
$password = $options{"p"};
#
# Make sure its all escaped since any printable char is allowed.
#
if ($password =~ /^([\040-\176]*)$/) {
$password = $1;
}
else {
die("Tainted argument: $password\n");
}
$password =~ s/\'/\'\\\'\'/g;
$password = "'$password'";
}
if (@ARGV != 1) {
usage();
}
my $user = $ARGV[0];
#
# Untaint the arguments.
#
if ($user =~ /^([-\w]+)$/i) {
$user = $1;
}
else {
die("Tainted argument: $user\n");
}
#
# This script is always audited. Mail is sent automatically upon exit.
#
if (AuditStart(0)) {
#
# Parent exits normally
#
exit(0);
}
#
# CD to the workdir, and then serialize on the lock file since there is
# some shared goop that the ssl tools muck with (serial number, index, etc.).
#
chdir("$WORKDIR") or
fatal("Could not chdir to $WORKDIR: $!");
open(LOCK, ">>$lockfile") || fatal("Couldn't open $lockfile\n");
$count = 0;
if (flock(LOCK, LOCK_EX|LOCK_NB) == 0) {
#
# If we don't get it the first time, we wait for:
# 1) The lock to become free, in which case we do our thing
# 2) The time on the lock to change, in which case we wait for that process
# to finish
#
my $oldlocktime = (stat(LOCK))[9];
my $gotlock = 0;
while (1) {
print "Another exports update in progress, waiting for it to finish\n";
if (flock(LOCK, LOCK_EX|LOCK_NB) != 0) {
# OK, got the lock, we can do what we're supposed to
$gotlock = 1;
last;
}
$locktime = (stat(LOCK))[9];
if ($locktime != $oldlocktime) {
$oldlocktime = $locktime;
last;
}
if ($count++ > 60) {
fatal("Could not get the lock after a long time!\n");
}
sleep(1);
}
$count = 0;
#
# If we didn't get the lock, wait for the processes that did to finish
#
if (!$gotlock) {
while (1) {
if ((stat(LOCK))[9] != $oldlocktime) {
exit(0);
}
if (flock(LOCK, LOCK_EX|LOCK_NB) != 0) {
close(LOCK);
exit(0);
}
if ($count++ > 20) {
fatal("Process with the lock did not finish after ".
"a long time!\n");
}
sleep(1);
}
}
}
#
# Perl-style touch(1)
#
my $now = time;
utime $now, $now, $lockfile;
#
# Get the user info (the user being operated on).
#
my $query_result =
DBQueryFatal("select u.usr_name,u.usr_email,u.admin,u.unix_uid ".
"from users as u ".
"where u.uid='$user'");
if ($query_result->numrows == 0) {
fatal("$user is not in the DB. This is bad.\n");
}
my @row = $query_result->fetchrow_array();
my $fullname = $row[0];
my $user_email = $row[1];
my $usr_admin = $row[2];
my $user_number = $row[3];
#
# Get the users earliest project membership to use as the default group
# for the case that the account is being (re)created. We convert that to
# the unix info.
#
my $default_groupname;
my $default_groupgid;
$query_result =
DBQueryFatal("select m.pid from group_membership as m ".
"where m.uid='$user' and m.pid=m.gid and m.trust!='none' ".
"order by date_approved asc limit 1");
if (my ($defpid) = $query_result->fetchrow_array) {
if (! TBGroupUnixInfo($defpid, $defpid,
\$default_groupgid, \$default_groupname)) {
fatal("No info for default project $defpid!");
}
}
else {
print "No group membership for $user; using the guest group!\n";
($default_groupname,undef,$default_groupgid,undef) = getgrnam("guest");
}
#
# Create a template conf file. We tack on the DN record based on the
# user particulars.
#
system("cp -f $TEMPLATE usercert.cnf") == 0
or fatal("Could not copy $TEMPLATE to current dir");
open(TEMP, ">>usercert.cnf")
or fatal("Could not open $TEMPLATE for append: $!");
print TEMP "OU\t\t= sslxmlrpc\n";
print TEMP "CN\t\t= $user\n";
print TEMP "emailAddress\t= $user" . "\@" . "$OURDOMAIN\n";
close(TEMP)
or fatal("Could not close usercert.cnf: $!");
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -new -config usercert.cnf ".
(defined($password) ? " -passout pass:${password} " : " -nodes ") .
" -keyout usercert_key.pem -out usercert_req.pem") == 0
or fatal("Could not create certificate request");
#
# Remove the index file. We keep track of things ourselves. We also have to
# figure out what the next serial number will be and write that into the
# file. We could let "ca' keep track, but with devel trees, we might end
# up with duplicate serial numbers.
#
open(IND, ">index.txt")
or fatal("Could not clear index.txt");
close(IND);
#
# Lock the table to avoid conflict with devel trees.
#
DBQueryFatal("lock tables emulab_indicies write");
$query_result =
DBQueryFatal("select idx from emulab_indicies ".
"where name='user_sslcerts'");
my ($curidx) = $query_result->fetchrow_array();
$curidx = 1
if (!defined($curidx));
my $nextidx = $curidx + 1;
DBQueryFatal("replace into emulab_indicies (name, idx) ".
"values ('user_sslcerts', $nextidx)");
DBQueryFatal("unlock tables");
open(SER, ">serial")
or fatal("Could not create new serial file");
printf SER "%08x\n", $curidx;
close(SER);
#
# Sign the client cert request, creating a client certificate.
#
system("$OPENSSL ca -batch -policy policy_sslxmlrpc -config $CACONFIG ".
" -name CA_usercerts ".
" -out usercert_cert.pem -cert $EMULAB_CERT -keyfile $EMULAB_KEY ".
" -infiles usercert_req.pem") == 0
or fatal("Could not sign certificate request");
#
# For now, there can be just one cert of each kind (encrypted, and
# unencrypted). Might change that at some point.
#
DBQueryFatal("delete from user_sslcerts ".
"where uid='$user' and ".
" encrypted=" . (defined($password) ? 1 : 0));
#
# Create a new entry in the table.
#
DBQueryFatal("insert into user_sslcerts (uid, idx, created, encrypted) ".
" values ('$user', $curidx, now(), ".
(defined($password) ? 1 : 0) . ")");
#
# Grab the cert path and strip off the header goo, then insert into
# the DB.
#
my $certstring = "";
open(CERT, "$OPENSSL x509 -in usercert_cert.pem |")
or fatal("Could not start x509 on usercert_cert.pem");
while (<CERT>) {
next
if ($_ =~ /^--.*--$/);
$certstring .= $_;
}
close(CERT);
#
# Now suck in the priv key.
#
my $pkeystring = "";
open(PKEY, "usercert_key.pem")
or fatal("Could open usercert_key.pem");
while (<PKEY>) {
next
if ($_ =~ /^--.*--$/);
$pkeystring .= $_;
}
close(PKEY);
$pkeystring = DBQuoteSpecial($pkeystring);
$certstring = DBQuoteSpecial($certstring);
DBQueryFatal("update user_sslcerts set cert=$certstring,privkey=$pkeystring ".
"where uid='$user' and idx=$curidx");
#
# Combine the key and the certificate into one file which is installed
# on each remote node and used by tmcc. Installed on boss too so
# we can test tmcc there.
#
system("cat usercert_key.pem usercert_cert.pem > usercert.pem") == 0
or fatal("Could not combine cert and key into one file");
#
# Copy the certificate to the users .ssl directory.
#
my $ssldir = "$USERDIR/$user/.ssl";
if (! -d $ssldir) {
mkdir($ssldir, 0700) or
fatal("Could not mkdir $ssldir: $!");
chown($user_number, $default_groupgid, $ssldir)
or fatal("Could not chown $ssldir: $!");
}
my $target;
if (defined($password)) {
$target = "$ssldir/encrypted.pem";
}
else {
$target = "$ssldir/emulab.pem";
}
system("cp -f usercert.pem $target") == 0
or fatal("Could not copy usercert.pem to $target");
chown($user_number, $default_groupgid, "$target")
or fatal("Could not chown $target: $!");
close(LOCK);
exit(0);
sub fatal($) {
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
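Review bot: the pass phrase travels on two command lines, first as `-p password` to this script and then as `-passout pass:${password}` in the `openssl req` call, so it is visible in the process list while either process runs; the AuditSetARGV rewrite only covers the audit mail. Read it from stdin or a descriptor and hand it to openssl with `-passout fd:N` or `-passout stdin`. Separately, in the lock loop a changed mtime on the lock file makes this run wait and then `exit(0)` without issuing anything. That shortcut only works when every lock holder does identical work; here the other holder may be issuing a cert for a different user, so this run should keep waiting for the lock and then proceed (the "Another exports update in progress" message is also left over from elsewhere). Last, usercert_key.pem stays behind in $WORKDIR and the copy in ~/.ssl gets a chown but no chmod; set umask 077 before the openssl calls and unlink the work files before exit.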
......@@ -50,6 +50,7 @@ my $CHPASS = "/usr/bin/chpass";
my $SFSKEYGEN = "/usr/local/bin/sfskey gen";
my $SETGROUPS = "$TB/sbin/setgroups";
my $GENELISTS = "$TB/sbin/genelists";
my $MKUSERCERT = "$TB/sbin/mkusercert";
my $SFSUPDATE = "$TB/sbin/sfskey_update";
my $PBAG = "$TB/sbin/paperbag";
my $EXPORTSSETUP= "$TB/sbin/exports_setup";
......@@ -305,6 +306,9 @@ sub AddUser()
# Add to elists.
system("$GENELISTS -u $user");
# Generate the SSL cert for the user.
system("$MKUSERCERT $user");
#
# Must update the exports file or else nodes will complain. There
# is a bit of race in here since this update happens after the
......
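Review bot: the return value of the new `system("$MKUSERCERT $user")` call in AddUser() is ignored, so an account can come out of this path with no certificate and nothing in tbacct's output says so. Test the status and at least print a warning naming the user, so the failure can be noticed and retried.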
......@@ -1397,6 +1397,7 @@ esac
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
ssl/GNUmakefile ssl/mksig \
ssl/ca.cnf ssl/ctrlnode.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
db/webcontrol db/node_status db/genelists db/genelists.proxy \
......@@ -1423,7 +1424,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
account/GNUmakefile account/tbacct account/webtbacct \
account/addpubkey account/webaddpubkey \
account/addsfskey account/webaddsfskey \
account/quotamail \
account/quotamail account/mkusercert account/webmkusercert \
tbsetup/GNUmakefile tbsetup/console_setup tbsetup/spewlogfile \
tbsetup/spewrpmtar tbsetup/gentopofile \
tbsetup/console_reset tbsetup/bwconfig tbsetup/power_rpc27.pm \
......
......@@ -6,6 +6,50 @@ This file is in the same format at the FreeBSD UPDATING file, whis is
to say, in reverse chronological order, with the date of the change
in YYYYMMDD format.
20040901:
New SSL version of the XMLRPC server.
* Install this port on both boss and ops:
/usr/ports/security/py-m2crypto
* Reconfig, rebuild, and reinstall the testbed software on your
boss node. Be sure to pick up changes in sql/database-migrate.
* Install some ssl files on boss:
cd /usr/object/tree/ssl
gmake usercert-install
* Install new version of testbed startup script on boss
cd /usr/object/tree/rc.d
sudo gmake install
* Generate SSL certificates for existing emulab users
cd /usr/src/tree/sql
./initcerts.pl
* Add the following lines to /etc/syslog.conf on boss
!sslxmlrpc
*.* /usr/testbed/log/sslxmlrpc.log
* Add the following line to /etc/newsyslog.conf on boss
/usr/testbed/log/sslxmlrpc.log 640 7 1000 * Z
* Create the log file and restart syslog on boss
sudo touch /usr/testbed/log/sslxmlrpc.log
sudo kill -HUP `cat /var/run/syslog.pid`
* Fire up the SSL XMLRPC server
sudo /usr/testbed/sbin/sslxmlrpc_server.py
20040816:
The event system has moved to users.emulab.net.
......
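Review bot: the newsyslog.conf line given in the 20040901 entry uses a size limit of 1000 for sslxmlrpc.log, while the install script changed in this same commit adds the entry with 300. Use one value in both places so hand-updated and freshly installed boss nodes rotate the log the same way.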
......@@ -123,7 +123,7 @@ my @LOGFILES = ("$LOGDIR/bootinfo.log", "$LOGDIR/tmcd.log",
"$LOGDIR/elvind.log", "$LOGDIR/stated.log", "$LOGDIR/osselect.log",
"$LOGDIR/tftpd.log", "$LOGDIR/sdcollectd.log", "$LOGDIR/genlastlog.log",
"$LOGDIR/sshxmlrpc.log", "$LOGDIR/plabgetfree.log", "$LOGDIR/xmlrpcbag.log",
"$LOGDIR/plabrenew.log");
"$LOGDIR/plabrenew.log", "$LOGDIR/sslxmlrpc.log");
my @CISCO_MIBS = ("CISCO-SMI", "CISCO-TC", "CISCO-VTP-MIB", "CISCO-PAGP-MIB",
"CISCO-PRIVATE-VLAN-MIB", "CISCO-STACK-MIB", "CISCO-VLAN-MEMBERSHIP-MIB");
......@@ -324,7 +324,8 @@ Phase "syslog", "Setting up syslog", sub {
"!plabgetfree","*.*\t\t\t\t\t\t$LOGDIR/plabgetfree.log",
"!plabrenew", "*.*\t\t\t\t\t\t$LOGDIR/plabrenew.log",
"!xmlrpcbag", "*.*\t\t\t\t\t\t$LOGDIR/xmlrpcbag.log",
"!sshxmlrpc", "*.*\t\t\t\t\t\t$LOGDIR/sshxmlrpc.log");
"!sshxmlrpc", "*.*\t\t\t\t\t\t$LOGDIR/sshxmlrpc.log",
"!sslxmlrpc", "*.*\t\t\t\t\t\t$LOGDIR/sslxmlrpc.log");
};
Phase "logdir", "Creating log directory", sub {
......@@ -373,7 +374,8 @@ Phase "syslog", "Setting up syslog", sub {
"$LOGDIR/plabmetrics.log 640 7 1000 * Z",
"$LOGDIR/plablinkdata.log 640 7 1000 * Z",
"$LOGDIR/xmlrpcbag.log 640 7 300 * Z",
"$LOGDIR/sshxmlrpc.log 640 7 300 * Z");
"$LOGDIR/sshxmlrpc.log 640 7 300 * Z",
"$LOGDIR/sslxmlrpc.log 640 7 300 * Z");
};
};
......
......@@ -64,6 +64,11 @@ case "$1" in
inetd -a @BOSSNODE@ -p /var/run/testbed-inetd.pid @prefix@/etc/inetd.conf
fi
if [ -x @prefix@/sbin/sslxmlrpc_server.py ]; then
echo -n " sslxmlrpc"
@prefix@/sbin/sslxmlrpc_server.py
fi
#
# Could trigger experiment creation, so make sure everything
# else is setup first; i.e., run this last!
......
......@@ -150,6 +150,16 @@ CREATE TABLE deltas (
PRIMARY KEY (delta_id)
) TYPE=MyISAM;
--
-- Table structure for table `emulab_indicies`
--
CREATE TABLE emulab_indicies (
name varchar(64) NOT NULL default '',
idx int(10) unsigned NOT NULL default 0,
PRIMARY KEY (name)
) TYPE=MyISAM;
--
-- Table structure for table `event_eventtypes`
--
......@@ -1572,6 +1582,20 @@ CREATE TABLE user_sfskeys (
PRIMARY KEY (uid,comment)
) TYPE=MyISAM;
--
-- Table structure for table `user_sslcerts`
--
CREATE TABLE user_sslcerts (
uid varchar(8) NOT NULL default '',
idx int(10) unsigned NOT NULL default 0,
cert text,
privkey text,
created datetime default NULL,
encrypted tinyint(1) NOT NULL default '0',
PRIMARY KEY (idx)
) TYPE=MyISAM;
--
-- Table structure for table `user_stats`
--
......
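Review bot: user_sslcerts keeps the private key in the privkey column next to the cert, and for rows with encrypted=0 that is a usable key in plain text in the database and in every dump of it. The lookup described in the commit message only needs uid and idx, so consider leaving privkey NULL for unencrypted pairs or dropping the column. The "one cert of each kind" rule is also enforced only by the delete in mkusercert; a unique key on (uid, encrypted) would enforce it in the schema and give the uid lookups an index.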
......@@ -1913,3 +1913,34 @@ last_net_act,last_cpu_act,last_ext_act);
'emulab-ops-FBSD47-STD',NULL,0);
Poplulate the default_firewall_rules table using sql/fwrules-create.sql.
1.272: Table to manage to SSL certs we create for people to access the
SSL version of the RPC server. In addition to storing text
versions of the cert and private keys, we also store the serial
number of the cert so we can "revoke" certificates at the
server simply by removing them from the table. The SSL server
checks the serial number to make sure its still valid.
CREATE TABLE user_sslcerts (
uid varchar(8) NOT NULL default '',
idx int(10) unsigned NOT NULL default 0,
cert text,
privkey text,
created datetime default NULL,
encrypted tinyint(1) NOT NULL default '0',
PRIMARY KEY (idx)
) TYPE=MyISAM;
This next table is to deal with the need for a unique index
that will not start from zero (filling in deleted rows) when
the DB is dropped. We have several tables like that, and we
should use this table for those too.
CREATE TABLE emulab_indicies (
name varchar(64) NOT NULL default '',
idx int(10) unsigned NOT NULL default 0,
PRIMARY KEY (name)
) TYPE=MyISAM;
The certs for all users are created from the doc/UPDATING file.
Please read that.
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use lib "/usr/testbed/lib";
use libdb;
use libtestbed;
#
# Untaint the path
#
$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
$query_result =
DBQueryFatal("select u.uid,s.encrypted from users as u ".
"left join user_sslcerts as s on u.uid=s.uid ".
"where u.status='active' and u.webonly=0 and ".
"s.encrypted is null");
# Avoid blizzard of audit email.
$ENV{'TBAUDITON'} = 1;
while (($uid) = $query_result->fetchrow_array()) {
system("/usr/local/bin/sudo -u $uid /usr/testbed/sbin/mkusercert $uid") == 0
or die("Failed to create SSL cert for user $uid\n");
}
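Review bot: the loop builds the sudo command as one string with $uid interpolated, and this script runs with -w but not -T, so the value from the users table reaches the shell unchecked. Use the list form, system("/usr/local/bin/sudo", "-u", $uid, "/usr/testbed/sbin/mkusercert", $uid), and consider warning and continuing instead of die on the first failure, so one bad account does not leave every later user without a cert.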
......@@ -36,6 +36,7 @@ emulab.pem: dirsmade emulab.cnf
openssl req -new -x509 -days 1000 -config emulab.cnf \
-keyout cakey.pem -out cacert.pem
cp cacert.pem emulab.pem
cp cakey.pem emulab.key
server.pem: dirsmade server.cnf ca.cnf
#
......@@ -137,14 +138,26 @@ dirsmade:
touch index.txt
touch dirsmade
install-dirs:
-mkdir -p $(INSTALL_DIR)/ssl
-chmod 770 $(INSTALL_DIR)/ssl
-mkdir -p $(INSTALL_DIR)/ssl/certs
-mkdir -p $(INSTALL_DIR)/ssl/newcerts
-chmod 775 $(INSTALL_DIR)/ssl/newcerts
-mkdir -p $(INSTALL_DIR)/ssl/crl
echo "01" > $(INSTALL_DIR)/ssl/serial
touch $(INSTALL_DIR)/ssl/index.txt
touch install-dirs
#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
install: $(INSTALL_SBINDIR)/mksig
install: install-dirs $(INSTALL_SBINDIR)/mksig
@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"
boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/emulab.key \
$(INSTALL_ETCDIR)/server.pem \
$(INSTALL_ETCDIR)/pcplab.pem \
$(INSTALL_ETCDIR)/pcwa.pem \
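Review bot: install-dirs sets $(INSTALL_DIR)/ssl to mode 770 and newcerts to 775, and the leading '-' on the chmod lines means a failed chmod is silently ignored. If this is the directory mkusercert uses as its work dir (it writes index.txt, serial and usercert_key.pem there), group access is not needed because that script runs setuid root; 700 on the directory and no '-' on the chmod lines would be tighter.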
......@@ -153,8 +166,11 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/emulab_privkey.pem \
$(INSTALL_ETCDIR)/emulab_pubkey.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
chmod 600 $(INSTALL_ETCDIR)/emulab.key
chmod 640 $(INSTALL_ETCDIR)/server.pem
chmod 640 $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
......@@ -163,14 +179,19 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem \
remote-site-boss-install: install-dirs \
$(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/emulab.key \
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/capture.fingerprint \
$(INSTALL_ETCDIR)/capture.sha1fingerprint \
$(INSTALL_ETCDIR)/ctrlnode.pem \
$(INSTALL_ETCDIR)/server.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
chmod 600 $(INSTALL_ETCDIR)/emulab.key
chmod 640 $(INSTALL_ETCDIR)/capture.pem
chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
......@@ -194,6 +215,11 @@ control-install: $(INSTALL_SBINDIR)/capture.pem \
tipserv-install: $(INSTALL_SBINDIR)/capture.pem
chmod 640 $(INSTALL_SBINDIR)/capture.pem
usercert-install: install-dirs
-mkdir -p $(INSTALL_LIBDIR)/ssl
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
clean:
@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"
......
......@@ -52,6 +52,38 @@ organizationalUnitName = optional
commonName = match
emailAddress = optional