Commit cbee4c88 authored by Leigh Stoller

Some small ProtoGENI-related changes.

parent 617862da
......@@ -22,14 +22,17 @@ use User;
#
sub usage()
{
print("Usage: mksyscert [-d] [-o file] [-p password] <orgunit> [uuid]\n");
print("Usage: mksyscert [-d] [-o file] [-p password] [-e email] ".
"[-u url] [-a authority] <orgunit> [uuid]\n");
exit(-1);
}
my $optlist = "dp:o:e";
my $optlist = "dp:o:ve:u:a:";
my $debug = 0;
my $printcert= 0;
my $outfile;
my $password = "";
my $email;
my $url;
#
# Configure variables
......@@ -38,19 +41,23 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
# Locals
my $USERDIR = USERROOT();
my $SSLDIR = "$TB/lib/ssl";
my $TEMPLATE = "$SSLDIR/usercert.cnf";
my $TEMPLATE = "$SSLDIR/syscert.cnf";
my $CACONFIG = "$SSLDIR/ca.cnf";
my $EMULAB_CERT = "$TB/etc/emulab.pem";
my $EMULAB_KEY = "$TB/etc/emulab.key";
my $OPENSSL = "/usr/bin/openssl";
my $WORKDIR = "$TB/ssl";
my $SAVEUID = $UID;
my $certfile = $EMULAB_CERT;
my $keyfile = $EMULAB_KEY;
# Locals
my $encrypted = 0;
......@@ -105,12 +112,29 @@ if (defined($options{"o"})) {
else {
die("Tainted arguments: $outfile\n");
}
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"e"})) {
$email = $options{"e"};
}
if (defined($options{"a"})) {
my $authority = $options{"a"};
if ($authority =~ /^([-\w\.\/]+)$/) {
$authority = $1;
}
else {
die("Tainted arguments: $authority\n");
}
$certfile = $authority;
$keyfile = $authority;
}
if (defined($options{"u"})) {
$url = $options{"u"};
}
if (defined($options{"v"})) {
$printcert = 1;
}
if (defined($options{"p"})) {
......@@ -152,6 +176,9 @@ if (!defined($uuid)) {
if (!($uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
fatal("uuid not in proper format");
}
if (!defined($email)) {
$email = $TBOPS;
}
#
# CD to the workdir, and then serialize on the lock file since there is
......@@ -197,6 +224,13 @@ open(TEMP, ">>syscert.cnf")
print TEMP "OU\t\t= $orgunit\n";
print TEMP "CN\t\t= $uuid\n";
print TEMP "emailAddress\t= $email\n";
print TEMP "\n";
print TEMP "[ req_altname ]\n";
if (defined($url)) {
print TEMP "URI=$url\n\n";
}
close(TEMP)
or fatal("Could not close syscert.cnf: $!");
......@@ -206,7 +240,7 @@ my $outline = ($debug ? "" : ">/dev/null 2>&1");
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -new -config syscert.cnf ".
system("$OPENSSL req -text -new -config syscert.cnf ".
($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ") .
" -keyout syscert_key.pem -out syscert_req.pem $outline") == 0
or fatal("Could not create certificate request");
......@@ -216,8 +250,8 @@ system("$OPENSSL req -new -config syscert.cnf ".
#
$UID = 0;
system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
" -name CA_usercerts -config $CACONFIG ".
" -out syscert_cert.pem -cert $EMULAB_CERT -keyfile $EMULAB_KEY ".
" -name CA_syscerts -config $CACONFIG ".
" -out syscert_cert.pem -cert $certfile -keyfile $keyfile ".
" -infiles syscert_req.pem $outline") == 0
or fatal("Could not sign certificate request");
$UID = $SAVEUID;
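Review bot: The `-e` and `-u` values are copied straight out of `%options` (`$email = $options{"e"};`, `$url = $options{"u"};`) without the anchored-regex untainting that `-o` and `-a` receive in the same hunk, yet both are later written verbatim into the generated request config (`print TEMP "emailAddress\t= $email\n";`, `print TEMP "URI=$url\n\n";`). A value carrying an embedded newline would therefore be able to add directives or whole sections to syscert.cnf, so each should go through the same `if (... =~ /^(...)\z/) { ... = $1 } else { die("Tainted arguments: ...\n") }` pattern before assignment, with a character class appropriate to an e-mail address and to a URI respectively. While doing so, prefer `\z` over `$` in these checks, because `$` also accepts a trailing newline; the new `-a` check `if ($authority =~ /^([-\w\.\/]+)$/)` has the same weakness. Since `-a` sets both `$certfile` and `$keyfile` to the same path, a comment such as `# -a names a single PEM that appears to hold both the signing cert and its key` would make that expectation explicit.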
......@@ -38,6 +38,8 @@ my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
my $OU = "sslxmlrpc"; # orgunit
......@@ -245,8 +247,14 @@ system("cp -f $TEMPLATE usercert.cnf") == 0
open(TEMP, ">>usercert.cnf")
or fatal("Could not open $TEMPLATE for append: $!");
print TEMP "OU\t\t= $OU\n";
if ($PGENISUPPORT) {
print TEMP "OU\t\t= $PGENIDOMAIN.$user_uid\n";
}
else {
print TEMP "OU\t\t= $user_uid\n";
}
print TEMP "CN\t\t= $user_uuid\n";
print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
close(TEMP)
or fatal("Could not close usercert.cnf: $!");
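Review bot: The new branch at `if ($PGENISUPPORT) {` relies on `my $PGENISUPPORT= @PROTOGENI_SUPPORT@;` being substituted with a bare numeric literal; if configure ever leaves that substitution empty the line degrades to `my $PGENISUPPORT= ;` and the whole script fails to compile (the identical declaration is added to mksyscert in the section above). I cannot see how configure defines it, but quoting the substitution, `my $PGENISUPPORT = "@PROTOGENI_SUPPORT@";`, keeps `0`/`1` truthiness unchanged while turning a missing value into false instead of a syntax error. The reason the OU is prefixed with `$PGENIDOMAIN.` is not visible in the hunk; a one-line comment on the branch stating why the uid is domain-qualified under ProtoGENI would help the next reader.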