Commit e1871b51 authored by Robert Ricci's avatar Robert Ricci

Stop hard-coding the digest of Utah's capture certificate, and read

it out of a file in /usr/testbed/etc .

We put it in a separate file from the rest of the certificate, because
we need the fingerprint to be publicly readable.
parent b7c376c3
......@@ -6,6 +6,18 @@ This file is in the same format at the FreeBSD UPDATING file, whis is
to say, in reverse chronological order, with the date of the change
in YYYYMMDD format.
20040303:
Fixed the way we handle the certificate for capture with tiptunnel.
We no longer hard-code the certificate digest in nodetipacl.php3 .
However, as a result, we must place this fingerprint in a publically-
readable file on boss. So, if you have serial lines that you're
running with capture:
1) Copy your /usr/testbed/etc/capture.pem file from your tipserver to
boss, if it isn't there already.
2) In /usr/testbed/etc/ on boss, run: 'openssl x509 -sha -noout
-fingerprint -in capture.pem > capture.fingerprint', and make this
file world-readable.
20040302:
Changed the length of the node_id columns from 10 to 32. Make sure
you re-compile and restart all daemons written in C (such as
......
......@@ -15,7 +15,8 @@ include $(OBJDIR)/Makeconf
all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
keys mksig
remote-site: emulab.pem capture.pem server.pem localnode.pem
remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
localnode.pem
include $(TESTBED_SRCDIR)/GNUmakerules
......@@ -84,6 +85,16 @@ capture.pem: dirsmade capture.cnf ca.cnf
cat capture_key.pem capture_cert.pem > capture.pem
rm -f newreq.pem
#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
capture.fingerprint: capture.pem
openssl x509 -sha -noout -fingerprint -in capture.pem \
> capture.fingerprint
localnode.pem: dirsmade localnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
$(SRCDIR)/mkclient.sh localnode
......@@ -147,10 +158,13 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem $(INSTALL_ETCDIR)/server.pem
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/capture.fingerprint \
$(INSTALL_ETCDIR)/server.pem
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
chmod 640 $(INSTALL_ETCDIR)/capture.pem
chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
chmod 640 $(INSTALL_ETCDIR)/server.pem
chmod 640 $(INSTALL_ETCDIR)/client.pem
......
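Review bot: The `capture.fingerprint` recipe in the second hunk redirects straight into the target, so if `openssl` fails the shell has already created an empty `capture.fingerprint` with a fresh mtime and the next `make` treats it as up to date; the PHP consumer then only reports that no fingerprint was found. Write through a temporary name and rename on success, using the automatic variables: `openssl x509 -sha -noout -fingerprint -in $< > $@.tmp && mv -f $@.tmp $@`. The comment already explains that the digest is pinned by the distributed tiptunnel binary; it would help to add there that this fingerprint is the only value the generated ACL binds the capture certificate to, so the algorithm should be revisited once tiptunnel can be rebuilt. The `chmod 644` in the third hunk matches the world-readable requirement stated in the commit message.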
......@@ -43,6 +43,22 @@ if (mysql_num_rows($query_result) == 0) {
USERERROR("The node $node_id does not exist, or seem to have a tipline!", 1);
}
#
# Read in the fingerprint of capture's certificate
#
$capfile = "$TBETC_DIR/capture.fingerprint";
$lines = file($capfile,"r");
if (!$lines) {
TBERROR("Unable to open $capfile!",1);
}
$fingerline = rtrim($lines[0]);
if (!preg_match("/Fingerprint=([\w:]+)$/",$fingerline,$matches)) {
TBERROR("Unable to find fingerprint in string $fingerline!",1);
}
$certhash = str_replace(":","",strtolower($matches[1]));
$filename = $node_id . ".tbacl";
header("Content-Type: text/x-testbed-acl");
......@@ -58,10 +74,6 @@ $portnum = $row[portnum];
$keylen = $row[keylen];
$keydata = $row[keydata];
# XXX fix me!!!
# $certhash = "7161bb44818e7be5a5bcd58506163e1583e6aa1c";
$certhash = "0bc864551de711a3d46ac173dbd67cde75c36734";
echo "host: $server\n";
echo "port: $portnum\n";
echo "keylen: $keylen\n";
......
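Review bot: `file($capfile,"r")` in the first hunk passes a mode string to `file()`, which takes no mode argument; its second parameter is a flag (historically `use_include_path`), so a truthy `"r"` makes it search the include path instead of simply reading the file. Drop the argument: `$lines = file($capfile);`. The regex accepts hex-and-colon text of any length, so a truncated or hand-edited fingerprint file would silently yield a short `$certhash`; a check such as `if (strlen($certhash) != 40) { TBERROR("Bad fingerprint length in $capfile!",1); }` would reject it before the ACL is emitted (40 being the hex length of the digest the Makefile generates and of the hash removed in the second hunk). If `TBERROR` returns rather than exits, `$matches[1]` is read undefined on the error path; that is worth confirming, since the script continues outside the hunk.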