Commit e1871b51 authored by Robert Ricci's avatar Robert Ricci

Stop hard-coding the digest of Utah's capture certificate, and read

it out of a file in /usr/testbed/etc .

We put it in a separate file from the rest of the certificate, because
we need the fingerprint to be publicly readable (the certificate file itself stays mode 640).
parent b7c376c3
...@@ -6,6 +6,18 @@ This file is in the same format at the FreeBSD UPDATING file, whis is ...@@ -6,6 +6,18 @@ This file is in the same format at the FreeBSD UPDATING file, whis is
to say, in reverse chronological order, with the date of the change to say, in reverse chronological order, with the date of the change
in YYYYMMDD format. in YYYYMMDD format.
20040303:
Fixed the way we handle the certificate for capture with tiptunnel.
We no longer hard-code the certificate digest in nodetipacl.php3 .
However, as a result, we must place this fingerprint in a publically-
readable file on boss. So, if you have serial lines that you're
running with capture:
1) Copy your /usr/testbed/etc/capture.pem file from your tipserver to
boss, if it isn't there already.
2) In /usr/testbed/etc/ on boss, run: 'openssl x509 -sha -noout
-fingerprint -in capture.pem > capture.fingerprint', and make this
file world-readable.
20040302: 20040302:
Changed the length of the node_id columns from 10 to 32. Make sure Changed the length of the node_id columns from 10 to 32. Make sure
you re-compile and restart all daemons written in C (such as you re-compile and restart all daemons written in C (such as
......
...@@ -15,7 +15,8 @@ include $(OBJDIR)/Makeconf ...@@ -15,7 +15,8 @@ include $(OBJDIR)/Makeconf
all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \ all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
keys mksig keys mksig
remote-site: emulab.pem capture.pem server.pem localnode.pem remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
localnode.pem
include $(TESTBED_SRCDIR)/GNUmakerules include $(TESTBED_SRCDIR)/GNUmakerules
...@@ -84,6 +85,16 @@ capture.pem: dirsmade capture.cnf ca.cnf ...@@ -84,6 +85,16 @@ capture.pem: dirsmade capture.cnf ca.cnf
cat capture_key.pem capture_cert.pem > capture.pem cat capture_key.pem capture_cert.pem > capture.pem
rm -f newreq.pem rm -f newreq.pem
#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
capture.fingerprint: capture.pem
openssl x509 -sha -noout -fingerprint -in capture.pem \
> capture.fingerprint
localnode.pem: dirsmade localnode.cnf ca.cnf $(SRCDIR)/mkclient.sh localnode.pem: dirsmade localnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
$(SRCDIR)/mkclient.sh localnode $(SRCDIR)/mkclient.sh localnode
...@@ -147,10 +158,13 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \ ...@@ -147,10 +158,13 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem \ remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem $(INSTALL_ETCDIR)/server.pem $(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/capture.fingerprint \
$(INSTALL_ETCDIR)/server.pem
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem $(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem chmod 640 $(INSTALL_ETCDIR)/emulab.pem
chmod 640 $(INSTALL_ETCDIR)/capture.pem chmod 640 $(INSTALL_ETCDIR)/capture.pem
chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
chmod 640 $(INSTALL_ETCDIR)/server.pem chmod 640 $(INSTALL_ETCDIR)/server.pem
chmod 640 $(INSTALL_ETCDIR)/client.pem chmod 640 $(INSTALL_ETCDIR)/client.pem
......
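Review bot: The capture.fingerprint recipe at the `openssl x509 -sha -noout -fingerprint -in capture.pem > capture.fingerprint` line leaves an empty capture.fingerprint behind, newer than its prerequisite, if openssl fails (capture.pem missing or unreadable, `-sha` unsupported by the installed openssl), so make then treats the target as up to date and `remote-site-boss-install` ships the empty file. Write to a temporary name and rename only on success, and use the automatic variables so the recipe cannot drift from its target: `openssl x509 -sha -noout -fingerprint -in $< > $@.tmp && mv -f $@.tmp $@`. Because this file is the only thing tiptunnel clients use to decide whether the capture server is genuine, the install rule deserves a comment that it must be world-readable but owned by root and not group/world-writable — `chmod 644` fixes the mode, but ownership comes from `$(INSTALL_DATA)` and the `$(INSTALL_ETCDIR)/%` rule, both defined outside this hunk, and the remote-site-boss-install recipe itself continues past the hunk. The `-sha` (SHA-0) choice is explained in the comment; a `# TODO: switch to -sha1 once all deployed tiptunnel binaries accept it` line would keep the weaker digest from being forgotten.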
...@@ -43,6 +43,22 @@ if (mysql_num_rows($query_result) == 0) { ...@@ -43,6 +43,22 @@ if (mysql_num_rows($query_result) == 0) {
USERERROR("The node $node_id does not exist, or seem to have a tipline!", 1); USERERROR("The node $node_id does not exist, or seem to have a tipline!", 1);
} }
#
# Read in the fingerprint of capture's certificate
#
$capfile = "$TBETC_DIR/capture.fingerprint";
$lines = file($capfile,"r");
if (!$lines) {
TBERROR("Unable to open $capfile!",1);
}
$fingerline = rtrim($lines[0]);
if (!preg_match("/Fingerprint=([\w:]+)$/",$fingerline,$matches)) {
TBERROR("Unable to find fingerprint in string $fingerline!",1);
}
$certhash = str_replace(":","",strtolower($matches[1]));
$filename = $node_id . ".tbacl"; $filename = $node_id . ".tbacl";
header("Content-Type: text/x-testbed-acl"); header("Content-Type: text/x-testbed-acl");
...@@ -58,10 +74,6 @@ $portnum = $row[portnum]; ...@@ -58,10 +74,6 @@ $portnum = $row[portnum];
$keylen = $row[keylen]; $keylen = $row[keylen];
$keydata = $row[keydata]; $keydata = $row[keydata];
# XXX fix me!!!
# $certhash = "7161bb44818e7be5a5bcd58506163e1583e6aa1c";
$certhash = "0bc864551de711a3d46ac173dbd67cde75c36734";
echo "host: $server\n"; echo "host: $server\n";
echo "port: $portnum\n"; echo "port: $portnum\n";
echo "keylen: $keylen\n"; echo "keylen: $keylen\n";
......
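Review bot: The parse at `preg_match("/Fingerprint=([\w:]+)$/", $fingerline, $matches)` accepts any digest line, so a capture.fingerprint an admin generated by hand with `-sha1` or `-md5` (the UPDATING entry has them run openssl manually) passes this check and yields a hash tiptunnel can never match, and `\w` also admits non-hex characters. Anchor the algorithm name and the length instead, e.g. `if (!preg_match('/^SHA Fingerprint=((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})$/', $fingerline, $matches))`, which is exactly the `openssl x509 -sha -fingerprint` output the Makefile in this commit produces. Separately, `file($capfile,"r")` passes a string where file() takes a use_include_path flag, and "r" is truthy; drop the second argument, `$lines = file($capfile);`. If TBERROR() does not terminate the request (its definition is outside this file), `$matches[1]` is read after a failed match; an explicit `exit` after each TBERROR() would make the fail-closed path obvious, and the surrounding script starts before this hunk.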