Commit 4809cd65 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Minor changes to user certs to support certificate revocation lists

in the protogeni code. We no longer save the unencrypted certs after
they are revoked, since protogeni will ignore them. I redid the the
DB table as well, adding a revoked stamp, and the DN so that we can
generate the CRL list from the DB directly, without having to run them
all through openssl.

This commit requires all certs to be regenerated, and the ssl xmlrpc
server to be restarted.
parent 4afe264d
......@@ -59,6 +59,7 @@ my $SAVEUID = $UID;
my $encrypted = 0;
my $db_password = "''";
my $sh_password = "";
my $days = 1000;
#
# We don't want to run this script unless its the real version.
......@@ -116,7 +117,6 @@ if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"g"})) {
$OU = "geni";
$geniflag = 1;
}
if (defined($options{"p"})) {
......@@ -136,6 +136,7 @@ if (defined($options{"p"})) {
$sh_password =~ s/\'/\'\\\'\'/g;
$sh_password = "$sh_password";
$encrypted = 1;
$days = 365;
}
if (@ARGV != 1) {
usage();
......@@ -247,11 +248,11 @@ system("cp -f $TEMPLATE usercert.cnf") == 0
open(TEMP, ">>usercert.cnf")
or fatal("Could not open $TEMPLATE for append: $!");
if ($PGENISUPPORT) {
if ($PGENISUPPORT && $encrypted) {
print TEMP "OU\t\t= $PGENIDOMAIN.$user_uid\n";
}
else {
print TEMP "OU\t\t= $user_uid\n";
print TEMP "OU\t\t= $OU\n";
}
print TEMP "CN\t\t= $user_uuid\n";
print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
......@@ -270,7 +271,7 @@ system("$OPENSSL req -new -config usercert.cnf ".
# Sign the client cert request, creating a client certificate.
#
$UID = 0;
system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
system("$OPENSSL ca -batch -policy policy_sslxmlrpc -days $days ".
" -name CA_usercerts -config $CACONFIG ".
" -out usercert_cert.pem -cert $EMULAB_CERT -keyfile $EMULAB_KEY ".
" -infiles usercert_req.pem") == 0
......@@ -278,19 +279,17 @@ system("$OPENSSL ca -batch -policy policy_sslxmlrpc ".
$UID = $SAVEUID;
#
# We save all of the certs in the DB, but we are not worrying about
# revocation yet. By saving them, we can eventually do that. But we do
# have to set the status bit to revoked though or else we will not know
# later (okay, we can probably figure it out if we had to).
# We store the DN in the DB too, for creating the crl index file without
# having to reparse all the certs.
#
DBQueryFatal("update user_sslcerts set ".
" status='revoked',revoked=now() ".
"where uid_idx='$user_dbid' and encrypted=$encrypted");
DBQueryFatal("insert into user_sslcerts ".
"(uid,uid_idx,idx,created,encrypted,orgunit,status,password) ".
"values ('$user_uid', '$user_dbid', $serial, now(), ".
" $encrypted, '$OU', 'valid', $db_password)");
my $DN = `$OPENSSL x509 -subject -noout -in usercert_cert.pem`;
chomp($DN);
if ($DN =~ /^subject=\s*(\/[-\/\=\w\@\.\s]+)$/) {
$DN = $1;
}
else {
fatal("Could not parse DN from certificate");
}
#
# Grab the cert path and strip off the header goo, then insert into
......@@ -322,10 +321,38 @@ while (<PKEY>) {
}
close(PKEY);
$pkeystring = DBQuoteSpecial($pkeystring);
$certstring = DBQuoteSpecial($certstring);
DBQueryFatal("update user_sslcerts set cert=$certstring,privkey=$pkeystring ".
"where uid_idx='$user_dbid' and idx=$serial");
$pkeystring = DBQuoteSpecial($pkeystring);
$certstring = DBQuoteSpecial($certstring);
my $dnstring = DBQuoteSpecial($DN);
# Ensure we keep it past revocation.
$days++;
#
# We save all of the encrypted certs in the DB since we are going to issue
# CRLs for protogeni. We do not bother to save old unencrypted certs since
# they have a different OU and so protogeni will not accept them, they
# do not need to be revoked. The sslxmlrpc server checks the table directly
# so only the most recent is needed.
#
DBQueryFatal("insert into user_sslcerts ".
"(uid,uid_idx,idx,created,expires,encrypted,password, ".
" cert,privkey,DN) ".
"values ('$user_uid', '$user_dbid', $serial, now(), ".
" DATE_ADD(now(), INTERVAL $days DAY), ".
" $encrypted, $db_password, ".
" $certstring, $pkeystring, $dnstring)");
if ($encrypted) {
DBQueryFatal("update user_sslcerts set ".
" revoked=now() ".
"where uid_idx='$user_dbid' and idx!=$serial and ".
" encrypted=1");
}
else {
DBQueryFatal("delete from user_sslcerts ".
"where uid_idx='$user_dbid' and idx!=$serial and ".
" encrypted=0");
}
#
# Combine the key and the certificate into one file which is
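Review bot: The revocation update near the end of the hunk (`update user_sslcerts set revoked=now() where uid_idx=... and idx!=$serial and encrypted=1`) timestamps the superseded encrypted certificates but leaves their `privkey` and `password` columns populated, so the table keeps the usable key material of every revoked certificate indefinitely. Per the comment above the insert, CRL generation only needs `idx`, `DN` and `revoked`, so unless something else still reads a superseded key the same statement could clear it: `" revoked=now(),privkey=NULL,password=NULL "`. Separately, `expires` is computed from the DB's `now()` plus `$days+1` rather than from the certificate's own notAfter, and the one-line comment `# Ensure we keep it past revocation.` does not say why; something like `# DB expiry is one day past the cert's notAfter so the serial stays listed until the cert itself has expired.` would make the intent explicit, assuming that is the intent. The script continues past the end of this hunk.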
......@@ -18,6 +18,22 @@ Note that some instructions may have steps that need to occur at a few
different points in the install process - these are marked with the
earliest time one of the steps needs to occur.
20080915: After install.
The user ssl certificate format has changed, so all user
certificates must be removed from the DB and regenerated.
mysql> delete from user_sslcerts;
And then run this script from the source directory:
sql/initcerts.pl
Then restart the ssl xmlrpc server.
sudo kill `cat /var/run/sslxmlrpc_server.pid`
/usr/testbed/sbin/sslxmlrpc_server.py
20080905: After install
In order to reduce the size of the main database, data in
......@@ -3293,14 +3293,14 @@ CREATE TABLE `user_sslcerts` (
`uid` varchar(8) NOT NULL default '',
`uid_idx` mediumint(8) unsigned NOT NULL default '0',
`idx` int(10) unsigned NOT NULL default '0',
`cert` text,
`privkey` text,
`created` datetime default NULL,
`encrypted` tinyint(1) NOT NULL default '0',
`status` enum('valid','revoked','expired') default 'valid',
`orgunit` tinytext,
`expires` datetime default NULL,
`revoked` datetime default NULL,
`password` tinytext,
`encrypted` tinyint(1) NOT NULL default '0',
`DN` text,
`cert` text,
`privkey` text,
PRIMARY KEY (`idx`),
KEY `uid` (`uid`),
KEY `uid_idx` (`uid_idx`)
......@@ -4593,3 +4593,36 @@ last_net_act,last_cpu_act,last_ext_act);
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
4.163: Fix to previous revision; skip to next entry.
4.164: Rework the certs table for protogeni and crls.
DROP TABLE IF EXISTS `user_sslcerts`;
CREATE TABLE `user_sslcerts` (
`uid` varchar(8) NOT NULL default '',
`uid_idx` mediumint(8) unsigned NOT NULL default '0',
`idx` int(10) unsigned NOT NULL default '0',
`created` datetime default NULL,
`expires` datetime default NULL,
`revoked` datetime default NULL,
`password` tinytext,
`encrypted` tinyint(1) NOT NULL default '0',
`DN` text,
`cert` text,
`privkey` text,
PRIMARY KEY (`idx`),
KEY `uid` (`uid`),
KEY `uid_idx` (`uid_idx`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
See the comments in doc/UPDATING. This must be done after
installation.
./initcerts.pl
Then restart the ssl xmlrpc server.
sudo kill `cat /var/run/sslxmlrpc_server.pid`
/usr/testbed/sbin/sslxmlrpc_server.py
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
......@@ -13,19 +13,20 @@ use libtestbed;
#
# Untaint the path
#
$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin';
$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin:/usr/testbed/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
$query_result =
DBQueryFatal("select u.uid,s.encrypted from users as u ".
"left join user_sslcerts as s on u.uid=s.uid ".
"where u.status='active' and u.webonly=0 and ".
"s.encrypted is null");
DBQueryFatal("select u.uid from users as u ".
"left join user_stats as s on s.uid_idx=u.uid_idx ".
"where u.status='active' and u.webonly=0 ".
"order by s.weblogin_last desc");
# Avoid blizzard of audit email.
$ENV{'TBAUDITON'} = 1;
while (($uid) = $query_result->fetchrow_array()) {
system("/usr/local/bin/sudo -u $uid /usr/testbed/sbin/mkusercert $uid") == 0
print "Generating new emulab cert for $uid\n";
system("withadminprivs mkusercert $uid >/dev/null") == 0
or warn("Failed to create SSL cert for user $uid\n");
}
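Review bot: `system("withadminprivs mkusercert $uid >/dev/null")` interpolates the uid into a shell command line, so the PATH/IFS untainting at the top of the hunk does not protect against a uid that ever contains shell metacharacters. The value comes from `users.uid` (a varchar(8) per the schema in this commit) and is presumably constrained at account creation, but escaping it is a one-token change: `system("withadminprivs mkusercert \Q$uid\E >/dev/null") == 0`. The rewritten query also drops the old `s.encrypted is null` filter, so the loop now regenerates a certificate for every active non-webonly user; that matches the commit message but deserves a comment above the query, e.g. `# Regenerate certs for every active user, most recent web logins first.`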
......@@ -109,7 +109,7 @@ CREATE TABLE experiment_template_input_data (
-- Auto generated unique index.
idx int(10) unsigned NOT NULL auto_increment,
-- MD5 of the input file.
md5 varchar(32) NOT NULL,
md5 varchar(32) NOT NULL default '',
-- The actual text of the input
input mediumtext,
PRIMARY KEY (idx),
......@@ -253,13 +253,15 @@ CREATE TABLE experiment_template_parameters (
#
# Hmm, the above table is a problem wrt experiment parsing.
#
CREATE TABLE virt_parameters (
pid varchar(12) NOT NULL default '',
eid varchar(32) NOT NULL default '',
name varchar(64) NOT NULL default '',
value tinytext,
PRIMARY KEY (pid,eid,name)
) TYPE=MyISAM;
CREATE TABLE `virt_parameters` (
`pid` varchar(12) NOT NULL default '',
`eid` varchar(32) NOT NULL default '',
`name` varchar(64) NOT NULL default '',
`value` tinytext,
`description` text,
PRIMARY KEY (`exptidx`,`name`),
UNIQUE KEY `pideid` (`pid`,`eid`,`name`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
#
# Events that are dynamically created by the user, as for analysis.
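Review bot: `PRIMARY KEY (\`exptidx\`,\`name\`)` in the new `virt_parameters` definition names a column the CREATE TABLE does not declare; only `pid`, `eid`, `name`, `value` and `description` are listed, so the statement should fail with an unknown key column unless an `exptidx` line was lost in rendering. If the per-experiment index is intended as the key, it needs a column declaration after `eid`, e.g. `\`exptidx\` int(11) NOT NULL default '0',` using whatever type the other tables use for exptidx; otherwise the old `PRIMARY KEY (pid,eid,name)` should be kept, in which case the added `UNIQUE KEY pideid` duplicates it and can go.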