[LON-CAPA-cvs] cvs: loncom / CrCA.pl /interface londocs.pm
raeburn
raeburn at source.lon-capa.org
Mon Jul 8 19:00:17 EDT 2019
raeburn Mon Jul 8 23:00:17 2019 EDT
Modified files:
/loncom/interface londocs.pm
/loncom CrCA.pl
Log:
- Script to create a Certificate Authority (CA) for a LON-CAPA cluster.
- Displays the preamble and exits if the user declines to continue (modules are loaded only after confirmation).
- Prompt to create a new CA cert, even if an unexpired one exists.
- Prompt for CA certificate lifetime (days) whenever new CA cert is made.
- Remove some debug code.
Index: loncom/interface/londocs.pm
diff -u loncom/interface/londocs.pm:1.484.2.72.2.4 loncom/interface/londocs.pm:1.484.2.72.2.5
--- loncom/interface/londocs.pm:1.484.2.72.2.4 Thu Nov 16 23:45:03 2017
+++ loncom/interface/londocs.pm Sun Apr 29 17:33:52 2018
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Documents
#
-# $Id: londocs.pm,v 1.484.2.72.2.4 2017/11/16 23:45:03 raeburn Exp $
+# $Id: londocs.pm,v 1.484.2.72.2.5 2018/04/29 17:33:52 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -2598,7 +2598,8 @@
}
}
}
- for (my $i=0; $i<@LONCAPA::map::order; $i++) {
+ my $total = scalar(@LONCAPA::map::order) - 1;
+ for (my $i=$total; $i>=0; $i--) {
my $idx = $LONCAPA::map::order[$i];
if (defined($LONCAPA::map::resources[$idx])) {
my $changed;
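Review bot: The reversed index loop is right for the `splice(@LONCAPA::map::order,$i,1)` further down, but nothing says why the direction was flipped, and `$total` is a hand-computed `$#LONCAPA::map::order`. `for my $i (reverse 0 .. $#LONCAPA::map::order) {` with the comment `# walk backwards so splice() on @order does not skip the entry after a removed one` states the intent in one line. The enclosing subroutine begins before this hunk and continues past it.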
@@ -2608,7 +2609,7 @@
splice(@LONCAPA::map::order,$i,1);
if (ref($currparam{$idx}) eq 'ARRAY') {
foreach my $name (@{$currparam{$idx}}) {
- &LONCAPA::map::delparameter($idx,'parameter_'.$name);
+ &LONCAPA::map::delparameter($idx,$name);
}
}
next;
@@ -2650,7 +2651,7 @@
foreach my $idx (keys(%remparam)) {
if (ref($remparam{$idx}) eq 'ARRAY') {
foreach my $name (@{$remparam{$idx}}) {
- &LONCAPA::map::delparameter($idx,'parameter_'.$name);
+ &LONCAPA::map::delparameter($idx,$name);
}
}
}
Index: loncom/CrCA.pl
diff -u loncom/CrCA.pl:1.2 loncom/CrCA.pl:1.3
--- loncom/CrCA.pl:1.2 Tue Jan 1 04:55:00 2019
+++ loncom/CrCA.pl Mon Jul 8 23:00:16 2019
@@ -2,7 +2,7 @@
# The LearningOnline Network with CAPA
# Script to create a Certificate Authority (CA) for a LON-CAPA cluster.
#
-# $Id: CrCA.pl,v 1.2 2019/01/01 04:55:00 raeburn Exp $
+# $Id: CrCA.pl,v 1.3 2019/07/08 23:00:16 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -26,13 +26,6 @@
# http://www.lon-capa.org/
use strict;
-use Sys::Hostname::FQDN();
-use Term::ReadKey;
-use Locale::Country;
-use Crypt::OpenSSL::X509;
-use DateTime::Format::x509;
-use File::Slurp;
-use Cwd;
#
# Expected structure
@@ -97,7 +90,19 @@
END
-#Proceed?
+ print ('Continue? [Y/n]');
+ my $go_on = &get_user_selection(1);
+ if (!$go_on) {
+ exit;
+ }
+
+ require Sys::Hostname::FQDN;
+ require Term::ReadKey;
+ require Locale::Country;
+ require Crypt::OpenSSL::X509;
+ require DateTime::Format::x509;
+ require File::Slurp;
+ require Cwd;
my ($dir,$hostname,%data);
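Review bot: The seven `require` statements are unguarded, so on a host missing any of these CPAN modules the script dies with a bare "Can't locate ... in @INC" only after the operator has already answered the Continue prompt. Wrapping each one gives an actionable message, e.g. `eval { require Term::ReadKey; 1 } or die "Perl module Term::ReadKey is required; install it and re-run.\n";` (one line per module, or a loop over a qw() list using a string eval). Since these are now `require`d rather than `use`d, nothing is imported, so every call site must stay fully qualified, which the later hunks do for Term::ReadKey and Locale::Country.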
@@ -152,7 +157,7 @@
A configuration file: $dir/lonca/opensslca.conf will be created.
The following information will be included:
-Country, State/Province, City, Cluster Name, Organizational Name, E-mail address, CA certificate lifetime (days), Default certificate lifetime (days), CRL re-creation interval (days)
+Country, State/Province, City, Cluster Name, Organizational Name, E-mail address, Default certificate lifetime (days), CRL re-creation interval (days)
END
$hostname = Sys::Hostname::FQDN::fqdn();
@@ -171,7 +176,7 @@
clustername => 'Cluster name',
organization => 'Organization name',
);
- my ($clustername,$organization,$country,$state,$city,$email,$cadays,$clusterhostname,$days,$crldays);
+ my ($clustername,$organization,$country,$state,$city,$email,$clusterhostname,$days,$crldays);
$clusterhostname = $hostname;
$country = &get_country($hostname);
print "Enter state or province name\n";
@@ -183,10 +188,8 @@
'This name will be included as the Common Name for the CA certificate.'."\n";
$clustername = &get_info($fieldname{'clustername'});
print 'Enter the organization name for this LON-CAPA cluster, e.g., "Lon CAPA certification authority"'."\n".
- 'This name will be included as the Oraganization for the CA certificate.'."\n";
+ 'This name will be included as the Organization for the CA certificate.'."\n";
$organization = &get_info($fieldname{'organization'});
- print "Enter the lifetime (in days) for the CA root certificate distributed to all nodes, e.g., 3650\n";
- $cadays = &get_days();
print "Enter the default lifetime (in days) for each certificate created/signed by the CA for individual nodes, e.g., 3650\n";
$days = &get_days();
print "Enter the re-creation interval (in days) for the CA's certificate revocation list (CRL), e.g., 180\n";
@@ -224,7 +227,7 @@
[ certificate_extensions ]
basicConstraints = CA:false
-crlDistributionPoints = URI:http://$clusterhostname/adm/dns/loncapaCAcrl
+crlDistributionPoints = URI:http://$clusterhostname/adm/dns/loncapaCRL
[ req ]
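Review bot: Changing crlDistributionPoints to `/adm/dns/loncapaCRL` only affects certificates issued from now on; node certificates already signed by this CA carry the old `/adm/dns/loncapaCAcrl` URI and will keep pointing there. Unless the server still answers on the old path (not visible in this diff), those certificates lose CRL lookup until they are reissued; a comment in the template such as `# was /adm/dns/loncapaCAcrl; keep serving that path while older node certs exist` would record the dependency. Plain http for the CRL URI is fine, as the CRL is itself signed.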
@@ -313,6 +316,7 @@
exit;
}
}
+ my $makecacert;
if (-e "$dir/lonca/cacert.pem") {
print "A CA certificate exists\n";
open(PIPE,"openssl pkey -in $dir/lonca/private/cakey.pem -passin pass:$sslkeypass -pubout -outform der | sha256sum |");
@@ -323,6 +327,7 @@
my $hashfromcert = <PIPE>;
close(PIPE);
chomp($hashfromcert);
+ my $defsel = 0;
if ($hashfromkey eq $hashfromcert) {
my ($now,$starttime,$endtime,$status,%cert);
my $x509 = Crypt::OpenSSL::X509->new_from_file("$dir/lonca/cacert.pem");
@@ -351,30 +356,38 @@
if ($endtime <= $now) {
$status = 'previous';
print "Current CA certificate expired $cert{'end'}\n";
+ print 'Create a new certificate? [Y/n]';
+ $defsel = 1;
} elsif ($starttime > $now) {
$status = 'future';
- print "Current CA certificate will be valid after $cert{'start'}\n";
+ print "Current CA certificate will be valid after $cert{'start'}\n";
+ print 'Create a new certificate? [y/N]';
} else {
$status eq 'active';
print "Current CA certificate valid until $cert{'end'}".' '.
"Signature Algorithm: $cert{'alg'}; Public Key size: $cert{'size'}\n";
- }
- if ($status eq 'previous') {
- print 'Create a new certificate? [Y/n]';
- if (&get_user_selection(1)) {
- unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass)) {
- print "Failed to create CA cert\n";
- exit;
- }
- }
+ print 'Create a new certificate? [y/N]';
}
} else {
print "Could not determine validity of current CA certificate\n";
- exit;
+ print 'Create a new certificate? [Y/n]';
+ $defsel = 1;
}
+ } else {
+ print "Current CA certificate does not match key.\n";
+ print 'Create a new certificate? [Y/n]';
+ $defsel = 1;
+ }
+ if (&get_user_selection($defsel)) {
+ $makecacert = 1;
}
} else {
- unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass)) {
+ $makecacert = 1;
+ }
+ if ($makecacert) {
+ print "Enter the lifetime (in days) for the CA root certificate distributed to all nodes, e.g., 3650\n";
+ my $cadays = &get_days();
+ unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass,$cadays)) {
print "Failed to create CA cert\n";
exit;
}
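Review bot: When the operator accepts the new prompt for an active or not-yet-valid CA certificate, make_ca_cert overwrites `$dir/lonca/cacert.pem` in place and the previous CA certificate — the one the nodes currently hold, per the preamble text — is gone with no copy kept; move it aside first, e.g. `rename("$dir/lonca/cacert.pem","$dir/lonca/cacert.pem.".time()) or die "Could not back up cacert.pem: $!\n";` immediately before the make_ca_cert call. Separately, the context line `$status eq 'active';` in the else branch is a string comparison in void context, not an assignment, so `$status` stays unset precisely when a valid certificate is found; it should read `$status = 'active';`. The if/else around the existing cacert.pem begins before this hunk, and whether `$status` is consulted afterwards is not visible here.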
@@ -614,9 +627,9 @@
local $| = 1;
print $prompt.': ';
my $newpasswd = '';
- ReadMode 'raw';
+ Term::ReadKey::ReadMode('raw');
my $key;
- while(ord($key = ReadKey(0)) != 10) {
+ while(ord($key = Term::ReadKey::ReadKey(0)) != 10) {
if(ord($key) == 127 || ord($key) == 8) {
chop($newpasswd);
print "\b \b";
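Review bot: `Term::ReadKey::ReadKey(0)` returns undef at end of input (stdin closed, or a non-tty run), and `ord(undef)` is 0, so the loop condition never sees 10 and the passphrase prompt spins forever with the terminal left in raw mode. Making the loop `while (defined(my $key = Term::ReadKey::ReadKey(0))) { last if ord($key) == 10 || ord($key) == 13;` terminates on EOF and also accepts a bare carriage return, which termios raw mode usually delivers for Enter. The passphrase-reading subroutine starts before this hunk.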
@@ -625,7 +638,7 @@
print '*';
}
}
- ReadMode 'normal';
+ Term::ReadKey::ReadMode('normal');
print "\n";
return $newpasswd;
}
@@ -661,28 +674,19 @@
#
sub make_ca_cert {
- my ($keydir,$certdir,$sslkeypass) = @_;
+ my ($keydir,$certdir,$sslkeypass,$cadays) = @_;
# generate SSL cert for CA
my $created;
- if ((-d $keydir) && (-d $certdir) && ($sslkeypass ne '')) {
- my $cmd = "openssl req -x509 -key $keydir/cakey.pem -passin pass:$sslkeypass -new -batch -config $certdir/opensslca.conf -out $certdir/cacert.pem";
- print "Calling ||$cmd||\n";
- open(PIPE,"openssl req -x509 -key $keydir/cakey.pem -passin pass:$sslkeypass -new -batch -config $certdir/opensslca.conf -out $certdir/cacert.pem |");
+ if ((-d $keydir) && (-d $certdir) && ($sslkeypass ne '') && ($cadays =~ /^\d+$/) && ($cadays > 0)) {
+ open(PIPE,"openssl req -x509 -key $keydir/cakey.pem -passin pass:$sslkeypass -new -days $cadays -batch -config $certdir/opensslca.conf -out $certdir/cacert.pem |");
close(PIPE);
if (-f "$certdir/cacert.pem") {
my $mode = 0600;
chmod $mode, "$certdir/cacert.pem";
-# chmod $mode, "$certdir/careq.pem";
-# open(PIPE,"openssl ca -create_serial -out $certdir/cacert.pem -days 3650 -keyfile $keydir/cakey.pem -selfsign -config ./openssl.cnf -infiles $certdir/careq.pem |");
-# close(PIPE);
-# if (-f "$certdir/cacert.pem") {
-# my $mode = 0600;
-# chmod $mode, "$certdir/cacert.pem";
-# }
$created= 1;
}
} else {
- print "Creation of CA root certificate failed. Missing one or more of: CA directory, CA key directory, or CA passphrase.\n";
+ print "Creation of CA root certificate failed. Missing one or more of: CA directory, CA key directory, CA passphrase, or certificate lifetime (number of days).\n";
}
return $created;
}
@@ -737,7 +741,7 @@
($posscountry) = ($desiredhostname =~ /\.(a-z){2}$/);
}
if ($posscountry) {
- my $countrydesc = &Locale::Country::code2country($posscountry);
+ my $countrydesc = Locale::Country::code2country($posscountry);
if ($countrydesc eq '') {
undef($posscountry);
}
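Review bot: The context line `($posscountry) = ($desiredhostname =~ /\.(a-z){2}$/);` matches the literal text "a-z" repeated twice rather than a two-letter country TLD, so the capture is essentially never set and the country guess from the hostname is silently skipped; the intended pattern is `($posscountry) = ($desiredhostname =~ /\.([a-z]{2})$/);`. With that fix the code2country lookup being de-ampersanded in this hunk becomes reachable. get_country starts before this hunk.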
@@ -754,7 +758,7 @@
my $choice=<STDIN>;
chomp($choice);
if ($choice ne '') {
- if (&Locale::Country::code2country(lc($choice))) {
+ if (Locale::Country::code2country(lc($choice))) {
$country=uc($choice);
$flag=1;
} else {
@@ -822,12 +826,11 @@
4) State or Province: $data{'state'}
5) City: $data{'city'}
6) E-mail: $data{'email'}
-7) CA certificate lifetime (days): $data{'cadays'}
-8) Default certificate lifetime for issued certs (days): $data{'days'}
-9) CRL recreation interval (days): $data{'crldays'}
-10) Everything is correct up above
+7) Default certificate lifetime for issued certs (days): $data{'days'}
+8) CRL recreation interval (days): $data{'crldays'}
+9) Everything is correct up above
-Enter a choice of 1-9 to change, otherwise enter 10:
+Enter a choice of 1-8 to change, otherwise enter 9:
END
my $choice=<STDIN>;
chomp($choice);
@@ -875,32 +878,23 @@
$data{'email'}=$choice2;
} elsif ($choice == 7) {
print(<<END);
-7) CA Root Certificate lifetime: $data{'cadays'}
-Enter new value:
-END
- my $choice2=<>;
- chomp($choice2);
- $choice2 =~ s/\D//g;
- $data{'cadays'}=$choice2;
- } elsif ($choice == 8) {
-print(<<END);
-8) Default certificate lifetime: $data{'days'}
+7) Default certificate lifetime: $data{'days'}
Enter new value:
END
my $choice2=<>;
chomp($choice2);
$choice2 =~ s/\D//g;
$data{'days'}=$choice2;
- } elsif ($choice == 9) {
+ } elsif ($choice == 8) {
print(<<END);
-9) CRL re-creation interval: $data{'crldays'}
+8) CRL re-creation interval: $data{'crldays'}
Enter new value:
END
my $choice2=<>;
chomp($choice2);
$choice2 =~ s/\D//g;
$data{'crldays'}=$choice2;
- } elsif ($choice == 10) {
+ } elsif ($choice == 9) {
$flag=1;
foreach my $key (keys(%data)) {
$data{$key} =~ s{/}{ }g;