[LON-CAPA-cvs] cvs: loncom / Lond.pm /configuration SSL.pm
raeburn
raeburn at source.lon-capa.org
Sat Dec 22 12:06:06 EST 2018
raeburn Sat Dec 22 17:06:06 2018 EDT
Modified files:
/loncom Lond.pm
/loncom/configuration SSL.pm
Log:
- LON-CAPA SSL certificate status includes issuer comparison for CA cert and
Connections and Replication certs.
Index: loncom/Lond.pm
diff -u loncom/Lond.pm:1.13 loncom/Lond.pm:1.14
--- loncom/Lond.pm:1.13 Mon Dec 10 18:56:18 2018
+++ loncom/Lond.pm Sat Dec 22 17:06:02 2018
@@ -1,6 +1,6 @@
# The LearningOnline Network
#
-# $Id: Lond.pm,v 1.13 2018/12/10 18:56:18 raeburn Exp $
+# $Id: Lond.pm,v 1.14 2018/12/22 17:06:02 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -821,6 +821,12 @@
ca => 'lonnetCertificateAuthority',
);
my (%md5hash,%expected_cn,%expired,%revoked,%wrongcn,%info,$crlfile);
+ %info = (
+ key => {},
+ ca => {},
+ host => {},
+ hostname => {},
+ );
if (ref($perlvar) eq 'HASH') {
$expected_cn{'host'} = $Apache::lonnet::serverhomeIDs{$hostname};
$expected_cn{'hostname'} = 'internal-'.$hostname;
@@ -877,6 +883,7 @@
$info{$key}{'size'} = $x509->bit_length();
$info{$key}{'email'} = $x509->email();
$info{$key}{'serial'} = $x509->serial();
+ $info{$key}{'issuerhash'} = $x509->issuer_hash();
if ($x509->checkend(0)) {
$expired{$key} = 1;
}
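Review bot: The new `issuerhash` field stored after `serial` has no comment saying what kind of value it is or what it may be relied on for. If `$x509` is an OpenSSL-backed certificate object (its class is not visible in this hunk), `issuer_hash()` is a short hash of the issuer name only, so equal values show that two certificates name the same issuer, not that one was signed by the other. I would add a comment above the assignment such as `# hash of the issuer DN only; feeds the status display, not a signature or chain check`. The enclosing block starts and ends outside the hunk.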
@@ -939,6 +946,9 @@
$info{$key}{'status'} = 'expired';
} elsif ($wrongcn{$key}) {
$info{$key}{'status'} = 'wrongcn';
+ } elsif ((exists($info{'ca'}{'issuerhash'})) &&
+ ($info{'ca'}{'issuerhash'} ne $info{$key}{'issuerhash'})) {
+ $info{$key}{'status'} = 'mismatch';
} else {
$info{$key}{'status'} = 'ok';
}
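Review bot: The added `elsif` compares the CA certificate's issuer hash with each certificate's issuer hash, which identifies the signer only when the CA certificate is self-signed; with a CA issued by another authority, correctly issued host certificates would be reported as `mismatch`, so the reference value would normally be the CA certificate's subject-name hash. The branch also fires when `$info{$key}{'issuerhash'}` was never set (the hunk does not show which keys reach this chain), where `ne` against undef yields `mismatch` plus an uninitialized-value warning. Guarding the test as `} elsif (defined($info{'ca'}{'issuerhash'}) && defined($info{$key}{'issuerhash'}) &&` avoids that. A matching hash still falls through to `ok` without any signature verification, so a short comment that this status is a name comparison and not chain validation would help whoever reads the report. The enclosing loop starts and ends outside the hunk.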
Index: loncom/configuration/SSL.pm
diff -u loncom/configuration/SSL.pm:1.7 loncom/configuration/SSL.pm:1.8
--- loncom/configuration/SSL.pm:1.7 Sat Aug 18 22:07:53 2018
+++ loncom/configuration/SSL.pm Sat Dec 22 17:06:06 2018
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Checksum installed LON-CAPA modules and some configuration files
#
-# $Id: SSL.pm,v 1.7 2018/08/18 22:07:53 raeburn Exp $
+# $Id: SSL.pm,v 1.8 2018/12/22 17:06:06 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -65,6 +65,7 @@
'otherkey' => 'No matching key',
'revoked' => 'Revoked by CA',
'wrongcn' => 'Incorrect CN',
+ 'mismatch' => 'Mismatched Issuer',
);
my @files = qw(key host hostname ca);
my @fields = qw(status cn start end alg size email);
@@ -153,7 +154,7 @@
}
} elsif (($display eq 'nokey') || ($display eq 'otherkey') ||
($display eq 'revoked') || ($display eq 'expired') ||
- ($display eq 'wrongcn')) {
+ ($display eq 'wrongcn') || ($display eq 'mismatch')) {
if ($target eq 'web') {
$display = $lt{$display};
}