Attachment #4284 for bug #26572

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity (-1 / +1 lines)

Lines 1-7	Link Here

#!/bin/sh

#!/bin/sh

@%@UCRWARNING=# @%@

@%@UCRWARNING=# @%@

# Copyright 2004-2011 Univention GmbH

# Copyright 2004-2012 Univention GmbH

# http://www.univention.de/

# http://www.univention.de/

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright (-3 / +1 lines)

Lines 1-4	Link Here

Copyright 2002-2011 Univention GmbH

Copyright 2002-2012 Univention GmbH

http://www.univention.de/

http://www.univention.de/

Lines 25-29 You should have received a copy of the GNU Affero General Public	Link Here

License with the Debian GNU/Linux or Univention distribution in file

License with the Debian GNU/Linux or Univention distribution in file

/usr/share/common-licenses/AGPL-3; if not, see

/usr/share/common-licenses/AGPL-3; if not, see

<http://www.gnu.org/licenses/>.

<http://www.gnu.org/licenses/>.

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules (-2 / +1 lines)

Lines 3-9	Link Here

# Univention SSL

# Univention SSL

#  rules file for the debian package

#  rules file for the debian package

# Copyright 2004-2011 Univention GmbH

# Copyright 2004-2012 Univention GmbH

# http://www.univention.de/

# http://www.univention.de/

Lines 44-47 override_dh_auto_test:	Link Here

%:

%:

	dh $@

	dh $@




# Univention SSL
#  postinst script
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

		# Bug #13549
		rdate time.fu-berlin.de || rdate 130.133.1.10 || true

		. /usr/share/univention-ssl/make-certificates.sh
		init
		univention-certificate new -name "$hostname.$domainname"
		ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname"
	else
		echo "skipped. SSL Certificate found in $CERTPATH"
	fi
fi


fi

if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 3.0.3-1; then
	ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname"
fi

if [ "$1" = "$configure" -a -z "$2" ]; then


if [ "$1" = "configure" ]; then
	if test -f /etc/init.d/univention-directory-listener
	then
		/etc/init.d/univention-directory-listener crestart || true
	fi
fi

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm (-2 / +2 lines)

Lines 3-9	Link Here

# Univention SSL

# Univention SSL

#  postrm script

#  postrm script

# Copyright 2004-2011 Univention GmbH

# Copyright 2004-2012 Univention GmbH

# http://www.univention.de/

# http://www.univention.de/

Lines 32-38	Link Here

# postrm script for univention-ssl

# postrm script for univention-ssl

if [ "$1" = "purge" ]; then

if [ "$1" = "purge" ]; then

	rm -rf /etc/univention/ssl;

	rm -rf /etc/univention/ssl

fi

fi

#DEBHELPER#

#DEBHELPER#




[ssl/default/days]
Description[de]=Standard Lebensdauer für neue SSL-Zertifikate
Description[en]=Default lifetime of new SSL certificates
Type=int
Categories=system-ssl

[ssl/default/hashfunction]

[ssl/validity/check]
Description[de]=Aktiviere/Deaktiviere die regelmäßige Gültigkeitsprüfung für Zertifikate
Description[en]=Enable/Disable regular checks for certificate validity
Type=bool
Categories=system-ssl

[ssl/validity/days]
Description[de]=Anzahl an Tagen die das Root SSL-Zertifikat gültig ist
Description[en]=Number of days which the root certificate is valid
Type=int
Categories=system-ssl

[ssl/validity/warning]




createHostExtensionsFile () {
	local fqdn="$1"
	local hostname=${fqdn/.*/}
	local extFile=$(mktemp)
        local extFile=$(mktemp)

        cat <<EOF >>"$extFile"

	cat <<EOF >>"$extFile"
extensions = myx509v3
[ myx509v3 ]



# alternative name
subjectAltName = DNS:$fqdn, DNS:$hostname

EOF

        echo "$extFile"




# Univention SSL
#  listener ssl module
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

__package__=''	# workaround for PEP 366
from listener import *
import grp

import univention.debug
import univention.misc
import subprocess

name='gencertificate'
description='Generate new Certificates'

uidNumber = 0
gidNumber = 0
saved_uid = 65545
SSLDIR = '/etc/univention/ssl'

def set_privileges_cert(root=0):
	global saved_uid

		os.seteuid(saved_uid)

def initialize():
	univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Initialize')
	return

def handler(dn, new, old):
	global uidNumber

	try:
		try:
			uidNumber = int(new.get('uidNumber', ['0'])[0])
		except (LookupError, TypeError, ValueError):
			uidNumber = 0

		try:
			gidNumber = int(grp.getgrnam('DC Backup Hosts')[2])
		except (LookupError, TypeError, ValueError):
			univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)
			gidNumber = 0

		if new and not old:
			if new.has_key('associatedDomain'):
				domain=new['associatedDomain'][0]
			else:

				create_certificate(new['cn'][0], int(new['uidNumber'][0]), domainname=new_domain)
			else:
				# Reset permissions
				fqdn = "%s.%s" % (new['cn'][0], new_domain)
				certpath = os.path.join(SSLDIR, fqdn)
				a = os.path.walk(certpath, set_permissions, None)
	finally:
		set_privileges_cert(root=0)
	return

def set_permissions(tmp1, directory, filename):
	global uidNumber
	global gidNumber

	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))
	os.chown(directory, uidNumber, gidNumber)
	os.chmod(directory, 0750)

	for f in filename:
		file = os.path.join(directory, f)
		univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (file, gidNumber, uidNumber))
		os.chown(file, uidNumber, gidNumber)
		os.chmod(file, 0640)

def remove_dir(tmp1, directory, filename):
	"""Remove directory and all files within."""
	for f in filename:
		file = os.path.join(directory, f)
		os.remove(file)
	os.rmdir(directory)


	global uidNumber
	global gidNumber
	uidNumber = serverUidNumber
	
	ssldir='/etc/univention/ssl'
	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)

	fqdn = '%s.%s' % (name, domainname)
	certpath = os.path.join(SSLDIR, fqdn)
	link_path = os.path.join(SSLDIR, name)
		if not os.path.islink("%s/%s" % (ssldir,name)):
			p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
			p.close
		a=os.path.walk(certpath,set_permissions, None)
		return

	if os.path.exists(certpath):
		univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Certificate for host %s already exists' % (fqdn,))
		if os.path.islink(link_path):
			return
	else:
		if len(fqdn) > 64:
			univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s' % (fqdn,))
			return

		univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)
		univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s.%s' % (name,domainname))
		return

	p = os.popen('. /usr/share/univention-ssl/make-certificates.sh; gencert %s.%s %s.%s' % (name,domainname,name,domainname) )
	p.close()
	p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
	p.close()

		subprocess.call('. /usr/share/univention-ssl/make-certificates.sh; gencert %s %s' % (fqdn, fqdn), shell=True)
	a=os.path.walk(certpath,set_permissions, None)

	# Create symlink
	try:
		os.remove(link_path)
	except OSError, e:
		pass
	try:
		os.symlink(certpath, link_path)
	except OSError, e:
		pass
	# Fix permissions
	a = os.path.walk(certpath, set_permissions, None)

def remove_certificate(name, domainname):
	fqdn = '%s.%s' % (name, domainname)
	univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s' % (fqdn,))
	subprocess.call(('/usr/sbin/univention-certificate', 'revoke', '-name', fqdn))

	link_path = os.path.join(SSLDIR, name)

	univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s.%s' % (name,domainname))
	p = os.popen('/usr/sbin/univention-certificate revoke -name %s.%s' % (name,domainname) )
	p.close()

	link_path=os.path.join(ssldir,name)
	if os.path.exists(link_path):
		os.remove(link_path)

	certpath = os.path.join(SSLDIR, fqdn)
	if os.path.exists(certpath):
		a = os.path.walk(certpath, remove_dir, None)

	return

def clean():
	return

def postrun():
	return





# Univention SSL
#  gencertificate script
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/

if [ -n "$sslbase" ]; then
	SSLBASE="$sslbase"
else
	SSLBASE=/etc/univention/ssl
fi

CA=ucsCA

fi

mk_config () {
    local outfile=$1
    local password=$2
    local password=$2;
    local days=$3
    local name=$4

	if test -e "$outfile"; then
		rm -f "$outfile"
	fi
	touch "$outfile"
	chmod 0600 "$outfile"

	eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"

    cat >"$outfile" <<EOF
    cat <<EOF >>$outfile

# HOME			= .
# RANDFILE		= \$ENV::HOME/.rnd
# oid_section		= new_oids

distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions		= v3_ca

EOF

	if [ -n "$password" ]; then
		cat >>"$outfile" <<EOF
input_password = $password
output_password = $password
EOF
	fi

	cat >>"$outfile" <<EOF

string_mask = nombstr
req_extensions = v3_req


issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always

EOF
	chmod 0600 "$outfile"

}

move_cert () {
    local count=0
	local OPWD=$(pwd)
    cd "$SSLBASE"

    local i
    for i in "$@"; do
		if [ -f "$i" ]
		then
			local new="${SSLBASE}/${CA}/certs/$(basename "$i")"
			mv "$i" "$new"
			local hash=$(openssl x509 -hash -noout -in "$new")
			while :
			do
				local linkname="${CA}/certs/${hash}.${count}"
				if [ -h "$linkname" ]
				then
					count=$((count + 1))
					continue
				else
					ln -s "$new" "$linkname"
					break
				fi
			done
		fi
	done
	cd "$OPWD"
}

init () {

		chmod 600 "$SSLBASE/password"
		makepasswd > "$SSLBASE/password"
	fi
	local PASSWD=`cat "$SSLBASE/password"`

	local OPWD=$(pwd)

	# create directory infrastructure
	cd "$SSLBASE"
	mkdir -m 700 -p "${CA}"
	mkdir -p "${CA}/"{certs,crl,newcerts,private}
	echo "01" >"${CA}/serial"
	touch "${CA}/index.txt"

	eval "$(ucr shell ssl/common)"

	# make the root-CA configuration file
	mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common"

	openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048
	yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem"
	yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem

	# copy the public key to a place, from where browsers can access it
	openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt

	# mv the certificate to the certs dir and link it to its hash value
	cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem"
	move_cert "${CA}/newcerts/00.pem"

	# generate root ca request
	openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD"

	find "${CA}" -type f -exec chmod 600 {} +
	find "${CA}" -type d -exec chmod 700 {} +

	chmod 755 "${CA}"
	chmod 644 "${CA}/CAcert.pem"
	#generate empty crl at installation time
	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der

	cd "$OPWD"
}


list_cert_names () {
	local OPWD=$(pwd)
   cd "$SSLBASE"
   awk 'BEGIN { FS="\t"; }
    { if ( $1 == "V" )

		}
	    }
	}
    }' <"${CA}/index.txt"
    cd "$OPWD"
}


has_valid_cert () {
    list_cert_names | egrep -q "$1$"
}

renew_cert () {
	local OPWD=$(pwd)
	cd "$SSLBASE"

	if [ -z "$1" ]; then
		echo "missing certificate name" 1>&2
		return 1
	fi

	local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
	if [ -z "$NUM" ]; then
		echo "no certificate for $1 registered" >&2
		return 1
	fi

	if [ -z "$2" ]; then
		days=$DEFAULT_DAYS
	fi

	# revoke cert
	revoke_cert "$1"

	# get host extension file
	hostExt=$(ucr get ssl/host/extensions)
	if [ -s "$hostExt" ]; then
		. "$hostExt"
		extFile=$(createHostExtensionsFile "$1")
	fi

	# sign the request
	if [ -s "$extFile" ]; then
		openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
			-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
		rm -f "$extFile"
	else
		openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
			-out "$1/cert.pem" -passin pass:"$PASSWD"
	fi

	# move the new certificate to its place
	move_cert "${CA}/newcerts/"*
	cd "$OPWD"
}

# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll

revoke_cert () {
	local OPWD=`pwd`
	cd "$SSLBASE"

	if [ -z "$1" ]; then
		echo "missing certificate name" >&2
		return 1
	fi

	local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
	if [ -z "$NUM" ]; then
		echo "no certificate for $1 registered" >&2
		return 1
	fi
	openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der

	cd "$OPWD"
}



	local OPWD=`pwd`
	cd "$SSLBASE"
	if has_valid_cert "$2"; then
		revoke_cert "$2"
	fi

	local days=$(/usr/sbin/univention-config-registry get ssl/default/days)
	if [ -z "$days" ]; then
		days=$DEFAULT_DAYS
	fi
	# generate a key pair
	mkdir -pm 700 "$name"
	mk_config "$name/openssl.cnf" "" "$days" "$cn"
	openssl genrsa -out "$name/private.key" 1024
	yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"

	# get host extension file
	local hostExt=$(ucr get ssl/host/extensions)
	if [ -s "$hostExt" ]; then
		. "$hostExt"
		local extFile=$(createHostExtensionsFile "$cn")
	fi

	# sign the key
	if [ -s "$extFile" ]; then
		openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
			-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
		rm -f "$extFile"
	else
		openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
			-out "$name/cert.pem" -passin pass:"$PASSWD"
	fi

	# move the new certificate to its place
	move_cert "${CA}/newcerts/"*

	find "$name" -type f -exec chmod 600 {} +
	find "$name" -type d -exec chmod 700 {} +
	cd "$OPWD"
}

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync (-1 / +1 lines)

Lines 3-9	Link Here

# Univention SSL

# Univention SSL

#  ssl sync script

#  ssl sync script

# Copyright 2004-2011 Univention GmbH

# Copyright 2004-2012 Univention GmbH

# http://www.univention.de/

# http://www.univention.de/




# Univention SSL
#  openssl wrapper
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.
set -o errfail

usage ()
{

	echo "        dump"
	echo "        list"
	echo ""
	echo "Options:"
	echo "        -name <name>"
	echo "        -days <days>"
	echo ""

	exit 2
}

command="$1"


if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then
	if [ -n "$command" ]; then
		usage "unknown command: $command" >&2
	else
		usage >&2
	fi
fi

while [ $# -gt 0 ]; do
	case "$1" in
	"-path")
		path="$2"
		shift 2 || usage "Missing argument to -path" >&2
		shift
		;;
	"-name")
		name="$2"
		shift 2 || usage "Missing argument to -name" >&2
		shift
		;;
	"-days")
		days="$2" || usage "Missing argument to -days" >&2
		shift 2
		shift
		;;
	*)
		usage "unknown option $1" >&2
		shift
		;;
	esac
done

if [ "$command" != "list" -a -z "$name" ]; then
	usage "missing -name" >&2
fi

cd /etc/univention/ssl

	"new")
		echo "Creating certificate: $name"
		gencert "/etc/univention/ssl/$name" "$name"
		if getent group "DC Backup Hosts" 2>&1 >/dev/null
		then
			chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name"
			chmod g+rx "/etc/univention/ssl/$name"
		fi
		;;
	"revoke")

		;;
	"renew")
		if [ -z "$days" ]; then
			usage "missing -days" >&2
		fi
		echo "Renew certificate: $name"
		renew_cert "$name" "$days"
		;;
	"check")
		echo -n "Certificate \"$name\" is "
		if has_valid_cert "$name"
		then
			echo "valid"
			exit 0
		else
			echo "invalid"
			exit 1
		fi
		;;
	"list")

		;;
	"dump")
		echo "Dump certificate: $name"
		openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text
		;;
esac





# Univention SSL
#  checks validity of the local SSL certificate
#
# Copyright 2006-2012 Univention GmbH
#
# http://www.univention.de/
#


from M2Crypto import X509

from univention.config_registry import ConfigRegistry

_bc = ConfigRegistry()
_bc.load()

def get_validity_date(certFile):

Return to bug 26572