Attachment #4282 for bug #26572




createHostExtensionsFile () {
	local fqdn="$1"
	local hostname=${fqdn/.*/}
	local extFile=$(mktemp)
        local extFile=$(mktemp)

        cat <<EOF >>"$extFile"

	cat <<EOF >>"$extFile"
extensions = myx509v3
[ myx509v3 ]



# alternative name
subjectAltName = DNS:$fqdn, DNS:$hostname

EOF

        echo "$extFile"




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

__package__=''	# workaround for PEP 366
from listener import *
import grp


			univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)
			gidNumber = 0

		if new and not old:
			if new.has_key('associatedDomain'):
				domain=new['associatedDomain'][0]
			else:

def set_permissions(tmp1, directory, filename):
	global uidNumber
	global gidNumber

	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))
	os.chown(directory, uidNumber, gidNumber)
	os.chmod(directory, 0750)

	global uidNumber
	global gidNumber
	uidNumber = serverUidNumber

	ssldir='/etc/univention/ssl'
	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)


	p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
	p.close()

	
	a=os.path.walk(certpath,set_permissions, None)

	return


def postrun():
	return





# Univention SSL
#  gencertificate script
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/

if [ -n "$sslbase" ]; then
	SSLBASE="$sslbase"
else
	SSLBASE=/etc/univention/ssl
fi

CA=ucsCA

fi

mk_config () {
    local outfile=$1
    local password=$2
    local password=$2;
    local days=$3
    local name=$4

	if test -e "$outfile"; then
		rm -f "$outfile"
	fi
	touch "$outfile"
	chmod 0600 "$outfile"

	eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"

    cat >"$outfile" <<EOF
    cat <<EOF >>$outfile

# HOME			= .
# RANDFILE		= \$ENV::HOME/.rnd
# oid_section		= new_oids

distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions		= v3_ca

EOF

	if [ -n "$password" ]; then
		cat >>"$outfile" <<EOF
input_password = $password
output_password = $password
EOF
	fi

	cat >>"$outfile" <<EOF

string_mask = nombstr
req_extensions = v3_req


issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always

EOF
	chmod 0600 "$outfile"

}

move_cert () {
    local count=0
	local OPWD=$(pwd)
    cd "$SSLBASE"

    local i
    for i in "$@"; do
		if [ -f "$i" ]
		then
			local new="${SSLBASE}/${CA}/certs/$(basename "$i")"
			mv "$i" "$new"
			local hash=$(openssl x509 -hash -noout -in "$new")
			while :
			do
				local linkname="${CA}/certs/${hash}.${count}"
				if [ -h "$linkname" ]
				then
					count=$((count + 1))
					continue
				else
					ln -s "$new" "$linkname"
					break
				fi
			done
		fi
	done
	cd "$OPWD"
}

init () {

		chmod 600 "$SSLBASE/password"
		makepasswd > "$SSLBASE/password"
	fi
	local PASSWD=`cat "$SSLBASE/password"`

	local OPWD=$(pwd)

	# create directory infrastructure
	cd "$SSLBASE"
	mkdir -m 700 -p "${CA}"
	mkdir -p "${CA}/"{certs,crl,newcerts,private}
	echo "01" >"${CA}/serial"
	touch "${CA}/index.txt"

	eval "$(ucr shell ssl/common)"

	# make the root-CA configuration file
	mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common"

	openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048
	yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem"
	yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem

	# copy the public key to a place, from where browsers can access it
	openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt

	# mv the certificate to the certs dir and link it to its hash value
	cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem"
	move_cert "${CA}/newcerts/00.pem"

	# generate root ca request
	openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD"

	find "${CA}" -type f -exec chmod 600 {} +
	find "${CA}" -type d -exec chmod 700 {} +

	chmod 755 "${CA}"
	chmod 644 "${CA}/CAcert.pem"
	#generate empty crl at installation time
	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der

	cd "$OPWD"
}


list_cert_names () {
	local OPWD=$(pwd)
   cd "$SSLBASE"
   awk 'BEGIN { FS="\t"; }
    { if ( $1 == "V" )

		}
	    }
	}
    }' <"${CA}/index.txt"
    cd "$OPWD"
}


has_valid_cert () {
    list_cert_names | egrep -q "$1$"
}

renew_cert () {
	local OPWD=$(pwd)
	cd "$SSLBASE"

	if [ -z "$1" ]; then
		echo "missing certificate name" 1>&2
		return 1
	fi

	local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
	if [ -z "$NUM" ]; then
		echo "no certificate for $1 registered" >&2
		return 1
	fi

	if [ -z "$2" ]; then
		days=$DEFAULT_DAYS
	fi

	# revoke cert
	revoke_cert "$1"

	# get host extension file
	hostExt=$(ucr get ssl/host/extensions)
	if [ -s "$hostExt" ]; then
		. "$hostExt"
		extFile=$(createHostExtensionsFile "$1")
	fi

	# sign the request
	if [ -s "$extFile" ]; then
		openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
			-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
		rm -f "$extFile"
	else
		openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
			-out "$1/cert.pem" -passin pass:"$PASSWD"
	fi

	# move the new certificate to its place
	move_cert "${CA}/newcerts/"*
	cd "$OPWD"
}

# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll

revoke_cert () {
	local OPWD=`pwd`
	cd "$SSLBASE"

	if [ -z "$1" ]; then
		echo "missing certificate name" >&2
		return 1
	fi

	local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
	if [ -z "$NUM" ]; then
		echo "no certificate for $1 registered" >&2
		return 1
	fi
	openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der

	cd "$OPWD"
}



	local OPWD=`pwd`
	cd "$SSLBASE"
	if has_valid_cert "$2"; then
		revoke_cert "$2"
	fi

	local days=$(/usr/sbin/univention-config-registry get ssl/default/days)
	if [ -z "$days" ]; then
		days=$DEFAULT_DAYS
	fi
	# generate a key pair
	mkdir -pm 700 "$name"
	mk_config "$name/openssl.cnf" "" "$days" "$cn"
	openssl genrsa -out "$name/private.key" 1024
	yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"

	# get host extension file
	local hostExt=$(ucr get ssl/host/extensions)
	if [ -s "$hostExt" ]; then
		. "$hostExt"
		local extFile=$(createHostExtensionsFile "$cn")
	fi

	# sign the key
	if [ -s "$extFile" ]; then
		openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
			-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
		rm -f "$extFile"
	else
		openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
			-out "$name/cert.pem" -passin pass:"$PASSWD"
	fi

	# move the new certificate to its place
	move_cert "${CA}/newcerts/"*

	find "$name" -type f -exec chmod 600 {} +
	find "$name" -type d -exec chmod 700 {} +
	cd "$OPWD"
}




# Univention SSL
#  openssl wrapper
#
# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#

# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.
set -o errfail

usage ()
{

	echo "        dump"
	echo "        list"
	echo ""
	echo "Options:"
	echo "        -name <name>"
	echo "        -days <days>"
	echo ""

	exit 2
}

command="$1"


if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then
	if [ -n "$command" ]; then
		usage "unknown command: $command" >&2
	else
		usage >&2
	fi
fi

while [ $# -gt 0 ]; do
	case "$1" in
	"-path")
		path="$2"
		shift 2 || usage "Missing argument to -path" >&2
		shift
		;;
	"-name")
		name="$2"
		shift 2 || usage "Missing argument to -name" >&2
		shift
		;;
	"-days")
		days="$2" || usage "Missing argument to -days" >&2
		shift 2
		shift
		;;
	*)
		usage "unknown option $1" >&2
		shift
		;;
	esac
done

if [ "$command" != "list" -a -z "$name" ]; then
	usage "missing -name" >&2
fi

cd /etc/univention/ssl

	"new")
		echo "Creating certificate: $name"
		gencert "/etc/univention/ssl/$name" "$name"
		if getent group "DC Backup Hosts" 2>&1 >/dev/null
		then
			chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name"
			chmod -R g+rx "/etc/univention/ssl/$name"
		fi

		;;
	"renew")
		if [ -z "$days" ]; then
			usage "missing -days" >&2
		fi
		echo "Renew certificate: $name"
		renew_cert "$name" "$days"
		;;
	"check")
		echo -n "Certificate \"$name\" is "
		if has_valid_cert "$name"
		then
			echo "valid"
			exit 0
		else
			echo "invalid"
			exit 1
		fi
		;;
	"list")

		;;
	"dump")
		echo "Dump certificate: $name"
		openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text
		;;
esac


Lines 37-45 import calendar Link Here

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity (-2 / +2 lines)
37		37
38	from M2Crypto import X509	38	from M2Crypto import X509
39		39
40	import univention_baseconfig	40	from univention.config_registry import ConfigRegistry
41		41
42	_bc = univention_baseconfig.baseConfig()	42	_bc = ConfigRegistry()
43	_bc.load()	43	_bc.load()
44		44
45	def get_validity_date(certFile):	45	def get_validity_date(certFile):

Return to bug 26572

Lines 30-36 Link Here

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py (-6 / +4 lines)
30	# /usr/share/common-licenses/AGPL-3; if not, see	30	# /usr/share/common-licenses/AGPL-3; if not, see
31	# <http://www.gnu.org/licenses/>.	31	# <http://www.gnu.org/licenses/>.
32		32
33	__package__='' # workaround for PEP 366	33	__package__='' # workaround for PEP 366
34	from listener import *	34	from listener import *
35	import grp	35	import grp
36		36
Lines 80-86 def handler(dn, new, old): Link Here
80	univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)	80	univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)
81	gidNumber = 0	81	gidNumber = 0
82		82
83	if new and not old:	83	if new and not old:
84	if new.has_key('associatedDomain'):	84	if new.has_key('associatedDomain'):
85	domain=new['associatedDomain'][0]	85	domain=new['associatedDomain'][0]
86	else:	86	else:
Lines 118-124 def handler(dn, new, old): Link Here
118	def set_permissions(tmp1, directory, filename):	118	def set_permissions(tmp1, directory, filename):
119	global uidNumber	119	global uidNumber
120	global gidNumber	120	global gidNumber
121		121
122	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))	122	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))
123	os.chown(directory, uidNumber, gidNumber)	123	os.chown(directory, uidNumber, gidNumber)
124	os.chmod(directory, 0750)	124	os.chmod(directory, 0750)
Lines 139-145 def create_certificate(name, serverUidNumber, domainname): Link Here
139	global uidNumber	139	global uidNumber
140	global gidNumber	140	global gidNumber
141	uidNumber = serverUidNumber	141	uidNumber = serverUidNumber
142		142
143	ssldir='/etc/univention/ssl'	143	ssldir='/etc/univention/ssl'
144	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)	144	univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)
145		145
Lines 162-168 def create_certificate(name, serverUidNumber, domainname): Link Here
162	p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )	162	p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
163	p.close()	163	p.close()
164		164
165
166	a=os.path.walk(certpath,set_permissions, None)	165	a=os.path.walk(certpath,set_permissions, None)
167		166
168	return	167	return
Lines 190-193 def clean(): Link Here
190		189
191	def postrun():	190	def postrun():
192	return	191	return
193

Lines 1-11 Link Here

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh (-8 / +5 lines)
1	function createHostExtensionsFile () {	1	createHostExtensionsFile () {
2		2	local fqdn="$1"
3	local fqdn="$1"	3	local hostname=${fqdn/.*/}
4	local hostname=${fqdn/.*/}	4	local extFile=$(mktemp)
5	local extFile=$(mktemp)
6
7	cat <<EOF >>"$extFile"
8		5
		6	cat <<EOF >>"$extFile"
9	extensions = myx509v3	7	extensions = myx509v3
10	[ myx509v3 ]	8	[ myx509v3 ]
11		9
Lines 16-22 authorityKeyIdentifier = keyid,issuer:always Link Here
16		14
17	# alternative name	15	# alternative name
18	subjectAltName = DNS:$fqdn, DNS:$hostname	16	subjectAltName = DNS:$fqdn, DNS:$hostname
19
20	EOF	17	EOF
21		18
22	echo "$extFile"	19	echo "$extFile"

Lines 3-9 Link Here

(-)a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh (-120 / +114 lines)
3	# Univention SSL	3	# Univention SSL
4	# gencertificate script	4	# gencertificate script
5	#	5	#
6	# Copyright 2004-2011 Univention GmbH	6	# Copyright 2004-2012 Univention GmbH
7	#	7	#
8	# http://www.univention.de/	8	# http://www.univention.de/
9	#	9	#
Lines 35-43 Link Here
35	# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/	35	# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/
36		36
37	if [ -n "$sslbase" ]; then	37	if [ -n "$sslbase" ]; then
38	SSLBASE="$sslbase"	38	SSLBASE="$sslbase"
39	else	39	else
40	SSLBASE=/etc/univention/ssl	40	SSLBASE=/etc/univention/ssl
41	fi	41	fi
42		42
43	CA=ucsCA	43	CA=ucsCA
Lines 57-79 else Link Here
57	fi	57	fi
58		58
59	mk_config () {	59	mk_config () {
60		60	local outfile=$1
61	local outfile=$1;	61	local password=$2
62	local password=$2;
63	local days=$3	62	local days=$3
64	local name=$4	63	local name=$4
65		64
66	if test -e $outfile; then	65	if test -e "$outfile"; then
67	rm $outfile;	66	rm -f "$outfile"
68	fi	67	fi
69	touch $outfile;	68	touch "$outfile"
70	chmod 0600 $outfile;	69	chmod 0600 "$outfile"
71		70
72	eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"	71	eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"
73		72
74		73	cat >"$outfile" <<EOF
75	cat <<EOF >>$outfile
76
77	# HOME = .	74	# HOME = .
78	# RANDFILE = \$ENV::HOME/.rnd	75	# RANDFILE = \$ENV::HOME/.rnd
79	# oid_section = new_oids	76	# oid_section = new_oids
Lines 136-152 default_keyfile = privkey.pem Link Here
136	distinguished_name = req_distinguished_name	133	distinguished_name = req_distinguished_name
137	attributes = req_attributes	134	attributes = req_attributes
138	x509_extensions = v3_ca	135	x509_extensions = v3_ca
139
140	EOF	136	EOF
141		137
142	if [ "$password" ]; then	138	if [ -n "$password" ]; then
143	cat <<EOF >>$outfile	139	cat >>"$outfile" <<EOF
144	input_password = $password	140	input_password = $password
145	output_password = $password	141	output_password = $password
146	EOF	142	EOF
147	fi;	143	fi
148		144
149	cat <<EOF >>$outfile	145	cat >>"$outfile" <<EOF
150		146
151	string_mask = nombstr	147	string_mask = nombstr
152	req_extensions = v3_req	148	req_extensions = v3_req
Lines 219-256 nsComment = This certificate is a Root CA Certificate Link Here
219		215
220	issuerAltName = issuer:copy	216	issuerAltName = issuer:copy
221	authorityKeyIdentifier = keyid:always,issuer:always	217	authorityKeyIdentifier = keyid:always,issuer:always
222
223	EOF	218	EOF
224	chmod 0600 $outfile	219	chmod 0600 "$outfile"
225
226	}	220	}
227		221
228	move_cert () {	222	move_cert () {
229	local new;	223	local count=0
230	local count=0;	224	local OPWD=$(pwd)
231	local linkname;	225	cd "$SSLBASE"
232	local hash;	226
233	local OPWD=`pwd`;	227	local i
234	cd "$SSLBASE";	228	for i in "$@"; do
235		229	if [ -f "$i" ]
236	for i; do	230	then
237	if [ -f "$i" ]; then	231	local new="${SSLBASE}/${CA}/certs/$(basename "$i")"
238	new="${SSLBASE}/${CA}/certs/"`basename $i`;	232	mv "$i" "$new"
239	mv "$i" "$new";	233	local hash=$(openssl x509 -hash -noout -in "$new")
240	hash=`openssl x509 -hash -noout -in "$new"`;	234	while :
241	while :; do	235	do
242	linkname="${CA}/certs/""$hash"".""$count";	236	local linkname="${CA}/certs/${hash}.${count}"
243	if [ -h "$linkname" ]; then	237	if [ -h "$linkname" ]
244	count=$((count + 1));	238	then
245	continue;	239	count=$((count + 1))
246	else	240	continue
247	ln -s "$new" "$linkname";	241	else
248	break;	242	ln -s "$new" "$linkname"
249	fi;	243	break
250	done;	244	fi
251	fi;	245	done
252	done;	246	fi
253	cd "$OPWD"	247	done
		248	cd "$OPWD"
254	}	249	}
255		250
256	init () {	251	init () {
Lines 266-316 init () { Link Here
266	chmod 600 "$SSLBASE/password"	261	chmod 600 "$SSLBASE/password"
267	makepasswd > "$SSLBASE/password"	262	makepasswd > "$SSLBASE/password"
268	fi	263	fi
269	PASSWD=`cat "$SSLBASE/password"`	264	local PASSWD=`cat "$SSLBASE/password"`
270		265
271	local OPWD=`pwd`;	266	local OPWD=$(pwd)
272		267
273	# create directory infrastructure	268	# create directory infrastructure
274	cd "$SSLBASE"	269	cd "$SSLBASE"
275	mkdir -m 700 -p ${CA};	270	mkdir -m 700 -p "${CA}"
276	mkdir -p ${CA}/{certs,crl,newcerts,private};	271	mkdir -p "${CA}/"{certs,crl,newcerts,private}
277	echo "01" > ${CA}/serial;	272	echo "01" >"${CA}/serial"
278	touch ${CA}/index.txt;	273	touch "${CA}/index.txt"
279		274
280	eval "$(ucr shell ssl/common)"	275	eval "$(ucr shell ssl/common)"
281		276
282	# make the root-CA configuration file	277	# make the root-CA configuration file
283	mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common"	278	mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common"
284		279
285		280	openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048
286	openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048	281	yes '' \| openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem"
287	yes '' \| openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem
288		282
289	# copy the public key to a place, from where browsers can access it	283	# copy the public key to a place, from where browsers can access it
290	openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt	284	openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt
291		285
292	# mv the certificate to the certs dir and link it to its hash value	286	# mv the certificate to the certs dir and link it to its hash value
293	cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem	287	cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem"
294	move_cert ${CA}/newcerts/00.pem	288	move_cert "${CA}/newcerts/00.pem"
295		289
296	# generate root ca request	290	# generate root ca request
297	openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD	291	openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD"
298		292
299	find ${CA} -type f \| xargs chmod 600	293	find "${CA}" -type f -exec chmod 600 {} +
300	find ${CA} -type d \| xargs chmod 700	294	find "${CA}" -type d -exec chmod 700 {} +
301		295
302	chmod 755 ${CA}	296	chmod 755 "${CA}"
303	chmod 644 ${CA}/CAcert.pem	297	chmod 644 "${CA}/CAcert.pem"
304	#generate empty crl at installation time	298	#generate empty crl at installation time
305	openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD"	299	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
306	openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der	300	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der
307		301
308	cd "$OPWD"	302	cd "$OPWD"
309	}	303	}
310		304
311		305
312	list_cert_names () {	306	list_cert_names () {
313	local OPWD=`pwd`	307	local OPWD=$(pwd)
314	cd "$SSLBASE"	308	cd "$SSLBASE"
315	awk 'BEGIN { FS="\t"; }	309	awk 'BEGIN { FS="\t"; }
316	{ if ( $1 == "V" )	310	{ if ( $1 == "V" )
Lines 323-402 list_cert_names () { Link Here
323	}	317	}
324	}	318	}
325	}	319	}
326	}'< ${CA}/index.txt	320	}' <"${CA}/index.txt"
327	cd "$OPWD"	321	cd "$OPWD"
328	}	322	}
329		323
330		324
331	has_valid_cert () {	325	has_valid_cert () {
332	list_cert_names \| egrep -q "$1$";	326	list_cert_names \| egrep -q "$1$"
333	}	327	}
334		328
335	renew_cert () {	329	renew_cert () {
336	local OPWD=`pwd`;	330	local OPWD=$(pwd)
337	cd "$SSLBASE";	331	cd "$SSLBASE"
338		332
339	if [ -z "$1" ]; then	333	if [ -z "$1" ]; then
340	echo "missing certificate name" 1>&2;	334	echo "missing certificate name" 1>&2
341	return 1;	335	return 1
342	fi	336	fi
343		337
344	local NUM=`list_cert_names \| grep "$1" \| sed -e 's/^\([0-9A-Fa-f]\)./\1/1'`;	338	local NUM=`list_cert_names \| grep "$1" \| sed -e 's/^\([0-9A-Fa-f]\)./\1/1'`
345	if [ -z "$NUM" ]; then	339	if [ -z "$NUM" ]; then
346	echo "no certificate for $1 registered" 1>&2;	340	echo "no certificate for $1 registered" >&2
347	return 1;	341	return 1
348	fi;	342	fi
349		343
350	if [ -z "$2" ]; then	344	if [ -z "$2" ]; then
351	days=$DEFAULT_DAYS	345	days=$DEFAULT_DAYS
352	fi	346	fi
353		347
354	# revoke cert	348	# revoke cert
355	revoke_cert $1	349	revoke_cert "$1"
356		350
357	# get host extension file	351	# get host extension file
358	hostExt=$(ucr get ssl/host/extensions)	352	hostExt=$(ucr get ssl/host/extensions)
359	if [ -s "$hostExt" ]; then	353	if [ -s "$hostExt" ]; then
360	source $hostExt	354	. "$hostExt"
361	extFile=$(createHostExtensionsFile "$1")	355	extFile=$(createHostExtensionsFile "$1")
362	fi	356	fi
363		357
364	# sign the request	358	# sign the request
365	if [ -s "$extFile" ]; then	359	if [ -s "$extFile" ]; then
366	openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \	360	openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
367	-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"	361	-out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
368	rm -f "$extFile"	362	rm -f "$extFile"
369	else	363	else
370	openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \	364	openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
371	-out "$1/cert.pem" -passin pass:"$PASSWD"	365	-out "$1/cert.pem" -passin pass:"$PASSWD"
372	fi	366	fi
373		367
374	# move the new certificate to its place	368	# move the new certificate to its place
375	move_cert ${CA}/newcerts/*;	369	move_cert "${CA}/newcerts/"*
376	cd "$OPWD";	370	cd "$OPWD"
377	}	371	}
378		372
379	# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll	373	# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll
380		374
381	revoke_cert () {	375	revoke_cert () {
382	local OPWD=`pwd`;	376	local OPWD=`pwd`
383	cd "$SSLBASE";	377	cd "$SSLBASE"
384		378
385	if [ -z "$1" ]; then	379	if [ -z "$1" ]; then
386	echo "missing certificate name" 1>&2;	380	echo "missing certificate name" >&2
387	return 1;	381	return 1
388	fi	382	fi
389		383
390	local NUM=`list_cert_names \| grep "$1" \| sed -e 's/^\([0-9A-Fa-f]\)./\1/1'`;	384	local NUM=`list_cert_names \| grep "$1" \| sed -e 's/^\([0-9A-Fa-f]\)./\1/1'`
391	if [ -z "$NUM" ]; then	385	if [ -z "$NUM" ]; then
392	echo "no certificate for $1 registered" 1>&2;	386	echo "no certificate for $1 registered" >&2
393	return 1;	387	return 1
394	fi;	388	fi
395	openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD"	389	openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
396	openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD"	390	openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
397	openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der	391	openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der
398		392
399	cd "$OPWD";	393	cd "$OPWD"
400	}	394	}
401		395
402		396
Lines 410-449 gencert () { Link Here
410	local OPWD=`pwd`	404	local OPWD=`pwd`
411	cd "$SSLBASE"	405	cd "$SSLBASE"
412	if has_valid_cert "$2"; then	406	if has_valid_cert "$2"; then
413	revoke_cert "$2";	407	revoke_cert "$2"
414	fi;	408	fi
415		409
416	days=$(/usr/sbin/univention-config-registry get ssl/default/days)	410	local days=$(/usr/sbin/univention-config-registry get ssl/default/days)
417	if [ -z "$days" ]; then	411	if [ -z "$days" ]; then
418	days=$DEFAULT_DAYS	412	days=$DEFAULT_DAYS
419	fi	413	fi
420	# generate a key pair	414	# generate a key pair
421	mkdir -pm 700 $name	415	mkdir -pm 700 "$name"
422	mk_config "$name/openssl.cnf" "" $days "$cn"	416	mk_config "$name/openssl.cnf" "" "$days" "$cn"
423	openssl genrsa -out "$name/private.key" 1024	417	openssl genrsa -out "$name/private.key" 1024
424	yes '' \| openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"	418	yes '' \| openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"
425		419
426	# get host extension file	420	# get host extension file
427	hostExt=$(ucr get ssl/host/extensions)	421	local hostExt=$(ucr get ssl/host/extensions)
428	if [ -s "$hostExt" ]; then	422	if [ -s "$hostExt" ]; then
429	source $hostExt	423	. "$hostExt"
430	extFile=$(createHostExtensionsFile "$cn")	424	local extFile=$(createHostExtensionsFile "$cn")
431	fi	425	fi
432		426
433	# sign the key	427	# sign the key
434	if [ -s "$extFile" ]; then	428	if [ -s "$extFile" ]; then
435	openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \	429	openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
436	-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"	430	-out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
437	rm -f "$extFile"	431	rm -f "$extFile"
438	else	432	else
439	openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \	433	openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
440	-out "$name/cert.pem" -passin pass:"$PASSWD"	434	-out "$name/cert.pem" -passin pass:"$PASSWD"
441	fi	435	fi
442		436
443	# move the new certificate to its place	437	# move the new certificate to its place
444	move_cert ${CA}/newcerts/*;	438	move_cert "${CA}/newcerts/"*
445		439
446	find $name -type f \| xargs chmod 600	440	find "$name" -type f -exec chmod 600 {} +
447	find $name -type d \| xargs chmod 700	441	find "$name" -type d -exec chmod 700 {} +
448	cd "$OPWD"	442	cd "$OPWD"
449	}	443	}