Attachment #8035 for bug #41013




	echo "Options:"
	echo "        -name <name>"
	echo "        -days <days>"
	echo "        -grace <grace>" # grace period, also in days

	[ -n "$1" ] && exit 2 || exit 0
}

command=
name=
days=
grace="0"
while [ $# -ge 1 ]
do
	case "$1" in

	dump) command="$1" ;;
	-name|--name) name="${2:?Missing argument to -name}" ; shift ;;
	-days|--days) days="${2:?Missing argument to -days}" ; shift ;;
	-grace|--grace) grace="${2:-0}" ; shift ;;
	-h|--help|--usage|-\?) usage ;;
	-*) usage "Unknown option: '$1'" >&2 ;;
	*) usage "Unknown command: '$1'" >&2 ;;

		run_only master exclusive
		: ${days:?Missing argument -days}
		echo "Renew certificate: $name"
		renew_cert "$name" "$days" "$grace"
}

check () {

Lines 43-48 Link Here

(-)/home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh (-3 / +55 lines)
43	: ${DEFAULT_CRL_DAYS:=10}	43	: ${DEFAULT_CRL_DAYS:=10}
44	DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"	44	DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
45	: ${DEFAULT_DAYS:=1825}	45	: ${DEFAULT_DAYS:=1825}
		46	DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)"
		47	: ${DEFAULT_GRACE:=0}
46	DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"	48	DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
47	: ${DEFAULT_MD:=sha256}	49	: ${DEFAULT_MD:=sha256}
48	DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"	50	DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
Lines 133-138 Link Here
133		135
134	policy = policy_match	136	policy = policy_match
135		137
		138	unique_subject = no
		139
136	[ policy_match ]	140	[ policy_match ]
137		141
138	countryName = match	142	countryName = match
Lines 336-342 Link Here
336	if ( X[i] ~ /^CN=/ ) {	340	if ( X[i] ~ /^CN=/ ) {
337	split ( X[i], Y, "=" );	341	split ( X[i], Y, "=" );
338	if ( name == Y[2] ) {	342	if ( name == Y[2] ) {
339	seq = $4;	343	if ( $1 == "V" ) {
		344	seq = seq$4" ";
		345	}
340	ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;	346	ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
341	}	347	}
342	}	348	}
Lines 348-355 Link Here
348	renew_cert () {	354	renew_cert () {
349	local fqdn="${1:?Missing argument: common name}"	355	local fqdn="${1:?Missing argument: common name}"
350	local days="${2:-$DEFAULT_DAYS}"	356	local days="${2:-$DEFAULT_DAYS}"
		357	local grace="${3:-$DEFAULT_GRACE}"
351		358
352	revoke_cert "$fqdn" \|\| [ $? -eq 2 ] \|\| return $?	359	revoke_cert "$fqdn" "$grace" \|\| [ $? -eq 2 ] \|\| return $?
353		360
354	(	361	(
355	cd "$SSLBASE"	362	cd "$SSLBASE"
Lines 361-366 Link Here
361		368
362	revoke_cert () {	369	revoke_cert () {
363	local fqdn="${1:?Missing argument: common name}"	370	local fqdn="${1:?Missing argument: common name}"
		371	local grace="${2:-$DEFAULT_GRACE}"
364		372
365	local cn NUM	373	local cn NUM
366	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" \|\| cn="$fqdn"	374	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" \|\| cn="$fqdn"
Lines 371-377 Link Here
371	return 2	379	return 2
372	fi	380	fi
373		381
374	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"	382	if [ "$grace" -eq 0 ]; then
		383	# revoke all certificates of this fqdn
		384	for num in $NUM; do
		385	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
		386	done
		387	else
		388	# remember all certificates of this fqdn for revocation after the grace period
		389	pending_file="${SSLBASE}/pending.txt"
		390	[ -f "$pending_file" ] \|\| touch "$pending_file"
		391	pending_certs="$(cat $pending_file)"
		392	>"$pending_file"
		393
		394	for num in $NUM; do
		395	echo "$num:$grace" >>"$pending_file"
		396	done
		397
		398	for cert in $pending_certs; do
		399	num="$(echo $cert \| sed 's/:.*//')"
		400	grace="$(echo $cert \| sed 's/.*://')"
		401	if [[ "$NUM" != "$num" ]]; then
		402	echo "$num:$grace" >>"$pending_file"
		403	fi
		404	done
		405	fi
		406
		407	gencrl
		408	}
		409
		410	update_pending_certs () {
		411	pending_file="${SSLBASE}/pending.txt"
		412	[ -f "$pending_file" ] \|\| touch "$pending_file"
		413	pending_certs="$(cat $pending_file)"
		414	>"$pending_file"
		415
		416	for cert in $pending_certs; do
		417	num="$(echo $cert \| sed 's/:.*//')"
		418	grace="$(echo $cert \| sed 's/.*://')"
		419	grace="$((grace-1))"
		420	if [ "$grace" -gt "0" ]; then
		421	echo "$num:$grace" >>"$pending_file"
		422	else
		423	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
		424	fi
		425	done
		426
375	gencrl	427	gencrl
376	}	428	}
377		429

Return to bug 41013

Lines 50-55 Link Here

(-)/home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate (-1 / +4 lines)
50	echo "Options:"	50	echo "Options:"
51	echo " -name <name>"	51	echo " -name <name>"
52	echo " -days <days>"	52	echo " -days <days>"
		53	echo " -grace <grace>" # grace period, also in days
53		54
54	[ -n "$1" ] && exit 2 \|\| exit 0	55	[ -n "$1" ] && exit 2 \|\| exit 0
55	}	56	}
Lines 75-80 Link Here
75	command=	76	command=
76	name=	77	name=
77	days=	78	days=
		79	grace="0"
78	while [ $# -ge 1 ]	80	while [ $# -ge 1 ]
79	do	81	do
80	case "$1" in	82	case "$1" in
Lines 86-91 Link Here
86	dump) command="$1" ;;	88	dump) command="$1" ;;
87	-name\|--name) name="${2:?Missing argument to -name}" ; shift ;;	89	-name\|--name) name="${2:?Missing argument to -name}" ; shift ;;
88	-days\|--days) days="${2:?Missing argument to -days}" ; shift ;;	90	-days\|--days) days="${2:?Missing argument to -days}" ; shift ;;
		91	-grace\|--grace) grace="${2:-0}" ; shift ;;
89	-h\|--help\|--usage\|-\?) usage ;;	92	-h\|--help\|--usage\|-\?) usage ;;
90	-*) usage "Unknown option: '$1'" >&2 ;;	93	-*) usage "Unknown option: '$1'" >&2 ;;
91	*) usage "Unknown command: '$1'" >&2 ;;	94	*) usage "Unknown command: '$1'" >&2 ;;
Lines 120-126 Link Here
120	run_only master exclusive	123	run_only master exclusive
121	: ${days:?Missing argument -days}	124	: ${days:?Missing argument -days}
122	echo "Renew certificate: $name"	125	echo "Renew certificate: $name"
123	renew_cert "$name" "$days"	126	renew_cert "$name" "$days" "$grace"
124	}	127	}
125		128
126	check () {	129	check () {