Attachment #8049 for bug #41013

Lines 1-3 Link Here

(-)base/univention-ssl/debian/changelog (+7 lines)
		1	univention-ssl (10.0.0-17ubuntu1) UNRELEASED; urgency=medium
		2
		3	* Bug #41013: univention-certificate should offer a renew-option with
		4	a transition period (-grace <grace period in days>)
		5
		6	-- Julius Hinrichs <hinrichs@univention.de> Wed, 28 Sep 2016 16:02:00 +0200
		7
1	univention-ssl (10.0.0-17) unstable; urgency=low	8	univention-ssl (10.0.0-17) unstable; urgency=low
2		9
3	* Bug #41917: Fix dash local variable quoting	10	* Bug #41917: Fix dash local variable quoting

Lines 1-4 Link Here

(-)base/univention-ssl/debian/univention-ssl.cron.daily (-2 / +4 lines)
1	#!/bin/sh	1	#!/bin/bash
2	# Copyright 2004-2016 Univention GmbH	2	# Copyright 2004-2016 Univention GmbH
3	#	3	#
4	# http://www.univention.de/	4	# http://www.univention.de/
Lines 28-33 Link Here
28		28
29	PATH=/usr/sbin:/usr/bin:/sbin:/bin	29	PATH=/usr/sbin:/usr/bin:/sbin:/bin
30		30
		31	. /usr/share/univention-ssl/make-certificates.sh
		32	update_pending_certs
		33
31	rv=0 tmp=$(mktemp)	34	rv=0 tmp=$(mktemp)
32	trap "rm -f '$tmp'" EXIT	35	trap "rm -f '$tmp'" EXIT
33	exec >"$tmp" 2>&1	36	exec >"$tmp" 2>&1
Lines 44-50 Link Here
44	interval=$(ucr get ssl/crl/interval)	47	interval=$(ucr get ssl/crl/interval)
45	[ "${interval:-0}" -ge 1 ] \|\| return 0	48	[ "${interval:-0}" -ge 1 ] \|\| return 0
46	[ -f "$crl" ] && [ -n "$(find "$crl" -mtime "-$interval")" ] && return 0	49	[ -f "$crl" ] && [ -n "$(find "$crl" -mtime "-$interval")" ] && return 0
47	. /usr/share/univention-ssl/make-certificates.sh
48	gencrl	50	gencrl
49	}	51	}
50	check_gen_crl \|\| rv=$?	52	check_gen_crl \|\| rv=$?

Lines 43-48 Link Here

(-)base/univention-ssl/make-certificates.sh (-3 / +65 lines)
43	: ${DEFAULT_CRL_DAYS:=10}	43	: ${DEFAULT_CRL_DAYS:=10}
44	DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"	44	DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
45	: ${DEFAULT_DAYS:=1825}	45	: ${DEFAULT_DAYS:=1825}
		46	DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)"
		47	: ${DEFAULT_GRACE:=0}
46	DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"	48	DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
47	: ${DEFAULT_MD:=sha256}	49	: ${DEFAULT_MD:=sha256}
48	DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"	50	DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
Lines 133-138 Link Here
133		135
134	policy = policy_match	136	policy = policy_match
135		137
		138	unique_subject = no
		139
136	[ policy_match ]	140	[ policy_match ]
137		141
138	countryName = match	142	countryName = match
Lines 336-342 Link Here
336	if ( X[i] ~ /^CN=/ ) {	340	if ( X[i] ~ /^CN=/ ) {
337	split ( X[i], Y, "=" );	341	split ( X[i], Y, "=" );
338	if ( name == Y[2] ) {	342	if ( name == Y[2] ) {
339	seq = $4;	343	if ( $1 == "V" ) {
		344	seq = seq$4" ";
		345	}
340	ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;	346	ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
341	}	347	}
342	}	348	}
Lines 348-355 Link Here
348	renew_cert () {	354	renew_cert () {
349	local fqdn="${1:?Missing argument: common name}"	355	local fqdn="${1:?Missing argument: common name}"
350	local days="${2:-$DEFAULT_DAYS}"	356	local days="${2:-$DEFAULT_DAYS}"
		357	local grace="${3:-$DEFAULT_GRACE}"
351		358
352	revoke_cert "$fqdn" \|\| [ $? -eq 2 ] \|\| return $?	359	revoke_cert "$fqdn" "$grace" \|\| [ $? -eq 2 ] \|\| return $?
353		360
354	(	361	(
355	cd "$SSLBASE"	362	cd "$SSLBASE"
Lines 361-366 Link Here
361		368
362	revoke_cert () {	369	revoke_cert () {
363	local fqdn="${1:?Missing argument: common name}"	370	local fqdn="${1:?Missing argument: common name}"
		371	local grace="${2:-$DEFAULT_GRACE}"
364		372
365	local cn NUM	373	local cn NUM
366	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" \|\| cn="$fqdn"	374	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" \|\| cn="$fqdn"
Lines 371-381 Link Here
371	return 2	379	return 2
372	fi	380	fi
373		381
374	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"	382	if [ "$grace" -eq 0 ]; then
		383	# revoke all certificates of this fqdn
		384	for num in "${NUM[@]}"; do
		385	local num1=$(sed 's/\s.*$//' <<< "$num")
		386	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num1}.pem" -passin pass:"$PASSWD"
		387	done
		388	else
		389	# remember all certificates of this fqdn for revocation after the grace period
		390	pending_file="${SSLBASE}/pending.txt"
		391	[ -f "$pending_file" ] \|\| touch "$pending_file"
		392	chmod 600 "$pending_file"
		393	local pending_certs=$(cat "$pending_file")
		394	local temp=$(mktemp)
		395
		396	for num in "${NUM[@]}"; do
		397	local num=$(sed 's/\s.*$//' <<< "$num")
		398	local now=$(date +"%s")
		399	local expire="$(($now + ($grace * 3600 * 24)))"
		400	echo "$num:$expire" >>"$temp"
		401	done
		402
		403	for cert in "${pending_certs[@]}"; do
		404	local num=$(sed 's/:.*//' <<< "$cert")
		405	local expire=$(sed 's/.*://' <<< "$cert")
		406	if [[ "$NUM" != "$num" ]]; then
		407	echo "$num:$expire" >>"$temp"
		408	fi
		409	done
		410	mv "$temp" "$pending_file"
		411	chmod 600 "$pending_file"
		412	fi
		413
375	gencrl	414	gencrl
376	}	415	}
377		416
		417	update_pending_certs () {
		418	local pending_file="${SSLBASE}/pending.txt"
		419	[ -f "$pending_file" ] \|\| touch "$pending_file"
		420	chmod 600 "$pending_file"
		421	local pending_certs=$(cat "$pending_file")
		422	local temp=$(mktemp)
378		423
		424	for cert in "${pending_certs[@]}"; do
		425	local num=$(sed 's/:.*//' <<< "$cert")
		426	local expire=$(sed 's/.*://' <<< "$cert")
		427	local now=$(date +"%s")
		428	if [ "$now" -gt "$expire" ]; then
		429	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
		430	else
		431	echo "$num:$expire" >>"$temp"
		432	fi
		433	done
		434
		435	mv "$temp" "$pending_file"
		436	chmod 600 "$pending_file"
		437	gencrl
		438	}
		439
		440
379	# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll	441	# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll
380	# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird.	442	# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird.
381		443




	echo "Options:"
	echo "        -name <name>"
	echo "        -days <days>"
	echo "        -grace <grace> (grace period, in days)"

	[ -n "$1" ] && exit 2 || exit 0
}

command=
name=
days=
grace=
while [ $# -ge 1 ]
do
	case "$1" in

	dump) command="$1" ;;
	-name|--name) name="${2:?Missing argument to -name}" ; shift ;;
	-days|--days) days="${2:?Missing argument to -days}" ; shift ;;
	-grace|--grace) grace="${2:?Missing argument to -grace}" ; shift ;;
	-h|--help|--usage|-\?) usage ;;
	-*) usage "Unknown option: '$1'" >&2 ;;
	*) usage "Unknown command: '$1'" >&2 ;;

		run_only master exclusive
		: ${days:?Missing argument -days}
		echo "Renew certificate: $name"
		renew_cert "$name" "$days" "$grace"
}

check () {




#!/usr/share/ucs-test/runner bash
## desc: Test if a certificate can be renewed with a grace period
## roles: [domaincontroller_master]
## exposure: dangerous
## bugs: [41013]

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137

SSLBASE="${sslbase:-/etc/univention/ssl}"
pending_file="${SSLBASE}/pending.txt"

test_days=1825
test_grace=3

random=$(random_hostname)
test_cert_name="test_cert_$random"
while [ $(univention-certificate list | grep "$test_cert_name" | wc -l) -gt "0" ]; do
	random=$(random_hostname)
	test_cert_name="test_cert_$random"
done

list0=$(univention-certificate list)
univention-certificate new -name "$test_cert_name" >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "1" ] || fail_test 2

list1=$(univention-certificate list)
num1=$(comm -13 <(echo "$list0") <(echo "$list1") | sed 's/\t.*//')
univention-certificate renew -name "$test_cert_name" -days "$test_days" -grace "$test_grace" >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "2" ] || fail_test 3

list2=$(univention-certificate list)
num2=$(comm -13 <(echo "$list1") <(echo "$list2") | sed 's/\t.*//')
[ "$num1" != "$num2" ] || fail_test 4

/etc/cron.daily/univention-ssl >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "2" ] || fail_test 5

# change expire date to an earlier date
temp=$(mktemp)
pending_certs=$(cat "$pending_file")
for cert in "${pending_certs[@]}"; do
	num=$(sed 's/:.*//' <<< "$cert")
	expire=$(sed 's/.*://' <<< "$cert")
	if [ "$num" == "$num1" ]; then
		expire="$(($expire - ($test_grace * 3600 * 24)))"
	fi
	echo "$num:$expire" >>"$temp"
done
mv "$temp" "$pending_file"
chmod 600 "$pending_file"

/etc/cron.daily/univention-ssl >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "1" ] || fail_test 6

univention-certificate revoke -name $test_cert_name >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "0" ] || fail_test 7

exit 0

*

Return to bug 41013

Lines 50-55 Link Here

(-)base/univention-ssl/univention-certificate (-1 / +4 lines)
50	echo "Options:"	50	echo "Options:"
51	echo " -name <name>"	51	echo " -name <name>"
52	echo " -days <days>"	52	echo " -days <days>"
		53	echo " -grace <grace> (grace period, in days)"
53		54
54	[ -n "$1" ] && exit 2 \|\| exit 0	55	[ -n "$1" ] && exit 2 \|\| exit 0
55	}	56	}
Lines 75-80 Link Here
75	command=	76	command=
76	name=	77	name=
77	days=	78	days=
		79	grace=
78	while [ $# -ge 1 ]	80	while [ $# -ge 1 ]
79	do	81	do
80	case "$1" in	82	case "$1" in
Lines 86-91 Link Here
86	dump) command="$1" ;;	88	dump) command="$1" ;;
87	-name\|--name) name="${2:?Missing argument to -name}" ; shift ;;	89	-name\|--name) name="${2:?Missing argument to -name}" ; shift ;;
88	-days\|--days) days="${2:?Missing argument to -days}" ; shift ;;	90	-days\|--days) days="${2:?Missing argument to -days}" ; shift ;;
		91	-grace\|--grace) grace="${2:?Missing argument to -grace}" ; shift ;;
89	-h\|--help\|--usage\|-\?) usage ;;	92	-h\|--help\|--usage\|-\?) usage ;;
90	-*) usage "Unknown option: '$1'" >&2 ;;	93	-*) usage "Unknown option: '$1'" >&2 ;;
91	*) usage "Unknown command: '$1'" >&2 ;;	94	*) usage "Unknown command: '$1'" >&2 ;;
Lines 120-126 Link Here
120	run_only master exclusive	123	run_only master exclusive
121	: ${days:?Missing argument -days}	124	: ${days:?Missing argument -days}
122	echo "Renew certificate: $name"	125	echo "Renew certificate: $name"
123	renew_cert "$name" "$days"	126	renew_cert "$name" "$days" "$grace"
124	}	127	}
125		128
126	check () {	129	check () {

Line 0 Link Here

(-)test/ucs-test/tests/01_base/101_renew_certificate_with_grace_period (+61 lines)
	1	#!/usr/share/ucs-test/runner bash
	2	## desc: Test if a certificate can be renewed with a grace period
	3	## roles: [domaincontroller_master]
	4	## exposure: dangerous
	5	## bugs: [41013]
	6
	7	. "$TESTLIBPATH/base.sh" \|\| exit 137
	8	. "$TESTLIBPATH/random.sh" \|\| exit 137
	9
	10	SSLBASE="${sslbase:-/etc/univention/ssl}"
	11	pending_file="${SSLBASE}/pending.txt"
	12
	13	test_days=1825
	14	test_grace=3
	15
	16	random=$(random_hostname)
	17	test_cert_name="test_cert_$random"
	18	while [ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -gt "0" ]; do
	19	random=$(random_hostname)
	20	test_cert_name="test_cert_$random"
	21	done
	22
	23	list0=$(univention-certificate list)
	24	univention-certificate new -name "$test_cert_name" >/dev/null 2>&1
	25	[ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -eq "1" ] \|\| fail_test 2
	26
	27	list1=$(univention-certificate list)
	28	num1=$(comm -13 <(echo "$list0") <(echo "$list1") \| sed 's/\t.*//')
	29	univention-certificate renew -name "$test_cert_name" -days "$test_days" -grace "$test_grace" >/dev/null 2>&1
	30	[ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -eq "2" ] \|\| fail_test 3
	31
	32	list2=$(univention-certificate list)
	33	num2=$(comm -13 <(echo "$list1") <(echo "$list2") \| sed 's/\t.*//')
	34	[ "$num1" != "$num2" ] \|\| fail_test 4
	35
	36	/etc/cron.daily/univention-ssl >/dev/null 2>&1
	37	[ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -eq "2" ] \|\| fail_test 5
	38
	39	# change expire date to an earlier date
	40	temp=$(mktemp)
	41	pending_certs=$(cat "$pending_file")
	42	for cert in "${pending_certs[@]}"; do
	43	num=$(sed 's/:.*//' <<< "$cert")
	44	expire=$(sed 's/.*://' <<< "$cert")
	45	if [ "$num" == "$num1" ]; then
	46	expire="$(($expire - ($test_grace * 3600 * 24)))"
	47	fi
	48	echo "$num:$expire" >>"$temp"
	49	done
	50	mv "$temp" "$pending_file"
	51	chmod 600 "$pending_file"
	52
	53	/etc/cron.daily/univention-ssl >/dev/null 2>&1
	54	[ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -eq "1" ] \|\| fail_test 6
	55
	56	univention-certificate revoke -name $test_cert_name >/dev/null 2>&1
	57	[ $(univention-certificate list \| grep "$test_cert_name" \| wc -l) -eq "0" ] \|\| fail_test 7
	58
	59	exit 0
	60
	61	*