Univention Bugzilla – Attachment 4282 Details for
Bug 26572
univention-certificate -path ... / exit codes
[patch]
Cleanup univention-ssl
26572_univention-ssl_cleanup.diff (text/plain), 16.86 KB, created by
Philipp Hahn
on 2012-03-22 10:38:28 CET
Description:
Cleanup univention-ssl
Filename:
MIME Type:
Creator:
Philipp Hahn
Created:
2012-03-22 10:38:28 CET
Size:
16.86 KB
patch
obsolete
>1. Fix handling of "univention-certificate -path ..." handling
>2. Fix handling of missing arguments to options.
>3. Return useful exit values for scripting usage.
>4. Print error messages to stderr to help parsing output.
>5. Quote variables (password!)
>6. Replace univention-baseconfig by univention-config-registry
>7. Make variables function local
>8. Update copyright
>9. Remove trailing blanks on lines
>10. Remove semicolon on end of line
>11. Remove space before tabs
>diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
>index 0670e6b..d243fa8 100644
>--- a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
>+++ b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
>@@ -1,11 +1,9 @@
>-function createHostExtensionsFile () {
>-
>- local fqdn="$1"
>- local hostname=${fqdn/.*/}
>- local extFile=$(mktemp)
>-
>- cat <<EOF >>"$extFile"
>+createHostExtensionsFile () {
>+ local fqdn="$1"
>+ local hostname=${fqdn/.*/}
>+ local extFile=$(mktemp)
>
>+ cat <<EOF >>"$extFile"
> extensions = myx509v3
> [ myx509v3 ]
>
>@@ -16,7 +14,6 @@ authorityKeyIdentifier = keyid,issuer:always
>
> # alternative name
> subjectAltName = DNS:$fqdn, DNS:$hostname
>-
> EOF
>
> echo "$extFile"
>diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
>index c5d7d64..7183850 100644
>--- a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
>+++ b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
>@@ -30,7 +30,7 @@
> # /usr/share/common-licenses/AGPL-3; if not, see
> # <http://www.gnu.org/licenses/>.
>
>-__package__='' # workaround for PEP 366
>+__package__='' # workaround for PEP 366
> from listener import *
> import grp
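Review bot: `local extFile=$(mktemp)` in createHostExtensionsFile discards mktemp's exit status, because `local` returns 0 regardless of the command substitution; if the temporary file cannot be created, extFile is empty, the heredoc's `cat >>""` fails, and the function still echoes an empty name to its caller, whose `[ -s "$extFile" ]` test then silently signs the certificate without the subjectAltName extension. Declaring and assigning separately keeps the status visible: `local extFile` / `extFile=$(mktemp) || return 1`. The same `local x=$(...)` pattern is introduced in move_cert and init in make-certificates.sh. createHostExtensionsFile's body continues past this hunk.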
>
>@@ -80,7 +80,7 @@ def handler(dn, new, old):
> univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)
> gidNumber = 0
>
>- if new and not old:
>+ if new and not old:
> if new.has_key('associatedDomain'):
> domain=new['associatedDomain'][0]
> else:
>@@ -118,7 +118,7 @@ def handler(dn, new, old):
> def set_permissions(tmp1, directory, filename):
> global uidNumber
> global gidNumber
>-
>+
> univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))
> os.chown(directory, uidNumber, gidNumber)
> os.chmod(directory, 0750)
>@@ -139,7 +139,7 @@ def create_certificate(name, serverUidNumber, domainname):
> global uidNumber
> global gidNumber
> uidNumber = serverUidNumber
>-
>+
> ssldir='/etc/univention/ssl'
> univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)
>
>@@ -162,7 +162,6 @@ def create_certificate(name, serverUidNumber, domainname):
> p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
> p.close()
>
>-
> a=os.path.walk(certpath,set_permissions, None)
>
> return
>@@ -190,4 +189,3 @@ def clean():
>
> def postrun():
> return
>-
>diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
>index 361e8fb..c95d283 100755
>--- a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
>+++ b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
>@@ -3,7 +3,7 @@
> # Univention SSL
> # gencertificate script
> #
>-# Copyright 2004-2011 Univention GmbH
>+# Copyright 2004-2012 Univention GmbH
> #
> # http://www.univention.de/
> #
>@@ -35,9 +35,9 @@
> # http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/
>
> if [ -n "$sslbase" ]; then
>- SSLBASE="$sslbase"
>+ SSLBASE="$sslbase"
> else
>- SSLBASE=/etc/univention/ssl
>+ SSLBASE=/etc/univention/ssl
> fi
>
> CA=ucsCA
>@@ -57,23 +57,20 @@ else
> fi
>
> mk_config () {
>-
>- local outfile=$1;
>- local password=$2;
>+ local outfile=$1
>+ local password=$2
> local days=$3
> local name=$4
>
>- if test -e $outfile; then
>- rm $outfile;
>+ if test -e "$outfile"; then
>+ rm -f "$outfile"
> fi
>- touch $outfile;
>- chmod 0600 $outfile;
>+ touch "$outfile"
>+ chmod 0600 "$outfile"
>
> eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"
>
>-
>- cat <<EOF >>$outfile
>-
>+ cat >"$outfile" <<EOF
> # HOME = .
> # RANDFILE = \$ENV::HOME/.rnd
> # oid_section = new_oids
>@@ -136,17 +133,16 @@ default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> x509_extensions = v3_ca
>-
> EOF
>
>-if [ "$password" ]; then
>-cat <<EOF >>$outfile
>+ if [ -n "$password" ]; then
>+ cat >>"$outfile" <<EOF
> input_password = $password
> output_password = $password
> EOF
>-fi;
>+ fi
>
>-cat <<EOF >>$outfile
>+ cat >>"$outfile" <<EOF
>
> string_mask = nombstr
> req_extensions = v3_req
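Review bot: The file mk_config writes receives the CA password (`input_password = $password` further down), yet between `touch "$outfile"` and `chmod 0600 "$outfile"` it exists with whatever permissions the caller's umask grants, and the new `rm -f`/`touch` pair keeps that window. Creating it under a restrictive umask closes it; the three lines can become `(umask 077; : >"$outfile")`, after which the later `cat >"$outfile"` truncation still works and the trailing `chmod 0600` in the next hunk is redundant. The unchanged `eval "$(univention-config-registry shell ...)"` evaluates registry values as shell code, so those keys must remain writable only by trusted administrators. mk_config's body continues past this hunk.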
>@@ -219,38 +215,37 @@ nsComment = This certificate is a Root CA Certificate > > issuerAltName = issuer:copy > authorityKeyIdentifier = keyid:always,issuer:always >- > EOF >-chmod 0600 $outfile >- >+ chmod 0600 "$outfile" > } > > move_cert () { >- local new; >- local count=0; >- local linkname; >- local hash; >- local OPWD=`pwd`; >- cd "$SSLBASE"; >- >- for i; do >- if [ -f "$i" ]; then >- new="${SSLBASE}/${CA}/certs/"`basename $i`; >- mv "$i" "$new"; >- hash=`openssl x509 -hash -noout -in "$new"`; >- while :; do >- linkname="${CA}/certs/""$hash"".""$count"; >- if [ -h "$linkname" ]; then >- count=$((count + 1)); >- continue; >- else >- ln -s "$new" "$linkname"; >- break; >- fi; >- done; >- fi; >- done; >- cd "$OPWD" >+ local count=0 >+ local OPWD=$(pwd) >+ cd "$SSLBASE" >+ >+ local i >+ for i in "$@"; do >+ if [ -f "$i" ] >+ then >+ local new="${SSLBASE}/${CA}/certs/$(basename "$i")" >+ mv "$i" "$new" >+ local hash=$(openssl x509 -hash -noout -in "$new") >+ while : >+ do >+ local linkname="${CA}/certs/${hash}.${count}" >+ if [ -h "$linkname" ] >+ then >+ count=$((count + 1)) >+ continue >+ else >+ ln -s "$new" "$linkname" >+ break >+ fi >+ done >+ fi >+ done >+ cd "$OPWD" > } > > init () { 
>@@ -266,51 +261,50 @@ init () {
> chmod 600 "$SSLBASE/password"
> makepasswd > "$SSLBASE/password"
> fi
>- PASSWD=`cat "$SSLBASE/password"`
>+ local PASSWD=`cat "$SSLBASE/password"`
>
>- local OPWD=`pwd`;
>+ local OPWD=$(pwd)
>
> # create directory infrastructure
> cd "$SSLBASE"
>- mkdir -m 700 -p ${CA};
>- mkdir -p ${CA}/{certs,crl,newcerts,private};
>- echo "01" > ${CA}/serial;
>- touch ${CA}/index.txt;
>+ mkdir -m 700 -p "${CA}"
>+ mkdir -p "${CA}/"{certs,crl,newcerts,private}
>+ echo "01" >"${CA}/serial"
>+ touch "${CA}/index.txt"
>
> eval "$(ucr shell ssl/common)"
>
> # make the root-CA configuration file
>- mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common"
>+ mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common"
>
>-
>- openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048
>- yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem
>+ openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048
>+ yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem"
>
> # copy the public key to a place, from where browsers can access it
>- openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt
>+ openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt
>
> # mv the certificate to the certs dir and link it to its hash value
>- cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem
>- move_cert ${CA}/newcerts/00.pem
>+ cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem"
>+ move_cert "${CA}/newcerts/00.pem"
>
> # generate root ca request
>- openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD
>+ openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD"
>
>- find ${CA} -type f | xargs chmod 600
>- find ${CA} -type d | xargs chmod 700
>+ find "${CA}" -type f -exec chmod 600 {} +
>+ find "${CA}" -type d -exec chmod 700 {} +
>
>- chmod 755 ${CA}
>- chmod 644 ${CA}/CAcert.pem
>- #generate empty crl at installation time
>- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD"
>- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der
>+ chmod 755 "${CA}"
>+ chmod 644 "${CA}/CAcert.pem"
>+ #generate empty crl at installation time
>+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
>+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der
>
> cd "$OPWD"
> }
>
>
> list_cert_names () {
>- local OPWD=`pwd`
>+ local OPWD=$(pwd)
> cd "$SSLBASE"
> awk 'BEGIN { FS="\t"; }
> { if ( $1 == "V" )
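Review bot: `local PASSWD=`cat "$SSLBASE/password"`` makes PASSWD function-local to init, whereas the removed line set it globally and renew_cert, revoke_cert and gencert all read `$PASSWD` for their `-passin pass:"$PASSWD"`; unless the assignment at the top of the file (outside this hunk) already populated it from an existing password file, a gencert call following init in the same shell now sees a stale or empty password. Keeping this one assignment global, or re-reading the file in each signing function, avoids that. Separately, every `-passin pass:"$PASSWD"` and `-passout pass:"$PASSWD"` here places the CA password on the openssl command line, where it is visible to any local user through process listings; `-passin file:"$SSLBASE/password"` reads it from the 0600 file instead. init's body starts before this hunk.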
>@@ -323,80 +317,80 @@ list_cert_names () { > } > } > } >- }'< ${CA}/index.txt >+ }' <"${CA}/index.txt" > cd "$OPWD" > } > > > has_valid_cert () { >- list_cert_names | egrep -q "$1$"; >+ list_cert_names | egrep -q "$1$" > } > > renew_cert () { >- local OPWD=`pwd`; >- cd "$SSLBASE"; >- >+ local OPWD=$(pwd) >+ cd "$SSLBASE" >+ > if [ -z "$1" ]; then >- echo "missing certificate name" 1>&2; >- return 1; >+ echo "missing certificate name" 1>&2 >+ return 1 > fi >- >- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; >+ >+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` > if [ -z "$NUM" ]; then >- echo "no certificate for $1 registered" 1>&2; >- return 1; >- fi; >- >+ echo "no certificate for $1 registered" >&2 >+ return 1 >+ fi >+ > if [ -z "$2" ]; then > days=$DEFAULT_DAYS > fi >- >+ > # revoke cert >- revoke_cert $1 >+ revoke_cert "$1" > > # get host extension file > hostExt=$(ucr get ssl/host/extensions) > if [ -s "$hostExt" ]; then >- source $hostExt >+ . 
"$hostExt" > extFile=$(createHostExtensionsFile "$1") >- fi >- >+ fi >+ > # sign the request > if [ -s "$extFile" ]; then >- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ >- -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" >+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ >+ -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" > rm -f "$extFile" > else >- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ >- -out "$1/cert.pem" -passin pass:"$PASSWD" >+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ >+ -out "$1/cert.pem" -passin pass:"$PASSWD" > fi >- >+ > # move the new certificate to its place >- move_cert ${CA}/newcerts/*; >- cd "$OPWD"; >+ move_cert "${CA}/newcerts/"* >+ cd "$OPWD" > } > > # Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll > > revoke_cert () { >- local OPWD=`pwd`; >- cd "$SSLBASE"; >+ local OPWD=`pwd` >+ cd "$SSLBASE" > > if [ -z "$1" ]; then >- echo "missing certificate name" 1>&2; >- return 1; >+ echo "missing certificate name" >&2 >+ return 1 > fi > >- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; >+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` > if [ -z "$NUM" ]; then >- echo "no certificate for $1 registered" 1>&2; >- return 1; >- fi; >- openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD" >- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" >- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der >- >- cd "$OPWD"; >+ echo "no certificate for $1 registered" >&2 >+ return 1 >+ fi >+ openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" >+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" >+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der >+ >+ cd 
"$OPWD" > } > > >@@ -410,40 +404,40 @@ gencert () { > local OPWD=`pwd` > cd "$SSLBASE" > if has_valid_cert "$2"; then >- revoke_cert "$2"; >- fi; >+ revoke_cert "$2" >+ fi > >- days=$(/usr/sbin/univention-config-registry get ssl/default/days) >+ local days=$(/usr/sbin/univention-config-registry get ssl/default/days) > if [ -z "$days" ]; then > days=$DEFAULT_DAYS > fi > # generate a key pair >- mkdir -pm 700 $name >- mk_config "$name/openssl.cnf" "" $days "$cn" >+ mkdir -pm 700 "$name" >+ mk_config "$name/openssl.cnf" "" "$days" "$cn" > openssl genrsa -out "$name/private.key" 1024 > yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem" > > # get host extension file >- hostExt=$(ucr get ssl/host/extensions) >+ local hostExt=$(ucr get ssl/host/extensions) > if [ -s "$hostExt" ]; then >- source $hostExt >- extFile=$(createHostExtensionsFile "$cn") >- fi >+ . "$hostExt" >+ local extFile=$(createHostExtensionsFile "$cn") >+ fi > > # sign the key > if [ -s "$extFile" ]; then > openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ >- -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" >+ -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" > rm -f "$extFile" > else > openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ >- -out "$name/cert.pem" -passin pass:"$PASSWD" >+ -out "$name/cert.pem" -passin pass:"$PASSWD" > fi > > # move the new certificate to its place >- move_cert ${CA}/newcerts/*; >+ move_cert "${CA}/newcerts/"* > >- find $name -type f | xargs chmod 600 >- find $name -type d | xargs chmod 700 >+ find "$name" -type f -exec chmod 600 {} + >+ find "$name" -type d -exec chmod 700 {} + > cd "$OPWD" > } >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate >index 6d1a963..9950253 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate 
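Review bot: `grep "$1"` in renew_cert and revoke_cert is an unanchored regex over the whole index line, so a name that is a prefix of another registered name (or that contains regex metacharacters) can select several serials; NUM then holds more than one line, `-revoke "${CA}/certs/${NUM}.pem"` names a file that does not exist, and the following `-gencrl` still runs and publishes an unchanged CRL as if the revocation had succeeded. Anchoring the match the way has_valid_cert does (`grep "$1$"`) narrows the selection, and checking the revoke's result before regenerating the CRL, `... -passin pass:"$PASSWD" || return 1`, makes the failure visible to the caller. The `cd "$SSLBASE"` at the top of both functions is likewise unchecked.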
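Review bot: `openssl genrsa -out "$name/private.key" 1024` (a context line of this hunk) still generates 1024-bit host keys while init in the same patch creates the CA key with 2048 bits; 1024-bit RSA was already considered too weak for new certificates at the time of this patch, so the line should read `openssl genrsa -out "$name/private.key" 2048`. Also `local extFile=$(createHostExtensionsFile "$cn")` is declared only inside the `if [ -s "$hostExt" ]` branch, so when no extension file is configured the later `[ -s "$extFile" ]` tests whatever extFile the calling scope happens to hold; a `local extFile=` before the `if` makes the else path deterministic. The `-days $days` on the two `openssl ca` context lines remains unquoted, unlike its renew_cert counterparts in this patch.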
>+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate
>@@ -3,7 +3,7 @@
> # Univention SSL
> # openssl wrapper
> #
>-# Copyright 2004-2011 Univention GmbH
>+# Copyright 2004-2012 Univention GmbH
> #
> # http://www.univention.de/
> #
>@@ -29,7 +29,7 @@
> # License with the Debian GNU/Linux or Univention distribution in file
> # /usr/share/common-licenses/AGPL-3; if not, see
> # <http://www.gnu.org/licenses/>.
>-
>+set -o errfail
>
> usage ()
> {
>@@ -50,12 +50,12 @@ usage ()
> echo " dump"
> echo " list"
> echo ""
>- echo "Options"
>+ echo "Options:"
> echo " -name <name>"
> echo " -days <days>"
> echo ""
>
>- exit
>+ exit 2
> }
>
> command="$1"
>@@ -63,38 +63,34 @@ shift
>
> if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then
> if [ -n "$command" ]; then
>- usage "unknown command: $command"
>+ usage "unknown command: $command" >&2
> else
>- usage
>+ usage >&2
> fi
> fi
>
> while [ $# -gt 0 ]; do
> case "$1" in
> "-path")
>- shift
>- path="$1"
>- shift
>+ path="$2"
>+ shift 2 || usage "Missing argument to -path" >&2
> ;;
> "-name")
>- shift
>- name="$1"
>- shift
>+ name="$2"
>+ shift 2 || usage "Missing argument to -name" >&2
> ;;
> "-days")
>- shift
>- days="$1"
>- shift
>+ days="$2" || usage "Missing argument to -days" >&2
>+ shift 2
> ;;
> *)
>- usage "unknown option $1"
>- shift
>+ usage "unknown option $1" >&2
> ;;
> esac
> done
>
> if [ "$command" != "list" -a -z "$name" ]; then
>- usage "missing -name"
>+ usage "missing -name" >&2
> fi
>
> cd /etc/univention/ssl
>@@ -105,8 +101,8 @@ case "$command" in
> "new")
> echo "Creating certificate: $name"
> gencert "/etc/univention/ssl/$name" "$name"
>- getent group "DC Backup Hosts" 2>&1 >/dev/null
>- if [ $? = 0 ]; then
>+ if getent group "DC Backup Hosts" 2>&1 >/dev/null
>+ then
> chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name"
> chmod -R g+rx "/etc/univention/ssl/$name"
> fi
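Review bot: `set -o errfail` is not a bash option (the abort-on-error option is `errexit`, i.e. `set -e`), so the line itself fails with "invalid option name" and, since nothing was enabled, the script carries on exactly as before, without the fail-fast behaviour the exit-code cleanup in this patch seems to count on. The intended line is `set -o errexit`. Once it is in effect, the unchecked `cd /etc/univention/ssl` below and the `openssl` calls in the sourced make-certificates.sh functions will terminate the script on their first failure, which is presumably wanted but is a behaviour change for scripted callers worth mentioning in the changelog.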
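Review bot: In the `-days` case the `||` is attached to the assignment `days="$2"`, which always succeeds, so a trailing `-days` with no value never reaches the usage call; the following `shift 2` then fails with only one argument left, `$#` stays 1 and the `while [ $# -gt 0 ]` loop never terminates. Mirror the -path and -name cases: `days="$2"` / `shift 2 || usage "Missing argument to -days" >&2`. `path` is assigned here but not read anywhere visible in this patch, so the -path option from the bug title may still be a no-op; worth confirming against the rest of the script.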
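Review bot: `gencert "/etc/univention/ssl/$name" "$name"` and the recursive `chgrp -R` / `chmod -R g+rx` on `/etc/univention/ssl/$name` use the -name value as a path component without any validation, so a name containing `/` or `..` makes these operations act on a directory outside the SSL tree; a check after option parsing such as `case "$name" in ""|.|..|*/*) usage "invalid -name" >&2;; esac` rejects that before any command runs. Separately, `2>&1 >/dev/null` on the getent line sends stderr to the terminal and only stdout to /dev/null; `>/dev/null 2>&1` silences both, which is presumably what was meant.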
>@@ -117,18 +113,20 @@ case "$command" in
> ;;
> "renew")
> if [ -z "$days" ]; then
>- usage "missing -days"
>+ usage "missing -days" >&2
> fi
> echo "Renew certificate: $name"
> renew_cert "$name" "$days"
> ;;
> "check")
> echo -n "Certificate \"$name\" is "
>- has_valid_cert $name
>- if [ $? = 0 ]; then
>+ if has_valid_cert "$name"
>+ then
> echo "valid"
>+ exit 0
> else
> echo "invalid"
>+ exit 1
> fi
> ;;
> "list")
>@@ -137,7 +135,6 @@ case "$command" in
> ;;
> "dump")
> echo "Dump certificate: $name"
>- openssl x509 -in /etc/univention/ssl/$name/cert.pem -noout -text
>+ openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text
> ;;
> esac
>-
>diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
>index 98bbbca..c87bf26 100755
>--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
>+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
>@@ -37,9 +37,9 @@ import calendar
>
> from M2Crypto import X509
>
>-import univention_baseconfig
>+from univention.config_registry import ConfigRegistry
>
>-_bc = univention_baseconfig.baseConfig()
>+_bc = ConfigRegistry()
> _bc.load()
>
> def get_validity_date(certFile):