Univention Bugzilla – Attachment 4284 details for Bug 26572: univention-certificate -path ... / exit codes
[patch] v3
26572_univention-ssl_cleanup.diff (text/plain), 27.68 KB, created by Philipp Hahn on 2012-03-22 11:56:35 CET

Description: v3
Filename: 26572_univention-ssl_cleanup.diff
MIME Type: text/plain
Creator: Philipp Hahn
Created: 2012-03-22 11:56:35 CET
Size: 27.68 KB
Flags: patch, obsolete
>1. Fix handling of "univention-certificate -path ..." handling >2. Fix handling of missing arguments to options. >3. Return useful exit values for scripting usage. >4. Fix file permission for certificate: no +x needed. >5. Print error messages to stderr to help parsing output. >6. Quote variables (password!) >7. Replace univention-baseconfig by univention-config-registry >8. Use subprocess.call() instead of os.popen() >9. Make variables function local >10. Update copyright >11. Remove trailing blanks on lines >12. Remove semicolon on end of line >13. Remove space before tabs >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity b/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity >index 03bf2f2..0c65c5f 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity >@@ -1,7 +1,7 @@ > #!/bin/sh > @%@UCRWARNING=# @%@ > >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright b/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright >index 2a7dab8..c5cb6a4 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright >@@ -1,4 +1,4 @@ >-Copyright 2002-2011 Univention GmbH >+Copyright 2002-2012 Univention GmbH > > http://www.univention.de/ > >@@ -25,5 +25,3 @@ You should have received a copy of the GNU Affero General Public > License with the Debian GNU/Linux or Univention distribution in file > /usr/share/common-licenses/AGPL-3; if not, see > <http://www.gnu.org/licenses/>. >- >- >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules b/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules >index 737e4a9..0157c74 100755 
>--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules >@@ -3,7 +3,7 @@ > # Univention SSL > # rules file for the debian package > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -44,4 +44,3 @@ override_dh_auto_test: > > %: > dh $@ >- >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst >index 28c5e68..5d5995c 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst >@@ -3,7 +3,7 @@ > # Univention SSL > # postinst script > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -76,12 +76,12 @@ if [ "$server_role" = "domaincontroller_master" ] || [ -z "$server_role" ] || [ > # Bug #13549 > rdate time.fu-berlin.de || rdate 130.133.1.10 || true > >- . /usr/share/univention-ssl/make-certificates.sh; >- init; >- univention-certificate new -name $hostname.$domainname >- ln -sf /etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/$hostname >+ . /usr/share/univention-ssl/make-certificates.sh >+ init >+ univention-certificate new -name "$hostname.$domainname" >+ ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname" > else >- echo "skipped. SSL Certificate found in $CERTPATH "; >+ echo "skipped. SSL Certificate found in $CERTPATH" > fi > fi 
> >@@ -93,7 +93,7 @@ if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 1.3; then > fi > > if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 3.0.3-1; then >- ln -sf /etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/$hostname >+ ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname" > fi > > if [ "$1" = "$configure" -a -z "$2" ]; then >@@ -105,7 +105,7 @@ fi > > if [ "$1" = "configure" ]; then > if test -f /etc/init.d/univention-directory-listener >- then >+ then > /etc/init.d/univention-directory-listener crestart || true > fi > fi >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm >index faa8830..55866ab 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm >@@ -3,7 +3,7 @@ > # Univention SSL > # postrm script > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -32,7 +32,7 @@ > # postrm script for univention-ssl > > if [ "$1" = "purge" ]; then >- rm -rf /etc/univention/ssl; >+ rm -rf /etc/univention/ssl > fi > > #DEBHELPER# >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables >index 374df89..b6ffd5e 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables 
>@@ -43,7 +43,7 @@ Categories=system-ssl > [ssl/default/days] > Description[de]=Standard Lebensdauer für neue SSL-Zertifikate > Description[en]=Default lifetime of new SSL certificates >-Type=str >+Type=int > Categories=system-ssl > > [ssl/default/hashfunction] >@@ -55,13 +55,13 @@ Categories=system-ssl > [ssl/validity/check] > Description[de]=Aktiviere/Deaktiviere die regelmäÃige Gültigkeitsprüfung für Zertifikate > Description[en]=Enable/Disable regular checks for certificate validity >-Type=str >+Type=bool > Categories=system-ssl > > [ssl/validity/days] > Description[de]=Anzahl an Tagen die das Root SSL-Zertifikat gültig ist > Description[en]=Number of days which the root certificate is valid >-Type=str >+Type=int > Categories=system-ssl > > [ssl/validity/warning] >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh >index 0670e6b..d243fa8 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh >@@ -1,11 +1,9 @@ >-function createHostExtensionsFile () { >- >- local fqdn="$1" >- local hostname=${fqdn/.*/} >- local extFile=$(mktemp) >- >- cat <<EOF >>"$extFile" >+createHostExtensionsFile () { >+ local fqdn="$1" >+ local hostname=${fqdn/.*/} >+ local extFile=$(mktemp) > >+ cat <<EOF >>"$extFile" > extensions = myx509v3 > [ myx509v3 ] > >@@ -16,7 +14,6 @@ authorityKeyIdentifier = keyid,issuer:always > > # alternative name > subjectAltName = DNS:$fqdn, DNS:$hostname >- > EOF > > echo "$extFile" >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py >index c5d7d64..e17cbf7 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py 
>@@ -3,7 +3,7 @@ > # Univention SSL > # listener ssl module > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -30,12 +30,13 @@ > # /usr/share/common-licenses/AGPL-3; if not, see > # <http://www.gnu.org/licenses/>. > >-__package__='' # workaround for PEP 366 >+__package__='' # workaround for PEP 366 > from listener import * > import grp > > import univention.debug > import univention.misc >+import subprocess > > name='gencertificate' > description='Generate new Certificates' >@@ -46,6 +47,7 @@ attributes=[] > uidNumber = 0 > gidNumber = 0 > saved_uid = 65545 >+SSLDIR = '/etc/univention/ssl' > > def set_privileges_cert(root=0): > global saved_uid >@@ -56,8 +58,7 @@ def set_privileges_cert(root=0): > os.seteuid(saved_uid) > > def initialize(): >- univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Initialize' ) >- return >+ univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Initialize') > > def handler(dn, new, old): > global uidNumber >@@ -71,16 +72,16 @@ def handler(dn, new, old): > try: > try: > uidNumber = int(new.get('uidNumber', ['0'])[0]) >- except: >+ except (LookupError, TypeError, ValueError): > uidNumber = 0 > > try: > gidNumber = int(grp.getgrnam('DC Backup Hosts')[2]) >- except: >+ except (LookupError, TypeError, ValueError): > univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name) > gidNumber = 0 > >- if new and not old: >+ if new and not old: > if new.has_key('associatedDomain'): > domain=new['associatedDomain'][0] > else: 
>@@ -108,30 +109,30 @@ def handler(dn, new, old): > create_certificate(new['cn'][0], int(new['uidNumber'][0]), domainname=new_domain) > else: > # Reset permissions >- ssldir='/etc/univention/ssl' >- certpath=os.path.join(ssldir,"%s.%s" % (new['cn'][0],new_domain)) >- a=os.path.walk(certpath,set_permissions, None) >+ fqdn = "%s.%s" % (new['cn'][0], new_domain) >+ certpath = os.path.join(SSLDIR, fqdn) >+ a = os.path.walk(certpath, set_permissions, None) > finally: > set_privileges_cert(root=0) >- return > > def set_permissions(tmp1, directory, filename): > global uidNumber > global gidNumber >- >+ > univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber)) > os.chown(directory, uidNumber, gidNumber) > os.chmod(directory, 0750) > > for f in filename: >- file=os.path.join(directory,f) >+ file = os.path.join(directory, f) > univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (file, gidNumber, uidNumber)) > os.chown(file, uidNumber, gidNumber) >- os.chmod(file, 0750) >+ os.chmod(file, 0640) > > def remove_dir(tmp1, directory, filename): >+ """Remove directory and all files within.""" > for f in filename: >- file=os.path.join(directory,f) >+ file = os.path.join(directory, f) > os.remove(file) > os.rmdir(directory) 
> >@@ -139,55 +140,51 @@ def create_certificate(name, serverUidNumber, domainname): > global uidNumber > global gidNumber > uidNumber = serverUidNumber >- >- ssldir='/etc/univention/ssl' >- univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name) > >- certpath=os.path.join(ssldir,name+'.'+domainname) >- if os.path.exists(certpath): >- univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Certificate for host %s.%s already exists' % (name,domainname)) >- if not os.path.islink("%s/%s" % (ssldir,name)): >- p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) ) >- p.close >- a=os.path.walk(certpath,set_permissions, None) >- return >+ fqdn = '%s.%s' % (name, domainname) >+ certpath = os.path.join(SSLDIR, fqdn) >+ link_path = os.path.join(SSLDIR, name) > >+ if os.path.exists(certpath): >+ univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Certificate for host %s already exists' % (fqdn,)) >+ if os.path.islink(link_path): >+ return >+ else: >+ if len(fqdn) > 64: >+ univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s' % (fqdn,)) >+ return > >- if len("%s.%s" % (name,domainname)) > 64: >- univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s.%s' % (name,domainname)) >- return >- >- p = os.popen('. /usr/share/univention-ssl/make-certificates.sh; gencert %s.%s %s.%s' % (name,domainname,name,domainname) ) >- p.close() >- p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) ) >- p.close() >+ univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name) > >- >- a=os.path.walk(certpath,set_permissions, None) >+ subprocess.call('. 
/usr/share/univention-ssl/make-certificates.sh; gencert %s %s' % (fqdn, fqdn), shell=True) > >- return >+ # Create symlink >+ try: >+ os.remove(link_path) >+ except OSError, e: >+ pass >+ try: >+ os.symlink(certpath, link_path) >+ except OSError, e: >+ pass >+ # Fix permissions >+ a = os.path.walk(certpath, set_permissions, None) > > def remove_certificate(name, domainname): >+ fqdn = '%s.%s' % (name, domainname) >+ univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s' % (fqdn,)) >+ subprocess.call(('/usr/sbin/univention-certificate', 'revoke', '-name', fqdn)) > >- ssldir='/etc/univention/ssl' >- >- univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s.%s' % (name,domainname)) >- p = os.popen('/usr/sbin/univention-certificate revoke -name %s.%s' % (name,domainname) ) >- p.close() >- >- link_path=os.path.join(ssldir,name) >+ link_path = os.path.join(SSLDIR, name) > if os.path.exists(link_path): > os.remove(link_path) > >- certpath=os.path.join(ssldir,"%s.%s" % (name,domainname)) >+ certpath = os.path.join(SSLDIR, fqdn) > if os.path.exists(certpath): >- a=os.path.walk(certpath,remove_dir, None) >- >- return >+ a = os.path.walk(certpath, remove_dir, None) > > def clean(): > return > > def postrun(): > return >- >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh >index 361e8fb..c95d283 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh >@@ -3,7 +3,7 @@ > # Univention SSL > # gencertificate script > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # 
>@@ -35,9 +35,9 @@ > # http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/ > > if [ -n "$sslbase" ]; then >- SSLBASE="$sslbase" >+ SSLBASE="$sslbase" > else >- SSLBASE=/etc/univention/ssl >+ SSLBASE=/etc/univention/ssl > fi > > CA=ucsCA >@@ -57,23 +57,20 @@ else > fi > > mk_config () { >- >- local outfile=$1; >- local password=$2; >+ local outfile=$1 >+ local password=$2 > local days=$3 > local name=$4 > >- if test -e $outfile; then >- rm $outfile; >+ if test -e "$outfile"; then >+ rm -f "$outfile" > fi >- touch $outfile; >- chmod 0600 $outfile; >+ touch "$outfile" >+ chmod 0600 "$outfile" > > eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)" > >- >- cat <<EOF >>$outfile >- >+ cat >"$outfile" <<EOF > # HOME = . > # RANDFILE = \$ENV::HOME/.rnd > # oid_section = new_oids >@@ -136,17 +133,16 @@ default_keyfile = privkey.pem > distinguished_name = req_distinguished_name > attributes = req_attributes > x509_extensions = v3_ca >- > EOF > >-if [ "$password" ]; then >-cat <<EOF >>$outfile >+ if [ -n "$password" ]; then >+ cat >>"$outfile" <<EOF > input_password = $password > output_password = $password > EOF >-fi; >+ fi > >-cat <<EOF >>$outfile >+ cat >>"$outfile" <<EOF > > string_mask = nombstr > req_extensions = v3_req 
>@@ -219,38 +215,37 @@ nsComment = This certificate is a Root CA Certificate > > issuerAltName = issuer:copy > authorityKeyIdentifier = keyid:always,issuer:always >- > EOF >-chmod 0600 $outfile >- >+ chmod 0600 "$outfile" > } > > move_cert () { >- local new; >- local count=0; >- local linkname; >- local hash; >- local OPWD=`pwd`; >- cd "$SSLBASE"; >- >- for i; do >- if [ -f "$i" ]; then >- new="${SSLBASE}/${CA}/certs/"`basename $i`; >- mv "$i" "$new"; >- hash=`openssl x509 -hash -noout -in "$new"`; >- while :; do >- linkname="${CA}/certs/""$hash"".""$count"; >- if [ -h "$linkname" ]; then >- count=$((count + 1)); >- continue; >- else >- ln -s "$new" "$linkname"; >- break; >- fi; >- done; >- fi; >- done; >- cd "$OPWD" >+ local count=0 >+ local OPWD=$(pwd) >+ cd "$SSLBASE" >+ >+ local i >+ for i in "$@"; do >+ if [ -f "$i" ] >+ then >+ local new="${SSLBASE}/${CA}/certs/$(basename "$i")" >+ mv "$i" "$new" >+ local hash=$(openssl x509 -hash -noout -in "$new") >+ while : >+ do >+ local linkname="${CA}/certs/${hash}.${count}" >+ if [ -h "$linkname" ] >+ then >+ count=$((count + 1)) >+ continue >+ else >+ ln -s "$new" "$linkname" >+ break >+ fi >+ done >+ fi >+ done >+ cd "$OPWD" > } > > init () { 
>@@ -266,51 +261,50 @@ init () { > chmod 600 "$SSLBASE/password" > makepasswd > "$SSLBASE/password" > fi >- PASSWD=`cat "$SSLBASE/password"` >+ local PASSWD=`cat "$SSLBASE/password"` > >- local OPWD=`pwd`; >+ local OPWD=$(pwd) > > # create directory infrastructure > cd "$SSLBASE" >- mkdir -m 700 -p ${CA}; >- mkdir -p ${CA}/{certs,crl,newcerts,private}; >- echo "01" > ${CA}/serial; >- touch ${CA}/index.txt; >+ mkdir -m 700 -p "${CA}" >+ mkdir -p "${CA}/"{certs,crl,newcerts,private} >+ echo "01" >"${CA}/serial" >+ touch "${CA}/index.txt" > > eval "$(ucr shell ssl/common)" > > # make the root-CA configuration file >- mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common" >+ mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common" > >- >- openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048 >- yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem >+ openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 >+ yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem" > > # copy the public key to a place, from where browsers can access it >- openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt >+ openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt > > # mv the certificate to the certs dir and link it to its hash value >- cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem >- move_cert ${CA}/newcerts/00.pem >+ cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem" >+ move_cert "${CA}/newcerts/00.pem" > > # generate root ca request >- openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD >+ openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD" > >- find ${CA} -type f | xargs chmod 600 >- find ${CA} -type d | xargs chmod 700 >+ find 
"${CA}" -type f -exec chmod 600 {} + >+ find "${CA}" -type d -exec chmod 700 {} + > >- chmod 755 ${CA} >- chmod 644 ${CA}/CAcert.pem >- #generate empty crl at installation time >- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" >- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der >+ chmod 755 "${CA}" >+ chmod 644 "${CA}/CAcert.pem" >+ #generate empty crl at installation time >+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" >+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der > > cd "$OPWD" > } > > > list_cert_names () { >- local OPWD=`pwd` >+ local OPWD=$(pwd) > cd "$SSLBASE" > awk 'BEGIN { FS="\t"; } > { if ( $1 == "V" ) 
>@@ -323,80 +317,80 @@ list_cert_names () { > } > } > } >- }'< ${CA}/index.txt >+ }' <"${CA}/index.txt" > cd "$OPWD" > } > > > has_valid_cert () { >- list_cert_names | egrep -q "$1$"; >+ list_cert_names | egrep -q "$1$" > } > > renew_cert () { >- local OPWD=`pwd`; >- cd "$SSLBASE"; >- >+ local OPWD=$(pwd) >+ cd "$SSLBASE" >+ > if [ -z "$1" ]; then >- echo "missing certificate name" 1>&2; >- return 1; >+ echo "missing certificate name" 1>&2 >+ return 1 > fi >- >- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; >+ >+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` > if [ -z "$NUM" ]; then >- echo "no certificate for $1 registered" 1>&2; >- return 1; >- fi; >- >+ echo "no certificate for $1 registered" >&2 >+ return 1 >+ fi >+ > if [ -z "$2" ]; then > days=$DEFAULT_DAYS > fi >- >+ > # revoke cert >- revoke_cert $1 >+ revoke_cert "$1" > > # get host extension file > hostExt=$(ucr get ssl/host/extensions) > if [ -s "$hostExt" ]; then >- source $hostExt >+ . 
"$hostExt" > extFile=$(createHostExtensionsFile "$1") >- fi >- >+ fi >+ > # sign the request > if [ -s "$extFile" ]; then >- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ >- -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" >+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ >+ -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" > rm -f "$extFile" > else >- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ >- -out "$1/cert.pem" -passin pass:"$PASSWD" >+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ >+ -out "$1/cert.pem" -passin pass:"$PASSWD" > fi >- >+ > # move the new certificate to its place >- move_cert ${CA}/newcerts/*; >- cd "$OPWD"; >+ move_cert "${CA}/newcerts/"* >+ cd "$OPWD" > } > > # Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll > > revoke_cert () { >- local OPWD=`pwd`; >- cd "$SSLBASE"; >+ local OPWD=`pwd` >+ cd "$SSLBASE" > > if [ -z "$1" ]; then >- echo "missing certificate name" 1>&2; >- return 1; >+ echo "missing certificate name" >&2 >+ return 1 > fi > >- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; >+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` > if [ -z "$NUM" ]; then >- echo "no certificate for $1 registered" 1>&2; >- return 1; >- fi; >- openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD" >- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" >- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der >- >- cd "$OPWD"; >+ echo "no certificate for $1 registered" >&2 >+ return 1 >+ fi >+ openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" >+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" >+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der >+ >+ cd 
"$OPWD" > } > > >@@ -410,40 +404,40 @@ gencert () { > local OPWD=`pwd` > cd "$SSLBASE" > if has_valid_cert "$2"; then >- revoke_cert "$2"; >- fi; >+ revoke_cert "$2" >+ fi > >- days=$(/usr/sbin/univention-config-registry get ssl/default/days) >+ local days=$(/usr/sbin/univention-config-registry get ssl/default/days) > if [ -z "$days" ]; then > days=$DEFAULT_DAYS > fi > # generate a key pair >- mkdir -pm 700 $name >- mk_config "$name/openssl.cnf" "" $days "$cn" >+ mkdir -pm 700 "$name" >+ mk_config "$name/openssl.cnf" "" "$days" "$cn" > openssl genrsa -out "$name/private.key" 1024 > yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem" > > # get host extension file >- hostExt=$(ucr get ssl/host/extensions) >+ local hostExt=$(ucr get ssl/host/extensions) > if [ -s "$hostExt" ]; then >- source $hostExt >- extFile=$(createHostExtensionsFile "$cn") >- fi >+ . "$hostExt" >+ local extFile=$(createHostExtensionsFile "$cn") >+ fi > > # sign the key > if [ -s "$extFile" ]; then > openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ >- -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" >+ -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" > rm -f "$extFile" > else > openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ >- -out "$name/cert.pem" -passin pass:"$PASSWD" >+ -out "$name/cert.pem" -passin pass:"$PASSWD" > fi > > # move the new certificate to its place >- move_cert ${CA}/newcerts/*; >+ move_cert "${CA}/newcerts/"* > >- find $name -type f | xargs chmod 600 >- find $name -type d | xargs chmod 700 >+ find "$name" -type f -exec chmod 600 {} + >+ find "$name" -type d -exec chmod 700 {} + > cd "$OPWD" > } >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync b/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync >index 0f24f61..c76ca16 100644 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync 
>@@ -3,7 +3,7 @@ > # Univention SSL > # ssl sync script > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate >index 6d1a963..9bab1d0 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate >@@ -3,7 +3,7 @@ > # Univention SSL > # openssl wrapper > # >-# Copyright 2004-2011 Univention GmbH >+# Copyright 2004-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -29,7 +29,7 @@ > # License with the Debian GNU/Linux or Univention distribution in file > # /usr/share/common-licenses/AGPL-3; if not, see > # <http://www.gnu.org/licenses/>. >- >+set -o errfail > > usage () > { >@@ -50,12 +50,12 @@ usage () > echo " dump" > echo " list" > echo "" >- echo "Options" >+ echo "Options:" > echo " -name <name>" > echo " -days <days>" > echo "" > >- exit >+ exit 2 > } > > command="$1" 
>@@ -63,38 +63,34 @@ shift > > if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then > if [ -n "$command" ]; then >- usage "unknown command: $command" >+ usage "unknown command: $command" >&2 > else >- usage >+ usage >&2 > fi > fi > > while [ $# -gt 0 ]; do > case "$1" in > "-path") >- shift >- path="$1" >- shift >+ path="$2" >+ shift 2 || usage "Missing argument to -path" >&2 > ;; > "-name") >- shift >- name="$1" >- shift >+ name="$2" >+ shift 2 || usage "Missing argument to -name" >&2 > ;; > "-days") >- shift >- days="$1" >- shift >+ days="$2" || usage "Missing argument to -days" >&2 >+ shift 2 > ;; > *) >- usage "unknown option $1" >- shift >+ usage "unknown option $1" >&2 > ;; > esac > done > > if [ "$command" != "list" -a -z "$name" ]; then >- usage "missing -name" >+ usage "missing -name" >&2 > fi > > cd /etc/univention/ssl >@@ -105,10 +101,10 @@ case "$command" in > "new") > echo "Creating certificate: $name" > gencert "/etc/univention/ssl/$name" "$name" >- getent group "DC Backup Hosts" 2>&1 >/dev/null >- if [ $? = 0 ]; then >+ if getent group "DC Backup Hosts" 2>&1 >/dev/null >+ then > chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name" >- chmod -R g+rx "/etc/univention/ssl/$name" >+ chmod g+rx "/etc/univention/ssl/$name" > fi > ;; > "revoke") >@@ -117,18 +113,20 @@ case "$command" in > ;; > "renew") > if [ -z "$days" ]; then >- usage "missing -days" >+ usage "missing -days" >&2 > fi > echo "Renew certificate: $name" > renew_cert "$name" "$days" > ;; > "check") > echo -n "Certificate \"$name\" is " >- has_valid_cert $name >- if [ $? = 0 ]; then >+ if has_valid_cert "$name" >+ then > echo "valid" >+ exit 0 > else > echo "invalid" >+ exit 1 > fi > ;; > "list") 
>@@ -137,7 +135,6 @@ case "$command" in > ;; > "dump") > echo "Dump certificate: $name" >- openssl x509 -in /etc/univention/ssl/$name/cert.pem -noout -text >+ openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text > ;; > esac >- >diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity >index 98bbbca..639fd22 100755 >--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity >+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity >@@ -4,7 +4,7 @@ > # Univention SSL > # checks validity of the local SSL certificate > # >-# Copyright 2006-2011 Univention GmbH >+# Copyright 2006-2012 Univention GmbH > # > # http://www.univention.de/ > # >@@ -37,9 +37,9 @@ import calendar > > from M2Crypto import X509 > >-import univention_baseconfig >+from univention.config_registry import ConfigRegistry > >-_bc = univention_baseconfig.baseConfig() >+_bc = ConfigRegistry() > _bc.load() > > def get_validity_date(certFile):
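Review bot: the context line `if [ "$1" = "$configure" -a -z "$2" ]; then` in univention-ssl.postinst compares `$1` against a variable `$configure` that nothing in the visible script assigns, so the test collapses to `[ "$1" = "" -a -z "$2" ]` and that branch can never run on a fresh install. It almost certainly should be the literal `configure`, as in the neighbouring `if [ "$1" = "configure" ]` tests; since this hunk is already being touched for quoting, it is the right moment to fix it.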
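Review bot: `subprocess.call('. /usr/share/univention-ssl/make-certificates.sh; gencert %s %s' % (fqdn, fqdn), shell=True)` in `create_certificate` keeps the shell-injection exposure that replacing `os.popen` was presumably meant to remove. `fqdn` is assembled from the LDAP attributes `cn` and `associatedDomain`, and a value containing shell metacharacters (`;`, `$(`, backquotes, whitespace) is interpolated unquoted into a command run by `sh -c` as root inside the listener. Hand the name over as a positional parameter instead, e.g. `subprocess.call(['sh', '-c', '. /usr/share/univention-ssl/make-certificates.sh; gencert "$1" "$1"', 'sh', fqdn])`, or at least wrap it with `pipes.quote(fqdn)`. The return value of both `subprocess.call` invocations is also thrown away; log a WARN and skip the symlink and chmod steps when `gencert` fails, otherwise the listener silently reports success for a host that has no certificate. The `revoke` call in `remove_certificate` already uses the argument-list form and is fine.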
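Review bot: the two `except OSError, e: pass` blocks around `os.remove(link_path)` and `os.symlink(certpath, link_path)` in `create_certificate` swallow every failure, including the case where `link_path` is a real directory or file rather than a symlink (`os.remove` fails with EISDIR, `os.symlink` with EEXIST), so the host keeps pointing at stale data without a single log line. Drop the unused `e`, log the exception through `univention.debug` at WARN, and guard the removal with `os.path.islink(link_path)`. Two more things in the same function: when `certpath` exists and `link_path` is already a link, the new code returns before `os.path.walk(certpath, set_permissions, None)`, whereas the old code always re-applied ownership and mode in that case, so if anything relied on that to repair permissions after a re-join, the early `return` drops it; and `a = os.path.walk(...)` stores the `None` that `os.path.walk` returns, so the assignment can go. In the context lines, `saved_uid = 65545` looks like a typo for 65534 (nobody); worth confirming.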
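Review bot: in `mk_config`, the `rm -f` / `touch "$outfile"` / `chmod 0600 "$outfile"` sequence still creates the file under the caller's umask for a moment before `chmod` runs, and the same file later receives `input_password = $password`. Creating it under a restrictive umask closes that window, e.g. `(umask 077; : >"$outfile")` in place of `touch` plus `chmod`. The switch of the first heredoc from `>>` to `>` is correct, since the file was just emptied and the mode is preserved by truncation. Separately, every function in make-certificates.sh does `cd "$SSLBASE"` without checking the result; if it fails, `move_cert` moves and links relative to the caller's cwd and `init` creates the CA tree there. `cd "$SSLBASE" || return 1` is cheap insurance.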
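Review bot: `local PASSWD=\`cat "$SSLBASE/password"\`` in `init` turns the variable from script-global into function-local, but `gencert`, `renew_cert` and `revoke_cert` all read `$PASSWD` (`-passin pass:"$PASSWD"`) and none of them sets it in the visible hunks. If the global is only populated when the script is sourced, a caller that sources make-certificates.sh, runs `init` to create `$SSLBASE/password`, and then calls `gencert` in the same shell will sign with an empty password. Either keep `PASSWD` global in `init` or have each signing function read `"$SSLBASE/password"` itself. The postinst is unaffected only because `univention-certificate new` is a separate process that re-sources the script.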
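Review bot: `renew_cert` still ignores its second argument: `if [ -z "$2" ]; then days=$DEFAULT_DAYS; fi` never assigns `$2` to `days`, so `univention-certificate renew -name X -days N` signs with whatever `$days` happens to hold (empty unless another function set it, which with the new quoting now surfaces as a visible `-days ""` error). `local days="${2:-$DEFAULT_DAYS}"` fixes that and makes the variable local, as `gencert` now does. In the same two functions, `list_cert_names | grep "$1"` is an unanchored regex match in which the dots of the FQDN match any character, so `revoke_cert host.example.com` can pick up the serial of `otherhost.example.com` or return several serials in `NUM`, and the wrong certificate gets revoked. Anchor the match on the name column (`has_valid_cert` at least anchors the end with `"$1$"`) or use `grep -F` with an exact field comparison in awk.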
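Review bot: `gencert` still generates 1024-bit host keys (`openssl genrsa -out "$name/private.key" 1024`) while `init` uses 2048 for the CA key; a patch that rewrites every line around it is a reasonable place to raise this to 2048, as NIST SP 800-131A already deprecates 1024-bit RSA for signature generation. Smaller points in the same region: `-days $days` stays unquoted in `gencert` although `renew_cert` now quotes it, and `revoke_cert` keeps `local OPWD=\`pwd\`` while every other function was converted to `$(pwd)`.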
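Review bot: `set -o errfail` at the top of univention-certificate is not a valid shell option; bash and dash both reject it with "invalid option name", and because `set` is a special builtin a non-interactive POSIX sh may exit right there, before `usage` is even defined. If the intent is to abort on the first failing command, use `set -o errexit` (or `set -e`), and then re-check that the `|| usage ...` fallbacks and `if has_valid_cert "$name"` still behave as intended under errexit.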
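Review bot: the `-days` branch of the `while [ $# -gt 0 ]` loop is inconsistent with `-path` and `-name`: `days="$2" || usage "Missing argument to -days" >&2` can never fire because a variable assignment always succeeds, and the bare `shift 2` after it has no fallback. Make it match the other two branches (`days="$2"` followed by `shift 2 || usage "Missing argument to -days" >&2`). Two caveats for all three branches: in dash, `shift 2` with only one argument left is a fatal error from a special builtin, so under `#!/bin/sh` the `|| usage` may never run; and `-name ""` passes the `shift 2` check but then trips the later `-z "$name"` test with a different message. A `[ $# -ge 2 ] || usage "Missing argument to $1" >&2` test before the assignment is more portable. Also, `-path` is now parsed into `$path`, but nothing in the visible hunks consumes it: the script still does `cd /etc/univention/ssl`, and `new` and `dump` hard-code `/etc/univention/ssl/$name`. If `-path` is meant to select the certificate directory, as the bug title suggests, those places should use `"${path:-/etc/univention/ssl}"`; if it is only accepted for compatibility, say so in `usage`.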
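Review bot: in the `new` command, replacing `chmod -R g+rx` with `chmod g+rx "/etc/univention/ssl/$name"` on the directory alone leaves the files inside at the `0600` that `gencert` sets (`find "$name" -type f -exec chmod 600 {} +`), so members of "DC Backup Hosts" can traverse the directory but cannot read `cert.pem` or `private.key`; the listener path in gencertificate.py, by contrast, sets files to `0640`. If the group is supposed to read them, add `find "/etc/univention/ssl/$name" -type f -exec chmod g+r {} +` (dropping `+x` on files is right, as the description says). Also, `getent group "DC Backup Hosts" 2>&1 >/dev/null` sends stderr to the original stdout and only stdout to /dev/null; the usual order is `>/dev/null 2>&1`.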
Attachments on bug 26572: 4282 | 4283 | 4284