Univention Bugzilla – Attachment 8035 Details for
Bug 41013
univention-certificate should offer a renew-option with a transition period
[patch]
Suggested patch for univention-ssl package plus simple test
file_41013.txt (text/plain), 5.69 KB, created by Julius Hinrichs on 2016-09-26 17:26:14 CEST
patch
obsolete
>$ diff -u ~/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate ./univention-certificate >--- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate 2016-09-06 09:19:15.738733229 +0200 >+++ ./univention-certificate 2016-09-26 17:06:41.765918395 +0200 >@@ -50,6 +50,7 @@ > echo "Options:" > echo " -name <name>" > echo " -days <days>" >+ echo " -grace <grace>" # grace period, also in days > > [ -n "$1" ] && exit 2 || exit 0 > } >@@ -75,6 +76,7 @@ > command= > name= > days= >+grace="0" > while [ $# -ge 1 ] > do > case "$1" in >@@ -86,6 +88,7 @@ > dump) command="$1" ;; > -name|--name) name="${2:?Missing argument to -name}" ; shift ;; > -days|--days) days="${2:?Missing argument to -days}" ; shift ;; >+ -grace|--grace) grace="${2:-0}" ; shift ;; > -h|--help|--usage|-\?) usage ;; > -*) usage "Unknown option: '$1'" >&2 ;; > *) usage "Unknown command: '$1'" >&2 ;; >@@ -120,7 +123,7 @@ > run_only master exclusive > : ${days:?Missing argument -days} > echo "Renew certificate: $name" >- renew_cert "$name" "$days" >+ renew_cert "$name" "$days" "$grace" > } > > check () { > > > > >$ diff -u ~/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh ./make-certificates.sh >--- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh 2016-09-06 09:19:15.738733229 +0200 >+++ ./make-certificates.sh 2016-09-26 13:36:39.418874027 +0200 >@@ -43,6 +43,8 @@ > : ${DEFAULT_CRL_DAYS:=10} > DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" > : ${DEFAULT_DAYS:=1825} >+DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)" >+: ${DEFAULT_GRACE:=0} > DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" > : ${DEFAULT_MD:=sha256} > DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" 
>@@ -133,6 +135,8 @@ > > policy = policy_match > >+unique_subject = no >+ > [ policy_match ] > > countryName = match >@@ -336,7 +340,9 @@ > if ( X[i] ~ /^CN=/ ) { > split ( X[i], Y, "=" ); > if ( name == Y[2] ) { >- seq = $4; >+ if ( $1 == "V" ) { >+ seq = seq$4" "; >+ } > ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; > } > } >@@ -348,8 +354,9 @@ > renew_cert () { > local fqdn="${1:?Missing argument: common name}" > local days="${2:-$DEFAULT_DAYS}" >+ local grace="${3:-$DEFAULT_GRACE}" > >- revoke_cert "$fqdn" || [ $? -eq 2 ] || return $? >+ revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $? > > ( > cd "$SSLBASE" >@@ -361,6 +368,7 @@ > > revoke_cert () { > local fqdn="${1:?Missing argument: common name}" >+ local grace="${2:-$DEFAULT_GRACE}" > > local cn NUM > [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" 
>@@ -371,7 +379,51 @@ > return 2 > fi > >- openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" >+ if [ "$grace" -eq 0 ]; then >+ # revoke all certificates of this fqdn >+ for num in $NUM; do >+ openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" >+ done >+ else >+ # remember all certificates of this fqdn for revocation after the grace period >+ pending_file="${SSLBASE}/pending.txt" >+ [ -f "$pending_file" ] || touch "$pending_file" >+ pending_certs="$(cat $pending_file)" >+ >"$pending_file" >+ >+ for num in $NUM; do >+ echo "$num:$grace" >>"$pending_file" >+ done >+ >+ for cert in $pending_certs; do >+ num="$(echo $cert | sed 's/:.*//')" >+ grace="$(echo $cert | sed 's/.*://')" >+ if [[ "$NUM" != *"$num"* ]]; then >+ echo "$num:$grace" >>"$pending_file" >+ fi >+ done >+ fi >+ >+ gencrl >+} >+ >+update_pending_certs () { >+ pending_file="${SSLBASE}/pending.txt" >+ [ -f "$pending_file" ] || touch "$pending_file" >+ pending_certs="$(cat $pending_file)" >+ >"$pending_file" >+ >+ for cert in $pending_certs; do >+ num="$(echo $cert | sed 's/:.*//')" >+ grace="$(echo $cert | sed 's/.*://')" >+ grace="$((grace-1))" >+ if [ "$grace" -gt "0" ]; then >+ echo "$num:$grace" >>"$pending_file" >+ else >+ openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" >+ fi >+ done >+ > gencrl > } > > > > >/etc/cron.daily/pending-certificates.sh > >#!/bin/bash ># ... > >. /usr/share/univention-ssl/make-certificates.sh >update_pending_certs > > > > >/usr/share/ucs-test/01_base/101_renew_certificate_with_grace_period > >#!/usr/share/ucs-test/runner bash >## desc: Test if univention-certificate can renew a certificate with a grace period >## roles: [domaincontroller_master] >## exposure: dangerous >## bugs: [41013] > >. 
"$TESTLIBPATH/base.sh" || exit 137 > >test_cert_name="test_cert_cbf8b858" >test_days=1825 >test_grace=2 > >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "0" ] || RETVAL=1 > >univention-certificate new -name $test_cert_name >/dev/null 2>&1 >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "1" ] || RETVAL=1 > >univention-certificate renew -name $test_cert_name -days $test_days -grace $test_grace >/dev/null 2>&1 >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "2" ] || RETVAL=1 > >/etc/cron.daily/pending-certificates.sh >/dev/null 2>&1 >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "2" ] || RETVAL=1 > >/etc/cron.daily/pending-certificates.sh >/dev/null 2>&1 >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "1" ] || RETVAL=1 > >univention-certificate revoke -name $test_cert_name >/dev/null 2>&1 >[ "$(univention-certificate list | grep $test_cert_name | wc -l)" -eq "0" ] || RETVAL=1 > >exit ${RETVAL:-0}
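Review bot: in univention-certificate, hunk @@ -50,6 +50,7 @@, the explanation `# grace period, also in days` is a shell comment and never reaches the user, so `-h` prints only `-grace <grace>` with no hint of the unit or the meaning. Put it into the echoed text instead, for example `echo " -grace <days>"`, and state in the usage that it defers revocation of the previous certificate after `renew`.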
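Review bot: in univention-certificate, hunk @@ -75,6 +76,7 @@, initialising `grace="0"` makes the UCR default unreachable: `renew` now always passes a non-empty third argument to `renew_cert`, so `local grace="${3:-$DEFAULT_GRACE}"` in make-certificates.sh never falls back to `ssl/default/grace`. Initialise it empty (`grace=`) like `name=` and `days=` directly above it, so that an omitted `-grace` picks up `DEFAULT_GRACE`.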
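Review bot: in univention-certificate, hunk @@ -86,6 +88,7 @@, `grace="${2:-0}"` departs from the neighbouring `-name` and `-days` handling, which use `${2:?Missing argument ...}`: a trailing `-grace` with no value silently becomes 0, and `-grace -days 10` stores `-days` as the grace value and then `shift`s past it. Use the same `${2:?Missing argument to -grace}` form and reject anything that is not a non-negative integer, since `[ "$grace" -eq 0 ]` in revoke_cert errors out on non-numeric input and `$((grace-1))` in update_pending_certs would not catch it either.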
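Review bot: in make-certificates.sh, hunk @@ -133,6 +135,8 @@, `unique_subject = no` is the change that lets the renewed and the previous certificate coexist as valid entries, and it deserves a comment in the generated openssl.cnf and a changelog line, because it also means a second `new` for a name that still has a valid certificate is no longer rejected by `openssl ca` with its "already a certificate" error. Also verify that the setting is honoured on an already initialised CA: `openssl ca` reads a `unique_subject` line from the index.txt.attr file written next to index.txt as well, so existing installations may need that file updated along with the config.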
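Review bot: in make-certificates.sh, hunk @@ -336,7 +340,9 @@, `seq` now accumulates the serials of every valid (`V`) row for the name, but `ret` is still overwritten by each matching row, so it describes only the last matching line of index.txt. With several rows per name now allowed, a trailing revoked or expired row yields 2 or 3 even though `seq` holds valid serials, and renew_cert then stops at `revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ]`. Derive `ret` from the collected set instead (0 whenever `seq` is non-empty, 2 or 3 only when no valid row was seen). Note also that `seq$4" "` leaves a trailing space, which the `for num in $NUM` loops tolerate but a string comparison on `$NUM` would not.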
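Review bot: in make-certificates.sh, hunk @@ -348,8 +354,9 @@, the modified line `revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?` returns the exit status of the `[` test (always 1), not the status revoke_cert produced, so callers cannot distinguish a failed revocation from anything else. While the line is being touched, capture the status first: `revoke_cert "$fqdn" "$grace"; rc=$?; case $rc in 0|2) ;; *) return $rc ;; esac`.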
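Review bot: in make-certificates.sh, hunk @@ -371,7 +379,51 @@, the test `[[ "$NUM" != *"$num"* ]]` that decides whether an older pending entry is kept is a substring match, so a pending serial that happens to be a substring of a current serial (`1A` against `1AB`, `10` against `110`) is silently dropped from pending.txt and that certificate is never revoked; compare whole serials (loop over `$NUM` and use `[ "$n" = "$num" ]`). Three further points in the same hunk. First, both revoke_cert and update_pending_certs truncate the file with `>"$pending_file"` before writing the entries back, so an interrupted run loses every pending revocation and the old certificates stay valid indefinitely; write to a temporary file and `mv` it into place. Second, the stored grace is a counter decremented once per update_pending_certs run, so it measures cron invocations rather than days, and a host that is down or renews the same name again within the period (its old serial is then in `$NUM` and gets a fresh grace) keeps pushing revocation out; storing a deadline (`date +%s` plus grace days) and revoking once `now` passes it makes the behaviour independent of the scheduler. Third, the `grace=0` branch revokes every serial for the name but leaves their pending.txt entries in place, and the loop variable `grace` in the else branch overwrites the function's own `local grace`; drop the entries there, rename the loop variable, and declare `pending_file`, `pending_certs` and `num` local since the file is sourced by other callers.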
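Review bot: the cron job is installed as `/etc/cron.daily/pending-certificates.sh`, but `run-parts`, which Debian's cron uses to execute that directory, skips file names containing a dot (only letters, digits, hyphen and underscore are accepted), so on a UCS system this script would never run and pending certificates would never be revoked; the test does not notice because it invokes the script by its path. Name it `/etc/cron.daily/pending-certificates`, make sure it is installed executable, and confirm that sourcing make-certificates.sh from a cron environment provides the `SSLBASE` and `PASSWD` values that `openssl ca -revoke ... -passin pass:"$PASSWD"` relies on.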
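Review bot: in the test 101_renew_certificate_with_grace_period, every failing step only sets `RETVAL=1`, so a failure report cannot tell which of the six counts was wrong; print the step and the observed `univention-certificate list` output before setting RETVAL. Two assumptions should be guarded as well: the test relies on the real daily cron run not firing between the two manual invocations of pending-certificates.sh, which would shift the expected counts, and it leaves the certificate behind when an early step fails because the cleanup `revoke` is only reached at the end; a `trap` that revokes `$test_cert_name` on exit keeps repeat runs from starting with a stale entry.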