1. Fix handling of "univention-certificate -path ..."
2. Fix handling of missing arguments to options.
3. Return useful exit values for scripting usage.
4. Fix file permission for certificate: no +x needed.
5. Print error messages to stderr to help parsing output.
6. Quote variables (password!)
7. Replace univention-baseconfig by univention-config-registry
8. Use subprocess.call() instead of os.popen()
9. Make variables function local
10. Update copyright
11. Remove trailing blanks on lines
12. Remove semicolon on end of line
13. Remove space before tabs
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity b/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity
index 03bf2f2..0c65c5f 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/conffiles/etc/cron.daily/univention-ssl-validity
@@ -1,7 +1,7 @@
#!/bin/sh
@%@UCRWARNING=# @%@
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright b/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright
index 2a7dab8..c5cb6a4 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/copyright
@@ -1,4 +1,4 @@
-Copyright 2002-2011 Univention GmbH
+Copyright 2002-2012 Univention GmbH
http://www.univention.de/
@@ -25,5 +25,3 @@ You should have received a copy of the GNU Affero General Public
License with the Debian GNU/Linux or Univention distribution in file
/usr/share/common-licenses/AGPL-3; if not, see
.
-
-
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules b/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules
index 737e4a9..0157c74 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/rules
@@ -3,7 +3,7 @@
# Univention SSL
# rules file for the debian package
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -44,4 +44,3 @@ override_dh_auto_test:
%:
dh $@
-
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst
index 28c5e68..5d5995c 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postinst
@@ -3,7 +3,7 @@
# Univention SSL
# postinst script
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -76,12 +76,12 @@ if [ "$server_role" = "domaincontroller_master" ] || [ -z "$server_role" ] || [
# Bug #13549
rdate time.fu-berlin.de || rdate 130.133.1.10 || true
- . /usr/share/univention-ssl/make-certificates.sh;
- init;
- univention-certificate new -name $hostname.$domainname
- ln -sf /etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/$hostname
+ . /usr/share/univention-ssl/make-certificates.sh
+ init
+ univention-certificate new -name "$hostname.$domainname"
+ ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname"
else
- echo "skipped. SSL Certificate found in $CERTPATH ";
+ echo "skipped. SSL Certificate found in $CERTPATH"
fi
fi
@@ -93,7 +93,7 @@ if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 1.3; then
fi
if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 3.0.3-1; then
- ln -sf /etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/$hostname
+ ln -sf "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname"
fi
if [ "$1" = "$configure" -a -z "$2" ]; then
@@ -105,7 +105,7 @@ fi
if [ "$1" = "configure" ]; then
if test -f /etc/init.d/univention-directory-listener
- then
+ then
/etc/init.d/univention-directory-listener crestart || true
fi
fi
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm
index faa8830..55866ab 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.postrm
@@ -3,7 +3,7 @@
# Univention SSL
# postrm script
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -32,7 +32,7 @@
# postrm script for univention-ssl
if [ "$1" = "purge" ]; then
- rm -rf /etc/univention/ssl;
+ rm -rf /etc/univention/ssl
fi
#DEBHELPER#
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables
index 374df89..b6ffd5e 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/debian/univention-ssl.univention-config-registry-variables
@@ -43,7 +43,7 @@ Categories=system-ssl
[ssl/default/days]
Description[de]=Standard Lebensdauer für neue SSL-Zertifikate
Description[en]=Default lifetime of new SSL certificates
-Type=str
+Type=int
Categories=system-ssl
[ssl/default/hashfunction]
@@ -55,13 +55,13 @@ Categories=system-ssl
[ssl/validity/check]
Description[de]=Aktiviere/Deaktiviere die regelmäßige Gültigkeitsprüfung für Zertifikate
Description[en]=Enable/Disable regular checks for certificate validity
-Type=str
+Type=bool
Categories=system-ssl
[ssl/validity/days]
Description[de]=Anzahl an Tagen die das Root SSL-Zertifikat gültig ist
Description[en]=Number of days which the root certificate is valid
-Type=str
+Type=int
Categories=system-ssl
[ssl/validity/warning]
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
index 0670e6b..d243fa8 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh
@@ -1,11 +1,9 @@
-function createHostExtensionsFile () {
-
- local fqdn="$1"
- local hostname=${fqdn/.*/}
- local extFile=$(mktemp)
-
- cat <>"$extFile"
+createHostExtensionsFile () {
+ local fqdn="$1"
+ local hostname=${fqdn/.*/}
+ local extFile=$(mktemp)
+ cat <>"$extFile"
extensions = myx509v3
[ myx509v3 ]
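Review bot: `local extFile=$(mktemp)` masks mktemp's exit status (the status of the line is that of `local`), so when temp-file creation fails the function continues with an empty path and still echoes it to the caller; split it into `local extFile` and `extFile=$(mktemp) || return 1`. `${fqdn/.*/}` is a bash-only substitution, which is fine only as long as every script that sources this file runs under bash rather than /bin/sh. createHostExtensionsFile continues past the end of this hunk.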
@@ -16,7 +14,6 @@ authorityKeyIdentifier = keyid,issuer:always
# alternative name
subjectAltName = DNS:$fqdn, DNS:$hostname
-
EOF
echo "$extFile"
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
index c5d7d64..e17cbf7 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py
@@ -3,7 +3,7 @@
# Univention SSL
# listener ssl module
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -30,12 +30,13 @@
# /usr/share/common-licenses/AGPL-3; if not, see
# .
-__package__='' # workaround for PEP 366
+__package__='' # workaround for PEP 366
from listener import *
import grp
import univention.debug
import univention.misc
+import subprocess
name='gencertificate'
description='Generate new Certificates'
@@ -46,6 +47,7 @@ attributes=[]
uidNumber = 0
gidNumber = 0
saved_uid = 65545
+SSLDIR = '/etc/univention/ssl'
def set_privileges_cert(root=0):
global saved_uid
@@ -56,8 +58,7 @@ def set_privileges_cert(root=0):
os.seteuid(saved_uid)
def initialize():
- univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Initialize' )
- return
+ univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Initialize')
def handler(dn, new, old):
global uidNumber
@@ -71,16 +72,16 @@ def handler(dn, new, old):
try:
try:
uidNumber = int(new.get('uidNumber', ['0'])[0])
- except:
+ except (LookupError, TypeError, ValueError):
uidNumber = 0
try:
gidNumber = int(grp.getgrnam('DC Backup Hosts')[2])
- except:
+ except (LookupError, TypeError, ValueError):
univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name)
gidNumber = 0
- if new and not old:
+ if new and not old:
if new.has_key('associatedDomain'):
domain=new['associatedDomain'][0]
else:
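Review bot: The warning on the gidNumber fallback formats `name`, which at module level is the listener name `'gencertificate'`, not the group that was looked up, so the log line reports the wrong thing; use the group name, e.g. `'CERTIFICATE: Failed to get groupID for "%s"' % ('DC Backup Hosts',)`. Narrowing the bare `except:` to `(LookupError, TypeError, ValueError)` is sound here: `grp.getgrnam` raises KeyError for an unknown group, which LookupError covers. handler starts before this hunk.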
@@ -108,30 +109,30 @@ def handler(dn, new, old):
create_certificate(new['cn'][0], int(new['uidNumber'][0]), domainname=new_domain)
else:
# Reset permissions
- ssldir='/etc/univention/ssl'
- certpath=os.path.join(ssldir,"%s.%s" % (new['cn'][0],new_domain))
- a=os.path.walk(certpath,set_permissions, None)
+ fqdn = "%s.%s" % (new['cn'][0], new_domain)
+ certpath = os.path.join(SSLDIR, fqdn)
+ a = os.path.walk(certpath, set_permissions, None)
finally:
set_privileges_cert(root=0)
- return
def set_permissions(tmp1, directory, filename):
global uidNumber
global gidNumber
-
+
univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber))
os.chown(directory, uidNumber, gidNumber)
os.chmod(directory, 0750)
for f in filename:
- file=os.path.join(directory,f)
+ file = os.path.join(directory, f)
univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (file, gidNumber, uidNumber))
os.chown(file, uidNumber, gidNumber)
- os.chmod(file, 0750)
+ os.chmod(file, 0640)
def remove_dir(tmp1, directory, filename):
+ """Remove directory and all files within."""
for f in filename:
- file=os.path.join(directory,f)
+ file = os.path.join(directory, f)
os.remove(file)
os.rmdir(directory)
@@ -139,55 +140,51 @@ def create_certificate(name, serverUidNumber, domainname):
global uidNumber
global gidNumber
uidNumber = serverUidNumber
-
- ssldir='/etc/univention/ssl'
- univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)
- certpath=os.path.join(ssldir,name+'.'+domainname)
- if os.path.exists(certpath):
- univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Certificate for host %s.%s already exists' % (name,domainname))
- if not os.path.islink("%s/%s" % (ssldir,name)):
- p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
- p.close
- a=os.path.walk(certpath,set_permissions, None)
- return
+ fqdn = '%s.%s' % (name, domainname)
+ certpath = os.path.join(SSLDIR, fqdn)
+ link_path = os.path.join(SSLDIR, name)
+ if os.path.exists(certpath):
+ univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Certificate for host %s already exists' % (fqdn,))
+ if os.path.islink(link_path):
+ return
+ else:
+ if len(fqdn) > 64:
+ univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s' % (fqdn,))
+ return
- if len("%s.%s" % (name,domainname)) > 64:
- univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'CERTIFICATE: can\'t create certificate, Common Name too long: %s.%s' % (name,domainname))
- return
-
- p = os.popen('. /usr/share/univention-ssl/make-certificates.sh; gencert %s.%s %s.%s' % (name,domainname,name,domainname) )
- p.close()
- p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) )
- p.close()
+ univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name)
-
- a=os.path.walk(certpath,set_permissions, None)
+ subprocess.call('. /usr/share/univention-ssl/make-certificates.sh; gencert %s %s' % (fqdn, fqdn), shell=True)
- return
+ # Create symlink
+ try:
+ os.remove(link_path)
+ except OSError, e:
+ pass
+ try:
+ os.symlink(certpath, link_path)
+ except OSError, e:
+ pass
+ # Fix permissions
+ a = os.path.walk(certpath, set_permissions, None)
def remove_certificate(name, domainname):
+ fqdn = '%s.%s' % (name, domainname)
+ univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s' % (fqdn,))
+ subprocess.call(('/usr/sbin/univention-certificate', 'revoke', '-name', fqdn))
- ssldir='/etc/univention/ssl'
-
- univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, 'CERTIFICATE: Revoke certificate %s.%s' % (name,domainname))
- p = os.popen('/usr/sbin/univention-certificate revoke -name %s.%s' % (name,domainname) )
- p.close()
-
- link_path=os.path.join(ssldir,name)
+ link_path = os.path.join(SSLDIR, name)
if os.path.exists(link_path):
os.remove(link_path)
- certpath=os.path.join(ssldir,"%s.%s" % (name,domainname))
+ certpath = os.path.join(SSLDIR, fqdn)
if os.path.exists(certpath):
- a=os.path.walk(certpath,remove_dir, None)
-
- return
+ a = os.path.walk(certpath, remove_dir, None)
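Review bot: `subprocess.call('... gencert %s %s' % (fqdn, fqdn), shell=True)` still builds the command line by string interpolation, so replacing os.popen does not change how `cn` and `associatedDomain` values read from LDAP reach the shell; pass them as positional parameters instead, `subprocess.call(('/bin/sh', '-c', '. /usr/share/univention-ssl/make-certificates.sh; gencert "$1" "$2"', 'gencert', fqdn, fqdn))`, which also matches the argument-tuple form remove_certificate uses below. The return code of that call is discarded, so a failed gencert is only noticed later, if at all, when the symlink and permission steps operate on a missing directory; log the status and return when it is non-zero. Both `except OSError, e: pass` blocks drop the error and leave `e` unused — the os.symlink failure at least deserves a debug message. `a = os.path.walk(...)` binds None (os.path.walk has no return value), so the assignment can go.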
def clean():
return
def postrun():
return
-
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
index 361e8fb..c95d283 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh
@@ -3,7 +3,7 @@
# Univention SSL
# gencertificate script
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -35,9 +35,9 @@
# http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/
if [ -n "$sslbase" ]; then
- SSLBASE="$sslbase"
+ SSLBASE="$sslbase"
else
- SSLBASE=/etc/univention/ssl
+ SSLBASE=/etc/univention/ssl
fi
CA=ucsCA
@@ -57,23 +57,20 @@ else
fi
mk_config () {
-
- local outfile=$1;
- local password=$2;
+ local outfile=$1
+ local password=$2
local days=$3
local name=$4
- if test -e $outfile; then
- rm $outfile;
+ if test -e "$outfile"; then
+ rm -f "$outfile"
fi
- touch $outfile;
- chmod 0600 $outfile;
+ touch "$outfile"
+ chmod 0600 "$outfile"
eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)"
-
- cat <>$outfile
-
+ cat >"$outfile" <>$outfile
+ if [ -n "$password" ]; then
+ cat >>"$outfile" <>$outfile
+ cat >>"$outfile" < "$SSLBASE/password"
fi
- PASSWD=`cat "$SSLBASE/password"`
+ local PASSWD=`cat "$SSLBASE/password"`
- local OPWD=`pwd`;
+ local OPWD=$(pwd)
# create directory infrastructure
cd "$SSLBASE"
- mkdir -m 700 -p ${CA};
- mkdir -p ${CA}/{certs,crl,newcerts,private};
- echo "01" > ${CA}/serial;
- touch ${CA}/index.txt;
+ mkdir -m 700 -p "${CA}"
+ mkdir -p "${CA}/"{certs,crl,newcerts,private}
+ echo "01" >"${CA}/serial"
+ touch "${CA}/index.txt"
eval "$(ucr shell ssl/common)"
# make the root-CA configuration file
- mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common"
+ mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common"
-
- openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048
- yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem
+ openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048
+ yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem"
# copy the public key to a place, from where browsers can access it
- openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt
+ openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt
# mv the certificate to the certs dir and link it to its hash value
- cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem
- move_cert ${CA}/newcerts/00.pem
+ cp "${CA}/CAcert.pem" "${CA}/newcerts/00.pem"
+ move_cert "${CA}/newcerts/00.pem"
# generate root ca request
- openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD
+ openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD"
- find ${CA} -type f | xargs chmod 600
- find ${CA} -type d | xargs chmod 700
+ find "${CA}" -type f -exec chmod 600 {} +
+ find "${CA}" -type d -exec chmod 700 {} +
- chmod 755 ${CA}
- chmod 644 ${CA}/CAcert.pem
- #generate empty crl at installation time
- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD"
- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der
+ chmod 755 "${CA}"
+ chmod 644 "${CA}/CAcert.pem"
+ #generate empty crl at installation time
+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der
cd "$OPWD"
}
list_cert_names () {
- local OPWD=`pwd`
+ local OPWD=$(pwd)
cd "$SSLBASE"
awk 'BEGIN { FS="\t"; }
{ if ( $1 == "V" )
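Review bot: The new `local PASSWD=` line masks a failed read of `$SSLBASE/password` (the status of the line is that of `local`, not of the backtick substitution), and making the variable local to init means `$PASSWD` is no longer visible to renew_cert, revoke_cert and gencert, which pass it to `-passin`, unless a file-level assignment outside this hunk provides it — worth confirming before the scope change lands. Independently, every `-passin pass:"$PASSWD"` and `-passout pass:"$PASSWD"` places the CA password on an openssl command line, where it is readable by other local users through the process list; since the password already resides in `$SSLBASE/password`, `-passin file:"$SSLBASE/password"` (and the matching `-passout file:`) keeps it out of argv. The here-documents of mk_config are truncated in this rendering, so that part of the hunk could not be reviewed.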
@@ -323,80 +317,80 @@ list_cert_names () {
}
}
}
- }'< ${CA}/index.txt
+ }' <"${CA}/index.txt"
cd "$OPWD"
}
has_valid_cert () {
- list_cert_names | egrep -q "$1$";
+ list_cert_names | egrep -q "$1$"
}
renew_cert () {
- local OPWD=`pwd`;
- cd "$SSLBASE";
-
+ local OPWD=$(pwd)
+ cd "$SSLBASE"
+
if [ -z "$1" ]; then
- echo "missing certificate name" 1>&2;
- return 1;
+ echo "missing certificate name" 1>&2
+ return 1
fi
-
- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`;
+
+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
if [ -z "$NUM" ]; then
- echo "no certificate for $1 registered" 1>&2;
- return 1;
- fi;
-
+ echo "no certificate for $1 registered" >&2
+ return 1
+ fi
+
if [ -z "$2" ]; then
days=$DEFAULT_DAYS
fi
-
+
# revoke cert
- revoke_cert $1
+ revoke_cert "$1"
# get host extension file
hostExt=$(ucr get ssl/host/extensions)
if [ -s "$hostExt" ]; then
- source $hostExt
+ . "$hostExt"
extFile=$(createHostExtensionsFile "$1")
- fi
-
+ fi
+
# sign the request
if [ -s "$extFile" ]; then
- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \
- -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
+ -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
rm -f "$extFile"
else
- openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \
- -out "$1/cert.pem" -passin pass:"$PASSWD"
+ openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \
+ -out "$1/cert.pem" -passin pass:"$PASSWD"
fi
-
+
# move the new certificate to its place
- move_cert ${CA}/newcerts/*;
- cd "$OPWD";
+ move_cert "${CA}/newcerts/"*
+ cd "$OPWD"
}
# Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll
revoke_cert () {
- local OPWD=`pwd`;
- cd "$SSLBASE";
+ local OPWD=`pwd`
+ cd "$SSLBASE"
if [ -z "$1" ]; then
- echo "missing certificate name" 1>&2;
- return 1;
+ echo "missing certificate name" >&2
+ return 1
fi
- local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`;
+ local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`
if [ -z "$NUM" ]; then
- echo "no certificate for $1 registered" 1>&2;
- return 1;
- fi;
- openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD"
- openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD"
- openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der
-
- cd "$OPWD";
+ echo "no certificate for $1 registered" >&2
+ return 1
+ fi
+ openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
+ openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD"
+ openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der
+
+ cd "$OPWD"
}
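Review bot: `egrep -q "$1$"` in has_valid_cert treats the certificate name as an extended regex anchored only at the end, so `.` matches any character and a name that is a suffix of another (`host.example.com` against `otherhost.example.com`) counts as valid; the unanchored `grep "$1"` that selects NUM in renew_cert and revoke_cert has the same substring problem and can pick another certificate's serial to revoke. Escape the regex metacharacters in `$1` and anchor the start of the name too (presumably on the separator list_cert_names prints before the name, which is not visible in this hunk), or do the exact comparison inside the awk script. renew_cert never assigns its second argument — `if [ -z "$2" ]; then days=$DEFAULT_DAYS; fi` handles only the empty case, so `$2` takes effect only through a caller-set global while gencert now declares `local days`; `local days=${2:-$DEFAULT_DAYS}` fixes both. revoke_cert's exit status is that of its final `cd "$OPWD"`, so a failing `openssl ca ... -revoke` is invisible to renew_cert, which then issues a new certificate with the old one still unrevoked; check that status and return non-zero. revoke_cert's OPWD line and both NUM lines still use backtick substitution next to the new `$(pwd)`.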
@@ -410,40 +404,40 @@ gencert () {
local OPWD=`pwd`
cd "$SSLBASE"
if has_valid_cert "$2"; then
- revoke_cert "$2";
- fi;
+ revoke_cert "$2"
+ fi
- days=$(/usr/sbin/univention-config-registry get ssl/default/days)
+ local days=$(/usr/sbin/univention-config-registry get ssl/default/days)
if [ -z "$days" ]; then
days=$DEFAULT_DAYS
fi
# generate a key pair
- mkdir -pm 700 $name
- mk_config "$name/openssl.cnf" "" $days "$cn"
+ mkdir -pm 700 "$name"
+ mk_config "$name/openssl.cnf" "" "$days" "$cn"
openssl genrsa -out "$name/private.key" 1024
yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"
# get host extension file
- hostExt=$(ucr get ssl/host/extensions)
+ local hostExt=$(ucr get ssl/host/extensions)
if [ -s "$hostExt" ]; then
- source $hostExt
- extFile=$(createHostExtensionsFile "$cn")
- fi
+ . "$hostExt"
+ local extFile=$(createHostExtensionsFile "$cn")
+ fi
# sign the key
if [ -s "$extFile" ]; then
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
- -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
+ -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile"
rm -f "$extFile"
else
openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \
- -out "$name/cert.pem" -passin pass:"$PASSWD"
+ -out "$name/cert.pem" -passin pass:"$PASSWD"
fi
# move the new certificate to its place
- move_cert ${CA}/newcerts/*;
+ move_cert "${CA}/newcerts/"*
- find $name -type f | xargs chmod 600
- find $name -type d | xargs chmod 700
+ find "$name" -type f -exec chmod 600 {} +
+ find "$name" -type d -exec chmod 700 {} +
cd "$OPWD"
}
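Review bot: `-days $days` on the two `openssl ca` lines is still unquoted although every other expansion in this hunk was quoted, and `local days=$(...)` masks the exit status of univention-config-registry (the following `-z` test only catches empty output). `openssl genrsa -out "$name/private.key" 1024` generates 1024-bit host keys while init creates the CA key with 2048 bits; this is pre-existing, but 1024-bit RSA was already deprecated for new keys by 2012, so use 2048 here as well. `local extFile=...` inside the `if` is function-scoped in bash, so the later `[ -s "$extFile" ]` sees an unset variable when no extension file is configured, which is harmless without `set -u`. gencert starts before this hunk.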
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync b/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync
index 0f24f61..c76ca16 100644
--- a/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/ssl-sync
@@ -3,7 +3,7 @@
# Univention SSL
# ssl sync script
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate
index 6d1a963..9950253 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate
@@ -3,7 +3,7 @@
# Univention SSL
# openssl wrapper
#
-# Copyright 2004-2011 Univention GmbH
+# Copyright 2004-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -29,7 +29,7 @@
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# .
-
+set -o errfail
usage ()
{
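Review bot: `set -o errfail` is not a valid bash or POSIX sh option name; the shell prints `set: errfail: invalid option name`, the command itself fails, and the script continues without exit-on-error, so none of the later `|| usage ...` guards gain the behaviour this line appears intended to add. The option is `set -o errexit` (equivalently `set -e`). With errexit actually active, the `shift 2 || usage ...` guards in the option loop stay necessary, since they are the only path that prints a message before exiting.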
@@ -50,12 +50,12 @@ usage ()
echo " dump"
echo " list"
echo ""
- echo "Options"
+ echo "Options:"
echo " -name "
echo " -days "
echo ""
- exit
+ exit 2
}
command="$1"
@@ -63,38 +63,34 @@ shift
if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then
if [ -n "$command" ]; then
- usage "unknown command: $command"
+ usage "unknown command: $command" >&2
else
- usage
+ usage >&2
fi
fi
while [ $# -gt 0 ]; do
case "$1" in
"-path")
- shift
- path="$1"
- shift
+ path="$2"
+ shift 2 || usage "Missing argument to -path" >&2
;;
"-name")
- shift
- name="$1"
- shift
+ name="$2"
+ shift 2 || usage "Missing argument to -name" >&2
;;
"-days")
- shift
- days="$1"
- shift
+ days="$2" || usage "Missing argument to -days" >&2
+ shift 2
;;
*)
- usage "unknown option $1"
- shift
+ usage "unknown option $1" >&2
;;
esac
done
if [ "$command" != "list" -a -z "$name" ]; then
- usage "missing -name"
+ usage "missing -name" >&2
fi
cd /etc/univention/ssl
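Review bot: In the `-days` arm the guard is attached to the assignment, `days="$2" || usage "Missing argument to -days" >&2`, and a plain assignment never fails, so a missing argument is never reported there; the bare `shift 2` that follows then fails on its own. Make it match the `-path` and `-name` arms: `days="$2"` followed by `shift 2 || usage "Missing argument to -days" >&2`. The `-a` operator in the `[ ... ]` tests is marked obsolescent by POSIX; separate `[ ]` tests joined with `&&` are unambiguous.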
@@ -105,8 +101,8 @@ case "$command" in
"new")
echo "Creating certificate: $name"
gencert "/etc/univention/ssl/$name" "$name"
- getent group "DC Backup Hosts" 2>&1 >/dev/null
- if [ $? = 0 ]; then
+ if getent group "DC Backup Hosts" 2>&1 >/dev/null
+ then
chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name"
chmod -R g+rx "/etc/univention/ssl/$name"
fi
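Review bot: `chmod -R g+rx "/etc/univention/ssl/$name"` sets the execute bit on every file in the certificate directory, which contradicts this commit's own change in gencertificate.py that drops `+x` from files (`os.chmod(file, 0640)`); `chmod -R g+rX` applies `x` only to directories and files that already have it. Also `getent group "DC Backup Hosts" 2>&1 >/dev/null` redirects stderr to the original stdout before stdout is discarded, so error text is still printed; the intended order is `>/dev/null 2>&1`.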
@@ -117,18 +113,20 @@ case "$command" in
;;
"renew")
if [ -z "$days" ]; then
- usage "missing -days"
+ usage "missing -days" >&2
fi
echo "Renew certificate: $name"
renew_cert "$name" "$days"
;;
"check")
echo -n "Certificate \"$name\" is "
- has_valid_cert $name
- if [ $? = 0 ]; then
+ if has_valid_cert "$name"
+ then
echo "valid"
+ exit 0
else
echo "invalid"
+ exit 1
fi
;;
"list")
@@ -137,7 +135,6 @@ case "$command" in
;;
"dump")
echo "Dump certificate: $name"
- openssl x509 -in /etc/univention/ssl/$name/cert.pem -noout -text
+ openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text
;;
esac
-
diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
index 98bbbca..639fd22 100755
--- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
+++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity
@@ -4,7 +4,7 @@
# Univention SSL
# checks validity of the local SSL certificate
#
-# Copyright 2006-2011 Univention GmbH
+# Copyright 2006-2012 Univention GmbH
#
# http://www.univention.de/
#
@@ -37,9 +37,9 @@ import calendar
from M2Crypto import X509
-import univention_baseconfig
+from univention.config_registry import ConfigRegistry
-_bc = univention_baseconfig.baseConfig()
+_bc = ConfigRegistry()
_bc.load()
def get_validity_date(certFile):