

(-)/home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate (-1 / +4 lines)
 Lines 50-55    Link Here 
50
	echo "Options:"
50
	echo "Options:"
51
	echo "        -name <name>"
51
	echo "        -name <name>"
52
	echo "        -days <days>"
52
	echo "        -days <days>"
53
	echo "        -grace <grace>" # grace period, also in days
53
54
54
	[ -n "$1" ] && exit 2 || exit 0
55
	[ -n "$1" ] && exit 2 || exit 0
55
}
56
}
 Lines 75-80    Link Here 
75
command=
76
command=
76
name=
77
name=
77
days=
78
days=
79
grace="0"
78
while [ $# -ge 1 ]
80
while [ $# -ge 1 ]
79
do
81
do
80
	case "$1" in
82
	case "$1" in
 Lines 86-91    Link Here 
86
	dump) command="$1" ;;
88
	dump) command="$1" ;;
87
	-name|--name) name="${2:?Missing argument to -name}" ; shift ;;
89
	-name|--name) name="${2:?Missing argument to -name}" ; shift ;;
88
	-days|--days) days="${2:?Missing argument to -days}" ; shift ;;
90
	-days|--days) days="${2:?Missing argument to -days}" ; shift ;;
91
	-grace|--grace) grace="${2:-0}" ; shift ;;
89
	-h|--help|--usage|-\?) usage ;;
92
	-h|--help|--usage|-\?) usage ;;
90
	-*) usage "Unknown option: '$1'" >&2 ;;
93
	-*) usage "Unknown option: '$1'" >&2 ;;
91
	*) usage "Unknown command: '$1'" >&2 ;;
94
	*) usage "Unknown command: '$1'" >&2 ;;
 Lines 120-126    Link Here 
120
		run_only master exclusive
123
		run_only master exclusive
121
		: ${days:?Missing argument -days}
124
		: ${days:?Missing argument -days}
122
		echo "Renew certificate: $name"
125
		echo "Renew certificate: $name"
123
		renew_cert "$name" "$days"
126
		renew_cert "$name" "$days" "$grace"
124
}
127
}
125
128
126
check () {
129
check () {
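Review bot: The new `-grace|--grace) grace="${2:-0}" ; shift ;;` arm handles a missing argument differently from the `-name` and `-days` arms directly above it, which abort with `${2:?Missing argument to …}`; with `:-0` a trailing bare `-grace` silently means zero, and `-grace renew` consumes the command word as the grace value. The value is also never checked to be a non-negative integer, although it is handed straight to renew_cert and, from the second file in this patch, ends up in an arithmetic `-eq` test. Using `grace="${2:?Missing argument to -grace}" ; shift` for consistency and adding `case "$grace" in ''|*[!0-9]*) usage "Invalid grace period: '$grace'" >&2 ;; esac` after the option loop would reject bad input before any certificate is touched. In the usage hunk, `# grace period, also in days` is a shell comment the user never sees; move the explanation into the echoed text, e.g. `echo "        -grace <days>   (days the old certificate stays valid before it is revoked)"`, if that wording matches the implemented behaviour.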
(-)/home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh (-3 / +55 lines)
 Lines 43-48    Link Here 
43
: ${DEFAULT_CRL_DAYS:=10}
43
: ${DEFAULT_CRL_DAYS:=10}
44
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
44
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
45
: ${DEFAULT_DAYS:=1825}
45
: ${DEFAULT_DAYS:=1825}
46
DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)"
47
: ${DEFAULT_GRACE:=0}
46
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
48
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
47
: ${DEFAULT_MD:=sha256}
49
: ${DEFAULT_MD:=sha256}
48
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
50
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
 Lines 133-138    Link Here 
133
135
134
policy              = policy_match
136
policy              = policy_match
135
137
138
unique_subject      = no
139
136
[ policy_match ]
140
[ policy_match ]
137
141
138
countryName		= match
142
countryName		= match
 Lines 336-342    Link Here 
336
			if ( X[i] ~ /^CN=/ ) {
340
			if ( X[i] ~ /^CN=/ ) {
337
				split ( X[i], Y, "=" );
341
				split ( X[i], Y, "=" );
338
				if ( name == Y[2] ) {
342
				if ( name == Y[2] ) {
339
					seq = $4;
343
					if ( $1 == "V" ) {
344
						seq = seq$4" ";
345
					}
340
					ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
346
					ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
341
				}
347
				}
342
			}
348
			}
 Lines 348-355    Link Here 
348
renew_cert () {
354
renew_cert () {
349
	local fqdn="${1:?Missing argument: common name}"
355
	local fqdn="${1:?Missing argument: common name}"
350
	local days="${2:-$DEFAULT_DAYS}"
356
	local days="${2:-$DEFAULT_DAYS}"
357
	local grace="${3:-$DEFAULT_GRACE}" 
351
358
352
	revoke_cert "$fqdn" || [ $? -eq 2 ] || return $?
359
	revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?
353
360
354
	(
361
	(
355
	cd "$SSLBASE"
362
	cd "$SSLBASE"
 Lines 361-366    Link Here 
361
368
362
revoke_cert () {
369
revoke_cert () {
363
	local fqdn="${1:?Missing argument: common name}"
370
	local fqdn="${1:?Missing argument: common name}"
371
	local grace="${2:-$DEFAULT_GRACE}"
364
372
365
	local cn NUM
373
	local cn NUM
366
	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"
374
	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"
 Lines 371-377    Link Here 
371
		return 2
379
		return 2
372
	fi
380
	fi
373
381
374
	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
382
	if [ "$grace" -eq 0 ]; then
383
		# revoke all certificates of this fqdn
384
		for num in $NUM; do
385
			openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
386
		done
387
	else
388
		# remember all certificates of this fqdn for revocation after the grace period
389
		pending_file="${SSLBASE}/pending.txt"
390
		[ -f "$pending_file" ] || touch "$pending_file"
391
		pending_certs="$(cat $pending_file)"
392
		>"$pending_file"
393
394
		for num in $NUM; do
395
			echo "$num:$grace" >>"$pending_file"
396
		done
397
398
		for cert in $pending_certs; do
399
			num="$(echo $cert | sed 's/:.*//')"
400
			grace="$(echo $cert | sed 's/.*://')"
401
			if [[ "$NUM" != *"$num"* ]]; then
402
				echo "$num:$grace" >>"$pending_file"
403
			fi
404
		done
405
	fi
406
407
	gencrl
408
}
409
410
update_pending_certs () {
411
	pending_file="${SSLBASE}/pending.txt"
412
	[ -f "$pending_file" ] || touch "$pending_file"
413
	pending_certs="$(cat $pending_file)"
414
	>"$pending_file"
415
416
	for cert in $pending_certs; do
417
		num="$(echo $cert | sed 's/:.*//')"
418
		grace="$(echo $cert | sed 's/.*://')"
419
		grace="$((grace-1))"
420
		if [ "$grace" -gt "0" ]; then
421
			echo "$num:$grace" >>"$pending_file"
422
		else
423
			openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
424
		fi
425
	done
426
375
	gencrl
427
	gencrl
376
}
428
}
377
429
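Review bot: The pending-list filter in revoke_cert, `if [[ "$NUM" != *"$num"* ]]; then`, is a substring test rather than a whole-serial comparison, so an older pending entry whose serial is a substring of any serial now in NUM (a constructed example: `0A` against `10AB`) is silently dropped from pending.txt and is never revoked once its grace period ends. Since the awk change at old line 339 now appends each valid serial followed by a space, `case " $NUM " in *" $num "*) ;; *) echo "$num:$grace" >>"$pending_file" ;; esac` compares whole tokens and also avoids the `[[` bashism, which the surrounding `[ ]` tests in these hunks do not use. The grace value is never verified to be an integer before `[ "$grace" -eq 0 ]` and `$((grace-1))`; a non-numeric value makes the first test fail into the else branch and later breaks update_pending_certs, so rejecting anything but digits at the top of revoke_cert would keep the pending file parseable. `num`, `cert`, `pending_file`, `pending_certs` and, in update_pending_certs, `grace` are not declared `local`, the read-and-rewrite of pending.txt is duplicated between the two functions without any locking, and `cat $pending_file` is unquoted, so a renewal running concurrently with the periodic update can lose entries. update_pending_certs counts grace down by one per invocation, which only equals days if it is run exactly once a day (presumably from a daily cron job not visible here); storing the intended revocation date instead of a counter would make the deferral independent of the call schedule.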
