Attachment #8045 for bug #41013

(-)base/univention-ssl/debian/changelog (+7 lines)

Lines 1-3	Link Here

univention-ssl (10.0.0-17ubuntu1) UNRELEASED; urgency=medium

  * Bug #41013: univention-certificate should offer a renew-option with

                a transition period (-grace <grace period in days>)

 -- Julius Hinrichs <hinrichs@univention.de>  Wed, 28 Sep 2016 16:02:00 +0200

univention-ssl (10.0.0-17) unstable; urgency=low

univention-ssl (10.0.0-17) unstable; urgency=low

  * Bug #41917: Fix dash local variable quoting

  * Bug #41917: Fix dash local variable quoting

(-)base/univention-ssl/debian/univention-ssl.cron.daily (-2 / +4 lines)

Lines 1-4	Link Here

#!/bin/sh

#!/bin/bash

# Copyright 2004-2016 Univention GmbH

# Copyright 2004-2016 Univention GmbH

# http://www.univention.de/

# http://www.univention.de/

Lines 28-33	Link Here

PATH=/usr/sbin:/usr/bin:/sbin:/bin

PATH=/usr/sbin:/usr/bin:/sbin:/bin

. /usr/share/univention-ssl/make-certificates.sh

update_pending_certs

rv=0 tmp=$(mktemp)

rv=0 tmp=$(mktemp)

trap "rm -f '$tmp'" EXIT

trap "rm -f '$tmp'" EXIT

exec >"$tmp" 2>&1

exec >"$tmp" 2>&1

Lines 44-50	Link Here

	interval=$(ucr get ssl/crl/interval)

	interval=$(ucr get ssl/crl/interval)

	[ "${interval:-0}" -ge 1 ] || return 0

	[ "${interval:-0}" -ge 1 ] || return 0

	[ -f "$crl" ] && [ -n "$(find "$crl" -mtime "-$interval")" ] && return 0

	[ -f "$crl" ] && [ -n "$(find "$crl" -mtime "-$interval")" ] && return 0

	. /usr/share/univention-ssl/make-certificates.sh

	gencrl

	gencrl

check_gen_crl || rv=$?

check_gen_crl || rv=$?

(-)base/univention-ssl/make-certificates.sh (-3 / +65 lines)

Lines 43-48	Link Here

: ${DEFAULT_CRL_DAYS:=10}

: ${DEFAULT_CRL_DAYS:=10}

DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"

DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"

: ${DEFAULT_DAYS:=1825}

: ${DEFAULT_DAYS:=1825}

DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)"

: ${DEFAULT_GRACE:=0}

DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"

DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"

: ${DEFAULT_MD:=sha256}

: ${DEFAULT_MD:=sha256}

DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"

DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"

Lines 133-138	Link Here

133

135

134

policy              = policy_match

136

policy              = policy_match

135

137

138

unique_subject      = no

139

136

[ policy_match ]

140

[ policy_match ]

137

141

138

countryName		= match

142

countryName		= match

Lines 336-342	Link Here

336

			if ( X[i] ~ /^CN=/ ) {

340

			if ( X[i] ~ /^CN=/ ) {

337

				split ( X[i], Y, "=" );

341

				split ( X[i], Y, "=" );

338

				if ( name == Y[2] ) {

342

				if ( name == Y[2] ) {

339

					seq = $4;

343

					if ( $1 == "V" ) {

344

						seq = seq$4" ";

345

340

					ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;

346

					ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;

341

347

342

348

Lines 348-355	Link Here

348

renew_cert () {

354

renew_cert () {

349

	local fqdn="${1:?Missing argument: common name}"

355

	local fqdn="${1:?Missing argument: common name}"

350

	local days="${2:-$DEFAULT_DAYS}"

356

	local days="${2:-$DEFAULT_DAYS}"

357

	local grace="${3:-$DEFAULT_GRACE}"

351

358

352

	revoke_cert "$fqdn" || [ $? -eq 2 ] || return $?

359

	revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?

353

360

354

361

355

	cd "$SSLBASE"

362

	cd "$SSLBASE"

Lines 361-366	Link Here

361

368

362

revoke_cert () {

369

revoke_cert () {

363

	local fqdn="${1:?Missing argument: common name}"

370

	local fqdn="${1:?Missing argument: common name}"

371

	local grace="${2:-$DEFAULT_GRACE}"

364

372

365

	local cn NUM

373

	local cn NUM

366

	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"

374

	[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"

Lines 371-381	Link Here

371

		return 2

379

		return 2

372

fi

380

fi

373

381

374

	openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"

382

	if [ "$grace" -eq 0 ]; then

383

		# revoke all certificates of this fqdn

384

		for num in "${NUM[@]}"; do

385

			local num1=$(sed 's/\s.*$//' <<< "$num")

386

			openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num1}.pem" -passin pass:"$PASSWD"

387

		done

388

	else

389

		# remember all certificates of this fqdn for revocation after the grace period

390

		pending_file="${SSLBASE}/pending.txt"

391

		[ -f "$pending_file" ] || touch "$pending_file"

392

		chmod 600 "$pending_file"

393

		local pending_certs=$(cat "$pending_file")

394

		local temp=$(mktemp)

395

396

		for num in "${NUM[@]}"; do

397

			local num=$(sed 's/\s.*$//' <<< "$num")

398

			local now=$(date +"%s")

399

			local expire="$(($now + ($grace * 3600 * 24)))"

400

			echo "$num:$expire" >>"$temp"

401

		done

402

403

		for cert in "${pending_certs[@]}"; do

404

			local num=$(sed 's/:.*//' <<< "$cert")

405

			local expire=$(sed 's/.*://' <<< "$cert")

406

			if [[ "$NUM" != *"$num"* ]]; then

407

				echo "$num:$expire" >>"$temp"

408

fi

409

		done

410

		mv "$temp" "$pending_file"

411

		chmod 600 "$pending_file"

412

fi

413

375

	gencrl

414

	gencrl

376

415

377

416

417

update_pending_certs () {

418

	local pending_file="${SSLBASE}/pending.txt"

419

	[ -f "$pending_file" ] || touch "$pending_file"

420

	chmod 600 "$pending_file"

421

	local pending_certs=$(cat "$pending_file")

422

	local temp=$(mktemp)

378

423

424

	for cert in "${pending_certs[@]}"; do

425

		local num=$(sed 's/:.*//' <<< "$cert")

426

		local expire=$(sed 's/.*://' <<< "$cert")

427

		local now=$(date +"%s")

428

		if [ "$now" -gt "$expire" ]; then

429

			openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"

430

		else

431

			echo "$num:$expire" >>"$temp"

432

fi

433

	done

434

435

	mv "$temp" "$pending_file"

436

	chmod 600 "$pending_file"

437

	gencrl

438

439

440

379

# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll

441

# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll

380

# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird.

442

# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird.

381

443




	echo "Options:"
	echo "        -name <name>"
	echo "        -days <days>"
	echo "        -grace <grace> (grace period, in days)"

	[ -n "$1" ] && exit 2 || exit 0
}

command=
name=
days=
grace=
while [ $# -ge 1 ]
do
	case "$1" in

	dump) command="$1" ;;
	-name|--name) name="${2:?Missing argument to -name}" ; shift ;;
	-days|--days) days="${2:?Missing argument to -days}" ; shift ;;
	-grace|--grace) grace="${2:?Missing argument to -grace}" ; shift ;;
	-h|--help|--usage|-\?) usage ;;
	-*) usage "Unknown option: '$1'" >&2 ;;
	*) usage "Unknown command: '$1'" >&2 ;;

		run_only master exclusive
		: ${days:?Missing argument -days}
		echo "Renew certificate: $name"
		renew_cert "$name" "$days" "$grace"
}

check () {




#!/usr/share/ucs-test/runner bash
## desc: Test if a certificate can be renewed with a grace period
## roles: [domaincontroller_master]
## exposure: dangerous
## bugs: [41013]

SSLBASE="${sslbase:-/etc/univention/ssl}"
pending_file="${SSLBASE}/pending.txt"

test_cert_name="test_cert_45690870"
test_days=1825
test_grace=3

if [ ! $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "0" ]; then
	echo "Test not possible. A certificate for $test_cert_name already exists."
	exit 1
fi

list0=$(univention-certificate list)
univention-certificate new -name "$test_cert_name" >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "1" ] || exit 2

list1=$(univention-certificate list)
num1=$(comm -13 <(echo "$list0") <(echo "$list1") | sed 's/\t.*//')
univention-certificate renew -name "$test_cert_name" -days "$test_days" -grace "$test_grace" >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "2" ] || exit 3

list2=$(univention-certificate list)
num2=$(comm -13 <(echo "$list1") <(echo "$list2") | sed 's/\t.*//')
[ "$num1" != "$num2" ] || exit 4

/etc/cron.daily/univention-ssl >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "2" ] || exit 5

# change expire date to an earlier date
temp=$(mktemp)
pending_certs=$(cat "$pending_file")
for cert in "${pending_certs[@]}"; do
	num=$(sed 's/:.*//' <<< "$cert")
	expire=$(sed 's/.*://' <<< "$cert")
	if [ "$num" == "$num1" ]; then
		expire="$(($expire - ($test_grace * 3600 * 24)))"
	fi
	echo "$num:$expire" >>"$temp"
done
mv "$temp" "$pending_file"
chmod 600 "$pending_file"

/etc/cron.daily/univention-ssl >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "1" ] || exit 6

univention-certificate revoke -name $test_cert_name >/dev/null 2>&1
[ $(univention-certificate list | grep "$test_cert_name" | wc -l) -eq "0" ] || exit 7

exit 0

*

Return to bug 41013