smeserver/smeserver-base
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Thu Jun 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-33.sme

Browse Source 
- fix autorenew of self-signed certificate [SME: 12218]
  strips unsupported characters, use utf8 encoding
This commit is contained in:
Jean-Philippe Pialasse 2025-06-12 10:06:01 -04:00
parent 6957c1ab9c
commit 08d064bd3d
2 changed files with 54 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
root/etc/e-smith/templates/home/e-smith/ssl.crt
View File

@ -2,6 +2,7 @@
use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365; use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
use esmith::ssl; use esmith::ssl;
use Date::Parse; use Date::Parse;
use utf8;
use Cwd; use Cwd;
use Net::IP qw(ip_is_ipv4 ip_is_ipv6); use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
use esmith::Logger; use esmith::Logger;
@ -38,65 +39,69 @@
$defaultCity = substr($defaultCity, 0, 128); $defaultCity = substr($defaultCity, 0, 128);
$defaultCompany = substr($defaultCompany, 0, 64); $defaultCompany = substr($defaultCompany, 0, 64);
$defaultDepartment = substr($defaultDepartment, 0, 64); $defaultDepartment = substr($defaultDepartment, 0, 64);
$defaultDepartment =~ s/[''"]//g;
$email = substr($email, 0, 64); $email = substr($email, 0, 64);
$commonName = substr($commonName, 0, 64); $commonName = substr($commonName, 0, 64);
# if self-signed certificate files exists, is a certificate, and is still valid # if self-signed certificate files exists, is a certificate, and is still valid
if ( cert_exists_good_size ) if ( cert_exists_good_size )
{ {
# check expiry date, if less than 2 days from now we update it. # check expiry date, if less than 2 days from now we update it.
my $expire = `openssl x509 -enddate -noout -in $crt`; my $expire = `openssl x509 -enddate -noout -in $crt`;
$expire =~ s/^notAfter=//; $expire =~ s/^notAfter=//;
$expire = str2time($expire); $expire = str2time($expire);
my $ttl_days = ($expire - time()) / 60 / 60 / 24; my $ttl_days = ($expire - time()) / 60 / 60 / 24;
# check the cert and the key are related, if key has been changed, then we need to change the cert # check the cert and the key are related, if key has been changed, then we need to change the cert
my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`; my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) { if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
my $expected_issuer = 'C = '.$Country . my $expected_issuer = 'C='.$Country .
', ST = '.$State; ', ST='.$State;
$expected_issuer .= ', L = ' . ($defaultCity ? $defaultCity : 'Default City'); $expected_issuer .= ', L=' . ($defaultCity ? $defaultCity : 'Default City');
$expected_issuer .= ', O = ' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd'); $expected_issuer .= ', O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
$expected_issuer .= ", OU = $defaultDepartment" if $defaultDepartment; $expected_issuer .= ", OU=$defaultDepartment" if $defaultDepartment;
$expected_issuer .= ", CN = $commonName" . $expected_issuer .= ", CN=$commonName" .
", emailAddress = $email"; ", emailAddress=$email";
my $issuer = `openssl x509 -issuer -noout -in $crt`; # format so we can compare with right encoding
my $issuer = `openssl x509 -issuer -nameopt dump_der -noout -in $crt`;
chomp $issuer; chomp $issuer;
$issuer =~ s/^issuer=//; $issuer =~ s/^issuer=//;
# we remove any "
$issuer =~ s/["]//g;
my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`; my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
chomp $signatureAlg; chomp $signatureAlg;
$signatureAlg =~ s/^ *Signature Algorithm: //; $signatureAlg =~ s/^ *Signature Algorithm: //;
# Test for expected subjectAltName # Test for expected subjectAltName
# openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }' # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
$expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`; $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
chomp $expected_subjectAltName; chomp $expected_subjectAltName;
print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer); print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer);
print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption"); print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption");
print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName); print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName);
if ( if (
($issuer eq $expected_issuer) ($issuer eq $expected_issuer)
&& ($signatureAlg ne "sha1WithRSAEncryption") && ($signatureAlg ne "sha1WithRSAEncryption")
&& ($subjectAltName eq $expected_subjectAltName) && ($subjectAltName eq $expected_subjectAltName)
) )
{ {
# Old key file is still good. Read it out - processTemplate will work # Old key file is still good. Read it out - processTemplate will work
# out that it hasn't changed, and leave the old one in place # out that it hasn't changed, and leave the old one in place
open(C, "$crt") or die "Couldn't open crt file: $!"; open(C, "$crt") or die "Couldn't open crt file: $!";
my @crt = <C>; my @crt = <C>;
chomp @crt; chomp @crt;
$OUT = join "\n", @crt; $OUT = join "\n", @crt;
close(C); close(C);
return; return;
} }
} }
} }
# go to somewhere private and safe where we can run programs # go to somewhere private and safe where we can run programs
# as root # as root
unless (-e "/tmp/ssl") unless (-e "/tmp/ssl")
{ {
mkdir "/tmp/ssl", 0700; mkdir "/tmp/ssl", 0700;
} }
chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!"; chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!";
@ -104,21 +109,21 @@
unless (open(SSL,"-|")) unless (open(SSL,"-|"))
{ {
# child # child
exec("/usr/bin/openssl", exec("/usr/bin/openssl",
qw(req -new -key), qw(req -new -key),
$key, $key,
qw( -sha256 -x509 -days), KEYLIFEINDAYS, qw( -sha256 -x509 -days), KEYLIFEINDAYS,
qw(-set_serial), time(), qw(-set_serial), time(),
qw(-extensions v3_req), qw(-extensions v3_req),
qw(-config), "/etc/openssl.conf" qw(-config), "/etc/openssl.conf"
) )
|| die "can't exec program: $!"; || die "can't exec program: $!";
# NOTREACHED # NOTREACHED
} }
while (<SSL>) while (<SSL>)
{ {
$OUT .= $_; $OUT .= $_;
} }
close(SSL) or die "Closing openssl pipe reported: $!"; close(SSL) or die "Closing openssl pipe reported: $!";
chdir $here; chdir $here;

6
smeserver-base.spec
View File

@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
%define name smeserver-base %define name smeserver-base
Name: %{name} Name: %{name}
%define version 11.0.0 %define version 11.0.0
%define release 32 %define release 33
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@ -182,6 +182,10 @@ fi
%changelog %changelog
* Thu Jun 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-33.sme
- fix autorenew of self-signed certificate [SME: 12218]
strips unsupported characters, use utf8 encoding
* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme * Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme
- Replicate user accounts to samba Active Directory [SME: 12799] - Replicate user accounts to samba Active Directory [SME: 12799]