smeserver/smeserver-base
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit of file from CVS for e-smith-base on Thu 26 Oct 11:24:52 BST 2023

Browse Source
This commit is contained in:
Brian Read
2023-10-26 11:24:52 +01:00
parent bbc22988a8
commit 9510d1a360
678 changed files with 22721 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
root/etc/e-smith/templates/home/e-smith/ssl.crt Normal file
View File

@@ -0,0 +1,120 @@
{
use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
use esmith::ssl;
use Date::Parse;
use Cwd;
use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
my $here = getcwd;
my $Country = $modSSL{Country} || "--";
my $State = $modSSL{State} || "----";
my $FQDN = "$SystemName.$DomainName";
my $commonName = $modSSL{CommonName} || $FQDN;
my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
my $key = "/home/e-smith/ssl.key/$FQDN.key";
my $defaultCity = $ldap{defaultCity};
my $defaultCompany = $ldap{defaultCompany};
my $defaultDepartment = $ldap{defaultDepartment};
my $email = "admin\@$DomainName";
my @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`;
chomp @subjectAlt;
our $subjectAltName = "";
my $i=0;
for my $elem (@subjectAlt) {
$subjectAltName .= "," if $i>0;
$i++;
if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){
$subjectAltName .= "IP Address:$elem";
next;
}
$subjectAltName .= "DNS:$elem";
}
$subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName;
chomp $subjectAltName;
# crop fields that are too long for X509:
$Country = substr($Country, 0, 2);
$defaultCity = substr($defaultCity, 0, 128);
$defaultCompany = substr($defaultCompany, 0, 64);
$defaultDepartment = substr($defaultDepartment, 0, 64);
$email = substr($email, 0, 64);
$commonName = substr($commonName, 0, 64);
# if self-signed certificate files exists, is a certificate, and is still valid
if ( cert_exists_good_size )
{
# check expiry date, if less than 2 days from now we update it.
my $expire = `openssl x509 -enddate -noout -in $crt`;
$expire =~ s/^notAfter=//;
$expire = str2time($expire);
my $ttl_days = ($expire - time()) / 60 / 60 / 24;
# check the cert and the key are related, if key has been changed, then we need to change the cert
my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
my $expected_issuer = '/C='.$Country .
'/ST='.$State;
$expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City');
$expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
$expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
$expected_issuer .= "/CN=$commonName" .
"/emailAddress=$email";
my $issuer = `openssl x509 -issuer -noout -in $crt`;
chomp $issuer;
$issuer =~ s/^issuer= //;
my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
chomp $signatureAlg;
$signatureAlg =~ s/^ *Signature Algorithm: //;
# Test for expected subjectAltName
# openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
$expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
chomp $expected_subjectAltName;
if (
($issuer eq $expected_issuer)
&& ($signatureAlg ne "sha1WithRSAEncryption")
&& ($subjectAltName eq $expected_subjectAltName)
)
{
# Old key file is still good. Read it out - processTemplate will work
# out that it hasn't changed, and leave the old one in place
open(C, "$crt") or die "Couldn't open crt file: $!";
my @crt = <C>;
chomp @crt;
$OUT = join "\n", @crt;
close(C);
return;
}
}
}
# go to somewhere private and safe where we can run programs
# as root
unless (-e "/tmp/ssl")
{
mkdir "/tmp/ssl", 0700;
}
chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!";
$SIG{ALRM} = sub { die "whoops, $program pipe broke" };
unless (open(SSL,"-|"))
{
# child
exec("/usr/bin/openssl",
qw(req -new -key),
$key,
qw( -sha256 -x509 -days), KEYLIFEINDAYS,
qw(-set_serial), time(),
qw(-extensions v3_req),
qw(-config), "/etc/openssl.conf"
)
|| die "can't exec program: $!";
# NOTREACHED
}
while (<SSL>)
{
$OUT .= $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
chdir $here;
}

57
root/etc/e-smith/templates/home/e-smith/ssl.key Normal file
View File

@@ -0,0 +1,57 @@
{
use Cwd;
use esmith::ssl;
my $here = getcwd;
my $KeySize = $modSSL{KeySize} ||'4096';
my $FQDN = "$SystemName.$DomainName";
my $key = "/home/e-smith/ssl.key/$FQDN.key";
# if key exists and good size, we use it
if ( key_exists_good_size )
{
# Old key file is still good. Read it out - processTemplate will work
# out that it hasn't changed, and leave the old one in place
open(K, "$key") or die "Couldn't open key file: $!";
my @key = <K>;
chomp @key;
$OUT = join "\n", @key;
close(K);
return;
}
# go to somewhere private and safe where we can run programs
# as root
unless (-e "/tmp/ssl")
{
mkdir "/tmp/ssl", 0700;
}
chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!";
my $program = "/usr/bin/openssl";
$SIG{ALRM} = sub { die "whoops, $program pipe broke" };
unless (open(SSL,"-|"))
{
exec("/usr/bin/openssl",
qw(genrsa -rand),
join(':',
qw(
/proc/cpuinfo
/proc/dma
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/bus/pci/devices
/proc/rtc
/proc/uptime
)),
"$KeySize")
|| die "can't exec program: $!";
}
while (<SSL>)
{
$OUT .= $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
chdir $here;
}

8
root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl Normal file
View File

@@ -0,0 +1,8 @@
{
$OUT = '';
# let's expand the /etc/openssl.conf configuration
use esmith::templates;
esmith::templates::processTemplate({
TEMPLATE_PATH => "/etc/openssl.conf"
});
}

22
root/etc/e-smith/templates/home/e-smith/ssl.pem/20key Normal file
View File

@@ -0,0 +1,22 @@
{
use esmith::ssl;
my $domain = $DomainName || "localdomain";
my $hostname = $SystemName || "localhost";
$OUT = '';
# expand default key
my $dkey = "/home/e-smith/ssl.key/$hostname.$domain.key";
use esmith::templates;
esmith::templates::processTemplate({
TEMPLATE_PATH => "/home/e-smith/ssl.key/key",
OUTPUT_FILENAME => $dkey,
});
# choose which key to put in pem
my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey;
open(KEY, $key) or die "Could not open key file: $!";
my @key = <KEY>;
chomp @key;
$OUT = join "\n", @key;
close KEY;
}

21
root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt Normal file
View File

@@ -0,0 +1,21 @@
{
use esmith::ssl;
my $domain = $DomainName || "localdomain";
my $hostname = $SystemName || "localhost";
# expand default self signed crt
my $dcrt = "/home/e-smith/ssl.crt/$hostname.$domain.crt";
use esmith::templates;
esmith::templates::processTemplate({
TEMPLATE_PATH => "/home/e-smith/ssl.crt/crt",
OUTPUT_FILENAME => $dcrt,
});
# choose crt to add to pem
$crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt;
open(CRT, $crt) or die "Could not open crt file: $!";
my @crt = <CRT>;
chomp @crt;
$OUT = join "\n", @crt;
close CRT;
}

12
root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem Normal file
View File

@@ -0,0 +1,12 @@
{
my $pem = $modSSL{'CertificateChainFile'};
if ($pem and -e $pem)
{
open(PEM, $pem) or warn "Intermediate Certificate File defined, but cannot open $pem : $!";
my @pem = <PEM>;
chomp @pem;
$OUT = join "\n", @pem;
close PEM;
}
}