Jean-Philippe Pialasse
0777b5a082
- fix networking [SME: 12541] - require rsyslog [SME: 12544] - remove unsupported rsyslog option -c [SME: 12545] - remove duplicate entry logrotate for btmp and wtmp [SME: 12547] - rework systemd-default script (error and smartmatches) [SME: 12543] - fix self signed cert templates [SME: 12551]
155 lines
4.8 KiB
Perl
155 lines
4.8 KiB
Perl
package esmith::ssl;
|
|
|
|
use strict;
|
|
use warnings;
|
|
use esmith::ConfigDB;
|
|
|
|
|
|
our @ISA = qw(Exporter);
|
|
our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
|
|
|
|
my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
|
|
our $SystemName = $configdb->get('SystemName')->value;
|
|
our $DomainName = $configdb->get('DomainName')->value;
|
|
our $FQDN = "$SystemName.$DomainName";
|
|
|
|
# test key size
|
|
# test key exists
|
|
=head1 NAME
|
|
|
|
esmith::php - A few tools to help with php-fpm installed versions
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
use esmith::ssl;
|
|
|
|
my $booleanK=key_exists_good_size;
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
This is intended to help playing with installed SSL self-generated certificates and keys.
|
|
|
|
=head1 Methods
|
|
|
|
|
|
=head2 key_exists_good_size
|
|
test key exists, then test key size correct. Obviously it also test that the files is indeed a key
|
|
planned to be called in :
|
|
/etc/e-smith/templates/home/e-smith/ssl.crt
|
|
/etc/e-smith/templates/home/e-smith/ssl.key
|
|
|
|
returns 0 if key is missing or wrong size
|
|
returns 1 if key exists and key size is correct
|
|
|
|
=cut
|
|
sub key_exists_good_size {
|
|
my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
|
|
my %modSSL = $configdb->as_hash('modSSL');
|
|
my $KeySize = $modSSL{KeySize} ||'4096';
|
|
my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
|
|
if ( -f $key )
|
|
{
|
|
#print "$key exists\n";
|
|
# check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p"
|
|
my $signatureKeySize = `openssl rsa -in $key -text -noout | grep "Private-Key" | head -1`;
|
|
chomp $signatureKeySize;
|
|
$signatureKeySize =~ s/^.*Private-Key: \((.*) bit.*\)/$1/p;
|
|
if ( $signatureKeySize == $KeySize ) {
|
|
#print "key size is correct ($KeySize)\n";
|
|
# key exists and key size is correct, we can proceed
|
|
return 1;
|
|
}
|
|
}
|
|
# key is either missing or wrong key size.
|
|
return 0;
|
|
}
|
|
|
|
|
|
# test key is key
|
|
#openssl rsa -check -in $key
|
|
|
|
=head2 cert_exists_good_size
|
|
# check cert exist
|
|
# check cert is cert
|
|
# check cert size Public-Key
|
|
# openssl rsa -noout -modulus -in domain.key | openssl md5
|
|
# openssl x509 -noout -modulus -in domain.crt | openssl md5
|
|
|
|
=cut
|
|
sub cert_exists_good_size {
|
|
my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
|
|
my %modSSL = $configdb->as_hash('modSSL');
|
|
my $KeySize = $modSSL{KeySize} ||'4096';
|
|
my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
|
|
if ( -f $crt )
|
|
{
|
|
#openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p"
|
|
my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`;
|
|
chomp $signatureKeySize;
|
|
$signatureKeySize =~ s/^.*Public-Key: \((.*) bit\)/$1/p;
|
|
if ( $signatureKeySize == $KeySize ) {
|
|
#print "$signatureKeySize\n";
|
|
# cert is correct size and exists, we can proceed.
|
|
# next check key and cert are related
|
|
# next check cert is still valid
|
|
# next check alt name are still the same
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
sub cert_is_cert {
|
|
my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
|
|
if ( -f $crt )
|
|
{
|
|
open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
|
|
close STDERR;
|
|
my $exit_code=system("openssl","x509", "-noout", "-in", "$crt");
|
|
open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
|
|
if ($exit_code==0){
|
|
#print "certificate is a certificate\n";
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
sub key_is_key {
|
|
my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
|
|
if ( -f $key )
|
|
{
|
|
open my $oldout, ">&STDERR"; # "dup" the stdout filehandle
|
|
close STDERR;
|
|
my $exit_code=system("openssl","rsa", "-noout", "-in", "$key");
|
|
open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT
|
|
if ($exit_code==0){
|
|
#print "key is a key\n";
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
sub related_key_cert {
|
|
my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
|
|
my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
|
|
if ( key_is_key($key) and cert_is_cert($crt) )
|
|
{
|
|
# check the cert and the key are related, if key has been changed, then we need to change the cert
|
|
my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
|
|
my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
|
|
#print "$key_md5 eq $crt_md5\n";
|
|
return 1 if $key_md5 eq $crt_md5;
|
|
}
|
|
return 0;
|
|
}
|
|
##TODO migrate those actions from
|
|
# check cert is related to key
|
|
# => /etc/e-smith/templates/home/e-smith/ssl.crt
|
|
# check cert domain and alt
|
|
# => /etc/e-smith/templates/home/e-smith/ssl.crt
|
|
# check is valid / expiry date
|
|
# => /etc/e-smith/templates/home/e-smith/ssl.crt
|
|
###################################
|