Diff for /loncom/CrCA.pl between versions 1.3 and 1.4

version 1.3, 2019/07/08 23:00:16 version 1.4, 2019/07/18 00:28:04
Line 72  Term::ReadKey Line 72  Term::ReadKey
 Sys::Hostname::FQDN  Sys::Hostname::FQDN
 Locale::Country  Locale::Country
 Crypt::OpenSSL::X509  Crypt::OpenSSL::X509
   Crypt::X509::CRL
   MIME::Base64
 DateTime::Format::x509  DateTime::Format::x509
 File::Slurp  File::Slurp
   
Line 96  END Line 98  END
       exit;        exit;
   }    }
   
   require Sys::Hostname::FQDN;    eval { require Sys::Hostname::FQDN; };
   require Term::ReadKey;    if ($@) {
   require Locale::Country;        print "Could not find required perl module: Sys::Hostname::FQDN. Exiting.\n";
   require Crypt::OpenSSL::X509;        exit;
   require DateTime::Format::x509;    }
   require File::Slurp;    eval { require Term::ReadKey; };
   require Cwd;    if ($@) {
         print "Could not find required perl module: Term::ReadKey. Exiting\n";
         exit;
     }
     eval { require Locale::Country; };
     if ($@) {
         print "Could not find required perl module: Locale::Country. Exiting\n";
         exit;
     }
     eval { require Crypt::OpenSSL::X509; };
     if ($@) {
         print "Could not find required perl module: Crypt::OpenSSL::X509. Exiting\n";
         exit;
     }
     eval { require Crypt::X509::CRL; };
     if ($@) {
         print "Could not find required perl module: Crypt::X509::CRL. Exiting\n";
         exit;
     }
     eval { require DateTime::Format::x509; };
     if ($@) {
         print "Could not find required perl module: DateTime::Format::x509. Exiting\n";
         exit;
     }
     eval { require File::Slurp; };
     if ($@) {
         print "Could not find required perl module: File::Slurp. Exiting\n";
         exit;
     }
     eval { require MIME::Base64; };
     if ($@) {
         print "Could not find required perl core module: MIME::Base64\n";
         exit;
     }
     eval { require Cwd; };
     if ($@) {
         print "Could not find required perl core module: Cwd\n";
         exit;
     }
   
   my ($dir,$hostname,%data);    my ($dir,$hostname,%data);
   
Line 388  END Line 428  END
       print "Enter the lifetime (in days) for the CA root certificate distributed to all nodes, e.g., 3650\n";        print "Enter the lifetime (in days) for the CA root certificate distributed to all nodes, e.g., 3650\n";
       my $cadays = &get_days();        my $cadays = &get_days();
       unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass,$cadays)) {        unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass,$cadays)) {
           print "Failed to create CA cert\n";            print "Failed to create CA certificate\n";
           exit;            exit;
       }        }
   }    }
Line 403  END Line 443  END
       print "lonca/index.txt file is missing\n";        print "lonca/index.txt file is missing\n";
       exit;         exit; 
   }        }    
 # echo 1000 > serial  
   
     my $defcrlsel = 1;
   unless (-e "$dir/lonca/crl/loncapaCAcrl.pem") {    if (!-e "$dir/lonca/crl/loncapaCAcrl.pem") {
       open(PIPE,"openssl ca -gencrl -keyfile $dir/lonca/private/cakey.pem -cert $dir/lonca/cacert.pem -out $dir".        print "No Revocation Certificate List found.\n";
                 "/lonca/crl/loncapaCAcrl.pem -config $dir/lonca/opensslca.conf -passin pass:$sslkeypass |");        print 'Create Certificate Revocation List [Y/n]';
       close(PIPE);    } else {
       if (-e "$dir/lonca/crl/loncapaCAcrl.pem") {        if (open(PIPE,"openssl crl -in $dir/lonca/crl/loncapaCAcrl.pem -inform pem -CAfile $dir/lonca/cacert.pem  -noout 2>&1 |")) {
           print "Certificate Revocation List created\n";            my $crlstatus = <PIPE>;
             close(PIPE);
             chomp($crlstatus);
             my $failmsg = "Could not determine 'valid from' and 'valid to' dates for Certificate Revocation List.\n";
             if ($crlstatus =~ /OK/) {
                 print "Current Certficate Revocation List is consistent with current CA certificate.\n";
                 if (open(my $fh,'<',"$dir/lonca/crl/loncapaCAcrl.pem")) {
                     my $pem_crl = '';
                     while (my $line=<$fh>) {
                         chomp($line);
                         next if ($line eq '-----BEGIN X509 CRL-----');
                         next if ($line eq '-----END X509 CRL-----');
                         $pem_crl .= $line;
                     }
                     close($fh);
                     my $der_crl = MIME::Base64::decode_base64($pem_crl);
                     if ($der_crl ne '') {
                         my $decoded = Crypt::X509::CRL->new( crl => $der_crl );
                         if (ref($decoded)) {
                             if ($decoded->error) {
                                 print $failmsg; 
                             } else {
                                 my $starttime = $decoded->this_update;
                                 my $endtime = $decoded->next_update;
                                 if (($endtime ne '') && ($endtime < time)) {
                                     print "Certificate Revocation List is no longer valid.\n";
                                 } elsif ($starttime > time) {
                                     print "Certificate Revocation List will become valid in the future.\n";
                                 } elsif (($starttime ne '') && ($endtime ne '')) {
                                     my $showstart = localtime($starttime);
                                     my $showend = localtime($endtime);
                                     print "Certificate Revocation List valid from: $showstart to: $showend\n";
                                     $defcrlsel = 0;
                                 } else {
                                     print $failmsg;
                                 }
                             }
                         } else {
                             print $failmsg; 
                         }
                     } else {
                         print $failmsg;
                     }
                 } else {
                     print $failmsg;
                 }
             } else {
                 print "Current Certificate Revocation List is not consistent with current CA certificate.\n";
             }
             if ($defcrlsel) {
                 print 'Create Certificate Revocation List [Y/n]';
             } else {
                 print 'Create Certificate Revocation List [y/N]';
             }
         } else {
             print "Could not check Certificate Revocation List status.\n";
             print 'Create Certificate Revocation List [Y/n]';
       }        }
   }    }
   if (-e "$dir/lonca/crl/loncapaCAcrl.pem") {    if (&get_user_selection($defcrlsel)) {
       open(PIPE,"openssl crl -in $dir/lonca/crl/loncapaCAcrl.pem -inform pem -CAfile $dir/lonca/cacert.pem  -noout 2>&1 |");        if (open(PIPE,"openssl ca -gencrl -keyfile $dir/lonca/private/cakey.pem -cert $dir/lonca/cacert.pem -out $dir".
       my $revoked = <PIPE>;                      "/lonca/crl/loncapaCAcrl.pem -config $dir/lonca/opensslca.conf -passin pass:$sslkeypass |")) {
       close(PIPE);            close(PIPE);
       chomp($revoked);            if (-e "$dir/lonca/crl/loncapaCAcrl.pem") {
       print "Revocation certificate status: $revoked\n";                if (open(PIPE,"openssl crl -in $dir/lonca/crl/loncapaCAcrl.pem -inform pem -CAfile $dir/lonca/cacert.pem  -noout 2>&1 |")) {
 # Create a new one?                     my $revoked = <PIPE>;
                     close(PIPE);
                     chomp($revoked);
                     if ($revoked eq 'verify OK') {
                         print "Certificate Revocation List created\n";
                     } else {
                         print "Certificate Revocation List status: $revoked\n";
                     }
                 } else {
                     print "Could not check Certificate Revocation List status\n";
                 }
             } else {
                 print "Failed to create Certificate Revocation List\n";
             }
         } else {
             print "Failed to create Certificate Revocation List\n";
         }
   }    }
     exit(0);
   
   
 sub cafield_to_key {  sub cafield_to_key {
     my %mapping = (      my %mapping = (
Line 818  sub confirm_config { Line 931  sub confirm_config {
         print(<<END);          print(<<END);
   
 The cluster name, organization name, country, state and city will be   The cluster name, organization name, country, state and city will be 
 included in the CA certificate  included in the CA certificate, and in signed certificate(s) issued to
   node(s) in the cluster (which will receive the default certficate lifetime).
   
 1) Cluster Name: $data{'clustername'}  1) Cluster Name: $data{'clustername'}
 2) Organization Name: $data{'organization'}  2) Organization Name: $data{'organization'}
Line 830  included in the CA certificate Line 944  included in the CA certificate
 8) CRL recreation interval (days): $data{'crldays'}  8) CRL recreation interval (days): $data{'crldays'}
 9) Everything is correct up above  9) Everything is correct up above
   
 Enter a choice of 1-8 to change, otherwise enter 9:   Enter a choice of 1-8 to change, otherwise enter 9:
 END  END
         my $choice=<STDIN>;          my $choice=<STDIN>;
         chomp($choice);          chomp($choice);

Removed from v.1.3  
changed lines
  Added in v.1.4


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>