1: #!/usr/bin/perl
2: use strict;
3: use Sys::Hostname::FQDN();
4: use Term::ReadKey;
5: use Locale::Country;
6: use Crypt::OpenSSL::X509;
7: use DateTime::Format::x509;
8: use File::Slurp;
9: use Cwd;
10:
11: #
12: # Expected structure
13: #
14: # /lonca
15: # opensslca.cnf
16: # cacert.pem
17: # index.txt
18: # /certs
19: # /crl
20: # /private
21: # /requests
22: #
23:
24: print(<<END);
25:
26: ****** SSL Certificate Authority *****
27:
28: If you are running your own cluster of LON-CAPA nodes you will need to
29: create a Certificate Authority (CA) for your cluster. You will then use
30: the CA to sign LON-CAPA SSL certificate signing requests generated by
31: the nodes in your cluster.
32:
33: LON-CAPA SSL Certificates can be used in two different contexts:
34: (a) if you configure LON-CAPA to use a secure channel for exchange of
35: the shared encryption key when establishing an "internal" LON-CAPA
36: connection between nodes in your cluster, and (b) if you configure
37: LON-CAPA to use client SSL certificate validation when one node replicates
38: content from library node(s) in your cluster.
39:
40: Although a LON-CAPA cluster may contain multiple domains and/or multiple
41: library nodes, there will only be one LON-CAPA certificate authority (CA)
42: for the cluster. The CA certificate signing infrastructure need not be
43: housed on a LON-CAPA node; it can instead be installed on a separate
44: Linux instance. The instance housing the CA infrastructure needs to
45: have the following Linux packages installed:
46:
47: openssl
48: perl
49:
50: and the following perl modules from CPAN installed:
51:
52: Term::ReadKey
53: Sys::Hostname::FQDN
54: Locale::Country
55: Crypt::OpenSSL::X509
56: DateTime::Format::x509
57: File::Slurp
58:
59: You need to decide on a directory you wish to use to hold the
60: CA infrastructure. If necessary you should create a new directory.
61: Then move this script (CrCA.pl) to that directory, and run it with
62: the command: perl CrCA.pl
63:
64: The script will create any required subdirectories (and files)
65: within that directory, if they do not already exist.
66:
67: You will need to provide a password to be used for the openssl CA key
68: which will be stored in the /private subdirectory, and will be used
69: when signing certificate signing requests to create LON-CAPA certificates
70: for use in the cluster.
71:
72: END
73:
74: #Proceed?
75:
76: my ($dir,$hostname,%data);
77:
78: # Check if required subdirectories exist in current directory.
79: $dir = Cwd::getcwd();
80:
81: if (-e "$dir/lonca") {
82: if ((!-d "$dir/lonca") && (-f "$dir/lonca")) {
83: print "A lonca directory is required, but there is an existing file of that name.\n".
84: "Please either delete the lonca file, or change to a different directory, and ".
85: "create the CA infrastructure there.\n";
86: exit;
87: }
88: } else {
89: mkdir("$dir/lonca",0700);
90: system('chown root:root '."$dir/lonca");
91: }
92: if (-d "$dir/lonca") {
93: foreach my $subdir ('certs','crl','private','requests') {
94: if (!-d "$dir/lonca/$subdir") {
95: if (-f "$dir/lonca/$subdir") {
96: print "A $subdir sub-directory is required, but there is an existing file of that name.\n".
97: "Please either delete or move the $subdir file, then run this script again.\n";
98: exit;
99: } else {
100: mkdir("$dir/lonca/$subdir",0700);
101: system('chown root:root '."$dir/lonca/$subdir");
102: }
103: }
104: }
105: } else {
106: print "A lonca directory is required, but no directory exists\n";
107: exit;
108: }
109: if (-e "$dir/lonca/opensslca.conf") {
110: # retrieve existing config file and verify that if contains the required fields.
111: %data = &parse_config("$dir/lonca/opensslca.conf");
112: my %update = &confirm_config(%data);
113: my %changes;
114: foreach my $field ('clustername','organization','email','country','state','city','days','crldays') {
115: if ($data{$field} ne $update{$field}) {
116: $changes{$field} = $update{$field};
117: }
118: }
119: if (keys(%changes)) {
120: &save_config_changes("$dir/lonca/opensslca.conf",\%changes);
121: }
122: } else {
123: print(<<END);
124: ****** Certificate Authority Configuration File *****
125:
126: A configuration file: $dir/lonca/opensslca.conf will be created.
127:
128: The following information will be included:
129: Country, State/Province, City, Cluster Name, Organizational Name, E-mail address, CA certificate lifetime (days), Default certificate lifetime (days), CRL re-creation interval (days)
130:
131: END
132: $hostname = Sys::Hostname::FQDN::fqdn();
133: if ($hostname eq '') {
134: $hostname =&get_hostname();
135: } else {
136: print "Hostname detected: $hostname. Is that correct? [Y/n]";
137: if (!&get_user_selection(1)) {
138: $hostname =&get_hostname();
139: }
140: }
141:
142: my %fieldname = (
143: city => 'City',
144: state => 'State or Province',
145: clustername => 'Cluster name',
146: organization => 'Organization name',
147: );
148: my ($clustername,$organization,$country,$state,$city,$email,$cadays,$clusterhostname,$days,$crldays);
149: $clusterhostname = $hostname;
150: $country = &get_country($hostname);
151: print "Enter state or province name\n";
152: $state = &get_info($fieldname{'state'});
153: print "Enter city name\n";
154: $city = &get_info($fieldname{'city'});
155: $email = &get_camail();
156: print 'Enter a name for this LON-CAPA cluster, e.g., "Lon-CAPA learning network"'."\n".
157: 'This name will be included as the Common Name for the CA certificate.'."\n";
158: $clustername = &get_info($fieldname{'clustername'});
159: print 'Enter the organization name for this LON-CAPA cluster, e.g., "Lon CAPA certification authority"'."\n".
160: 'This name will be included as the Oraganization for the CA certificate.'."\n";
161: $organization = &get_info($fieldname{'organization'});
162: print "Enter the lifetime (in days) for the CA root certificate distributed to all nodes, e.g., 3650\n";
163: $cadays = &get_days();
164: print "Enter the default lifetime (in days) for each certificate created/signed by the CA for individual nodes, e.g., 3650\n";
165: $days = &get_days();
166: print "Enter the re-creation interval (in days) for the CA's certificate revocation list (CRL), e.g., 180\n";
167: $crldays = &get_days();
168:
169: if (open(my $fh,'>',"$dir/lonca/opensslca.conf")) {
170: print $fh <<"END";
171: [ ca ]
172: default_ca = loncapa
173:
174: [ loncapa ]
175: dir = $dir/lonca
176: certificate = $dir/lonca/cacert.pem
177: database = $dir/lonca/index.txt
178: new_certs_dir = $dir/lonca/certs
179: private_key = $dir/lonca/private/cakey.pem
180: serial = $dir/lonca/serial
181:
182: default_crl_days = $crldays
183: default_days = $days
184: default_md = sha256
185:
186: policy = loncapa_policy
187: x509_extensions = certificate_extensions
188:
189: [ loncapa_policy ]
190:
191: commonName = supplied
192: stateOrProvinceName = supplied
193: countryName = supplied
194: emailAddress = supplied
195: organizationName = supplied
196: organizationalUnitName = optional
197:
198: [ certificate_extensions ]
199:
200: basicConstraints = CA:false
201: crlDistributionPoints = URI:http://$clusterhostname/adm/dns/loncapaCAcrl
202:
203: [ req ]
204:
205: default_bits = 2048
206: distinguished_name = loncapa_ca
207:
208: x509_extensions = loncapa_ca_extensions
209:
210: [ loncapa_ca ]
211:
212: commonName = $clustername
213: localityName = $city
214: stateOrProvinceName = $state
215: countryName = $country
216: emailAddress = $email
217: organizationName = $organization
218:
219: [ loncapa_ca_extensions ]
220: basicConstraints = CA:true
221:
222: [ crl_ext ]
223:
224: authorityKeyIdentifier=keyid:always,issuer:always
225:
226:
227: END
228:
229: } else {
230: print 'Error: failed to wtite to '."$dir/lonca/opensslca.conf. Exiting.\n";
231: exit;
232: }
233: %data = &parse_config("$dir/lonca/opensslca.conf");
234: my %update = &confirm_config(%data);
235: my %changes;
236: foreach my $field ('clustername','organization','email','country','state','city','days','crldays') {
237: if ($data{$field} ne $update{$field}) {
238: $changes{$field} = $update{$field};
239: }
240: }
241: if (keys(%changes)) {
242: &save_config_changes("$dir/lonca/opensslca.conf",\%changes);
243: }
244: }
245:
246: my $sslkeypass;
247: if (-e "$dir/lonca/private/cakey.pem") {
248: my ($keyok,$try);
249: print "CA key aleady exists\n";
250: $try = 1;
251: while (!$keyok && $try) {
252: $sslkeypass = &get_password('Enter the password for the CA key');
253: if ($sslkeypass ne '') {
254: open(PIPE,"openssl rsa -noout -in lonca/private/cakey.pem -passin pass:$sslkeypass -check |");
255: my $check = <PIPE>;
256: close(PIPE);
257: chomp($check);
258: if ($check eq 'RSA key ok') {
259: $keyok = 1;
260: last;
261: } else {
262: print "CA key check failed. Try again? [Y/n]";
263: if (!&get_user_selection(1)) {
264: $try = 0;
265: }
266: }
267: }
268: }
269: unless ($keyok) {
270: print "CA key check failed. Create a new key? [Y/n]";
271: if (&get_user_selection(1)) {
272: $sslkeypass = &get_new_sslkeypass();
273: # generate SSL key
274: unless (&make_key("$dir/lonca/private",$sslkeypass)) {
275: print "Failed to create CA key\n";
276: exit;
277: }
278: } else {
279: exit;
280: }
281: }
282: } else {
283: $sslkeypass = &get_new_sslkeypass();
284: # generate SSL key
285: unless (&make_key("$dir/lonca/private",$sslkeypass)) {
286: print "Failed to create CA key\n";
287: exit;
288: }
289: }
290: if (-e "$dir/lonca/cacert.pem") {
291: print "A CA certificate exists\n";
292: open(PIPE,"openssl pkey -in $dir/lonca/private/cakey.pem -passin pass:$sslkeypass -pubout -outform der | sha256sum |");
293: my $hashfromkey = <PIPE>;
294: close(PIPE);
295: chomp($hashfromkey);
296: open(PIPE,"openssl x509 -in $dir/lonca/cacert.pem -pubkey | openssl pkey -pubin -pubout -outform der | sha256sum |");
297: my $hashfromcert = <PIPE>;
298: close(PIPE);
299: chomp($hashfromcert);
300: if ($hashfromkey eq $hashfromcert) {
301: my ($now,$starttime,$endtime,$status,%cert);
302: my $x509 = Crypt::OpenSSL::X509->new_from_file("$dir/lonca/cacert.pem");
303: my @items = split(/,\s+/,$x509->subject());
304: foreach my $item (@items) {
305: my ($name,$value) = split(/=/,$item);
306: if ($name eq 'CN') {
307: $cert{'cn'} = $value;
308: }
309: }
310: $cert{'start'} = $x509->notBefore();
311: $cert{'end'} = $x509->notAfter();
312: $cert{'alg'} = $x509->sig_alg_name();
313: $cert{'size'} = $x509->bit_length();
314: $cert{'email'} = $x509->email();
315: my $dt = DateTime::Format::x509->parse_datetime($cert{'start'});
316: if (ref($dt)) {
317: $starttime = $dt->epoch;
318: }
319: $dt = DateTime::Format::x509->parse_datetime($cert{'end'});
320: if (ref($dt)) {
321: $endtime = $dt->epoch;
322: }
323: $now = time;
324: if (($starttime ne '') && ($endtime ne '')) {
325: if ($endtime <= $now) {
326: $status = 'previous';
327: print "Current CA certificate expired $cert{'end'}\n";
328: } elsif ($starttime > $now) {
329: $status = 'future';
330: print "Current CA certificate will be valid after $cert{'start'}\n";
331: } else {
332: $status eq 'active';
333: print "Current CA certificate valid until $cert{'end'}".' '.
334: "Signature Algorithm: $cert{'alg'}; Public Key size: $cert{'size'}\n";
335: }
336: if ($status eq 'previous') {
337: print 'Create a new certificate? [Y/n]';
338: if (&get_user_selection(1)) {
339: unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass)) {
340: print "Failed to create CA cert\n";
341: exit;
342: }
343: }
344: }
345: } else {
346: print "Could not determine validity of current CA certificate\n";
347: exit;
348: }
349: }
350: } else {
351: unless (&make_ca_cert("$dir/lonca/private","$dir/lonca",$sslkeypass)) {
352: print "Failed to create CA cert\n";
353: exit;
354: }
355: }
356:
357: if (!-e "$dir/lonca/index.txt") {
358: File::Slurp::write_file("$dir/lonca/index.txt");
359: }
360: if (-e "$dir/lonca/index.txt") {
361: my $mode = 0600;
362: chmod $mode, "$dir/lonca/index.txt";
363: } else {
364: print "lonca/index.txt file is missing\n";
365: exit;
366: }
367: # echo 1000 > serial
368:
369:
370: unless (-e "$dir/lonca/crl/loncapaCAcrl.pem") {
371: open(PIPE,"openssl ca -gencrl -keyfile $dir/lonca/private/cakey.pem -cert $dir/lonca/cacert.pem -out $dir".
372: "/lonca/crl/loncapaCAcrl.pem -config $dir/lonca/opensslca.conf -passin pass:$sslkeypass |");
373: close(PIPE);
374: if (-e "$dir/lonca/crl/loncapaCAcrl.pem") {
375: print "Certificate Revocation List created\n";
376: }
377: }
378: if (-e "$dir/lonca/crl/loncapaCAcrl.pem") {
379: open(PIPE,"openssl crl -in $dir/lonca/crl/loncapaCAcrl.pem -inform pem -CAfile $dir/lonca/cacert.pem -noout 2>&1 |");
380: my $revoked = <PIPE>;
381: close(PIPE);
382: chomp($revoked);
383: print "Revocation certificate status: $revoked\n";
384: # Create a new one?
385: }
386:
387: sub cafield_to_key {
388: my %mapping = (
389: city => 'localityName',
390: state => 'stateOrProvinceName',
391: country => 'countryName',
392: email => 'emailAddress',
393: organization => 'organizationName',
394: clustername => 'commonName',
395: );
396: return %mapping;
397: }
398:
399: sub field_to_key {
400: my %mapping = (
401: days => 'default_days',
402: crldays => 'default_crl_days',
403: );
404: }
405:
406: sub parse_config {
407: my ($filepath) = @_;
408: my (%fields,%data);
409: if (open(my $fh,'<',$filepath)) {
410: my $currsection;
411: while(<$fh>) {
412: chomp();
413: s/(^\s+|\s+$)//g;
414: if (/^\[\s*([^\s]+)\s*\]/) {
415: $currsection = $1;
416: } elsif (/^([^=]+)=([^=]+)$/) {
417: my ($key,$value) = ($1,$2);
418: $key =~ s/\s+$//;
419: $value =~ s/^\s+//;
420: if ($currsection ne '') {
421: $fields{$currsection}{$key} = $value;
422: }
423: }
424: }
425: close($fh);
426: }
427: if (ref($fields{'loncapa_ca'}) eq 'HASH') {
428: my %ca_mapping = &cafield_to_key();
429: foreach my $key (keys(%ca_mapping)) {
430: $data{$key} = $fields{'loncapa_ca'}{$ca_mapping{$key}};
431: }
432: }
433: if (ref($fields{'loncapa'}) eq 'HASH') {
434: my %mapping = &field_to_key();
435: foreach my $key (keys(%mapping)) {
436: $data{$key} = $fields{'loncapa'}{$mapping{$key}};
437: }
438: }
439: return %data;
440: }
441:
442: sub save_config_changes {
443: my ($filepath,$updated) = @_;
444: return unless (ref($updated) eq 'HASH');
445: my %mapping = &field_to_key();
446: my %ca_mapping = &cafield_to_key();
447: my %revmapping = reverse(%mapping);
448: my %rev_ca_mapping = reverse(%ca_mapping);
449: my $lines;
450: if (open(my $fh,'<',$filepath)) {
451: my $currsection;
452: while(<$fh>) {
453: my $line = $_;
454: chomp();
455: s/(^\s+|\s+$)//g;
456: my $newline;
457: if (/^\[\s*([^\s]+)\s*\]/) {
458: $currsection = $1;
459: } elsif (/^([^=]+)=([^=]*)$/) {
460: my ($origkey,$origvalue) = ($1,$2);
461: my ($key,$value) = ($origkey,$origvalue);
462: $key =~ s/\s+$//;
463: $value =~ s/^\s+//;
464: if ($currsection eq 'loncapa_ca') {
465: if ((exists($rev_ca_mapping{$key})) && (exists($updated->{$rev_ca_mapping{$key}}))) {
466: if ($value eq '') {
467: if ($origvalue eq '') {
468: $origvalue = ' ';
469: }
470: $origvalue .= $updated->{$rev_ca_mapping{$key}};
471: } else {
472: $origvalue =~ s/\Q$value\E/$updated->{$rev_ca_mapping{$key}}/;
473: }
474: $newline = $origkey.'='.$origvalue."\n";
475: }
476: } elsif ($currsection eq 'loncapa') {
477: if ((exists($revmapping{$key})) && (exists($updated->{$revmapping{$key}}))) {
478: if ($value eq '') {
479: if ($origvalue eq '') {
480: $origvalue = ' ';
481: }
482: $origvalue .= $updated->{$revmapping{$key}};
483: } else {
484: $origvalue =~ s/\Q$value\E/$updated->{$revmapping{$key}}/;
485: }
486: $newline = $origkey.'='.$origvalue."\n";
487: }
488: }
489: }
490: if ($newline) {
491: $lines .= $newline;
492: } else {
493: $lines .= $line;
494: }
495: }
496: close($fh);
497: if (open(my $fout,'>',$filepath)) {
498: print $fout $lines;
499: close($fout);
500: } else {
501: print "Error: failed to open '$filepath' for writing\n";
502: }
503: }
504: return;
505: }
506:
507: #
508: # get_hostname() prompts the user to provide the server's hostname.
509: #
510: # If invalid input is provided, the routine is called recursively
511: # until, a valid hostname is provided.
512: #
513:
514: sub get_hostname {
515: my $hostname;
516: print 'Enter the hostname of this server, e.g., loncapa.somewhere.edu'."\n";
517: my $choice = <STDIN>;
518: chomp($choice);
519: $choice =~ s/(^\s+|\s+$)//g;
520: if ($choice eq '') {
521: print "Hostname you entered was either blank or contanied only white space.\n";
522: } elsif ($choice =~ /^[\w\.\-]+$/) {
523: $hostname = $choice;
524: } else {
525: print "Hostname you entered was invalid -- a hostname may only contain letters, numbers, - and .\n";
526: }
527: while ($hostname eq '') {
528: $hostname = &get_hostname();
529: }
530: print "\n";
531: return $hostname;
532: }
533:
534: sub get_new_sslkeypass {
535: my $sslkeypass;
536: my $flag=0;
537: # get password for SSL key
538: while (!$flag) {
539: $sslkeypass = &make_passphrase();
540: if ($sslkeypass) {
541: $flag = 1;
542: } else {
543: print "Invalid input (a password is required for the CA key).\n";
544: }
545: }
546: return $sslkeypass;
547: }
548:
549: sub make_passphrase {
550: my ($got_passwd,$firstpass,$secondpass,$passwd);
551: my $maxtries = 10;
552: my $trial = 0;
553: while ((!$got_passwd) && ($trial < $maxtries)) {
554: $firstpass = &get_password('Enter a password for the CA key (at least 6 characters long)');
555: if (length($firstpass) < 6) {
556: print('Password too short.'."\n".
557: 'Please choose a password with at least six characters.'."\n".
558: 'Please try again.'."\n");
559: } elsif (length($firstpass) > 30) {
560: print('Password too long.'."\n".
561: 'Please choose a password with no more than thirty characters.'."\n".
562: 'Please try again.'."\n");
563: } else {
564: my $pbad=0;
565: foreach (split(//,$firstpass)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
566: if ($pbad) {
567: print('Password contains invalid characters.'."\n".
568: 'Password must consist of standard ASCII characters.'."\n".
569: 'Please try again.'."\n");
570: } else {
571: $secondpass = &get_password('Enter password a second time');
572: if ($firstpass eq $secondpass) {
573: $got_passwd = 1;
574: $passwd = $firstpass;
575: } else {
576: print('Passwords did not match.'."\n".
577: 'Please try again.'."\n");
578: }
579: }
580: }
581: $trial ++;
582: }
583: return $passwd;
584: }
585:
586: sub get_password {
587: my ($prompt) = @_;
588: local $| = 1;
589: print $prompt.': ';
590: my $newpasswd = '';
591: ReadMode 'raw';
592: my $key;
593: while(ord($key = ReadKey(0)) != 10) {
594: if(ord($key) == 127 || ord($key) == 8) {
595: chop($newpasswd);
596: print "\b \b";
597: } elsif(!ord($key) < 32) {
598: $newpasswd .= $key;
599: print '*';
600: }
601: }
602: ReadMode 'normal';
603: print "\n";
604: return $newpasswd;
605: }
606:
607: #
608: # make_key() generates CA root key
609: #
610:
611: sub make_key {
612: my ($keydir,$sslkeypass) = @_;
613: # generate SSL key
614: my $created;
615: if (($keydir ne '') && ($sslkeypass ne '')) {
616: if (-f "$keydir/cakey.pem") {
617: my $mode = 0600;
618: chmod $mode, "$keydir/cakey.pem";
619: }
620: open(PIPE,"openssl genrsa -aes256 -passout pass:$sslkeypass -out $keydir/cakey.pem 2048 2>&1 |");
621: close(PIPE);
622: if (-f "$keydir/cakey.pem") {
623: my $mode = 0400;
624: chmod $mode, "$keydir/cakey.pem";
625: $created= 1;
626: }
627: } else {
628: print "Key creation failed. Missing one or more of: certificates directory, key name\n";
629: }
630: return $created;
631: }
632:
633: #
634: # make_ca_cert() generates CA root certificate
635: #
636:
637: sub make_ca_cert {
638: my ($keydir,$certdir,$sslkeypass) = @_;
639: # generate SSL cert for CA
640: my $created;
641: if ((-d $keydir) && (-d $certdir) && ($sslkeypass ne '')) {
642: my $cmd = "openssl req -x509 -key $keydir/cakey.pem -passin pass:$sslkeypass -new -batch -config $certdir/opensslca.conf -out $certdir/cacert.pem";
643: print "Calling ||$cmd||\n";
644: open(PIPE,"openssl req -x509 -key $keydir/cakey.pem -passin pass:$sslkeypass -new -batch -config $certdir/opensslca.conf -out $certdir/cacert.pem |");
645: close(PIPE);
646: if (-f "$certdir/cacert.pem") {
647: my $mode = 0600;
648: chmod $mode, "$certdir/cacert.pem";
649: # chmod $mode, "$certdir/careq.pem";
650: # open(PIPE,"openssl ca -create_serial -out $certdir/cacert.pem -days 3650 -keyfile $keydir/cakey.pem -selfsign -config ./openssl.cnf -infiles $certdir/careq.pem |");
651: # close(PIPE);
652: # if (-f "$certdir/cacert.pem") {
653: # my $mode = 0600;
654: # chmod $mode, "$certdir/cacert.pem";
655: # }
656: $created= 1;
657: }
658: } else {
659: print "Creation of CA root certificate failed. Missing one or more of: CA directory, CA key directory, or CA passphrase.\n";
660: }
661: return $created;
662: }
663:
664: sub get_camail {
665: my $camail;
666: my $flag=0;
667: # get Certificate Authority E-mail
668: while (!$flag) {
669: print(<<END);
670:
671: Enter e-mail address of Certificate Authority.
672: END
673:
674: my $choice=<>;
675: chomp($choice);
676: if (($choice ne '') && ($choice =~ /^[^\@]+\@[^\@]+$/)) {
677: $camail=$choice;
678: $flag=1;
679: } else {
680: print "Invalid input (a valid email address is required).\n";
681: }
682: }
683: return $camail;
684: }
685:
686: sub ssl_info {
687: print(<<END);
688:
689: ****** Information about Country, State or Province and City *****
690:
691: A two-letter country code, e.g., US, CA, DE etc. as defined by ISO 3166,
692: is required. A state or province, and a city are also required.
693: This locality information is included in two SSL certificates used internally
694: by LON-CAPA, unless you are running standalone.
695:
696: If your server will be part of either the production or development
697: clusters, then the certificate will need to be signed by the official
698: LON-CAPA Certificate Authority (CA). If you will be running your own
699: cluster then the cluster will need to create its own CA.
700:
701: END
702: }
703:
704: sub get_country {
705: my ($desiredhostname) = @_;
706: # get Country
707: my ($posscountry,$country);
708: if ($desiredhostname =~ /\.(edu|com|org)$/) {
709: $posscountry = 'us';
710: } else {
711: ($posscountry) = ($desiredhostname =~ /\.(a-z){2}$/);
712: }
713: if ($posscountry) {
714: my $countrydesc = &Locale::Country::code2country($posscountry);
715: if ($countrydesc eq '') {
716: undef($posscountry);
717: }
718: }
719:
720: my $flag=0;
721: while (!$flag) {
722: if ($posscountry) {
723: $posscountry = uc($posscountry);
724: print "Enter Two-Letter Country Code [$posscountry]:\n";
725: } else {
726: print "Enter the Two-Letter Country Code:\n";
727: }
728: my $choice=<STDIN>;
729: chomp($choice);
730: if ($choice ne '') {
731: if (&Locale::Country::code2country(lc($choice))) {
732: $country=uc($choice);
733: $flag=1;
734: } else {
735: print "Invalid input -- a valid two letter country code is required\n";
736: }
737: } elsif (($choice eq '') && ($posscountry ne '')) {
738: $country = $posscountry;
739: $flag = 1;
740: } else {
741: print "Invalid input -- a country code is required\n";
742: }
743: }
744: return $country;
745: }
746:
747: sub get_info {
748: my ($typename) = @_;
749: my $value;
750: my $choice = <STDIN>;
751: chomp($choice);
752: $choice =~ s/(^\s+|\s+$)//g;
753: if ($choice eq '') {
754: print "$typename you entered was either blank or contained only white space.\n";
755: } else {
756: $value = $choice;
757: }
758: while ($value eq '') {
759: $value = &get_info($typename);
760: }
761: print "\n";
762: return $value;
763: }
764:
765: sub get_days {
766: my $value;
767: my $choice = <STDIN>;
768: chomp($choice);
769: $choice =~ s/(^\s+|\s+$)//g;
770: if ($choice eq '') {
771: print "The value you entered was either blank or contained only white space.\n";
772: } elsif ($choice !~ /^\d+$/) {
773: print "The value you entered contained invalid characters -- you must enter just an integer.\n";
774: } else {
775: $value = $choice;
776: }
777: while ($value eq '') {
778: $value = &get_days();
779: }
780: print "\n";
781: return $value;
782: }
783:
784: sub confirm_config {
785: my (%data) = @_;
786: my $flag = 0;
787: while (!$flag) {
788: print(<<END);
789:
790: The cluster name, organization name, country, state and city will be
791: included in the CA certificate
792:
793: 1) Cluster Name: $data{'clustername'}
794: 2) Organization Name: $data{'organization'}
795: 3) Country: $data{'country'}
796: 4) State or Province: $data{'state'}
797: 5) City: $data{'city'}
798: 6) E-mail: $data{'email'}
799: 7) CA certificate lifetime (days): $data{'cadays'}
800: 8) Default certificate lifetime for issued certs (days): $data{'days'}
801: 9) CRL recreation interval (days): $data{'crldays'}
802: 10) Everything is correct up above
803:
804: Enter a choice of 1-9 to change, otherwise enter 10:
805: END
806: my $choice=<STDIN>;
807: chomp($choice);
808: if ($choice == 1) {
809: print(<<END);
810: 1) Cluster Name: $data{'clustername'}
811: Enter new value:
812: END
813: my $choice2=<STDIN>;
814: chomp($choice2);
815: $data{'clustername'}=$choice2;
816: chomp($choice2);
817: $data{'organization'}=$choice2;
818: } elsif ($choice == 3) {
819: print(<<END);
820: 3) Country: $data{'country'}
821: Enter new value (this should be a two-character code, e,g, US, CA, DE):
822: END
823: my $choice2=<STDIN>;
824: chomp($choice2);
825: $data{'country'} = uc($choice2);
826: } elsif ($choice == 4) {
827: print(<<END);
828: 4) State or Province: $data{'state'}
829: Enter new value:
830: END
831: my $choice2=<>;
832: chomp($choice2);
833: $data{'state'}=$choice2;
834: } elsif ($choice == 5) {
835: print(<<END);
836: 5) City: $data{'city'}
837: Enter new value:
838: END
839: my $choice2=<>;
840: chomp($choice2);
841: $data{'city'}=$choice2;
842: } elsif ($choice == 6) {
843: print(<<END);
844: 6) E-mail: $data{'email'}
845: Enter new value:
846: END
847: my $choice2=<>;
848: chomp($choice2);
849: $data{'email'}=$choice2;
850: } elsif ($choice == 7) {
851: print(<<END);
852: 7) CA Root Certificate lifetime: $data{'cadays'}
853: Enter new value:
854: END
855: my $choice2=<>;
856: chomp($choice2);
857: $choice2 =~ s/\D//g;
858: $data{'cadays'}=$choice2;
859: } elsif ($choice == 8) {
860: print(<<END);
861: 8) Default certificate lifetime: $data{'days'}
862: Enter new value:
863: END
864: my $choice2=<>;
865: chomp($choice2);
866: $choice2 =~ s/\D//g;
867: $data{'days'}=$choice2;
868: } elsif ($choice == 9) {
869: print(<<END);
870: 9) CRL re-creation interval: $data{'crldays'}
871: Enter new value:
872: END
873: my $choice2=<>;
874: chomp($choice2);
875: $choice2 =~ s/\D//g;
876: $data{'crldays'}=$choice2;
877: } elsif ($choice == 10) {
878: $flag=1;
879: foreach my $key (keys(%data)) {
880: $data{$key} =~ s{/}{ }g;
881: }
882: } else {
883: print "Invalid input.\n";
884: }
885: }
886: return %data;
887: }
888:
889: sub get_user_selection {
890: my ($defaultrun) = @_;
891: my $do_action = 0;
892: my $choice = <STDIN>;
893: chomp($choice);
894: $choice =~ s/(^\s+|\s+$)//g;
895: my $yes = 'y';
896: if ($defaultrun) {
897: if (($choice eq '') || ($choice =~ /^\Q$yes\E/i)) {
898: $do_action = 1;
899: }
900: } else {
901: if ($choice =~ /^\Q$yes\E/i) {
902: $do_action = 1;
903: }
904: }
905: return $do_action;
906: }
907:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to CrCA.pl CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom