--- loncom/CrGenerate.pl 2004/06/29 11:32:06 1.3 +++ loncom/CrGenerate.pl 2004/06/30 11:14:35 1.4 @@ -2,7 +2,7 @@ # The LearningOnline Network # CrGenerate - Generate a loncapa certificate request. # -# $Id: CrGenerate.pl,v 1.3 2004/06/29 11:32:06 foxr Exp $ +# $Id: CrGenerate.pl,v 1.4 2004/06/30 11:14:35 foxr Exp $ # # Copyright Michigan State University Board of Trustees # @@ -51,16 +51,23 @@ use strict; use MIME::Entity; use Mail::Mailer; use LONCAPA::Configuration; +use File::Copy; -# Global variable declarations: +# Global variable declarations:4 my $SSLCommand; # Full path to openssl command. my $CertificateDirectory; # LONCAPA Certificate directory. my $KeyFilename; # Key filename (within CertificateDirectory). -my $Passphrase="loncapawhatever"; # Initial passphrase for keyfile my $RequestEmail; # Email address of loncapa cert admin. +my $WebUID; # UID of web user. +my $WebGID; # GID of web user. +my $Passphrase="loncapawhatever"; # Initial passphrase for keyfile +my $RequestFile="loncapaRequest.pem"; # Name of Certificate request file. +my $EncodedKey="hostkey.pem"; # Name of encoded key file. +my $WebUser="www"; # Username running the web server. +my $WebGroup="www"; # Group name running the web server. # Debug/log support: # @@ -134,9 +141,122 @@ sub ReadConfig { else { die "Could not read SSLEmail coniguration key"; } + # The UID/GID of the web user: It's possible the web user's + # GID is not its primary, so we'll translate that form the + # group file separately. + + my ($login, $pass, $uid, $gid) = getpwnam($WebUser); + if($uid) { + $WebUID = $uid; + Debug("Web user: $WebUser -> UID: $WebUID"); + } + else { + die "Could not translate web user: $WebUser to a uid."; + } + my $gid = getgrnam($WebGroup); + if($gid) { + $WebGID = $gid; + Debug("Web group: $WebGroup -> GID $WebGID"); + } + else { + die "Unable to translate web group $WebGroup to a gid."; + } +} +# +# Generate a certificate request. +# The openssl command is issued to create a local host key and +# a certificate request. The key is initially encoded. +# We will eventually decode this, however, since the key +# passphrase is open source we'll protect even the initial +# encoded key file too. We'll need to decode the keyfile since +# otherwise, openssl will need a passphrase everytime an ssl connection +# is created (ouch). +# Implicit Inputs: +# Passphrase - Initial passphrase for the encoded key. +# RequestFile - Filename of the certificate request. +# EncodedKey - Filename of the encoded key file. +# +# Side-Effects: +# +sub GenerateRequest { + Debug("Generating the request and key"); + + print "We are now going to generate the certificate request\n"; + print "You will be prompted by openssl for several pieces of \n"; + print "information. Most of this information is for documentation\n"; + print "purposes only, so it's not critical if you make a mistake.\n"; + print "However: The generated certificate will be sent to the \n"; + print "Email address you provide, and you should leave the optional\n"; + print "Challenge password blank.\n"; + + my $requestcmd = $SSLCommand." req -newkey rsa:1024 " + ." -keyout hostkey.pem " + ." -keyform PEM " + ." -out request.pem " + ." -outform PEM " + ." -passout pass:$Passphrase"; + my $status = system($requestcmd); + if($status) { + die "Certificate request generation failed: $status"; + } + + chmod(0600, "hostkey.pem"); # Protect key since passphrase is opensrc. + + Debug("Decoding the key"); + my $decodecmd = $SSLCommand." rsa -in hostkey.pem" + ." -out hostkey.dec" + ." -passin pass:$Passphrase"; + my $status = system($decodecmd); + if($status) { + die "Host key decode failed"; + } + + chmod(0600, "hostkey.dec"); # Protect the decoded hostkey. + Debug("Done"); +} +# +# Installs the decoded host key (hostkey.dec) in the +# certificate directory with the correct permissions. +# +# Implicit Inputs: +# hostkey.dec - the name of the host key file. +# $CertificateDirectory - where the key file gets installed +# $KeyFilename - Final name of the key file. +# $WebUser - User who should own the key file. +# $WebGroup - Group who should own the key file. +# 0400 - Permissions to give to the installed key +# file. +# 0700 - Permissions given to the certificate +# directory if created. +# Side-Effects: +# If necessary, $CertificateDirectory is created. +# $CertificateDirectory/$KeyFilename is ovewritten with the +# contents of hostkey.dec in the cwd. +# +sub InstallKey { + Debug("InstallKey"); + + Debug("Need to create certificate directory?"); + if(!(-d $CertificateDirectory)) { + + Debug("Creating"); + mkdir($CertificateDirectory, 0700); + chown($WebUID, $WebGID, $CertificateDirectory); + } + else { + Debug("Exists"); + } + + Debug("Installing the key file:"); + my $FullKeyPath = $CertificateDirectory."/".$KeyFilename; + copy("hostkey.dec", $FullKeyPath); + + Debug("Setting ownership and permissions"); + chmod(0400, $FullKeyPath); + chown($WebUID, $WebGID, $FullKeyPath); + + Debug("Done"); } -sub GenerateRequest {} -sub InstallKey {} sub MailRequest {} sub Cleanup {}