File:
[LON-CAPA] /
loncom /
CrGenerate.pl
Revision
1.7:
download - view:
text,
annotated -
select for diffs
Fri Jul 2 10:19:59 2004 UTC (20 years, 3 months ago) by
foxr
Branches:
MAIN
CVS tags:
version_1_1_99_1,
HEAD
Write pod documentation on this script. Presumably this would be manified.
The installation script writers will need to decide if this script should
be automatically invoked at install time or added to the installation
documentaiton. Note that it is not necessary to run this script at update
time unless the user is upgrading from insecure to secure. So we probably
want to just ship the script and document it for updaters.
1: #!/usr/bin/perl
2: # The LearningOnline Network
3: # CrGenerate - Generate a loncapa certificate request.
4: #
5: # $Id: CrGenerate.pl,v 1.7 2004/07/02 10:19:59 foxr Exp $
6: #
7: # Copyright Michigan State University Board of Trustees
8: #
9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
10: #
11: # LON-CAPA is free software; you can redistribute it and/or modify
12: # it under the terms of the GNU General Public License as published by
13: # the Free Software Foundation; either version 2 of the License, or
14: # (at your option) any later version.
15: #
16: # LON-CAPA is distributed in the hope that it will be useful,
17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19: # GNU General Public License for more details.
20: #
21: # You should have received a copy of the GNU General Public License
22: # along with LON-CAPA; if not, write to the Free Software
23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24: #
25: # /home/httpd/html/adm/gpl.txt
26: #
27:
28:
29: # http://www.lon-capa.org/
30: #
31: #
32: # This script:
33: # 1. Generates a private host key and certificate request/
34: # 2. Decodes the private host key
35: # 3. Installs the private host key with appropriate permissions
36: # in the appropriate directory (sorry to be vague about this, but
37: # the installation directory is determined by external configuration
38: # info).
39: # 4. Constructs an email to the loncapa cluster administrator
40: # consisting of a generic heading and the certificate request as a MIME
41: # attachment.
42: # 5. Sends the email and
43: # 6. Cleans up after itself by removing any temp files generated.
44: #
45: #
46:
47:
48: # Import section:
49:
50: use strict;
51: use lib '/home/httpd/lib/perl';
52: use MIME::Entity;
53: use LONCAPA::Configuration;
54: use File::Copy;
55:
56: # Global variable declarations:4
57:
58: my $SSLCommand; # Full path to openssl command.
59: my $CertificateDirectory; # LONCAPA Certificate directory.
60: my $KeyFilename; # Key filename (within CertificateDirectory).
61: my $RequestEmail; # Email address of loncapa cert admin.
62: my $WebUID; # UID of web user.
63: my $WebGID; # GID of web user.
64:
65: my $Passphrase="loncapawhatever"; # Initial passphrase for keyfile
66: my $RequestFile="loncapaRequest.pem"; # Name of Certificate request file.
67: my $EncodedKey="hostkey.pem"; # Name of encoded key file.
68:
69: my $WebUser="www"; # Username running the web server.
70: my $WebGroup="www"; # Group name running the web server.
71:
72: # Debug/log support:
73: #
74: my $DEBUG = 0; # 1 for on, 0 for off.
75:
76: # Send debugging to stderr.
77: # Parameters:
78: # msg - Message to send to stderr.
79: # Implicit Inputs:
80: # $DEBUG - message is only written if this is true.
81: #
82: sub Debug {
83: my $msg = shift;
84: if($DEBUG) {
85: print STDERR "$msg\n";
86: }
87: }
88:
89: #
90: # Decodes the email address from a textual certificate request
91: # file:
92: # Parameters:
93: # $RequestFile - Name of the file containing the textual
94: # version of the certificate request.
95: # Returns:
96: # Email address contained in the request.
97: # Failure:
98: # If unable to open or unable to fine an email address in the file,
99: # dies with a message.
100: #
101: sub DecodeEmailFromRequest {
102: Debug("DecodeEmailFromRequest");
103:
104: my $RequestFile = shift;
105: Debug("Request file is called $RequestFile");
106:
107: # We need to look for the line that has a "/Email=" in it.
108:
109: Debug("opening $RequestFile");
110: open REQUEST, "< $RequestFile" or
111: die "Unable to open $RequestFile to parse return email address";
112:
113: Debug("Parsing request file");
114: my $line;
115: my $found = 0;
116: while($line = <REQUEST>) {
117: chomp($line); # Never a bad idea.
118: if($line =~ /\/Email=/) {
119: $found = 1;
120: last;
121: }
122: }
123: if(!$found) {
124: die "There does not appear to be an email address in $RequestFile";
125: }
126:
127: close REQUEST;
128:
129: Debug("Found /Email in $line");
130:
131: # $line contains a bunch of comma separated key=value pairs.
132: # The problem is that after these is a /Email=<what-we-want>
133: # first we'll split the line up at the commas.
134: # Then we'll look for the entity with the /Email in it.
135: # That line will get split at the / and then the Email=<what-we-want>
136: # gets split at the =. I'm sure there's some clever regular expression
137: # substitution that will get it all in a single line, but I think
138: # this approach is gonna be much easier to understand than punctuation
139: # sneezed all over the page:
140:
141: my @commalist = split(/,/, $line);
142: my $item;
143: my $emailequals = "";
144: foreach $item (@commalist) {
145: if($item =~ /\/Email=/) { # gotcha...
146: $emailequals = $item;
147: last;
148: }
149: }
150:
151: Debug("Pulled out $emailequals from $line");
152: my ($trash, $addressequals) = split(/\//, $emailequals);
153: Debug("Futher pulled out $addressequals");
154:
155: my ($junk, $address) = split(/=/, $addressequals);
156: Debug("Parsed final email addresss as $address");
157:
158:
159:
160: return $address;
161: }
162:
163: #
164: # Read the LonCAPA web config files to get the values of the
165: # configuration global variables we need:
166: # Implicit inputs:
167: # loncapa.conf - configuration file to read (user specific).
168: # Implicit outputs (see global variables section):
169: # SSLCommand,
170: # CertificateDirectory
171: # KeyfileName
172: # RequestEmail
173: # Side-Effects:
174: # Exit with error if cannot complete.
175: #
176: sub ReadConfig {
177:
178: Debug("Reading configuration");
179: my $perlvarref = LONCAPA::Configuration::read_conf('loncapa.conf');
180:
181: # Name of the SSL Program
182:
183: if($perlvarref->{SSLProgram}) {
184: $SSLCommand = $perlvarref->{SSLProgram};
185: Debug("SSL Command: $SSLCommand");
186: }
187: else {
188: die "Unable to read the SSLCommand configuration option\n";
189: }
190:
191: # Where the certificates, and host key are installed:
192:
193: if($perlvarref->{lonCertificateDirectory}) {
194: $CertificateDirectory = $perlvarref->{lonCertificateDirectory};
195: Debug("Local certificate Directory: $CertificateDirectory");
196: }
197: else {
198: die "Unable to read SSLDirectory configuration option\n";
199: }
200: # The name of the host key file (to be installed in SSLDirectory).
201: #
202: if($perlvarref->{lonnetPrivateKey}) {
203: $KeyFilename = $perlvarref->{lonnetPrivateKey};
204: Debug("Private key will be installed as $KeyFilename");
205: }
206: else {
207: die "Unable to read lonnetPrivateKey conrig paraemter\n";
208: }
209: # The email address to which the certificate request is sent:
210:
211: if($perlvarref->{SSLEmail}) {
212: $RequestEmail = $perlvarref->{SSLEmail};
213: Debug("Certificate request will be sent to $RequestEmail");
214: }
215: else {
216: die "Could not read SSLEmail coniguration key";
217: }
218: # The UID/GID of the web user: It's possible the web user's
219: # GID is not its primary, so we'll translate that form the
220: # group file separately.
221:
222: my ($login, $pass, $uid, $gid) = getpwnam($WebUser);
223: if($uid) {
224: $WebUID = $uid;
225: Debug("Web user: $WebUser -> UID: $WebUID");
226: }
227: else {
228: die "Could not translate web user: $WebUser to a uid.";
229: }
230: my $gid = getgrnam($WebGroup);
231: if($gid) {
232: $WebGID = $gid;
233: Debug("Web group: $WebGroup -> GID $WebGID");
234: }
235: else {
236: die "Unable to translate web group $WebGroup to a gid.";
237: }
238: }
239: #
240: # Generate a certificate request.
241: # The openssl command is issued to create a local host key and
242: # a certificate request. The key is initially encoded.
243: # We will eventually decode this, however, since the key
244: # passphrase is open source we'll protect even the initial
245: # encoded key file too. We'll need to decode the keyfile since
246: # otherwise, openssl will need a passphrase everytime an ssl connection
247: # is created (ouch).
248: # Implicit Inputs:
249: # Passphrase - Initial passphrase for the encoded key.
250: # RequestFile - Filename of the certificate request.
251: # EncodedKey - Filename of the encoded key file.
252: #
253: # Side-Effects:
254: #
255: sub GenerateRequest {
256: Debug("Generating the request and key");
257:
258: print "We are now going to generate the certificate request\n";
259: print "You will be prompted by openssl for several pieces of \n";
260: print "information. Most of this information is for documentation\n";
261: print "purposes only, so it's not critical if you make a mistake.\n";
262: print "However: The generated certificate will be sent to the \n";
263: print "Email address you provide, and you should leave the optional\n";
264: print "Challenge password blank.\n";
265:
266: my $requestcmd = $SSLCommand." req -newkey rsa:1024 "
267: ." -keyout hostkey.pem "
268: ." -keyform PEM "
269: ." -out request.pem "
270: ." -outform PEM "
271: ." -passout pass:$Passphrase";
272: my $status = system($requestcmd);
273: if($status) {
274: die "Certificate request generation failed: $status";
275: }
276:
277: chmod(0600, "hostkey.pem"); # Protect key since passphrase is opensrc.
278:
279: Debug("Decoding the key");
280: my $decodecmd = $SSLCommand." rsa -in hostkey.pem"
281: ." -out hostkey.dec"
282: ." -passin pass:$Passphrase";
283: $status = system($decodecmd);
284: if($status) {
285: die "Host key decode failed";
286: }
287:
288: chmod(0600, "hostkey.dec"); # Protect the decoded hostkey.
289:
290: # Create the textual version of the request too:
291:
292: Debug("Creating textual version of the request for users.");
293: my $textcmd = $SSLCommand." req -in request.pem -text "
294: ." -out request.txt";
295: $status = system($textcmd);
296: if($status) {
297: die "Textualization of the certificate request failed";
298: }
299:
300:
301: Debug("Done");
302: }
303: #
304: # Installs the decoded host key (hostkey.dec) in the
305: # certificate directory with the correct permissions.
306: #
307: # Implicit Inputs:
308: # hostkey.dec - the name of the host key file.
309: # $CertificateDirectory - where the key file gets installed
310: # $KeyFilename - Final name of the key file.
311: # $WebUser - User who should own the key file.
312: # $WebGroup - Group who should own the key file.
313: # 0400 - Permissions to give to the installed key
314: # file.
315: # 0700 - Permissions given to the certificate
316: # directory if created.
317: # Side-Effects:
318: # If necessary, $CertificateDirectory is created.
319: # $CertificateDirectory/$KeyFilename is ovewritten with the
320: # contents of hostkey.dec in the cwd.
321: #
322: sub InstallKey {
323: Debug("InstallKey");
324:
325: Debug("Need to create certificate directory?");
326: if(!(-d $CertificateDirectory)) {
327:
328: Debug("Creating");
329: mkdir($CertificateDirectory, 0700);
330: chown($WebUID, $WebGID, $CertificateDirectory);
331: }
332: else {
333: Debug("Exists");
334: }
335:
336: Debug("Installing the key file:");
337: my $FullKeyPath = $CertificateDirectory."/".$KeyFilename;
338: copy("hostkey.dec", $FullKeyPath);
339:
340: Debug("Setting ownership and permissions");
341: chmod(0400, $FullKeyPath);
342: chown($WebUID, $WebGID, $FullKeyPath);
343:
344: Debug("Done");
345: }
346: #
347: # Package up a certificate request and email it to the loncapa
348: # admin. The email sent:
349: # - Has the subject: "LonCAPA certificate request for hostname
350: # - Has, as the body, the text version of the certificate.
351: # This can be inspected by the human issuing the certificate
352: # to decide if they want to really grant it... it will
353: # have the return email and all the documentation fields.
354: # - Has a text attachment that consists of the .pem version of the
355: # request. This is extracted by the human granting the
356: # certificate and used as input to the CrGrant.pl script.
357: #
358: #
359: # Implicit inputs:
360: # request.pem - The certificate request file.
361: # request.txt - Textual version of the request file.
362: # $RequestEmail - Email address to which the key is sent.
363: #
364: sub MailRequest {
365: Debug("Mailing request");
366:
367: # First we need to pull out the return address from the textual
368: # form of the certificate request:
369:
370: my $FromEmail = DecodeEmailFromRequest("request.txt");
371: if(!$FromEmail) {
372: die "From email address cannot be decoded from certificate request";
373: }
374: Debug("Certificate will be sent back to $FromEmail");
375:
376: # Create the email message headers and all:
377: #
378: Debug("Creating top...level...");
379: my $top = MIME::Entity->build(Type => "multipart/mixed",
380: From => $FromEmail,
381: To => $RequestEmail,
382: Subject => "LonCAPA certificate request");
383: if(!$top) {
384: die "Unable to create top level mime document";
385: }
386: Debug("Attaching Text formatted certificate request");
387: $top->attach(Path => "request.txt");
388:
389:
390: Debug("Attaching PEM formatted certificate request...");
391: $top->attach(Type => "text/plain",
392: Path => "request.pem");
393:
394: # Now send the email via sendmail this should work as long as
395: # sendmail or postfix are configured properly. Most other mailers
396: # define the sendmail command too for compatibility with what
397: # we're trying to do. I decided to use sendmail directly because
398: # otherwise I'm not sure the mail headers I created in $top
399: # will get properly passed as headers to other mailer thingies.
400: #
401:
402: Debug("Mailing..");
403:
404: open MAILPIPE, "| /usr/lib/sendmail -t -oi -oem" or
405: die "Failed to open pipe to sendmail: $!";
406: $top->print(\*MAILPIPE);
407: close MAILPIPE;
408:
409:
410:
411: Debug("Done");
412: }
413:
414: #
415: # Cleans up the detritus that's been created by this
416: # script (see Implicit inputs below).
417: # Implicit inputs:
418: # request.pem - Name of certificate request file in PEM format
419: # which will be deleted.
420: # request.txt - Name of textual equivalent of request file
421: # which will also be deleted.
422: # hostkey.pem - Encrypted host key which will be deleted.
423: # hostkey.dec - Decoded host key, which will be deleted.
424: #
425: sub Cleanup {
426: Debug("Cleaning up generated, temporary files");
427: unlink("request.pem", "request.txt", "hostkey.pem", "hostkey.dec");
428: Debug("done!");
429: }
430:
431:
432:
433: # Entry point:
434:
435: Debug("Starting program");
436: ReadConfig; # Read loncapa apache config file.
437: GenerateRequest; # Generate certificate request.
438: InstallKey; # Install the user's key.
439: MailRequest; # Mail certificate request to loncapa
440: Cleanup; # Cleanup temp files created.
441:
442: Debug("Done");
443:
444: #---------------------- POD documentatio --------------------
445:
446: =head1 NAME
447:
448: CrGenerate - Generate a loncapa certificate request.
449:
450: =head1 SYNOPSIS
451:
452: Usage: B<CrGenerate>
453:
454: This should probably be run automatically at system
455: installation time. Root must run this as write access is
456: required to /home/httpd.
457:
458: This is a command line script that:
459:
460: - Generates a hostkey and certificate request.
461: - Installs the protected/decoded host key where
462: secure lond/lonc can find it.
463: - Emails the certificate request to the loncapa certificate
464: manager.
465:
466: In due course if all is legitimate, the loncapa certificate
467: manager will email a certificate installation script to
468: the local loncapa system administrator.
469:
470: =head1 DESCRIPTION
471:
472: Using the default openssl configuration file, a certificate
473: request and local hostkey are created in the current working
474: directory. The local host key is decoded and installed in the
475: loncapa certificate directory. This allows the secure versions
476: of lonc and lond to locate them when attempting to form
477: external connections. The key file is given mode
478: 0400 to secure it from prying eyes.
479:
480: The certificate request in PEM form is attached to an email that
481: contains the textual equivalent of the certificate request
482: and sent to the loncapa certificate manager. All temporary
483: files (certificate request, keys etc.) are removed from the
484: current working directory.
485:
486: It is recommended that the directory this script is run in have
487: permission mask 0700 to ensure that there are no timing holes
488: during which the decoded host key file can be stolen.
489:
490: During certificate generation, the user will receive several
491: prompts. For the default LonCAPA openssl configuration,
492: these prompts, and documentation and sample responses
493: in angle brackets (<>) are shown below:
494:
495: Country Name (2 letter code) [GB]: <your country e.g. US>
496: State or Province Name (full name) [Berkshire]: <State, province prefecture etc. e.g. Michigan>
497: Locality Name (eg, city) [Newbury]: <City township or municipality e.g. East Lansing>
498: Organization Name (eg, company) [My Company Ltd]: <corporate entity e.g. Michigan State University>
499: Organizational Unit Name (eg, section) []: <unit within Organization e.g. LITE lab>
500: Common Name (eg, your name or your server's host name) [] <server's hostname e.g. myhost.university.edu>
501: Email Address []: <Address to which the granted certificate should be sent e.g. me@university.edu>
502:
503: Please enter the following 'extra' attributes
504: to be sent with your certificate request
505: A challenge password []: <leave this blank!!!!!>
506: An optional company name []: <Put whatever you want or leave blank>
507:
508:
509: =head1 DEPENDENCIES
510:
511: - MIME::Entity Used to create the email message.
512: - LONCAPA::Configuration Used to parse the loncapa configuration files.
513: - File::Copy Used to install the key file.
514: - /usr/lib/sendmail Properly configured sendmail, used to send the
515: certificate request email to the loncapa
516: certificate administrator.
517: - /etc/httpd/conf/* Loncapa configuration files read to locate
518: the certificate directory etc.
519:
520: =head1 FILES
521:
522: The following temporary files are created in the cwd
523:
524: hostkey.pem - PEM formatted version of the encrypted host key.
525: hostkey.dec - PEM formatted decrypted version of the host key.
526: request.pem - PEM formatted certificate request.
527: request.txt - Textual rendering of the certificate request.
528:
529: The following permanent file is created:
530:
531: $CertDir/$Keyfile - The installed decoded host key file. $CertDir
532: is defined by the Perl variable lonCertificateDirectory
533: in /etc/loncapa_apache.conf while $Keyfile is
534: defined by the perl variable lonnetPrivateKey in the
535: same configuration file.
536:
537: =head1 COPYRIGHT:
538:
539: Copyright Michigan State University Board of Trustees
540:
541: This file is part of the LearningOnline Network with CAPA (LON-CAPA).
542:
543: LON-CAPA is free software; you can redistribute it and/or modify
544: it under the terms of the GNU General Public License as published by
545: the Free Software Foundation; either version 2 of the License, or
546: (at your option) any later version.
547:
548: LON-CAPA is distributed in the hope that it will be useful,
549: but WITHOUT ANY WARRANTY; without even the implied warranty of
550: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
551: GNU General Public License for more details.
552:
553: You should have received a copy of the GNU General Public License
554: along with LON-CAPA; if not, write to the Free Software
555: Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
556:
557: /home/httpd/html/adm/gpl.txt
558:
559:
560: =cut
561:
562:
563:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>