--- loncom/Lond.pm	2018/08/09 14:04:30	1.11
+++ loncom/Lond.pm	2018/08/18 22:07:48	1.12
@@ -1,6 +1,6 @@
 # The LearningOnline Network
 #
-# $Id: Lond.pm,v 1.11 2018/08/09 14:04:30 raeburn Exp $
+# $Id: Lond.pm,v 1.12 2018/08/18 22:07:48 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,7 +38,7 @@ use LONCAPA;
 use Apache::lonnet;
 use GDBM_File;
 use Crypt::OpenSSL::X509;
-
+use Crypt::PKCS10;
 
 sub dump_with_regexp {
     my ( $tail, $clientversion ) = @_;
@@ -813,17 +813,20 @@ sub is_course {
 }
 
 sub server_certs {
-    my ($perlvar) = @_;
+    my ($perlvar,$lonhost,$hostname) = @_;
     my %pemfiles = (
                      key      => 'lonnetPrivateKey',
                      host     => 'lonnetCertificate',
                      hostname => 'lonnetHostnameCertificate',
                      ca       => 'lonnetCertificateAuthority',
                    );
-    my (%md5hash,%info);
+    my (%md5hash,%expected_cn,%expired,%revoked,%wrongcn,%info,$crlfile);
     if (ref($perlvar) eq 'HASH') {
+        $expected_cn{'host'} = $lonhost;
+        $expected_cn{'hostname'} = 'internal-'.$hostname;
         my $certsdir = $perlvar->{'lonCertificateDirectory'};
         if (-d $certsdir) {
+            $crlfile = $certsdir.'/'.$perlvar->{'lonnetCertRevocationList'};
             foreach my $key (keys(%pemfiles)) {
                 if ($perlvar->{$pemfiles{$key}}) {
                     my $file = $certsdir.'/'.$perlvar->{$pemfiles{$key}};
@@ -838,6 +841,7 @@ sub server_certs {
                             if (open(PIPE,"openssl rsa -noout -modulus -in $file | openssl md5 |")) {
                                 $md5hash{$key} = <PIPE>;
                                 close(PIPE);
+                                chomp($md5hash{$key});
                             }
                         } else {
                             if ($key eq 'ca') {
@@ -856,6 +860,7 @@ sub server_certs {
                                 if (open(PIPE,"openssl x509 -noout -modulus -in $file | openssl md5 |")) {
                                     $md5hash{$key} = <PIPE>;
                                     close(PIPE);
+                                    chomp($md5hash{$key});
                                 }
                             }
                             my $x509 = Crypt::OpenSSL::X509->new_from_file($file);
@@ -871,6 +876,54 @@ sub server_certs {
                             $info{$key}{'alg'} = $x509->sig_alg_name();
                             $info{$key}{'size'} = $x509->bit_length();
                             $info{$key}{'email'} = $x509->email();
+                            $info{$key}{'serial'} = $x509->serial();
+                            if ($x509->checkend(0)) {
+                                $expired{$key} = 1;
+                            }
+                            if (($key eq 'host') || ($key eq 'hostname')) {
+                                if ($info{$key}{'cn'} ne $expected_cn{$key}) {
+                                    $wrongcn{$key} = 1;
+                                }
+                                if ((-e $crlfile) && ($info{$key}{'serial'} =~ /^\w+$/)) {
+                                    my $serial = $info{$key}{'serial'};
+                                    if (open(PIPE,"openssl crl -inform PEM -text -in $crlfile | grep $serial |")) {
+                                        my $result = <PIPE>;
+                                        close(PIPE);
+                                        chomp($result);
+                                        if ($result ne '') {
+                                            $revoked{$key} = 1;
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                    if (($key eq 'host') || ($key eq 'hostname')) {
+                        my $csrfile = $file;
+                        $csrfile =~ s/\.pem$/.csr/;
+                        if (-e $csrfile) {
+                            if (open(PIPE,"openssl req -noout -modulus -in $csrfile |openssl md5 |")) {
+                                my $csrhash = <PIPE>;
+                                close(PIPE);
+                                chomp($csrhash);
+                                if ((!-e $file) || ($csrhash ne $md5hash{$key}) || ($expired{$key}) ||
+                                    ($wrongcn{$key}) || ($revoked{$key})) {
+                                    Crypt::PKCS10->setAPIversion(1);
+                                    my $decoded = Crypt::PKCS10->new( $csrfile,(PEMonly => 1, readFile => 1));
+                                    if (ref($decoded)) {
+                                        if ($decoded->commonName() eq $expected_cn{$key}) {
+                                            $info{$key.'-csr'}{'cn'} = $decoded->commonName();
+                                            $info{$key.'-csr'}{'alg'} = $decoded->pkAlgorithm();
+                                            $info{$key.'-csr'}{'email'} = $decoded->emailAddress();
+                                            my $params = $decoded->subjectPublicKeyParams();
+                                            if (ref($params) eq 'HASH') {
+                                                $info{$key.'-csr'}{'size'} = $params->{keylen};
+                                            }
+                                            $md5hash{$key.'-csr'} = $csrhash;
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 }
@@ -880,13 +933,30 @@ sub server_certs {
     foreach my $key ('host','hostname') {
         if ($md5hash{$key}) {
             if ($md5hash{$key} eq $md5hash{'key'}) {
-                $info{$key}{'status'} = 'ok';
+                if ($revoked{$key}) {
+                    $info{$key}{'status'} = 'revoked';
+                } elsif ($expired{$key}) {
+                    $info{$key}{'status'} = 'expired';
+                } elsif ($wrongcn{$key}) {
+                    $info{$key}{'status'} = 'wrongcn';
+                } else {
+                    $info{$key}{'status'} = 'ok';
+                }
             } elsif ($info{'key'}{'status'} =~ /ok/) {
                 $info{$key}{'status'} = 'otherkey';
             } else {
                 $info{$key}{'status'} = 'nokey';
             }
         }
+        if ($md5hash{$key.'-csr'}) {
+            if ($md5hash{$key.'-csr'} eq $md5hash{'key'}) {
+                $info{$key.'-csr'}{'status'} = 'ok';
+            } elsif ($info{'key'}{'status'} =~ /ok/) {
+                $info{$key.'-csr'}{'status'} = 'otherkey';
+            } else {
+                $info{$key.'-csr'}{'status'} = 'nokey';
+            }
+        }
     }
     my $result;
     foreach my $key (keys(%info)) {