--- loncom/Lond.pm 2018/12/22 17:06:02 1.14 +++ loncom/Lond.pm 2019/07/11 18:12:01 1.15 @@ -1,6 +1,6 @@ # The LearningOnline Network # -# $Id: Lond.pm,v 1.14 2018/12/22 17:06:02 raeburn Exp $ +# $Id: Lond.pm,v 1.15 2019/07/11 18:12:01 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -37,7 +37,9 @@ use lib '/home/httpd/lib/perl/'; use LONCAPA; use Apache::lonnet; use GDBM_File; +use MIME::Base64; use Crypt::OpenSSL::X509; +use Crypt::X509::CRL; use Crypt::PKCS10; sub dump_with_regexp { @@ -819,25 +821,77 @@ sub server_certs { host => 'lonnetCertificate', hostname => 'lonnetHostnameCertificate', ca => 'lonnetCertificateAuthority', + crl => 'lonnetCertRevocationList', ); - my (%md5hash,%expected_cn,%expired,%revoked,%wrongcn,%info,$crlfile); + my (%md5hash,%expected_cn,%expired,%revoked,%wrongcn,%info,$crlfile,$cafile, + %rvkcerts,$numrvk); %info = ( key => {}, ca => {}, host => {}, hostname => {}, - ); + crl => {}, + ); + my @ordered = ('crl','key','ca','host','hostname'); if (ref($perlvar) eq 'HASH') { $expected_cn{'host'} = $Apache::lonnet::serverhomeIDs{$hostname}; $expected_cn{'hostname'} = 'internal-'.$hostname; my $certsdir = $perlvar->{'lonCertificateDirectory'}; if (-d $certsdir) { - $crlfile = $certsdir.'/'.$perlvar->{'lonnetCertRevocationList'}; - foreach my $key (keys(%pemfiles)) { + $crlfile = $certsdir.'/'.$perlvar->{$pemfiles{'crl'}}; + $cafile = $certsdir.'/'.$perlvar->{$pemfiles{'ca'}}; + foreach my $key (@ordered) { if ($perlvar->{$pemfiles{$key}}) { my $file = $certsdir.'/'.$perlvar->{$pemfiles{$key}}; if (-e $file) { - if ($key eq 'key') { + if ($key eq 'crl') { + if ((-e $crlfile) && (-e $cafile)) { + if (open(PIPE,"openssl crl -in $crlfile -inform pem -CAfile $cafile -noout 2>&1 |")) { + my $crlstatus = ; + close(PIPE); + chomp($crlstatus); + if ($crlstatus =~ /OK/) { + $info{$key}{'status'} = 'ok'; + $info{$key}{'details'} = 'CRL valid for CA'; + } + } + } + if (open(my $fh,'<',$crlfile)) { + my $pem_crl = ''; + while (my $line=<$fh>) { + chomp($line); + next if ($line eq '-----BEGIN X509 CRL-----'); + next if ($line eq '-----END X509 CRL-----'); + $pem_crl .= $line; + } + close($fh); + my $der_crl = MIME::Base64::decode_base64($pem_crl); + if ($der_crl ne '') { + my $decoded = Crypt::X509::CRL->new( crl => $der_crl ); + if ($decoded->error) { + $info{$key}{'status'} = 'error'; + } elsif (ref($decoded)) { + $info{$key}{'start'} = $decoded->this_update; + $info{$key}{'end'} = $decoded->next_update; + $info{$key}{'alg'} = $decoded->SigEncAlg.' '.$decoded->SigHashAlg; + $info{$key}{'cn'} = $decoded->issuer_cn; + $info{$key}{'email'} = $decoded->issuer_email; + $info{$key}{'size'} = $decoded->signature_length; + my $rlref = $decoded->revocation_list; + if (ref($rlref) eq 'HASH') { + foreach my $key (keys(%{$rlref})) { + my $hkey = sprintf("%X",$key); + $rvkcerts{$hkey} = 1; + } + $numrvk = scalar(keys(%{$rlref})); + if ($numrvk) { + $info{$key}{'details'} .= " ($numrvk revoked)"; + } + } + } + } + } + } elsif ($key eq 'key') { if (open(PIPE,"openssl rsa -noout -in $file -check |")) { my $check = ; close(PIPE); @@ -882,7 +936,7 @@ sub server_certs { $info{$key}{'alg'} = $x509->sig_alg_name(); $info{$key}{'size'} = $x509->bit_length(); $info{$key}{'email'} = $x509->email(); - $info{$key}{'serial'} = $x509->serial(); + $info{$key}{'serial'} = uc($x509->serial()); $info{$key}{'issuerhash'} = $x509->issuer_hash(); if ($x509->checkend(0)) { $expired{$key} = 1; @@ -891,15 +945,9 @@ sub server_certs { if ($info{$key}{'cn'} ne $expected_cn{$key}) { $wrongcn{$key} = 1; } - if ((-e $crlfile) && ($info{$key}{'serial'} =~ /^\w+$/)) { - my $serial = $info{$key}{'serial'}; - if (open(PIPE,"openssl crl -inform PEM -text -in $crlfile | grep $serial |")) { - my $result = ; - close(PIPE); - chomp($result); - if ($result ne '') { - $revoked{$key} = 1; - } + if (($numrvk) && ($info{$key}{'serial'})) { + if ($rvkcerts{$info{$key}{'serial'}}) { + $revoked{$key} = 1; } } }