File:
[LON-CAPA] /
loncom /
CrGenerate.pl
Revision
1.4:
download - view:
text,
annotated -
select for diffs
Wed Jun 30 11:14:35 2004 UTC (20 years, 2 months ago) by
foxr
Branches:
MAIN
CVS tags:
HEAD
Implement:
GenerateRequest - Generate the hostkey and the certificate request for
the host.
InstallKey - Install the host key, if necessary creating the
target directory.
Note that keys are locked down tight, even the encoded key. This is because:
- The encoded key's passphrase is 'well known'.
- The decoded key can be used to forge signatures certificates etc. and that would be
bad.
#!/usr/bin/perl
# The LearningOnline Network
# CrGenerate - Generate a loncapa certificate request.
#
# $Id: CrGenerate.pl,v 1.4 2004/06/30 11:14:35 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
#
# This script:
# 1. Generates a private host key and certificate request/
# 2. Decodes the private host key
# 3. Installs the private host key with appropriate permissions
# in the appropriate directory (sorry to be vague about this, but
# the installation directory is determined by external configuration
# info).
# 4. Constructs an email to the loncapa cluster administrator
# consisting of a generic heading and the certificate request as a MIME
# attachment.
# 5. Sends the email and
# 6. Cleans up after itself by removing any temp files generated.
#
#
# Import section:
use strict;
use MIME::Entity;
use Mail::Mailer;
use LONCAPA::Configuration;
use File::Copy;
# Global variable declarations:4
my $SSLCommand; # Full path to openssl command.
my $CertificateDirectory; # LONCAPA Certificate directory.
my $KeyFilename; # Key filename (within CertificateDirectory).
my $RequestEmail; # Email address of loncapa cert admin.
my $WebUID; # UID of web user.
my $WebGID; # GID of web user.
my $Passphrase="loncapawhatever"; # Initial passphrase for keyfile
my $RequestFile="loncapaRequest.pem"; # Name of Certificate request file.
my $EncodedKey="hostkey.pem"; # Name of encoded key file.
my $WebUser="www"; # Username running the web server.
my $WebGroup="www"; # Group name running the web server.
# Debug/log support:
#
my $DEBUG = 1; # 1 for on, 0 for off.
# Send debugging to stderr.
# Parameters:
# msg - Message to send to stderr.
# Implicit Inputs:
# $DEBUG - message is only written if this is true.
#
sub Debug {
my $msg = shift;
if($DEBUG) {
print STDERR "$msg\n";
}
}
#
# Read the LonCAPA web config files to get the values of the
# configuration global variables we need:
# Implicit inputs:
# loncapa.conf - configuration file to read (user specific).
# Implicit outputs (see global variables section):
# SSLCommand,
# CertificateDirectory
# KeyfileName
# RequestEmail
# Side-Effects:
# Exit with error if cannot complete.
#
sub ReadConfig {
Debug("Reading configuration");
my $perlvarref = LONCAPA::Configuration::read_conf('loncapa.conf');
# Name of the SSL Program
if($perlvarref->{SSLProgram}) {
$SSLCommand = $perlvarref->{SSLProgram};
Debug("SSL Command: $SSLCommand");
}
else {
die "Unable to read the SSLCommand configuration option\n";
}
# Where the certificates, and host key are installed:
if($perlvarref->{lonCertificateDirectory}) {
$CertificateDirectory = $perlvarref->{lonCertificateDirectory};
Debug("Local certificate Directory: $CertificateDirectory");
}
else {
die "Unable to read SSLDirectory configuration option\n";
}
# The name of the host key file (to be installed in SSLDirectory).
#
if($perlvarref->{lonnetPrivateKey}) {
$KeyFilename = $perlvarref->{lonnetPrivateKey};
Debug("Private key will be installed as $KeyFilename");
}
else {
die "Unable to read lonnetPrivateKey conrig paraemter\n";
}
# The email address to which the certificate request is sent:
if($perlvarref->{SSLEmail}) {
$RequestEmail = $perlvarref->{SSLEmail};
Debug("Certificate request will be sent to $RequestEmail");
}
else {
die "Could not read SSLEmail coniguration key";
}
# The UID/GID of the web user: It's possible the web user's
# GID is not its primary, so we'll translate that form the
# group file separately.
my ($login, $pass, $uid, $gid) = getpwnam($WebUser);
if($uid) {
$WebUID = $uid;
Debug("Web user: $WebUser -> UID: $WebUID");
}
else {
die "Could not translate web user: $WebUser to a uid.";
}
my $gid = getgrnam($WebGroup);
if($gid) {
$WebGID = $gid;
Debug("Web group: $WebGroup -> GID $WebGID");
}
else {
die "Unable to translate web group $WebGroup to a gid.";
}
}
#
# Generate a certificate request.
# The openssl command is issued to create a local host key and
# a certificate request. The key is initially encoded.
# We will eventually decode this, however, since the key
# passphrase is open source we'll protect even the initial
# encoded key file too. We'll need to decode the keyfile since
# otherwise, openssl will need a passphrase everytime an ssl connection
# is created (ouch).
# Implicit Inputs:
# Passphrase - Initial passphrase for the encoded key.
# RequestFile - Filename of the certificate request.
# EncodedKey - Filename of the encoded key file.
#
# Side-Effects:
#
sub GenerateRequest {
Debug("Generating the request and key");
print "We are now going to generate the certificate request\n";
print "You will be prompted by openssl for several pieces of \n";
print "information. Most of this information is for documentation\n";
print "purposes only, so it's not critical if you make a mistake.\n";
print "However: The generated certificate will be sent to the \n";
print "Email address you provide, and you should leave the optional\n";
print "Challenge password blank.\n";
my $requestcmd = $SSLCommand." req -newkey rsa:1024 "
." -keyout hostkey.pem "
." -keyform PEM "
." -out request.pem "
." -outform PEM "
." -passout pass:$Passphrase";
my $status = system($requestcmd);
if($status) {
die "Certificate request generation failed: $status";
}
chmod(0600, "hostkey.pem"); # Protect key since passphrase is opensrc.
Debug("Decoding the key");
my $decodecmd = $SSLCommand." rsa -in hostkey.pem"
." -out hostkey.dec"
." -passin pass:$Passphrase";
my $status = system($decodecmd);
if($status) {
die "Host key decode failed";
}
chmod(0600, "hostkey.dec"); # Protect the decoded hostkey.
Debug("Done");
}
#
# Installs the decoded host key (hostkey.dec) in the
# certificate directory with the correct permissions.
#
# Implicit Inputs:
# hostkey.dec - the name of the host key file.
# $CertificateDirectory - where the key file gets installed
# $KeyFilename - Final name of the key file.
# $WebUser - User who should own the key file.
# $WebGroup - Group who should own the key file.
# 0400 - Permissions to give to the installed key
# file.
# 0700 - Permissions given to the certificate
# directory if created.
# Side-Effects:
# If necessary, $CertificateDirectory is created.
# $CertificateDirectory/$KeyFilename is ovewritten with the
# contents of hostkey.dec in the cwd.
#
sub InstallKey {
Debug("InstallKey");
Debug("Need to create certificate directory?");
if(!(-d $CertificateDirectory)) {
Debug("Creating");
mkdir($CertificateDirectory, 0700);
chown($WebUID, $WebGID, $CertificateDirectory);
}
else {
Debug("Exists");
}
Debug("Installing the key file:");
my $FullKeyPath = $CertificateDirectory."/".$KeyFilename;
copy("hostkey.dec", $FullKeyPath);
Debug("Setting ownership and permissions");
chmod(0400, $FullKeyPath);
chown($WebUID, $WebGID, $FullKeyPath);
Debug("Done");
}
sub MailRequest {}
sub Cleanup {}
# Entry point:
Debug("Starting program");
ReadConfig; # Read loncapa apache config file.
GenerateRequest; # Generate certificate request.
InstallKey; # Install the user's key.
MailRequest; # Mail certificate request to loncapa
Cleanup; # Cleanup temp files created.
Debug("Done");
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>