Red Hat Bugzilla – Attachment 299430 Details for Bug 346731: Port crypto-utils to use NSS library for cryptography
Description: source diff
Filename: crypto-utils.nss.patch
MIME Type: text/x-patch
Creator: Elio Maldonado Batiz
Created: 2008-03-28 03:40:40 UTC
Size: 40.37 KB
Flags: patch, obsolete
>diff -up crypto-utils/devel/Makefile.orig crypto-utils/devel/Makefile >--- crypto-utils/devel/Makefile.orig 2008-02-22 13:34:22.000000000 -0800 >+++ crypto-utils/devel/Makefile 2008-03-24 08:55:43.000000000 -0700 >@@ -20,13 +20,18 @@ endif > > include $(MAKEFILE_COMMON) > >-certwatch: certwatch.c >- gcc -Wall -Werror -O2 -g $< -o $@ -lcrypto >+certwatch: certwatch.c pemutil.c traceutil.c >+ gcc -Wall -Werror -O2 -g $^ -o $@ \ >+ -lnspr4 -lnss3 -I/usr/include/nspr4 -I/usr/include/nss3 > > test-certwatch: certwatch > ./certwatch > >-genkey: genkey.pl Makefile >+keyutil: keyutil.c >+ gcc -Wall -Werror -O2 -g $< -o $@ \ >+ -lnspr4 -lnss3 -I/usr/include/nspr4 -I/usr/include/nss3 >+ >+genkey: genkey.pl keyutil Makefile > sed -e "s|^\$$bindir.*$$|\$$bindir = \"/usr/bin\";|" \ > -e "s|^\$$ssltop.*$$|\$$ssltop = \"$(PWD)\";|" \ > -e "s|^\$$sslconf.*$$|\$$sslconf = \"/etc/pki/tls/openssl.cnf\";|" \ 
>@@ -40,6 +45,27 @@ test-genkey: genkey > mkdir -p certs private > ./genkey --test `hostname` > >+######################################################################### >+# FIXME -- Test targets, some require a database and dump temporay files >+######################################################################### >+test-genkey-db: genkey Makefile >+ mkdir -p certs private >+ ./genkey --test --verbose --password=0 --usenssdb --directory=/etc/http/alias `hostname` >+ >+test-genreq: genkey Makefile >+ perl ./genkey --genreq --verbose `hostname` >+ >+test-genreq-db: genkey Makefile >+ perl ./genkey --genreq --verbose --password=0 --usenssdb --directory=/etc/http/alias `hostname` >+ >+test-makeca: genkey Makefile >+ perl ./genkey --makeca --verbose --password=0 --directory=/etc/http/alias MYCA >+ >+test-makeca-using-db: genkey Makefile >+ perl ./genkey --makeca --verbose --password=0 --makeca --usenssdb --directory=/etc/http/alias MYCA >+ >+######################################################################### >+ > date.xml: > date +"%e %B %Y" | tr -d '\n' > $@ > >diff -up crypto-utils/devel/genkey.xml.orig crypto-utils/devel/genkey.xml >--- crypto-utils/devel/genkey.xml.orig 2007-10-30 09:15:10.000000000 -0700 >+++ crypto-utils/devel/genkey.xml 2008-03-23 18:03:40.000000000 -0700 >@@ -35,6 +35,12 @@ > <arg><option>--genreq</option></arg> > <arg><option>--makeca</option></arg> > </group> >+ <group> >+ <arg><option>--usenssdb</option></arg> >+ <arg><option>--certdir</option></arg> >+ <arg><option>--password</option> >+ <arg><option>--pwdfile</option></arg> >+ </group> > <arg choice="req"><replaceable>hostname</replaceable></arg> > </cmdsynopsis> > </refsynopsisdiv> 
>@@ -47,7 +53,8 @@ > Signing Requests (CSR). Generated certificates are stored in the > directory <filename>/etc/pki/tls/certs/</filename>, and the > corresponding private key in >- <filename>/etc/pki/tls/private/</filename>. </para> >+ <filename>/etc/pki/tls/private/</filename>. If using nss >+ they are stored in the nss key and certficate databases. </para> > > <para><command>genkey</command> will prompt for the size of key > desired; whether or not to generate a CSR; whether or not an >@@ -58,6 +65,18 @@ > private key using the truerand library and also by prompting the > user for entry of random text.</para> > >+ <para><option>usenssdb</option> indicates that nss database >+ should be used.</para> >+ >+ <para><option>certdir</option> specifies the location of the >+ nss database when usingnssdb is set.</para> >+ >+ <para><option>password</option> supply a password to the data- >+ base module.</para> >+ >+ <para><option>pwdfile</option> specifies a text file containing the >+ passphrase required to acces the key database if so configured.</para> >+ > </refsect1> > > <refsect1> >diff -up crypto-utils/devel/certwatch.c.orig crypto-utils/devel/certwatch.c >--- crypto-utils/devel/certwatch.c.orig 2008-02-22 13:33:13.000000000 -0800 >+++ crypto-utils/devel/certwatch.c 2008-03-24 08:52:47.000000000 -0700 
>@@ -27,13 +27,63 @@ > > */ > >+/* ***** BEGIN LICENSE BLOCK ***** >+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 >+ * >+ * The contents of this file are subject to the Mozilla Public License Version >+ * 1.1 (the "License"); you may not use this file except in compliance with >+ * the License. You may obtain a copy of the License at >+ * http://www.mozilla.org/MPL/ >+ * >+ * Software distributed under the License is distributed on an "AS IS" basis, >+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License >+ * for the specific language governing rights and limitations under the >+ * License. >+ * >+ * The Original Code is the Netscape security libraries. >+ * >+ * The Initial Developer of the Original Code is >+ * Netscape Communications Corporation. >+ * Portions created by the Initial Developer are Copyright (C) 1994-2000 >+ * the Initial Developer. All Rights Reserved. >+ * >+ * Contributor(s): >+ * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories >+ * >+ * Alternatively, the contents of this file may be used under the terms of >+ * either the GNU General Public License Version 2 or later (the "GPL"), or >+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), >+ * in which case the provisions of the GPL or the LGPL are applicable instead >+ * of those above. If you wish to allow use of your version of this file only >+ * under the terms of either the GPL or the LGPL, and not to allow others to >+ * use your version of this file under the terms of the MPL, indicate your >+ * decision by deleting the provisions above and replace them with the notice >+ * and other provisions required by the GPL or the LGPL. If you do not delete >+ * the provisions above, a recipient may use your version of this file under >+ * the terms of any one of the MPL, the GPL or the LGPL. 
>+ * >+ * ***** END LICENSE BLOCK ***** */ >+ >+ > /* $Id: certwatch.c,v 1.10 2007/08/23 10:09:40 jorton Exp $ */ > > /* Certificate expiry warning generation code, based on code from > * Stronghold. Joe Orton <jorton@redhat.com> */ > >-#include <openssl/x509.h> >-#include <openssl/pem.h> >+/* Replaced usage of OpenSSL with NSS calls. >+ * Elio Maldonado <emaldona@redhat.com> */ >+ >+#include <nspr.h> >+#include <nss.h> >+#include <cert.h> >+#include <certt.h> >+#include <prlong.h> >+#include <prtime.h> >+#include <pk11func.h> >+#include <assert.h> >+#include <secmod.h> >+#include <base64.h> >+#include <seccomon.h> > > #include <stdio.h> > #include <string.h> 
>@@ -41,47 +91,113 @@ > #include <getopt.h> > #include <time.h> > >+ >+/* >+extern int ossl_get_cert_times(const char *filename, time_t *begin, time_t *end); >+extern void DumpTime(PRTime time, PRFileDesc *outfile); >+*/ >+extern char * AsciiTime(PRTime time); >+ >+/* Return a certificate structure from a pem-encoded cert in a file; >+ * or NULL on failure. Semantics similar to the OpenSSL call >+ * PEM_read_X509(fp, NULL, NULL, NULL); >+ */ >+extern CERTCertificate * >+PEMUTIL_PEM_read_X509(const char *filename); >+ >+/* size big enough for formatting time buffer */ >+#define TIME_SIZE 30 >+ > static int warn_period = 30; > static char *warn_address = "root"; > >-/* Turn an ASN.1 UTCTIME object into a time_t. */ >-static time_t decode_utctime(const ASN1_UTCTIME *utc) >+/* Uses the password passed in the -f(pwfile) argument of the command line. >+ * After use once, null it out otherwise PKCS11 calls us forever.? >+ * >+ * Code based on SECU_GetModulePassword from the Mozilla NSS secutils >+ * imternal librart. 
>+ */ >+static char *GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) > { >- struct tm tm = {0}; >- int i = utc->length; >+ int i; >+ unsigned char phrase[200]; >+ PRFileDesc *fd; >+ PRInt32 nb; >+ char *pwFile = arg; >+ >+ if (!pwFile) return 0; >+ if (retry) return 0; /* no good retrying - file contents will be the same */ >+ if (!(fd = PR_Open(pwFile, PR_RDONLY, 0))) return 0; > >- if (i < 10) >- return -1; >- for (i = 0; i < 10; i++) >- if ((utc->data[i] > '9') || (utc->data[i] < '0')) >- return -1; >- >- tm.tm_year = (utc->data[0]-'0') * 10 + (utc->data[1]-'0'); >- >- /* Deal with Year 2000 like eay did */ >- if (tm.tm_year < 70) >- tm.tm_year += 100; >- >- tm.tm_mon = (utc->data[2]-'0') * 10 + (utc->data[3]-'0') - 1; >- tm.tm_mday = (utc->data[4]-'0') * 10 + (utc->data[5]-'0'); >- tm.tm_hour = (utc->data[6]-'0') * 10 + (utc->data[7]-'0'); >- tm.tm_min = (utc->data[8]-'0') * 10 + (utc->data[9]-'0'); >- tm.tm_sec = (utc->data[10]-'0') * 10 + (utc->data[11]-'0'); >+ nb = PR_Read(fd, phrase, sizeof(phrase)); >+ PR_Close(fd); >+ >+ /* handle the Windows EOL case */ >+ i = 0; >+ while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; >+ phrase[i] = '\0'; >+ if (nb == 0) return NULL; > >- return mktime(&tm) - timezone; >+ return (char*) PORT_Strdup((char*)phrase); >+} >+ >+/* Returns the difference in days between two times in the same year. */ >+int days_diff(PRTime end, PRTime start) >+{ >+ PRExplodedTime explodedEnd; >+ PRExplodedTime explodedStart; >+ PRTime prtimeDiff; >+ int diff_sec; >+ >+ PR_ExplodeTime(end, PR_GMTParameters, &explodedEnd); >+ PR_ExplodeTime(start, PR_GMTParameters, &explodedStart); >+ >+ if (explodedEnd.tm_year == explodedStart.tm_year) >+ return (explodedEnd.tm_yday - explodedStart.tm_yday); >+ >+ LL_SUB(prtimeDiff, end, start); >+ LL_L2I(diff_sec, prtimeDiff); >+ >+ return diff_sec; >+} >+ >+/* Format a PRTime value into a buffer with format "%a %b %d %H:%M:%S %Y"; >+ * semantics are those of ctime_r(). 
*/ >+char *pr_ctime(PRTime time, char *buf, int size) >+{ >+ PRUint32 bytesCopied; >+ PRExplodedTime et; >+ PR_ExplodeTime(time, PR_GMTParameters, &et); >+ bytesCopied = PR_FormatTime(buf, size, "%a %b %d %H:%M:%S %Y", &et); >+ if (!bytesCopied) return NULL; >+ return buf; > } > > /* Print a warning message that the certificate in 'filename', issued > * to hostname 'hostname', will expire (or has expired). */ > static int warning(FILE *out, const char *filename, const char *hostname, >- time_t start, time_t end, time_t now, int quiet) >+ SECCertTimeValidity validity, >+ PRTime start, PRTime end, PRTime now, int quiet) > { >- int renew = 1, days = (end - now) / (3600 * 24); /* days till expiry */ >+ /* Note that filename can be the cert nickname. */ >+ int renew = 1, days; /* days till expiry */ > char subj[50]; >- >- if (start > now) { >+ PRTime prtimeDiff; >+ >+ LL_SUB(prtimeDiff, end, start); >+ >+ printf("not before %s\n", AsciiTime(start)); >+ printf("not after %s\n", AsciiTime(end)); >+ printf("and now is %s\n", AsciiTime(now)); >+ >+ LL_SUB(prtimeDiff, end, start); >+ LL_L2I(days, prtimeDiff); >+ days = (days) / (3600 * 24) - FUDGE_FACTOR; >+ >+ if ( LL_CMP(start, >, now) ) { > strcpy(subj, "is not yet valid"); > renew = 0; >+ /* > } else if (days < 0) { > strcpy(subj, "has expired"); > } else if (days == 0) { >@@ -90,6 +206,13 @@ static int warning(FILE *out, const char > sprintf(subj, "will expire tomorrow"); > } else if (days < warn_period) { > sprintf(subj, "will expire in %d days", days); >+ */ >+ } else if (LL_EQ(now, end)) { >+ strcpy(subj, "will expire today"); >+ } else if (LL_EQ(prtimeDiff, 1)) { >+ sprintf(subj, "will expire tomorrow"); >+ } else if (LL_CMP(prtimeDiff, <, warn_period)) { >+ sprintf(subj, "will expire on %s", AsciiTime(end)); > } else { > return 0; /* nothing to warn about. */ > } 
>@@ -104,7 +227,7 @@ static int warning(FILE *out, const char > " ################# SSL Certificate Warning ################\n\n"); > > fprintf(out, >- " Certificate for hostname '%s', in file:\n" >+ " Certificate for hostname '%s', in file (or by nickname):\n" > " %s\n\n", > hostname, filename); > >@@ -115,9 +238,10 @@ static int warning(FILE *out, const char > " web site using SSL until the certificate is renewed.\n", > out); > } else { >- char until[30] = "(unknown date)"; >- ctime_r(&start, until); >- if (strlen(until) > 2) until[strlen(until)-1] = '\0'; >+ char until[TIME_SIZE]; /* assume big enough */ >+ char *result = pr_ctime(start, until, TIME_SIZE); >+ assert(result == until); >+ if (strlen(until) < sizeof(until)) until[strlen(until)] = '\0'; > fprintf(out, > " The certificate is not valid until %s.\n\n" > " Browsers will not be able to correctly connect to this\n" 
>@@ -133,56 +257,71 @@ static int warning(FILE *out, const char > } > > /* Extract the common name of 'cert' into 'buf'. */ >-static int get_common_name(X509 *cert, char *buf, size_t bufsiz) >+static int get_common_name(CERTCertificate *cert, char *buf, size_t bufsiz) > { >- X509_NAME *name = X509_get_subject_name(cert); >- >+ /* FIXME --- truncating names with spaces */ >+ size_t namelen; >+ char *name = CERT_GetCommonName(&cert->subject); > if (!name) return -1; > >- return X509_NAME_get_text_by_NID(name, NID_commonName, buf, bufsiz) == -1; >+ namelen = strlen(name); >+ if (bufsiz < namelen+1) return -1; >+ >+ strncpy(buf, name, namelen); >+ buf[namelen] = '\0'; >+ PORT_Free(name); >+ return 0; > } > >-/* Check whether the certificate in filename 'filename' has expired; >+/* Check whether the certificate in filename 'name' has expired; > * issue a warning message if 'quiet' is zero. If quiet is non-zero, > * returns one to indicate that a warning would have been issued, zero >- * to indicate no warning would be issued, or -1 if an error >- * occurred. */ >-static int check_cert(const char *filename, int quiet) >-{ >- X509 *cert; >- FILE *fp; >- ASN1_UTCTIME *notAfter, *notBefore; >- time_t begin, end, now; >+ * to indicate no warning would be issued, or -1 if an error >+ * occurred. >+ * >+ * When byNickname is 1 then 'name' is a nickname to search >+ * for in the database otherwise it's the certificate file. >+ */ >+static int check_cert(const char *name, int byNickname, int quiet) >+{ >+ CERTCertificate *cert; >+ SECCertTimeValidity validity; >+ PRTime notBefore, notAfter; > char cname[128]; >+ >+ int doWarning = 0; > > /* parse the cert */ >- if ((fp = fopen(filename, "r")) == NULL) return -1; >- cert = PEM_read_X509(fp, NULL, NULL, NULL); >- fclose(fp); >+ cert = byNickname >+ ? CERT_FindCertByNickname(CERT_GetDefaultCertDB(), (char *)name) >+ : PEMUTIL_PEM_read_X509(name); > if (cert == NULL) return -1; > > /* determine the validity period of the cert. 
*/ >- notAfter = X509_get_notAfter(cert); >- notBefore = X509_get_notBefore(cert); >- >- /* get time_t's out of X509 times */ >- begin = decode_utctime(notBefore); >- end = decode_utctime(notAfter); >- now = time(NULL); >- if (end == -1 || begin == -1 || now == -1) return -1; >+ validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE); >+ if (validity == secCertTimeUndetermined) goto cleanup; > >+ /* get times out of the cert */ >+ if (CERT_GetCertTimes(cert, ¬Before, ¬After) >+ != SECSuccess) goto cleanup; >+ > /* find the subject's commonName attribute */ > if (get_common_name(cert, cname, sizeof cname)) >- return -1; >- >- X509_free(cert); >+ goto cleanup; > >- /* don't warn about the automatically generate certificate */ >+ /* don't warn about the automatically generated certificate */ > if (strcmp(cname, "localhost") == 0 || > strcmp(cname, "localhost.localdomain") == 0) >- return -1; >+ goto cleanup; > >- return warning(stdout, filename, cname, begin, end, now, quiet); >+ doWarning = 1; /* ok so far, may do the warning */ >+ >+cleanup: >+ if (cert) CERT_DestroyCertificate(cert); >+ if (!doWarning) return -1; >+ >+ return warning(stdout, name, cname, validity, >+ notBefore, notAfter, PR_Now(), quiet); > } > > int main(int argc, char **argv) 
>@@ -192,14 +331,25 @@ int main(int argc, char **argv) > { "quiet", no_argument, NULL, 'q' }, > { "period", required_argument, NULL, 'p' }, > { "address", required_argument, NULL, 'a' }, >+ { "configdir", required_argument, NULL, 'd' }, >+ { "passwordfile", required_argument, NULL, 'w' }, >+ { "certdbprefix", required_argument, NULL, 'w' }, >+ { "keydbprexix", required_argument, NULL, 'w' }, > { NULL } > }; > >+ char *certDBPrefix = ""; >+ char *keyDBPrefix = ""; >+ >+ char *configdir = NULL; /* contains the cert database */ >+ char *passwordfile = NULL; /* module password file */ >+ int byNickname = 0; /* whether to search by nickname */ >+ > /* The 'timezone' global is needed to adjust local times from > * mktime() back to UTC: */ > tzset(); > >- while ((optc = getopt_long(argc, argv, "qp:a:", options, NULL)) != -1) { >+ while ((optc = getopt_long(argc, argv, "qp:a:d:w:", options, NULL)) != -1) { > switch (optc) { > case 'q': > quiet = 1; 
>@@ -210,11 +360,50 @@ int main(int argc, char **argv) > case 'a': > warn_address = strdup(optarg); > break; >+ case 'd': >+ configdir = strdup(optarg); >+ byNickname = 1; >+ break; >+ case 'w': >+ passwordfile = strdup(optarg); >+ break; >+ case 'c': >+ certDBPrefix = strdup(optarg); >+ break; >+ case 'k': >+ keyDBPrefix = strdup(optarg); >+ break; > default: > exit(2); > break; > } > } >+ >+ /* NSS initialization */ >+ >+ if (byNickname) { >+ /* cert in database */ >+ if (NSS_Initialize(configdir, certDBPrefix, keyDBPrefix, >+ SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) { >+ return EXIT_FAILURE; >+ } >+ /* in case module requires a password */ >+ if (passwordfile) { >+ PK11_SetPasswordFunc(GetModulePassword); >+ } >+ } else { >+ /* cert in a pem file */ >+ char *certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ >+ if (!certDir) { >+ certDir = "/etc/pki/nssdb"; >+ } >+ if (NSS_Initialize(certDir, certDBPrefix, keyDBPrefix, >+ SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) { >+ printf("NSS_Init(\"%s\") failed\n", certDir); >+ return EXIT_FAILURE; >+ } >+ } > >- return check_cert(argv[optind], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE; >+ /* When byNickname is 1 argv[optind] is a nickname otherwise a filename. */ >+ return check_cert(argv[optind], byNickname, quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE; > } >diff -up crypto-utils/devel/crypto-utils.spec.orig crypto-utils/devel/crypto-utils.spec >--- crypto-utils/devel/crypto-utils.spec.orig 2008-03-17 20:29:02.000000000 -0700 >+++ crypto-utils/devel/crypto-utils.spec 2008-03-16 14:20:14.000000000 -0700 >@@ -4,7 +4,7 @@ > Summary: SSL certificate and key management utilities > Name: crypto-utils > Version: 2.3 >-Release: 9 >+Release: 11 > Source: crypto-rand-%{crver}.tar.gz > Source1: genkey.pl > Source2: certwatch.c 
>@@ -14,13 +14,16 @@ Source5: genkey.xml > Source6: keyrand.c > Source7: COPYING > Source8: keyrand.xml >+Source9: pemutil.c > Group: Applications/System > License: MIT and GPLv2+ > BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root > BuildRequires: openssl-devel, pkgconfig, newt-devel, xmlto > BuildRequires: perl-devel, perl(Newt), perl(ExtUtils::MakeMaker) >+BuildRequires: nss-devel > Requires: perl(Newt), openssl >= 0.9.7f-4 > Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)") >+Requires: nss, nspr > Obsoletes: crypto-rand > > %description >@@ -32,10 +35,11 @@ SSL certificates and keys. > > %build > %configure --with-newt=%{_prefix} CFLAGS="$CFLAGS -fPIC" >+%configure --with-nss=%{_prefix} CFLAGS="$CFLAGS -fPIC" > make -C librand > >-cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl \ >- $RPM_SOURCE_DIR/certwatch.c -o certwatch -lcrypto >+cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \ >+ $RPM_SOURCE_DIR/certwatch.c $RPM_SOURCE_DIR/pemutil.c -o certwatch -lcrypto -lnspr4 -lnss3 > > cc $RPM_OPT_FLAGS -Wall -Werror \ > $RPM_SOURCE_DIR/keyrand.c -o keyrand -lnewt >@@ -110,6 +114,9 @@ chmod -R u+w $RPM_BUILD_ROOT > %{perl_vendorarch}/auto/Crypt > > %changelog >+* Mon Mar 3 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.3-10 >+- rebuild for new perl again >+ > * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.3-9 > - Autorebuild for GCC 4.3 > >diff -up crypto-utils/devel/certwatch.cron.orig crypto-utils/devel/certwatch.cron >--- crypto-utils/devel/certwatch.cron.orig 2008-02-22 13:33:35.000000000 -0800 >+++ crypto-utils/devel/certwatch.cron 2008-03-16 16:12:10.000000000 -0700 
>@@ -6,6 +6,47 @@ > # CERTWATCH_OPTS variable; see the man page for details. > # > >+# For certificates in pem files >+test_files() >+{ >+ test -x /etc/httpd/modules/mod_ssl.so || return 0 >+ test -r /etc/httpd/conf/httpd.conf || return 0 >+ >+ set -o pipefail # pick up exit code of httpd not sort >+ >+ certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u` >+ RETVAL=$? >+ test $RETVAL -eq 0 || return >+ >+ for c in $certs; do >+ # Check whether a warning message is needed, then issue one if so. >+ /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" && >+ /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null >+ done >+} >+ >+# For certificates in the database >+test_database() >+{ >+ test -x /usr/bin/certutil || return 0 >+ test -x /usr/lib/httpd/modules/libmodnss.so || return 0 >+ test -r /etc/httpd/conf.d/nss.conf || return 0 >+ >+ # find path to mod_nss' database >+ database=`/usr/bin/gawk '/^NSSCertificateDatabase/ { print $2 }' /etc/httpd/conf.d/nss.conf` >+ >+ set -o pipefail # pick up exit code of certutil not gawk >+ nicknames=`certutil -L -d $database | /usr/bin/gawk '{ print $1 }'` >+ RETVAL=$? >+ test $RETVAL -eq 0 || return 0 >+ >+ for n in $nicknames; do >+ # Check whether a warning message is needed, then issue one if so. >+ /usr/bin/certwatch $CERTWATCH_OPTS -q -d "$database" "$n" && >+ /usr/bin/certwatch $CERTWATCH_OPTS -d "$database" "$n" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null >+ done >+} >+ > [ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd > > # Use configured httpd binary 
>@@ -15,19 +56,8 @@ httpd=${HTTPD-/usr/sbin/httpd} > test -z "${NOCERTWATCH}" || exit 0 > test -x ${httpd} || exit 0 > test -x /usr/bin/certwatch || exit 0 >-test -r /etc/httpd/conf/httpd.conf || exit 0 > test -x /usr/sbin/sendmail || exit 0 >-test -x /etc/httpd/modules/mod_ssl.so || exit 0 > test -x /bin/sort || exit 0 > >-set -o pipefail # pick up exit code of httpd not sort >- >-certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u` >-RETVAL=$? >-test $RETVAL -eq 0 || exit 0 >- >-for c in $certs; do >- # Check whether a warning message is needed, then issue one if so. >- /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" && >- /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null >-done >+test_files >+test_database >diff -up crypto-utils/devel/genkey.pl.orig crypto-utils/devel/genkey.pl >--- crypto-utils/devel/genkey.pl.orig 2007-10-30 09:15:10.000000000 -0700 >+++ crypto-utils/devel/genkey.pl 2008-03-24 08:52:33.000000000 -0700 >@@ -32,6 +32,7 @@ > # 200308 Adapted for Taroon > # 200308 Fix warnings in UTF-8 locale > # 200409 Added --days support >+# 200803 Added support for NSS > # > # > $bindir = "%INSTDIR%/bin"; 
>@@ -66,12 +67,32 @@ sub FinishRoot > > sub usage > { >+############################################# >+# Notes for reviewers: >+# >+# 1) Adding three options >+# --usenssdb, --directory, and --pwdfile, >+# to the command line is something I don't quite like. >+# It could be avoided at the cost of prompting the user >+# for that information. >+# >+# 2) I still have to think of a sensible default for the certdir. >+# 3) I'm assumning that asking for usenssdb without specifying a >+# password file means that nss should be used without any password. >+# > print STDERR <<EOH; > Usage: genkey [options] servername > --test Test mode, skip random data creation, overwrite existing key > --genreq Just generate a CSR from an existing key > --makeca Generate a private CA key instead > --days Days until expiry of self-signed certificate (default 30) >+ --password Use a password when using nss db (default 0 or true) >+ --usenssdb Use the nss database for keys and certificates >+ --directory Database directory containing the certificate and key database files (requires usenssdb) >+ --pwdfile Password file from which to extract the password to include in a certificate or >+ to access a certificate database. This is a plain-text file containing one password. >+ Be sure to prevent unauthorized access to this file. (requires usenssdb) >+ --verbose verbose with verification of the results (requires usenssdb) > EOH > exit 1; > } 
>@@ -114,19 +135,40 @@ sub RunForm > # main > # > >+my $SPACE = " "; > my $test_mode = ''; > my $genreq_mode = ''; > my $ca_mode = ''; > my $cert_days = 30; >+my $ca_days = 730; >+my $usenssdb=''; >+my $verbose=''; >+my $directory = "/etc/httpd/alias"; >+my $pasword = 0; >+my $pwdfile = ''; > GetOptions('test|t' => \$test_mode, > 'genreq' => \$genreq_mode, >- 'days=i' => \$cert_days, >+ 'days=i' => \$cert_days, >+ 'usenssdb|u' => \$usenssdb, >+ 'directory=s' => \$directory, >+ 'password=i' => \$pasword, >+ 'pwdfile=s' => \$pwdfile, >+ 'verbose|v' => \$verbose, > 'makeca' => \$ca_mode) or usage(); > usage() unless @ARGV != 0; > $skip_random = $test_mode; > $overwrite_key = $test_mode; > $servername = $ARGV[0]; >+$keysize = 1024; >+ > $randfile = $ssltop."/.rand.".$$; >+ >+# this a temporary password file and >+# must be cleared before exiting >+$tmp_password_file = "/tmp/password.".$$; >+$subject_file = "/tmp/subject.".$$; >+$arguments_file = "/tmp/arguments.".$$; >+ > $keyfile = $ssltop."/private/".$servername.".key"; > if ($ca_mode) { > $keyfile = $cadir."/private/".$servername; >@@ -137,6 +179,7 @@ my $bits = 0; > my $myca = "Other"; > my $useca = 0; > my $cadetails; >+my $subject = ""; > # > > Newt::Init(); >@@ -160,12 +203,14 @@ if (!$genreq_mode && -f $keyfile && !$ov > exit 1; > } > >+if (!$usenssdb) { > if ($genreq_mode && !(-f $keyfile)) { > Newt::newtWinMessage("Error", "Close", > "You do not have a key file for this host"); > Newt::Finished(); > exit 1; > } >+} > > ###################################################################### > # Main 
>@@ -187,27 +232,36 @@ if ($genreq_mode) { > ); > $doingwhat="CSR generation"; > } elsif ($ca_mode) { >+ if ($usenssdb) { >+ @windows = buildWindowList($password); >+ } else { > @windows = (CAwelcomeWindow, > getkeysizeWindow, > customKeySizeWindow, > getRandomDataWindow, ## leaves newt suspended >- generateKey, >+ generateKey, ## resumes newt as a side-effect > genCACertWindow, > encryptKeyWindow, > ); >+ } > $doingwhat="CA key generation"; > } else { >+ # $test_mode >+ if ($usenssdb) { >+ @windows = buildWindowList($password); >+ } else { > @windows = (welcomeWindow, > getkeysizeWindow, > customKeySizeWindow, > getRandomDataWindow, ## leaves newt suspended >- generateKey, >+ generateKey, ## resumes newt as a side-effect > wantCAWindow, > genReqWindow, > genCertWindow, > encryptKeyWindow, > ### @EXTRA@ ### Leave this comment here. > ); >+ } > $doingwhat="key generation"; > } 
> >@@ -254,6 +308,46 @@ exit 0; > ###################################################################### > # Handy functions > >+# Builds a windows list for $ca_mode and $test_mode cases. >+sub buildWindowList >+{ >+ my ($password) = @_; >+ if ($ca_mode) { >+ if ($password) { >+ return (CAwelcomeWindow, getkeysizeWindow, customKeySizeWindow, >+ getRandomDataWindow, ## leaves newt suspended >+ releaseRandomFileAndResumeNewt, ## resume newt >+ passwordWindow, genCACertWindow, >+ ); >+ } else { >+ return (CAwelcomeWindow, getkeysizeWindow, customKeySizeWindow, >+ getRandomDataWindow, ## leaves newt suspended >+ releaseRandomFileAndResumeNewt, ## resume newt >+ genCACertWindow, >+ ); >+ } >+ } else { >+ # test_mode >+ if ($pasword) { >+ return (welcomeWindow, getkeysizeWindow, customKeySizeWindow, >+ getRandomDataWindow, ## leaves newt suspended >+ releaseRandomFileAndResumeNewt, ## no key gen but must resume newt >+ passwordWindow, ## prompt for a password >+ wantCAWindow, genReqWindow, genCertWindow, >+ ### @EXTRA@ ### Leave this comment here. >+ ); >+ } else { >+ return (welcomeWindow, getkeysizeWindow, >+ customKeySizeWindow, getRandomDataWindow, ## leaves newt suspended >+ releaseRandomFileAndResumeNewt, ## no key gen but must resume newt >+ wantCAWindow, genReqWindow, genCertWindow, >+ ### @EXTRA@ ### Leave this comment here. >+ ); >+ } >+ >+ } >+} >+ > # Returns a panel containing two buttons of given names. > sub DoubleButton { > my ($left, $right) = @_; 
>@@ -522,25 +616,44 @@ sub wantCAWindow > return "Next"; > } > >-sub encryptKeyWindow >+# Obtain a password from the user >+# >+sub passwordWindow > { >+ if ( $usenssdb && ($pwdfile || !$password) ) { >+ # Nothing to do, user already specified >+ # file containing the password >+ return "Next"; >+ } >+ >+ # Promp the user user for a password and either >+ # save it to a file or return it for encrypting >+ # the private key. >+ > my $message = <<EOT; > At this stage you can set the passphrase on your private key. If you > set the passphrase you will have to enter it every time the server > starts. The passphrase you use to encrypt your key must be the same > for all the keys used by the same server installation. > >-If you do not encrypt your passphrase, if someone breaks into your >+If you do not encrypt your key, if someone breaks into your > server and grabs the file containing your key, they will be able to > decrypt all communications to and from the server that were negotiated >-using that key. If your passphrase is encrypted it would be much more >+using that key. If your key is password protected it would be much more > work for someone to retrieve the private key. > EOT >+ my $checkboxLabel; >+ if ($usenssdb) { >+ $checkboxLabel = "Save passphrase to $tmp_password_file"; >+ } else { >+ $checkboxLabel = "Encrypt the private key"; >+ } >+ > $panel = Newt::Panel(1, 3, "Protecting your private key"); > > $panel->Add(0, 0, Newt::Textbox(70, 11, 0, $message)); > >- my $checkbox = Newt::Checkbox("Encrypt the private key"); >+ my $checkbox = Newt::Checkbox("$checkboxLabel"); > $panel->Add(0, 1, $checkbox); > > $panel->Add(0, 2, NextBackCancelButton()); 
>@@ -560,8 +673,8 @@ EOT > $message = <<EOT; > Now we are going to set the passphrase on the private key. This > passphrase is used to encrypt your private key when it is stored >-on disk. You will have to type this passphrase when the server >-starts. >+on disk, or if using NSS it will be saved to access the database. >+You will have to type this passphrase when the server starts. > > -- DO NOT LOSE THIS PASS PHRASE -- > >@@ -617,10 +730,46 @@ EOT > > return $ret if ($ret eq "Back" or $ret eq "Cancel"); > >+ if ($usenssdb && $password) { >+ # Save the passphrase to a file >+ if (!open (SESAME, ">$tmp_password_file")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save passphrase to $pwdfile". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ print SESAME $pass1."\n"; >+ close(SESAME); >+ } >+ $pwdfile = $tmp_password_file; >+ >+ return "Next"; >+} >+ >+sub encryptKeyWindow >+{ >+ $ret = passwordWindow(); >+ >+ return $ret if ($ret eq "Back" or $ret eq "Cancel"); >+ > my $enckey = $keyfile . ".tmp"; > > unlink($enckey); > >+ ###################################################################### >+ # NSS's certutil only does public key crypto, but even when using >+ # flat files we may still want to do the private key wrapping via >+ # nss. A key-wrapping utility may be a good idea. >+ # >+ #if (!open (PIPE, >+ # "| $bindir/keyutil rsa -des3 -in $keyfile -passout stdin ". >+ # "-out $enckey")) { >+ # Newt::newtWinMessage("Error", "Close", >+ # "Unable to set passphrase". >+ # "\n\nPress return to continue"); >+ # return "Back"; >+ #} >+ ###################################################################### > if (!open (PIPE, > "|$bindir/openssl rsa -des3 -in $keyfile -passout stdin ". > "-out $enckey")) { 
>@@ -677,6 +826,136 @@ EOT > } > > # >+# make certificate using the database >+# >+sub makeCertUsingDB >+{ >+ my ($keysize, $certfile, $subject, $days, >+ $directory, $randfile) = @_; >+ >+ if (!$subject) { >+ Newt::newtWinMessage("Error", "Close", >+ "$subject : is not a proper name.". >+ "host:\n\nPress return to exit"); >+ Newt::Finished(); >+ exit 1; >+ >+ } >+ # If no days specified it's a ca so use 2 years >+ my $valid_months = $days ? $days / 30 : 24; >+ my $trustargs = "Cu,Cu,Cu"; >+ >+ # Save the arguments to a file >+ if ($verbose) { >+ if (!open (ARGUMENTS, ">$arguments_file")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save argements to $arguments_file ". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ } >+ my $QUOTE = '"'; >+ my $args = "-S -a -k rsa"; >+ $args = $args . $SPACE . "-g" . $SPACE . "$keysize" if $keysize; >+ $args = $args . $SPACE . "-n" . $SPACE . "$servername" if $servername; >+ $args = $args . $SPACE . "-s" . $SPACE . "$subject" if $subject; >+ $args = $args . $SPACE . "-t" . $SPACE . "$trustargs" if $trustargs; >+ $args = $args . $SPACE . "-v" . $SPACE . "$valid_months" if $valid_months; >+ $args = $args . $SPACE . "-z" . $SPACE . "$randfile" if $randfile; >+ >+ if ($pwdfile) { >+ $args .= $args . $SPACE . "-f". $SPACE . "$pwdfile"; >+ } >+ if ($verbose) { >+ print ARGUMENTS $args."\n"; >+ close(ARGUMENTS); >+ } >+ >+ system("$bindir/certutil $args -out $certfile"); >+ if (0 && !open (PIPE, >+ "| $bindir/certutil $args". >+ " -out $certfile")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save cert to $certfile". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ >+ >+ if (!-f $certfile) { >+ Newt::newtWinMessage("Error", "Close", >+ "Was not able to create a certificate for this ". 
>+ "host:\n\nPress return to exit"); >+ Newt::Finished(); >+ exit 1; >+ } >+ >+} >+ >+# >+# makeCSR >+# >+# Create a certificate-signing request file that can be submitted to a >+# Certificate Authority (CA) for processing into a finished certificate. >+# >+sub makeCSR >+{ >+ my ($keysize, $csrfile, $subject, $days, $directory, $pwfile) = @_; >+ >+ if (!$subject) { >+ Newt::newtWinMessage("Error", "Close", >+ "$subject : is not a proper name.". >+ "host:\n\nPress return to exit"); >+ Newt::Finished(); >+ exit 1; >+ >+ } >+ >+ $valid_months = $days ? $days / 30 : 24; >+ >+ # Save the arguments to a file >+ if (!open (ARGUMENTS, ">$arguments_file")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save arguments to $arguments_file". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ >+ my $args = "-R -a -k rsa"; >+ $args = $args . $SPACE . "-g" . $SPACE . "$keysize" if $keysize; >+ $args = $args . $SPACE . "-s" . $SPACE . "$subject" if $subject; >+ $args = $args . $SPACE . "-v" . $SPACE . "$valid_months" if $valid_months; >+ $args = $args . $SPACE . "-d" . $SPACE . "$directory" if $directory; >+ $args = $args . $SPACE . "-z" . $SPACE . "$randfile" if $randfile; >+ >+ if ($pwdfile) { >+ $args = $args . $SPACE . "-f" . $SPACE . "$pwdfile"; >+ } >+ print ARGUMENTS $args."\n"; >+ close(ARGUMENTS); >+ >+ #system("$bindir/certutil $args > $csrfile"); >+ system("$bindir/certutil $args -o $csrfile"); >+ # $bindir/certutil $args > $csrfile; >+ if (0 && !open (PIPE, >+ "| $bindir/certutil $args". >+ " -out $csrfile")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save CSR to $csrfile". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ >+ if (!-f $csrfile) { >+ Newt::newtWinMessage("Error", "Close", >+ "Was not able to create a CSR for this ". >+ "host:\n\nPress return to exit"); >+ Newt::Finished(); >+ exit 1; >+ } >+} >+ >+# > # makeCert > # > # Given a keyfile, expiry date, and set of certificate information 
>@@ -685,6 +964,9 @@ EOT > > sub makeCert > { >+ # This routine has overloaded functionality. >+ # It generates a CSR and also a cert based on a csr. >+ > my ($keyfile,$certfile,$cert,$days) = @_; > use Fcntl; > >@@ -815,10 +1097,26 @@ sub getCertDetails > $cert{'O'} = $ents{'O'}->Get(); > $cert{'OU'} = $ents{'OU'}->Get(); > $cert{'CN'} = $ents{'CN'}->Get(); >+ >+ if (!$cert{'CN'}) { >+ Newt::newtWinMessage("Error", "Close", >+ "Common Name is required". >+ "\n\nPress return to continue"); >+ exit "Back"; >+ } >+ $SEP = ", "; >+ $subject = 'CN' . "=" . $cert{'CN'}; >+ $subject = $subject . $SEP . 'OU' . "=" . $cert{'OU'} if $cert{'OU'}; >+ $subject = $subject . $SEP . 'O' . "=" . $cert{'O'} if $cert{'O'}; >+ $subject = $subject . $SEP . 'L' . "=" . $cert{'L'} if $cert{'L'}; >+ $subject = $subject . $SEP . 'ST' . "=" . $cert{'ST'} if $cert{'ST'}; >+ $subject = $subject . $SEP . 'C' . "=" . $cert{'C'} if $cert{'C'}; > > if ($iscsr) { > $cert{'CompanyName'} = $ents{'CompanyName'}->Get(); > $cert{'Challenge'} = $ents{'Challenge'}->Get(); >+ $subject = $subject . $SEP . 'CompanyName' ."=" . $cert{'CompanyName'} if $cert{'CompanyName'}; >+ $subject = $subject . $SEP . 'Challenge' ."=" . $cert{'Challenge'} if $cert{'Challenge'}; > } > > $panel->Hide(); >@@ -827,6 +1125,20 @@ sub getCertDetails > undef $panel; > > $cadetails = $cert; >+ $subject = "\"" . "$subject" . "\""; >+ >+ if ($verbose) { >+ # Save the subject distinguished name to a file >+ # for error diagnostics. >+ if (!open (SUBJECT, ">$subject_file")) { >+ Newt::newtWinMessage("Error", "Close", >+ "Unable to save subject to $subject_file ". >+ "\n\nPress return to continue"); >+ return "Back"; >+ } >+ print SUBJECT $subject."\n"; >+ close(SUBJECT); >+ } > > return "Next"; > } 
>@@ -888,14 +1200,23 @@ sub genReqWindow > my $ret = getCertDetails($servername,$msg, 1); > return $ret unless ($ret eq "Next"); > >+ if ($usenssdb) { >+ makeCSR($keysize, $csrfile, $subject, $cert_days, $directory, $pwdfile); >+ } else { > makeCert($keyfile,$csrfile,$cadetails,""); >+ } > >-# Now make a temporary cert >+# Now make a temporary cert from the csr made above > > if (!$genreq_mode) { > if (!-f $certfile) { >+ if ($usenssdb) { >+ makeCertUsingDB($keysize,$certfile,$subject,$cert_days, >+ $directory,$randfile); >+ } else { > makeCert($keyfile,$certfile,$cadetails,"-days $cert_days -x509"); >- } >+ } >+ } > } > > undef $csrtext; >@@ -998,8 +1319,12 @@ sub genCertWindow > my $ret = getCertDetails($servername,$msg, 0); > return $ret unless ($ret eq "Next"); > >+ if ($usenssdb) { >+ makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,$cert_days); >+ } else { > makeCert($keyfile,$certfile,$cadetails,"-days $cert_days -x509"); >- >+ } >+ > return "Next"; > } > >@@ -1019,7 +1344,11 @@ sub genCACertWindow > my $ret = getCertDetails("",$msg, 0); > return $ret unless ($ret eq "Next"); > >+ if ($usenssdb) { >+ makeCSR($bits,$certfile,$subject,$directory,$ca_days,$pwdfile); >+ } else { > makeCert($keyfile,$certfile,$cadetails,"-days 730 -x509"); >+ } > > return "Next"; > } >@@ -1047,6 +1376,11 @@ sub getRandomDataWindow() > return "Next"; > } > >+sub releaseRandomFileAndResumeNewt() { >+ unlink($randfile); >+ Newt::Resume(); >+} >+ > sub generateKey() > { > print STDERR "\nPlease wait - generating the key (this may take some time)\n\n"; >@@ -1067,3 +1401,9 @@ sub generateKey() > > return "Skip"; > } >+ >+sub clearTempfile >+{ >+ >+} >+
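Review bot: in the passwordWindow hunk (@@ -522,25 +616,44), the comment on the early return ("user already specified file containing the password") documents only the `$pwdfile` case, while the condition `$usenssdb && ($pwdfile || !$password)` also skips the dialog when no password was requested; say so in the comment, since the dialog text that follows tells the user the passphrase protects the key. Also fix the typo "Promp the user user for a password" and pass `$checkboxLabel` directly to `Newt::Checkbox` instead of the quoted `"$checkboxLabel"`.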
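Review bot: in the @@ -617,10 +730,46 hunk, the error message names `$pwdfile` but the file that failed to open is `$tmp_password_file`, and the assignment `$pwdfile = $tmp_password_file;` sits outside the `if ($usenssdb && $password)` block, so on the non-NSS path `$pwdfile` points at a file that was never written; move the assignment inside the block and fix the message. The passphrase is also written with the process's default umask, so open the file as `sysopen(SESAME, $tmp_password_file, O_WRONLY|O_CREAT|O_TRUNC, 0600)` (the script already has `use Fcntl;` in makeCert) to keep the plaintext passphrase from being readable by other users, and delete it once certutil has consumed it. The commented-out `keyutil rsa -des3` block is dead code; a short comment pointing at the FIXME is enough.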
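Review bot: in makeCertUsingDB (@@ -677,6 +826,136), `$args .= $args . $SPACE . "-f". $SPACE . "$pwdfile";` appends the whole argument string to itself, so every option reaches certutil twice whenever a password file is in use; write it as `$args = $args . $SPACE . "-f" . $SPACE . "$pwdfile";`, as makeCSR does. In the same sub `$directory` is accepted but never emitted as `-d $directory` (makeCSR does emit it), so the certificate lands in the default database rather than the one the user chose; the output option is spelled `-out` where makeCSR uses certutil's `-o`; and the `if (0 && !open (PIPE, ...))` blocks are dead code. `$valid_months = $days / 30` is non-integer for 365 days, so wrap it in `int()`, and `$trustargs = "Cu,Cu,Cu"` marks the server's own certificate as a trusted CA for SSL, email and object signing, where `u,u,u` is sufficient for a non-CA server certificate. In makeCSR the parameter is named `$pwfile` but the body reads the global `$pwdfile`, and `$randfile` is read from a global rather than passed in. Because `$args` (including the double-quoted subject from getCertDetails) is given to `system()` as one string it goes through the shell; the list form `system("$bindir/certutil", @args, "-o", $csrfile)` avoids quoting problems with user-entered DN fields.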
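Review bot: in getCertDetails (@@ -815,10 +1097,26), `exit "Back";` terminates the program instead of returning to the dialog; the other error paths use `return "Back";`. The subject is assembled from the raw field values, so a comma, `=`, `+` or `"` typed into any field changes the DN's structure (and later breaks the double quotes added around `$subject` in @@ -827,6 +1125,20); escape per RFC 4514 or reject such characters. `CompanyName` and `Challenge` are not DN attribute types, and appending the challenge password to the subject puts it into the request's subject and, with `--verbose`, writes it in plaintext to `$subject_file` and `$arguments_file`; keep the challenge out of the subject string. `$SEP` and `$subject` are also assigned as globals without `my`.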
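Review bot: in genReqWindow (@@ -888,14 +1200,23), the updated comment "make a temporary cert from the csr made above" does not hold on the NSS path: makeCertUsingDB runs `certutil -S -k rsa -g $keysize`, which generates a second key pair and self-signed certificate rather than certifying the key behind the CSR, so the temporary certificate and the pending request end up with different keys. Either sign the existing key or state in the comment that the NSS temporary cert is independent of the CSR. The new `if ($usenssdb) { ... } else { ... }` wrappers also leave the original lines unindented, which makes the nesting hard to read.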
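Review bot: in genCertWindow (@@ -998,8 +1319,12), `makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,$cert_days)` passes the arguments in a different order from the sub's signature `($keysize, $certfile, $subject, $days, $directory, $randfile)`, so `$directory` becomes the validity period and `$cert_days` the random-seed file. Reorder to `($keysize,$certfile,$subject,$cert_days,$directory,$randfile)` as genReqWindow does.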
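Review bot: in genCACertWindow (@@ -1019,7 +1344,11), the NSS branch calls makeCSR, which runs `certutil -R` and produces a signing request, while the OpenSSL branch it parallels produces a self-signed CA certificate (`-days 730 -x509`); the two modes are not equivalent, and the NSS path needs a self-signed certificate with CA trust flags. The call's argument order `($bits,$certfile,$subject,$directory,$ca_days,$pwdfile)` also disagrees with makeCSR's `($keysize, $csrfile, $subject, $days, $directory, $pwfile)`: `$directory` lands in `$days` and `$ca_days` in `$directory`.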
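Review bot: in the last hunk (@@ -1067,3 +1401,9), `clearTempfile` is added with an empty body and no caller, so the passphrase file created in passwordWindow (`$tmp_password_file`) is never removed; either implement it as `unlink($tmp_password_file)` and call it on every exit path, including Back and Cancel, or drop the stub until it is needed.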