Red Hat Bugzilla – Attachment 299432 Details for
Bug 346731
Port crypto-utils to use NSS library for cryptography
[patch]
The right diff file
crypto-utils.nss.patch (text/plain), 45.47 KB, created by
Elio Maldonado Batiz
on 2008-03-28 04:04:19 UTC
Description:
The right diff file
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2008-03-28 04:04:19 UTC
Size:
45.47 KB
patch
obsolete
>diff -up crypto-utils/devel/Makefile.orig crypto-utils/devel/Makefile
>--- crypto-utils/devel/Makefile.orig 2008-02-22 13:34:22.000000000 -0800
>+++ crypto-utils/devel/Makefile 2008-03-27 20:30:06.000000000 -0700
>@@ -20,13 +20,18 @@ endif
> 
> include $(MAKEFILE_COMMON)
> 
>-certwatch: certwatch.c
>- gcc -Wall -Werror -O2 -g $< -o $@ -lcrypto
>+certwatch: certwatch.c pemutil.c traceutil.c
>+ gcc -Wall -Werror -O2 -g $^ -o $@ \
>+ -lnspr4 -lnss3 -I/usr/include/nspr4 -I/usr/include/nss3
> 
> test-certwatch: certwatch
> ./certwatch
> 
>-genkey: genkey.pl Makefile
>+keyutil: keyutil.c
>+ gcc -Wall -Werror -O2 -g $< -o $@ \
>+ -lnspr4 -lnss3 -I/usr/include/nspr4 -I/usr/include/nss3
>+
>+genkey: genkey.pl keyutil Makefile
> sed -e "s|^\$$bindir.*$$|\$$bindir = \"/usr/bin\";|" \
> -e "s|^\$$ssltop.*$$|\$$ssltop = \"$(PWD)\";|" \
> -e "s|^\$$sslconf.*$$|\$$sslconf = \"/etc/pki/tls/openssl.cnf\";|" \
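Review bot: The rewritten `certwatch` rule compiles `traceutil.c`, but no other part of this patch adds that file — the spec lists only `pemutil.c` and `keyutil.c` as new Sources and builds certwatch from `certwatch.c` plus `pemutil.c` — so the in-tree build and the RPM build compile different programs, and `AsciiTime()`, which certwatch.c declares `extern` and nothing else in the patch defines, presumably lives there. Either drop `traceutil.c` from the rule and from certwatch.c's callers, or add it as a Source and to the spec's `cc` line. Placing `-I` after the `-l` flags works with gcc but reads oddly; `gcc -Wall -Werror -O2 -g -I/usr/include/nspr4 -I/usr/include/nss3 $^ -o $@ -lnspr4 -lnss3` is the conventional order.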
>@@ -40,6 +45,27 @@ test-genkey: genkey > mkdir -p certs private > ./genkey --test `hostname` > >+######################################################################### >+# FIXME -- Test targets, some require a database and dump temporay files >+######################################################################### >+test-genkey-db: genkey Makefile >+ mkdir -p certs private >+ ./genkey --test --traceon --usenssdb `hostname` >+ >+test-genreq: genkey Makefile >+ perl ./genkey --genreq --traceon `hostname` >+ >+test-genreq-db: genkey Makefile >+ perl ./genkey --genreq --traceon --usenssdb `hostname` >+ >+test-makeca: genkey Makefile >+ perl ./genkey --makeca --traceon MYCA >+ >+test-makeca-using-db: genkey Makefile >+ perl ./genkey --traceon --makeca --usenssdb MYCA >+ >+######################################################################### >+ > date.xml: > date +"%e %B %Y" | tr -d '\n' > $@ > >diff -up crypto-utils/devel/genkey.xml.orig crypto-utils/devel/genkey.xml >--- crypto-utils/devel/genkey.xml.orig 2007-10-30 09:15:10.000000000 -0700 >+++ crypto-utils/devel/genkey.xml 2008-03-23 18:03:40.000000000 -0700 >@@ -35,6 +35,12 @@ > <arg><option>--genreq</option></arg> > <arg><option>--makeca</option></arg> > </group> >+ <group> >+ <arg><option>--usenssdb</option></arg> >+ <arg><option>--certdir</option></arg> >+ <arg><option>--password</option> >+ <arg><option>--pwdfile</option></arg> >+ </group> > <arg choice="req"><replaceable>hostname</replaceable></arg> > </cmdsynopsis> > </refsynopsisdiv> 
>@@ -47,7 +53,8 @@ > Signing Requests (CSR). Generated certificates are stored in the > directory <filename>/etc/pki/tls/certs/</filename>, and the > corresponding private key in >- <filename>/etc/pki/tls/private/</filename>. </para> >+ <filename>/etc/pki/tls/private/</filename>. If using nss >+ they are stored in the nss key and certficate databases. </para> > > <para><command>genkey</command> will prompt for the size of key > desired; whether or not to generate a CSR; whether or not an >@@ -58,6 +65,18 @@ > private key using the truerand library and also by prompting the > user for entry of random text.</para> > >+ <para><option>usenssdb</option> indicates that nss database >+ should be used.</para> >+ >+ <para><option>certdir</option> specifies the location of the >+ nss database when usingnssdb is set.</para> >+ >+ <para><option>password</option> supply a password to the data- >+ base module.</para> >+ >+ <para><option>pwdfile</option> specifies a text file containing the >+ passphrase required to acces the key database if so configured.</para> >+ > </refsect1> > > <refsect1> >diff -up crypto-utils/devel/certwatch.c.orig crypto-utils/devel/certwatch.c >--- crypto-utils/devel/certwatch.c.orig 2008-02-22 13:33:13.000000000 -0800 >+++ crypto-utils/devel/certwatch.c 2008-03-27 20:29:31.000000000 -0700 
>@@ -27,13 +27,63 @@ > > */ > >+/* ***** BEGIN LICENSE BLOCK ***** >+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 >+ * >+ * The contents of this file are subject to the Mozilla Public License Version >+ * 1.1 (the "License"); you may not use this file except in compliance with >+ * the License. You may obtain a copy of the License at >+ * http://www.mozilla.org/MPL/ >+ * >+ * Software distributed under the License is distributed on an "AS IS" basis, >+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License >+ * for the specific language governing rights and limitations under the >+ * License. >+ * >+ * The Original Code is the Netscape security libraries. >+ * >+ * The Initial Developer of the Original Code is >+ * Netscape Communications Corporation. >+ * Portions created by the Initial Developer are Copyright (C) 1994-2000 >+ * the Initial Developer. All Rights Reserved. >+ * >+ * Contributor(s): >+ * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories >+ * >+ * Alternatively, the contents of this file may be used under the terms of >+ * either the GNU General Public License Version 2 or later (the "GPL"), or >+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), >+ * in which case the provisions of the GPL or the LGPL are applicable instead >+ * of those above. If you wish to allow use of your version of this file only >+ * under the terms of either the GPL or the LGPL, and not to allow others to >+ * use your version of this file under the terms of the MPL, indicate your >+ * decision by deleting the provisions above and replace them with the notice >+ * and other provisions required by the GPL or the LGPL. If you do not delete >+ * the provisions above, a recipient may use your version of this file under >+ * the terms of any one of the MPL, the GPL or the LGPL. 
>+ * >+ * ***** END LICENSE BLOCK ***** */ >+ >+ > /* $Id: certwatch.c,v 1.10 2007/08/23 10:09:40 jorton Exp $ */ > > /* Certificate expiry warning generation code, based on code from > * Stronghold. Joe Orton <jorton@redhat.com> */ > >-#include <openssl/x509.h> >-#include <openssl/pem.h> >+/* Replaced usage of OpenSSL with NSS calls. >+ * Elio Maldonado <emaldona@redhat.com> */ >+ >+#include <nspr.h> >+#include <nss.h> >+#include <cert.h> >+#include <certt.h> >+#include <prlong.h> >+#include <prtime.h> >+#include <pk11func.h> >+#include <assert.h> >+#include <secmod.h> >+#include <base64.h> >+#include <seccomon.h> > > #include <stdio.h> > #include <string.h> 
>@@ -41,47 +91,116 @@
> #include <getopt.h>
> #include <time.h>
> 
>+
>+/*
>+extern int ossl_get_cert_times(const char *filename, time_t *begin, time_t *end);
>+extern void DumpTime(PRTime time, PRFileDesc *outfile);
>+*/
>+extern char * AsciiTime(PRTime time);
>+
>+/* Return a certificate structure from a pem-encoded cert in a file;
>+ * or NULL on failure. Semantics similar to the OpenSSL call
>+ * PEM_read_X509(fp, NULL, NULL, NULL);
>+ */
>+extern CERTCertificate *
>+PEMUTIL_PEM_read_X509(const char *filename);
>+
>+/* size big enough for formatting time buffer */
>+#define TIME_SIZE 30
>+
> static int warn_period = 30;
> static char *warn_address = "root";
> 
>-/* Turn an ASN.1 UTCTIME object into a time_t. */
>-static time_t decode_utctime(const ASN1_UTCTIME *utc)
>+/* Uses the password passed in the -f(pwfile) argument of the command line.
>+ * After use once, null it out otherwise PKCS11 calls us forever.?
>+ *
>+ * Code based on SECU_GetModulePassword from the Mozilla NSS secutils
>+ * imternal librart.
>+ */
>+static char *GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
>+{
>+ int i;
>+ unsigned char phrase[200];
>+ PRFileDesc *fd;
>+ PRInt32 nb;
>+ char *pwFile = arg;
>+
>+ if (!pwFile) return 0;
>+ if (retry) return 0; /* no good retrying - file contents will be the same */
>+ if (!(fd = PR_Open(pwFile, PR_RDONLY, 0))) return 0;
>+
>+ nb = PR_Read(fd, phrase, sizeof(phrase));
>+ PR_Close(fd);
>+
>+ /* handle the Windows EOL case */
>+ i = 0;
>+ while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++;
>+ phrase[i] = '\0';
>+ if (nb == 0) return NULL;
>+
>+ return (char*) PORT_Strdup((char*)phrase);
>+}
>+
>+/* Returns the difference in days between two times in the same year. */
>+int time_diff(PRTime end, PRTime start)
> {
>- struct tm tm = {0};
>- int i = utc->length;
>+ /* FIXME: this function is returning negative numbers
>+ * when it shouldn't.
>+ */
>+ PRExplodedTime explodedEnd;
>+ PRExplodedTime explodedStart;
>+ PRTime prtimeDiff;
>+ int diff_sec;
>+
>+ PR_ExplodeTime(end, PR_GMTParameters, &explodedEnd);
>+ PR_ExplodeTime(start, PR_GMTParameters, &explodedStart);
> 
>- if (i < 10)
>- return -1;
>- for (i = 0; i < 10; i++)
>- if ((utc->data[i] > '9') || (utc->data[i] < '0'))
>- return -1;
>-
>- tm.tm_year = (utc->data[0]-'0') * 10 + (utc->data[1]-'0');
>-
>- /* Deal with Year 2000 like eay did */
>- if (tm.tm_year < 70)
>- tm.tm_year += 100;
>-
>- tm.tm_mon = (utc->data[2]-'0') * 10 + (utc->data[3]-'0') - 1;
>- tm.tm_mday = (utc->data[4]-'0') * 10 + (utc->data[5]-'0');
>- tm.tm_hour = (utc->data[6]-'0') * 10 + (utc->data[7]-'0');
>- tm.tm_min = (utc->data[8]-'0') * 10 + (utc->data[9]-'0');
>- tm.tm_sec = (utc->data[10]-'0') * 10 + (utc->data[11]-'0');
>+ if (explodedEnd.tm_year == explodedStart.tm_year)
>+ return (explodedEnd.tm_yday - explodedStart.tm_yday);
> 
>- return mktime(&tm) - timezone;
>+ LL_SUB(prtimeDiff, end, start);
>+ LL_L2I(diff_sec, prtimeDiff);
>+
>+ return diff_sec;
>+}
>+
>+/* Format a PRTime value into a buffer with format "%a %b %d %H:%M:%S %Y";
>+ * semantics are those of ctime_r(). */
>+char *pr_ctime(PRTime time, char *buf, int size)
>+{
>+ PRUint32 bytesCopied;
>+ PRExplodedTime et;
>+ PR_ExplodeTime(time, PR_GMTParameters, &et);
>+ bytesCopied = PR_FormatTime(buf, size, "%a %b %d %H:%M:%S %Y", &et);
>+ if (!bytesCopied) return NULL;
>+ return buf;
> }
> 
> /* Print a warning message that the certificate in 'filename', issued
> * to hostname 'hostname', will expire (or has expired). */
> static int warning(FILE *out, const char *filename, const char *hostname,
>- time_t start, time_t end, time_t now, int quiet)
>+ SECCertTimeValidity validity,
>+ PRTime start, PRTime end, PRTime now, int quiet)
> {
>- int renew = 1, days = (end - now) / (3600 * 24); /* days till expiry */
>+ /* Note that filename can be the cert nickname. */
>+ int renew = 1, days; /* days till expiry */
> char subj[50];
>-
>- if (start > now) {
>+ PRTime prtimeDiff;
>+
>+ LL_SUB(prtimeDiff, end, start);
>+
>+ printf("not before %s\n", AsciiTime(start));
>+ printf("not after %s\n", AsciiTime(end));
>+ printf("and now is %s\n", AsciiTime(now));
>+
>+ LL_SUB(prtimeDiff, end, start);
>+ LL_L2I(days, prtimeDiff);
>+ days = (days) / (3600 * 24) - FUDGE_FACTOR;
>+
>+ if ( LL_CMP(start, >, now) ) {
> strcpy(subj, "is not yet valid");
> renew = 0;
>+ /*
> } else if (days < 0) {
> strcpy(subj, "has expired");
> } else if (days == 0) {
>@@ -90,6 +209,13 @@ static int warning(FILE *out, const char
> sprintf(subj, "will expire tomorrow");
> } else if (days < warn_period) {
> sprintf(subj, "will expire in %d days", days);
>+ */
>+ } else if (LL_EQ(now, end)) {
>+ strcpy(subj, "will expire today");
>+ } else if (LL_EQ(prtimeDiff, 1)) {
>+ sprintf(subj, "will expire tomorrow");
>+ } else if (LL_CMP(prtimeDiff, <, warn_period)) {
>+ sprintf(subj, "will expire on %s", AsciiTime(end));
> } else {
> return 0; /* nothing to warn about. */
> }
>@@ -104,7 +230,7 @@ static int warning(FILE *out, const char
> " ################# SSL Certificate Warning ################\n\n");
> 
> fprintf(out,
>- " Certificate for hostname '%s', in file:\n"
>+ " Certificate for hostname '%s', in file (or by nickname):\n"
> " %s\n\n",
> hostname, filename);
> 
>@@ -115,9 +241,10 @@ static int warning(FILE *out, const char
> " web site using SSL until the certificate is renewed.\n",
> out);
> } else {
>- char until[30] = "(unknown date)";
>- ctime_r(&start, until);
>- if (strlen(until) > 2) until[strlen(until)-1] = '\0';
>+ char until[TIME_SIZE]; /* assume big enough */
>+ char *result = pr_ctime(start, until, TIME_SIZE);
>+ assert(result == until);
>+ if (strlen(until) < sizeof(until)) until[strlen(until)] = '\0';
> fprintf(out,
> " The certificate is not valid until %s.\n\n"
> " Browsers will not be able to correctly connect to this\n"
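Review bot: In `GetModulePassword` the scan `while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++;` tests `phrase[i]` before `i < nb`, so a password file with no line break is scanned into uninitialised bytes and, when the read fills all 200 bytes, `phrase[i] = '\0'` writes one past the array; a negative `PR_Read` result is also treated like success. Reserve the terminator and reorder the test: `nb = PR_Read(fd, phrase, sizeof(phrase) - 1); if (nb <= 0) return NULL;` / `while (i < nb && phrase[i] != '\r' && phrase[i] != '\n') i++;`, and clear `phrase` with `PORT_Memset` after the `PORT_Strdup` so the passphrase does not linger on the stack. Further down, `warning()` derives `days` from `end - start` (the validity span, not time to expiry) and truncates that microsecond-resolution PRTime with `LL_L2I`, so for any certificate valid longer than roughly 35 minutes the value is overflowed garbage; `FUDGE_FACTOR` is not defined anywhere in the patch as shown. The `printf("not before …")` trace lines go to stdout, which certwatch.cron pipes straight into sendmail, so they will appear in the warning mail. `warning()` continues in the following hunks.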
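Review bot: The `/*` opened in the previous hunk and closed by the `*/` here comments out the `days < 0` "has expired" branch and every day-based branch, and the replacements cannot fire in practice: `LL_EQ(now, end)` needs microsecond equality, while `LL_EQ(prtimeDiff, 1)` and `LL_CMP(prtimeDiff, <, warn_period)` compare the certificate's whole validity span in microseconds against 1 and 30 — so after this change certwatch only ever reports "is not yet valid", and an expired server certificate produces no warning at all. The `validity` argument that `check_cert` now passes is the right signal for the expired case, and the remaining branches should use days until expiry computed from `end - now`, e.g. `} else if (validity == secCertTimeExpired) { strcpy(subj, "has expired");` followed by the original `days == 0` / `days == 1` / `days < warn_period` branches with `days = (int)((end - now) / (PR_USEC_PER_SEC * 3600 * 24));` (plain 64-bit arithmetic on PRTime on a compiler with a native 64-bit type, avoiding `LL_L2I`). Until that is done `days` is computed but never read.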
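Review bot: `if (strlen(until) < sizeof(until)) until[strlen(until)] = '\0';` is a no-op — `strlen` already stopped at that NUL — and `assert(result == until)` is the only handling of a `pr_ctime()` failure, which disappears under `NDEBUG` and leaves `until` uninitialised for the `fprintf` that follows. Keep the old fallback instead: `char until[TIME_SIZE] = "(unknown date)";` and `if (!pr_ctime(start, until, sizeof until)) strcpy(until, "(unknown date)");`, dropping the assert and the dead `if`. The old `until[strlen(until)-1] = '\0'` stripped ctime_r's trailing newline; `PR_FormatTime` with this format emits none, so removing that line is correct.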
>@@ -133,56 +260,73 @@ static int warning(FILE *out, const char
> }
> 
> /* Extract the common name of 'cert' into 'buf'. */
>-static int get_common_name(X509 *cert, char *buf, size_t bufsiz)
>+static int get_common_name(CERTCertificate *cert, char *buf, size_t bufsiz)
> {
>- X509_NAME *name = X509_get_subject_name(cert);
>-
>+ /* FIXME --- truncating names with spaces */
>+ size_t namelen;
>+ char *name = CERT_GetCommonName(&cert->subject);
>+
> if (!name) return -1;
> 
>- return X509_NAME_get_text_by_NID(name, NID_commonName, buf, bufsiz) == -1;
>+ namelen = strlen(name);
>+ if (bufsiz < namelen+1) return -1;
>+
>+ strncpy(buf, name, namelen);
>+ buf[namelen] = '\0';
>+ PORT_Free(name);
>+
>+ return 0;
> }
> 
>-/* Check whether the certificate in filename 'filename' has expired;
>+/* Check whether the certificate in filename 'name' has expired;
> * issue a warning message if 'quiet' is zero. If quiet is non-zero,
> * returns one to indicate that a warning would have been issued, zero
>- * to indicate no warning would be issued, or -1 if an error
>- * occurred. */
>-static int check_cert(const char *filename, int quiet)
>-{
>- X509 *cert;
>- FILE *fp;
>- ASN1_UTCTIME *notAfter, *notBefore;
>- time_t begin, end, now;
>+ * to indicate no warning would be issued, or -1 if an error
>+ * occurred.
>+ *
>+ * When byNickname is 1 then 'name' is a nickname to search
>+ * for in the database otherwise it's the certificate file.
>+ */
>+static int check_cert(const char *name, int byNickname, int quiet)
>+{
>+ CERTCertificate *cert;
>+ SECCertTimeValidity validity;
>+ PRTime notBefore, notAfter;
> char cname[128];
>+
>+ int doWarning = 0;
> 
> /* parse the cert */
>- if ((fp = fopen(filename, "r")) == NULL) return -1;
>- cert = PEM_read_X509(fp, NULL, NULL, NULL);
>- fclose(fp);
>+ cert = byNickname
>+ ? CERT_FindCertByNickname(CERT_GetDefaultCertDB(), (char *)name)
>+ : PEMUTIL_PEM_read_X509(name);
> if (cert == NULL) return -1;
> 
> /* determine the validity period of the cert. */
>- notAfter = X509_get_notAfter(cert);
>- notBefore = X509_get_notBefore(cert);
>-
>- /* get time_t's out of X509 times */
>- begin = decode_utctime(notBefore);
>- end = decode_utctime(notAfter);
>- now = time(NULL);
>- if (end == -1 || begin == -1 || now == -1) return -1;
>+ validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
>+ if (validity == secCertTimeUndetermined) goto cleanup;
> 
>+ /* get times out of the cert */
>+ if (CERT_GetCertTimes(cert, ¬Before, ¬After)
>+ != SECSuccess) goto cleanup;
>+
> /* find the subject's commonName attribute */
> if (get_common_name(cert, cname, sizeof cname))
>- return -1;
>+ goto cleanup;
> 
>- X509_free(cert);
>-
>- /* don't warn about the automatically generate certificate */
>+ /* don't warn about the automatically generated certificate */
> if (strcmp(cname, "localhost") == 0 ||
> strcmp(cname, "localhost.localdomain") == 0)
>- return -1;
>+ goto cleanup;
>+
>+ doWarning = 1; /* ok so far, may do the warning */
>+
>+cleanup:
>+ if (cert) CERT_DestroyCertificate(cert);
>+ if (!doWarning) return -1;
> 
>- return warning(stdout, filename, cname, begin, end, now, quiet);
>+ return warning(stdout, name, cname, validity,
>+ notBefore, notAfter, PR_Now(), quiet);
> }
> 
> int main(int argc, char **argv)
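Review bot: `get_common_name` leaks the string returned by `CERT_GetCommonName` on its `bufsiz < namelen+1` path — only the success path reaches `PORT_Free(name)`; change it to `if (bufsiz < namelen+1) { PORT_Free(name); return -1; }`. In `check_cert` the `validity` result is computed and passed on, but `warning()` in the earlier hunks never reads it, so the expired/not-yet-valid determination NSS already made is discarded while the caller re-derives it by hand. `(char *)name` casts away `const` for `CERT_FindCertByNickname`; a one-line comment saying why that is safe here would spare the next reader a check. The `¬Before` / `¬After` visible in this rendering are presumably `&notBefore` / `&notAfter` mangled by the page, not the patch text.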
>@@ -192,14 +336,25 @@ int main(int argc, char **argv)
> { "quiet", no_argument, NULL, 'q' },
> { "period", required_argument, NULL, 'p' },
> { "address", required_argument, NULL, 'a' },
>+ { "configdir", required_argument, NULL, 'd' },
>+ { "passwordfile", required_argument, NULL, 'w' },
>+ { "certdbprefix", required_argument, NULL, 'w' },
>+ { "keydbprexix", required_argument, NULL, 'w' },
> { NULL }
> };
> 
>+ char *certDBPrefix = "";
>+ char *keyDBPrefix = "";
>+
>+ char *configdir = NULL; /* contains the cert database */
>+ char *passwordfile = NULL; /* module password file */
>+ int byNickname = 0; /* whether to search by nickname */
>+
> /* The 'timezone' global is needed to adjust local times from
> * mktime() back to UTC: */
> tzset();
> 
>- while ((optc = getopt_long(argc, argv, "qp:a:", options, NULL)) != -1) {
>+ while ((optc = getopt_long(argc, argv, "qp:a:d:w:", options, NULL)) != -1) {
> switch (optc) {
> case 'q':
> quiet = 1;
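Review bot: The `certdbprefix` and `keydbprexix` entries both map to `'w'`, so either long option silently overwrites `passwordfile` instead of setting a prefix, and the `'c'`/`'k'` cases added to the `switch` in the next hunk are unreachable because the short-option string `"qp:a:d:w:"` does not list them; `keydbprexix` is also a typo. Fix the table and the string together: `{ "certdbprefix", required_argument, NULL, 'c' },` / `{ "keydbprefix", required_argument, NULL, 'k' },` / `getopt_long(argc, argv, "qp:a:d:w:c:k:", options, NULL)`. The comment above `tzset()` still justifies it in terms of `mktime()`, which this patch removes; either drop the call or update the comment. `main` continues past this hunk.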
>@@ -210,11 +365,50 @@ int main(int argc, char **argv)
> case 'a':
> warn_address = strdup(optarg);
> break;
>+ case 'd':
>+ configdir = strdup(optarg);
>+ byNickname = 1;
>+ break;
>+ case 'w':
>+ passwordfile = strdup(optarg);
>+ break;
>+ case 'c':
>+ certDBPrefix = strdup(optarg);
>+ break;
>+ case 'k':
>+ keyDBPrefix = strdup(optarg);
>+ break;
> default:
> exit(2);
> break;
> }
> }
>+
>+ /* NSS initialization */
>+
>+ if (byNickname) {
>+ /* cert in database */
>+ if (NSS_Initialize(configdir, certDBPrefix, keyDBPrefix,
>+ SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) {
>+ return EXIT_FAILURE;
>+ }
>+ /* in case module requires a password */
>+ if (passwordfile) {
>+ PK11_SetPasswordFunc(GetModulePassword);
>+ }
>+ } else {
>+ /* cert in a pem file */
>+ char *certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
>+ if (!certDir) {
>+ certDir = "/etc/pki/nssdb";
>+ }
>+ if (NSS_Initialize(certDir, certDBPrefix, keyDBPrefix,
>+ SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) {
>+ printf("NSS_Init(\"%s\") failed\n", certDir);
>+ return EXIT_FAILURE;
>+ }
>+ }
> 
>- return check_cert(argv[optind], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
>+ /* When byNickname is 1 argv[optind] is a nickname otherwise a filename. */
>+ return check_cert(argv[optind], byNickname, quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
> }
>diff -up crypto-utils/devel/crypto-utils.spec.orig crypto-utils/devel/crypto-utils.spec
>--- crypto-utils/devel/crypto-utils.spec.orig 2008-03-17 20:29:02.000000000 -0700
>+++ crypto-utils/devel/crypto-utils.spec 2008-03-27 20:23:40.000000000 -0700
>@@ -4,7 +4,7 @@
> Summary: SSL certificate and key management utilities
> Name: crypto-utils
> Version: 2.3
>-Release: 9
>+Release: 11
> Source: crypto-rand-%{crver}.tar.gz
> Source1: genkey.pl
> Source2: certwatch.c
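Review bot: `PK11_SetPasswordFunc(GetModulePassword)` registers the callback, but as far as the patch shows nothing passes `passwordfile` as the `wincx` argument that NSS hands back as `arg` — `check_cert` and `CERT_FindCertByNickname` never see it — so the callback gets NULL and returns 0 without opening the file. A read-only certificate lookup normally needs no token password anyway, so either drop `-w` or thread `passwordfile` through to the call that needs it. The PEM branch now requires an NSS database at `$SSL_DIR` or `/etc/pki/nssdb` merely to parse a file, which (as far as I can tell) makes certwatch fail on hosts without one where the OpenSSL build worked; `NSS_NoDB_Init(NULL)` is the appropriate initialisation for that branch. Neither branch calls `NSS_Shutdown()` before returning, and the nickname branch fails silently while the PEM branch prints a diagnostic — the two should match.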
>@@ -14,13 +14,17 @@ Source5: genkey.xml
> Source6: keyrand.c
> Source7: COPYING
> Source8: keyrand.xml
>+Source9: pemutil.c
>+Source10: keyutil.c
> Group: Applications/System
> License: MIT and GPLv2+
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
> BuildRequires: openssl-devel, pkgconfig, newt-devel, xmlto
> BuildRequires: perl-devel, perl(Newt), perl(ExtUtils::MakeMaker)
>+BuildRequires: nss-devel
> Requires: perl(Newt), openssl >= 0.9.7f-4
> Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)")
>+Requires: nss, nspr
> Obsoletes: crypto-rand
> 
> %description
>@@ -32,10 +36,14 @@ SSL certificates and keys.
> 
> %build
> %configure --with-newt=%{_prefix} CFLAGS="$CFLAGS -fPIC"
>+%configure --with-nss=%{_prefix} CFLAGS="$CFLAGS -fPIC"
> make -C librand
> 
>-cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl \
>- $RPM_SOURCE_DIR/certwatch.c -o certwatch -lcrypto
>+cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
>+ $RPM_SOURCE_DIR/certwatch.c $RPM_SOURCE_DIR/pemutil.c -o certwatch -lnspr4 -lnss3
>+
>+cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
>+ $RPM_SOURCE_DIR/keyutil.c -o keyutil -lnspr4 -lnss3
> 
> cc $RPM_OPT_FLAGS -Wall -Werror \
> $RPM_SOURCE_DIR/keyrand.c -o keyrand -lnewt
>@@ -85,6 +93,9 @@ for f in certwatch genkey keyrand; do
> install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
> done
> 
>+# install keyutil
>+install -c -m 755 keyutil $RPM_BUILD_ROOT%{_bindir}/keyutil
>+
> # install genkey
> sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
> -e "s|^\$ssltop.*$|\$ssltop = \"/etc/pki/tls\";|" \
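Review bot: `%configure` is run twice in `%build`, so the generated Makefiles reflect only the second invocation and `--with-newt` is lost; presumably the intent was a single `%configure --with-newt=%{_prefix} --with-nss=%{_prefix} CFLAGS="$CFLAGS -fPIC"` (assuming the configure script accepts `--with-nss` — nothing in this patch shows it). The certwatch `cc` line builds from `certwatch.c` and `pemutil.c` only, while the Makefile rule in this patch also compiles `traceutil.c`, where the `extern AsciiTime()` used by certwatch.c presumably lives, so the RPM link would fail or the two builds diverge. Keeping `BuildRequires: openssl-devel` and `Requires: openssl` is right while genkey still shells out to openssl, but `Requires: nss, nspr` would normally carry minimum versions matching the headers used.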
>@@ -110,6 +121,9 @@ chmod -R u+w $RPM_BUILD_ROOT
> %{perl_vendorarch}/auto/Crypt
> 
> %changelog
>+* Mon Mar 3 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.3-10
>+- rebuild for new perl again
>+
> * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.3-9
> - Autorebuild for GCC 4.3
> 
>diff -up crypto-utils/devel/certwatch.cron.orig crypto-utils/devel/certwatch.cron
>--- crypto-utils/devel/certwatch.cron.orig 2008-02-22 13:33:35.000000000 -0800
>+++ crypto-utils/devel/certwatch.cron 2008-03-27 20:28:59.000000000 -0700
>@@ -6,6 +6,47 @@
> # CERTWATCH_OPTS variable; see the man page for details.
> #
> 
>+# For certificates in pem files
>+watch_files_certs()
>+{
>+ test -x /etc/httpd/modules/mod_ssl.so || return 0
>+ test -r /etc/httpd/conf/httpd.conf || return 0
>+
>+ set -o pipefail # pick up exit code of httpd not sort
>+
>+ certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
>+ RETVAL=$?
>+ test $RETVAL -eq 0 || return
>+
>+ for c in $certs; do
>+ # Check whether a warning message is needed, then issue one if so.
>+ /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
>+ /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
>+ done
>+}
>+
>+# For certificates in the database
>+watch_database_certs()
>+{
>+ test -x /usr/bin/certutil || return 0
>+ test -x /usr/lib/httpd/modules/libmodnss.so || return 0
>+ test -r /etc/httpd/conf.d/nss.conf || return 0
>+
>+ # find path to mod_nss' database
>+ database=`/usr/bin/gawk '/^NSSCertificateDatabase/ { print $2 }' /etc/httpd/conf.d/nss.conf`
>+
>+ set -o pipefail # pick up exit code of certutil not gawk
>+ nicknames=`certutil -L -d $database | /usr/bin/gawk '{ print $1 }'`
>+ RETVAL=$?
>+ test $RETVAL -eq 0 || return 0
>+
>+ for n in $nicknames; do
>+ # Check whether a warning message is needed, then issue one if so.
>+ /usr/bin/certwatch $CERTWATCH_OPTS -q -d "$database" "$n" &&
>+ /usr/bin/certwatch $CERTWATCH_OPTS -d "$database" "$n" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
>+ done
>+}
>+
> [ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
> 
> # Use configured httpd binary
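Review bot: `watch_database_certs` feeds `certutil -L` through `gawk '{ print $1 }'`, which yields the listing's header words as well as nicknames and cuts any nickname containing a space to its first word, so those certificates are never checked and certwatch is run on bogus names; `$database` is also unquoted in that command while it is quoted in the certwatch calls. Select only lines whose last field is a trust string and strip just that column, e.g. `certutil -L -d "$database" | /usr/bin/gawk 'NF > 1 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { NF--; print }'`, and consume the output with `while read -r n; do …; done` instead of word-splitting `$nicknames`. The module check hard-codes `/usr/lib/httpd/modules/libmodnss.so`, which does not exist on lib64 hosts; `/etc/httpd/modules/libmodnss.so`, the same symlink directory the mod_ssl check uses, is the portable path. `set -o pipefail` is a bash feature the old script already relied on, but now it is set inside a function and stays in effect for the rest of the script.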
>@@ -15,19 +56,8 @@ httpd=${HTTPD-/usr/sbin/httpd}
> test -z "${NOCERTWATCH}" || exit 0
> test -x ${httpd} || exit 0
> test -x /usr/bin/certwatch || exit 0
>-test -r /etc/httpd/conf/httpd.conf || exit 0
> test -x /usr/sbin/sendmail || exit 0
>-test -x /etc/httpd/modules/mod_ssl.so || exit 0
> test -x /bin/sort || exit 0
> 
>-set -o pipefail # pick up exit code of httpd not sort
>-
>-certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
>-RETVAL=$?
>-test $RETVAL -eq 0 || exit 0
>-
>-for c in $certs; do
>- # Check whether a warning message is needed, then issue one if so.
>- /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
>- /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
>-done
>+watch_files_certs
>+watch_database_certs
>diff -up crypto-utils/devel/genkey.pl.orig crypto-utils/devel/genkey.pl
>--- crypto-utils/devel/genkey.pl.orig 2007-10-30 09:15:10.000000000 -0700
>+++ crypto-utils/devel/genkey.pl 2008-03-27 20:28:17.000000000 -0700
>@@ -32,6 +32,7 @@
> # 200308 Adapted for Taroon
> # 200308 Fix warnings in UTF-8 locale
> # 200409 Added --days support
>+# 200803 Adding support for NSS - work in progress
> #
> #
> $bindir = "%INSTDIR%/bin";
>@@ -72,6 +73,8 @@ Usage: genkey [options] servername
> --genreq Just generate a CSR from an existing key
> --makeca Generate a private CA key instead
> --days Days until expiry of self-signed certificate (default 30)
>+ --usenssdb Use the nss database for keys and certificates
>+ --traceon help for debugging (requires usenssdb)
> EOH
> exit 1;
> }
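Review bot: The usage text documents `--usenssdb` and `--traceon` but not `--certdir`, `--password` and `--pwdfile`, which the genkey.xml change in this same patch adds to the synopsis, and the `GetOptions` call in the next hunk does not parse those three either, so the man page and the program disagree. It also states that `--traceon` requires `usenssdb`, while the Makefile's `test-genreq` and `test-makeca` targets in this patch invoke `--traceon` without it and the code honours `$traceon` regardless; either drop "(requires usenssdb)" or enforce it.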
>@@ -110,23 +113,62 @@ sub RunForm
> die "unhandled event ", $reason, " ", $data, "\n";
> }
> 
>+sub getDatabaseDirectory {
>+ # wished there was an environment variable I could use
>+ my $mod_nss_config_file = "/etc/httpd/conf.d/nss.conf";
>+
>+ if (!-f $mod_nss_config_file) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "mod_nss config file is not at /etc/httpd/conf.d/nss.conf".
>+ "host:\n\nPress return to exit");
>+ Newt::Finished();
>+ exit 1;
>+ }
>+
>+ # database=`/usr/bin/gawk '/^NSSCertificateDatabase/ { print $2 }' /etc/httpd/conf.d/nss.conf`
>+ my $awk_cmd ='/usr/bin/gawk \'/^NSSCertificateDatabase/ { print $2 }\'' . " $mod_nss_config_file";
>+
>+ $gawk_result_file = "/tmp/dbdirectory.".$$;
>+ system("$awk_cmd > $gawk_result_file");
>+ open(DIR, "<$gawk_result_file");
>+ return <DIR>;
>+}
>+
> #
> # main
> #
> 
>+my $SPACE = " ";
> my $test_mode = '';
> my $genreq_mode = '';
> my $ca_mode = '';
> my $cert_days = 30;
>+my $ca_days = 730;
>+my $usenssdb='';
>+my $traceon='';
>+my $directory = '';
>+my $pasword = 0;
>+my $pwdfile = '';
> GetOptions('test|t' => \$test_mode,
> 'genreq' => \$genreq_mode,
> 'days=i' => \$cert_days,
>+ 'usenssdb|u' => \$usenssdb,
>+ 'traceon|t' => \$traceon,
> 'makeca' => \$ca_mode) or usage();
> usage() unless @ARGV != 0;
> $skip_random = $test_mode;
> $overwrite_key = $test_mode;
> $servername = $ARGV[0];
>+$keysize = 1024;
>+
>+$directory = getDatabaseDirectory() if $usenssdb;
>+print ("database directory: $directory \n") if $traceon;
>+
> $randfile = $ssltop."/.rand.".$$;
>+$tmp_password_file = '';
>+$subject_file = "/tmp/subject.".$$;
>+$arguments_file = "/tmp/arguments.".$$;
>+
> $keyfile = $ssltop."/private/".$servername.".key";
> if ($ca_mode) {
> $keyfile = $cadir."/private/".$servername;
>@@ -137,6 +179,7 @@ my $bits = 0;
> my $myca = "Other";
> my $useca = 0;
> my $cadetails;
>+my $subject = "";
> #
> 
> Newt::Init();
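Review bot: `my $pasword = 0;` is a typo — the rest of the patch reads `$password` (passed to `buildCAModeWindowList`/`buildTestModeWindowList` and tested in `passwordWindow`), which is therefore never declared or set, so in `--usenssdb` mode the passphrase window is skipped unconditionally and the database key is created without one. `'traceon|t'` reuses the `t` short alias already bound to `'test|t'`; Getopt::Long warns about the duplicate and only one binding survives, so `--traceon` needs a different letter or none. `getDatabaseDirectory` shells out to gawk via `system`, stores the result in the predictable `/tmp/dbdirectory.$$`, opens it with an unchecked two-argument `open` on a bareword handle that is never closed or unlinked, and returns the raw line including its newline, which later lands in the certutil `-d $directory` argument; the directive can be read in Perl directly, as below. The same predictable-name pattern applies to `$subject_file` and `$arguments_file`; `File::Temp` (core) gives unique, mode-0600 files.
```perl
sub getDatabaseDirectory {
    my $mod_nss_config_file = "/etc/httpd/conf.d/nss.conf";
    # … unchanged: "mod_nss config file is not at ..." dialog and exit …

    # Read the NSSCertificateDatabase directive directly: no shell, no temp file.
    my $conf;
    if (!open($conf, '<', $mod_nss_config_file)) {
        Newt::newtWinMessage("Error", "Close",
                             "Unable to read $mod_nss_config_file".
                             "\n\nPress return to exit");
        Newt::Finished();
        exit 1;
    }
    my $dbdir = '';
    while (my $line = <$conf>) {
        if ($line =~ m{^NSSCertificateDatabase\s+(\S+)}) {
            $dbdir = $1;
            last;
        }
    }
    close($conf);
    return $dbdir;
}
```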
>@@ -160,12 +203,14 @@ if (!$genreq_mode && -f $keyfile && !$ov
> exit 1;
> }
> 
>+if (!$usenssdb) {
> if ($genreq_mode && !(-f $keyfile)) {
> Newt::newtWinMessage("Error", "Close",
> "You do not have a key file for this host");
> Newt::Finished();
> exit 1;
> }
>+}
> 
> ######################################################################
> # Main
>@@ -187,6 +232,12 @@ if ($genreq_mode) {
> );
> $doingwhat="CSR generation";
> } elsif ($ca_mode) {
>+ if ($usenssdb) {
>+ @windows = buildCAModeWindowList($password);
>+ } else {
>+ # this for when we don't want leave anything in the database,
>+ # we generate the key, the ca cert, and finally encrypt
>+ # the key just as was done when using openssl
> @windows = (CAwelcomeWindow,
> getkeysizeWindow,
> customKeySizeWindow,
>@@ -195,8 +246,16 @@ if ($genreq_mode) {
> genCACertWindow,
> encryptKeyWindow,
> );
>+ }
> $doingwhat="CA key generation";
> } else {
>+ # $test_mode
>+ if ($usenssdb) {
>+ @windows = buildTestModeWindowList($password);
>+ } else {
>+ # this for when we don't want leave anything in the database
>+ # we generate the key, the csr, the cert and finally encrypt
>+ # the key just as was done when using openssl
> @windows = (welcomeWindow,
> getkeysizeWindow,
> customKeySizeWindow,
>@@ -208,6 +267,7 @@ if ($genreq_mode) {
> encryptKeyWindow,
> ### @EXTRA@ ### Leave this comment here.
> );
>+ }
> $doingwhat="key generation";
> }
> 
>@@ -246,6 +306,8 @@ while ($screen <= $#windows) {
> $screen = $nextscreen;
> }
> 
>+clearTempPasswordFile();
>+
> # Exit
> Newt::Finished();
> exit 1 if ($result eq "Cancel");
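Review bot: `clearTempPasswordFile()` (its definition is not in the part of the patch shown) runs only on the normal path after the window loop; every `Newt::Finished(); exit 1;` inside a window — the `makeCertUsingDB`/`makeCSRUsingDB` failure paths in this patch, the key-file checks above — bypasses it, so on error the passphrase written to `/tmp/password.$$` is left behind. An `END { clearTempPasswordFile() if $pwdfile; }` block, or calling it before each `exit`, closes that gap. On style, the `if (!$usenssdb) {` and `if ($usenssdb) { … } else {` wrappers added in `@@ -160`, `@@ -187`, `@@ -195` and `@@ -208` leave the wrapped bodies at their old indentation, so the new nesting is invisible without counting braces; re-indenting them, or moving the OpenSSL-path window lists into helpers like the NSS ones, would make the structure readable. The `$password` handed to the two builders is not declared anywhere in the patch as shown (`my $pasword = 0;` in the options hunk looks like the intended declaration).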
>@@ -254,6 +316,53 @@ exit 0;
> ######################################################################
> # Handy functions
> 
>+# Builds a window list for $ca_mode when usingnssdb.
>+sub buildCAModeWindowList {
>+ my ($password) = @_;
>+ return ($password)
>+ ? (CAwelcomeWindow,
>+ getkeysizeWindow,
>+ customKeySizeWindow,
>+ getRandomDataWindow, ## leaves newt suspended
>+ releaseRandomFileAndResumeNewt, ## resumes newt
>+ passwordWindow,
>+ genCACertWindow,
>+ )
>+ : (CAwelcomeWindow,
>+ getkeysizeWindow,
>+ customKeySizeWindow,
>+ getRandomDataWindow, ## leaves newt suspended
>+ releaseRandomFileAndResumeNewt, ## resumes newt
>+ genCACertWindow,
>+ );
>+}
>+
>+# Builds a window list for $test_mode when usingnssdb.
>+sub buildTestModeWindowList {
>+ my ($password) = @_;
>+ return ($password)
>+ ? (welcomeWindow,
>+ getkeysizeWindow,
>+ customKeySizeWindow,
>+ getRandomDataWindow, ## leaves newt suspended
>+ releaseRandomFileAndResumeNewt, ## resumes newt
>+ passwordWindow, ## prompt for a password
>+ wantCAWindow,
>+ genReqWindow,
>+ genCertWindow,
>+ ### @EXTRA@ ### Leave this comment here.
>+ )
>+ : (welcomeWindow,
>+ getkeysizeWindow,
>+ customKeySizeWindow, getRandomDataWindow, ## leaves newt suspended
>+ releaseRandomFileAndResumeNewt, ## resumes newt
>+ wantCAWindow,
>+ genReqWindow,
>+ genCertWindow,
>+ ### @EXTRA@ ### Leave this comment here.
>+ );
>+}
>+
> # Returns a panel containing two buttons of given names.
> sub DoubleButton {
> my ($left, $right) = @_;
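Review bot: `buildCAModeWindowList` and `buildTestModeWindowList` each spell the window sequence out twice, differing only in whether `passwordWindow` is present, so every future edit has to be made in two places per builder (the second test-mode list has already drifted, collapsing `customKeySizeWindow, getRandomDataWindow` onto one line). Build the common prefix once and splice the optional window in: `my @list = (CAwelcomeWindow, getkeysizeWindow, customKeySizeWindow, getRandomDataWindow, releaseRandomFileAndResumeNewt);` / `push @list, passwordWindow if $password;` / `return (@list, genCACertWindow);`, with the same shape for the test-mode builder. The `### @EXTRA@ ### Leave this comment here.` marker now appears in three lists; whatever build step keys on it (presumably the spec's `sed` over genkey.pl) must cope with multiple occurrences, or the marker should stay unique.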
>@@ -522,25 +631,62 @@ sub wantCAWindow
> return "Next";
> }
> 
>-sub encryptKeyWindow
>+# Save the passphrase to a file
>+sub savePassword
>+{
>+ my ($passwd) = @_;
>+
>+ if (!open (SESAME, ">$pwdfile")) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to save passphrase to $pwdfile".
>+ "\n\nPress return to continue");
>+ $pwdfile = ""; # unset it
>+ return "Back";
>+ }
>+ print SESAME $passwd."\n";
>+ close(SESAME);
>+ # temp file must be cleared before exiting
>+
>+ return "Next";
>+}
>+
>+# Obtain a password from the user
>+sub passwordWindow
> {
>+ if ( $usenssdb && ($pwdfile || !$password) ) {
>+ # Nothing to do, a file containing the password
>+ # was specified or no pasword is being used.
>+ return "Next";
>+ }
>+
>+ # Prompt the user user for a password to either
>+ # save it or use it for encrypting the private key.
>+
> my $message = <<EOT;
> At this stage you can set the passphrase on your private key. If you
> set the passphrase you will have to enter it every time the server
> starts. The passphrase you use to encrypt your key must be the same
> for all the keys used by the same server installation.
> 
>-If you do not encrypt your passphrase, if someone breaks into your
>+If you do not encrypt your key, if someone breaks into your
> server and grabs the file containing your key, they will be able to
> decrypt all communications to and from the server that were negotiated
>-using that key. If your passphrase is encrypted it would be much more
>+using that key. If your key is password protected it would be much more
> work for someone to retrieve the private key.
> EOT
>+ my $checkboxLabel;
>+ if ($usenssdb) {
>+ $pwdfile = "/tmp/password.".$$;
>+ $checkboxLabel = "Save passphrase to $pwdfile";
>+ } else {
>+ $checkboxLabel = "Encrypt the private key";
>+ }
>+
> $panel = Newt::Panel(1, 3, "Protecting your private key");
> 
> $panel->Add(0, 0, Newt::Textbox(70, 11, 0, $message));
> 
>- my $checkbox = Newt::Checkbox("Encrypt the private key");
>+ my $checkbox = Newt::Checkbox("$checkboxLabel");
> $panel->Add(0, 1, $checkbox);
> 
> $panel->Add(0, 2, NextBackCancelButton());
>@@ -560,8 +706,8 @@ EOT
> $message = <<EOT;
> Now we are going to set the passphrase on the private key. This
> passphrase is used to encrypt your private key when it is stored
>-on disk. You will have to type this passphrase when the server
>-starts.
>+on disk, or if using NSS database, it will be saved to access it.
>+You will have to type this passphrase when the server starts.
> 
> -- DO NOT LOSE THIS PASS PHRASE --
> 
>@@ -617,10 +763,32 @@ EOT
> 
> return $ret if ($ret eq "Back" or $ret eq "Cancel");
> 
>+ $ret = savePassword($pass1);
>+
>+ return $ret if ($ret eq "Back" or $ret eq "Cancel");
>+}
>+
>+#
>+# encryptKeyWindow pbe-encrypts a private key
>+# with a password it obtains from the user
>+#
>+sub encryptKeyWindow
>+{
> my $enckey = $keyfile . ".tmp";
> 
> unlink($enckey);
> 
>+# -------------------------------------------------------
>+# As soon as it's ready we want to use NSS's own keyutil
>+#
>+# if (!open (PIPE,
>+# "|$bindir/keyutil --command=wrapkey --input=$keyfile --passout=$pwdfile --output=$enckey")) {
>+# Newt::newtWinMessage("Error", "Close",
>+# "Unable to encrypt the private key".
>+# "\n\nPress return to continue");
>+# return "Back";
>+# }
>+#
> if (!open (PIPE,
> "|$bindir/openssl rsa -des3 -in $keyfile -passout stdin ".
> "-out $enckey")) {
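Review bot: `savePassword` writes the passphrase to `$pwdfile` (`/tmp/password.$$`, set below) with a plain `open(SESAME, ">$pwdfile")`, so the file is created under a predictable name in a world-writable directory with whatever the process umask allows — typically 0644 — and neither the `print` nor the `close` is checked. Create it exclusively with a restrictive mode and check the write: `use Fcntl qw(O_WRONLY O_CREAT O_EXCL);` / `sysopen(my $fh, $pwdfile, O_WRONLY | O_CREAT | O_EXCL, 0600) or return "Back";` / `print {$fh} $passwd."\n" and close($fh) or return "Back";` (keeping the error dialog on the failure path), or let `File::Temp` choose the name and mode. The early return in `passwordWindow`, `$pwdfile || !$password`, reads `$password`, which nothing in the patch declares or sets, so in `--usenssdb` mode the prompt is always skipped. The sub continues past this hunk.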
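Review bot: `savePassword($pass1)` is now called on every successful pass through the prompt, including the OpenSSL path where `$pwdfile` is the empty string, so `open(SESAME, ">")` fails, the user sees "Unable to save passphrase to" and is sent Back; guard the call with `$ret = savePassword($pass1) if $usenssdb;`. After the final `return $ret if …` the sub falls off the end and returns the false value of that condition rather than "Next", which the window loop presumably does not treat as an advance; add an explicit `return "Next";`. The new `encryptKeyWindow` starts at `$enckey`, but the passphrase it later feeds to openssl (outside this hunk) was a variable of the function it was split from; if `$pass1` was `my`-scoped there, it is no longer visible here. The commented-out keyutil pipeline interpolates `$pwdfile` and `$keyfile` into a shell command; when it is enabled, the list form `open(PIPE, '|-', "$bindir/keyutil", @args)` avoids shell parsing of those paths.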
>@@ -677,12 +845,139 @@ EOT
> }
> 
> #
>+# make certificate using the database
>+#
>+sub makeCertUsingDB
>+{
>+ my ($keysize, $certfile, $subject, $days,
>+ $directory, $randfile) = @_;
>+ 
>+ if (!$subject) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "$subject : is not a proper name.".
>+ "host:\n\nPress return to exit");
>+ Newt::Finished();
>+ exit 1;
>+ 
>+ }
>+ # If no days specified it's a ca so use 2 years
>+ my $valid_months = $days ? $days / 30 : 24;
>+ my $trustargs = "Cu,Cu,Cu";
>+ 
>+ # Save the arguments to a file
>+ if ($traceon) {
>+ if (!open (ARGUMENTS, ">$arguments_file")) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to save argements to $arguments_file ".
>+ "\n\nPress return to continue");
>+ return "Back";
>+ }
>+ }
>+ my $QUOTE = '"';
>+ my $args = "-S -a -k rsa";
>+ $args = $args . $SPACE . "-g" . $SPACE . "$keysize" if $keysize;
>+ $args = $args . $SPACE . "-n" . $SPACE . "$servername" if $servername;
>+ $args = $args . $SPACE . "-s" . $SPACE . "$subject" if $subject;
>+ $args = $args . $SPACE . "-t" . $SPACE . "$trustargs" if $trustargs;
>+ $args = $args . $SPACE . "-v" . $SPACE . "$valid_months" if $valid_months;
>+ $args = $args . $SPACE . "-z" . $SPACE . "$randfile" if $randfile;
>+ 
>+ if ($pwdfile) {
>+ $args .= $args . $SPACE . "-f". $SPACE . "$pwdfile";
>+ }
>+ if ($traceon) {
>+ print ARGUMENTS $args."\n";
>+ close(ARGUMENTS);
>+ }
>+ 
>+ system("$bindir/certutil $args -out $certfile");
>+ if (0 && !open (PIPE,
>+ "| $bindir/certutil $args".
>+ " -out $certfile")) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to save cert to $certfile".
>+ "\n\nPress return to continue");
>+ return "Back";
>+ }
>+ 
>+ if (!-f $certfile) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to create a certificate for this ".
>+ "host:\n\nPress return to exit");
>+ Newt::Finished();
>+ exit 1;
>+ }
>+}
>+ 
>+#
>+# makeCSRUsingDB
>+#
>+# Create a certificate-signing request file that can be submitted to a
>+# Certificate Authority (CA) for processing into a finished certificate.
>+#
>+sub makeCSRUsingDB
>+{
>+ my ($keysize, $csrfile, $subject, $days, $directory, $pwfile) = @_;
>+ 
>+ if (!$subject) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "subject distinguished name is null.".
>+ "host:\n\nPress return to exit");
>+ Newt::Finished();
>+ exit 1;
>+ 
>+ }
>+ 
>+ $valid_months = $days ? $days / 30 : 24;
>+ 
>+ # Save the arguments to a file for debugging
>+ if ($traceon) {
>+ if (!open (ARGUMENTS, ">$arguments_file")) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to save arguments to $arguments_file".
>+ "\n\nPress return to continue");
>+ return "Back";
>+ }
>+ }
>+ 
>+ my $args = "-R -a -k rsa";
>+ $args = $args . $SPACE . "-g" . $SPACE . "$keysize" if $keysize;
>+ $args = $args . $SPACE . "-s" . $SPACE . "$subject" if $subject;
>+ $args = $args . $SPACE . "-v" . $SPACE . "$valid_months" if $valid_months;
>+ $args = $args . $SPACE . "-d" . $SPACE . "$directory" if $directory;
>+ $args = $args . $SPACE . "-z" . $SPACE . "$randfile" if $randfile;
>+ 
>+ if ($pwdfile) {
>+ $args = $args . $SPACE . "-f" . $SPACE . "$pwdfile";
>+ }
>+ 
>+ if ($traceon) {
>+ print $args."\n";
>+ print ARGUMENTS $args."\n";
>+ close(ARGUMENTS);
>+ }
>+ 
>+ system("$bindir/certutil $args -o $csrfile");
>+ 
>+ if (!-f $csrfile) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Was not able to create a CSR for this ".
>+ "host:\n\nPress return to exit");
>+ Newt::Finished();
>+ exit 1;
>+ }
>+}
>+ 
>+#
> # makeCert
> #
> # Given a keyfile, expiry date, and set of certificate information
> # create a X509 certificate to make a key and store it
> #
>-
>+# makeCert is overloaded, it can also be called to make a CSR
>+# when in $makeca_mode, also in $test_mode via a !gen_mode test.
>+# see openssl related comment below.
>+#
> sub makeCert
> {
> my ($keyfile,$certfile,$cert,$days) = @_;
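Review bot: In makeCertUsingDB the `$pwdfile` branch reads `$args .= $args . $SPACE . "-f". $SPACE . "$pwdfile";`, which appends the whole argument string to itself before adding `-f`, so certutil receives every option twice; it should be `$args = $args . $SPACE . "-f" . $SPACE . "$pwdfile";` as makeCSRUsingDB already does. makeCertUsingDB unpacks `$directory` but never emits `-d`, unlike makeCSRUsingDB, and makeCSRUsingDB unpacks `$pwfile` but reads the global `$pwdfile`, so callers cannot actually override either value. Both routines pass `$subject`, assembled from user-typed DN fields, to `system()` through a single shell string; building an array and calling `system("$bindir/certutil", @args, '-out', $certfile)` removes the need for the quoting that getCertDetails wraps around `$subject` and lets the exit status (currently ignored) be checked directly. `$days / 30` is handed to `-v` unrounded, so 730 days becomes 24.333…; `int($days / 30)` is safer if certutil expects whole months, which is worth confirming. The `if (0 && !open (PIPE, ...))` block is dead code and should be dropped or turned into the real error path.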
>@@ -703,7 +998,75 @@ sub makeCert
> }
> close(OUT);
> 
>+ # According to http://www.openssl.org/docs/apps/req.html#
>+ # the req command primarily creates and processes certificate requests in PKCS#10 format.
>+ # It can additionally create self signed certificates for use as root CAs for example.
>+ # this routine invokes the command for both cert request and cert creation
>+ 
> system("$bindir/openssl req -config $sslconf -new -key $keyfile $days -out $certfile < $tempfile 2> /dev/null");
>+ 
>+ #
>+ # Notice the -config $sslconf and -new options
>+ # The -new option generates a new certificate request.
>+ # It will prompt the user for the relevant field values. The actual fields
>+ # prompted for and their maximum and minimum sizes are specified in the
>+ # configuration file and any requested extensions.
>+ #
>+ # ------ There will be user prompts !!!
>+ #
>+ # Can I find a way to avoid them with keyutil?
>+ # If not, then keyutil will have to parse the $sslconf file
>+ # to determine these fields and prompt for them. Maybe I can
>+ # do it here in the Perl script in and pass them down to keyutil.
>+ #
>+ # At first I'll rely on fixed values but soon I'll need
>+ # find out what prompts are being made by openssl.
>+ #
>+ # Th docs also say that If the -key option is not used it will generate a new RSA private key using
>+ # information specified in the configuration file.
>+ #
>+ # ------- Good, we are using -key so we pick up the private key made earlier.
>+ #
>+ # ------------------------------------------------------------------------------------------------
>+ #
>+ # TODO: Call keyutil to do what I just explained.
>+ 
>+ my $valid_months = $days ? $days / 30 : 24;
>+ 
>+ ## system("$bindir/keyutil --command=genrsa --randfile=$randfile --keysize=$bits > $keyfile")
>+ 
>+ my $args = "";
>+ if ($genreq_mode) {
>+ # build the arguments for a gen request call
>+ $args = "--command=genreq";
>+ $args = $args . $SPACE . "--keysize=" .
"$bits" if $bits;
>+ $args = $args . $SPACE . "--subject=" . "$subject" if $subject; # global variable, set in $cert was
>+ $args = $args . $SPACE . "--validity=" . "$valid_months" if $valid_months;
>+ $args = $args . $SPACE . "--outfile=" . "$certfile" if $certfile; # actually a csr file
>+ $args = $args . $SPACE . "--noisefile=" . "$randfile" if $randfile;
>+ 
>+ print "genreq command: $args\n" if $traceon;
>+ 
>+ system("$bindir/keyutil %args");
>+ 
>+ } else {
>+ # build the arguments for a gen cert call, self-signed
>+ $args = "--command=gencert";
>+ $args = $args . $SPACE . "--keysize=" . "$bits" if $bits;
>+ $args = $args . $SPACE . "--mdigest=" . "$mdigest" if $mdigest; ## default sha1
>+ $args = $args . $SPACE . "--subject=" . "$subject" if $subject; ## coolected earlier
>+ $args = $args . $SPACE . "--validity=" . "$valid_months" if $valid_months;
>+ $args = $args . $SPACE . "--noisefile=" . "$randfile" if $randfile;
>+ 
>+ # FIXME ignoring for now
>+ #if ($pwdfile) { $args = $args . $SPACE . "--pwfile" . $SPACE . "$pwdfile"; }
>+ 
>+ print "gencert command: $args\n" if $traceon;
>+ 
>+ system("$bindir/keyutil $args");
>+ }
>+ #
>+ #-----------------------------------------------------------------
> unlink($tempfile);
> 
> if (!-f $certfile) {
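Review bot: The genreq branch runs `system("$bindir/keyutil %args");` — `%args` is not interpolated inside a double-quoted string, so keyutil is invoked with the literal word `%args` instead of the options just assembled; it should be `system("$bindir/keyutil $args");` as in the gencert branch. Both branches execute after the existing `openssl req` call has already written `$certfile`, so in the genreq case `--outfile=$certfile` presumably overwrites the openssl output while the gencert case passes no output file at all, which leaves it unclear whose result the later `-f $certfile` check is validating; gating the keyutil path behind a flag until the hand-over is complete would make the behaviour explicit. The exit status of each `system()` is ignored; testing `$? != 0` before the file-existence check would give a precise error instead of a generic "unable to create" message. makeCert continues beyond this hunk.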
>@@ -815,10 +1178,30 @@ sub getCertDetails
> $cert{'O'} = $ents{'O'}->Get();
> $cert{'OU'} = $ents{'OU'}->Get();
> $cert{'CN'} = $ents{'CN'}->Get();
>+ 
>+ if (!$cert{'CN'}) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Common Name is required".
>+ "\n\nPress return to continue");
>+ exit "Back";
>+ }
>+ 
>+ # Let's build the subject dintinguished name here
>+ # to pass on to certutils.
>+ 
>+ $SEP = ", ";
>+ $subject = 'CN' . "=" . $cert{'CN'};
>+ $subject = $subject . $SEP . 'OU' . "=" . $cert{'OU'} if $cert{'OU'};
>+ $subject = $subject . $SEP . 'O' . "=" . $cert{'O'} if $cert{'O'};
>+ $subject = $subject . $SEP . 'L' . "=" . $cert{'L'} if $cert{'L'};
>+ $subject = $subject . $SEP . 'ST' . "=" . $cert{'ST'} if $cert{'ST'};
>+ $subject = $subject . $SEP . 'C' . "=" . $cert{'C'} if $cert{'C'};
> 
> if ($iscsr) {
> $cert{'CompanyName'} = $ents{'CompanyName'}->Get();
> $cert{'Challenge'} = $ents{'Challenge'}->Get();
>+ $subject = $subject . $SEP . 'CompanyName' ."=" . $cert{'CompanyName'} if $cert{'CompanyName'};
>+ $subject = $subject . $SEP . 'Challenge' ."=" . $cert{'Challenge'} if $cert{'Challenge'};
> }
> 
> $panel->Hide();
>@@ -827,6 +1210,21 @@ sub getCertDetails
> undef $panel;
> 
> $cadetails = $cert;
>+ $subject = "\"" . "$subject" . "\"";
>+ 
>+ if ($traceon) {
>+ # Save the subject distinguished name to a file
>+ # for error diagnostics.
>+ if (!open (SUBJECT, ">$subject_file")) {
>+ Newt::newtWinMessage("Error", "Close",
>+ "Unable to save subject to $subject_file ".
>+ "\n\nPress return to continue");
>+ return "Back";
>+ }
>+ print $subject."\n";
>+ print SUBJECT $subject."\n";
>+ close(SUBJECT);
>+ }
> 
> return "Next";
> }
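Review bot: The new Common Name check ends with `exit "Back";`, which terminates the whole program with status 0 (a non-numeric string converts to 0) instead of returning to the previous window; it should be `return "Back";` like the other error paths in this patch. `$SEP` and `$subject` are assigned as package globals with no `my`, which appears deliberate since genReqWindow and the gen*CertWindow routines read `$subject` afterwards, but a comment such as `# $subject is a file-level global consumed by make*UsingDB` would make that contract visible. For CSRs, `CompanyName` and `Challenge` are appended to the subject as if they were RDNs, whereas in the existing openssl flow they look like request attributes rather than DN components; whether certutil's `-s` parser accepts these keywords is worth confirming before relying on it. getCertDetails starts before this hunk.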
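Review bot: `$subject = "\"" . "$subject" . "\"";` wraps the DN in literal double quotes so that it survives the later single-string `system("$bindir/certutil $args ...")` calls, but a DN field that itself contains `"`, `$`, a backtick or `\` breaks out of that quoting, and these values come straight from the text entries. Leaving `$subject` unquoted here and passing it as its own element of a list-form `system(...)` in makeCertUsingDB and makeCSRUsingDB removes the need for shell quoting altogether. The `print $subject."\n";` under `$traceon` goes to STDOUT while the Newt interface is presumably still active, which may garble the screen; writing only to the SUBJECT file (or `print STDERR`) would be cleaner.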
>@@ -888,14 +1286,26 @@ sub genReqWindow
> my $ret = getCertDetails($servername,$msg, 1);
> return $ret unless ($ret eq "Next");
> 
>+ if ($usenssdb) {
>+ makeCSRUsingDB($keysize, $csrfile, $subject, $cert_days, $directory, $pwdfile);
>+ } else {
>+# The following makeCert call actually makes a signing request, makeCert is overloaded.
> makeCert($keyfile,$csrfile,$cadetails,"");
>+ #makeCSRNoDB($keyfile, $csrfile, $subject, $pwdfile); -- ?
>+ }
> 
> # Now make a temporary cert
>-
>+# !$genreq_mode means we are effectively in $makeca_mode
> if (!$genreq_mode) {
> if (!-f $certfile) {
>+ if ($usenssdb) {
>+ makeCertUsingDB($keysize,$certfile,$subject,$cert_days,
>+ $directory,$randfile);
>+ } else {
> makeCert($keyfile,$certfile,$cadetails,"-days $cert_days -x509");
>- }
>+ #makeCertNoDB($keysize,$certfile,$subject,$cert_days,$randfile); ?
>+ }
>+ }
> }
> 
> undef $csrtext;
>@@ -998,7 +1408,12 @@ sub genCertWindow
> my $ret = getCertDetails($servername,$msg, 0);
> return $ret unless ($ret eq "Next");
> 
>+ if ($usenssdb) {
>+ makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,$cert_days);
>+ } else {
> makeCert($keyfile,$certfile,$cadetails,"-days $cert_days -x509");
>+ #makeCertNoDB($keyfile,$certfile,$cadetails,"$cert_days"); -- when ready
>+ }
> 
> return "Next";
> }
>@@ -1016,10 +1431,15 @@ sub genCACertWindow
> "enter is what is called a Distinguished Name or a DN. There are ".
> "quite a few fields but you can leave some blank";
> 
>- my $ret = getCertDetails("",$msg, 0);
>+ my $ret = getCertDetails("",$msg, 0); # no cn is suggested in prompt
> return $ret unless ($ret eq "Next");
> 
>+ if ($usenssdb) {
>+ makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,"730");
>+ } else {
>+ #makeCertNoDB($keyfile,$certfile,$cadetails,"730");
> makeCert($keyfile,$certfile,$cadetails,"-days 730 -x509");
>+ }
> 
> return "Next";
> }
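Review bot: genCertWindow calls `makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,$cert_days)`, but the routine as defined earlier in this patch unpacks `($keysize, $certfile, $subject, $days, $directory, $randfile)`, so `$days` receives the directory path, `$directory` receives the random file and `$randfile` receives the day count; the genCACertWindow call in the next hunk, `makeCertUsingDB($keysize,$certfile,$subject,$directory,$randfile,"730")`, has the same shift. The genReqWindow call in the first hunk uses the correct order, `makeCertUsingDB($keysize,$certfile,$subject,$cert_days, $directory,$randfile)`, and the other two should match it. As written, the `-v` validity would be computed from a path string and `-z` would point at the file `730`, so certutil would most likely fail or fall back to its default validity without the script noticing.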
>@@ -1047,6 +1467,11 @@ sub getRandomDataWindow()
> return "Next";
> }
> 
>+sub releaseRandomFileAndResumeNewt() {
>+ unlink($randfile);
>+ Newt::Resume();
>+}
>+ 
> sub generateKey()
> {
> print STDERR "\nPlease wait - generating the key (this may take some time)\n\n";
>@@ -1054,16 +1479,28 @@ sub generateKey()
> # Actually generate the key
> #
> system("$bindir/openssl genrsa -rand $randfile $bits > $keyfile");
>+ # to be replaced with somthing like the following
>+ #system("$bindir/keyutil --command=genrsa --noisefile=$randfile --keysize=$bits > ");
> unlink($randfile);
> Newt::Resume();
> 
>- if (chmod(0400, $keyfile) != 1) {
>+ if (chmod(0400, ) != 1) {
> Newt::newtWinMessage("Error", "Close",
> "Could not set permissions of private key file.\n".
>- "$1 - $keyfile");
>+ "$1 - ");
> Newt::Finished();
> exit 1;
> }
> 
> return "Skip";
> }
>+ 
>+sub clearTempPasswordFile {
>+ if ($pwdfile && -f $pwdfile) {
>+ open (FH, "+< $pwdfile") or die "can't update $file: $!";
>+ truncate(FH, 0) or die "can't truncate $file: $!";
>+ close(FH);
>+ $tmp_password_file = '';
>+ }
>+}
>+ 
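Review bot: `if (chmod(0400, ) != 1) {` and the message `"$1 - ");` have lost `$keyfile` relative to the removed lines; with no file argument chmod returns 0, so this branch always reports a permissions failure and exits 1 right after generating the key, and the key file keeps whatever mode the shell redirect gave it. Unless this is an artifact of how the attachment is rendered, the lines should be restored to `if (chmod(0400, $keyfile) != 1) {` and `"$1 - $keyfile");`. In clearTempPasswordFile the two `die` messages refer to `$file`, which is not defined here, the two-argument `open (FH, "+< $pwdfile")` should be `open(my $fh, '+<', $pwdfile)`, and the final assignment clears `$tmp_password_file` rather than `$pwdfile`; truncating also leaves an empty file in /tmp, so an `unlink($pwdfile)` after the truncate would complete the cleanup. releaseRandomFileAndResumeNewt, added in the previous hunk, duplicates the `unlink($randfile); Newt::Resume();` pair that generateKey still carries inline, and nothing in this patch calls it.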