#!/bin/sh # # Copyright 1999-2006 University of Chicago # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # find_ca_dir() { cahash=$1 shift for x in "$@"; do if test -r "$x/$cahash.0"; then echo "${x}" return 0 fi done } get_security_dir() { cadir=$1 if test ! -z "${GRID_SECURITY_DIR}" ; then echo "${GRID_SECURITY_DIR}" elif test "$cadir" = "/etc/grid-security/certificates"; then echo "/etc/grid-security" else echo "${sysconfdir}" fi } get_hashes() { cadir=$1 ls ${cadir}/*.0 2> /dev/null | xargs } show_default() { DEFAULTCAHASH="NONE" gsconf="" if test -r "${GRID_SECURITY_DIR}/grid-security.conf"; then gsconf=${GRID_SECURITY_DIR}/grid-security.conf elif test -r "/etc/grid-security/grid-security.conf"; then gsconf="/etc/grid-security/grid-security.conf" elif test -r "${sysconfdir}/grid-security.conf"; then gsconf="${sysconfdir}/grid-security.conf" fi DEFAULTCACONFFILE=`ls -l "$gsconf" 2>/dev/null | sed -e "s|.*-> \(.*\)|\1|"` DEFAULTCAHASH=`echo "$DEFAULTCACONFFILE" | sed -e "s|.*\.\(.*\)$|\1|"` for x in "$@"; do if test -r "${x}/$DEFAULTCAHASH.0"; then DEFAULT_SUBJECT=`"$openssl" x509 -in ${x}/$DEFAULTCAHASH.0 -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` echo echo "The default CA is: $DEFAULT_SUBJECT" echo " Location: ${x}/$DEFAULTCAHASH.0" echo break fi done } ca_list() { echo "The available CA configurations installed on this host are:" echo index=1 for x in "$@"; do cert_hashes=`get_hashes ${x}` if test -n "${cert_hashes}"; then echo "Directory: ${x}" echo for cert in ${cert_hashes}; do if test -r "${cert}" ; then eval "CA${index}=${cert}" TEMP_SUBJECT=`"$openssl" x509 -in "${cert}" -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` eval "CA_SUBJECT${index}=\"${TEMP_SUBJECT}\"" TEMP_HASH=`echo ${cert} | sed -e "s|.*/\([^/]*\)\.0|\1|"` eval "CA_HASH${index}=$TEMP_HASH" eval "echo \"$index) \${CA_HASH${index}} - \${CA_SUBJECT${index}}\"" index=`expr $index + 1` fi done echo fi done show_default "$@" } interactive() { ca_list "$@" CA_CHOSEN_INDEX="" while [ -z "$CA_CHOSEN_INDEX" ] do echo printf "Enter the index number of the CA to set as the default [q to quit]: " read CA_CHOSEN_INDEX if [ "${CA_CHOSEN_INDEX}" = "" ] || \ [ "${CA_CHOSEN_INDEX}" = "q" ]; then exit 1; fi # Check for number if test ${CA_CHOSEN_INDEX} -eq ${CA_CHOSEN_INDEX} 2>/dev/null ; then if [ 1 -gt ${CA_CHOSEN_INDEX} ] || [ $index -le ${CA_CHOSEN_INDEX} ]; then echo "${CA_CHOSEN_INDEX} is not a valid index!" CA_CHOSEN_INDEX="" fi else echo "${CA_CHOSEN_INDEX} is not a valid index!" CA_CHOSEN_INDEX="" fi done eval "CA_SUBJECT=\${CA_SUBJECT${CA_CHOSEN_INDEX}}" eval "CA_CERT=\${CA${CA_CHOSEN_INDEX}}" CA_CERT_DIR=`echo $CA_CERT | sed -e "s|/[^\/]*$||"` } globus_args_short_usage() { cat 1>&2 <&2 <&2 < : Set the default CA non-interactively Deprecated Options: -dir : Set GRID_SECURITY_DIR and X509_CERT_DIR instead EOF } ############################################################ # main code section ############################################################ openssl="/cvmfs/dirac.egi.eu/dirac/v8.0.10/Linux-x86_64/bin/openssl" prefix="${GLOBUS_LOCATION-/cvmfs/dirac.egi.eu/dirac/v8.0.10/Linux-x86_64}" exec_prefix="${prefix}" bindir="${exec_prefix}/bin" sbindir="${exec_prefix}/sbin" datarootdir="${prefix}/share" datadir="${datarootdir}" sysconfdir="${prefix}/etc" PATH=${bindir}:${sbindir}:${PATH} PROGRAM_NAME=`echo $0 | sed 's|.*/||g'` PROGRAM_VERSION="10.8" VERSION="10.8" PACKAGE="globus_gsi_cert_utils" DIRT_TIMESTAMP="1629915172" DIRT_BRANCH_ID="0" short_usage="$PROGRAM_NAME [-help] [ options ...]" if ! "$openssl" version > /dev/null 2> /dev/null; then echo "Unable to locate openssl binary in $bindir or PATH" 1>&2 exit 1 fi readCommandLine "$@" # reset positional parameters for x in "$@"; do shift done # look for trusted certs directories if test -n "${X509_CERT_DIR}" ; then set -- "${X509_CERT_DIR}" if test -n "${GRID_SECURITY_DIR}"; then set -- "$@" "${GRID_SECURITY_DIR}" fi fi if test -d "/etc/grid-security/certificates/." ; then set -- "$@" "/etc/grid-security/certificates" fi if test -d "${datadir}/certificates/."; then set -- "$@" "${datadir}/certificates" fi found_ca=0 for x in "$@"; do if test -n "`get_hashes ${x}`"; then found_ca=1 fi done if test $found_ca -eq 0; then echo echo "There does not appear to be a valid CA" echo "located in any of the following directories:" echo "" for x in "$@"; do echo " ${x}" done echo "" echo "To specify a different location where the grid security" echo "configuration files were installed, set the X509_CERT_DIR" echo "set the GRID_SECURITY_DIR environment variables." echo "" exit 1 fi if [ -n "$JUSTLIST" ]; then ca_list "$@" exit fi if [ -z "$ca_to_use" ]; then interactive "$@" else CA_CERT_DIR=`find_ca_dir $ca_to_use "$@"` CA_CERT="$CA_CERT_DIR/$ca_to_use.0" if test ! -r "${CA_CERT}" ; then echo echo "Cannot find a CA with hash ${ca_to_use}." echo "Use grid-default-ca -list to see a list of CA hashes " echo "available on this machine." echo exit 1 fi CA_SUBJECT=`"$openssl" x509 -in "${CA_CERT}" -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` fi secconfdir=`get_security_dir ${CA_CERT_DIR}` if [ ! -w "${secconfdir}" ]; then echo echo "You do not have permission to set the default CA configuration at" echo echo $secconfdir echo exit 1 fi echo echo "setting the default CA to: ${CA_SUBJECT}" echo NEW_DEFAULT_CA_HASH=`"$openssl" x509 -in "${CA_CERT}" -noout -hash` GRID_SECURITY_FILE=${CA_CERT_DIR}/grid-security.conf.${NEW_DEFAULT_CA_HASH} CA_SSL_HOST_CONFIG_FILE=${CA_CERT_DIR}/globus-host-ssl.conf.${NEW_DEFAULT_CA_HASH} CA_SSL_USER_CONFIG_FILE=${CA_CERT_DIR}/globus-user-ssl.conf.${NEW_DEFAULT_CA_HASH} DIRECTIONS_FILE=${CA_CERT_DIR}/directions.${NEW_DEFAULT_CA_HASH} if [ -w ${GRID_SECURITY_FILE} ]; then echo "linking ${GRID_SECURITY_FILE} to" echo " ${secconfdir}/grid-security.conf" echo rm -f ${secconfdir}/grid-security.conf ln -s ${GRID_SECURITY_FILE} ${secconfdir}/grid-security.conf else error GRID_SECURITY_FILE fi if [ -w ${CA_SSL_HOST_CONFIG_FILE} ]; then echo "linking ${CA_SSL_HOST_CONFIG_FILE} to" echo " ${secconfdir}/globus-host-ssl.conf" echo rm -f ${secconfdir}/globus-host-ssl.conf ln -s ${CA_SSL_HOST_CONFIG_FILE} ${secconfdir}/globus-host-ssl.conf else error CA_SSL_HOST_CONFIG_FILE fi if [ -w ${CA_SSL_USER_CONFIG_FILE} ]; then echo "linking ${CA_SSL_USER_CONFIG_FILE} to" echo " ${secconfdir}/globus-user-ssl.conf" echo rm -f ${secconfdir}/globus-user-ssl.conf ln -s ${CA_SSL_USER_CONFIG_FILE} ${secconfdir}/globus-user-ssl.conf else error CA_SSL_USER_CONFIG_FILE fi if [ -w ${DIRECTIONS_FILE} ]; then echo "linking ${DIRECTIONS_FILE} to" echo " ${secconfdir}/directions" echo rm -f ${secconfdir}/directions ln -s ${DIRECTIONS_FILE} ${secconfdir}/directions else if test -r ${secconfdir}/directions ; then echo "removing link ${secconfdir}/directions" echo rm -f ${secconfdir}/directions fi fi echo echo "...done." echo exit 0