#!/bin/sh # # Copyright 1999-2006 University of Chicago # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # openssl="/cvmfs/dirac.egi.eu/dirac/v8.0.58/Linux-x86_64/bin/openssl" find_ca_dir() { cahash=$1 shift for x in "$@"; do if test -f "$x/$cahash.0"; then echo "${x}" return 0 fi done } get_security_dir() { cadir=$1 if test ! -z "${GRID_SECURITY_DIR}" ; then echo "${GRID_SECURITY_DIR}" elif test "$cadir" = "/etc/grid-security/certificates"; then echo "/etc/grid-security" else echo "${sysconfdir}" fi } get_hashes() { cadir=$1 ls ${cadir}/*.0 2> /dev/null || true } ca_list() { echo "The available CA configurations installed on this host are:" echo index=1 for x in "$@"; do cert_hashes="$(get_hashes ${x})" if test -n "${cert_hashes}"; then echo "Directory: ${x}" echo for cert in ${cert_hashes}; do if test -r "${cert}" ; then TEMP_SUBJECT=`"$openssl" x509 -in ${cert} -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` TEMP_HASH="${cert##*/}" TEMP_HASH="${TEMP_HASH%.0}" eval "CA${index}=${cert}" eval "CA_SUBJECT${index}=\"/${TEMP_SUBJECT#*/}\"" eval "CA_HASH${index}=$TEMP_HASH" eval "echo \"$index) \${CA_HASH${index}} - \${CA_SUBJECT${index}}\"" index=$(($index + 1)) fi done echo fi done } interactive() { ca_list "$@" CA_CHOSEN_INDEX="" while [ -z "$CA_CHOSEN_INDEX" ] do echo printf "Enter the index number of the CA to package [q to quit]: " read CA_CHOSEN_INDEX if [ "${CA_CHOSEN_INDEX}" = "" ] || \ [ "${CA_CHOSEN_INDEX}" = "q" ]; then exit 1; fi # Check for number if test ${CA_CHOSEN_INDEX} -eq ${CA_CHOSEN_INDEX} 2>/dev/null ; then if [ 1 -gt ${CA_CHOSEN_INDEX} ] || [ $index -le ${CA_CHOSEN_INDEX} ]; then echo "${CA_CHOSEN_INDEX} is not a valid index!" CA_CHOSEN_INDEX="" fi else echo "${CA_CHOSEN_INDEX} is not a valid index!" CA_CHOSEN_INDEX="" fi done eval "CA_SUBJECT=\${CA_SUBJECT${CA_CHOSEN_INDEX}}" eval "CA_CERT=\${CA${CA_CHOSEN_INDEX}}" CA_CERT_DIR=`echo $CA_CERT | sed -e "s|/[^\/]*$||"` } create_source_package_tarball() { _tmpdir="${TMPDIR:-/tmp}" _capath="${1}" _cadir="${2}" _casubject="${3}" _simpleca="${4}" _cahash=`"$openssl" x509 -hash -noout -in "${_capath}"` _certdir="share/certificates" _srcdir="globus-simple-ca-${_cahash}" _source_package_tarball="globus_simple_ca_${_cahash}.tar.gz" _pkgdir="" printf "Creating RPM source tarball... " while [ -z "$_pkgdir" ]; do mkdir -m 0755 "${_pkgdir:=${_tmpdir}/globus_simple_ca.$("$openssl" rand -base64 6 | tr / _)}" rc=$? if [ $rc != 0 -o ! -d "${_pkgdir}" ]; then _pkgdir="" fi done cd "${_pkgdir}" mkdir "${_srcdir}" if [ "${_simpleca}" -eq 0 ]; then cp "${_capath}" "${_srcdir}/${_cahash}.0" cp "${_cadir}/${_cahash}.signing_policy" "${_srcdir}/${_cahash}.signing_policy" if [ -r "${_cadir}/grid-security.conf.${_cahash}" ]; then cp "${_cadir}/grid-security.conf.${_cahash}" "${_srcdir}/" fi if [ -r "${_cadir}/globus-user-ssl.conf.${_cahash}" ]; then cp "${_cadir}/globus-user-ssl.conf.${_cahash}" "${_srcdir}/" fi if [ -r "${_cadir}/globus-host-ssl.conf.${_cahash}" ]; then cp "${_cadir}/globus-host-ssl.conf.${_cahash}" "${_srcdir}/" fi else cp "${_capath}" "${_srcdir}/${_cahash}.0" cp "${_cadir}/signing-policy" "${_srcdir}/${_cahash}.signing_policy" if [ -r "${_cadir}/grid-security.conf" ]; then cp "${_cadir}/grid-security.conf" \ "${_srcdir}/grid-security.conf.${_cahash}" fi if [ -r "${_cadir}/globus-user-ssl.conf" ]; then cp "${_cadir}/globus-user-ssl.conf" \ "${_srcdir}/globus-user-ssl.conf.${_cahash}" fi if [ -r "${_cadir}/globus-host-ssl.conf" ]; then cp "${_cadir}/globus-host-ssl.conf" \ "${_srcdir}/globus-host-ssl.conf.${_cahash}" fi fi # RPM packaging cat <<-EOF 1> "${_srcdir}/globus-simple-ca-${_cahash}.spec" # This spec file creates a binary RPM that can be used to deploy the CA # and its related configuration files. The name of the package is based # on the hash of the CA certificate *on the machine which created the # CA*. If that was using OpenSSL 0.9.x, it will be different than the # hash used by OpenSSL 1.x. When this package is built, the hashes are # set to whichever version of OpenSSL is used on the package build # machine. Presumably that won't change within a specific OS version. # This package does not attempt to make this CA the default CA for # tools like grid-cert-request, but will remove the links to this CA if # it has been made the default CA by calling grid-default-ca with its # hash. %define cadir %{_sysconfdir}/grid-security/certificates Name: globus-simple-ca-${_cahash} Version: 1.0 Release: 1%{?dist} Summary: Simple CA Configuration for ${_casubject} Group: Development/Tools License: ASL 2.0 Source: ${_source_package_tarball} BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: openssl Requires: openssl BuildArch: noarch %description This package contains the CA certificate and related policy files needed to allow the Grid Community Toolkit to trust the CA with the subject name: "${_casubject}" as well as request certificates from that CA. %prep %setup -q -n globus-simple-ca-${_cahash} %build %define cahash \`openssl x509 -noout -hash -in "${_cahash}.0"\` mkdir -m 0755 -p \$RPM_BUILD_ROOT/%{cadir} cp "${_cahash}.0" "\$RPM_BUILD_ROOT/%{cadir}/%{cahash}.0" cp "${_cahash}.signing_policy" "\$RPM_BUILD_ROOT/%{cadir}/%{cahash}.signing_policy" if [ -r "grid-security.conf.${_cahash}" ]; then cp "grid-security.conf.${_cahash}" \ "\$RPM_BUILD_ROOT/%{cadir}/grid-security.conf.%{cahash}" fi if [ -r "globus-host-ssl.conf.${_cahash}" ]; then cp "globus-host-ssl.conf.${_cahash}" "\$RPM_BUILD_ROOT/%{cadir}/globus-host-ssl.conf.%{cahash}" fi if [ -r "globus-user-ssl.conf.${_cahash}" ]; then cp "globus-user-ssl.conf.${_cahash}" "\$RPM_BUILD_ROOT/%{cadir}/globus-user-ssl.conf.%{cahash}" fi # Save the hash that was used to generate the binary package to a file so that # we can determine whether we need to remove symlinks during uninstall time. echo "%{cahash}" > "\$RPM_BUILD_ROOT/%{cadir}/${_cahash}.installed_hash" %clean rm -rf \$RPM_BUILD_ROOT %preun installed_hash="\$(cat %{cadir}/${_cahash}.installed_hash)" # Compare file serial numbers to see if the default CA is linked to this one. If so # remove the links. if [ -h "%{cadir}/grid-security.conf" ]; then if [ "\$(ls -H1i "%{cadir}/grid-security.conf" | cut -d' ' -f1)" = \ "\$(ls -H1i "%{cadir}/grid-security.conf.\$installed_hash" | cut -d' ' -f1)" ]; then rm %{cadir}/grid-security.conf fi fi if [ -h "%{cadir}/globus-host-ssl.conf" ]; then if [ "\$(ls -H1i "%{cadir}/globus-host-ssl.conf" | cut -d' ' -f1)" = \ "\$(ls -H1i "%{cadir}/globus-host-ssl.conf.\$installed_hash" | cut -d' ' -f1)" ]; then rm %{cadir}/globus-host-ssl.conf fi fi if [ -h "%{cadir}/globus-user-ssl.conf" ]; then if [ "\$(ls -H1i "%{cadir}/globus-user-ssl.conf" | cut -d' ' -f1)" = \ "\$(ls -H1i "%{cadir}/globus-user-ssl.conf.\$installed_hash" | cut -d' ' -f1)" ]; then rm %{cadir}/globus-user-ssl.conf fi fi %files %defattr(-,root,root,-) %{_sysconfdir}/grid-security/certificates EOF # Debian packaging mkdir ${_srcdir}/debian cat 1> ${_srcdir}/debian/control <<-EOF Source: ${_srcdir} Section: net Priority: extra Maintainer: ${LOGNAME}@${HOST} Package: ${_srcdir} Architecture: all Depends: \${shlibs:Depends}, \${misc:Depends} Description: CA Package for ${_casubject} This package contains the CA certificate and related policy files needed to allow the Grid Community Toolkit to trust the CA with the subject name: "${_casubject}" as well as request certificates from that CA. EOF cat 1> ${_srcdir}/debian/rules <> debian/\$(name).install; \\ fi ; \\ done clean:: dh_clean debian/*.install EOF chmod a+x ${_srcdir}/debian/rules cat 1> ${_srcdir}/debian/changelog <<-EOF ${_srcdir} (0.0) UNRELEASED; urgency=low * Initial release. -- ${LOGNAME} <${LOGNAME}@${HOST}> $(date +"%a, %d %b %Y %H:%m:%S %z") EOF echo 5 1> ${_srcdir}/debian/compat echo /etc/grid-security/certificates 1> ${_srcdir}/debian/dirs tar cf - ${_srcdir} | gzip > "${OLDPWD}/${_source_package_tarball}" cd "${OLDPWD}" rm -rf "${_pkgdir}" echo "done" printf "\t${_source_package_tarball}\n" } create_rpm_binary_package() { _tarball="${1}" _cahash="${2}" _pkgdir="" if test ! -f /etc/redhat-release && test ! -f /etc/SuSE-release; then echo "Skipping RPM binary" return 0 fi printf "Creating RPM binary..." while [ -z "$_pkgdir" ]; do mkdir -m 0755 "${_pkgdir:=${_tmpdir}/globus_simple_ca.$("$openssl" rand -base64 6 | tr / _)}" rc=$? if [ $rc != 0 -o ! -d "${_pkgdir}" ]; then _pkgdir="" fi done OLDHOME="$HOME" HOME=${_pkgdir} cd $HOME mkdir rpmbuild tmp for x in BUILD BUILDROOT SOURCES RPMS SPECS SRPMS; do mkdir -p "rpmbuild/$x" done cat <<-EOF > .rpmmacros %_topdir $HOME/rpmbuild %_tmppath $HOME/tmp EOF rpmbuild -tb "$_tarball" HOME="$OLDHOME" cd - unset OLDHOME find ${_pkgdir} -name '*.rpm' -exec cp "{}" "." ";" rm -rf "$_pkgdir" } create_debian_binary_package() { _tarball="${1}" _cahash="${2}" _pkgdir="" if ! test -f /etc/debian_version; then echo "Skipping debian binary" return 0 fi printf "Creating debian binary..." while [ -z "$_pkgdir" ]; do mkdir -m 0755 "${_pkgdir:=${_tmpdir}/globus_simple_ca.$("$openssl" rand -base64 6 | tr / _)}" rc=$? if [ $rc != 0 -o ! -d "${_pkgdir}" ]; then _pkgdir="" fi done olddir="$(pwd)" cd ${_pkgdir} gzip -dc ${_tarball} | tar xf - cd globus-simple-ca-${_cahash} fakeroot dpkg-buildpackage -uc -us cd ${_pkgdir} find . -name '*.deb' -exec cp "{}" "$olddir" ";" cd $olddir rm -rf "$_pkgdir" } create_rpm_tarball=1 create_rpm_binary=0 create_debian_binary=0 readCommandLine () { # Expects $* from the shell invocation while [ "X$1" != "X" ] do case $1 in -\?|-h|-help|-usage|--help|--usage) long_usage exit 0 ;; -ca|--ca) ca_to_use="$2" shift 2 ;; -cadir|--cadir) cadir="$2" shift 2 ;; -r) create_rpm_binary=1 shift; ;; -d) create_debian_binary=1 shift; ;; -version|--version) if [ "X${PROGRAM_NAME}" != "X" -a \ "X${PROGRAM_VERSION}" != "X" ]; then echo "${PROGRAM_NAME}: ${PROGRAM_VERSION}" elif [ "X${PACKAGE}" != "X" -a \ "X${VERSION}" != "X" ]; then echo "${PACKAGE}: ${VERSION}" else echo "No version information available." fi exit 0 ;; -versions|--versions) __AT='@' if [ -n "${PACKAGE}" -a -n "${VERSION}" -a \ -n "${DIRT_TIMESTAMP}" -a -n "${DIRT_BRANCH_ID}" -a \ "X${DIRT_TIMESTAMP}" != "X${__AT}DIRT_TIMESTAMP${__AT}" -a \ "X${DIRT_BRANCH_ID}" != "X${__AT}DIRT_BRANCH_ID${__AT}" ]; then echo "${PACKAGE}: ${VERSION} (${DIRT_TIMESTAMP}-${DIRT_BRANCH_ID})" else echo "No DiRT information available." fi exit 0; ;; *) echo "ERROR: option $1 : unrecognized option" short_usage exit 1 ;; esac done } error() { eval "missing_file=\$$1" echo echo "The file: ${missing_file} does not exist" echo "The CA: ${CA_SUBJECT}" echo "has not been setup correctly." echo exit 1 } printhelp() { option="${1}" helpstr="${2}" optwidth="${optwidth:-$((${COLUMNS:-80} / 3))}" if [ "$optwidth" -gt 30 ]; then optwidth=30 fi helpwidth="${helpwidth:-$((${COLUMNS:-80} - $optwidth - 6))}" helpstrformatted="$(echo "${helpstr}" | tr -sd '\n\t' ' ' | \ fold -sw ${helpwidth})" OLDIFS="$IFS" IFS=" " first=1 for x in $helpstrformatted; do printf " %-${optwidth}s %-${helpwidth}s\n" "${first:+$option}" "$x" first="" done IFS="$OLDIFS" } long_usage () { echo "${short_usage}" printhelp "-help, -h, -?, -usage" "Display this help message" printhelp "-version" "Print $PROGRAM_NAME version number" printhelp "-versions" "Print detailed package version for $PACKAGE" printhelp "-ca HASH" "Create packages for the CA with HASH as its subject hash [prompt for value]" printhelp "-r" "Create an RPM binary package [unset]" printhelp "-d" "Create an debian binary package [unset]" } ############################################################ # main code section ############################################################ prefix="${GLOBUS_LOCATION-/cvmfs/dirac.egi.eu/dirac/v8.0.58/Linux-x86_64}" exec_prefix="${prefix}" sbindir="${exec_prefix}/sbin" bindir="${exec_prefix}/bin" includedir="/cvmfs/dirac.egi.eu/dirac/v8.0.58/Linux-x86_64/include/globus" datarootdir="${prefix}/share" datadir="${datarootdir}" libexecdir="/cvmfs/dirac.egi.eu/dirac/v8.0.58/Linux-x86_64/share/globus" sysconfdir="${prefix}/etc" sharedstatedir="${prefix}/com" localstatedir="${prefix}/var" PROGRAM_NAME="${0##*/}" PROGRAM_VERSION="5.3" VERSION="5.3" PACKAGE="globus_simple_ca" DIRT_TIMESTAMP="1629915172" DIRT_BRANCH_ID="0" short_usage="$PROGRAM_NAME [-help] [ options ...]" readCommandLine "$@" # reset positional parameters shift "$#" # look for trusted certs directories if test -n "${X509_CERT_DIR}" ; then set -- "${X509_CERT_DIR}" if test -n "${GRID_SECURITY_DIR}"; then set -- "$@" "${GRID_SECURITY_DIR}" fi fi if test -d "/etc/grid-security/certificates/." ; then set -- "$@" "/etc/grid-security/certificates" fi if test -d "${sysconfdir}/grid-security/certificates/." ; then set -- "$@" "${sysconfdir}/grid-security/certificates" fi if test -d "${datadir}/certificates/."; then set -- "$@" "${datadir}/certificates" fi if [ -n "$cadir" ]; then CA_CERT_DIR="$cadir" CA_CERT="$CA_CERT_DIR/cacert.pem" CA_SUBJECT=`"$openssl" x509 -in "${CA_CERT}" -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` simpleca=1 else found_ca=0 simpleca=0 for x in "$@"; do if test -n "`get_hashes ${x}`"; then found_ca=1 break fi done if test $found_ca -eq 0; then echo echo "There does not appear to be a valid CA" echo "located in any of the following directories:" echo "" for x in "$@"; do echo " ${x}" done echo "" echo "To specify a different location where the grid security" echo "configuration files were installed, set the X509_CERT_DIR" echo "set the GRID_SECURITY_DIR environment variables." echo "" exit 1 fi if [ -z "$ca_to_use" ]; then interactive "$@" else CA_CERT_DIR=`find_ca_dir $ca_to_use "$@"` CA_CERT="$CA_CERT_DIR/$ca_to_use.0" if test ! -r "${CA_CERT}" ; then echo echo "Cannot find a CA with hash ${ca_to_use}." echo "Use grid-default-ca -list to see a list of CA hashes " echo "available on this machine." echo exit 1 fi CA_SUBJECT=`"$openssl" x509 -in "${CA_CERT}" -noout -subject -nameopt sep_multiline | sed -e '/^subject=/d' -e 's!^\s*!/!' | tr -d '\n'` fi fi if [ "$create_rpm_tarball" -eq 1 ]; then create_source_package_tarball "$CA_CERT" "$CA_CERT_DIR" "$CA_SUBJECT" "${simpleca}" ca_cert_hash=`"$openssl" x509 -hash -noout -in "${CA_CERT}"` source_package_tarball="globus_simple_ca_${ca_cert_hash}.tar.gz" if [ "$create_rpm_binary" -eq 1 ]; then create_rpm_binary_package "$(pwd)/${source_package_tarball}" "${ca_cert_hash}" fi if [ "$create_debian_binary" -eq 1 ]; then create_debian_binary_package "$(pwd)/${source_package_tarball}" "${ca_cert_hash}" fi fi exit 0