File: grid-ca-sign.in

package info (click to toggle)
globus-simple-ca 5.0-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 544 kB
  • sloc: sh: 5,231; perl: 267; makefile: 98
file content (502 lines) | stat: -rwxr-xr-x 14,790 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
#! /bin/sh

# 
# Copyright 1999-2006 University of Chicago
# 
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# 
# http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# 


openssl_cmd="@OPENSSL@"

# catch the kill signal (ctrl-c) and do cleanup
trap do_trap 1 2 3 6 9 13 15

############################################################
# main code section
############################################################
prefix="${GLOBUS_LOCATION-@prefix@}"
exec_prefix="@exec_prefix@"
sbindir="@sbindir@"
bindir="@bindir@"
includedir="@includedir@"
datarootdir="@datarootdir@"
datadir="@datadir@"
libexecdir="@libexecdir@"
sysconfdir="@sysconfdir@"
sharedstatedir="@sharedstatedir@"
localstatedir="@localstatedir@"

PROGRAM_NAME="${0##*/}"
PROGRAM_VERSION="@VERSION@"
PACKAGE="@PACKAGE@"
VERSION="@VERSION@"
DIRT_TIMESTAMP="@DIRT_TIMESTAMP@"
DIRT_BRANCH_ID="@DIRT_BRANCH_ID@"

CYGPATH_W="@CYGPATH_W@"
host_os="@host_os@"

short_usage="$PROGRAM_NAME [-help] -in REQUEST -out CERTIFICATE [options ...]"

openssl_options=""

alias construct_path=echo
if test x"$CYGPATH_W" != x; then
    case $host_os in
        *mingw32*)
            alias construct_path="$CYGPATH_W"
            ;;
    esac
fi

printhelp() {
    option="${1}"
    helpstr="${2}"
    optwidth="${optwidth:-$((${COLUMNS:-80} / 3))}"
    if [ "$optwidth" -gt 30 ]; then
        optwidth=30
    fi
    helpwidth="${helpwidth:-$((${COLUMNS:-80} - $optwidth - 6))}"
    helpstrformatted="$(echo "${helpstr}" | tr -sd '\n\t' ' ' | \
            fold -sw ${helpwidth})"

    OLDIFS="$IFS"
    IFS="
"
    first=1

    for x in $helpstrformatted; do
        printf "    %-${optwidth}s %-${helpwidth}s\n" "${first:+$option}" "$x"
        first=""
    done
    if [ "$first" = "1" ]; then
        printf "    %-${optwidth}s\n" "${first:+$option}"
    fi
    IFS="$OLDIFS"
}

long_usage () {
    cat <<EOF

${short_usage}

  Sign a certificate request located in the file named by the argument to the
  -in parameter, writing the new certificate to the file named by the argument
  to the -out parameter.

  Options:
EOF
    printhelp "-help, -h, -?, -usage" "Print this usage message and exit"
    printhelp "-version" "Print $PROGRAM_NAME version number"
    printhelp "-versions" "Print detailed package version for $PACKAGE"
    printhelp "-in REQUEST" "Read the certificate request from
            the file REQUEST"
    printhelp "-out CERTIFICATE" "Write the new certificate to the path
            CERTIFICATE"
    printhelp "-force" "Sign a certificate request with subject that matches an
            already signed certificate."
    printhelp "-dir DIR" "Use the Simple CA certificate and configuration
            located in the directory DIR"
    printhelp "-openssl-help" "Print options to the openssl ca command"
    printhelp "[OPENSSL-OPTIONS]" "Any of the options allowed with the 
            openssl ca command, such as -passin pass:PASSWORD"
}

readCommandLine() {

    while test -n "$1" 
    do
        case $1 in
            -\?|-h|-help|-usage|--help|--usage)
                long_usage
                exit 0
                ;;
            -force|--force)
                force_sign="true"
                shift;
                ;;
            -dir|--dir)
                shift;
                GRID_CA_DIR=$1;
                shift;
                ;;
            -in|--in)
                shift;
                INPUT_REQ_FILE=$1;
                shift;
                ;;
            -out|--out)
                shift;
                SIGNED_OUTPUT_FILE=$1;
                shift;
                ;;
            -openssl-help|--openssl-help)
                shift;
		"$openssl" ca -help
		exit;
		;;
             -version|--version)
                if [ "X${PROGRAM_NAME}" != "X" -a \
                      "X${PROGRAM_VERSION}" != "X" ]; then
                    echo "${PROGRAM_NAME}: ${PROGRAM_VERSION}"
                elif [ "X${PACKAGE}" != "X" -a \
                       "X${VERSION}" != "X" ]; then
                    echo "${PACKAGE}: ${VERSION}"
                else
                    echo "No version information available."
                fi
                exit 0
                ;;
             -versions|--versions)
                __AT='@'
                if [ -n "${PACKAGE}" -a -n "${VERSION}" -a \
                     -n "${DIRT_TIMESTAMP}" -a -n "${DIRT_BRANCH_ID}" -a \
                     "X${DIRT_TIMESTAMP}" != "X${__AT}DIRT_TIMESTAMP${__AT}" -a \
                     "X${DIRT_BRANCH_ID}" != "X${__AT}DIRT_BRANCH_ID${__AT}" ];
                then
                    echo "${PACKAGE}: ${VERSION} (${DIRT_TIMESTAMP}-${DIRT_BRANCH_ID})"
                else
                    echo "No DiRT information available."
                fi
                exit 0;
                ;;
	    *)
                openssl_options="$openssl_options $1"
                shift;
                ;;
        esac
    done
    
    if test -z "$INPUT_REQ_FILE"; then
        echo ""
        echo "ERROR: Please specify a request file using the -in option"
        echo ""
        exit 1
    else
        if test ! -r ${INPUT_REQ_FILE}; then
            echo ""
            echo "ERROR: The file: ${INPUT_REQ_FILE} is not readable"
            echo ""
            exit 1
        fi
    fi

    if test -z "$SIGNED_OUTPUT_FILE"; then
        echo ""
        echo "ERROR: Please specify a output file using the -out option"
        echo ""
        exit 1
    fi
}

do_trap() {

    echo ""
    echo "Normal program execution interrupted.  Exiting."
    echo ""
    do_cleanup
    exit 1
}

do_cleanup() {

    rm -f ${tmp_output}
}

do_password_input() {
    if test $need_password_input; then
        stty -echo
        echo ""
        echo $@
        printf "please enter the password for the CA key: "
    fi
}        

end_password_input() {
    if test $need_password_input; then
        stty echo
        echo ""
    fi
}

do_sign() {
 
do_password_input "To sign the request"
tmp_output=/tmp/tmp_output.$$
"${openssl_cmd}" ca $openssl_options -batch -config $(construct_path ${grid_ca_conf}) \
                  -in $(construct_path ${INPUT_REQ_FILE}) \
                  -out $(construct_path ${SIGNED_OUTPUT_FILE}) \
                  > $tmp_output 2>&1

openssl_result=$?
end_password_input
 
# check to see if an error occurred while signing
if test ${openssl_result} != 0; then

    # check that a certificate with the same subject has not
    # already been signed
    already_signed=`grep \
                        "ERROR:There is already a certificate" \
                        ${tmp_output}`
    already_signed2=`grep \
                        "unique_subject = \"yes\"" \
                        ${tmp_output}`
    already_signed3=`grep \
                        "TXT_DB error number 2" \
                        ${tmp_output}`
    if test -n "${already_signed}" || test -n "${already_signed2}" \
                                   || test -n "${already_signed3}"; then

        subj_tmp_output=/tmp/tmp_output.$$
        "${openssl_cmd}" req -noout -in $(construct_path ${INPUT_REQ_FILE}) \
                           -subject -nameopt rfc2253,-dn_rev \
                           > ${subj_tmp_output} 2>&1
        res=$?
        if test $res != 0; then
            echo ""
            echo "ERROR: Failed to get subject of request ${INPUT_REQ_FILE}"
            echo ""
            do_cleanup
            exit 1
        fi
        
        req_subj=`grep "^subject=" < ${subj_tmp_output} \
                             | sed -e "s|subject= *|/|" -e "s|,|/|g"` 
        # find signed cert
        for p in ${GRID_CA_DIR}/newcerts/*.pem; do
            subj_tmp_output=/tmp/tmp_output.$$
            "${openssl_cmd}" x509 -noout -subject -in $(construct_path ${p}) \
                               > ${subj_tmp_output} 2>&1
            res=$?
            if test $res != 0; then
                echo ""
                echo "ERROR: Failed to get subject of signed cert at: ${p}"
                echo ""
            fi

            signed_subj="$(sed -e "s|subject= *|/|" -e "s|,|/|g" < "${subj_tmp_output}")"

            if test "${signed_subj}" = "${req_subj}"; then
                SIGNED_CERT=${p}
            fi
        done

        if test -z "${SIGNED_CERT}"; then
            echo ""
            echo "ERROR: Failed to find signed cert in CA cert store with subject:"
            echo "       ${req_subj}"
            echo ""
            do_cleanup
            exit 1
        fi

        if test ! -f "${SIGNED_CERT}"; then
            echo ""
            echo "ERROR: Could not find cert file to revoke in certificate store:"
            echo "       ${SIGNED_CERT}"
            echo ""
            do_cleanup
            exit 1
        fi

        SIGNED_SUBJECT="${req_subj}"
        expired=$("${openssl_cmd}" x509 -in $(construct_path ${SIGNED_CERT}) -checkend 0 > /dev/null; echo $?)

        if test -n "${force_sign}" || test "${expired}" = "0"; then

            echo ""
            echo "Revoking previous certificate"

            tmp_revoke_output=/tmp/tmp_revoke_out.$$

            do_password_input "To revoke the current certificate"
            "${openssl_cmd}" ca $openssl_options -batch -config $(construct_path ${grid_ca_conf}) \
                    -revoke $(construct_path ${SIGNED_CERT}) \
                    2> ${tmp_revoke_output}
	    res=$?
	    end_password_input
            if test $res != 0; then
                echo ""
	        echo "ERROR: Failed to revoke previous certificate with subject:"
		echo "       ${SIGNED_SUBJECT}"
                echo ""
    		echo "========== ERROR MESSAGES FROM OPENSSL =========="
    		cat ${tmp_revoke_output} 1>&2
    		echo "================================================="
	        echo ""
                rm -f ${tmp_revoke_output}
                do_cleanup
                exit 1
            else
                
                rm -f ${tmp_revoke_output}
                echo ""
                echo "Signing new certificate"
                do_sign;
                return;
            fi

        else
            echo ""
            echo "There is already a valid certificate that matches this subject at:"
            echo
            echo "${SIGNED_CERT}"
            echo
            echo "You can use the -force option to overwrite"
            echo "this certificate and create a new one."
            echo ""

            rm -f ${subj_tmp_output}
            
            do_cleanup
            exit 1
        fi
    fi

    echo ""
    echo "ERROR running command:"
    echo ""
    echo " ${openssl_cmd} ca $openssl_options \\"
    echo "    -batch -config $(construct_path ${grid_ca_conf}) \\"
    echo "    -in $(construct_path ${INPUT_REQ_FILE}) -out $(construct_path ${SIGNED_OUTPUT_FILE})"
    echo ""
    echo "========== ERROR MESSAGES FROM OPENSSL =========="
    cat ${tmp_output} 1>&2
    echo "================================================="

    # check if the error was with 
    no_config_file=`grep "error loading the config file" ${tmp_output}`
    if test -n "${no_config_file}"; then

        echo ""
        echo "ERROR: No CA config file found."
        echo "Either simple CA setup package is not installed,"
        echo "or the config file is not located at:"
        echo ""
        echo "  ${grid_ca_conf}"
        echo ""
    fi

    # check if the CA's private key could be loaded
    wrong_password=`grep "unable to load CA private key" ${tmp_output}`
    if test -n "${wrong_password}"; then
    
        echo ""
        echo "ERROR: The CA private key could not be loaded."
        echo "Possibly an incorrect password for the CA key was used."
        echo ""
    fi

    # check that the cert request matches the CA cert
    wrong_org=`grep "field needed to be the same" ${tmp_output}`
    if test -n "${wrong_org}"; then
    
        echo "" 
        echo "ERROR: The cert request does not match CA cert"
        echo "Check that the correct security config files are"
        echo "set during grid-cert-request"
        echo ""
        echo "The default configuration can be set using either"
        echo "the command:  grid-default-ca, or via the -ca option"
        echo "to grid-cert-request."
        echo ""
    fi

    rm -f ${tmp_output}

    echo ""
    do_cleanup
    exit 1
fi

}

readCommandLine "$@"

if test -z "$GRID_CA_DIR"; then
    if test -w "${localstatedir}/lib/globus/simple_ca/."; then
        GRID_CA_DIR="${localstatedir}/lib/globus/simple_ca" 
    elif test -d "${HOME}/.globus/simpleCA/."; then
        GRID_CA_DIR="${HOME}/.globus/simpleCA"
    else
        exec 1>&2
        echo ""
        echo "ERROR: No usable Simple CA directory found at \${HOME}/.globus/simpleCA or "
        echo "\${localstatedir}/lib/globus/simple_ca"
        echo ""
        echo "Either specify a directory with -dir, or run"
        echo "grid-ca-create to create a CA"
        echo ""
        exit 1
    fi
fi

if test ! -f ${GRID_CA_DIR}/cacert.pem; then
    exec 1>&2
    echo ""
    echo "ERROR: No CA certificate found at ${GRID_CA_DIR}/cacert.pem"
    echo "The CA certificate is missing!"
    echo "Please run setup-simple-ca before"
    echo "signing certificates."
    echo ""
    exit 1
fi

grid_ca_conf=${GRID_CA_DIR}/grid-ca-ssl.conf

echo "${openssl_options}" | grep -- -passin > /dev/null
res1=$?
if test ! $res1 = 0; then
    echo ${openssl_options} | grep -- -key > /dev/null
    res1=$?
fi
if test ! $res1 = 0; then
    if test -f ${GRID_CA_DIR}/passwd; then
        openssl_options="${openssl_options} -passin file:$(construct_path ${GRID_CA_DIR}/passwd)"
        res1=0
    fi
fi

if test ! $res1 = 0; then
    need_password_input=1
    openssl_options="${openssl_options} -passin stdin"
fi

do_sign;

if test ! -f ${SIGNED_OUTPUT_FILE}; then
        exec 1>&2
	echo "ERROR: ${SIGNED_OUTPUT_FILE} does not exist.  Invalid internal state, exiting..."
	echo ""
	exit 1
fi

NEW_SERIAL="$("${openssl_cmd}" x509 -in $(construct_path ${SIGNED_OUTPUT_FILE}) -noout -serial)"
res=$?
if test $res != 0; then
        exec 1>&2
	echo ""
	echo "ERROR: Failed to get serial number of newly signed cert at: ${SIGNED_OUTPUT_FILE}"
	echo ""
fi

NEW_SERIAL="${NEW_SERIAL##serial=}"

echo ""
echo "The new signed certificate is at: ${GRID_CA_DIR}/newcerts/${NEW_SERIAL}.pem"
echo ""

do_cleanup
exit