Setting tag myplc-5.3-3
[myplc.git] / plc.d / ssl
1 #!/bin/bash
2 #
3 # priority: 300
4 #
5 # Generate SSL certificates
6 #
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
9 #
10
11 # Source function library and configuration
12 . /etc/plc.d/functions
13 . /etc/planetlab/plc_config
14
15 # Be verbose
16 set -x
17
18 # Print the CNAME of an SSL certificate
19 ssl_cname ()
20 {
21     openssl x509 -noout -in $1 -subject | \
22         sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
23         lower
24 }
25
26 backup_file ()
27 {
28     filepath=$1
29     filename=$(basename ${filepath})
30     dir=$(dirname ${filepath})
31     mv -f ${filepath} ${dir}/${filename}-`date +%Y-%m-%d-%H-%M-%S`.bak
32 }
33
34 # Verify a certificate. If invalid, generate a new self-signed
35 # certificate.
36 verify_or_generate_certificate() {
37     crt=$1
38     key=$2
39     ca=$3
40     cname=$(lower $4)
41
42     # If the CA certificate does not exist, assume that the
43     # certificate is self-signed.
44     if [ ! -f $ca ] ; then
45         cp -a $crt $ca
46     fi
47
48     if [ -f $crt ] ; then
49         # Check if certificate is valid
50         # Backup if invalid or if the subject has changed
51         if openssl verify -CAfile $ca $crt | grep -q "error" || \
52             [ "$(ssl_cname $crt)" != "$cname" ] ; then
53             backup_file $crt
54             backup_file $ca
55             backup_file $key
56         fi
57     fi
58
59     if [ ! -f $crt ] ; then
60         # Set subject
61         subj=
62         if [ -n "$cname" ] ; then
63             subj="$subj/CN=$cname"
64         fi
65
66         # Generate new self-signed certificate
67         mkdir -p $(dirname $crt)
68         openssl req -new -x509 -days 3650 -set_serial $RANDOM \
69             -batch -subj "$subj" \
70             -nodes -keyout $key -out $crt
71         check
72
73         # The certificate it self-signed, so it is its own CA
74         cp -a $crt $ca
75     fi
76
77     # Fix permissions
78     chmod 644 $crt $ca
79 }
80
81 case "$1" in
82     start)
83
84         # Generate HTTPS certificates if necessary. We generate a
85         # certificate for each enabled server with a different
86         # hostname. These self-signed certificates may be overridden
87         # later.
88         MESSAGE=$"Generating SSL certificates for"
89         dialog "$MESSAGE"
90
91         for server in WWW API BOOT MONITOR; do
92             eval "a=\$PLC_${server}_ENABLED"
93             echo $a
94             if [ "$a" -ne 1 ] ; then
95                 echo "Skipping"
96                 continue
97             fi
98             dialog "$server"
99             ssl_key=PLC_${server}_SSL_KEY
100             ssl_crt=PLC_${server}_SSL_CRT
101             ca_ssl_crt=PLC_${server}_CA_SSL_CRT
102             hostname=PLC_${server}_HOST
103
104             # Check if we have already generated a certificate for
105             # the same hostname.
106             for previous_server in WWW API BOOT MONITOR; do
107                 if [ "$server" = "$previous_server" ] ; then
108                     break
109                 fi
110                 previous_ssl_key=PLC_${previous_server}_SSL_KEY
111                 previous_ssl_crt=PLC_${previous_server}_SSL_CRT
112                 previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT
113                 previous_hostname=PLC_${previous_server}_HOST
114
115                 if [ -f ${!previous_ssl_crt} ] && \
116                     [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then
117                     cp -a ${!previous_ssl_key} ${!ssl_key}
118                     cp -a ${!previous_ssl_crt} ${!ssl_crt}
119                     cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt}
120                     break
121                 fi
122             done
123
124             verify_or_generate_certificate \
125                 ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \
126                 ${!hostname}
127         done
128
129         # Install HTTPS certificates into both /etc/pki (Fedora Core
130         # 4) and /etc/httpd/conf (Fedora Core 2). If the API, boot,
131         # and web servers are all running on the same machine, the web
132         # server certificate takes precedence.
133         for server in API BOOT MONITOR WWW; do
134             enabled=PLC_${server}_ENABLED
135             if [ "${!enabled}" != "1" ] ; then
136                 continue
137             fi
138             ssl_key=PLC_${server}_SSL_KEY
139             ssl_crt=PLC_${server}_SSL_CRT
140             ssl_ca_crt=PLC_${server}_CA_SSL_CRT
141
142             symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
143             symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
144             symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
145             symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
146             symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
147         done
148
149         # Ensure that the server-chain gets used, as it is off by
150         # default.
151         sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
152             /etc/httpd/conf.d/ssl.conf
153
154         result "$MESSAGE"
155         ;;
156 esac
157
158 exit $ERRORS