Revision: 7917
http://syscheck.svn.sourceforge.net/syscheck/?rev=7917&view=rev
Author: kinneh
Date: 2010-10-19 11:47:24 +0000 (Tue, 19 Oct 2010)
Log Message:
-----------
Close #40 change 905_publish_crl.sh to make sure you get a new CRL before we remove the old one
Modified Paths:
--------------
trunk/syscheck/config/905.conf
trunk/syscheck/config/common.conf
trunk/syscheck/lang/905.english
trunk/syscheck/related-available/905_publish_crl.sh
Modified: trunk/syscheck/config/905.conf
===================================================================
--- trunk/syscheck/config/905.conf 2010-10-19 05:36:47 UTC (rev 7916)
+++ trunk/syscheck/config/905.conf 2010-10-19 11:47:24 UTC (rev 7917)
@@ -1,41 +1,46 @@
# config for 905_publish_crl.sh
HOURTHRESHOLD=1
-CRLDIRECTORY=/srv/www/htdocs/crl/
CANAME[0]=MSDomainLogonCA
-VERIFY_HOST[0]=localhost
-CRLTO_DIR[0]='/srv/www/htdocs/'
+REMOTE_HOST[0]=localhost
+CRLTO_DIR[0]='/srv/www/htdocs/crl/'
+CRL_NAME[0]=MSDomainLogonCA.crl
SSHUSER[0]=
SSHKEY[0]=
CANAME[1]=eSignCA
-VERIFY_HOST[1]=localhost
-CRLTO_DIR[1]='/srv/www/htdocs/'
+REMOTE_HOST[1]=localhost
+CRLTO_DIR[1]='/srv/www/htdocs/crl/'
+CRL_NAME[1]=eSignCA.crl
SSHUSER[1]=
SSHKEY[1]=
CANAME[2]=ServerCA
-CRLTO_DIR[2]='/srv/www/htdocs/'
-VERIFY_HOST[2]=localhost
+CRLTO_DIR[2]='/srv/www/htdocs/crl/'
+REMOTE_HOST[2]=localhost
+CRL_NAME[2]=ServerCA.crl
SSHUSER[2]=
SSHKEY[2]=
CANAME[3]=eIDCA
-CRLTO_DIR[3]='/srv/www/htdocs/'
-VERIFY_HOST[3]=localhost
+CRLTO_DIR[3]='/srv/www/htdocs/crl/'
+REMOTE_HOST[3]=localhost
+CRL_NAME[3]=eIDCA.crl
SSHUSER[3]=
SSHKEY[3]=
CANAME[4]=MachineCertCA
-CRLTO_DIR[4]='/srv/www/htdocs/'
-VERIFY_HOST[4]=localhost
+CRLTO_DIR[4]='/srv/www/htdocs/crl/'
+REMOTE_HOST[4]=localhost
+CRL_NAME[4]=MachineCertCA.crl
SSHUSER[4]=
SSHKEY[4]=
CANAME[5]=SoftTokenCA
-CRLTO_DIR[5]='/srv/www/htdocs/'
-VERIFY_HOST[5]=localhost
+CRLTO_DIR[5]='/srv/www/htdocs/crl/'
+REMOTE_HOST[5]=localhost
+CRL_NAME[5]=SoftTokenCA.crl
SSHUSER[5]=
SSHKEY[5]=
Modified: trunk/syscheck/config/common.conf
===================================================================
--- trunk/syscheck/config/common.conf 2010-10-19 05:36:47 UTC (rev 7916)
+++ trunk/syscheck/config/common.conf 2010-10-19 11:47:24 UTC (rev 7917)
@@ -44,6 +44,10 @@
#Path to active jboss config
JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss"}
+if [ "x$TMPDIR" = "x" ] ; then
+ TMPDIR="/tmp/"
+fi
+
# List indicating CAs to activate, should contain a list of caname and PIN separated by space.
# Also used for handling CRLs.
CANAME[0]="eIDCA"
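Review bot: The new `TMPDIR="/tmp/"` default is assigned as a plain shell variable, not exported, so a child process such as the `mktemp -d` that 905_publish_crl.sh now calls will not see it unless TMPDIR was already in the environment; today the effect is invisible because mktemp's own fallback is /tmp, but any operator changing this default would find it silently ignored. If the intent is for mktemp to honour it, add `export TMPDIR` after the assignment, or have the caller pass it explicitly with `mktemp -d -p "$TMPDIR"`. The three-line test could also be written as `: "${TMPDIR:=/tmp}"`, which reads the same and avoids the `"x$VAR" = "x"` idiom.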
Modified: trunk/syscheck/lang/905.english
===================================================================
--- trunk/syscheck/lang/905.english 2010-10-19 05:36:47 UTC (rev 7916)
+++ trunk/syscheck/lang/905.english 2010-10-19 11:47:24 UTC (rev 7917)
@@ -1,9 +1,25 @@
-PUBL_DESCR_1="Publish certificate run successfully"
-PUBL_DESCR_2="Publish failed (%s) "
-PUBL_HELP_2="Check connectivity to the host (%s) "
-PUBL_DESCR_3="Publish certificate failed, script called without file"
+PUBL_HELP="Script to publish the CRL:s from the CA, supports local and remote publishing by SSH"
+
+PUBL_DESCR_1="Publish CRL run successfully (%s)"
+PUBL_HELP_1="No action needed"
+
+PUBL_DESCR_2="Publish to remote host failed crl:(%s) host:(%s)"
+PUBL_HELP_2="Try manually to run this command and setup ssh-keys and check username"
+
+PUBL_DESCR_3="Publish CRL failed, can't copy crl to destination %s/%s"
+PUBL_HELP_3="Check permissions for the path:s"
+
PUBL_DESCR_4="File not found"
-PUBL_DESCR_5="CRL is not the right size"
-PUBL_DESCR_6="Could not get a CRL from ejbca"
-PUBL_HELP_6="Check that EJBCA is running"
-PUBL_DESCR_7="CRL is outdated %s %s (%s)"
+PUBL_HELP_4="Verify the configuration of this script so it reflects the existing CA:s"
+
+PUBL_DESCR_5="Couldn't stat the file to get the filesize"
+PUBL_HELP_5="Probably some problem getting the file/or filerights"
+
+PUBL_DESCR_6="File size of CRL is 0 (%s)"
+PUBL_HELP_6="Probably some problem getting the file/or filerights"
+
+PUBL_DESCR_7="CRL is outdated %s (%s)"
+PUBL_HELP_7="This script cant get a new CRL, check the CA-logs"
+
+PUBL_DESCR_8="CRL:%s is published to host:%s"
+PUBL_HELP_8="no action needed"
Modified: trunk/syscheck/related-available/905_publish_crl.sh
===================================================================
--- trunk/syscheck/related-available/905_publish_crl.sh 2010-10-19 05:36:47 UTC (rev 7916)
+++ trunk/syscheck/related-available/905_publish_crl.sh 2010-10-19 11:47:24 UTC (rev 7917)
@@ -1,10 +1,6 @@
#!/bin/bash
-# The script fetches a crl from the ca and scp the crl to a webserver.
-# Change $HTTPSERVER, $SSHUSER and $SSHSERVER_DIR. Define the crl's and the servers in the end.
-# Usage:
-# get example.crl # This gets the crl from the CA server.
-# put 192.168.10.10 # This sends the crl to the webserver.
+# The script fetches a crl from the ca and copies to a local dir or scp the crl to a webserver.
# Set SYSCHECK_HOME if not already set.
@@ -41,6 +37,7 @@
ERRNO_5=${SCRIPTID}5
ERRNO_6=${SCRIPTID}6
ERRNO_7=${SCRIPTID}7
+ERRNO_8=${SCRIPTID}8
@@ -52,110 +49,110 @@
fi
-
-if [ ! -d $CRLDIRECTORY ] ; then
- mkdir $CRLDIRECTORY
-fi
-
-VERIFYCRLDIRECTORY="/var/tmp/crl-verify"
-if [ ! -d $VERIFYCRLDIRECTORY ] ; then
- mkdir $VERIFYCRLDIRECTORY
-fi
-
+### get crl ###
+### CRLFILE will be overwritten and migth be empty
+### soo call me with a temporary file!!!
get () {
- CRLNAME=$1
- CRLFILE=$2
- rm -f $CRLDIRECTORY/$CRLFILE
- cd ${EJBCA_HOME}
- printtoscreen "${EJBCA_HOME}/bin/ejbca.sh ca getcrl $CRLNAME $CRLDIRECTORY/$CRLFILE"
- ${EJBCA_HOME}/bin/ejbca.sh ca getcrl $CRLNAME $CRLDIRECTORY/$CRLFILE
- if [ $? != 0 -o ! -r $CRLDIRECTORY/$CRLFILE ] ; then
- printlogmess $ERROR $ERRNO_6 "$PUBL_DESCR_6" $CRLNAME
- fi
+ CRLNAME=$1
+ CRLFILE=$2
+ cd ${EJBCA_HOME}
+ printtoscreen "${EJBCA_HOME}/bin/ejbca.sh ca getcrl $CRLNAME $CRLFILE"
+ ${EJBCA_HOME}/bin/ejbca.sh ca getcrl $CRLNAME "$CRLFILE"
+ if [ $? != 0 -o ! -r $CRLFILE ] ; then
+ printlogmess $ERROR $ERRNO_6 "$PUBL_DESCR_6" "$CRLNAME/$CRLFILE"
+ fi
+
}
+
+### put crl ###
put () {
- CRLHOST=$1
- CRLFILE=$2
- SSHSERVER_DIR=$3
- SSHKEY=$4
- SSHUSER=$5
+ REMOTEHOST=$1
+ CRLFILE=$2
+ REMOTEDIR=$3
+ SSHKEY=$4
+ SSHUSER=$5
+
+ $SYSCHECK_HOME/related-enabled/906_ssh-copy-to-remote-machine.sh -s $CRLFILE $REMOTEHOST $REMOTEDIR $SSHUSER $SSHKEY
- cd $CRLDIRECTORY
- $SYSCHECK_HOME/related-enabled/906_ssh-copy-to-remote-machine.sh -s $CRLFILE $CRLHOST $SSHSERVER_DIR $SSHUSER $SSHKEY
- if [ $? != 0 ] ; then
- printlogmess $ERROR $ERRNO_2 "$PUBL_DESCR_2" $CRLHOST $CRLNAME
- fi
+ if [ $? = 0 ] ; then
+ printlogmess $INFO $ERRNO_8 "$PUBL_DESCR_8" $CRLNAME $CRLHOST
+ else
+ printlogmess $ERROR $ERRNO_2 "$PUBL_DESCR_2" $CRLNAME $CRLHOST
+ fi
}
-### FOR NOW WE DO THIS HERE, next we should use syscheck who does this
+
+### check crl ###
checkcrl () {
- CRLHOST=$1
- CRLNAME=$2
- SSHSERVER_DIR=$3
- SSHKEY=$4
- SSHUSER=$5
+ CRLFILE=$1
- cd $VERIFYCRLDIRECTORY
- rm -f $VERIFYCRLDIRECTORY/$CRLNAME
- if [ "x${CRLHOST}" != "xlocalhost" ] ; then
- printtoscreen "scp -o ConnectTimeout=10 -i $SSHKEY $SSHUSER@${CRLHOST}:$SSHSERVER_DIR/$CRLNAME $VERIFYCRLDIRECTORY/$CRLNAME "
- scp -o ConnectTimeout=10 -i $SSHKEY $SSHUSER@${CRLHOST}:$SSHSERVER_DIR/$CRLNAME $VERIFYCRLDIRECTORY/$CRLNAME
- if [ $? -ne 0 ] ; then
- printlogmess $ERROR $ERRNO_3 "$PUBL_DESCR_3" $CRLHOST $CRLNAME
- exit
- fi
- else
- cp -f $SSHSERVER_DIR/$CRLNAME $VERIFYCRLDIRECTORY/$CRLNAME
- fi
-
# file not found where it should be
- if [ ! -f $VERIFYCRLDIRECTORY/$CRLNAME ] ; then
- printlogmess $ERROR $ERRNO_4 "$PUBL_DESCR_4" $CRLHOST $CRLNAME
- exit 1
- fi
+ if [ ! -f $CRLFILE ] ; then
+ printlogmess $ERROR $ERRNO_4 "$PUBL_DESCR_4" $CRLFILE
+ return 4
+ fi
- CRL_FILE_SIZE=`stat -c"%s" $VERIFYCRLDIRECTORY/$CRLNAME`
# stat return check
- if [ $? -ne 0 ] ; then
- printlogmess $ERROR $ERRNO_5 "$PUBL_DESCR_5" $CRLHOST $CRLNAME
- exit
- fi
+ CRL_FILE_SIZE=`stat -c"%s" $CRLFILE`
+ if [ $? -ne 0 ] ; then
+ printlogmess $ERROR $ERRNO_5 "$PUBL_DESCR_5" $CRLFILE
+ return 5
+ fi
# crl of 0 size?
- if [ "x$CRL_FILE_SIZE" = "x0" ] ; then
- printlogmess $ERROR $ERRNO_6 "$PUBL_DESCR_6" $CRLHOST $CRLNAME
- exit
- fi
+ if [ "x$CRL_FILE_SIZE" = "x0" ] ; then
+ printlogmess $ERROR $ERRNO_6 "$PUBL_DESCR_6" $CRLFILE
+ return 6
+ fi
# now we can check the crl:s best before date is in the future with atleast HOURTHRESHOLD hours (defined in resources)
- TEMPDATE=`openssl crl -inform der -in $CRLNAME -lastupdate -noout`
- DATE=${TEMPDATE:11}
- HOURSSINCEGENERATION=`${SYSCHECK_HOME}/lib/cmp_dates.pl "$DATE"`
-
- if [ "$HOURSSINCEGENERATION" -gt "$HOURTHRESHOLD" ] ; then
- printlogmess $ERROR $ERRNO_7 "$PUBL_DESCR_7" $CRLNAME $CRLHOST "old: ${HOURSSINCEGENERATION}) limit: ${HOURTHRESHOLD}"
- else
- printlogmess $INFO $ERRNO_1 "$PUBL_DESCR_1" $CRLHOST $CRLNAME
- fi
+ TEMPDATE=`openssl crl -inform der -in $CRLFILE -nextupdate -noout`
+ DATE=${TEMPDATE:11}
+ HOURSLEFT=`${SYSCHECK_HOME}/lib/cmp_dates.pl "$DATE"`
+
+ if [ "$HOURSLEFT" -lt "$HOURTHRESHOLD" ] ; then
+ printlogmess $ERROR $ERRNO_7 "$PUBL_DESCR_7" $CRLFILE "hoursleft: ${HOURSLEFT} limit: ${HOURTHRESHOLD}"
+ return 7
+ else
+# printlogmess $INFO $ERRNO_1 "$PUBL_DESCR_1" $CRLFILE
+ return 0
+ fi
}
+
for (( i=0; i < ${#CANAME[@]} ; i++ )){
- if [ "x${VERIFY_HOST[$i]}" = "xlocalhost" ] ; then
- get ${CANAME[$i]} "${CANAME[$i]}.crl"
-# todo fix verification date calc problems
-# checkcrl ${VERIFY_HOST[$i]} "${CANAME[$i]}.crl" ${CRLTO_DIR[$i]}
+ tempdir=$(mktemp -d)
+ trap 'rm -rf "$tempdir"' EXIT
+
+ CRLFILE=${tempdir}/${CRL_NAME[$i]}
+
+ get ${CANAME[$i]} "${CRLFILE}"
+ checkcrl "${CRLFILE}"
+ if [ $? -ne 0 ] ; then
+ # check crl didn't pass the crl so we'll not publish this one and continue with the next
+ rm -rf $tempdir
+ continue
+ fi
+
+ if [ "x${REMOTE_HOST[$i]}" = "xlocalhost" ] ; then
+ cp -f ${CRLFILE} "${CRLTO_DIR[$i]}/${CRL_NAME[$i]}"
+ if [ $? -eq 0 ] ;then
+ printlogmess $INFO $ERRNO_1 "$PUBL_DESCR_1" ${CANAME[$i]}
else
- get ${CANAME[$i]} "${CANAME[$i]}.crl"
- put ${VERIFY_HOST[$i]} "${CANAME[$i]}.crl" ${CRLTO_DIR[$i]} ${SSHKEY[$i]} ${SSHUSER[$i]}
- checkcrl ${VERIFY_HOST[$i]} "${CANAME[$i]}.crl" ${CRLTO_DIR[$i]} ${SSHKEY[$i]} ${SSHUSER[$i]}
+ printlogmess $ERROR $ERRNO_3 "$PUBL_DESCR_3" ${CRL_NAME[$i]} "${CRLTO_DIR[$i]}/${CRL_NAME[$i]}"
fi
+
+ else
+ put ${REMOTE_HOST[$i]} ${CRLFILE} ${CRLTO_DIR[$i]} ${SSHKEY[$i]} ${SSHUSER[$i]}
+
+ fi
+ rm -rf $tempdir
}
-
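Review bot: `put` logs with `$CRLNAME` and `$CRLHOST` in both the ERRNO_8 and ERRNO_2 calls, but the rewritten function stores its arguments in `REMOTEHOST` and `CRLFILE`, so `CRLHOST` is never set and the `host:(%s)` placeholder of PUBL_DESCR_2/PUBL_DESCR_8 receives nothing, while `CRLNAME` appears to work only because `get` leaves it behind as a global. Use the function's own parameters: `printlogmess $INFO $ERRNO_8 "$PUBL_DESCR_8" "$CRLFILE" "$REMOTEHOST"` and `printlogmess $ERROR $ERRNO_2 "$PUBL_DESCR_2" "$CRLFILE" "$REMOTEHOST"`. The local branch publishes with a plain `cp -f` onto the live CRL path, so a client fetching during the copy can read a truncated file; copying to a temporary name inside `${CRLTO_DIR[$i]}` and renaming with `mv -f` keeps the old CRL intact until the new one is complete, which is what the commit sets out to guarantee. The `mktemp -d` result is unchecked: on failure `tempdir` is empty, `CRLFILE` becomes `/<name>`, and the later unquoted `rm -rf $tempdir` runs on an empty value, so `tempdir=$(mktemp -d) || continue` plus quoting `"$tempdir"` in the three `rm -rf` calls would be safer. The ERRNO_3 call also passes `${CRL_NAME[$i]}` followed by the full destination path, whereas PUBL_DESCR_3 expects directory and name separately, so the message renders as name/dir/name.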