X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=plc.d%2Fssl;h=c1811565f4f9a5cb19e4ee349f8f064ac611694a;hb=8f37b50e45efe32bc3926e8d6f9788bc27b5d25d;hp=34e83afa6c78281b7d7a91a7b77059804c1c74ee;hpb=0205069c73ebbfdb16108288bb4b45dd3c874d27;p=myplc.git
diff --git a/plc.d/ssl b/plc.d/ssl
index 34e83af..c181156 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -7,7 +7,7 @@
 # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: ssl,v 1.9 2006/07/17 21:28:55 mlhuang Exp $
+# $Id: ssl,v 1.11 2007/01/18 18:44:18 mlhuang Exp $
 #
 # Source function library and configuration
@@ -21,14 +21,8 @@ set -x
 ssl_cname ()
 {
 openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
-}
-
-# Print the emailAddress of an SSL certificate
-ssl_email ()
-{
- openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
+ sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
+ lower
 }
 # Verify a certificate. If invalid, generate a new self-signed
@@ -37,8 +31,7 @@ verify_or_generate_certificate()
 {
 crt=$1
 key=$2
 ca=$3
- cname=$4
- email=$5
+ cname=$(lower $4)
 # If the CA certificate does not exist, assume that the
 # certificate is self-signed.
@@ -51,8 +44,7 @@ verify_or_generate_certificate()
 verify=$(openssl verify -CAfile $ca $crt)
 # Delete if invalid or if the subject has changed
 if grep -q "error" <<<$verify || \
- [ "$(ssl_cname $crt)" != "$cname" ] || \
- [ "$(ssl_email $crt)" != "$email" ] ; then
+ [ "$(ssl_cname $crt)" != "$cname" ] ; then
 rm -f $crt $ca
 fi
 fi
@@ -63,9 +55,6 @@ verify_or_generate_certificate()
 if [ -n "$cname" ] ; then
 subj="$subj/CN=$cname"
 fi
- if [ -n "$email" ] ; then
- subj="$subj/emailAddress=$email"
- fi
 # Generate new self-signed certificate
 mkdir -p $(dirname $crt)
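Review bot: In the ssl_cname hunk, `lower` is used as a pipe filter but is not defined in this file; it presumably comes from the sourced function library, and a short comment on ssl_cname would spare the next reader the search, e.g. `# lower (function library) folds the CN so the comparison in verify_or_generate_certificate is case-insensitive`. The certificate path in `openssl x509 -noout -in $1 -subject` should be quoted, `-in "$1"`, since it comes from configuration. The sed pattern only understands the `/CN=name` form of the subject line; newer OpenSSL releases print `CN = name` by default, in which case ssl_cname returns an empty string and every run would regenerate the certificate, so pinning the output format (e.g. with `-nameopt`) is worth considering if the script is expected to outlive the current OpenSSL.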
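Review bot: In the `cname=$(lower $4)` hunk, `$4` is passed unquoted, so a CN containing spaces (the display-name style used elsewhere in this script) is word-split into several arguments before `lower` sees it; whether that round-trips depends on how `lower` joins its arguments, which is not visible here. Quoting it, `cname=$(lower "$4")`, keeps the value intact whatever `lower` does. The body of verify_or_generate_certificate continues outside the hunk.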
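Review bot: In the verify hunk, a CN mismatch on the new `[ "$(ssl_cname $crt)" != "$cname" ] ; then` line leads to `rm -f $crt $ca` with no message, and the comment preceding the function says these self-signed certificates may be overridden, so an operator-installed certificate can be discarded silently when the configured name changes. A one-line notice before the removal, e.g. `echo "$crt: subject changed, regenerating" >&2`, makes the regeneration traceable in the logs. The `rm -f` and the enclosing `if` are context lines, and the function continues outside the hunk.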
@@ -73,11 +62,13 @@ verify_or_generate_certificate()
 -batch -subj "$subj" \
 -nodes -keyout $key -out $crt
 check
- chmod 644 $crt
 # The certificate it self-signed, so it is its own CA
 cp -a $crt $ca
 fi
+
+ # Fix permissions
+ chmod 644 $crt $ca
 }
 case "$1" in
@@ -85,24 +76,6 @@ case "$1" in
 MESSAGE=$"Generating SSL certificates"
 dialog "$MESSAGE"
- # Verify or generate MA/SA certificate if necessary. This
- # self-signed certificate may be overridden later.
- verify_or_generate_certificate \
- $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
- "$PLC_NAME Management and Slice Authority" \
- $PLC_MAIL_SUPPORT_ADDRESS
-
- # Make MA/SA key readable by apache so that the API can sign
- # certificates
- chown apache $PLC_MA_SA_SSL_KEY
- chmod 600 $PLC_MA_SA_SSL_KEY
-
- # Extract the public key of the root CA (if any) that signed
- # the MA/SA certificate.
- openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
- check
- chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
-
 # Generate HTTPS certificates if necessary. We generate a
 # certificate for each enabled server with a different
 # hostname. These self-signed certificates may be overridden
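Review bot: The new `chmod 644 $crt $ca` at the end of verify_or_generate_certificate fixes the public files, but nothing visible in the function restricts `$key`, which `openssl req ... -nodes -keyout $key` writes with whatever the process umask allows rather than a restrictive mode; the only key-permission fix in the file, `chmod 600 $PLC_MA_SA_SSL_KEY`, is removed in the following hunk along with the MA/SA call. Adding `chmod 600 $key` next to the new line would keep the private key owner-only for every caller, regardless of whether it was just generated or already present. The start of the `openssl req` command lies outside the hunk.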