From 629366505c7022d019a714c66affc9e1f10e9b55 Mon Sep 17 00:00:00 2001
From: Mark Huang
Date: Thu, 18 Jan 2007 18:44:18 +0000
Subject: [PATCH] remove all traces of MA/CA certificate junk
---
 api-config | 79 --------------------------------------------------
 plc.d/api | 6 +---
 plc.d/ssl | 20 +------------
 plc_config.xml | 63 +--------------------------------------
 4 files changed, 3 insertions(+), 165 deletions(-)
 delete mode 100755 api-config
diff --git a/api-config b/api-config
deleted file mode 100755
index e657641..0000000
--- a/api-config
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/python
-#
-# Bootstraps the PLC database with a default administrator account and
-# a default site. Also generates the MA/SA API certificate.
-#
-# Mark Huang
-# Copyright (C) 2006 The Trustees of Princeton University
-#
-# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $
-#
-
-from plc_config import PLCConfiguration
-import os
-import re
-import xml
-import CertOps, Certificate
-import Certificate
-import commands
-
-
-def main():
- cfg = PLCConfiguration()
- cfg.load()
- variables = cfg.variables()
-
- # Load variables into dictionaries
- for category_id, (category, variablelist) in variables.iteritems():
- globals()[category_id] = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- # Get the issuer e-mail address and public key from the root CA certificate
- root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \
- plc_ma_sa['ca_ssl_crt'])
- root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ca_ssl_crt'])
-
- # Verify API certificate
- if os.path.exists(plc_ma_sa['api_crt']):
- print "Verifying API certificate '%s'" % plc_ma_sa['api_crt']
- try:
- cert_xml = file(plc_ma_sa['api_crt']).read().strip()
- # Verify root CA signature
- CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
- # Check if MA/SA e-mail address has changed
- dom = xml.dom.minidom.parseString(cert_xml)
- for subject in dom.getElementsByTagName('subject'):
- if subject.getAttribute('email') != plc_mail['support_address']:
- raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \
- (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address'])
- except Exception, e:
- # Delete invalid API certificate
- print "Warning: ", e
- os.unlink(plc_ma_sa['api_crt'])
-
- # Generate self-signed API certificate
- if not os.path.exists(plc_ma_sa['api_crt']):
- print "Generating new API certificate"
- try:
- cert = Certificate.Certificate('ticket-cert-0')
- ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ssl_crt'])
- cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address'])
- root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \
- plc_ma_sa['ssl_crt'])
- m = re.search('/CN=([^/]*).*', root_ca_subject)
- if m is None:
- root_ca_cn = plc['name'] + " Management and Slice Authority"
- else:
- root_ca_cn = m.group(1)
- cert.set_issuer(email = root_ca_email, cn = root_ca_cn)
- cert_xml = cert.sign(plc_ma_sa['ssl_key'])
- ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w")
- ma_sa_api_crt.write(cert_xml)
- ma_sa_api_crt.close()
- except Exception, e:
- print "Warning: Could not generate API certificate: ", e
-
-if __name__ == '__main__':
- main()
diff --git a/plc.d/api b/plc.d/api
index 08d58c2..0c7a4a7 100755
--- a/plc.d/api
+++ b/plc.d/api
@@ -8,7 +8,7 @@
 # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: api,v 1.4 2006/06/23 21:41:31 mlhuang Exp $
+# $Id: api,v 1.5 2006/07/10 21:08:06 mlhuang Exp $
 #
 # Source function library and configuration
@@ -47,10 +47,6 @@ case "$1" in
 ) plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save
- # Generate old API configuration file
- api-config
- check
-
 result "$MESSAGE"
 ;;
 esac
diff --git a/plc.d/ssl b/plc.d/ssl
index 34e83af..e2c8c02 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -7,7 +7,7 @@
 # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: ssl,v 1.9 2006/07/17 21:28:55 mlhuang Exp $
+# $Id: ssl,v 1.10 2006/07/24 19:30:45 mlhuang Exp $
 #
 # Source function library and configuration
@@ -85,24 +85,6 @@ case "$1" in
 MESSAGE=$"Generating SSL certificates"
 dialog "$MESSAGE"
- # Verify or generate MA/SA certificate if necessary. This
- # self-signed certificate may be overridden later.
- verify_or_generate_certificate \
- $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
- "$PLC_NAME Management and Slice Authority" \
- $PLC_MAIL_SUPPORT_ADDRESS
-
- # Make MA/SA key readable by apache so that the API can sign
- # certificates
- chown apache $PLC_MA_SA_SSL_KEY
- chmod 600 $PLC_MA_SA_SSL_KEY
-
- # Extract the public key of the root CA (if any) that signed
- # the MA/SA certificate.
- openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
- check
- chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
-
 # Generate HTTPS certificates if necessary. We generate a
 # certificate for each enabled server with a different
 # hostname. These self-signed certificates may be overridden
diff --git a/plc_config.xml b/plc_config.xml
index 567babe..689b75b 100644
--- a/plc_config.xml
+++ b/plc_config.xml
@@ -6,7 +6,7 @@ Default PLC configuration file Mark Huang Copyright (C) 2006 The Trustees of Princeton University
-$Id: plc_config.xml,v 1.16 2006/10/27 20:26:49 mlhuang Exp $
+$Id: plc_config.xml,v 1.17 2006/11/10 19:03:48 mlhuang Exp $
 -->
@@ -104,66 +104,6 @@ $Id: plc_config.xml,v 1.16 2006/10/27 20:26:49 mlhuang Exp $
-
- Management and Slice Authority
- These variables control how your site interacts
- with other PlanetLab sites as a Management Authority (MA) and/or
- Slice Authority (SA).
-
-
-
- Namespace
- test
- The namespace of your MA/SA. This should be a
- globally unique value assigned by PlanetLab
- Central.
-
-
-
- SSL Private Key
- /etc/planetlab/ma_sa_ssl.key
- The SSL private key used for signing documents
- with the signature of your MA/SA. If non-existent, one will
- be generated.
-
-
-
- SSL Public Certificate
- /etc/planetlab/ma_sa_ssl.crt
- The corresponding SSL public certificate. By
- default, this certificate is self-signed. You may replace
- the certificate later with one signed by the PLC root
- CA.
-
-
-
- Root CA SSL Public Certificate
- /etc/planetlab/ma_sa_ca_ssl.crt
- If applicable, the certificate of the PLC root
- CA. If your MA/SA certificate is self-signed, then this file
- is the same as your MA/SA certificate.
-
-
-
- Root CA SSL Public Key
- /etc/planetlab/ma_sa_ca_ssl.pub
- If applicable, the public key of the PLC root
- CA. If your MA/SA certificate is self-signed, then this file
- is the same as your MA/SA public key.
-
-
-
- API Certificate
- /etc/planetlab/ma_sa_api.xml
- The API Certificate is your MA/SA public key
- embedded in a digitally signed XML document. By default,
- this document is self-signed. You may replace this
- certificate later with one signed by the PLC root
- CA.
-
-
-
-
 Network Network environment.
@@ -656,7 +596,6 @@ $Id: plc_config.xml,v 1.16 2006/10/27 20:26:49 mlhuang Exp $ - PLCAPI PyXML - PlanetLabAuth xmlsec1
-- 
2.43.0