Revision 18553 - (show annotations) (download)
Wed Dec 23 16:17:41 2015 UTC (5 years, 11 months ago) by msalle
File size: 6593 byte(s)
Replace also sed by variable

1 #!/bin/sh
2 #
3 # Copyright (c) FOM-Nikhef 2014-
4 #
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 # http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16 #
17 # Authors:
18 # 2014-
19 # Mischa Sall\'e <msalle@nikhef.nl>
20 # NIKHEF Amsterdam, the Netherlands
21 # <grid-mw-security@nikhef.nl>
22 #
23
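# cmdline adaptable defaults:
VERB=0                      # -v: 1 prints progress messages on stdout
user=""                     # -u: mandatory, last part of the proxy CN
PREFIX="user:"              # -P: text put in front of the user in that CN
X509_USER_CERT=${X509_USER_CERT:-$HOME/.globus/usercert.pem}   # -c: robot cert
X509_USER_KEY=${X509_USER_KEY:-$HOME/.globus/userkey.pem}      # -k: robot key
PROXY_FILE=/tmp/x509up_u$(id -u)   # -p: where the finished PUSP is written
PROXY_PATHLENGTH=-1         # -L: pCPathLenConstraint, -1 for infinite
PROXY_INFO=""               # set automatically based on pcPathLen
PROXY_POLICY=normal_policy  # -l: proxy type: normal_policy or limited_policy

# Other defaults:
# RSA keylength of the proxy key. 1024 bits is below the 2048-bit minimum that
# is generally recommended today, so use 2048 even though the proxy itself is
# only valid for a day.
BITS=2048
HASH=sha256                 # hash algorithm for the proxy signature

# Programs.
# Locate program $1 on PATH and print its path. "command -v" is the POSIX
# builtin for this; "which" is an external tool whose output and exit status
# differ between systems. A missing program is fatal: an empty variable would
# otherwise make a later pipeline run e.g. "rand 4" instead of "openssl rand 4"
# and, worse, "$BASENAME $0" below would execute this script itself.
findprog() {
    command -v "$1" || {
        echo "$0: required program \"$1\" not found in PATH" >&2
        exit 1
    }
}
# "exit" inside $(...) only leaves the subshell, hence the explicit "|| exit 1"
OD=$(findprog od)             || exit 1
TR=$(findprog tr)             || exit 1
RM=$(findprog rm)             || exit 1
CAT=$(findprog cat)           || exit 1
SED=$(findprog sed)           || exit 1
MKTEMP=$(findprog mktemp)     || exit 1
BASENAME=$(findprog basename) || exit 1
OPENSSL=$(findprog openssl)   || exit 1

# Script name, used in diagnostics
prog=$($BASENAME "$0")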
51
52 ########################################################################
53
# Print the help text on stdout and leave with status 0 (used for -h).
# The shown defaults are the current values of the option variables.
usage() {
    if [ "$PROXY_PATHLENGTH" = "-1" ]; then
        lendefault=infinite
    else
        lendefault=$PROXY_PATHLENGTH
    fi
    printf '%s\n' \
        "Usage: $($BASENAME $0) <options>" \
        "Options:" \
        " -h print this help text" \
        " -v be verbose" \
        " -u <user> username, added after \"/CN=${PREFIX}\", mandatory option" \
        " -P <prefix> prefix in /CN field, default: \"$PREFIX\"" \
        " -c <cert> robot certificate, default: \"$X509_USER_CERT\"" \
        " -k <key> robot key, default: \"$X509_USER_KEY\"" \
        " -p <proxy> PUSP proxy filename, default: \"$PROXY_FILE\"" \
        " -l create limited proxy, default: normal (impersonation) proxy" \
        " -L <length> PUSP proxy pathlength constraint, default: $lendefault"
    exit 0
}
73
# Report a command line error on stderr and terminate the script.
# Arguments: $1 - ":" for a missing option argument, "?" for an unknown option
#            $2 - the option letter concerned
#            $3 - exit status to use
illoption() {
    case $1 in
        :) printf '%s\n' "$prog: option \`-$2' requires an argument" >&2 ;;
        ?) printf '%s\n' "$prog: invalid option -- $2" >&2 ;;
    esac
    printf '%s\n' "Try \`$prog -h' for more information" >&2
    exit $3
}
83
# Verbose log: print the arguments on stdout, but only when -v was given
# (VERB=1); silent otherwise.
verb() {
    case $VERB in
        1) echo "$*" ;;
    esac
}
90
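# Parse the command line into the global option variables (user, PREFIX,
# X509_USER_CERT, X509_USER_KEY, PROXY_FILE, PROXY_POLICY, PROXY_PATHLENGTH,
# VERB). The arguments must be handed over as "$@": the original "$*" re-split
# an option value containing whitespace (e.g. -P "a b") into separate words.
# -h ends the script via usage(); an unknown option or a missing option
# argument ends it via illoption() with status 2.
parse_args() {
    OPTIND=1   # always start at the first argument, even if getopts ran before
    while getopts ":hvu:c:k:p:P:lL:" opt "$@"; do
        # "$opt" is quoted below: an unquoted "?" would be expanded by the shell
        # against the single-character file names in the current directory
        case $opt in
            h) usage ;;
            v) VERB=1 ;;
            u) user=$OPTARG ;;
            c) X509_USER_CERT=$OPTARG ;;
            k) X509_USER_KEY=$OPTARG ;;
            p) PROXY_FILE=$OPTARG ;;
            P) PREFIX=$OPTARG ;;
            l) PROXY_POLICY=limited_policy ;;
            L) PROXY_PATHLENGTH=$OPTARG ;;
            :) illoption "$opt" "$OPTARG" 2 ;;
            ?) illoption "$opt" "$OPTARG" 2 ;;
        esac
    done
}

# Get command line options
parse_args "$@"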
107
# Check mandatory arguments: without a user there is nothing to put in the CN
[ -n "$user" ] || {
    echo "$prog: Missing mandatory option -u <user>" >&2
    echo "Try \`$prog -h' for more information" >&2
    exit 1
}

# Set correct pcPathLen parameters: -1 selects the config section without a
# pCPathLenConstraint field, any non-negative integer the section with it.
# Everything else, including non-numeric text (which makes the -ge test fail
# rather than succeed), is rejected.
case $PROXY_PATHLENGTH in
    -1)
        PROXY_INFO=rfc3820_seq_sect_infinite
        ;;
    *)
        if [ "$PROXY_PATHLENGTH" -ge 0 ] 2> /dev/null; then
            PROXY_INFO=rfc3820_seq_sect
        else
            echo "$prog: Invalid proxy pathlength constraint: \"$PROXY_PATHLENGTH\"" >&2
            echo "Try \`$prog -h' for more information" >&2
            exit 1
        fi
        ;;
esac
125
126
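# Escape the characters that "openssl req -subj" treats specially, so that the
# text ends up as one attribute value: "\" becomes "\\" and "/" becomes "\/".
# Without this a user name like "bob/CN=other" (the -u value is taken verbatim
# from the command line) would smuggle an extra RDN into the proxy subject,
# and that subject is exactly what the PUSP is later authorized on.
# Arguments: $1 - raw value.  Output: escaped value on stdout.
escape_dn_value() {
    printf '%s\n' "$1" | $SED -e 's:\\:\\\\:g' -e 's:/:\\/:g'
}

# Subject of payload proxy: the robot subject is extended with this single CN;
# prefix and user together form one escaped CN value
PROXY_CN="/CN=$(escape_dn_value "${PREFIX}$user")"

# Set nameopts for getting subject from the robot cert: RFC 2253 escaping,
# one RDN per line and short attribute names, so the output can be turned
# back into a "/"-separated subject string further down
NAMEOPTS="esc_2253,esc_ctrl,utf8,dump_nostr,dump_der,sep_multiline,sname"

# New serial number: use 4 random bytes, printed as a single unsigned decimal
SERIAL=$($OPENSSL rand 4 | $OD -An -t u4 | $TR -d '[:space:]')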
135
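# Enforce umask: everything created from here on (the temporary directory,
# the proxy key and the proxy file itself) must be private to the caller.
umask 077

# Different tempfiles: put in separate directory in $TMPDIR or /tmp.
# A failed mktemp has to be fatal: the original unchecked calls would carry
# on with empty filenames and let the later openssl steps fail in confusing
# ways (or, with an empty $PROXYTMPDIR, scatter the files over /tmp itself).
PROXYTMPDIR=$($MKTEMP -d --tmpdir create_pusp_XXXXXX) || {
    echo "$prog: Creating temporary directory failed" >&2
    exit 1
}

# Create an empty file named $1.XXXXXX in $PROXYTMPDIR (mktemp makes it 0600)
# and print its path; prints a message and returns non-zero on failure.
tmpfile() {
    $MKTEMP --tmpdir="$PROXYTMPDIR" "$1.XXXXXX" || {
        echo "$prog: Creating temporary file $1 in $PROXYTMPDIR failed" >&2
        return 1
    }
}

OPENSSL_CONF=$(tmpfile openssl.cnf) &&
PROXYREQ=$(tmpfile proxyrequest) &&
PROXYKEY=$(tmpfile proxykey) &&
PROXYCERT=$(tmpfile proxycert) &&
LOGFILE=$(tmpfile logfile) || {
    # Nothing sensitive has been written yet; remove whatever got created
    # (no rm -rf, for the same safety reason as in cleanup below).
    for f in "$OPENSSL_CONF" "$PROXYREQ" "$PROXYKEY" "$PROXYCERT" "$LOGFILE"; do
        [ -n "$f" ] && [ -f "$f" ] && $RM "$f"
    done
    rmdir "$PROXYTMPDIR"
    exit 1
}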
146
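# Remove the per-run temporary files and their private directory.
# The files are removed one by one rather than with "rm -rf" so that an
# empty or corrupted $PROXYTMPDIR can never take anything else with it.
# Globals read: OPENSSL_CONF PROXYREQ PROXYKEY PROXYCERT LOGFILE PROXYTMPDIR RM
cleanup() {
    for f in "$OPENSSL_CONF" "$PROXYREQ" "$PROXYKEY" "$PROXYCERT" "$LOGFILE"; do
        if [ -n "$f" ] && [ -f "$f" ]; then
            $RM -- "$f"
        fi
    done
    # An empty variable used to reach "rmdir" without an operand and produce
    # a misleading "Cleanup of  failed"; only try when there is a directory.
    if [ -n "$PROXYTMPDIR" ] && [ -d "$PROXYTMPDIR" ]; then
        rmdir -- "$PROXYTMPDIR" || echo "Cleanup of $PROXYTMPDIR failed" >&2
    fi
}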
158
# Remove the temporary files, then leave the script with the given status.
# Arguments: $1 - exit status to pass on
myexit() {
    status=$1
    cleanup
    exit $status
}
163
# Print the OpenSSL extension configuration for an RFC 3820 proxy certificate
# on stdout. The proxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14, critical)
# is assembled from $PROXY_INFO - the section with or without a
# pCPathLenConstraint field, chosen from $PROXY_PATHLENGTH earlier - and
# $PROXY_POLICY, the section holding the policy language OID: RFC 3820
# inheritAll (1.3.6.1.5.5.7.21.1) for a normal proxy, the Globus limited
# proxy OID (1.3.6.1.4.1.3536.1.1.1.9) for a limited one.
proxy_extensions_conf() {
    $CAT << EOF
extensions = rfc3820_proxy

[ rfc3820_proxy ]
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$PROXY_INFO

[ rfc3820_seq_sect ]
field1 = INTEGER:$PROXY_PATHLENGTH
field2 = SEQUENCE:$PROXY_POLICY

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
EOF
}

# Create OpenSSL config file on the fly. Need RFC compliant proxy.
proxy_extensions_conf > "$OPENSSL_CONF"
185
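# Turn the multi-line subject printed by "openssl x509 -subject -nameopt
# $NAMEOPTS" (a label line followed by one indented RDN per line) on stdin
# into the single-line, "/"-separated form that "openssl req -subj" expects:
# every "/" inside an RDN is escaped to "\/" first so it cannot be read as a
# separator, the label line is dropped, each remaining line gets a leading
# "/" instead of its indentation, and the newlines are removed.
rdn_lines_to_subj() {
    $SED -e 's+/+\\/+g' -e '1d' -e 's:^ *:/:' | $TR -d '\n'
}

# Get subject from the robot certificate; the proxy subject is built on top
# of it, so not being able to read it is fatal
SUBJ=$($OPENSSL x509 -in "$X509_USER_CERT" -noout -subject -nameopt "$NAMEOPTS" \
    | rdn_lines_to_subj)
if [ -z "$SUBJ" ]; then
    echo "Getting subject of $X509_USER_CERT failed" >&2
    myexit 1
fi
verb "Got subject \"$SUBJ\""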
194
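# Create certificate signing request for the proxy: a fresh RSA key, written
# unencrypted (-nodes) straight into the temporary key file created under the
# 077 umask, and a request whose subject is the robot subject extended with
# the PUSP CN. Every path is quoted so a cert/key/tmp location containing
# whitespace cannot split the command line.
verb "Generating $BITS bits RSA key and request"
$OPENSSL req \
    -utf8 -new -nodes -newkey "rsa:$BITS" -subj "${SUBJ}${PROXY_CN}" \
    -keyout "$PROXYKEY" -out "$PROXYREQ" 2> "$LOGFILE" || {
    echo "Creating request failed, logfile:" >&2
    $CAT "$LOGFILE" >&2
    myexit 1
}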
204
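# Sign the request with the robot certificate and key, producing the proxy
# certificate: the random serial from above, one day of validity, $HASH as
# signature digest and the proxyCertInfo/keyUsage extensions from the
# generated config. An empty $SERIAL (openssl rand failed) is rejected by
# openssl here and ends up in the logfile. Paths are quoted as in the
# request step.
verb "Signing key and request to create proxy cert"
$OPENSSL x509 \
    -req -CAkeyform pem -in "$PROXYREQ" -out "$PROXYCERT" \
    -CA "$X509_USER_CERT" -CAkey "$X509_USER_KEY" \
    -set_serial "$SERIAL" -days 1 "-$HASH" \
    -extfile "$OPENSSL_CONF" 2> "$LOGFILE" || {
    echo "Signing request failed, logfile:" >&2
    $CAT "$LOGFILE" >&2
    myexit 1
}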
216
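# Print only the certificate blocks (BEGIN/END CERTIFICATE lines inclusive)
# of the PEM file $1, so that a robot private key kept in the same file can
# never end up in the proxy. Every certificate in the file is passed through,
# e.g. when the robot file already carries its chain.
pem_certs_only() {
    $SED -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Write the proxy: first the new cert and its key, then the robot cert(s).
# Any previous proxy file is removed first so the new one is always created
# fresh under the 077 umask (mode 0600, owned by us) instead of truncating -
# and silently following - whatever already sits at $PROXY_FILE. A failed
# write must not leave a half-written proxy behind and be reported as success.
$RM -f "$PROXY_FILE"
$CAT "$PROXYCERT" "$PROXYKEY" > "$PROXY_FILE" || {
    echo "Writing proxy to $PROXY_FILE failed" >&2
    myexit 1
}

# Append certificate only parts of input certificate
pem_certs_only "$X509_USER_CERT" >> "$PROXY_FILE" || {
    echo "Appending $X509_USER_CERT to $PROXY_FILE failed" >&2
    myexit 1
}

# Cleanup temp files
cleanup

verb "Proxy is left in $PROXY_FILE"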

Properties

Name Value
svn:executable *
