#! /usr/bin/perl -w |
# |
# @(#)$Id$ |
# |
# Copyright 2010 David Groep, Nationaal instituut voor |
# subatomaire fysica NIKHEF |
# |
# Licensed under the Apache License, Version 2.0 (the "License"); |
# you may not use this file except in compliance with the License. |
# You may obtain a copy of the License at |
# |
# http://www.apache.org/licenses/LICENSE-2.0 |
# |
# Unless required by applicable law or agreed to in writing, software |
# distributed under the License is distributed on an "AS IS" BASIS, |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
# See the License for the specific language governing permissions and |
# limitations under the License. |
# |
# |
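package main;

use strict;
use warnings;
use Getopt::Long qw(:config no_ignore_case bundling);
use POSIX;
# bsd_glob() does not split its pattern on whitespace the way core glob()
# does, so an infodir whose path contains a space still yields its files
use File::Glob qw(bsd_glob);
eval { require LWP or die; }; $@ and die "Please install libwww-perl (LWP)\n";

# import modules that are needed but still external
# (the installed version may have these packages embedded in-line, in which
# case the constructor already exists and the require is skipped)
#
require ConfigTiny  and ConfigTiny->import  unless defined &ConfigTiny::new;
require TrustAnchor and TrustAnchor->import unless defined &TrustAnchor::new;
require CRLWriter   and CRLWriter->import   unless defined &CRLWriter::new;
require FCLog       and FCLog->import       unless defined &FCLog::new;
require OSSL        and OSSL->import        unless defined &OSSL::new;
require CRL         and CRL->import         unless defined &CRL::new;

# optional modules: Data::Dumper is only needed for verbosity above 6 and
# IO::Select only for parallel retrieval; their absence is reported once
# the configuration says which of them is actually required
my $use_DataDumper = eval { require Data::Dumper; };
my $use_IOSelect   = eval { require IO::Select; };

# configuration and logger are package globals ($::cnf / $::log) that the
# subroutines further down in this file use as well
our ($log, $cnf);

# ###########################################################################
#
#
# called as &name() because the sub is prototyped and defined later in the
# file; a plain call would trigger "called too early to check prototype"
($cnf, $log) = &init_configuration();

# verify local installation sanity for loaded modules
if ( $::log->getverbose > 6 and not $use_DataDumper ) {
    $::log->err("Cannot set verbosity higher than 6 without Data::Dumper");
    exit(1);
}
if ( $::cnf->{_}->{parallelism} and not $use_IOSelect ) {
    $::log->err("Cannot use parallel retrieval without IO::Select");
    exit(1);
}

$use_DataDumper and $::log->verb(7, Data::Dumper::Dumper($cnf));

# set safe path if so requested; from here on every external tool the
# script runs is resolved through this PATH (presumably including the
# configured openssl binary when it is given as a bare name)
if ( $cnf->{_}->{path} ) {
    $ENV{PATH} = $cnf->{_}->{path};
    $::log->verb(5, "Set PATH to", $ENV{PATH});
}

# wait up to randomwait seconds to spread download load
if ( $cnf->{_}->{randomwait} ) {
    my $wtime = int(rand($cnf->{_}->{randomwait}));
    $::log->verb(2, "Sleeping $wtime seconds before continuing");
    sleep($wtime);
}

# the list of trust anchors to process comes from the command line and
# all files in the infodir that are metadata or crl urls
# in the next phase, the suffix will be stripped and the info file
# when present preferred over the crlurl
#
my @metafiles = @ARGV;
if ( my $infodir = $::cnf->{_}->{infodir} ) {
    for my $fn ( map { bsd_glob("$infodir/$_") } qw(*.info *.crl_url) ) {
        # anchor name = basename without the .info / .crl_url suffix
        my ($anchor) = $fn =~ m{ .* / ([^/]+) \. (?: crl_url | info ) \z }x;
        defined $anchor or next;
        # compare whole names: the former substring/regex test skipped "foo"
        # whenever a longer name such as "foo-old" was already listed
        push @metafiles, $anchor unless grep { $_ eq $anchor } @metafiles;
    }
}

if ( not @metafiles ) {
    $log->err("No trust anchors to process");
    exit($log->exitstatus);
}

# see the note on &init_configuration() above for the & call form
if ( $::cnf->{_}->{parallelism} ) {
    &parallel_metafiles($::cnf->{_}->{parallelism}, @metafiles);
} else {
    &process_metafiles(@metafiles);
}

$log->flush;
exit($log->exitstatus);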
# ########################################################################### |
# |
# |
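# Parse the command line, read the configuration file, apply the command
# line overrides and defaults, validate the directories and set up the
# logger.  Returns the list ($cnf, $log): the ConfigTiny object (settings
# live under $cnf->{_}) and the FCLog logger.  Dies on an unreadable config
# file, a non-existent state or meta-data directory or an unknown logmode
# destination; exits after printing the help text on --help or a bad option.
sub init_configuration() {
    my ($cnf, $log);

    my ($configfile, $agingtolerance, $infodir, $statedir, $cadir, $httptimeout);
    my ($output);
    my @formats;
    my $verbosity;
    my $quiet = 0;
    my $help  = 0;
    my $debuglevel;
    my $parallelism = 0;
    my $randomwait;

    # log to the "qualified" destination until the configuration says otherwise
    $log = FCLog->new("qualified");

    # &help() rather than help(): help is prototyped and defined further down
    GetOptions(
        "c|config=s"         => \$configfile,
        "l|infodir=s"        => \$infodir,
        "cadir=s"            => \$cadir,
        "s|statedir=s"       => \$statedir,
        "T|httptimeout=i"    => \$httptimeout,
        "o|output=s"         => \$output,
        "format=s@"          => \@formats,
        "v|verbose+"         => \$verbosity,
        "h|help+"            => \$help,
        "q|quiet+"           => \$quiet,
        "d|debug+"           => \$debuglevel,
        "p|parallelism=i"    => \$parallelism,
        "a|agingtolerance=i" => \$agingtolerance,
        "r|randomwait=i"     => \$randomwait,
    ) or do { &help(); exit(1); };

    if ($help) {
        &help();
        exit(0);
    }

    # the system-wide config file is only used when it exists
    $configfile ||= ( -e "/etc/fetch-crl.cnf" and "/etc/fetch-crl.cnf" );
    # --quiet overrides --verbose: each -q pushes the verbosity below zero
    ($quiet > 0) and $verbosity = -$quiet;

    $cnf = ConfigTiny->new();
    if ($configfile) {
        $cnf->read($configfile)
            or die "Invalid config file $configfile:\n " . $cnf->errstr . "\n";
    }

    # command-line option overrides
    $cnf->{_}->{agingtolerance} = $agingtolerance if defined $agingtolerance;
    $cnf->{_}->{infodir}        = $infodir        if defined $infodir;
    $cnf->{_}->{cadir}          = $cadir          if defined $cadir;
    $cnf->{_}->{statedir}       = $statedir       if defined $statedir;
    $cnf->{_}->{httptimeout}    = $httptimeout    if defined $httptimeout;
    $cnf->{_}->{verbosity}      = $verbosity      if defined $verbosity;
    $cnf->{_}->{debuglevel}     = $debuglevel     if defined $debuglevel;
    $cnf->{_}->{output}         = $output         if defined $output;
    # repeated --format options are joined with "," so that the split on
    # [;,\s]+ below sees them as separate formats; joining with "" turned
    # "--format pem --format der" into the single unknown format "pemder"
    $cnf->{_}->{formats}        = join ",", @formats if @formats;
    $cnf->{_}->{parallelism}    = $parallelism    if $parallelism;
    $cnf->{_}->{randomwait}     = $randomwait     if defined $randomwait;

    # key default values (only applied when the key is still undefined)
    my @defaults = (
        version          => "3+",
        packager         => "EUGridPMA",
        openssl          => "openssl",
        agingtolerance   => 24,
        infodir          => '/etc/grid-security/certificates',
        formats          => "openssl",
        opensslmode      => "dual",
        httptimeout      => 120,
        nametemplate_der => '@ANCHORNAME@.@R@.crl',
        nametemplate_pem => '@ANCHORNAME@.@R@.crl.pem',
        # kept verbatim: the two template parts are concatenated without a
        # separator -- confirm against TrustAnchor before changing this
        catemplate       => '@ALIAS@.pem' . '@ALIAS@.@R@@ANCHORNAME@.@R@',
    );
    while ( my ($key, $value) = splice(@defaults, 0, 2) ) {
        defined $cnf->{_}->{$key} or $cnf->{_}->{$key} = $value;
    }
    # output and cadir default to whatever infodir ended up being
    defined $cnf->{_}->{output} or $cnf->{_}->{output} = $cnf->{_}->{infodir};
    defined $cnf->{_}->{cadir}  or $cnf->{_}->{cadir}  = $cnf->{_}->{infodir};
    # the state directory only gets a default when the cache dir is usable
    if ( not defined $cnf->{_}->{statedir}
         and -d "/var/cache/fetch-crl" and -w "/var/cache/fetch-crl" ) {
        $cnf->{_}->{statedir} = "/var/cache/fetch-crl";
    }

    $cnf->{_}->{nonssverify} ||= 0;
    $cnf->{_}->{nocache}     ||= 0;
    $cnf->{_}->{verbosity}   ||= 0;
    $cnf->{_}->{debuglevel}  ||= 0;

    # stateless operation disables the state directory altogether
    $cnf->{_}->{stateless} and delete $cnf->{_}->{statedir};

    # expand array keys in config
    defined $cnf->{_}->{formats} and
        @{ $cnf->{_}->{formats_} } = split(/[;,\s]+/, $cnf->{_}->{formats});

    # sanity check on configuration
    $cnf->{_}->{statedir} and ! -d $cnf->{_}->{statedir} and
        die "Invalid state directory " . $cnf->{_}->{statedir} . "\n";
    $cnf->{_}->{infodir} and ! -d $cnf->{_}->{infodir} and
        die "Invalid meta-data directory " . $cnf->{_}->{infodir} . "\n";

    # initialize logging: a configured logmode replaces the initial
    # "qualified" destination with the listed ones
    $log->flush;
    if ( $cnf->{_}->{logmode} and $log->destremove("qualified") ) {
        foreach my $dest ( split(/,+/, $cnf->{_}->{logmode}) ) {
            if ( $dest =~ /^syslog$/ ) {
                $log->destadd($dest, $cnf->{_}->{syslogfacility});
            } elsif ( $dest =~ /^(?:direct|qualified|cache)$/ ) {
                $log->destadd($dest);
            } else {
                die "Invalid log destination $dest, exiting.\n";
            }
        }
    }
    $log->setverbose($cnf->{_}->{verbosity});
    $log->setdebug($cnf->{_}->{debuglevel});

    return ($cnf, $log);
}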
# ########################################################################### |
# |
# |
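# Print the usage text to STDOUT and return 1 (the callers chain the return
# value with "and exit(...)").  The option list matches the GetOptions table
# in init_configuration: -d/--debug is a repeatable counter, not an option
# that takes a level argument.
sub help() {
    my $name = $0;
    $name =~ s{.*/}{};    # basename of the running script
    print <<EOHELP;
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for
a set of installed trust anchors, based on crl_url files or IGTF-style info
files. It will install these for use with OpenSSL, NSS or third-party tools.

Usage: $name [-c|--config configfile] [-l|--infodir path]
        [--cadir path] [-s|--statedir path] [-o|--output path] [--format \@formats]
        [-T|--httptimeout seconds] [-p|--parallelism n]
        [-a|--agingtolerance hours] [-r|--randomwait seconds]
        [-v|--verbose] [-h|--help] [-q|--quiet] [-d|--debug]

Options:
  -c | --config path
        Read configuration data from path, default: /etc/fetch-crl.cnf
  -l | --infodir path
        Location of the trust anchor meta-data files (crl_url or info),
        default: /etc/grid-security/certificates
  --cadir path
        Location of the trust anchors (default to infodir)
  -s | --statedir path
        Location of the historic state data (for caching and delayed-warning)
  -T | --httptimeout sec
        Maximum time in seconds to wait for retrieval of a single URL
  -o | --output path
        Location of the CRLs written (global default, defaults to infodir)
  --format \@formats
        Format(s) in which the CRLs will be written (openssl, pem, der, nss)
  -v | --verbose
        Become more talkative
  -q | --quiet
        Become really quiet (overrides verbosity)
  -d | --debug
        Increase the debug level (may be repeated)
  -p | --parallelism n
        Run up to n parallel trust anchor retrieval processes
  -a | --agingtolerance hours
        Be quiet for up to hours hours before raising an error. Until
        the tolerance has passed, only warnings are raised
  -r | --randomwait seconds
        Introduce a random delay of up to seconds seconds before starting
        any retrieval processes
  -h | --help
        This help text

EOHELP

    return 1;
}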
# ########################################################################### |
# |
# |
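# Process the given trust anchors one after the other: load each anchor
# from the meta-data directory ($::cnf->{_}->{infodir}, when set) and run
# the CRL retrieval pipeline on it.  An anchor that fails at any step is
# skipped; the next one is still processed.  Always returns 1 (the callers
# look at the logger's exit status, not at this value).
sub process_metafiles(@) {
    my @metafiles = @_;

    foreach my $f ( @metafiles ) {
        my $ta = TrustAnchor->new();
        $::cnf->{_}->{infodir} and $ta->setInfodir($::cnf->{_}->{infodir});
        $ta->loadAnchor($f) or next;

        # once the anchor is loaded it may switch the logger to its own
        # mode, so the mode is restored on every exit path of the pipeline
        # and not only after a completely successful run (otherwise a
        # failing anchor's log mode could leak into the next anchor)
        _process_loaded_anchor($ta);
        $ta->restoreLogMode();
    }

    return 1;
}

# Run the retrieval pipeline on a TrustAnchor that has been loaded already:
# load the CA files and the cached state, retrieve the CRLs, verify and
# convert them, write them out and save the new state.  Returns 1 when every
# step succeeded and an empty value at the first failing step.
sub _process_loaded_anchor {
    my ($ta) = @_;

    $ta->saveLogMode() and $ta->setLogMode();
    $ta->loadCAfiles()        or return;
    $ta->loadState()          or return;
    $ta->retrieve             or return;
    $ta->verifyAndConvertCRLs or return;

    my $writer = CRLWriter->new($ta);
    $writer->writeall()       or return;
    $ta->saveState()          or return;

    return 1;
}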
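# Process the trust anchors in up to $parallelism forked worker processes.
# Each worker handles one anchor via process_metafiles() and writes its log
# lines to a pipe; the parent collects the lines with select() and, once all
# workers are done, replays them through $::log based on their ERROR / WARN /
# VERBOSE(n) / DEBUG(n) prefix.  Always returns 1.
sub parallel_metafiles($@) {
    my $parallelism = shift;
    my @metafiles   = @_;

    my %fh_by_pid      = ();   # worker pid -> read end of its stdout pipe
    my %metafile_by_fh = ();   # read handle (as hash key) -> trust anchor name
    my %pid_by_fh      = ();   # read handle (as hash key) -> worker pid
    my $readset        = IO::Select->new();
    my %logoutput      = ();   # trust anchor name -> raw log text of its worker

    $| = 1;

    $::log->verb(2,"starting up to $parallelism worker processes");

    # loop until we have started all possible retrievals AND have
    # collected all possible output
    while ( @metafiles or scalar keys %fh_by_pid ) {

        if ( @metafiles and (scalar keys %fh_by_pid) < $parallelism ) {
            # we have metafiles left, and have spare process slots
            my $metafile = shift @metafiles;
            $logoutput{$metafile} = "";

            my $cout;
            my $cpid = open $cout, "-|";
            if ( not defined $cpid or not defined $cout ) {
                $::log->err("Cannot fork ($metafile): $!");
                next;
            }

            $::log->verb(5,"LOOP: starting process $cpid for $metafile");

            _run_worker($metafile) if $cpid == 0;    # child: never returns

            # parent: remember the child and watch its output
            $fh_by_pid{$cpid}      = $cout;
            $pid_by_fh{$cout}      = $cpid;
            $metafile_by_fh{$cout} = $metafile;
            $readset->add($cout);
        }

        # do a select loop over the outstanding requests to collect messages
        # if we are in the process of starting more processes, we just
        # briefly poll out pending output so as not to have blocking
        # children, but if we have started as many children as we ought to
        # we put in a longer timeout -- any output on a handle will
        # get us out of the select and into flushing mode again
        my $timeout =
            ( @metafiles and (scalar keys %fh_by_pid) < $parallelism ) ? 0.1 : 1;

        $::log->verb(6,"PLOOP: select with timeout $timeout");
        my ($rh_set) = IO::Select->select($readset, undef, undef, $timeout);

        # select() returns an empty list on timeout, hence the || []
        foreach my $fh ( @{ $rh_set || [] } ) {
            my $metafile = $metafile_by_fh{$fh};
            # we know there is at least one byte to read, but also that
            # any client sends complete lines
            _read_log_line($fh, \$logoutput{$metafile}) or next;

            # EOF: the worker closed its end of the pipe, collect it.
            # close() on a piped open waits for the child and leaves its wait
            # status in $?, so no separate waitpid() is needed (the previous
            # waitpid(WNOHANG) ran after close() had already reaped the child,
            # so the rc it logged was not the worker's status)
            $readset->remove($fh);
            close($fh);
            my $rc  = $?;
            my $pid = delete $pid_by_fh{$fh};
            delete $fh_by_pid{$pid} if defined $pid;
            $::log->verb(5, "Collected pid " . (defined $pid ? $pid : "?") . " (rc=$rc),",
                         length($logoutput{$metafile}), "bytes log output");
        }
    }

    # log out all collected log data from our children
    foreach my $metafile ( sort keys %logoutput ) {
        foreach my $line ( split(/\n/, $logoutput{$metafile}) ) {
            $line =~ /^ERROR\s+(.*)$/            and $::log->err($1);
            $line =~ /^WARN\s+(.*)$/             and $::log->warn($1);
            $line =~ /^VERBOSE\((\d+)\)\s+(.*)$/ and $::log->verb($1,$2);
            $line =~ /^DEBUG\((\d+)\)\s+(.*)$/   and $::log->debug($1,$2);
        }
    }

    return 1;
}

# Body of a forked worker: process the single trust anchor $metafile with a
# fresh "qualified" log destination (its output goes to the parent's pipe)
# and exit with the logger's exit status.  Does not return.
sub _run_worker {
    my ($metafile) = @_;

    $0 = "fetch-crl worker $metafile";
    $::log->cleanse();
    $::log->destadd("qualified");
    process_metafiles($metafile);
    $::log->flush;
    exit($::log->exitstatus);
}

# Append bytes from $fh to the string referenced by $buf_ref until a newline
# has been appended or the handle is exhausted.  Returns 1 when a complete
# line was read and an empty value at EOF (or on a failed sysread, which is
# treated the same way).
sub _read_log_line {
    my ($fh, $buf_ref) = @_;

    while (1) {
        my $char;
        my $length = sysread $fh, $char, 1;
        $length or return;
        $$buf_ref .= $char;
        return 1 if $char eq "\n";
    }
}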