--- loncom/CrGenerate.pl	2004/07/01 10:58:29	1.5
+++ loncom/CrGenerate.pl	2009/02/02 13:27:45	1.9
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # CrGenerate - Generate a loncapa certificate request.
 #
-# $Id: CrGenerate.pl,v 1.5 2004/07/01 10:58:29 foxr Exp $
+# $Id: CrGenerate.pl,v 1.9 2009/02/02 13:27:45 schafran Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -48,6 +48,7 @@
 # Import section:
 
 use strict;
+use lib '/home/httpd/lib/perl';
 use MIME::Entity;
 use LONCAPA::Configuration;
 use File::Copy;
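Review bot: The added `use lib '/home/httpd/lib/perl';` prepends that directory to `@INC`, so a module found there shadows the system copy and is compiled with the privileges of whoever runs the script, which the POD added later in this revision says is root. A short comment stating the ownership requirement would make the assumption explicit, e.g. `# Prepends to @INC; this directory must be root-owned and not group/world-writable, since this script runs as root.` Whether the path is already protected by the installer cannot be seen from this hunk.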
@@ -70,7 +71,7 @@ my $WebGroup="www";		# Group name runnin
 
 #   Debug/log support:
 #
-my $DEBUG = 1;			# 1 for on, 0 for off.
+my $DEBUG = 0;			# 1 for on, 0 for off.
 
 # Send debugging to stderr.
 # Parameters:
@@ -79,7 +80,7 @@ my $DEBUG = 1;			# 1 for on, 0 for off.
 #    $DEBUG - message is only written if this is true.
 #
 sub Debug {
-    my $msg  = shift;
+    my ($msg)  = @_;
     if($DEBUG) {
 	print STDERR "$msg\n";
     }
@@ -100,14 +101,14 @@ sub Debug {
 sub DecodeEmailFromRequest {
     Debug("DecodeEmailFromRequest");
 
-    my $RequestFile = shift;
+    my ($RequestFile) = @_;
     Debug("Request file is called $RequestFile");
 
     # We need to look for the line that has a "/Email=" in it.
 
     Debug("opening $RequestFile");
     open REQUEST, "< $RequestFile" or
-	die "Unable to open $RequestFile to parse return email address";
+	die "Unable to open $RequestFile to parse return e-mail address";
 
     Debug("Parsing request file");
     my $line;
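Review bot: `open REQUEST, "< $RequestFile" or die ...` a few lines after the hunk's first Debug call is still a two-argument open on a bareword handle, and the `die` message drops `$!`, so a failed open reports no reason. The only caller in this revision passes the fixed name `request.txt`, so there is no injection path today, but the three-argument form costs nothing and keeps the handle lexical: `open my $request, '<', $RequestFile or die "Unable to open $RequestFile to parse return e-mail address: $!";`. The read loop and the `close REQUEST` in the following hunk would then use `$request`. DecodeEmailFromRequest continues outside this hunk.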
@@ -120,7 +121,7 @@ sub DecodeEmailFromRequest {
 	}
     }
     if(!$found) {
-	die "There does not appear to be an email address in $RequestFile";
+	die "There does not appear to be an e-mail address in $RequestFile";
     }
 
     close REQUEST;
@@ -152,7 +153,7 @@ sub DecodeEmailFromRequest {
     Debug("Futher pulled out $addressequals");
 
     my ($junk, $address) = split(/=/, $addressequals);
-    Debug("Parsed final email addresss as $address");
+    Debug("Parsed final e-mail address as $address");
     
 
 
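Review bot: `my ($junk, $address) = split(/=/, $addressequals);` keeps only the second field, so an address whose local part contains `=` (permitted by RFC 5322, if unusual) would be silently truncated before it becomes the reply target. Limiting the split preserves everything after the first `=`: `my ($junk, $address) = split(/=/, $addressequals, 2);`. How `$addressequals` is derived is outside the hunk, so this assumes it holds a single `Email=<address>` token; the Debug line above it also still says "Futher".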
@@ -259,7 +260,7 @@ sub GenerateRequest {
     print "information.  Most of this information is for documentation\n";
     print "purposes only, so it's not critical if you make a mistake.\n";
     print "However:  The generated certificate will be sent to the \n";
-    print "Email address you provide, and you should leave the optional\n";
+    print "E-mail address you provide, and you should leave the optional\n";
     print "Challenge password blank.\n";
 
     my $requestcmd = $SSLCommand." req -newkey rsa:1024 "
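Review bot: The request command on the hunk's last line still asks for `rsa:1024`; a 1024-bit RSA host key is below the minimum that current CAs and TLS stacks accept, and since this is the key the secure lond/lonc will present, generating `rsa:2048` is the safer default. The statement continues past the hunk, so check that the rest of the concatenated string does not pin the size elsewhere. If 1024 is kept deliberately for compatibility with the certificate manager, a why-comment on that line should say so.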
@@ -368,7 +369,7 @@ sub MailRequest {
 
     my $FromEmail = DecodeEmailFromRequest("request.txt");
     if(!$FromEmail) {
-	die "From email address cannot be decoded from certificate request";
+	die "From e-mail address cannot be decoded from certificate request";
     }
     Debug("Certificate will be sent back to $FromEmail");
 
@@ -409,7 +410,23 @@ sub MailRequest {
 
     Debug("Done");
 } 
-sub Cleanup {}
+
+#
+#   Cleans up the detritus that's been created by this 
+#   script (see Implicit inputs below).
+# Implicit inputs:
+#    request.pem       - Name of certificate request file in PEM format
+#                        which will be deleted.
+#    request.txt       - Name of textual equivalent of request file
+#                        which will also be deleted.
+#    hostkey.pem       - Encrypted host key which will be deleted.
+#    hostkey.dec       - Decoded host key, which will be deleted.
+#
+sub Cleanup {
+    Debug("Cleaning up generated, temporary files");
+    unlink("request.pem", "request.txt", "hostkey.pem", "hostkey.dec");
+    Debug("done!");
+}
 
 
 
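Review bot: The new Cleanup ignores the return value of `unlink`, so if any of the four files cannot be removed — in particular `hostkey.dec`, the decrypted private key the surrounding documentation treats as the sensitive artifact — the script still logs `done!` and exits as if the directory were clean. Checking the count surfaces the problem: `unlink("request.pem", "request.txt", "hostkey.pem", "hostkey.dec") == 4 or warn "Cleanup: could not remove all temporary files: $!";`. Note that `unlink` only removes the directory entry; whether the decoded key's contents must also be overwritten is a separate decision this hunk does not address.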
@@ -423,3 +440,124 @@ MailRequest;			# Mail certificate reques
 Cleanup;			# Cleanup temp files created.
 
 Debug("Done");
+
+#---------------------- POD documentatio --------------------
+
+=head1 NAME
+ 
+    CrGenerate - Generate a loncapa certificate request.
+
+=head1 SYNOPSIS
+
+Usage: B<CrGenerate>
+
+This should probably be run automatically at system
+installation time.  Root must run this as write access is 
+required to /home/httpd.
+
+This is a command line script that:
+
+   - Generates a hostkey and certificate request.
+   - Installs the protected/decoded host key where
+     secure lond/lonc can find it.
+   - Emails the certificate request to the loncapa certificate
+     manager.
+
+In due course if all is legitimate, the loncapa certificate
+manager will email a certificate installation script to 
+the local loncapa system administrator.
+
+=head1 DESCRIPTION
+
+Using the default openssl configuration file, a certificate
+request and local hostkey are created in the current working
+directory.  The local host key is decoded and installed in the 
+loncapa certificate directory.  This allows the secure versions 
+of lonc and lond to locate them when attempting to form 
+external connections.  The key file is given mode
+0400 to secure it from prying eyes.
+
+The certificate request in PEM form is attached to an email that
+contains the textual equivalent of the certificate request 
+and sent to the loncapa certificate manager.  All temporary
+files (certificate request, keys etc.) are removed from the
+current working directory.
+
+It is recommended that the directory this script is run in have 
+permission mask 0700 to ensure that there are no timing holes
+during which the decoded host key file can be stolen.
+
+During certificate generation, the user will receive several 
+prompts.  For the default LonCAPA  openssl configuration, 
+these prompts, and documentation and sample responses
+in angle brackets (<>)  are shown below:
+
+    Country Name (2 letter code) [GB]: <your country e.g. US>
+    State or Province Name (full name) [Berkshire]: <State, province prefecture etc. e.g. Michigan>
+    Locality Name (eg, city) [Newbury]: <City township or  municipality e.g. East Lansing>
+    Organization Name (eg, company) [My Company Ltd]: <corporate entity e.g. Michigan State University>
+    Organizational Unit Name (eg, section) []: <unit within Organization e.g. LITE lab>
+    Common Name (eg, your name or your server's host name) [] <server's hostname e.g. myhost.university.edu>
+    Email Address []: <Address to which the granted certificate should be sent e.g. me@university.edu>
+    
+    Please enter the following 'extra' attributes
+    to be sent with your certificate request
+    A challenge password []: <leave this blank!!!!!>
+    An optional company name []: <Put whatever you want or leave blank>
+
+
+=head1  DEPENDENCIES
+
+ - MIME::Entity           Used to create the email message.
+ - LONCAPA::Configuration Used to parse the loncapa configuration files.
+ - File::Copy             Used to install the key file.
+ - /usr/lib/sendmail      Properly configured sendmail, used to send the
+                          certificate request email to the loncapa
+                          certificate administrator.
+ - /etc/httpd/conf/*      Loncapa configuration files read to locate
+                          the certificate directory etc.
+
+=head1 FILES
+
+  The following temporary files are created in the cwd
+
+  hostkey.pem         - PEM formatted version of the encrypted host key.
+  hostkey.dec         - PEM formatted decrypted version of the host key.
+  request.pem         - PEM formatted certificate request.
+  request.txt         - Textual rendering of the certificate request.
+
+  The following permanent file is created:
+
+  $CertDir/$Keyfile   - The installed decoded host key file. $CertDir
+                        is defined by the Perl variable lonCertificateDirectory
+                        in /etc/loncapa_apache.conf while $Keyfile is 
+                        defined by the perl variable lonnetPrivateKey in the
+                        same configuration file.
+  
+=head1 COPYRIGHT:
+
+ Copyright Michigan State University Board of Trustees
+
+ This file is part of the LearningOnline Network with CAPA (LON-CAPA).
+
+ LON-CAPA is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or 
+ (at your option) any later version.
+
+ LON-CAPA is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with LON-CAPA; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+ /home/httpd/html/adm/gpl.txt
+
+
+=cut
+
+
+
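Review bot: The comment introducing the new POD reads `#---------------------- POD documentatio --------------------` and should be `POD documentation`. The rest of this commit renames user-facing strings from "email" to "e-mail", but the SYNOPSIS, DESCRIPTION and DEPENDENCIES sections added here still use "email"/"Emails"; picking one spelling keeps the script and its documentation consistent. The FILES section documents hostkey.dec as a temporary file, which matches the Cleanup list in the earlier hunk.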