From: Andreas Steffen
Date: Mon, 25 Nov 2024 14:35:53 +0000 (+0100)
Subject: cert-enroll: Support three generations of CA certificates
X-Git-Tag: 6.0.0rc2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f59ca9698a39f617db6b6efbcbd7d9b18193a17c;p=thirdparty%2Fstrongswan.git

cert-enroll: Support three generations of CA certificates

If the lifetime of an issuing or sub CA is twice the lifetime of the end entity certificates issued by it and the renewal cycle of the issuing CAs is a little shorter than the validity of the end entity certificates then three generations of CA certificates have to be handled by the cert-enroll scripts.
---
diff --git a/src/cert-enroll/Makefile.am b/src/cert-enroll/Makefile.am
index f2eb9e6e01..745d7fc800 100644
--- a/src/cert-enroll/Makefile.am
+++ b/src/cert-enroll/Makefile.am
@@ -28,6 +28,8 @@ cert_install_availabledir = $(sysconfdir)/cert-enroll.d/cert-install-available
 cert_install_available_DATA = \
 cert-install-ssl \
 cert-install-sssd \
+ cert-install-ldaputils \
+ cert-install-cockpit \
 cert-install-dirsrv \
 cert-install-lighttpd \
 cert-install-openxpki \
@@ -41,9 +43,10 @@ cert-install-ipsec : cert-install-ipsec.in
 EXTRA_DIST = \
 cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \
- cert-install-dirsrv cert-install-gitea cert-install-ipsec.in \
- cert-install-lighttpd cert-install-openxpki cert-install-ssl \
- cert-install-sssd cert-install-swanctl.in
+ cert-install-cockpit cert-install-dirsrv cert-install-gitea \
+ cert-install-ipsec.in cert-install-ldaputils cert-install-lighttpd \
+ cert-install-openxpki cert-install-ssl cert-install-sssd \
+ cert-install-swanctl.in
 man8_MANS = cert-enroll.8
diff --git a/src/cert-enroll/cert-enroll.conf b/src/cert-enroll/cert-enroll.conf
index d2b12c82f9..ab8a644ba5 100644
--- a/src/cert-enroll/cert-enroll.conf
+++ b/src/cert-enroll/cert-enroll.conf
@@ -22,8 +22,10 @@
 : ${CAOUT=cacert}
 : ${ROOTCA=$CAOUT.pem}
 : ${OLDROOTCA=$CAOUT-old.pem}
+: ${OLDERROOTCA=$CAOUT-older.pem}
 : ${SUBCA=$CAOUT-1.pem}
 : ${OLDSUBCA=$CAOUT-1-old.pem}
+: ${OLDERSUBCA=$CAOUT-1-older.pem}
 : ${RAOUT=racert}
 : ${RACERT=$RAOUT.pem}
diff --git a/src/cert-enroll/cert-enroll.in b/src/cert-enroll/cert-enroll.in
index 84251a9477..71ef7a4e13 100644
--- a/src/cert-enroll/cert-enroll.in
+++ b/src/cert-enroll/cert-enroll.in
@@ -155,6 +155,10 @@ function check_ca_certs()
 if [ $ROOTCA_CHANGED -ne 0 ]
 then
 echo "Warning: '$ROOTCA' has changed"
+ if [ -s old/$ROOTCA ]
+ then
+ mv old/$ROOTCA older
+ fi
 mv $ROOTCA old
 mv new/$ROOTCA .
 fi
@@ -164,6 +168,10 @@ function check_ca_certs()
 if [ $SUBCA_CHANGED -ne 0 ]
 then
 echo "Warning: '$SUBCA' has changed"
+ if [ -s old/$SUBCA ]
+ then
+ mv old/$SUBCA older
+ fi
 mv $SUBCA old
 mv new/$SUBCA .
 fi
@@ -192,6 +200,7 @@ function install_certs()
 KEYTYPE="$KEYTYPE" CERTDIR="$CERTDIR" HOSTKEY="$HOSTKEY" \
 HOSTCERT="$HOSTCERT" ROOTCA="$ROOTCA" SUBCA="$SUBCA" \
 OLDROOTCA="$OLDROOTCA" OLDSUBCA="$OLDSUBCA" \
+ OLDERROOTCA="$OLDERROOTCA" OLDERSUBCA="$OLDERSUBCA" \
 USER_GROUP="$USER_GROUP" SERVICE="$SERVICE" \
 /bin/bash $script || status=$?
 if [ $status -ne 0 ]
@@ -251,7 +260,7 @@ esac
 ##############################################################################
 # Create and change into certificates directory
 #
-mkdir -p $CERTDIR/new $CERTDIR/old
+mkdir -p $CERTDIR/new $CERTDIR/old $CERTDIR/older
 cd $CERTDIR
 echo " changed into the '$CERTDIR' directory"
diff --git a/src/cert-enroll/cert-install-cockpit b/src/cert-enroll/cert-install-cockpit
new file mode 100644
index 0000000000..f985ab73e2
--- /dev/null
+++ b/src/cert-enroll/cert-install-cockpit
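Review bot: The new `OLDERROOTCA` and `OLDERSUBCA` defaults extend how long a superseded CA remains trusted by every consumer script, but nothing in the file says so, and an operator who has to withdraw trust from a retired CA early has no hint where its copies live. I would add above them `# A superseded CA stays trusted for two further renewal cycles (first as 'old', then as 'older');` and `# remove its copy from old/ or older/ below CERTDIR to withdraw trust sooner.` The retention behaviour is inferred from the check_ca_certs rotation in cert-enroll.in further down in this commit; please confirm the wording against that script.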
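Review bot: `mv old/$ROOTCA older` silently overwrites whatever already sits in `older/`, so the oldest generation is discarded without any message, whereas the current rotation at least prints `echo "Warning: '$ROOTCA' has changed"`; I would add `# keep at most three generations: the previous 'old' becomes 'older', the previous 'older' is discarded` above the test and `echo "Warning: replacing older/$ROOTCA"` inside it. The same applies to the SUBCA branch in the next hunk at line 168. Both branches now repeat the identical four-line rotation, so a small helper taking the file name would keep them in step, but that is optional style. check_ca_certs begins outside this hunk.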
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Install the generated key and certificate as TLS credentials for the Cockpit
+# management interface.
+#
+# Copyright (C) 2024 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set local paths
+#
+
+# Path to the cockpit credentials
+COCKPIT="/etc/cockpit/ws-certs.d"
+
+##############################################################################
+# Change into the certificates directory
+#
+cd $CERTDIR
+
+##############################################################################
+# Install the private key and certificate
+#
+cp $HOSTKEY $COCKPIT/ldap.key
+cp $HOSTCERT $COCKPIT/ldap.crt
+
+##############################################################################
+# Restart the cockpit systemd service
+#
+/usr/bin/systemctl restart cockpit.service
+exit 0
+
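Review bot: `cp $HOSTKEY $COCKPIT/ldap.key` copies a TLS private key without fixing its owner or mode, so the result depends on the mode of `$HOSTKEY`, the umask, and whether the target already exists; I would install it explicitly, `install -m 0600 -- $HOSTKEY $COCKPIT/ldap.key`, and the certificate with `install -m 0644 -- $HOSTCERT $COCKPIT/ldap.crt`. The `ldap.key`/`ldap.crt` base names read as if copied from an LDAP script; as far as I recall Cockpit pairs a `.key` with the `.crt` of the same base name and uses the alphabetically last certificate in ws-certs.d, so a name that documents the origin would help — please confirm against the Cockpit documentation before renaming. `/usr/bin/systemctl restart cockpit.service` is unconditional and starts Cockpit even when it was not running, while the sibling scripts in this commit only reload services that are active; `/usr/bin/systemctl try-restart cockpit.service` matches that behaviour.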
diff --git a/src/cert-enroll/cert-install-dirsrv b/src/cert-enroll/cert-install-dirsrv
index da196f7565..8cffe2b921 100644
--- a/src/cert-enroll/cert-install-dirsrv
+++ b/src/cert-enroll/cert-install-dirsrv
@@ -88,6 +88,16 @@ then
 $CERTUTIL -d . -A -t "CT,," -n "Old Sub CA" -i $CERTDIR/old/$SUBCA \
 -f passwd.txt
 fi
+if [ -s $CERTDIR/older/$ROOTCA ]
+then
+ $CERTUTIL -d . -A -t "CT,," -n "Older Root CA" -i $CERTDIR/older/$ROOTCA \
+ -f passwd.txt
+fi
+if [ -s $CERTDIR/older/$SUBCA ]
+then
+ $CERTUTIL -d . -A -t "CT,," -n "Older Sub CA" -i $CERTDIR/older/$SUBCA \
+ -f passwd.txt
+fi
 ##############################################################################
 # Move the generated credentials to the correct place and delete the build dir
diff --git a/src/cert-enroll/cert-install-ipsec.in b/src/cert-enroll/cert-install-ipsec.in
index 1eea8def0a..e50104caed 100644
--- a/src/cert-enroll/cert-install-ipsec.in
+++ b/src/cert-enroll/cert-install-ipsec.in
@@ -53,6 +53,22 @@ cp $HOSTCERT $IPSECDIR/certs
 # Install the CA certificates
 #
 cp $ROOTCA $SUBCA $IPSECDIR/cacerts
+if [ -s old/$ROOTCA ]
+then
+ cp old/$ROOTCA $IPSECDIR/cacerts/$OLDROOTCA
+fi
+if [ -s old/$SUBCA ]
+then
+ cp old/$SUBCA $IPSECDIR/cacerts/$OLDSUBCA
+fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $IPSECDIR/cacerts/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $IPSECDIR/cacerts/$OLDERSUBCA
+fi
 ##############################################################################
 # Reload the strongSwan charon daemon if it is running
diff --git a/src/cert-enroll/cert-install-ldaputils b/src/cert-enroll/cert-install-ldaputils
new file mode 100644
index 0000000000..90160e4b6e
--- /dev/null
+++ b/src/cert-enroll/cert-install-ldaputils
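Review bot: The four `if [ -s … ]` blocks added after `cp $ROOTCA $SUBCA $IPSECDIR/cacerts` differ only in the generation directory and the destination variable, and the same ladder is pasted again into cert-install-openxpki, cert-install-ssl, cert-install-sssd and cert-install-swanctl.in in this commit; a loop over the generations keeps the per-script copy to one place and makes a future fourth generation a one-word change. The destination name can be looked up indirectly from the generation (`${gen^^}` needs bash 4 or later, which the `/bin/bash` interpreter used by install_certs should provide — confirm on the oldest supported platform). A short comment such as `# superseded generations keep their configured names so charon can still build old chains` would also document why the old copies are installed at all, which the hunk currently leaves implicit.
```bash
cp $ROOTCA $SUBCA $IPSECDIR/cacerts
# superseded generations keep their configured names (OLD*/OLDER*)
for gen in old older
do
 rootvar="${gen^^}ROOTCA" subvar="${gen^^}SUBCA"
 if [ -s $gen/$ROOTCA ]
 then
 cp $gen/$ROOTCA $IPSECDIR/cacerts/${!rootvar}
 fi
 if [ -s $gen/$SUBCA ]
 then
 cp $gen/$SUBCA $IPSECDIR/cacerts/${!subvar}
 fi
done
# … unchanged: reload of the charon daemon …
```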
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Concatenate the present and past CA certificates into a single TLS_CACERT
+# file defined by ldap.conf so that the ldap-utils can verify the LDAP server
+# certificate.
+#
+# Copyright (C) 2024 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set some local paths
+#
+
+# Path to the LDAP configuration file
+LDAP_CONF="/etc/ldap/ldap.conf"
+
+# Extract or set path to the LDAP TLS CA cert directory
+LDAP_TLS_CACERTS=$(awk '/TLS_CACERT/ {print $2}' $LDAP_CONF)
+
+##############################################################################
+# Change into the certificate directory
+#
+cd $CERTDIR
+
+##############################################################################
+# Concatenate the CA certificates into a single file
+#
+cat $ROOTCA $SUBCA > $LDAP_TLS_CACERTS
+if [ -s old/$ROOTCA ]
+then
+ cat old/$ROOTCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s old/$SUBCA ]
+then
+ cat old/$SUBCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s older/$ROOTCA ]
+then
+ cat older/$ROOTCA >> $LDAP_TLS_CACERTS
+fi
+if [ -s older/$SUBCA ]
+then
+ cat older/$SUBCA >> $LDAP_TLS_CACERTS
+fi
+
+exit 0
diff --git a/src/cert-enroll/cert-install-openxpki b/src/cert-enroll/cert-install-openxpki
index 3bed2a9f33..e30aa87a49 100644
--- a/src/cert-enroll/cert-install-openxpki
+++ b/src/cert-enroll/cert-install-openxpki
@@ -54,6 +54,14 @@ if [ -s old/$SUBCA ]
 then
 cp old/$SUBCA $OPENXPKI_TLS/chain/$OLDSUBCA
 fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $OPENXPKI_TLS/chain/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $OPENXPKI_TLS/chain/$OLDERSUBCA
+fi
 rm -f $OPENXPKI_TLS/chain/*.0
diff --git a/src/cert-enroll/cert-install-ssl b/src/cert-enroll/cert-install-ssl
index 4db7c0b9cd..306e661b91 100644
--- a/src/cert-enroll/cert-install-ssl
+++ b/src/cert-enroll/cert-install-ssl
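Review bot: `awk '/TLS_CACERT/ {print $2}' $LDAP_CONF` is a substring match, so it also fires on a `TLS_CACERTDIR` line or a commented-out `#TLS_CACERT` line, and with more than one hit the variable holds several paths, so the bundle can end up at the wrong location. Anchoring on the first field and stopping at the first hit, `LDAP_TLS_CACERTS=$(awk 'toupper($1) == "TLS_CACERT" {print $2; exit}' $LDAP_CONF)` followed by `: "${LDAP_TLS_CACERTS:?TLS_CACERT not set in $LDAP_CONF}"`, fails with a clear message instead (today an empty value only dies because bash rejects the empty redirect at the `cat … >` line). The comment above it says "CA cert directory" although TLS_CACERT names a bundle file; `# Extract the path of the TLS_CACERT bundle file from ldap.conf` would be accurate. Since LDAP clients may read the bundle while `cat` truncates and re-appends it, writing to a temporary file in the target directory and moving it into place would make the update atomic.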
@@ -49,6 +49,14 @@ if [ -s $CERTDIR/old/$SUBCA ]
 then
 cat $CERTDIR/old/$SUBCA >> $SSL_DIR/trusted.pem
 fi
+if [ -s $CERTDIR/older/$ROOTCA ]
+then
+ cat $CERTDIR/older/$ROOTCA >> $SSL_DIR/trusted.pem
+fi
+if [ -s $CERTDIR/older/$SUBCA ]
+then
+ cat $CERTDIR/older/$SUBCA >> $SSL_DIR/trusted.pem
+fi
 ##############################################################################
 # Restart the systemd service if it is active
diff --git a/src/cert-enroll/cert-install-sssd b/src/cert-enroll/cert-install-sssd
index 260e1440f4..ae3d8bd2ed 100644
--- a/src/cert-enroll/cert-install-sssd
+++ b/src/cert-enroll/cert-install-sssd
@@ -53,6 +53,14 @@ if [ -s old/$SUBCA ]
 then
 cp old/$SUBCA $LDAP_TLS_CACERTDIR/$OLDSUBCA
 fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA $LDAP_TLS_CACERTDIR/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA $LDAP_TLS_CACERTDIR/$OLDERSUBCA
+fi
 rm -f $LDAP_TLS_CACERTDIR/*.0
diff --git a/src/cert-enroll/cert-install-swanctl.in b/src/cert-enroll/cert-install-swanctl.in
index 2b2781d525..ff8aad7d84 100644
--- a/src/cert-enroll/cert-install-swanctl.in
+++ b/src/cert-enroll/cert-install-swanctl.in
@@ -69,6 +69,14 @@ if [ -s old/$SUBCA ]
 then
 cp old/$SUBCA ${SWANCTLDIR}/x509ca/$OLDSUBCA
 fi
+if [ -s older/$ROOTCA ]
+then
+ cp older/$ROOTCA ${SWANCTLDIR}/x509ca/$OLDERROOTCA
+fi
+if [ -s older/$SUBCA ]
+then
+ cp older/$SUBCA ${SWANCTLDIR}/x509ca/$OLDERSUBCA
+fi
 ##############################################################################
 # Reload the strongswan systemd service if it is running