From de3474501233fa7662485985d0f3932cd22f8449 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Fri, 5 Jun 2015 14:33:36 +0000
Subject: [PATCH] Create key rotation script (#184)

---
 Makefile | 3 ++
 debian/liblemonldap-ng-common-perl.install | 1 +
 lemonldap-ng-common/MANIFEST | 1 +
 lemonldap-ng-common/scripts/rotateOidcKeys | 56 ++++++++++++++++++++++
 rpm/lemonldap-ng.spec | 1 +
 5 files changed, 62 insertions(+)
 create mode 100755 lemonldap-ng-common/scripts/rotateOidcKeys

diff --git a/Makefile b/Makefile
index 4a0db98d3..6911a1e1c 100644
--- a/Makefile
+++ b/Makefile
@@ -244,6 +244,7 @@ install_bin: install_conf_dir
 ${SRCPORTALDIR}/example/scripts/buildPortalWSDL \
 ${SRCCOMMONDIR}/scripts/convertConfig \
 ${SRCCOMMONDIR}/scripts/lmMigrateConfFiles2ini \
+ ${SRCCOMMONDIR}/scripts/rotateOidcKeys \
 ${SRCMANAGERDIR}/scripts/lmConfigEditor \
 ${SRCMANAGERDIR}/scripts/lemonldap-ng-cli \
 $(RBINDIR)
@@ -656,6 +657,7 @@ debian-diff:
 @$(DIFF) lemonldap-ng-common/lib/Lemonldap/NG/Common.pm $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Common.pm ||true
 @$(DIFF) lemonldap-ng-common/scripts/lmMigrateConfFiles2ini $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini ||true
 @$(DIFF) lemonldap-ng-common/scripts/convertConfig $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/convertConfig ||true
+ @$(DIFF) lemonldap-ng-common/scripts/rotateOidcKeys $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/rotateOidcKeys ||true
 @# Manager
 @$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Manager ||true
 @$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Manager.pm ||true
@@ -682,6 +684,7 @@ default-diff:
 @$(DIFF) lemonldap-ng-common/lib/Lemonldap/NG/Common.pm /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Common.pm ||true
 @$(DIFF) lemonldap-ng-common/scripts/lmMigrateConfFiles2ini $(LMPREFIX)/bin/lmMigrateConfFiles2ini ||true
 @$(DIFF) lemonldap-ng-common/scripts/convertConfig $(LMPREFIX)/bin/convertConfig ||true
+ @$(DIFF) lemonldap-ng-common/scripts/rotateOidcKeys $(LMPREFIX)/bin/rotateOidcKeys ||true
 @# Manager
 @$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Manager ||true
 @$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Manager.pm ||true
diff --git a/debian/liblemonldap-ng-common-perl.install b/debian/liblemonldap-ng-common-perl.install
index ca7c26453..d8ab6adc3 100644
--- a/debian/liblemonldap-ng-common-perl.install
+++ b/debian/liblemonldap-ng-common-perl.install
@@ -6,4 +6,5 @@
 /usr/share/lemonldap-ng/ressources
 /usr/share/lemonldap-ng/bin/convertConfig
 /usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
+/usr/share/lemonldap-ng/bin/rotateOidcKeys
 /var/lib/lemonldap-ng/conf/
diff --git a/lemonldap-ng-common/MANIFEST b/lemonldap-ng-common/MANIFEST
index cc8af8417..cee1269c2 100644
--- a/lemonldap-ng-common/MANIFEST
+++ b/lemonldap-ng-common/MANIFEST
@@ -45,6 +45,7 @@ META.yml
 README
 scripts/convertConfig
 scripts/lmMigrateConfFiles2ini
+scripts/rotateOidcKeys
 t/01-Common-Conf.t
 t/02-Common-Conf-File.t
 t/03-Common-Conf-CDBI.t
diff --git a/lemonldap-ng-common/scripts/rotateOidcKeys b/lemonldap-ng-common/scripts/rotateOidcKeys
new file mode 100755
index 000000000..25d36c38b
--- /dev/null
+++ b/lemonldap-ng-common/scripts/rotateOidcKeys
@@ -0,0 +1,56 @@
+#!/usr/bin/perl
+#=============================================================================
+# Rotation of OpenID Connect keys
+#
+# This module is written to be used by cron to rotate keys.
+#
+# This is part of LemonLDAP::NG product, released under GPL
+#=============================================================================
+
+use strict;
+
+use Convert::PEM;
+use Crypt::OpenSSL::RSA;
+use Lemonldap::NG::Common::Conf;
+use String::Random qw(random_string);
+
+my $debug = 0;
+
+#=============================================================================
+# Load configuration
+#=============================================================================
+my $lmconf = Lemonldap::NG::Common::Conf->new()
+ or die $Lemonldap::NG::Common::Conf::msg;
+my $conf = $lmconf->getConf();
+
+print "Configuration loaded\n" if $debug;
+
+#=============================================================================
+# Generate new key
+#=============================================================================
+my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
+my $key_id = random_string("ssssssssss");
+my $keys = {
+ 'private' => $rsa->get_private_key_string(),
+ 'public' => $rsa->get_public_key_x509_string(),
+ 'id' => $key_id,
+};
+
+print "Private key generated:\n" . $keys->{private} . "\n" if $debug;
+print "Public key generated:\n" . $keys->{public} . "\n" if $debug;
+print "Key ID generated: " . $keys->{id} . "\n" if $debug;
+
+#=============================================================================
+# Save configuration
+#=============================================================================
+$conf->{cfgAuthor} = 'Key rotation script';
+
+$conf->{oidcServicePrivateKeySig} = $keys->{private};
+$conf->{oidcServicePublicKeySig} = $keys->{public};
+$conf->{oidcServiceKeyIdSig} = $keys->{id};
+
+$lmconf->saveConf($conf) or die $Lemonldap::NG::Common::Conf::msg;
+
+print "Configuration saved\n" if $debug;
+
+exit 0;
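Review bot: The debug branch `print "Private key generated:\n" . $keys->{private} . "\n" if $debug;` writes the freshly generated RSA private key to stdout, and for a job the header itself says is meant to run from cron, stdout typically ends up in mail or a log file, so the line should become `print "Private key generated\n" if $debug;` and only the key ID and public key should ever be printed. The save block also overwrites `oidcServicePrivateKeySig`, `oidcServicePublicKeySig` and `oidcServiceKeyIdSig` in place, so once `saveConf` succeeds nothing signed under the previous key can be verified against the published key and relying parties holding a cached JWKS would presumably reject tokens issued just before the run; this is worth stating in the header, e.g. `# NOTE: the previous signing key is discarded immediately, not kept for a grace period; tokens signed before the rotation become unverifiable.`. Two smaller points: the file has `use strict;` but no `use warnings;`, and `use Convert::PEM;` is not referenced anywhere in the script, so it is a hard install-time dependency for nothing.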
diff --git a/rpm/lemonldap-ng.spec b/rpm/lemonldap-ng.spec
index 09d943324..37c4f26ed 100644
--- a/rpm/lemonldap-ng.spec
+++ b/rpm/lemonldap-ng.spec
@@ -475,6 +475,7 @@ rm -rf %{buildroot}
 %dir %{lm_sharedir}/bin
 %{lm_sharedir}/bin/convertConfig
 %{lm_sharedir}/bin/lmMigrateConfFiles2ini
+%{lm_sharedir}/bin/rotateOidcKeys
 %dir %{lm_examplesdir}
 %dir %{lm_sharedir}/ressources
 %{lm_sharedir}/ressources/*