Create key rotation script (#184)

de347450 · Clément OUDOT · 38e944ec · de347450 · de347450 · de347450
Commit de347450 authored Jun 05, 2015 by Clément OUDOT
5 changed files
--- a/Makefile
+++ b/Makefile
@@ -244,6 +244,7 @@ install_bin:	install_conf_dir
 		${SRCPORTALDIR}/example/scripts/buildPortalWSDL \
 		${SRCCOMMONDIR}/scripts/convertConfig \
 		${SRCCOMMONDIR}/scripts/lmMigrateConfFiles2ini \
+		${SRCCOMMONDIR}/scripts/rotateOidcKeys \
 		${SRCMANAGERDIR}/scripts/lmConfigEditor \
 		${SRCMANAGERDIR}/scripts/lemonldap-ng-cli \
 			$(RBINDIR)
@@ -656,6 +657,7 @@ debian-diff:
 	@$(DIFF) lemonldap-ng-common/lib/Lemonldap/NG/Common.pm $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Common.pm ||true
 	@$(DIFF) lemonldap-ng-common/scripts/lmMigrateConfFiles2ini $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini ||true
 	@$(DIFF) lemonldap-ng-common/scripts/convertConfig $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/convertConfig ||true
+	@$(DIFF) lemonldap-ng-common/scripts/rotateOidcKeys $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/rotateOidcKeys ||true
 	@# Manager
 	@$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Manager ||true
 	@$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Manager.pm ||true
@@ -682,6 +684,7 @@ default-diff:
 	@$(DIFF) lemonldap-ng-common/lib/Lemonldap/NG/Common.pm /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Common.pm ||true
 	@$(DIFF) lemonldap-ng-common/scripts/lmMigrateConfFiles2ini $(LMPREFIX)/bin/lmMigrateConfFiles2ini ||true
 	@$(DIFF) lemonldap-ng-common/scripts/convertConfig $(LMPREFIX)/bin/convertConfig ||true
+	@$(DIFF) lemonldap-ng-common/scripts/rotateOidcKeys $(LMPREFIX)/bin/rotateOidcKeys ||true
 	@# Manager
 	@$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Manager ||true
 	@$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm /usr/local/share/perl/$(PERLVERSION)/Lemonldap/NG/Manager.pm ||true

--- a/debian/liblemonldap-ng-common-perl.install
+++ b/debian/liblemonldap-ng-common-perl.install
@@ -6,4 +6,5 @@
 /usr/share/lemonldap-ng/ressources
 /usr/share/lemonldap-ng/bin/convertConfig
 /usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
+/usr/share/lemonldap-ng/bin/rotateOidcKeys
 /var/lib/lemonldap-ng/conf/
--- a/lemonldap-ng-common/MANIFEST
+++ b/lemonldap-ng-common/MANIFEST
@@ -45,6 +45,7 @@ META.yml
 README
 scripts/convertConfig
 scripts/lmMigrateConfFiles2ini
+scripts/rotateOidcKeys
 t/01-Common-Conf.t
 t/02-Common-Conf-File.t
 t/03-Common-Conf-CDBI.t

--- a/lemonldap-ng-common/scripts/rotateOidcKeys
+++ b/lemonldap-ng-common/scripts/rotateOidcKeys
+#!/usr/bin/perl
+#=============================================================================
+# Rotation of OpenID Connect keys
+#
+# This module is written to be used by cron to rotate keys.
+#
+# This is part of LemonLDAP::NG product, released under GPL
+#=============================================================================
+
+use strict;
+
+use Convert::PEM;
+use Crypt::OpenSSL::RSA;
+use Lemonldap::NG::Common::Conf;
+use String::Random qw(random_string);
+
+my $debug = 0;
+
+#=============================================================================
+# Load configuration
+#=============================================================================
+my $lmconf = Lemonldap::NG::Common::Conf->new()
+  or die $Lemonldap::NG::Common::Conf::msg;
+my $conf = $lmconf->getConf();
+
+print "Configuration loaded\n" if $debug;
+
+#=============================================================================
+# Generate new key
+#=============================================================================
+my $rsa    = Crypt::OpenSSL::RSA->generate_key(2048);
+my $key_id = random_string("ssssssssss");
+my $keys   = {
+    'private' => $rsa->get_private_key_string(),
+    'public'  => $rsa->get_public_key_x509_string(),
+    'id'      => $key_id,
+};
+
+print "Private key generated:\n" . $keys->{private} . "\n" if $debug;
+print "Public key generated:\n" . $keys->{public} . "\n"   if $debug;
+print "Key ID generated: " . $keys->{id} . "\n"            if $debug;
+
+#=============================================================================
+# Save configuration
+#=============================================================================
+$conf->{cfgAuthor} = 'Key rotation script';
+
+$conf->{oidcServicePrivateKeySig} = $keys->{private};
+$conf->{oidcServicePublicKeySig}  = $keys->{public};
+$conf->{oidcServiceKeyIdSig}      = $keys->{id};
+
+$lmconf->saveConf($conf) or die $Lemonldap::NG::Common::Conf::msg;
+
+print "Configuration saved\n" if $debug;
+
+exit 0;
--- a/rpm/lemonldap-ng.spec
+++ b/rpm/lemonldap-ng.spec
@@ -475,6 +475,7 @@ rm -rf %{buildroot}
 %dir %{lm_sharedir}/bin
 %{lm_sharedir}/bin/convertConfig
 %{lm_sharedir}/bin/lmMigrateConfFiles2ini
+%{lm_sharedir}/bin/rotateOidcKeys
 %dir %{lm_examplesdir}
 %dir %{lm_sharedir}/ressources
 %{lm_sharedir}/ressources/*