From: Martin Mares
Date: Tue, 5 Jun 2007 14:26:48 +0000 (+0200)
Subject: Added script for creation of certificates.
X-Git-Tag: python-dummy-working~390
X-Git-Url: http://mj.ucw.cz/gitweb/?a=commitdiff_plain;h=f74ecb59285c192b6ea66db11921d642846be5d3;p=moe.git
Added script for creation of certificates.
---
diff --git a/submit/TODO b/submit/TODO
index c335010..39eb3e8 100644
--- a/submit/TODO
+++ b/submit/TODO
@@ -4,3 +4,4 @@ submitd:
 - Checking of contest time (and per-contestant exceptions)
 - Keeping history and pruning status files
 - Remember hashes
+- create tmp directory
diff --git a/submit/client-cert.tpl b/submit/client-cert.tpl
new file mode 100644
index 0000000..70761dc
--- /dev/null
+++ b/submit/client-cert.tpl
@@ -0,0 +1,88 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "MO-Eval"
+
+# The organizational unit of the subject.
+#unit = "MO-Eval"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+#state = "xx"
+
+# The country of the subject. Two letter code.
+#country = CZ
+
+# The common name of the certificate owner.
+cn = "testuser"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 002
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 700
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "localhost"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+#email = "mj@ucw.cz"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Whether this certificate will be used for a TLS client
+tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is prefered to use different
+# keys for encryption and signing.
+encryption_key
+
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
diff --git a/submit/config b/submit/config
new file mode 100644
index 0000000..dfece60
--- /dev/null
+++ b/submit/config
@@ -0,0 +1,68 @@
+# Configuration file for the submit server
+
+SubmitD {
+
+# Port number
+Port 8888
+
+# Maximum number of connections allowed
+MaxConn 4
+
+# Time in seconds after which inactive connections are closed (0=none)
+SessionTimeout 300
+
+# Maximum size of a request
+MaxRequestSize 4K
+
+# Maximum size of an attachment (i.e., a submitted solution)
+MaxAttachSize 256K
+
+# Number of bits for the Diffie-Hellman key exchange
+DHBits 1024
+
+# Certificate of our internal CA which is used to validate all contestants
+CACert certs/ca-cert.pem
+
+# The certificate (issued by our CA) and secret key for this server
+ServerCert certs/server-cert.pem
+ServerKey certs/server-key.pem
+
+# Rules for accepting connections (first matching rule is used)
+Access {
+ # IP address range matched by this rule
+ IP 127.0.0.1
+
+ # Administrator access allowed
+ Admin 1
+
+ # Plain-text connections without any user authentication allowed
+ PlainText 0
+
+ # Maximum number of connections per IP address allowed
+ MaxConn 1
+}
+
+# Trace TLS parameters
+TraceTLS 1
+
+# Trace command and their results
+TraceCommands 1
+
+}
+
+# Competition tasks
+
+Tasks {
+ Task plans
+ Task { Name world; OpenData 10; }
+
+ Extension c cpp pas
+ OpenDataExt out
+}
+
+# Library configuration
+
+# Need to put temporary files locally to make sure they are on the same device
+# as the submission directories, so that we can rename the files to their final
+# locations.
+Tempfiles.Prefix tmp/temp
diff --git a/submit/create-certs b/submit/create-certs
new file mode 100755
index 0000000..5e4abb2
--- /dev/null
+++ b/submit/create-certs
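Review bot: `cn = "testuser"` and `serial = 002` in submit/client-cert.tpl are placeholders that submit/create-certs is meant to substitute per user, but nothing in the file says so, and a reader could issue a certificate straight from the template with a CN and serial shared by every such certificate. A header comment such as `# Per-user template: cn and serial are rewritten by submit/create-certs; do not feed this file to certtool directly.` would make the contract explicit. The remaining settings read as the stock certtool example with the client flags (`tls_www_client`, `signing_key`, `encryption_key`) enabled, so the comment is the only thing missing.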
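Review bot: `DHBits 1024` in the `SubmitD` block sizes the ephemeral Diffie-Hellman group below the 2048 bits that is now the common minimum; unless the client side is known to reject larger groups, `DHBits 2048` is the safer default for a file that otherwise looks like the deployed configuration. `TraceTLS 1` and `TraceCommands 1` are also switched on here, which presumably is a debugging setting rather than what a contest server should log by default. The comment `# Trace command and their results` should read `# Trace commands and their results`.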
@@ -0,0 +1,32 @@
+#!/bin/sh
+# A script for creation of all the certificates used by submitd
+# (c) 2007 Martin Mares
+
+set -e
+if [ ! -f submit/ca-cert.tpl ] ; then
+ echo >&2 "Please run from the MO root directory."
+ exit 1
+fi
+
+umask 033
+rm -rf certs
+mkdir certs
+
+echo "### Creating CA certificate ###"
+submit/privkey >certs/ca-key.pem
+certtool --generate-self-signed --load-privkey certs/ca-key.pem --outfile certs/ca-cert.pem --template submit/ca-cert.tpl
+
+echo "### Creating server certificate ###"
+submit/privkey >certs/server-key.pem
+certtool --generate-request --load-privkey certs/server-key.pem --outfile certs/server-req.pem --template submit/server-cert.tpl
+certtool --generate-certificate --load-request certs/server-req.pem --outfile certs/server-cert.pem --load-ca-certificate certs/ca-cert.pem --load-ca-privkey certs/ca-key.pem --template submit/server-cert.tpl
+
+seq=1
+for user in `bin/mo-get-users` ; do
+ seq=$(($seq+1))
+ echo "### Creating certificate for user #$seq ($user) ###"
+ sed certs/$user-cert.tpl "s/cn = \".*\"/cn = \"$user\"/; s/serial = .*/serial = $seq/;"
+ submit/privkey >certs/$user-key.pem
+ certtool --generate-request --load-privkey certs/$user-key.pem --outfile certs/$user-req.pem --template certs/$user-cert.tpl
+ certtool --generate-certificate --load-request certs/$user-req.pem --outfile certs/$user-cert.pem --load-ca-certificate certs/ca-cert.pem --load-ca-privkey certs/ca-key.pem --template certs/$user-cert.tpl
+done
diff --git a/submit/submitd.c b/submit/submitd.c
index 4bc13ef..3aadc75 100644
--- a/submit/submitd.c
+++ b/submit/submitd.c
@@ -523,7 +523,7 @@ reject2: ;
 int main(int argc, char **argv)
 {
  setproctitle_init(argc, argv);
- cf_def_file = "config";
+ cf_def_file = "submit/config";
  cf_declare_section("SubmitD", &submitd_conf, 0);
  cf_declare_section("Tasks", &tasks_conf, 0);
diff --git a/userlist b/userlist
index a0260b2..f852080 100644
--- a/userlist
+++ b/userlist
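Review bot: The `sed` line inside the user loop cannot work as written: sed takes its script as the first non-option argument, so `sed certs/$user-cert.tpl "s/..."` uses the template path as the script and the substitution as an input file, writes to stdout, and nothing ever creates `certs/$user-cert.tpl` in the freshly recreated `certs` directory, so under `set -e` the following `certtool --template certs/$user-cert.tpl` fails. The intended line is presumably `sed "s/cn = \".*\"/cn = \"$user\"/; s/serial = .*/serial = $seq/;" submit/client-cert.tpl >certs/$user-cert.tpl`. `umask 033` also leaves every file the script creates group- and world-readable, including `certs/ca-key.pem`, `certs/server-key.pem` and each `certs/$user-key.pem` written through shell redirection; `umask 077` before `mkdir certs`, or `chmod 600 certs/*-key.pem` at the end, keeps the private keys owner-only. The serial counter starts at 1 and is incremented before its first use, so the first user gets serial 2; that is only unique if `submit/ca-cert.tpl` and `submit/server-cert.tpl` (referenced but not part of this diff) do not also use 2, which is worth a comment next to `seq=1`.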
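Review bot: `cf_def_file = "submit/config"` is a path relative to the current working directory, and the config it loads refers to `certs/...` relatively as well, so submitd only finds its configuration and key material when started from the MO root; from any other directory this line silently selects a missing or different file rather than failing here. A comment such as `/* Relative to the MO root; submitd must be started from there, like submit/create-certs. */` would document the assumption. main() continues past the end of the hunk.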
@@ -1,3 +1,2 @@
-mj Martin Mares
-fox Milan Straka
 authors The Authors
+testuser The Testuser