From b79f6bb7eef404a5f6448752a21ecdd40e9cdb0b Mon Sep 17 00:00:00 2001 From: jbjohnso Date: Wed, 27 Feb 2013 22:05:53 +0000 Subject: [PATCH] Check in more comments and code into the still yet non-functional powershell module git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@15273 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd --- .../share/xcat/netboot/windows/xcatlibs.psm1 | 46 ++++++++++++++++--- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/xCAT-server/share/xcat/netboot/windows/xcatlibs.psm1 b/xCAT-server/share/xcat/netboot/windows/xcatlibs.psm1 index 1b9c725cc..beeea5ba5 100644 --- a/xCAT-server/share/xcat/netboot/windows/xcatlibs.psm1 +++ b/xCAT-server/share/xcat/netboot/windows/xcatlibs.psm1 @@ -1,20 +1,52 @@ # IBM(c) 2013 EPL license http://www.eclipse.org/legal/epl-v10.html # This function specifically validates that the peer we are talking to is signed by the xCAT blessed CA and no other CA Function xCAT-Verify-Cert ($sender, $cert, $chain, $polerrs) { + if ($polerrs -ne "None") { return $false } #if the overall policy suggests rejection, go with it + #now, system policy suggests that everything is ok, but we want to be more picky, because we + #are measuring something more specific than 'did any old CA sign this', we specifically want to assue the signer CA is xCAT's + #TODO: perhaps ignore the RemoteCertificateChainErrors condition and chase a chain of our own creation + #that chain could live outside the user or system wide root to avoid giving xCAT the power to sign certs for things it shouldn't foreach ($cert in $chain.chainElements) { - $cathumb=$cert.Certificate.thumbprint + if ($script:xcatcacert.thumbprint -eq $cert.Certificate.thumprint) { + return $true + } } - if ($scrpt:xcatcacert.thumbprint -ne $cathumb) { - return $false - } - return $true + return $false } #we import the xCAT certificate authority into the appropriate scope +#we have to use localmachine in order to avoid interactive prompt, meaning we need admin for this one, besides +#this means admin installs CA cert for everyone +#TODO: use cert:\currentuser\root when not administrator to facilitate xCAT-client case, take the prompt once Function xCAT-Import-CA ( $certpath ) { $script:xcatcacert=Import-Certificate -FilePath $certpath -CertStoreLocation Cert:\LocalMachine\root } -Function xCAT-Remove-CA () { - rm cert:\localmachine\root\$script:xcatcacert.thumbprint + +#this removes the xCAT CA from trust store, if user wishes to explicitly distrust xCAT post deploy +Function xCAT-Remove-CA ( $certpath ) { + xCAT-Import-CA($certpath) #this seems insane, but it's easiest way to make sure we have the correct path + rm $script:xcatcacert.PSPath } +#specify a client certificate to use in pfx format +#we put this one in the user's store instead of system wide +Function xCAT-Set-Client-Certificate ( $pfxPath ) { + $script:xcatclientcert=Import-pfxCertificate $pfxPath -certStoreLocation cert:\currentuser\my +} +Function xCAT-Remove-Client-Certificate( $pfxPath ) { + xCAT-Set-Client-Certificate($pfxpath) + rm cert:\currentuser\my\$script:xcatclientcert.thumbprint +} + +#key here is that we might have two certificates: +#-one intended to identify the system that was deployed by xcat +#-one intended to identify the user to do things like 'rpower' +#TODO: argument to specify whether this is a human or machine. Default would be human and machine invocation would be in scripts +Function xCAT-Select-Cert ($sender, $targetHost, $localCertificates, $remoteCertificate,$acceptableIssuers) { + $script:xcatclientcert +} +Function xCAT-Connect ( + Param( + $mgtServer, + $mgtServerAltName=$mgtServer + )