LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
214 Commits
7 Branches
218 KiB
 
Tree: d3723a9ef8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd3723a9ef8'
${ noResults }
ca_manager/ca_manager/models/ssl.py

153 lines
5.0 KiB
Raw Blame History

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from playhouse.gfk import *
import os
from inspect import getsourcefile
import subprocess
from .authority import Authority
from .certificate import Certificate
from .request import SignRequest
from ..paths import *
import json
class HostSSLRequest(SignRequest):
def __init__(self, req_id, host_name, key_data):
super(HostSSLRequest, self).__init__(req_id)
self.host_name = host_name
self.key_data = key_data
@property
def name(self):
return 'Hostname: %s' % self.host_name
@property
def fields(self):
return [
('Hostname', self.host_name)
]
@property
def receiver(self):
return self.host_name
class CASSLRequest(SignRequest):
def __init__(self, req_id, ca_name, key_data):
super(CASSLRequest, self).__init__(req_id)
self.ca_name = ca_name
self.key_data = key_data
@property
def name(self):
return 'CA name: %s' % self.ca_name
@property
def fields(self):
return [
('CA name', self.ca_name)
]
@property
def receiver(self):
return self.ca_name
class SSLAuthority(Authority):
request_allowed = [HostSSLRequest, CASSLRequest, ]
ca_key_algorithm = 'des3'
key_length = '4096'
key_algorithm = 'sha256'
root_ca_validity = '3650'
ca_validity = '1825'
cert_validity = '365'
def generate(self):
if os.path.exists(self.path):
raise ValueError('A CA with the same id and type already exists')
confirm = input('Is a root CA? [y/N]> ')
if confirm == 'y':
self.isRoot = True
else:
self.isRoot = False
subprocess.check_output(['openssl',
'genrsa',
'-%s' % self.ca_key_algorithm,
'-out', '%s' % (self.path),
self.key_length])
if self.isRoot:
subprocess.check_output(['openssl',
'req',
'-extensions', 'v3_root_ca',
'-config', os.path.join(os.path.dirname(os.path.abspath(getsourcefile(lambda:0))), '../openssl-config/openssl.cnf'),
'-new',
'-x509',
'-days', self.root_ca_validity,
'-key', self.path,
# '-extensions', 'v3_ca'
'-out', '%s.pub' % self.path,
# '-config', "%s.conf"%self.path
])
else:
subprocess.check_output(['openssl',
'req',
'-new',
#'-x509',
# '-days', self.ca_validity,
'-key', self.path,
# '-extensions', 'v3_ca'
'-out', '%s.csr' % self.path,
# '-config', "%s.conf"%self.path
])
result_dict = {}
result_dict['keyType'] = 'ssl_ca'
result_dict['caName'] = self.ca_id
with open("%s.csr" % self.path, 'r') as f:
result_dict['keyData'] = "".join(f.readlines())
request = {'type': 'sign_request', 'request': result_dict}
print('Please sign the following request:')
print(json.dumps(request))
with open(self.path + '.serial', 'w') as stream:
stream.write(str(0))
def generate_certificate(self, request):
"""
Sign a *SSLRequest with this certification authority
"""
if not os.path.exists('%s.pub' % self.path) and not self.isRoot:
raise ValueError("The CA certificate '%s.pub' doesn't exists yet" % self.path)
pub_key_path = request.destination
cert_path = request.cert_destination
with open(pub_key_path, 'w') as stream:
stream.write(request.key_data)
subprocess.check_output(['openssl',
'x509',
'-req',
'-days', self.ca_validity,
'-in', pub_key_path,
'-CA', '%s.pub' % self.path,
'-CAkey', self.path,
'-CAcreateserial',
'-out', cert_path,
'-%s' % self.key_algorithm])
if not self.isRoot:
with open(cert_path, 'a') as cert_file:
with open('%s.pub' % self.path) as ca_cert_file:
cert_file.writelines(ca_cert_file.readlines())
return self.ca_validity