LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57 Commits
7 Branches
218 KiB
Tree: 34abc053b3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '34abc053b3'
${ noResults }
ca_manager/certificate_requests.py

227 lines
6.3 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change base class Authority to accept a directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. 

  9. from paths import *
  10. 

  11. __doc__= """

  12. Module of classes to handle certificate requests
  13. """

  14. 

  15. class SignRequest(object):
  16.     def __init__(self, req_id):
  17.         self.req_id = req_id
  18. 

  19.     def get_name(self):
  20.         raise NotImplementedError()
  21. 

  22.     def get_fields(self):
  23.         raise NotImplementedError()
  24. 

  25. 

  26. class UserSSHRequest(SignRequest, object):
  27.     def __init__(self, req_id, user_name, root_requested, key_data):
  28.         super(UserSSHRequest, self).__init__(req_id)
  29. 

  30.         self.user_name = user_name
  31.         self.root_requested = root_requested
  32.         self.key_data = key_data
  33. 

  34.     def get_name(self):
  35.         return "User: %s [R:%d]" % (self.user_name, int(self.root_requested))
  36. 

  37.     def get_fields(self):
  38.         return [
  39.             ("User name", self.user_name),
  40.             ("Root access requested", 'yes' if self.root_requested else 'no')
  41.         ]
  42. 

  43.     def __str__(self):
  44.         return ("%s %s" % (self.req_id, self.user_name))
  45. 

  46. class HostSSLRequest(SignRequest, object):
  47.     def __init__(self, req_id, host_name, key_data):
  48.         super(HostSSLRequest, self).__init__(req_id)
  49. 

  50.         self.host_name = host_name
  51.         self.key_data = key_data
  52. 

  53.     def get_name(self):
  54.         return "Hostname: %s" % self.host_name
  55. 

  56.     def get_fields(self):
  57.         return [
  58.             ("Hostname", self.host_name)
  59.         ]
  60.     def __str__(self):
  61.         return ("%s %s" % (self.req_id, self.host_name))
  62. 

  63. class HostSSHRequest(SignRequest, object):
  64.     def __init__(self, req_id, host_name, key_data):
  65.         super(HostSSHRequest, self).__init__(req_id)
  66. 

  67.         self.host_name = host_name
  68.         self.key_data = key_data
  69. 

  70.     def get_name(self):
  71.         return "Hostname: %s" % self.host_name
  72. 

  73.     def get_fields(self):
  74.         return [
  75.             ("Hostname", self.host_name)
  76.         ]
  77.     def __str__(self):
  78.         return ("%s %s" % (self.req_id, self.host_name))
  79. 

  80. 

  81. class Authority(object):
  82.     ca_type = None
  83. 

  84.     def __init__(self, ca_id, name, ca_dir):
  85.         self.ca_id = ca_id
  86.         self.name = name
  87.         self.ca_dir = ca_dir
  88. 

  89.     @property
  90.     def path(self):
  91.         return os.path.join(self.ca_dir, self.ca_id)
  92. 

  93.     def generate(self):
  94.         raise NotImplementedError()
  95. 

  96.     def sign(self, request):
  97.         raise NotImplementedError()
  98. 

  99. 

  100. class SSHAuthority(Authority):
  101.     ca_type = 'ssh'
  102. 

  103.     key_algorithm = 'ed25519'
  104. 

  105.     user_validity = '+52w'
  106.     host_validity = '+52w'
  107. 

  108.     def generate(self):
  109.         if os.path.exists(self.path):
  110.             raise ValueError("A CA with the same id and type already exists")
  111. 

  112.         subprocess.check_output(['ssh-keygen',
  113.             '-f', self.path,
  114.             '-t', self.key_algorithm,
  115.             '-C', self.name])
  116. 

  117.         with open(self.path + '.serial', 'w') as stream:
  118.             stream.write(str(0))
  119. 

  120. 

  121.     def sign(self, request):
  122. 

  123.         assert type(request) in [UserSSHRequest, HostSSHRequest]
  124. 

  125.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  126.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  127. 

  128.         with open(self.path + '.serial', 'r') as stream:
  129.             next_serial = int(stream.read())
  130.         with open(self.path + '.serial', 'w') as stream:
  131.             stream.write(str(next_serial + 1))
  132. 

  133.         with open(pub_key_path, 'w') as stream:
  134.             stream.write(request.key_data)
  135. 

  136.         ca_private_key = self.path
  137. 

  138.         if type(request) == UserSSHRequest:
  139.             login_names = [request.user_name]
  140.             if request.root_requested:
  141.                 login_names.append('root')
  142. 

  143.             subprocess.check_output(['ssh-keygen',
  144.                 '-s', ca_private_key,
  145.                 '-I', 'user_%s' % request.user_name,
  146.                 '-n', ','.join(login_names),
  147.                 '-V', self.user_validity,
  148.                 '-z', str(next_serial),
  149.                 pub_key_path])
  150.         elif type(request) == HostSSHRequest:
  151.             subprocess.check_output(['ssh-keygen',
  152.                 '-s', ca_private_key,
  153.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  154.                 '-h',
  155.                 '-n', request.host_name,
  156.                 '-V', self.host_validity,
  157.                 '-z', str(next_serial),
  158.                 pub_key_path])
  159. 

  160.         return cert_path
  161. 

  162. class SSLAuthority(Authority):
  163.     ca_type = 'ssl'
  164. 

  165.     ca_key_algorithm = 'des3'
  166.     key_length = '4096'
  167. 

  168.     key_algorithm = 'sha256'
  169.     ca_validity = '365'
  170.     cert_validity = '365'
  171. 

  172.     def generate(self):
  173.         if os.path.exists(self.path):
  174.             raise ValueError("A CA with the same id and type already exists")
  175. 

  176.         subprocess.check_output(['openssl',
  177.             'genrsa',
  178.             '-%s'%self.ca_key_algorithm,
  179.             '-out', '%s'%(self.path),
  180.             self.key_length])
  181. 

  182.         subprocess.check_output(['openssl',
  183.             'req',
  184.             '-new',
  185.             '-x509',
  186.             '-days', self.ca_validity,
  187.             '-key', self.path,
  188.             # '-extensions', 'v3_ca'
  189.             '-out', "%s.pub"%self.path,
  190.             # '-config', "%s.conf"%self.path
  191.             ])
  192. 

  193.         with open(self.path + '.serial', 'w') as stream:
  194.             stream.write(str(0))
  195. 

  196. 

  197.     def sign(self, request):
  198.         OUTPUT_PATH
  199. 

  200.         assert type(request) in [HostSSLRequest]
  201. 

  202.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  203.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  204. 

  205.         with open(self.path + '.serial', 'r') as stream:
  206.             next_serial = int(stream.read())
  207.         with open(self.path + '.serial', 'w') as stream:
  208.             stream.write(str(next_serial + 1))
  209. 

  210.         with open(pub_key_path, 'w') as stream:
  211.             stream.write(request.key_data)
  212. 

  213.         ca_private_key = self.path
  214. 

  215.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  216.         subprocess.check_output(['openssl',
  217.                         'x509',
  218.                         '-req',
  219.                         '-days', self.ca_validity,
  220.                         '-in', pub_key_path,
  221.                         '-CA', "%s.pub"%self.path,
  222.                         '-CAkey', self.path,
  223.                         '-CAcreateserial',
  224.                         '-out', cert_path,
  225.                         '-%s'%self.key_algorithm])
  226. 

  227.         return cert_path