LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73 Commits
7 Branches
218 KiB
Tree: 533be5191e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '533be5191e'
${ noResults }
ca_manager/certificate_requests.py

273 lines
7.4 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
add draft for RequestLoader proxy
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add path property to SignRequest
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add draft for RequestLoader proxy
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change base class Authority to accept a directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. import json
  9. 

  10. from paths import *
  11. 

  12. __doc__= """

  13. Module of classes to handle certificate requests
  14. """

  15. 

  16. class SignRequest(object):
  17.     def __init__(self, req_id):
  18.         self.req_id = req_id
  19. 

  20.     def __repr__(self):
  21.         return ( "%s %s" % ( str(self.__class__.__name__), str(self.req_id) ) )
  22. 

  23.     @property
  24.     def name(self):
  25.         raise NotImplementedError()
  26. 

  27.     @property
  28.     def fields(self):
  29.         raise NotImplementedError()
  30. 

  31.     @property
  32.     def path(self):
  33.         return os.path.join(REQUESTS_PATH, self.id)
  34. 

  35. class RequestLoader(object):
  36.     """

  37.     Context manager that loads a request from a file
  38.     and return a Request type
  39.     """

  40. 

  41.     def __init__(self, request_id):
  42.         self.request_id = request_id
  43.         self.request_dir = REQUESTS_PATH
  44. 

  45.     @property
  46.     def path(self):
  47.         return os.path.join(self.request_dir, self.request_id)
  48. 

  49.     def __enter__(self):
  50.         with open(self.path, 'r') as stream:
  51.             # read the json from a TextIO
  52.             # but let as_request handle 
  53.             # the conversion to a Python
  54.             # object
  55.             request_data = json.load(
  56.                 stream,
  57.                 )
  58.     
  59.     def __exit__(self, exc_type, exc_value, traceback):
  60.         if exc_type is not None:
  61.             print(exc_type, exc_value)
  62.             print(traceback)
  63. 

  64. class UserSSHRequest(SignRequest, object):
  65.     def __init__(self, req_id, user_name, root_requested, key_data):
  66.         super(UserSSHRequest, self).__init__(req_id)
  67. 

  68.         self.user_name = user_name
  69.         self.root_requested = root_requested
  70.         self.key_data = key_data
  71. 

  72.     @property
  73.     def name(self):
  74.         return "User: %s [R:%d]" % (self.user_name, int(self.root_requested))
  75. 

  76.     @property
  77.     def fields(self):
  78.         return [
  79.             ("User name", self.user_name),
  80.             ("Root access requested", 'yes' if self.root_requested else 'no')
  81.         ]
  82. 

  83.     def __str__(self):
  84.         return ("%s %s" % (self.req_id, self.user_name))
  85. 

  86. class HostSSLRequest(SignRequest, object):
  87.     def __init__(self, req_id, host_name, key_data):
  88.         super(HostSSLRequest, self).__init__(req_id)
  89. 

  90.         self.host_name = host_name
  91.         self.key_data = key_data
  92. 

  93.     @property
  94.     def name(self):
  95.         return "Hostname: %s" % self.host_name
  96. 

  97.     @property
  98.     def fields(self):
  99.         return [
  100.             ("Hostname", self.host_name)
  101.         ]
  102.     def __str__(self):
  103.         return ("%s %s" % (self.req_id, self.host_name))
  104. 

  105. class HostSSHRequest(SignRequest, object):
  106.     def __init__(self, req_id, host_name, key_data):
  107.         super(HostSSHRequest, self).__init__(req_id)
  108. 

  109.         self.host_name = host_name
  110.         self.key_data = key_data
  111. 

  112.     @property
  113.     def name(self):
  114.         return "Hostname: %s" % self.host_name
  115. 

  116.     @property
  117.     def fields(self):
  118.         return [
  119.             ("Hostname", self.host_name)
  120.         ]
  121.     def __str__(self):
  122.         return ("%s %s" % (self.req_id, self.host_name))
  123. 

  124. 

  125. class Authority(object):
  126.     ca_type = None
  127. 

  128.     def __init__(self, ca_id, name, ca_dir):
  129.         self.ca_id = ca_id
  130.         self.name = name
  131.         self.ca_dir = ca_dir
  132. 

  133.     @property
  134.     def path(self):
  135.         return os.path.join(self.ca_dir, self.ca_id)
  136. 

  137.     def generate(self):
  138.         raise NotImplementedError()
  139. 

  140.     def sign(self, request):
  141.         raise NotImplementedError()
  142. 

  143.     def __repr__(self):
  144.         return ( "%s %s" % ( self.__class__.__name__, self.ca_type ) )
  145. 

  146. class SSHAuthority(Authority):
  147.     ca_type = 'ssh'
  148. 

  149.     key_algorithm = 'ed25519'
  150. 

  151.     user_validity = '+52w'
  152.     host_validity = '+52w'
  153. 

  154.     def generate(self):
  155.         if os.path.exists(self.path):
  156.             raise ValueError("A CA with the same id and type already exists")
  157. 

  158.         subprocess.check_output(['ssh-keygen',
  159.             '-f', self.path,
  160.             '-t', self.key_algorithm,
  161.             '-C', self.name])
  162. 

  163.         with open(self.path + '.serial', 'w') as stream:
  164.             stream.write(str(0))
  165. 

  166. 

  167.     def sign(self, request):
  168. 

  169.         assert type(request) in [UserSSHRequest, HostSSHRequest]
  170. 

  171.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  172.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  173. 

  174.         with open(self.path + '.serial', 'r') as stream:
  175.             next_serial = int(stream.read())
  176.         with open(self.path + '.serial', 'w') as stream:
  177.             stream.write(str(next_serial + 1))
  178. 

  179.         with open(pub_key_path, 'w') as stream:
  180.             stream.write(request.key_data)
  181. 

  182.         ca_private_key = self.path
  183. 

  184.         if type(request) == UserSSHRequest:
  185.             login_names = [request.user_name]
  186.             if request.root_requested:
  187.                 login_names.append('root')
  188. 

  189.             subprocess.check_output(['ssh-keygen',
  190.                 '-s', ca_private_key,
  191.                 '-I', 'user_%s' % request.user_name,
  192.                 '-n', ','.join(login_names),
  193.                 '-V', self.user_validity,
  194.                 '-z', str(next_serial),
  195.                 pub_key_path])
  196.         elif type(request) == HostSSHRequest:
  197.             subprocess.check_output(['ssh-keygen',
  198.                 '-s', ca_private_key,
  199.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  200.                 '-h',
  201.                 '-n', request.host_name,
  202.                 '-V', self.host_validity,
  203.                 '-z', str(next_serial),
  204.                 pub_key_path])
  205. 

  206.         return cert_path
  207. 

  208. class SSLAuthority(Authority):
  209.     ca_type = 'ssl'
  210. 

  211.     ca_key_algorithm = 'des3'
  212.     key_length = '4096'
  213. 

  214.     key_algorithm = 'sha256'
  215.     ca_validity = '365'
  216.     cert_validity = '365'
  217. 

  218.     def generate(self):
  219.         if os.path.exists(self.path):
  220.             raise ValueError("A CA with the same id and type already exists")
  221. 

  222.         subprocess.check_output(['openssl',
  223.             'genrsa',
  224.             '-%s'%self.ca_key_algorithm,
  225.             '-out', '%s'%(self.path),
  226.             self.key_length])
  227. 

  228.         subprocess.check_output(['openssl',
  229.             'req',
  230.             '-new',
  231.             '-x509',
  232.             '-days', self.ca_validity,
  233.             '-key', self.path,
  234.             # '-extensions', 'v3_ca'
  235.             '-out', "%s.pub"%self.path,
  236.             # '-config', "%s.conf"%self.path
  237.             ])
  238. 

  239.         with open(self.path + '.serial', 'w') as stream:
  240.             stream.write(str(0))
  241. 

  242. 

  243.     def sign(self, request):
  244.         OUTPUT_PATH
  245. 

  246.         assert type(request) in [HostSSLRequest]
  247. 

  248.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  249.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  250. 

  251.         with open(self.path + '.serial', 'r') as stream:
  252.             next_serial = int(stream.read())
  253.         with open(self.path + '.serial', 'w') as stream:
  254.             stream.write(str(next_serial + 1))
  255. 

  256.         with open(pub_key_path, 'w') as stream:
  257.             stream.write(request.key_data)
  258. 

  259.         ca_private_key = self.path
  260. 

  261.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  262.         subprocess.check_output(['openssl',
  263.                         'x509',
  264.                         '-req',
  265.                         '-days', self.ca_validity,
  266.                         '-in', pub_key_path,
  267.                         '-CA', "%s.pub"%self.path,
  268.                         '-CAkey', self.path,
  269.                         '-CAcreateserial',
  270.                         '-out', cert_path,
  271.                         '-%s'%self.key_algorithm])
  272. 

  273.         return cert_path