LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
131 Commits
7 Branches
218 KiB
Tree: 62bb8261e6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '62bb8261e6'
${ noResults }
ca_manager/authority.py

205 lines
6.0 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
implement pickling for authority class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
import certificate base class
8 years ago
split certificates from authorities
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
let Authority class handle their save directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
implement truthy value for Authority base class
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
implement pickling for authority class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
show id instead of name when printing authorities
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
let Authority class handle their save directory
8 years ago
fix typo in ssh authority dir, pickle authority on creation
8 years ago
let Authority class handle their save directory
8 years ago
draft for __bool__ on SSHAuthority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
refactor SSHAuthority generate method
8 years ago
fix typo in ssh authority dir, pickle authority on creation
8 years ago
add pickling to ca generation
8 years ago
refactor SSHAuthority generate method
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set output path for request and certificate
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
use destination from request class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
let Authority class handle their save directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change to authority allowed requests
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import pickle
  7. import subprocess
  8. 

  9. from paths import *
  10. from certificate import Certificate
  11. from request import UserSSHRequest, HostSSHRequest, HostSSLRequest
  12. 

  13. __doc__= """

  14. Module of classes to handle certificate requests
  15. """

  16. 

  17. class Authority(object):
  18.     request_allowed = []
  19. 

  20.     def __init__(self, ca_id, ca_dir = MANAGER_PATH):
  21.         self.ca_id = ca_id
  22.         self.ca_dir = ca_dir
  23. 

  24.     def __bool__(self):
  25.         return os.path.exists(self.path)
  26. 

  27.     @property
  28.     def path(self):
  29.         return os.path.join(self.ca_dir, self.ca_id)
  30. 

  31.     def generate(self):
  32.         """

  33.         Leave a dump of this class in the MANAGER_PATH
  34.         """

  35.         pickled_path = os.path.join(MANAGER_PATH, 'pickled_cas', self.ca_id)
  36.         with open(pickled_path, 'wb') as out:
  37.                 pickle.dump(self, out)
  38. 

  39.     def sign(self, request):
  40.         raise NotImplementedError()
  41. 

  42.     def __repr__(self):
  43.         return ( "%s %s" % ( self.__class__.__name__, self.ca_id ) )
  44. 

  45. class SSHAuthority(Authority):
  46. 

  47.     request_allowed = [ UserSSHRequest, HostSSHRequest, ]
  48. 

  49.     key_algorithm = 'ed25519'
  50. 

  51.     user_validity = '+52w'
  52.     host_validity = '+52w'
  53. 

  54.     def __init__(self, ca_id):
  55.         ssh_ca_dir = os.path.join(MANAGER_PATH, 'ssh_cas')
  56. 

  57.         super(SSHAuthority, self).__init__(ca_id, ssh_ca_dir)
  58. 

  59.     def __bool__(self):
  60.         """

  61.         For a SSH Authority we only need a private-public key couple,
  62.         moreover we request to have the next serial number
  63.         """

  64.         keys_couple_exist = os.path.exists(self.path) and os.path.exists(self.path + '.pub')
  65.         serial_exist = os.path.exists(self.path + '.serial')
  66. 

  67.         return keys_couple_exist and serial_exist
  68. 

  69.     def generate(self):
  70.         """

  71.         Generate a SSHAuthority if the files associated
  72.         do not exists
  73.         """

  74.         # check if the public key exists
  75.         if not self:
  76.             # let ssh-keygen do its job
  77.             subprocess.check_output(['ssh-keygen',
  78.                 '-f', self.path,
  79.                 '-t', self.key_algorithm,
  80.                 '-C', self.name])
  81. 

  82.             # write the serial file with a value of
  83.             # 0 for first certificate
  84.             with open(self.path + '.serial', 'w') as stream:
  85.                 stream.write(str(0))
  86. 

  87.             super(SSHAuthority, self).generate()
  88. 

  89. 

  90.         else:
  91.             raise ValueError('A CA with the same id and type already exists')
  92. 

  93. 

  94.     def sign(self, request):
  95. 

  96.         assert type(request) in self.request_allowed
  97. 

  98.         pub_key_path = request.destination
  99.         cert_path = Certificate(request.req_id).path
  100. 

  101.         with open(self.path + '.serial', 'r') as stream:
  102.             next_serial = int(stream.read())
  103.         with open(self.path + '.serial', 'w') as stream:
  104.             stream.write(str(next_serial + 1))
  105. 

  106.         with open(request.destination, 'w') as stream:
  107.             stream.write(request.key_data)
  108. 

  109.         ca_private_key = self.path
  110. 

  111.         if type(request) == UserSSHRequest:
  112.             login_names = [ request.user_name, ]
  113.             if request.root_requested:
  114.                 login_names.append('root')
  115. 

  116.             subprocess.check_output(['ssh-keygen',
  117.                 '-s', ca_private_key,
  118.                 '-I', 'user_%s' % request.user_name,
  119.                 '-n', ','.join(login_names),
  120.                 '-V', self.user_validity,
  121.                 '-z', str(next_serial),
  122.                 pub_key_path])
  123.         elif type(request) == HostSSHRequest:
  124.             subprocess.check_output(['ssh-keygen',
  125.                 '-s', ca_private_key,
  126.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  127.                 '-h',
  128.                 '-n', request.host_name,
  129.                 '-V', self.host_validity,
  130.                 '-z', str(next_serial),
  131.                 pub_key_path])
  132. 

  133.         return cert_path
  134. 

  135. class SSLAuthority(Authority):
  136.     request_allowed = [ HostSSLRequest, ]
  137. 

  138.     ca_key_algorithm = 'des3'
  139.     key_length = '4096'
  140. 

  141.     key_algorithm = 'sha256'
  142.     ca_validity = '365'
  143.     cert_validity = '365'
  144. 

  145.     def __init__(self, ca_id):
  146.         ssl_ca_dir = os.path.join(MANAGER_PATH, 'ssl_ca')
  147. 

  148.         super(SSLAuthority, self).__init__(ca_id, ssl_ca_dir)
  149. 

  150.     def generate(self):
  151.         if os.path.exists(self.path):
  152.             raise ValueError("A CA with the same id and type already exists")
  153. 

  154.         subprocess.check_output(['openssl',
  155.             'genrsa',
  156.             '-%s'%self.ca_key_algorithm,
  157.             '-out', '%s'%(self.path),
  158.             self.key_length])
  159. 

  160.         subprocess.check_output(['openssl',
  161.             'req',
  162.             '-new',
  163.             '-x509',
  164.             '-days', self.ca_validity,
  165.             '-key', self.path,
  166.             # '-extensions', 'v3_ca'
  167.             '-out', "%s.pub"%self.path,
  168.             # '-config', "%s.conf"%self.path
  169.             ])
  170. 

  171.         with open(self.path + '.serial', 'w') as stream:
  172.             stream.write(str(0))
  173. 

  174. 

  175.     def sign(self, request):
  176.         OUTPUT_PATH
  177. 

  178.         assert type(request) in self.request_allowed
  179. 

  180.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  181.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  182. 

  183.         with open(self.path + '.serial', 'r') as stream:
  184.             next_serial = int(stream.read())
  185.         with open(self.path + '.serial', 'w') as stream:
  186.             stream.write(str(next_serial + 1))
  187. 

  188.         with open(pub_key_path, 'w') as stream:
  189.             stream.write(request.key_data)
  190. 

  191.         ca_private_key = self.path
  192. 

  193.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  194.         subprocess.check_output(['openssl',
  195.                         'x509',
  196.                         '-req',
  197.                         '-days', self.ca_validity,
  198.                         '-in', pub_key_path,
  199.                         '-CA', "%s.pub"%self.path,
  200.                         '-CAkey', self.path,
  201.                         '-CAcreateserial',
  202.                         '-out', cert_path,
  203.                         '-%s'%self.key_algorithm])
  204. 

  205.         return cert_path