LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
102 Commits
7 Branches
218 KiB
Tree: b0e8c69279
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b0e8c69279'
${ noResults }
ca_manager/request.py

302 lines
8.3 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
add draft for RequestLoader proxy
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add path property to SignRequest
8 years ago
fix SignRequest path attribute
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add draft for RequestLoader proxy
8 years ago
remove previous API annotation
8 years ago
add correct Request generation inside RequestLoader
8 years ago
fix wrong data representation when reading JSON
8 years ago
add correct Request generation inside RequestLoader
8 years ago
fix wrong data representation when reading JSON
8 years ago
add correct Request generation inside RequestLoader
8 years ago
add draft for RequestLoader proxy
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change base class Authority to accept a directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. import json
  9. 

  10. from paths import *
  11. 

  12. __doc__= """

  13. Module of classes to handle certificate requests
  14. """

  15. 

  16. class SignRequest(object):
  17.     def __init__(self, req_id):
  18.         self.req_id = req_id
  19. 

  20.     def __repr__(self):
  21.         return ( "%s %s" % ( str(self.__class__.__name__), str(self.req_id) ) )
  22. 

  23.     @property
  24.     def name(self):
  25.         raise NotImplementedError()
  26. 

  27.     @property
  28.     def fields(self):
  29.         raise NotImplementedError()
  30. 

  31.     @property
  32.     def path(self):
  33.         return os.path.join(REQUESTS_PATH, self.req_id)
  34. 

  35. 

  36. class RequestLoader(object):
  37.     """

  38.     Context manager that loads a request from a file
  39.     and return a Request type
  40.     """

  41. 

  42.     def __init__(self, request_id):
  43.         self.request_id = request_id
  44.         self.request_dir = REQUESTS_PATH
  45. 

  46.     @property
  47.     def path(self):
  48.         return os.path.join(self.request_dir, self.request_id)
  49. 

  50.     def __enter__(self):
  51.         with open(self.path, 'r') as stream:
  52.             request_data = json.load(
  53.                 stream,
  54.             )
  55. 

  56.             requester = request_data.get('userName', None) or request_data.get('hostName', None)
  57.             root_requested = request_data.get('rootRequested', False)
  58.             key_data = request_data.get('keyData', None)
  59. 

  60.             # attribute cannot be read from
  61.             # json, must add after decoding
  62.             request_id = self.request_id
  63. 

  64.             values = request_data.values()
  65. 

  66.             if 'ssh_user' in values:
  67.                 return UserSSHRequest(
  68.                         request_id,
  69.                         requester,
  70.                         root_requested,
  71.                         key_data,
  72.                         )
  73. 

  74.             elif 'ssh_host' in values:
  75.                 return HostSSHRequest(
  76.                         request_id,
  77.                         requester,
  78.                         key_data,
  79.                         )
  80. 

  81.             elif 'ssl_host' in values:
  82.                 return HostSSLRequest(
  83.                         request_id,
  84.                         requester,
  85.                         key_data,
  86.                         )
  87. 

  88.             else:
  89.                 # ultimate error, cannot be decoded
  90.                 return SignRequest(request_id)
  91.     
  92.     def __exit__(self, exc_type, exc_value, traceback):
  93.         if exc_type is not None:
  94.             print(exc_type, exc_value)
  95.             print(traceback)
  96. 

  97. class UserSSHRequest(SignRequest, object):
  98.     def __init__(self, req_id, user_name, root_requested, key_data):
  99.         super(UserSSHRequest, self).__init__(req_id)
  100. 

  101.         self.user_name = user_name
  102.         self.root_requested = root_requested
  103.         self.key_data = key_data
  104. 

  105.     @property
  106.     def name(self):
  107.         return "User: %s [R:%d]" % (self.user_name, int(self.root_requested))
  108. 

  109.     @property
  110.     def fields(self):
  111.         return [
  112.             ("User name", self.user_name),
  113.             ("Root access requested", 'yes' if self.root_requested else 'no')
  114.         ]
  115. 

  116. class HostSSLRequest(SignRequest, object):
  117.     def __init__(self, req_id, host_name, key_data):
  118.         super(HostSSLRequest, self).__init__(req_id)
  119. 

  120.         self.host_name = host_name
  121.         self.key_data = key_data
  122. 

  123.     @property
  124.     def name(self):
  125.         return "Hostname: %s" % self.host_name
  126. 

  127.     @property
  128.     def fields(self):
  129.         return [
  130.             ("Hostname", self.host_name)
  131.         ]
  132. 

  133. class HostSSHRequest(SignRequest, object):
  134.     def __init__(self, req_id, host_name, key_data):
  135.         super(HostSSHRequest, self).__init__(req_id)
  136. 

  137.         self.host_name = host_name
  138.         self.key_data = key_data
  139. 

  140.     @property
  141.     def name(self):
  142.         return "Hostname: %s" % self.host_name
  143. 

  144.     @property
  145.     def fields(self):
  146.         return [
  147.             ("Hostname", self.host_name)
  148.         ]
  149. 

  150. class Authority(object):
  151.     ca_type = None
  152.     request_allowed = []
  153. 

  154.     def __init__(self, ca_id, name, ca_dir):
  155.         self.ca_id = ca_id
  156.         self.name = name
  157.         self.ca_dir = ca_dir
  158. 

  159.     @property
  160.     def path(self):
  161.         return os.path.join(self.ca_dir, self.ca_id)
  162. 

  163.     def generate(self):
  164.         raise NotImplementedError()
  165. 

  166.     def sign(self, request):
  167.         raise NotImplementedError()
  168. 

  169.     def __repr__(self):
  170.         return ( "%s %s" % ( self.__class__.__name__, self.ca_type ) )
  171. 

  172. class SSHAuthority(Authority):
  173.     ca_type = 'ssh'
  174. 

  175.     request_allowed = [ UserSSHRequest, HostSSHRequest, ]
  176. 

  177.     key_algorithm = 'ed25519'
  178. 

  179.     user_validity = '+52w'
  180.     host_validity = '+52w'
  181. 

  182.     def generate(self):
  183.         if os.path.exists(self.path):
  184.             raise ValueError("A CA with the same id and type already exists")
  185. 

  186.         subprocess.check_output(['ssh-keygen',
  187.             '-f', self.path,
  188.             '-t', self.key_algorithm,
  189.             '-C', self.name])
  190. 

  191.         with open(self.path + '.serial', 'w') as stream:
  192.             stream.write(str(0))
  193. 

  194. 

  195.     def sign(self, request):
  196. 

  197.         assert type(request) in self.request_allowed
  198. 

  199.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  200.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  201. 

  202.         with open(self.path + '.serial', 'r') as stream:
  203.             next_serial = int(stream.read())
  204.         with open(self.path + '.serial', 'w') as stream:
  205.             stream.write(str(next_serial + 1))
  206. 

  207.         with open(pub_key_path, 'w') as stream:
  208.             stream.write(request.key_data)
  209. 

  210.         ca_private_key = self.path
  211. 

  212.         if type(request) == UserSSHRequest:
  213.             login_names = [ request.user_name, ]
  214.             if request.root_requested:
  215.                 login_names.append('root')
  216. 

  217.             subprocess.check_output(['ssh-keygen',
  218.                 '-s', ca_private_key,
  219.                 '-I', 'user_%s' % request.user_name,
  220.                 '-n', ','.join(login_names),
  221.                 '-V', self.user_validity,
  222.                 '-z', str(next_serial),
  223.                 pub_key_path])
  224.         elif type(request) == HostSSHRequest:
  225.             subprocess.check_output(['ssh-keygen',
  226.                 '-s', ca_private_key,
  227.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  228.                 '-h',
  229.                 '-n', request.host_name,
  230.                 '-V', self.host_validity,
  231.                 '-z', str(next_serial),
  232.                 pub_key_path])
  233. 

  234.         return cert_path
  235. 

  236. class SSLAuthority(Authority):
  237.     ca_type = 'ssl'
  238.     request_allowed = [ HostSSLRequest, ]
  239. 

  240.     ca_key_algorithm = 'des3'
  241.     key_length = '4096'
  242. 

  243.     key_algorithm = 'sha256'
  244.     ca_validity = '365'
  245.     cert_validity = '365'
  246. 

  247.     def generate(self):
  248.         if os.path.exists(self.path):
  249.             raise ValueError("A CA with the same id and type already exists")
  250. 

  251.         subprocess.check_output(['openssl',
  252.             'genrsa',
  253.             '-%s'%self.ca_key_algorithm,
  254.             '-out', '%s'%(self.path),
  255.             self.key_length])
  256. 

  257.         subprocess.check_output(['openssl',
  258.             'req',
  259.             '-new',
  260.             '-x509',
  261.             '-days', self.ca_validity,
  262.             '-key', self.path,
  263.             # '-extensions', 'v3_ca'
  264.             '-out', "%s.pub"%self.path,
  265.             # '-config', "%s.conf"%self.path
  266.             ])
  267. 

  268.         with open(self.path + '.serial', 'w') as stream:
  269.             stream.write(str(0))
  270. 

  271. 

  272.     def sign(self, request):
  273.         OUTPUT_PATH
  274. 

  275.         assert type(request) in [HostSSLRequest]
  276. 

  277.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  278.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  279. 

  280.         with open(self.path + '.serial', 'r') as stream:
  281.             next_serial = int(stream.read())
  282.         with open(self.path + '.serial', 'w') as stream:
  283.             stream.write(str(next_serial + 1))
  284. 

  285.         with open(pub_key_path, 'w') as stream:
  286.             stream.write(request.key_data)
  287. 

  288.         ca_private_key = self.path
  289. 

  290.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  291.         subprocess.check_output(['openssl',
  292.                         'x509',
  293.                         '-req',
  294.                         '-days', self.ca_validity,
  295.                         '-in', pub_key_path,
  296.                         '-CA', "%s.pub"%self.path,
  297.                         '-CAkey', self.path,
  298.                         '-CAcreateserial',
  299.                         '-out', cert_path,
  300.                         '-%s'%self.key_algorithm])
  301. 

  302.         return cert_path