LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 Commits
7 Branches
218 KiB
Tree: b1d94d822b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b1d94d822b'
${ noResults }
ca_manager/certificate_requests.py

219 lines
6.1 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. 

  9. from paths import *
  10. 

  11. class SignRequest(object):
  12.     def __init__(self, req_id):
  13.         self.req_id = req_id
  14. 

  15.     def get_name(self):
  16.         raise NotImplementedError()
  17. 

  18.     def get_fields(self):
  19.         raise NotImplementedError()
  20. 

  21. 

  22. class UserSSHRequest(SignRequest, object):
  23.     def __init__(self, req_id, user_name, root_requested, key_data):
  24.         super(UserSSHRequest, self).__init__(req_id)
  25. 

  26.         self.user_name = user_name
  27.         self.root_requested = root_requested
  28.         self.key_data = key_data
  29. 

  30.     def get_name(self):
  31.         return "User: %s [R:%d]" % (self.user_name, int(self.root_requested))
  32. 

  33.     def get_fields(self):
  34.         return [
  35.             ("User name", self.user_name),
  36.             ("Root access requested", 'yes' if self.root_requested else 'no')
  37.         ]
  38. 

  39.     def __str__(self):
  40.         return ("%s %s" % (self.req_id, self.user_name))
  41. 

  42. class HostSSLRequest(SignRequest, object):
  43.     def __init__(self, req_id, host_name, key_data):
  44.         super(HostSSLRequest, self).__init__(req_id)
  45. 

  46.         self.host_name = host_name
  47.         self.key_data = key_data
  48. 

  49.     def get_name(self):
  50.         return "Hostname: %s" % self.host_name
  51. 

  52.     def get_fields(self):
  53.         return [
  54.             ("Hostname", self.host_name)
  55.         ]
  56.     def __str__(self):
  57.         return ("%s %s" % (self.req_id, self.host_name))
  58. 

  59. class HostSSHRequest(SignRequest, object):
  60.     def __init__(self, req_id, host_name, key_data):
  61.         super(HostSSHRequest, self).__init__(req_id)
  62. 

  63.         self.host_name = host_name
  64.         self.key_data = key_data
  65. 

  66.     def get_name(self):
  67.         return "Hostname: %s" % self.host_name
  68. 

  69.     def get_fields(self):
  70.         return [
  71.             ("Hostname", self.host_name)
  72.         ]
  73.     def __str__(self):
  74.         return ("%s %s" % (self.req_id, self.host_name))
  75. 

  76. 

  77. class Authority(object):
  78.     ca_type = None
  79. 

  80.     def __init__(self, ca_id, name, path):
  81.         self.ca_id = ca_id
  82.         self.name = name
  83.         self.path = path
  84. 

  85.     def generate(self):
  86.         raise NotImplementedError()
  87. 

  88.     def sign(self, request):
  89.         raise NotImplementedError()
  90. 

  91. 

  92. class SSHAuthority(Authority):
  93.     ca_type = 'ssh'
  94. 

  95.     key_algorithm = 'ed25519'
  96. 

  97.     user_validity = '+52w'
  98.     host_validity = '+52w'
  99. 

  100.     def generate(self):
  101.         if os.path.exists(self.path):
  102.             raise ValueError("A CA with the same id and type already exists")
  103. 

  104.         subprocess.check_output(['ssh-keygen',
  105.             '-f', self.path,
  106.             '-t', self.key_algorithm,
  107.             '-C', self.name])
  108. 

  109.         with open(self.path + '.serial', 'w') as stream:
  110.             stream.write(str(0))
  111. 

  112. 

  113.     def sign(self, request):
  114. 

  115.         assert type(request) in [UserSSHRequest, HostSSHRequest]
  116. 

  117.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  118.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  119. 

  120.         with open(self.path + '.serial', 'r') as stream:
  121.             next_serial = int(stream.read())
  122.         with open(self.path + '.serial', 'w') as stream:
  123.             stream.write(str(next_serial + 1))
  124. 

  125.         with open(pub_key_path, 'w') as stream:
  126.             stream.write(request.key_data)
  127. 

  128.         ca_private_key = self.path
  129. 

  130.         if type(request) == UserSSHRequest:
  131.             login_names = [request.user_name]
  132.             if request.root_requested:
  133.                 login_names.append('root')
  134. 

  135.             subprocess.check_output(['ssh-keygen',
  136.                 '-s', ca_private_key,
  137.                 '-I', 'user_%s' % request.user_name,
  138.                 '-n', ','.join(login_names),
  139.                 '-V', self.user_validity,
  140.                 '-z', str(next_serial),
  141.                 pub_key_path])
  142.         elif type(request) == HostSSHRequest:
  143.             subprocess.check_output(['ssh-keygen',
  144.                 '-s', ca_private_key,
  145.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  146.                 '-h',
  147.                 '-n', request.host_name,
  148.                 '-V', self.host_validity,
  149.                 '-z', str(next_serial),
  150.                 pub_key_path])
  151. 

  152.         return cert_path
  153. 

  154. class SSLAuthority(Authority):
  155.     ca_type = 'ssl'
  156. 

  157.     ca_key_algorithm = 'des3'
  158.     key_length = '4096'
  159. 

  160.     key_algorithm = 'sha256'
  161.     ca_validity = '365'
  162.     cert_validity = '365'
  163. 

  164.     def generate(self):
  165.         if os.path.exists(self.path):
  166.             raise ValueError("A CA with the same id and type already exists")
  167. 

  168.         subprocess.check_output(['openssl',
  169.             'genrsa',
  170.             '-%s'%self.ca_key_algorithm,
  171.             '-out', '%s'%(self.path),
  172.             self.key_length])
  173. 

  174.         subprocess.check_output(['openssl',
  175.             'req',
  176.             '-new',
  177.             '-x509',
  178.             '-days', self.ca_validity,
  179.             '-key', self.path,
  180.             # '-extensions', 'v3_ca'
  181.             '-out', "%s.pub"%self.path,
  182.             # '-config', "%s.conf"%self.path
  183.             ])
  184. 

  185.         with open(self.path + '.serial', 'w') as stream:
  186.             stream.write(str(0))
  187. 

  188. 

  189.     def sign(self, request):
  190.         OUTPUT_PATH
  191. 

  192.         assert type(request) in [HostSSLRequest]
  193. 

  194.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  195.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  196. 

  197.         with open(self.path + '.serial', 'r') as stream:
  198.             next_serial = int(stream.read())
  199.         with open(self.path + '.serial', 'w') as stream:
  200.             stream.write(str(next_serial + 1))
  201. 

  202.         with open(pub_key_path, 'w') as stream:
  203.             stream.write(request.key_data)
  204. 

  205.         ca_private_key = self.path
  206. 

  207.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  208.         subprocess.check_output(['openssl',
  209.                         'x509',
  210.                         '-req',
  211.                         '-days', self.ca_validity,
  212.                         '-in', pub_key_path,
  213.                         '-CA', "%s.pub"%self.path,
  214.                         '-CAkey', self.path,
  215.                         '-CAcreateserial',
  216.                         '-out', cert_path,
  217.                         '-%s'%self.key_algorithm])
  218. 

  219.         return cert_path