LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
104 Commits
7 Branches
218 KiB
Tree: d6793412ed
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd6793412ed'
${ noResults }
ca_manager/authority.py

168 lines
4.8 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
split certificates from authorities
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change base class Authority to accept a directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
add repr magic to base classes
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set allowed requests for each authority
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. 

  9. from paths import *
  10. from request import UserSSHRequest, HostSSHRequest, HostSSLRequest
  11. 

  12. __doc__= """

  13. Module of classes to handle certificate requests
  14. """

  15. 

  16. class Authority(object):
  17.     ca_type = None
  18.     request_allowed = []
  19. 

  20.     def __init__(self, ca_id, name, ca_dir):
  21.         self.ca_id = ca_id
  22.         self.name = name
  23.         self.ca_dir = ca_dir
  24. 

  25.     @property
  26.     def path(self):
  27.         return os.path.join(self.ca_dir, self.ca_id)
  28. 

  29.     def generate(self):
  30.         raise NotImplementedError()
  31. 

  32.     def sign(self, request):
  33.         raise NotImplementedError()
  34. 

  35.     def __repr__(self):
  36.         return ( "%s %s" % ( self.__class__.__name__, self.ca_type ) )
  37. 

  38. class SSHAuthority(Authority):
  39.     ca_type = 'ssh'
  40. 

  41.     request_allowed = [ UserSSHRequest, HostSSHRequest, ]
  42. 

  43.     key_algorithm = 'ed25519'
  44. 

  45.     user_validity = '+52w'
  46.     host_validity = '+52w'
  47. 

  48.     def generate(self):
  49.         if os.path.exists(self.path):
  50.             raise ValueError("A CA with the same id and type already exists")
  51. 

  52.         subprocess.check_output(['ssh-keygen',
  53.             '-f', self.path,
  54.             '-t', self.key_algorithm,
  55.             '-C', self.name])
  56. 

  57.         with open(self.path + '.serial', 'w') as stream:
  58.             stream.write(str(0))
  59. 

  60. 

  61.     def sign(self, request):
  62. 

  63.         assert type(request) in self.request_allowed
  64. 

  65.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  66.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  67. 

  68.         with open(self.path + '.serial', 'r') as stream:
  69.             next_serial = int(stream.read())
  70.         with open(self.path + '.serial', 'w') as stream:
  71.             stream.write(str(next_serial + 1))
  72. 

  73.         with open(pub_key_path, 'w') as stream:
  74.             stream.write(request.key_data)
  75. 

  76.         ca_private_key = self.path
  77. 

  78.         if type(request) == UserSSHRequest:
  79.             login_names = [ request.user_name, ]
  80.             if request.root_requested:
  81.                 login_names.append('root')
  82. 

  83.             subprocess.check_output(['ssh-keygen',
  84.                 '-s', ca_private_key,
  85.                 '-I', 'user_%s' % request.user_name,
  86.                 '-n', ','.join(login_names),
  87.                 '-V', self.user_validity,
  88.                 '-z', str(next_serial),
  89.                 pub_key_path])
  90.         elif type(request) == HostSSHRequest:
  91.             subprocess.check_output(['ssh-keygen',
  92.                 '-s', ca_private_key,
  93.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  94.                 '-h',
  95.                 '-n', request.host_name,
  96.                 '-V', self.host_validity,
  97.                 '-z', str(next_serial),
  98.                 pub_key_path])
  99. 

  100.         return cert_path
  101. 

  102. class SSLAuthority(Authority):
  103.     ca_type = 'ssl'
  104.     request_allowed = [ HostSSLRequest, ]
  105. 

  106.     ca_key_algorithm = 'des3'
  107.     key_length = '4096'
  108. 

  109.     key_algorithm = 'sha256'
  110.     ca_validity = '365'
  111.     cert_validity = '365'
  112. 

  113.     def generate(self):
  114.         if os.path.exists(self.path):
  115.             raise ValueError("A CA with the same id and type already exists")
  116. 

  117.         subprocess.check_output(['openssl',
  118.             'genrsa',
  119.             '-%s'%self.ca_key_algorithm,
  120.             '-out', '%s'%(self.path),
  121.             self.key_length])
  122. 

  123.         subprocess.check_output(['openssl',
  124.             'req',
  125.             '-new',
  126.             '-x509',
  127.             '-days', self.ca_validity,
  128.             '-key', self.path,
  129.             # '-extensions', 'v3_ca'
  130.             '-out', "%s.pub"%self.path,
  131.             # '-config', "%s.conf"%self.path
  132.             ])
  133. 

  134.         with open(self.path + '.serial', 'w') as stream:
  135.             stream.write(str(0))
  136. 

  137. 

  138.     def sign(self, request):
  139.         OUTPUT_PATH
  140. 

  141.         assert type(request) in [HostSSLRequest]
  142. 

  143.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  144.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  145. 

  146.         with open(self.path + '.serial', 'r') as stream:
  147.             next_serial = int(stream.read())
  148.         with open(self.path + '.serial', 'w') as stream:
  149.             stream.write(str(next_serial + 1))
  150. 

  151.         with open(pub_key_path, 'w') as stream:
  152.             stream.write(request.key_data)
  153. 

  154.         ca_private_key = self.path
  155. 

  156.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  157.         subprocess.check_output(['openssl',
  158.                         'x509',
  159.                         '-req',
  160.                         '-days', self.ca_validity,
  161.                         '-in', pub_key_path,
  162.                         '-CA', "%s.pub"%self.path,
  163.                         '-CAkey', self.path,
  164.                         '-CAcreateserial',
  165.                         '-out', cert_path,
  166.                         '-%s'%self.key_algorithm])
  167. 

  168.         return cert_path