LILiK
/
ca_manager
5
0
Fork 0
Code Issues 0 Pull Requests 2 Releases 0 Wiki Activity
Easy CA management
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
69 Commits
7 Branches
218 KiB
Tree: fb4455e9fa
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fb4455e9fa'
${ noResults }
ca_manager/certificate_requests.py

235 lines
6.4 KiB
Raw Normal View History

moved certificates, requests and authority classes out of ca_manager
8 years ago
add docs to modules
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
switch from getter to property
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
change base class Authority to accept a directory
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
set path as property of Authority base class
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
migrate to subprocess.check_output
8 years ago
moved certificates, requests and authority classes out of ca_manager
8 years ago
 
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. 

  4. import os
  5. import os.path
  6. import sqlite3
  7. import subprocess
  8. 

  9. from paths import *
  10. 

  11. __doc__= """

  12. Module of classes to handle certificate requests
  13. """

  14. 

  15. class SignRequest(object):
  16.     def __init__(self, req_id):
  17.         self.req_id = req_id
  18. 

  19.     @property
  20.     def name(self):
  21.         raise NotImplementedError()
  22. 

  23.     @property
  24.     def fields(self):
  25.         raise NotImplementedError()
  26. 

  27. 

  28. class UserSSHRequest(SignRequest, object):
  29.     def __init__(self, req_id, user_name, root_requested, key_data):
  30.         super(UserSSHRequest, self).__init__(req_id)
  31. 

  32.         self.user_name = user_name
  33.         self.root_requested = root_requested
  34.         self.key_data = key_data
  35. 

  36.     @property
  37.     def name(self):
  38.         return "User: %s [R:%d]" % (self.user_name, int(self.root_requested))
  39. 

  40.     @property
  41.     def fields(self):
  42.         return [
  43.             ("User name", self.user_name),
  44.             ("Root access requested", 'yes' if self.root_requested else 'no')
  45.         ]
  46. 

  47.     def __str__(self):
  48.         return ("%s %s" % (self.req_id, self.user_name))
  49. 

  50. class HostSSLRequest(SignRequest, object):
  51.     def __init__(self, req_id, host_name, key_data):
  52.         super(HostSSLRequest, self).__init__(req_id)
  53. 

  54.         self.host_name = host_name
  55.         self.key_data = key_data
  56. 

  57.     @property
  58.     def name(self):
  59.         return "Hostname: %s" % self.host_name
  60. 

  61.     @property
  62.     def fields(self):
  63.         return [
  64.             ("Hostname", self.host_name)
  65.         ]
  66.     def __str__(self):
  67.         return ("%s %s" % (self.req_id, self.host_name))
  68. 

  69. class HostSSHRequest(SignRequest, object):
  70.     def __init__(self, req_id, host_name, key_data):
  71.         super(HostSSHRequest, self).__init__(req_id)
  72. 

  73.         self.host_name = host_name
  74.         self.key_data = key_data
  75. 

  76.     @property
  77.     def name(self):
  78.         return "Hostname: %s" % self.host_name
  79. 

  80.     @property
  81.     def fields(self):
  82.         return [
  83.             ("Hostname", self.host_name)
  84.         ]
  85.     def __str__(self):
  86.         return ("%s %s" % (self.req_id, self.host_name))
  87. 

  88. 

  89. class Authority(object):
  90.     ca_type = None
  91. 

  92.     def __init__(self, ca_id, name, ca_dir):
  93.         self.ca_id = ca_id
  94.         self.name = name
  95.         self.ca_dir = ca_dir
  96. 

  97.     @property
  98.     def path(self):
  99.         return os.path.join(self.ca_dir, self.ca_id)
  100. 

  101.     def generate(self):
  102.         raise NotImplementedError()
  103. 

  104.     def sign(self, request):
  105.         raise NotImplementedError()
  106. 

  107. 

  108. class SSHAuthority(Authority):
  109.     ca_type = 'ssh'
  110. 

  111.     key_algorithm = 'ed25519'
  112. 

  113.     user_validity = '+52w'
  114.     host_validity = '+52w'
  115. 

  116.     def generate(self):
  117.         if os.path.exists(self.path):
  118.             raise ValueError("A CA with the same id and type already exists")
  119. 

  120.         subprocess.check_output(['ssh-keygen',
  121.             '-f', self.path,
  122.             '-t', self.key_algorithm,
  123.             '-C', self.name])
  124. 

  125.         with open(self.path + '.serial', 'w') as stream:
  126.             stream.write(str(0))
  127. 

  128. 

  129.     def sign(self, request):
  130. 

  131.         assert type(request) in [UserSSHRequest, HostSSHRequest]
  132. 

  133.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  134.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  135. 

  136.         with open(self.path + '.serial', 'r') as stream:
  137.             next_serial = int(stream.read())
  138.         with open(self.path + '.serial', 'w') as stream:
  139.             stream.write(str(next_serial + 1))
  140. 

  141.         with open(pub_key_path, 'w') as stream:
  142.             stream.write(request.key_data)
  143. 

  144.         ca_private_key = self.path
  145. 

  146.         if type(request) == UserSSHRequest:
  147.             login_names = [request.user_name]
  148.             if request.root_requested:
  149.                 login_names.append('root')
  150. 

  151.             subprocess.check_output(['ssh-keygen',
  152.                 '-s', ca_private_key,
  153.                 '-I', 'user_%s' % request.user_name,
  154.                 '-n', ','.join(login_names),
  155.                 '-V', self.user_validity,
  156.                 '-z', str(next_serial),
  157.                 pub_key_path])
  158.         elif type(request) == HostSSHRequest:
  159.             subprocess.check_output(['ssh-keygen',
  160.                 '-s', ca_private_key,
  161.                 '-I', 'host_%s' % request.host_name.replace('.', '_'),
  162.                 '-h',
  163.                 '-n', request.host_name,
  164.                 '-V', self.host_validity,
  165.                 '-z', str(next_serial),
  166.                 pub_key_path])
  167. 

  168.         return cert_path
  169. 

  170. class SSLAuthority(Authority):
  171.     ca_type = 'ssl'
  172. 

  173.     ca_key_algorithm = 'des3'
  174.     key_length = '4096'
  175. 

  176.     key_algorithm = 'sha256'
  177.     ca_validity = '365'
  178.     cert_validity = '365'
  179. 

  180.     def generate(self):
  181.         if os.path.exists(self.path):
  182.             raise ValueError("A CA with the same id and type already exists")
  183. 

  184.         subprocess.check_output(['openssl',
  185.             'genrsa',
  186.             '-%s'%self.ca_key_algorithm,
  187.             '-out', '%s'%(self.path),
  188.             self.key_length])
  189. 

  190.         subprocess.check_output(['openssl',
  191.             'req',
  192.             '-new',
  193.             '-x509',
  194.             '-days', self.ca_validity,
  195.             '-key', self.path,
  196.             # '-extensions', 'v3_ca'
  197.             '-out', "%s.pub"%self.path,
  198.             # '-config', "%s.conf"%self.path
  199.             ])
  200. 

  201.         with open(self.path + '.serial', 'w') as stream:
  202.             stream.write(str(0))
  203. 

  204. 

  205.     def sign(self, request):
  206.         OUTPUT_PATH
  207. 

  208.         assert type(request) in [HostSSLRequest]
  209. 

  210.         pub_key_path = os.path.join(OUTPUT_PATH, request.req_id + '.pub')
  211.         cert_path = os.path.join(OUTPUT_PATH, request.req_id + '-cert.pub')
  212. 

  213.         with open(self.path + '.serial', 'r') as stream:
  214.             next_serial = int(stream.read())
  215.         with open(self.path + '.serial', 'w') as stream:
  216.             stream.write(str(next_serial + 1))
  217. 

  218.         with open(pub_key_path, 'w') as stream:
  219.             stream.write(request.key_data)
  220. 

  221.         ca_private_key = self.path
  222. 

  223.         # openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt        # print()
  224.         subprocess.check_output(['openssl',
  225.                         'x509',
  226.                         '-req',
  227.                         '-days', self.ca_validity,
  228.                         '-in', pub_key_path,
  229.                         '-CA', "%s.pub"%self.path,
  230.                         '-CAkey', self.path,
  231.                         '-CAcreateserial',
  232.                         '-out', cert_path,
  233.                         '-%s'%self.key_algorithm])
  234. 

  235.         return cert_path