|
|
@ -14,6 +14,7 @@ from ..paths import * |
|
|
|
|
|
|
|
import json |
|
|
|
|
|
|
|
|
|
|
|
class HostSSLRequest(SignRequest): |
|
|
|
def __init__(self, req_id, host_name, key_data): |
|
|
|
super(HostSSLRequest, self).__init__(req_id) |
|
|
@ -23,18 +24,19 @@ class HostSSLRequest(SignRequest): |
|
|
|
|
|
|
|
@property |
|
|
|
def name(self): |
|
|
|
return "Hostname: %s" % self.host_name |
|
|
|
return 'Hostname: %s' % self.host_name |
|
|
|
|
|
|
|
@property |
|
|
|
def fields(self): |
|
|
|
return [ |
|
|
|
("Hostname", self.host_name) |
|
|
|
('Hostname', self.host_name) |
|
|
|
] |
|
|
|
|
|
|
|
@property |
|
|
|
def receiver(self): |
|
|
|
return self.host_name |
|
|
|
|
|
|
|
|
|
|
|
class CASSLRequest(SignRequest): |
|
|
|
def __init__(self, req_id, ca_name, key_data): |
|
|
|
super(CASSLRequest, self).__init__(req_id) |
|
|
@ -44,20 +46,21 @@ class CASSLRequest(SignRequest): |
|
|
|
|
|
|
|
@property |
|
|
|
def name(self): |
|
|
|
return "CA name: %s" % self.ca_name |
|
|
|
return 'CA name: %s' % self.ca_name |
|
|
|
|
|
|
|
@property |
|
|
|
def fields(self): |
|
|
|
return [ |
|
|
|
("CA name", self.ca_name) |
|
|
|
('CA name', self.ca_name) |
|
|
|
] |
|
|
|
|
|
|
|
@property |
|
|
|
def receiver(self): |
|
|
|
return self.ca_name |
|
|
|
|
|
|
|
|
|
|
|
class SSLAuthority(Authority): |
|
|
|
request_allowed = [ HostSSLRequest, CASSLRequest, ] |
|
|
|
request_allowed = [HostSSLRequest, CASSLRequest, ] |
|
|
|
|
|
|
|
ca_key_algorithm = 'des3' |
|
|
|
key_length = '4096' |
|
|
@ -69,7 +72,7 @@ class SSLAuthority(Authority): |
|
|
|
|
|
|
|
def generate(self): |
|
|
|
if os.path.exists(self.path): |
|
|
|
raise ValueError("A CA with the same id and type already exists") |
|
|
|
raise ValueError('A CA with the same id and type already exists') |
|
|
|
confirm = input('Is a root CA? [y/N]> ') |
|
|
|
if confirm == 'y': |
|
|
|
self.isRoot = True |
|
|
@ -77,55 +80,54 @@ class SSLAuthority(Authority): |
|
|
|
self.isRoot = False |
|
|
|
|
|
|
|
subprocess.check_output(['openssl', |
|
|
|
'genrsa', |
|
|
|
'-%s'%self.ca_key_algorithm, |
|
|
|
'-out', '%s'%(self.path), |
|
|
|
self.key_length]) |
|
|
|
'genrsa', |
|
|
|
'-%s' % self.ca_key_algorithm, |
|
|
|
'-out', '%s' % (self.path), |
|
|
|
self.key_length]) |
|
|
|
if self.isRoot: |
|
|
|
subprocess.check_output(['openssl', |
|
|
|
'req', |
|
|
|
'-extensions', 'v3_root_ca', |
|
|
|
'-config', os.path.join(os.path.dirname(os.path.abspath(getsourcefile(lambda:0))), '../openssl-config/openssl.cnf'), |
|
|
|
'-new', |
|
|
|
'-x509', |
|
|
|
'-days', self.root_ca_validity, |
|
|
|
'-key', self.path, |
|
|
|
# '-extensions', 'v3_ca' |
|
|
|
'-out', "%s.pub"%self.path, |
|
|
|
# '-config', "%s.conf"%self.path |
|
|
|
]) |
|
|
|
'req', |
|
|
|
'-extensions', 'v3_root_ca', |
|
|
|
'-config', os.path.join(os.path.dirname(os.path.abspath(getsourcefile(lambda:0))), '../openssl-config/openssl.cnf'), |
|
|
|
'-new', |
|
|
|
'-x509', |
|
|
|
'-days', self.root_ca_validity, |
|
|
|
'-key', self.path, |
|
|
|
# '-extensions', 'v3_ca' |
|
|
|
'-out', '%s.pub' % self.path, |
|
|
|
# '-config', "%s.conf"%self.path |
|
|
|
]) |
|
|
|
else: |
|
|
|
subprocess.check_output(['openssl', |
|
|
|
'req', |
|
|
|
'-new', |
|
|
|
#'-x509', |
|
|
|
# '-days', self.ca_validity, |
|
|
|
'-key', self.path, |
|
|
|
# '-extensions', 'v3_ca' |
|
|
|
'-out', "%s.csr"%self.path, |
|
|
|
# '-config', "%s.conf"%self.path |
|
|
|
]) |
|
|
|
'req', |
|
|
|
'-new', |
|
|
|
#'-x509', |
|
|
|
# '-days', self.ca_validity, |
|
|
|
'-key', self.path, |
|
|
|
# '-extensions', 'v3_ca' |
|
|
|
'-out', '%s.csr' % self.path, |
|
|
|
# '-config', "%s.conf"%self.path |
|
|
|
]) |
|
|
|
result_dict = {} |
|
|
|
result_dict['keyType'] = 'ssl_ca' |
|
|
|
result_dict['caName'] = self.ca_id |
|
|
|
with open("%s.csr"%self.path, 'r') as f: |
|
|
|
with open("%s.csr" % self.path, 'r') as f: |
|
|
|
result_dict['keyData'] = "".join(f.readlines()) |
|
|
|
|
|
|
|
request = { 'type': 'sign_request', 'request': result_dict } |
|
|
|
print("Please sign the following request:") |
|
|
|
request = {'type': 'sign_request', 'request': result_dict} |
|
|
|
print('Please sign the following request:') |
|
|
|
print(json.dumps(request)) |
|
|
|
|
|
|
|
with open(self.path + '.serial', 'w') as stream: |
|
|
|
stream.write(str(0)) |
|
|
|
|
|
|
|
|
|
|
|
def generate_certificate(self, request): |
|
|
|
""" |
|
|
|
Sign a *SSLRequest with this certification authority |
|
|
|
""" |
|
|
|
|
|
|
|
if not os.path.exists("%s.pub"%self.path) and not self.isRoot: |
|
|
|
raise ValueError("The CA certificate '%s.pub' doesn't exists yet"%self.path) |
|
|
|
if not os.path.exists('%s.pub' % self.path) and not self.isRoot: |
|
|
|
raise ValueError("The CA certificate '%s.pub' doesn't exists yet" % self.path) |
|
|
|
|
|
|
|
pub_key_path = request.destination |
|
|
|
cert_path = request.cert_destination |
|
|
@ -134,18 +136,18 @@ class SSLAuthority(Authority): |
|
|
|
stream.write(request.key_data) |
|
|
|
|
|
|
|
subprocess.check_output(['openssl', |
|
|
|
'x509', |
|
|
|
'-req', |
|
|
|
'-days', self.ca_validity, |
|
|
|
'-in', pub_key_path, |
|
|
|
'-CA', "%s.pub"%self.path, |
|
|
|
'-CAkey', self.path, |
|
|
|
'-CAcreateserial', |
|
|
|
'-out', cert_path, |
|
|
|
'-%s'%self.key_algorithm]) |
|
|
|
'x509', |
|
|
|
'-req', |
|
|
|
'-days', self.ca_validity, |
|
|
|
'-in', pub_key_path, |
|
|
|
'-CA', '%s.pub' % self.path, |
|
|
|
'-CAkey', self.path, |
|
|
|
'-CAcreateserial', |
|
|
|
'-out', cert_path, |
|
|
|
'-%s' % self.key_algorithm]) |
|
|
|
|
|
|
|
if not self.isRoot: |
|
|
|
with open(cert_path, "a") as cert_file: |
|
|
|
with open("%s.pub"%self.path) as ca_cert_file: |
|
|
|
with open(cert_path, 'a') as cert_file: |
|
|
|
with open('%s.pub' % self.path) as ca_cert_file: |
|
|
|
cert_file.writelines(ca_cert_file.readlines()) |
|
|
|
return self.ca_validity |