author | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 08:03:44 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 08:03:44 +0200 |
commit | d57fd66d687211a0fa62ad515872749d2946bb8e (patch) | |
tree | 8b1f3233e66da75ad764888aefa6e1ee533cc82d /scripts | |
parent | f0f39288d640a0b0a755c49fdc08f1219c386ca7 (diff) | |
Added vault scripts.
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/vault-client-archive.sh | 90 | ||||
-rwxr-xr-x | scripts/vault-client-remove.sh | 54 | ||||
-rwxr-xr-x | scripts/vault-client-retrieve.sh | 87 | ||||
-rwxr-xr-x | scripts/vault-init.sh | 10 | ||||
-rwxr-xr-x | scripts/vault-server-archive.sh | 90 | ||||
-rwxr-xr-x | scripts/vault-server-remove.sh | 76 | ||||
-rwxr-xr-x | scripts/vault-server-retrieve.sh | 77 |
7 files changed, 484 insertions, 0 deletions
diff --git a/scripts/vault-client-archive.sh b/scripts/vault-client-archive.sh
new file mode 100755
index 0000000..726b381
--- /dev/null
+++ b/scripts/vault-client-archive.sh
@@ -0,0 +1,90 @@ +#!/bin/python + +import base64 +import getopt +import subprocess +import sys + +from cryptography.fernet import Fernet +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.backends import default_backend + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: vault-client-archive --user-id <user ID> --secret-id <secret ID> --vault-password <password> --secret <secret>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'hv', [ + 'user-id=', 'secret-id=', 'vault-password=', 'secret=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + verbose = False + + user_id = None + secret_id = None + vault_password = None + secret = None + + for o, a in opts: + if o == '-v': + verbose = True + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + elif o == '--vault-password': + vault_password = a + + elif o == '--secret': + secret = a + + if user_id is None or secret_id is None or vault_password is None or secret is None: + usage() + sys.exit(1) + + backend = default_backend() + + # generate key from vault password + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt="0000000000000000", + iterations=100000, + backend=backend + ) + vault_key = base64.b64encode(kdf.derive(vault_password)) + + if verbose: + print "Vault Key: " + vault_key + + # encrypt secret with key + f = Fernet(vault_key) + data = f.encrypt(secret) + + if verbose: + print "Encrypted Secret: " + data + + # send user ID, secret ID, and encrypted secret to server + subprocess.check_call(['./vault-server-archive.sh', '--user-id', user_id, '--secret-id', secret_id, '--data', data]) + + print "Secret archived." + +if __name__ == '__main__': + main(sys.argv) 
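Review bot: The PBKDF2 salt on the `salt="0000000000000000"` line is a fixed constant, so the vault key depends on the password alone and identical passwords produce identical keys for every user; a per-record salt (random and stored alongside the archived data, or at minimum derived from the user ID and secret ID) is the usual fix, and the same constant is in vault-client-retrieve.sh. The `-v` branch prints the derived key with `print "Vault Key: " + vault_key`, which puts key material into terminal scrollback and any captured output; printing only its length or a short fingerprint is safer. `-h` and `--verbose` are accepted by the getopt spec but never handled in the option loop, so `-h` falls through to the missing-argument check instead of printing usage. The secret is taken from `--secret` on the command line, so the plaintext is visible in process listings and shell history; the usage text should at least say so, or the script could read it from stdin when the option is absent.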
diff --git a/scripts/vault-client-remove.sh b/scripts/vault-client-remove.sh new file mode 100755 index 0000000..731c918 --- /dev/null +++ b/scripts/vault-client-remove.sh @@ -0,0 +1,54 @@ +#!/bin/python + +import getopt +import subprocess +import sys + +from cryptography.fernet import Fernet +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.backends import default_backend + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: ipa-client-remove --user-id <user ID> --secret-id <secret ID>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'hv', [ + 'user-id=', 'secret-id=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + verbose = False + + user_id = None + secret_id = None + + for o, a in opts: + if o == '--v': + verbose = True + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + subprocess.check_call(['./vault-server-remove.sh', '--user-id', user_id, '--secret-id', secret_id]) + + print "Secret removed." + +if __name__ == '__main__': + main(sys.argv) diff --git a/scripts/vault-client-retrieve.sh b/scripts/vault-client-retrieve.sh new file mode 100755 index 0000000..0980ddd --- /dev/null +++ b/scripts/vault-client-retrieve.sh 
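Review bot: `user_id` and `secret_id` are handed to `subprocess.check_call` without the `None` check the other client scripts perform, so omitting either option fails with a TypeError from the argv list instead of printing usage; add `if user_id is None or secret_id is None: usage(); sys.exit(1)` before the call. The verbose test `if o == '--v':` can never match because getopt reports the short flag as `-v`, and `verbose` is never read afterwards anyway. The usage string names `ipa-client-remove` rather than `vault-client-remove`, and the cryptography imports at the top of this script are unused.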
@@ -0,0 +1,87 @@ +#!/bin/python + +import base64 +import getopt +import subprocess +import sys + +from cryptography.fernet import Fernet +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.backends import default_backend + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: vault-client-retrieve --user-id <user ID> --secret-id <secret ID> --vault-password <password>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'hv', [ + 'user-id=', 'secret-id=', 'vault-password=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + verbose = False + + user_id = None + secret_id = None + vault_password = None + + for o, a in opts: + if o == '-v': + verbose = True + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + elif o == '--vault-password': + vault_password = a + + if user_id is None or secret_id is None or vault_password is None: + usage() + sys.exit(1) + + backend = default_backend() + + # generate key from vault password + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt="0000000000000000", + iterations=100000, + backend=backend + ) + vault_key = base64.b64encode(kdf.derive(vault_password)) + + if verbose: + print "Vault Key: " + vault_key + + # send user ID, secret ID, and encrypted secret to server + p = subprocess.Popen(['./vault-server-retrieve.sh', '--user-id', user_id, '--secret-id', secret_id], stdout=subprocess.PIPE) + data = p.stdout.read().strip() + + if verbose: + print "Encrypted secret: " + data + + # decrypt secret with key + f = Fernet(vault_key) + secret = f.decrypt(data) + + print secret + +if __name__ == '__main__': + main(sys.argv) diff --git a/scripts/vault-init.sh b/scripts/vault-init.sh new file mode 100755 index 0000000..f6c5b4c --- /dev/null 
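Review bot: The `subprocess.Popen(...)` call is never waited on and its exit status is never checked, so when `./vault-server-retrieve.sh` fails the script reads an empty `data` and `f.decrypt(data)` raises an InvalidToken that hides the real cause; `data = subprocess.check_output([...]).strip()` waits for the child and raises CalledProcessError on a non-zero exit. The comment `# send user ID, secret ID, and encrypted secret to server` is copied from the archive script; this step asks the server for the encrypted secret, so `# fetch the encrypted secret from the server` would describe it. The fixed PBKDF2 salt and the verbose printing of the vault key mirror vault-client-archive.sh and should be changed together with it.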
+++ b/scripts/vault-init.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +cd ~/.dogtag/pki-tomcat + +# export CA admin cert +openssl pkcs12 -nodes -in ca_admin_cert.p12 -out ca_admin_cert.pem -password file:ca/password.conf + +# get transport cert +certutil -L -d /var/lib/pki/pki-tomcat/alias -n "transportCert cert-pki-tomcat KRA" -a > transport.crt +certutil -A -d ca/alias -n "KRA Transport Certificte" -i transport.crt -a -t "u,u,u" diff --git a/scripts/vault-server-archive.sh b/scripts/vault-server-archive.sh new file mode 100755 index 0000000..659c929 --- /dev/null +++ b/scripts/vault-server-archive.sh 
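Review bot: The nickname in the final `certutil -A` line is `"KRA Transport Certificte"`, while vault-server-archive.sh, vault-server-remove.sh and vault-server-retrieve.sh look up `"KRA Transport Certificate"`, so the server scripts will not find the transport certificate in the NSS database this script populates; the nickname should read `"KRA Transport Certificate"`. `openssl pkcs12 -nodes` writes the PKCS#12 contents, including any private key it holds, unencrypted to `ca_admin_cert.pem` under the default umask, so a `umask 077` before that line (or `chmod 600 ca_admin_cert.pem` after it) keeps the admin credential from being readable by other local users. The leading `cd` is unchecked; `cd ~/.dogtag/pki-tomcat || exit 1` (or `set -e` at the top) stops the script when the directory is missing instead of running the remaining commands in the wrong place.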
@@ -0,0 +1,90 @@ +#!/bin/python + +import getopt +import sys + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: vault-server-archive --user-id <user ID> --secret-id <secret ID> --data <data>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [ + 'user-id=', 'secret-id=', 'data=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + verbose = False + + nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias" + nssdb_password = "Secret123" + + transport_cert_nickname = "KRA Transport Certificate" + admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem" + + scheme = 'https' + host = 'localhost' + port = '8443' + subsystem = 'kra' + + user_id = None + secret_id = None + data = None + + for o, a in opts: + if o == '-v': + verbose = True + + elif o == '-d': + nssdb_directory = a + + elif o == '-c': + nssdb_password = a + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + elif o == '--data': + data = a + + if user_id is None or secret_id is None or data is None: + usage() + sys.exit(1) + + client_key_id = "%s:%s" % (user_id, secret_id) + if verbose: + print "Client Key ID: " + client_key_id + + crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password) + crypto.initialize() + + conn = pki.client.PKIConnection(scheme, host, port, subsystem) + conn.set_authentication_cert(admin_cert) + + kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname) + key_client = kra_client.keys + + response = key_client.archive_key( + client_key_id, + pki.key.KeyClient.PASS_PHRASE_TYPE, + data) + + if verbose: + print "Key ID: " + str(response.get_key_id()) + +if __name__ == '__main__': + main(sys.argv) diff --git a/scripts/vault-server-remove.sh b/scripts/vault-server-remove.sh new file mode 100755 index 0000000..a66f2cf --- /dev/null 
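Review bot: `nssdb_password = "Secret123"` hard-codes the NSS database password in the script, and the only override is the `-c` option, which exposes the password in process listings; the same default appears in vault-server-remove.sh and vault-server-retrieve.sh. Reading it from a file with restrictive permissions (vault-init.sh already refers to `ca/password.conf`) or prompting via `getpass.getpass()` would avoid both. `client_key_id = "%s:%s" % (user_id, secret_id)` uses ':' as the separator, so a user ID containing ':' can produce the same key ID as a different user/secret pair; rejecting ':' in `user_id` or using a separator that cannot occur in either value closes that, and the same construction is used in the remove and retrieve scripts. `-h` is accepted by the getopt spec but never handled, and `--verbose` is accepted while only `-v` sets `verbose`.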
+++ b/scripts/vault-server-remove.sh @@ -0,0 +1,76 @@ +#!/bin/python + +import getopt +import sys + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: vault-server-remove --user-id <user ID> --secret-id <secret ID>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [ + 'user-id=', 'secret-id=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias" + nssdb_password = "Secret123" + + transport_cert_nickname = "KRA Transport Certificate" + admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem" + + scheme = 'https' + host = 'localhost' + port = '8443' + subsystem = 'kra' + + user_id = None + secret_id = None + + for o, a in opts: + if o == '-d': + nssdb_directory = a + + elif o == '-c': + nssdb_password = a + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + if user_id is None or secret_id is None: + usage() + sys.exit(1) + + client_key_id = '%s:%s' % (user_id, secret_id) + + crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password) + crypto.initialize() + + conn = pki.client.PKIConnection(scheme, host, port, subsystem) + conn.set_authentication_cert(admin_cert) + + kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname) + key_client = kra_client.keys + + key_info = key_client.get_active_key_info(client_key_id) + key_id = key_info.get_key_id() + + key_client.modify_key_status(key_id, pki.key.KeyClient.KEY_STATUS_INACTIVE) + +if __name__ == '__main__': + main(sys.argv) diff --git a/scripts/vault-server-retrieve.sh b/scripts/vault-server-retrieve.sh new file mode 100755 index 0000000..84652b1 --- /dev/null +++ b/scripts/vault-server-retrieve.sh 
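Review bot: The script deactivates the key with `modify_key_status(key_id, pki.key.KeyClient.KEY_STATUS_INACTIVE)` rather than deleting it, but nothing here or in the "Secret removed." message printed by vault-client-remove.sh says so; a comment such as `# Deactivate only: the key record stays in the KRA after this call` above that line would keep operators from assuming the secret is gone. `get_active_key_info(client_key_id)` is used without handling the case where no active key exists for that ID, so a repeated removal or a typo in either ID presumably ends in an uncaught exception rather than a clear message and exit status. The short-option spec `'c:d:hv'` accepts `-h` and `-v`, but neither is handled in the option loop, and `verbose` is never defined in this script.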
@@ -0,0 +1,77 @@ +#!/bin/python + +import getopt +import sys + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra + +def usage(): + print "usage: vault-server-retrieve --user-id <user ID> --secret-id <secret ID>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [ + 'user-id=', 'secret-id=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias" + nssdb_password = "Secret123" + + transport_cert_nickname = "KRA Transport Certificate" + admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem" + + scheme = 'https' + host = 'localhost' + port = '8443' + subsystem = 'kra' + + user_id = None + secret_id = None + + for o, a in opts: + if o == '-d': + nssdb_directory = a + + elif o == '-c': + nssdb_password = a + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + if user_id is None or secret_id is None: + usage() + sys.exit(1) + + client_key_id = '%s:%s' % (user_id, secret_id) + + crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password) + crypto.initialize() + + conn = pki.client.PKIConnection(scheme, host, port, subsystem) + conn.set_authentication_cert(admin_cert) + + kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname) + key_client = kra_client.keys + + key_info = key_client.get_active_key_info(client_key_id) + key_id = key_info.get_key_id() + + response = key_client.retrieve_key(key_id) + + print response.data + +if __name__ == '__main__': + main(sys.argv) |
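Review bot: `response.data` is printed without checking that the retrieval returned anything, and `get_active_key_info(client_key_id)` is likewise unchecked, so a missing or inactive key presumably surfaces as a traceback on stderr while vault-client-retrieve.sh reads an empty stdout and tries to decrypt it; a guard such as `if not response.data: print >> sys.stderr, 'ERROR: no data for ' + client_key_id` followed by `sys.exit(1)` lets the client distinguish a failure from a secret. Because `print response.data` is the only channel back to the client, the trailing newline it adds is what forces the `.strip()` on the client side; a comment `# stdout is the return channel to vault-client-retrieve.sh` would make that coupling explicit. As in the other server scripts, `-h` and `-v` are accepted by the getopt spec but never handled.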