-rwxr-xr-xscripts/vault-client-archive.sh90
-rwxr-xr-xscripts/vault-client-remove.sh54
-rwxr-xr-xscripts/vault-client-retrieve.sh87
-rwxr-xr-xscripts/vault-init.sh10
-rwxr-xr-xscripts/vault-server-archive.sh90
-rwxr-xr-xscripts/vault-server-remove.sh76
-rwxr-xr-xscripts/vault-server-retrieve.sh77
7 files changed, 484 insertions, 0 deletions
diff --git a/scripts/vault-client-archive.sh b/scripts/vault-client-archive.sh
new file mode 100755
index 0000000..726b381
--- /dev/null
+++ b/scripts/vault-client-archive.sh
@@ -0,0 +1,90 @@
+#!/bin/python
+
+import base64
+import getopt
+import subprocess
+import sys
+
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.backends import default_backend
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+ print "usage: vault-client-archive --user-id <user ID> --secret-id <secret ID> --vault-password <password> --secret <secret>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'hv', [
+ 'user-id=', 'secret-id=', 'vault-password=', 'secret=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ verbose = False
+
+ user_id = None
+ secret_id = None
+ vault_password = None
+ secret = None
+
+ for o, a in opts:
+ if o == '-v':
+ verbose = True
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ elif o == '--vault-password':
+ vault_password = a
+
+ elif o == '--secret':
+ secret = a
+
+ if user_id is None or secret_id is None or vault_password is None or secret is None:
+ usage()
+ sys.exit(1)
+
+ backend = default_backend()
+
+ # generate key from vault password
+ kdf = PBKDF2HMAC(
+ algorithm=hashes.SHA256(),
+ length=32,
+ salt="0000000000000000",
+ iterations=100000,
+ backend=backend
+ )
+ vault_key = base64.b64encode(kdf.derive(vault_password))
+
+ if verbose:
+ print "Vault Key: " + vault_key
+
+ # encrypt secret with key
+ f = Fernet(vault_key)
+ data = f.encrypt(secret)
+
+ if verbose:
+ print "Encrypted Secret: " + data
+
+ # send user ID, secret ID, and encrypted secret to server
+ subprocess.check_call(['./vault-server-archive.sh', '--user-id', user_id, '--secret-id', secret_id, '--data', data])
+
+ print "Secret archived."
+
+if __name__ == '__main__':
+ main(sys.argv)
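Review bot: The PBKDF2 salt in the `kdf = PBKDF2HMAC(...)` call is the fixed literal `"0000000000000000"`, so the vault key depends on the password alone and two users with the same password derive the same Fernet key; vault-client-retrieve.sh repeats the same constant. A per-vault random salt (for example from `os.urandom`) stored with the archived record and supplied again on the retrieve path is the usual shape of the fix. The vault password is also taken from `--vault-password` on the command line, where it is visible to other local users in the process list; reading it interactively with `getpass` or from a protected file avoids that exposure. The `'verbose'` and `'help'` long options are accepted by getopt but never handled in the option loop, so `--verbose` is silently ignored.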
diff --git a/scripts/vault-client-remove.sh b/scripts/vault-client-remove.sh
new file mode 100755
index 0000000..731c918
--- /dev/null
+++ b/scripts/vault-client-remove.sh
@@ -0,0 +1,54 @@
+#!/bin/python
+
+import getopt
+import subprocess
+import sys
+
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.backends import default_backend
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+ print "usage: ipa-client-remove --user-id <user ID> --secret-id <secret ID>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'hv', [
+ 'user-id=', 'secret-id=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ verbose = False
+
+ user_id = None
+ secret_id = None
+
+ for o, a in opts:
+ if o == '--v':
+ verbose = True
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ subprocess.check_call(['./vault-server-remove.sh', '--user-id', user_id, '--secret-id', secret_id])
+
+ print "Secret removed."
+
+if __name__ == '__main__':
+ main(sys.argv)
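Review bot: The verbose check `if o == '--v':` can never match, because getopt yields the short flag as `-v` (the other client scripts compare against `'-v'`). The script also calls `subprocess.check_call` without the `if user_id is None or secret_id is None:` guard its siblings have, so a missing option passes `None` into the argument list and fails with a TypeError instead of the usage text; add `if user_id is None or secret_id is None:` / `usage()` / `sys.exit(1)` before the call. The usage string names the tool `ipa-client-remove` while the file is vault-client-remove.sh.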
diff --git a/scripts/vault-client-retrieve.sh b/scripts/vault-client-retrieve.sh
new file mode 100755
index 0000000..0980ddd
--- /dev/null
+++ b/scripts/vault-client-retrieve.sh
@@ -0,0 +1,87 @@
+#!/bin/python
+
+import base64
+import getopt
+import subprocess
+import sys
+
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.backends import default_backend
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+ print "usage: vault-client-retrieve --user-id <user ID> --secret-id <secret ID> --vault-password <password>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'hv', [
+ 'user-id=', 'secret-id=', 'vault-password=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ verbose = False
+
+ user_id = None
+ secret_id = None
+ vault_password = None
+
+ for o, a in opts:
+ if o == '-v':
+ verbose = True
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ elif o == '--vault-password':
+ vault_password = a
+
+ if user_id is None or secret_id is None or vault_password is None:
+ usage()
+ sys.exit(1)
+
+ backend = default_backend()
+
+ # generate key from vault password
+ kdf = PBKDF2HMAC(
+ algorithm=hashes.SHA256(),
+ length=32,
+ salt="0000000000000000",
+ iterations=100000,
+ backend=backend
+ )
+ vault_key = base64.b64encode(kdf.derive(vault_password))
+
+ if verbose:
+ print "Vault Key: " + vault_key
+
+ # send user ID, secret ID, and encrypted secret to server
+ p = subprocess.Popen(['./vault-server-retrieve.sh', '--user-id', user_id, '--secret-id', secret_id], stdout=subprocess.PIPE)
+ data = p.stdout.read().strip()
+
+ if verbose:
+ print "Encrypted secret: " + data
+
+ # decrypt secret with key
+ f = Fernet(vault_key)
+ secret = f.decrypt(data)
+
+ print secret
+
+if __name__ == '__main__':
+ main(sys.argv)
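Review bot: The `subprocess.Popen(...)` / `p.stdout.read()` pair never waits on the child or checks its exit status, so a failing vault-server-retrieve.sh leaves `data` empty and the failure only surfaces later as an unexplained Fernet token error; `data = subprocess.check_output(['./vault-server-retrieve.sh', '--user-id', user_id, '--secret-id', secret_id]).strip()` raises on a non-zero exit instead. A wrong vault password fails the same way, so catching `cryptography.fernet.InvalidToken` around `f.decrypt(data)` and reporting it as an error would make the two cases distinguishable. The comment above the Popen call says "send ... encrypted secret to server", but this path fetches it; `# fetch the encrypted secret for this user ID / secret ID from the server` matches the code.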
diff --git a/scripts/vault-init.sh b/scripts/vault-init.sh
new file mode 100755
index 0000000..f6c5b4c
--- /dev/null
+++ b/scripts/vault-init.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+cd ~/.dogtag/pki-tomcat
+
+# export CA admin cert
+openssl pkcs12 -nodes -in ca_admin_cert.p12 -out ca_admin_cert.pem -password file:ca/password.conf
+
+# get transport cert
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "transportCert cert-pki-tomcat KRA" -a > transport.crt
+certutil -A -d ca/alias -n "KRA Transport Certificte" -i transport.crt -a -t "u,u,u"
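Review bot: The nickname in the `certutil -A` line is `"KRA Transport Certificte"`, while the server scripts look the transport cert up as `"KRA Transport Certificate"` (vault-server-archive.sh and its siblings), so the certificate imported here will not be found under the expected name; fix the spelling to `-n "KRA Transport Certificate"`. The `openssl pkcs12 -nodes` export writes the admin private key unencrypted to ca_admin_cert.pem, so the file should be created with restrictive permissions, e.g. `umask 077` before the export or `chmod 600 ca_admin_cert.pem` after it. The script has no `set -e`, so a failed `cd` leaves the remaining commands running in whatever directory the caller was in.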
diff --git a/scripts/vault-server-archive.sh b/scripts/vault-server-archive.sh
new file mode 100755
index 0000000..659c929
--- /dev/null
+++ b/scripts/vault-server-archive.sh
@@ -0,0 +1,90 @@
+#!/bin/python
+
+import getopt
+import sys
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+ print "usage: vault-server-archive --user-id <user ID> --secret-id <secret ID> --data <data>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [
+ 'user-id=', 'secret-id=', 'data=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ verbose = False
+
+ nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias"
+ nssdb_password = "Secret123"
+
+ transport_cert_nickname = "KRA Transport Certificate"
+ admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem"
+
+ scheme = 'https'
+ host = 'localhost'
+ port = '8443'
+ subsystem = 'kra'
+
+ user_id = None
+ secret_id = None
+ data = None
+
+ for o, a in opts:
+ if o == '-v':
+ verbose = True
+
+ elif o == '-d':
+ nssdb_directory = a
+
+ elif o == '-c':
+ nssdb_password = a
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ elif o == '--data':
+ data = a
+
+ if user_id is None or secret_id is None or data is None:
+ usage()
+ sys.exit(1)
+
+ client_key_id = "%s:%s" % (user_id, secret_id)
+ if verbose:
+ print "Client Key ID: " + client_key_id
+
+ crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password)
+ crypto.initialize()
+
+ conn = pki.client.PKIConnection(scheme, host, port, subsystem)
+ conn.set_authentication_cert(admin_cert)
+
+ kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname)
+ key_client = kra_client.keys
+
+ response = key_client.archive_key(
+ client_key_id,
+ pki.key.KeyClient.PASS_PHRASE_TYPE,
+ data)
+
+ if verbose:
+ print "Key ID: " + str(response.get_key_id())
+
+if __name__ == '__main__':
+ main(sys.argv)
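Review bot: The NSS database password defaults to the in-source literal `nssdb_password = "Secret123"`, and the same default appears in vault-server-remove.sh and vault-server-retrieve.sh. The `-c` option allows an override, but that puts the password on the command line where it is visible in the process list; reading it from a password file (vault-init.sh already uses `ca/password.conf`) with no in-source default is the safer shape. The `-h`/`'help'` and `'verbose'` options are accepted by getopt but never handled in the option loop, so `--verbose` is silently ignored while `-v` works.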
diff --git a/scripts/vault-server-remove.sh b/scripts/vault-server-remove.sh
new file mode 100755
index 0000000..a66f2cf
--- /dev/null
+++ b/scripts/vault-server-remove.sh
@@ -0,0 +1,76 @@
+#!/bin/python
+
+import getopt
+import sys
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+ print "usage: vault-server-remove --user-id <user ID> --secret-id <secret ID>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [
+ 'user-id=', 'secret-id=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias"
+ nssdb_password = "Secret123"
+
+ transport_cert_nickname = "KRA Transport Certificate"
+ admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem"
+
+ scheme = 'https'
+ host = 'localhost'
+ port = '8443'
+ subsystem = 'kra'
+
+ user_id = None
+ secret_id = None
+
+ for o, a in opts:
+ if o == '-d':
+ nssdb_directory = a
+
+ elif o == '-c':
+ nssdb_password = a
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ if user_id is None or secret_id is None:
+ usage()
+ sys.exit(1)
+
+ client_key_id = '%s:%s' % (user_id, secret_id)
+
+ crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password)
+ crypto.initialize()
+
+ conn = pki.client.PKIConnection(scheme, host, port, subsystem)
+ conn.set_authentication_cert(admin_cert)
+
+ kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname)
+ key_client = kra_client.keys
+
+ key_info = key_client.get_active_key_info(client_key_id)
+ key_id = key_info.get_key_id()
+
+ key_client.modify_key_status(key_id, pki.key.KeyClient.KEY_STATUS_INACTIVE)
+
+if __name__ == '__main__':
+ main(sys.argv)
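Review bot: `key_info = key_client.get_active_key_info(client_key_id)` is dereferenced immediately as `key_info.get_key_id()` with no check that an active key exists for that client key ID; if the lookup yields nothing for an unknown or already-inactive ID (the return type is not visible here), this fails with an AttributeError rather than a clear message. vault-server-retrieve.sh has the same pattern. A guard such as `if key_info is None:` / `print 'ERROR: no active key for ' + client_key_id` / `sys.exit(1)` before the dereference would make the failure explicit.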
diff --git a/scripts/vault-server-retrieve.sh b/scripts/vault-server-retrieve.sh
new file mode 100755
index 0000000..84652b1
--- /dev/null
+++ b/scripts/vault-server-retrieve.sh
@@ -0,0 +1,77 @@
+#!/bin/python
+
+import getopt
+import sys
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+
+def usage():
+ print "usage: vault-server-retrieve --user-id <user ID> --secret-id <secret ID>"
+
+def main(argv):
+
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'c:d:hv', [
+ 'user-id=', 'secret-id=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ nssdb_directory = "/root/.dogtag/pki-tomcat/ca/alias"
+ nssdb_password = "Secret123"
+
+ transport_cert_nickname = "KRA Transport Certificate"
+ admin_cert = "/root/.dogtag/pki-tomcat/ca_admin_cert.pem"
+
+ scheme = 'https'
+ host = 'localhost'
+ port = '8443'
+ subsystem = 'kra'
+
+ user_id = None
+ secret_id = None
+
+ for o, a in opts:
+ if o == '-d':
+ nssdb_directory = a
+
+ elif o == '-c':
+ nssdb_password = a
+
+ elif o == '--user-id':
+ user_id = a
+
+ elif o == '--secret-id':
+ secret_id = a
+
+ if user_id is None or secret_id is None:
+ usage()
+ sys.exit(1)
+
+ client_key_id = '%s:%s' % (user_id, secret_id)
+
+ crypto = pki.crypto.NSSCryptoProvider(nssdb_directory, nssdb_password)
+ crypto.initialize()
+
+ conn = pki.client.PKIConnection(scheme, host, port, subsystem)
+ conn.set_authentication_cert(admin_cert)
+
+ kra_client = pki.kra.KRAClient(conn, crypto, transport_cert_nickname)
+ key_client = kra_client.keys
+
+ key_info = key_client.get_active_key_info(client_key_id)
+ key_id = key_info.get_key_id()
+
+ response = key_client.retrieve_key(key_id)
+
+ print response.data
+
+if __name__ == '__main__':
+ main(sys.argv)