From 182953df4760b72e3b1b58e00ea1cfa93396d570 Mon Sep 17 00:00:00 2001
From: Seth Vidal
Date: Fri, 21 Sep 2007 00:05:52 -0400
Subject: add func/certs.py add __init__.py to make importing from func easier
---
 certs/master-keys.py | 44 ++++++++++++++++++
 certs/slave-keys.py | 65 ++------------------------
 func/__init__.py | 0
 func/certs.py | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 178 insertions(+), 60 deletions(-)
 create mode 100644 certs/master-keys.py
 create mode 100644 func/__init__.py
 create mode 100644 func/certs.py
diff --git a/certs/master-keys.py b/certs/master-keys.py
new file mode 100644
index 0000000..f576b77
--- /dev/null
+++ b/certs/master-keys.py
@@ -0,0 +1,44 @@
+#!/usr/bin/python -tt
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Library General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Copyright (c) 2007 Red Hat, inc
+#- Written by Seth Vidal skvidal @ fedoraproject.org
+
+import sys
+import os
+import os.path
+import func.certs
+
+
+cadir = '/etc/pki/func/ca'
+ca_key_file = '%s/funcmaster.key' % cadir
+ca_cert_file = '%s/funcmaster.crt' % cadir
+
+
+def main():
+    keypair = None
+    try:
+        if not os.path.exists(cadir):
+            os.makedirs(cadir)
+        if not os.path.exists(ca_key_file):
+            func.certs.create_ca(ca_key_file=ca_key_file, ca_cert_file=ca_cert_file)
+    except:
+        return 1
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+
diff --git a/certs/slave-keys.py b/certs/slave-keys.py
index 5ac3227..e1f6a45 100644
--- a/certs/slave-keys.py
+++ b/certs/slave-keys.py
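Review bot: `os.makedirs(cadir)` creates /etc/pki/func/ca with the default mode under whatever umask root happens to run with, and the CA signing key that `create_ca` then writes into it inherits the same default; the directory holding the master key should be created restricted, `os.makedirs(cadir, 0700)`, and the key file itself made 0600 (that mode is decided in func/certs.py, not here). The bare `except:` that follows returns 1 and discards the reason, and it also traps KeyboardInterrupt and SystemExit; catching `Exception` and writing `str(e)` to stderr before `return 1` keeps the exit status while telling the operator why CA creation failed. `import func.certs` sits outside the `try`, so any import failure of that module surfaces as a traceback rather than the exit code this script otherwise returns, which is worth knowing given how new the module is.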
@@ -18,67 +18,12 @@
 import sys
 import os
 import os.path
-from OpenSSL import crypto
-import socket
-
-
-def_country = 'UN'
-def_state = 'FC'
-def_local = 'Func-ytown'
-def_org = 'func'
-def_ou = 'slave-key'
+import func.certs
 
 cert_dir = '/etc/pki/func'
 key_file = '%s/slave.pem' % cert_dir
 csr_file = '%s/slave.csr' % cert_dir
-
-def make_cert(dest=None):
-    pkey = crypto.PKey()
-    pkey.generate_key(crypto.TYPE_RSA, 2048)
-    if dest:
-        destfo = open(dest, 'w')
-        destfo.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
-        destfo.close()
-
-    return pkey
-
-def make_csr(pkey, dest=None, cn=None):
-    req = crypto.X509Req()
-    req.get_subject()
-    subj = req.get_subject()
-    subj.C = def_country
-    subj.ST = def_state
-    subj.L = def_local
-    subj.O = def_org
-    subj.OU = def_ou
-    if cn:
-        subj.CN = cn
-    else:
-        subj.CN = socket.getfqdn()
-    subj.emailAddress = 'root@%s' % subj.CN
-
-    req.set_pubkey(pkey)
-    req.sign(pkey, 'md5')
-    if dest:
-        destfo = open(dest, 'w')
-        destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
-        destfo.close()
-
-    return req
-
-def retrieve_key_from_file(keyfile):
-    fo = open(keyfile, 'r')
-    buf = fo.read()
-    keypair = crypto.load_privatekey(crypto.FILETYPE_PEM, buf)
-    return keypair
-
-def retrieve_csr_from_file(csrfile)
-    fo = open(csrfile, 'r')
-    buf = fo.read()
-    csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf)
-    return csrreq
-
 def submit_csr_to_master(csrfile, master):
     # stuff happens here - I can just cram the csr in a POST if need be
     pass
@@ -89,12 +34,12 @@ def main():
     if not os.path.exists(cert_dir):
         os.makedirs(cert_dir)
     if not os.path.exists(key_file):
-        keypair = make_cert(dest=key_file)
+        keypair = func.certs.make_cert(dest=key_file)
     if not os.path.exists(csr_file):
         if not keypair:
-            keypair = retrieve_key_from_file(key_file)
-        csr = make_csr(keypair, dest=csr_file)
-    except:
+            keypair = func.certs.retrieve_key_from_file(key_file)
+        csr = func.certs.make_csr(keypair, dest=csr_file)
+        except: # need a little more specificity here
         return 1
 
     return 0
diff --git a/func/__init__.py b/func/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/func/certs.py b/func/certs.py
new file mode 100644
index 0000000..c9e004d
--- /dev/null
+++ b/func/certs.py
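Review bot: The rewritten `except: # need a little more specificity here` still catches everything, including KeyboardInterrupt and SystemExit, and returns 1 without recording why key or CSR generation failed; the comment names the problem but the hunk does not address it. Catching `Exception` (pyOpenSSL raises `OpenSSL.crypto.Error`, file problems arrive as `IOError`/`OSError`) and writing `str(e)` to stderr before `return 1` would give the operator a reason while keeping the exit status callers rely on. The `try:` this `except` closes and the `keypair = None` that the `if not keypair:` test depends on both start before the hunk, so that structure is inferred from the matching code in certs/master-keys.py. `csr = func.certs.make_csr(keypair, dest=csr_file)` binds a value main() never reads; calling `make_csr` for its side effect without the assignment avoids a misleading local.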
@@ -0,0 +1,129 @@
+#!/usr/bin/python -tt
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Library General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Copyright (c) 2007 Red Hat, inc
+#- Written by Seth Vidal skvidal @ fedoraproject.org
+
+from OpenSSL import crypto
+import socket
+
+
+def_country = 'UN'
+def_state = 'FC'
+def_local = 'Func-ytown'
+def_org = 'func'
+def_ou = 'slave-key'
+
+def make_cert(dest=None):
+    pkey = crypto.PKey()
+    pkey.generate_key(crypto.TYPE_RSA, 2048)
+    if dest:
+        destfo = open(dest, 'w')
+        destfo.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
+        destfo.close()
+
+    return pkey
+
+def make_csr(pkey, dest=None, cn=None):
+    req = crypto.X509Req()
+    req.get_subject()
+    subj = req.get_subject()
+    subj.C = def_country
+    subj.ST = def_state
+    subj.L = def_local
+    subj.O = def_org
+    subj.OU = def_ou
+    if cn:
+        subj.CN = cn
+    else:
+        subj.CN = socket.getfqdn()
+    subj.emailAddress = 'root@%s' % subj.CN
+
+    req.set_pubkey(pkey)
+    req.sign(pkey, 'md5')
+    if dest:
+        destfo = open(dest, 'w')
+        destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
+        destfo.close()
+
+    return req
+
+def retrieve_key_from_file(keyfile):
+    fo = open(keyfile, 'r')
+    buf = fo.read()
+    keypair = crypto.load_privatekey(crypto.FILETYPE_PEM, buf)
+    return keypair
+
+def retrieve_csr_from_file(csrfile):
+    fo = open(csrfile, 'r')
+    buf = fo.read()
+    csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf)
+    return csrreq
+
+def retrieve_cert_from_file(certfile):
+    fo = open(certfile, 'r')
+    buf = fo.read()
+    cert = crypto.load_certificate(crypto.FILETYPE_PEM, buf)
+    return cert
+
+def create_ca(CN="Func Certificate Authority", ca_key_file=None, ca_cert_file=None)
+    cakey = make_cert(dest=ca_key_file)
+    careq = make_csr(cakey, cn=CN)
+    cacert = crypto.X509()
+    cacert.set_serial_number(0)
+    cacert.gmtime_adj_notBefore(0)
+    cacert.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
+    cacert.set_issuer(careq.get_subject())
+    cacert.set_subject(careq.get_subject())
+    cacert.set_pubkey(careq.get_pubkey())
+    cacert.sign(cakey, 'md5')
+    if ca_cert_file:
+        destfo = open(ca_cert_file, 'w')
+        destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
+        destfo.close()
+
+def _get_serial_number(cadir):
+    serial = '%s/serial.txt' % cadir
+    i = 1
+    if os.path.exists(serial):
+        f = open(serial, 'r').read()
+        f = f.replace('\n','')
+        i = int(f)
+        i+=1
+    _set_serial_number(cadir, i)
+    return i
+
+def _set_serial_number(cadir, last):
+    serial = '%s/serial.txt' % cadir
+    f = open(serial, 'w')
+    f.write(last)
+    f.close()
+
+
+
+def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None)
+    cert = crypto.X509()
+    cert.set_serial_number(_get_serial_number(cadir))
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
+    cert.set_issuer(cacert.get_subject())
+    cert.set_subject(csr.get_subject())
+    cert.set_pubkey(csr.get_pubkey())
+    cert.sign(cakey, 'md5')
+    if slave_cert_file:
+        destfo = open(slave_cert_file, 'w')
+        destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+        destfo.close()
+    return cert
+    
\ No newline at end of file
-- 
cgit
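Review bot: func/certs.py will not import as written: `def create_ca(...)` and `def create_slave_certificate(...)` lack the trailing colon, `_get_serial_number` calls `os.path.exists` but the module never imports `os`, and `_set_serial_number` hands an int to `f.write`, which raises TypeError on Python 2 so every `create_slave_certificate` call dies at the serial step (`f.write(str(last))`). Private keys are written through `open(dest, 'w')` in `make_cert`, so the CA key at /etc/pki/func/ca/funcmaster.key and each slave key get the process umask (typically 0644, world-readable) and an existing key is silently overwritten; the key file should be created 0600 with O_EXCL. `create_slave_certificate` signs whatever subject and key the CSR carries without `csr.verify(csr.get_pubkey())` (proof of possession, assuming the installed pyOpenSSL exposes it), every signature here uses `'md5'`, which was already collision-prone in 2007 (`'sha1'` then, a SHA-2 digest today), and the self-signed CA cert carries no basicConstraints or keyUsage extension, so nothing distinguishes it from a leaf. The indentation of `_set_serial_number(cadir, i)` inside `_get_serial_number` is not recoverable from this rendering; if that call sits inside the `if`, serial.txt is never created and every certificate gets serial 1, so please confirm it is at function level.
```python
import os
# … unchanged: license header, OpenSSL/socket imports, def_* constants …

def make_cert(dest=None):
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, 2048)
    if dest:
        # private key material: create 0600 and refuse to clobber an existing file
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)
        destfo = os.fdopen(fd, 'w')
        destfo.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
        destfo.close()

    return pkey

# … unchanged: make_csr, retrieve_key_from_file, retrieve_csr_from_file, retrieve_cert_from_file …

def create_ca(CN="Func Certificate Authority", ca_key_file=None, ca_cert_file=None):
    # … unchanged body (sign with a SHA digest instead of 'md5') …

def _set_serial_number(cadir, last):
    serial = '%s/serial.txt' % cadir
    f = open(serial, 'w')
    f.write(str(last))
    f.close()

def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
    # refuse a CSR whose signature does not match its own public key
    if not csr.verify(csr.get_pubkey()):
        raise ValueError('CSR signature does not verify')
    # … unchanged body (sign with a SHA digest instead of 'md5') …
```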