Move to server, not client.

2 files changed, 600 insertions, 0 deletions

diff --git a/roles/fas_server/files/certhelper.py b/roles/fas_server/files/certhelper.py
new file mode 100755
index 000000000..76a48164f
--- /dev/null
+++ b/roles/fas_server/files/certhelper.py
@@ -0,0 +1,283 @@
+#!/usr/bin/python
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Library General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Copyright 2005 Dan Williams <dcbw@redhat.com> and Red Hat, Inc.
+
+
+import sys, os, tempfile
+
+OPENSSL_PROG = '/usr/bin/openssl'
+
+def print_usage(prog):
+    print "\nUsage:\n"
+    print "  %s ca --outdir=<outdir> --name=<name>\n" % prog
+    print "  %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog
+    print ""
+    print "        Types:"
+    print "           ca       - Build system Certificate Authority key & certificate"
+    print "           normal   - Key & certificate that works with the build server and builders"
+    print ""
+    print "Examples:\n"
+    print "    %s ca --outdir=/etc/plague/ca --name=my_ca" % prog
+    print "    %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog
+    print "    %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog
+    print "\n"
+
+
+class CertHelperException:
+    def __init__(self, message):
+        self.message = message
+
+
+class CertHelper:
+    def __init__(self, prog, outdir, name):
+        self._prog = prog
+        self._outdir = outdir
+        self._name = name
+
+    def dispatch(self, cmd, argslist):
+        if cmd.lower() == 'ca':
+            self._gencert_ca(argslist)
+        elif cmd.lower() == 'normal':
+            self._gencert_normal(argslist)
+        else:
+            print_usage(self._prog)
+
+    def _gencert_ca(self, args):
+        # Set up CA directory
+        if not os.path.exists(self._outdir):
+            os.makedirs(self._outdir)
+        try:
+            os.makedirs(os.path.join(self._outdir, 'certs'))
+            os.makedirs(os.path.join(self._outdir, 'crl'))
+            os.makedirs(os.path.join(self._outdir, 'newcerts'))
+            os.makedirs(os.path.join(self._outdir, 'private'))
+        except:
+            pass
+        cert_db = os.path.join(self._outdir, "index.txt")
+        os.system("/bin/touch %s" % cert_db)
+        serial = os.path.join(self._outdir, "serial")
+        if not os.path.exists(serial):
+            os.system("/bin/echo '01' > %s" % serial)
+
+        cnf = write_openssl_cnf(self._outdir, self._name, {})
+
+        # Create the CA key
+        key_file = os.path.join(self._outdir, "private", "cakey.pem")
+        cmd = "%s genrsa -out %s 4096" % (OPENSSL_PROG, key_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+        # Make the self-signed CA certificate
+        cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name)
+        cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+        os.remove(cnf)
+        print "Success.  Your Certificate Authority directory is: %s\n" % self._outdir
+
+    def _gencert_normal(self, args):
+        cadir = argfind(args, 'cadir')
+        if not cadir:
+            print_usage(self._prog)
+            sys.exit(1)
+        caname = argfind(args, 'caname')
+        if not caname:
+            print_usage(self._prog)
+            sys.exit(1)
+
+        cnf = write_openssl_cnf(cadir, caname, self._name, {})
+
+        # Generate key
+        key_file = os.path.join(self._outdir, "%s_key.pem" % self._name)
+        cmd = "%s genrsa -out %s 4096" % (OPENSSL_PROG, key_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+        print ""
+
+        # Generate the certificate request
+        req_file = os.path.join(self._outdir, "%s_req.pem" % self._name)
+        cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+        print ""
+
+        # Sign the request with the CA's certificate and key
+        cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name)
+        cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+        print ""
+
+        # Cat the normal cert and key together
+        key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name)
+        cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+        # Cleanup: remove the cert, key, and request files
+        cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file)
+        if os.system(cmd) != 0:
+            raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
+
+        os.remove(cnf)
+        print "Success.  Your certificate and key file is: %s\n" % key_and_cert
+
+
+def write_openssl_cnf(home, ca_name, commonname, opt_dict):
+    (fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True)
+    os.write(fd, """
+##############################
+HOME = %s
+RANDFILE = .rand
+
+##############################
+[ ca ]
+default_ca = CA_default\n
+
+##############################
+[ CA_default ]
+
+dir = $HOME
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/cacert.pem
+private_key = $dir/private/cakey.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+
+x509_extensions	= usr_cert
+
+name_opt 	= ca_default
+cert_opt 	= ca_default
+
+default_days	= 3650
+default_crl_days= 30
+default_md	= sha256
+preserve	= no
+
+policy		= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+##############################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+string_mask = MASK:0x2002
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= North Carolina
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Raleigh
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Fedora Project
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Fedora Builders
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_default		= %s
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+emailAddress_default		= buildsys@fedoraproject.org
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+##############################
+[ usr_cert ]
+
+basicConstraints=CA:FALSE
+nsComment			= "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+##############################
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+
+""" % (home, commonname ))
+
+    return name
+
+def argfind(arglist, prefix):
+    val = None
+    for arg in arglist:
+        if arg.startswith('--%s=' % prefix):
+            val = arg
+            break
+    if not val:
+        return None
+    val = val.replace('--%s=' % prefix, '')
+    return val
+
+if __name__ == '__main__':
+    prog = sys.argv[0]
+    if len(sys.argv) < 3:
+        print_usage(prog)
+        sys.exit(1)
+
+    outdir = argfind(sys.argv, 'outdir')
+    if not outdir:
+        print_usage(prog)
+        sys.exit(1)
+
+    name = argfind(sys.argv, 'name')
+    if not name:
+        print_usage(prog)
+        sys.exit(1)
+
+    ch = CertHelper(prog, outdir, name)
+    try:
+        ch.dispatch(sys.argv[1], sys.argv)
+    except CertHelperException, e:
+        print e.message
+        sys.exit(1)
+
+    sys.exit(0)
+
diff --git a/roles/fas_server/files/fedora-ca-client-openssl.cnf b/roles/fas_server/files/fedora-ca-client-openssl.cnf
new file mode 100644
index 000000000..47536c9e9
--- /dev/null
+++ b/roles/fas_server/files/fedora-ca-client-openssl.cnf
@@ -0,0 +1,317 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= /var/lib/fedora-ca/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= .		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
+# the resulting certificates are compatible with Netscape
+string_mask = MASK:0x2002
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= North Carolina
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Raleigh
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Fedora Project
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+#challengePassword		= A challenge password
+#challengePassword_min		= 0
+#challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo