From 3b4f0db73e73912e39baa4a4c8b8c2e9ae3ab5be Mon Sep 17 00:00:00 2001 From: Karl MacMillan Date: Thu, 6 Dec 2007 17:17:43 -0500 Subject: Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs. --- ipa-server/ipaserver/certs.py | 192 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 ipa-server/ipaserver/certs.py (limited to 'ipa-server/ipaserver/certs.py') diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py new file mode 100644 index 00000000..55737605 --- /dev/null +++ b/ipa-server/ipaserver/certs.py @@ -0,0 +1,192 @@ +# Authors: Karl MacMillan +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import os, stat, subprocess +import sha + +from ipa import ipautil + +class CertDB(object): + def __init__(self, dir): + self.secdir = dir + self.prefix = "new-" + + self.noise_fname = self.secdir + "/noise.txt" + self.passwd_fname = self.secdir + "/pwdfile.txt" + self.certdb_fname = self.secdir + "/cert8.db" + self.keydb_fname = self.secdir + "/key3.db" + self.cacert_fname = self.secdir + "/cacert.asc" + self.pk12_fname = self.secdir + "/cacert.p12" + self.pin_fname = self.secdir + "/pin.txt" + self.certreq_fname = self.secdir + "/tmpcertreq" + self.certder_fname = self.secdir + "/tmpcert.der" + + # We are going to set the owner of all of the cert + # files to the owner of the containing directory + # instead of that of the process. This works when + # this is called by root for a daemon that runs as + # a normal user + mode = os.stat(self.secdir) + self.uid = mode[stat.ST_UID] + self.gid = mode[stat.ST_GID] + + def set_perms(self, fname, write=False): + os.chown(fname, self.uid, self.gid) + perms = stat.S_IRUSR + if write: + perms |= stat.S_IWUSR + os.chmod(fname, perms) + + def gen_password(self): + return sha.sha(ipautil.ipa_generate_password()).hexdigest() + + def run_certutil(self, args, stdin=None): + new_args = ["/usr/bin/certutil", "-d", self.secdir] + new_args = new_args + args + ipautil.run(new_args, stdin) + + def create_noise_file(self): + ipautil.backup_file(self.noise_fname) + f = open(self.noise_fname, "w") + f.write(self.gen_password()) + self.set_perms(self.noise_fname) + + def create_passwd_file(self, passwd=True): + ipautil.backup_file(self.passwd_fname) + f = open(self.passwd_fname, "w") + if passwd: + f.write(self.gen_password()) + else: + f.write("\n") + f.close() + self.set_perms(self.passwd_fname) + + def create_certdbs(self): + ipautil.backup_file(self.certdb_fname) + ipautil.backup_file(self.keydb_fname) + self.run_certutil(["-N", + "-f", self.passwd_fname]) + self.set_perms(self.passwd_fname, write=True) + + def create_ca_cert(self): + # Generate the encryption key + self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname]) + # Generate the self-signed cert + self.run_certutil(["-S", "-n", "CA certificate", + "-s", "cn=CAcert", + "-x", + "-t", "CT,,", + "-m", "1000", + "-v", "120", + "-z", self.noise_fname, + "-f", self.passwd_fname]) + # export the CA cert for use with other apps + ipautil.backup_file(self.cacert_fname) + self.run_certutil(["-L", "-n", "CA certificate", + "-a", + "-o", self.cacert_fname]) + self.set_perms(self.cacert_fname) + ipautil.backup_file(self.pk12_fname) + ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, + "-o", self.pk12_fname, + "-n", "CA certificate", + "-w", self.passwd_fname, + "-k", self.passwd_fname]) + self.set_perms(self.pk12_fname) + + def load_cacert(self, cacert_fname): + self.run_certutil(["-A", "-n", "CA certificate", + "-t", "CT,CT,", + "-a", + "-i", cacert_fname]) + + def create_server_cert(self, nickname, name): + self.run_certutil(["-S", "-n", nickname, + "-s", name, + "-c", "CA certificate", + "-t", "u,u,u", + "-m", "1001", + "-v", "120", + "-z", self.noise_fname, + "-f", self.passwd_fname]) + + def request_cert(self, name): + self.run_certutil(["-R", "-s", name, + "-o", self.certreq_fname, + "-g", "1024", + "-z", self.noise_fname, + "-f", self.passwd_fname]) + + def issue_cert(self, certreq_fname, cert_fname): + p = subprocess.Popen(["/usr/bin/certutil", + "-d", self.secdir, + "-C", "-c", "CA certificate", + "-i", certreq_fname, + "-o", cert_fname, + "-m", "1002", + "-v", "120", + "-f", self.passwd_fname, + "-1", "-5"], + stdin=subprocess.PIPE, + stdout=subprocess.PIPE) + + # bah - this sucks, but I guess it isn't possible to fully + # control this with command line arguments + p.stdin.write("2\n9\nn\n1\n9\nn\n") + p.wait() + + + def add_cert(self, cert_fname, nickname): + self.run_certutil(["-A", "-n", nickname, + "-t", "u,u,u", + "-i", cert_fname, + "-f", cert_fname]) + + def create_server_cert_extca(self, nickname, name, other_certdb): + self.request_cert(name) + other_certdb.issue_cert(self.certreq_fname, self.certder_fname) + self.add_cert(self.certder_fname, nickname) + os.unlink(self.certreq_fname) + os.unlink(self.certder_fname) + + + def create_pin_file(self): + ipautil.backup_file(self.pin_fname) + f = open(self.pin_fname, "w") + f.write("Internal (Software) Token:") + pwd = open(self.passwd_fname) + f.write(pwd.read()) + f.close() + self.set_perms(self.pin_fname) + + def create_self_signed(self, passwd=True): + self.create_noise_file() + self.create_passwd_file(passwd) + self.create_certdbs() + self.create_ca_cert() + self.create_pin_file() + + def create_from_cacert(self, cacert_fname, passwd=False): + self.create_noise_file() + self.create_passwd_file(passwd) + self.create_certdbs() + self.load_cacert(cacert_fname) + + + -- cgit From 158b4e8ff4704b967d4049e2a16f9b32fbb33b80 Mon Sep 17 00:00:00 2001 From: Karl MacMillan Date: Tue, 11 Dec 2007 12:55:27 -0500 Subject: Commit corrected certs.py --- ipa-server/ipaserver/certs.py | 77 +++++++++++++++++++++++++++---------------- 1 file changed, 49 insertions(+), 28 deletions(-) (limited to 'ipa-server/ipaserver/certs.py') diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py index 55737605..fb6b01d0 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py @@ -25,18 +25,29 @@ from ipa import ipautil class CertDB(object): def __init__(self, dir): self.secdir = dir - self.prefix = "new-" self.noise_fname = self.secdir + "/noise.txt" self.passwd_fname = self.secdir + "/pwdfile.txt" self.certdb_fname = self.secdir + "/cert8.db" self.keydb_fname = self.secdir + "/key3.db" + self.secmod_fname = self.secdir + "/secmod.db" self.cacert_fname = self.secdir + "/cacert.asc" self.pk12_fname = self.secdir + "/cacert.p12" self.pin_fname = self.secdir + "/pin.txt" self.certreq_fname = self.secdir + "/tmpcertreq" self.certder_fname = self.secdir + "/tmpcert.der" + # Making this a starting value that will generate + # unique values for the current DB is the + # responsibility of the caller for now. In the + # future we might automatically determine this + # for a given db. + self.cur_serial = 1000 + + self.cacert_name = "CA certificate" + self.valid_months = "120" + self.keysize = "1024" + # We are going to set the owner of all of the cert # files to the owner of the containing directory # instead of that of the process. This works when @@ -45,6 +56,11 @@ class CertDB(object): mode = os.stat(self.secdir) self.uid = mode[stat.ST_UID] self.gid = mode[stat.ST_GID] + + def next_serial(self): + r = self.cur_serial + self.cur_serial += 1 + return str(r) def set_perms(self, fname, write=False): os.chown(fname, self.uid, self.gid) @@ -80,6 +96,7 @@ class CertDB(object): def create_certdbs(self): ipautil.backup_file(self.certdb_fname) ipautil.backup_file(self.keydb_fname) + ipautil.backup_file(self.secmod_fname) self.run_certutil(["-N", "-f", self.passwd_fname]) self.set_perms(self.passwd_fname, write=True) @@ -88,14 +105,15 @@ class CertDB(object): # Generate the encryption key self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname]) # Generate the self-signed cert - self.run_certutil(["-S", "-n", "CA certificate", + self.run_certutil(["-S", "-n", self.cacert_name, "-s", "cn=CAcert", "-x", "-t", "CT,,", - "-m", "1000", - "-v", "120", + "-m", self.next_serial(), + "-v", self.valid_months, "-z", self.noise_fname, "-f", self.passwd_fname]) + # export the CA cert for use with other apps ipautil.backup_file(self.cacert_fname) self.run_certutil(["-L", "-n", "CA certificate", @@ -111,43 +129,54 @@ class CertDB(object): self.set_perms(self.pk12_fname) def load_cacert(self, cacert_fname): - self.run_certutil(["-A", "-n", "CA certificate", + self.run_certutil(["-A", "-n", self.cacert_name, "-t", "CT,CT,", "-a", "-i", cacert_fname]) - def create_server_cert(self, nickname, name): - self.run_certutil(["-S", "-n", nickname, - "-s", name, - "-c", "CA certificate", - "-t", "u,u,u", - "-m", "1001", - "-v", "120", - "-z", self.noise_fname, - "-f", self.passwd_fname]) + def create_server_cert(self, nickname, name, other_certdb=None): + cdb = other_certdb + if not cdb: + cdb = self + self.request_cert(name) + cdb.issue_cert(self.certreq_fname, self.certder_fname) + self.add_cert(self.certder_fname, nickname) + os.unlink(self.certreq_fname) + os.unlink(self.certder_fname) def request_cert(self, name): self.run_certutil(["-R", "-s", name, "-o", self.certreq_fname, - "-g", "1024", + "-g", self.keysize, "-z", self.noise_fname, "-f", self.passwd_fname]) def issue_cert(self, certreq_fname, cert_fname): p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, - "-C", "-c", "CA certificate", + "-C", "-c", self.cacert_name, "-i", certreq_fname, "-o", cert_fname, - "-m", "1002", - "-v", "120", + "-m", self.next_serial(), + "-v", self.valid_months, "-f", self.passwd_fname, "-1", "-5"], stdin=subprocess.PIPE, stdout=subprocess.PIPE) - # bah - this sucks, but I guess it isn't possible to fully - # control this with command line arguments + # Bah - this sucks, but I guess it isn't possible to fully + # control this with command line arguments. + # + # What this is requesting is: + # -1 (Create key usage extension) + # 2 - Key encipherment + # 9 - done + # n - not critical + # + # -5 (Create netscape cert type extension) + # 1 - SSL Server + # 9 - done + # n - not critical p.stdin.write("2\n9\nn\n1\n9\nn\n") p.wait() @@ -158,14 +187,6 @@ class CertDB(object): "-i", cert_fname, "-f", cert_fname]) - def create_server_cert_extca(self, nickname, name, other_certdb): - self.request_cert(name) - other_certdb.issue_cert(self.certreq_fname, self.certder_fname) - self.add_cert(self.certder_fname, nickname) - os.unlink(self.certreq_fname) - os.unlink(self.certder_fname) - - def create_pin_file(self): ipautil.backup_file(self.pin_fname) f = open(self.pin_fname, "w") -- cgit