Beispiel #1
0
    def fromTemplate(self, ca_name, password, template_name = 'default'):
        """
        Creates a CA from a template file.  Note that this function just creates a new CA from the template data, it
        does not allow modification of that data on the fly.  Load the new CA's config and modify it if you need
        to change it.

        :param ca_name: Display name of the CA.
        :param password: CA Password.
        :param template_name: Template name (NOT the file name!)

        """
        from conf.SSL import templates

        try:
            template_config = templates.getConfig(template_name)
        except templates.TemplateDoesNotExist:
            raise TemplateError("Template '%s' does not exist!" %template_name)

        # Create new CA config
        config_path = CA_Config.create(ca_name, template_config)

        # Fetch file system name from config
        fs_name = CA_Config.getFSName(ca_name)

        # Set up CA data on file system
        ca_path = CA_Roots.createCAStructure(fs_name)

        # Update CA config with path to data
        self.config = CA_Config.getConfig(ca_name)
        self.config['dir'] = ca_path      # dir has to be at top level for all the paths to work
        self.config['req']['input_password'] = password
        self.config['req']['output_password'] = password
        CA_Config.setConfig(ca_name, self.config)

        # Copy the CA password to the appropriate location
        nixcommon.touch("%s/.CApass" %ca_path, password, 0600)
        nixcommon.setFileAttribs(ca_path, self.ca_file_owner, self.ca_group, permissions=0740)

        # Create the CA itself
        # Not sure if I need the paths now that I have the config set?  Need to test this.
        os.chdir(ca_path)
        # Need to send password via -passin http://www.openssl.org/docs/apps/openssl.html
        new_key = self.runOpenSSL('req -new -newkey rsa:2048 -keyout keys/ca.key -out requests/ca.csr -config ' \
                                  '"%s"' %(config_path))
        create_ca = self.runOpenSSL('ca -batch -out ca.crt -days 9999 -keyfile keys/ca.key ' \
                                    '-selfsign -extensions v3_ca_has_san -config "%s" ' \
                                    '-passin file:"%s/.CApass" -infiles requests/ca.csr' %(config_path,ca_path))

        if new_key['return_value']:
            raise CACreationError(new_key['stderr'])

        if create_ca['return_value']:
            raise CACreationError(create_ca['stderr'])
Beispiel #2
0
def setConfig(ca_name, ca_config_data, create_config=False):
    """
    Sets an existing CA's config
    :param ca_name:
    :param ca_config_data:
    :return: String pointing to the config file.

    """
    dn = ca_config_data['req_distinguished_name']

    try:
        ca_path_name = r"%s/%s - %s.openssl.cnf" %(PATH,dn['0.organizationName_default'],
                                                   dn['organizationalUnitName_default'])
    except KeyError:
        raise CAConfigError('Invalid configuration dictionary!')

    # Make sure the path doesn't exist already
    if os.path.exists(ca_path_name) and create_config:
        raise CAConfigExistsError(ca_path_name)
    elif not os.path.exists(ca_path_name) and not create_config:
        raise CAConfigDoesNotExistError(ca_path_name)

    # Create the config
    if create_config:
        ca_config = sslconfigparser.SSLConfigParser(ca_path_name, no_auto_parse=True, create_config_file=True)
    # Just set the existing config
    else:
        ca_config = sslconfigparser.SSLConfigParser(ca_path_name)
    ca_config.write(ca_config_data)
    # Protect the config (it has the CA password in it)
    nixcommon.setFileAttribs(ca_path_name, integration_config['Settings']['caFSOwner'],
                             integration_config['Settings']['caFSGroup'], 0640)

    if create_config:
        db = nixsqlite.NixSQLite(DATABASE)
        # TODO: Escape queries!
        sql_query = 'insert into cas values ("%s","%s");' %(ca_name,ca_path_name)
        db.query(sql_query)

    return ca_path_name
Beispiel #3
0
def createCAStructure(fs_name):
    """
    Creates the CA filesystem structure using the provided name (from the config file name).

    :param fs_name: The filesystem name of the config (used to create the CA path).
    :return: String containing the newly created CA's path.

    """
    randgen = random.SystemRandom()
    ca_dirs = [('certsdb', 0750), ('requests',0750), ('keys',0700), ('certs',0755), ('crl',0755)]
    ca_path = "%s/%s" %(PATH,fs_name.rstrip('openssl.cnf'))

    # Create CA's root
    if not os.path.exists(ca_path):
        os.mkdir(ca_path)
        nixcommon.setFileAttribs(ca_path, ca_file_owner, ca_group, permissions=0755)
    else:
        raise CAExists(ca_path)


    # Make the CA directories
    for dir_info in ca_dirs:
        dir_path = '%s/%s' %(ca_path, dir_info[0])
        if not os.path.exists(dir_path):
            os.mkdir(dir_path)
            nixcommon.setFileAttribs(dir_path, ca_file_owner, ca_group, permissions=dir_info[1])

    # Create index and crlnumber files or OpenSSL will pitch a hell of a fit
    index_txt = "%s/index.txt" %ca_path
    crlnumber = "%s/crlnumber" %ca_path
    serial = "%s/serial" %ca_path
    rand = "%s/keys/.rand" %ca_path

    print index_txt, crlnumber

    nixcommon.touch(index_txt)
    nixcommon.setFileAttribs(index_txt, ca_file_owner, ca_group, permissions=0744)
    nixcommon.touch(crlnumber, '00')
    nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
    nixcommon.touch(serial, "%x" %randgen.getrandbits(128))
    nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
    nixcommon.touch(rand)
    nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)

    return ca_path