def setup(self):
"""
Configure the RA with its own certificates.
:return:
"""
if CertificateManager.cert_file_exists("ra.cert"):
# Certificate exists
self.cert = CertificateManager.load_cert("ra.cert")
else:
# Not found, create new certificate for the RA
if self.verbose:
print("Generating new RA certificate.")
if self.ca is None or not isinstance(self.ca, CA):
raise ValueError("The \"ca\" field must be defined and instance of CA to setup an RA.")
# Create certificate own certificate on behalf of the CA
keys = CertificateManager.create_key_pair(self.default_key_type, self.default_key_size)
csr = CertificateManager.create_csr(keys, C="NO", ST="Oslo", L="Oslo", O=self.organisation, OU="RA",
CN="RA")
issuer = self.ca.get_root_certificate().get_issuer() # Issuer of root certificate (i.e. root CA)
cert = CertificateManager.create_cert(csr, self.get_next_serial(), issuer, self.ca.get_keys(), ca=True)
# Save certificate, keys and files
CertificateManager.save_cert(cert, CONFIG["pki"]["ra-cert-name"])
CertificateManager.save_pkey(keys, CONFIG["pki"]["ra-pkey-name"])
self.cert = cert
def setup(self, peer=None, epg=None):
# Load config
self.name = CONFIG["endpoints"]["server-name"]
self.address = CONFIG["endpoints"]["server-addr"]
self.port = CONFIG["endpoints"]["server-port"]
self.verbose = CONFIG["verbose"]
self.epg = epg
self.peer = peer
# Create Client peer
self.peer = EP(name=CONFIG["endpoints"]["client-name"],
address=CONFIG["endpoints"]["client-addr"],
port=CONFIG["endpoints"]["client-port"],
epg=CONFIG["endpoints"]["client-epg"])
# Load key material to create or request connection-specific certificate
server_pkey_name = CONFIG["pki"]["server-pkey-name"]
server_cert_name = CONFIG["pki"]["server-cert-name"]
if not CM.cert_file_exists(
server_pkey_name) or not CM.cert_file_exists(server_cert_name):
# Request certificate from RA
keys = CM.create_key_pair()
csr = CM.create_csr(keys)
request = CertificateRequest(self, self.peer, csr)
cert = self.ra.request_certificate(request)
if cert is None:
raise ConnectionError(
"Could not retrieve certificate needed to establish TLS connection."
)
# Save keys and certificate
CM.save_pkey(keys, server_pkey_name)
CM.save_cert(cert, server_cert_name)
self.cert = cert
self.keys = keys
else:
self.keys = CM.load_pkey(server_pkey_name)
self.cert = CM.load_cert(server_cert_name)
# Create context
self.context = SSL.Context(SSL.TLSv1_2_METHOD)
self.context.set_options(SSL.OP_NO_TLSv1_2)
self.context.set_verify(
SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
self.ssl_verify_cb)
self.context.set_ocsp_server_callback(self.ocsp_server_cb,
data=self.name)
self.context.use_privatekey(self.keys)
self.context.use_certificate(self.cert)
self.context.load_verify_locations(
CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
def setup(self, peer, epg=None):
# Load config
self.name = CONFIG["endpoints"]["client-name"]
self.address = CONFIG["endpoints"]["client-addr"]
self.port = CONFIG["endpoints"]["client-port"]
self.verbose = CONFIG["verbose"]
self.epg = epg
self.peer = peer
# Load or request keys and certificate
client_pkey_name = CONFIG["pki"]["client-pkey-name"]
client_cert_name = CONFIG["pki"]["client-cert-name"]
self.ca_cert_name = CONFIG["pki"]["ca-cert-name"]
if not CM.cert_file_exists(
client_pkey_name) or not CM.cert_file_exists(client_cert_name):
# Request certificate from RA
keys = CM.create_key_pair()
csr = CM.create_csr(keys)
request = CertificateRequest(self, self.peer, csr)
cert = self.ra.request_certificate(request)
if cert is None:
raise ConnectionError(
"Could not retrieve certificate needed to establish TLS connection. "
"RA returned None.")
# Save keys and certificate
CM.save_pkey(keys, client_pkey_name)
CM.save_cert(cert, client_cert_name)
self.keys = keys
self.cert = cert
else:
self.keys = CM.load_pkey(client_pkey_name)
self.cert = CM.load_cert(client_cert_name)
# Define context
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
self.ssl_verify_cb)
ctx.set_verify_depth(2)
ctx.use_privatekey(self.keys)
ctx.use_certificate(self.cert)
ctx.load_verify_locations(
CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
ctx.set_ocsp_client_callback(self.ocsp_client_callback, data=self.name)
self.context = ctx
def get_root_certificate():
"""
Get the certificate for the root CA
:return:
"""
if CertificateManager.cert_file_exists(CONFIG["pki"]["ca-cert-name"]):
# Certificate exists
return CertificateManager.load_cert(CONFIG["pki"]["ca-cert-name"])
else:
# Create CA certificate
pkey = CertificateManager.create_key_pair()
csr = CertificateManager.create_csr(pkey, O="AC-PKI", OU="CA", C="NO", ST="Oslo", L="Oslo",
CN="Root CA")
cert = CertificateManager.create_self_signed_cert(csr, pkey, RA.get_next_serial())
# Save files and return
CertificateManager.save_pkey(pkey, CONFIG["pki"]["ca-pkey-name"])
CertificateManager.save_cert(cert, CONFIG["pki"]["ca-cert-name"])
return cert
print("Created certs directory")
# Create CA certificate
if CertificateManager.cert_file_exists(
"ca.cert") and CertificateManager.cert_file_exists("ca.pkey"):
# Load existing
print("Loading existing CA certificate from file")
ca_cert = CertificateManager.load_cert("ca.cert")
ca_key_pair = CertificateManager.load_pkey("ca.pkey")
else:
# Generate new
print("Generating CA certificate")
ca_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048)
csr = CertificateManager.create_csr(ca_key_pair,
C="NO",
ST="Oslo",
O="Corp",
OU="Blab")
ca_cert = CertificateManager.create_self_signed_cert(csr, ca_key_pair, 0)
CertificateManager.save_pkey(ca_key_pair, "ca.pkey")
CertificateManager.save_cert(ca_cert, "ca.cert")
# Create client certificate
if CertificateManager.cert_file_exists(
"client.cert") and CertificateManager.cert_file_exists("client.pkey"):
# Load existing
print("Loading existing client certificate from file")
client_cert = CertificateManager.load_cert("client.cert")
else:
# Generate new
print("Generating client certificate")