def genCaRpm_dependencies(d):
""" generates ssl cert RPM. """
gendir(d['--dir'])
ca_cert_name = os.path.basename(d['--ca-cert'])
ca_cert = os.path.join(d['--dir'], ca_cert_name)
dependencyCheck(ca_cert)
def genServerCertReq_dependencies(d):
""" private server cert request generation """
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
gendir(serverKeyPairDir)
server_key = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-key']))
dependencyCheck(server_key)
def genPrivateCaKey(password, d, verbosity=0, forceYN=0):
""" private CA key generation """
gendir(d['--dir'])
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
if not forceYN and os.path.exists(ca_key):
sys.stderr.write("""\
ERROR: a CA private key already exists:
%s
If you wish to generate a new one, use the --force option.
""" % ca_key)
sys.exit(errnoGeneralError)
args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 4096" %
('%s', CRYPTO, repr(cleanupAbsPath(ca_key))))
if verbosity >= 0:
print("Generating private CA key: %s" % ca_key)
if verbosity > 1:
print("Commandline:", args % "PASSWORD")
try:
rotated = rotateFile(filepath=ca_key, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" %
(d['--ca-key'], os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenPrivateCaKeyException("Certificate Authority private SSL "
"key generation failed:\n%s\n%s" %
(out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(ca_key, 0o600)
def genServerKey(d, verbosity=0):
""" private server key generation """
serverKeyPairDir = os.path.join(d['--dir'],
d['--set-hostname'])
gendir(serverKeyPairDir)
server_key = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-key']))
args = ("/usr/bin/openssl genrsa -out %s 2048"
% (repr(cleanupAbsPath(server_key))))
# generate the server key
if verbosity >= 0:
print("\nGenerating the web server's SSL private key: %s" % server_key)
if verbosity > 1:
print("Commandline:", args)
try:
rotated = rotateFile(filepath=server_key, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" % (d['--server-key'],
os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args)
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenServerKeyException("web server's SSL key generation failed:\n%s\n%s"
% (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(server_key, 0o600)
def genProxyServerTarball_dependencies(d):
""" dependency check for the step that generates RHN Proxy Server's
tar archive containing its SSL key set + CA certificate.
"""
serverKeySetDir = os.path.join(d['--dir'], d['--set-hostname'])
gendir(serverKeySetDir)
ca_cert = pathJoin(d['--dir'], d['--ca-cert'])
server_key = pathJoin(serverKeySetDir, d['--server-key'])
server_cert = pathJoin(serverKeySetDir, d['--server-cert'])
server_cert_req = pathJoin(serverKeySetDir, d['--server-cert-req'])
dependencyCheck(ca_cert)
dependencyCheck(server_key)
dependencyCheck(server_cert)
dependencyCheck(server_cert_req)
def genServerRpm_dependencies(d):
""" generates server's SSL key set RPM - dependencies check """
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
gendir(serverKeyPairDir)
server_key_name = os.path.basename(d['--server-key'])
server_key = os.path.join(serverKeyPairDir, server_key_name)
server_cert_name = os.path.basename(d['--server-cert'])
server_cert = os.path.join(serverKeyPairDir, server_cert_name)
server_cert_req_name = os.path.basename(d['--server-cert-req'])
server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name)
dependencyCheck(server_key)
dependencyCheck(server_cert)
dependencyCheck(server_cert_req)
def genPublicCaCert_dependencies(password, d, forceYN=0):
""" public CA certificate (client-side) generation """
gendir(d['--dir'])
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert']))
if not forceYN and os.path.exists(ca_cert):
sys.stderr.write("""\
ERROR: a CA public certificate already exists:
%s
If you wish to generate a new one, use the --force option.
""" % ca_cert)
sys.exit(errnoGeneralError)
dependencyCheck(ca_key)
if password is None:
sys.stderr.write('ERROR: a CA password must be supplied.\n')
sys.exit(errnoGeneralError)
def genServerCert_dependencies(password, d):
""" server cert generation and signing dependency check """
if password is None:
sys.stderr.write('ERROR: a CA password must be supplied.\n')
sys.exit(errnoGeneralError)
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
gendir(serverKeyPairDir)
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert']))
server_cert_req = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert-req']))
ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME)
dependencyCheck(ca_openssl_cnf)
dependencyCheck(ca_key)
dependencyCheck(ca_cert)
dependencyCheck(server_cert_req)
