def __getstate__(self):
d = self.__dict__.copy()
del d["_TLSData__load_lock"]
del d["_TLSData__loaded"]
del d["_TLSData__exit"]
del d["_TLSData__ca_cert"]
del d["_TLSData__cert"]
del d["_TLSData__key"]
del d["_TLSData__watcher"]
d["__is_loaded"] = self.__loaded.is_set()
if self.__loaded.is_set():
d["__ca_cert_bytes"] = cert_to_bytes(self.__ca_cert)
d["__cert_bytes"] = cert_to_bytes(self.__cert)
d["__key_bytes"] = key_to_bytes(self.__key)
return d
def __init__(self, args: Namespace, ca_key: RSAPrivateKey, ca_cert: Certificate) -> None:
self.args = args
self._ca_key = ca_key
self._ca_cert = ca_cert
self._ca_cert_bytes = cert_to_bytes(ca_cert)
self._ca_cert_fingerprint = cert_fingerprint(ca_cert)
self._host_key, self._host_cert = self.create_host_certificate(ca_key, ca_cert)
def lookup(config: CoreConfig, db: StandardDatabase, temp_dir: Path) -> CertificateHandler:
args = config.args
# if we get a ca certificate from the command line, use it
if args.ca_cert and args.ca_cert_key:
ca_key = load_key_from_file(args.ca_cert_key, args.ca_cert_key_pass)
ca_cert = load_cert_from_file(args.ca_cert_cert)
log.info(f"Using CA certificate from command line. fingerprint:{cert_fingerprint(ca_cert)}")
return CertificateHandler(config, ca_key, ca_cert, temp_dir)
# otherwise, load from database or create it
sd = db.collection("system_data")
maybe_ca = sd.get("ca")
if maybe_ca and isinstance(maybe_ca.get("key"), str) and isinstance(maybe_ca.get("certificate"), str):
log.debug("Found existing certificate in data store.")
key = load_key_from_bytes(maybe_ca["key"].encode("utf-8"))
certificate = load_cert_from_bytes(maybe_ca["certificate"].encode("utf-8"))
log.info(f"Using CA certificate from database. fingerprint:{cert_fingerprint(certificate)}")
return CertificateHandler(config, key, certificate, temp_dir)
else:
wo = "with" if args.ca_cert_key_pass else "without"
key, certificate = bootstrap_ca()
log.info(
f"No ca certificate found - create new one {wo} passphrase. fingerprint:{cert_fingerprint(certificate)}"
)
key_string = key_to_bytes(key, args.ca_cert_key_pass).decode("utf-8")
certificate_string = cert_to_bytes(certificate).decode("utf-8")
sd.insert({"_key": "ca", "key": key_string, "certificate": certificate_string})
return CertificateHandler(config, key, certificate, temp_dir)
def __create_client_context(config: CoreConfig, ca_cert: Certificate) -> SSLContext:
# noinspection PyTypeChecker
ctx = create_default_context(purpose=Purpose.SERVER_AUTH)
if config.args.ca_cert:
ctx.load_verify_locations(cafile=config.args.ca_cert)
else:
ca_bytes = cert_to_bytes(ca_cert).decode("utf-8")
ctx.load_verify_locations(cadata=ca_bytes)
return ctx
def __init__(self, config: CoreConfig, ca_key: RSAPrivateKey, ca_cert: Certificate, temp_dir: Path) -> None:
self.config = config
self._ca_key = ca_key
self._ca_cert = ca_cert
self._ca_cert_bytes = cert_to_bytes(ca_cert)
self._ca_cert_fingerprint = cert_fingerprint(ca_cert)
self._host_key, self._host_cert = self.__create_host_certificate(config.api.host_certificate, ca_key, ca_cert)
self._host_context = self.__create_host_context(config, self._host_cert, self._host_key)
self._client_context = self.__create_client_context(config, ca_cert)
self._ca_bundle = temp_dir / "ca-bundle.crt"
self.__recreate_ca_file() # write the CA bundle to the temp dir
self._ca_cert_recreate = Periodic("recreate ca bundle file", self.__recreate_ca_file, timedelta(hours=1))
def lookup(args: Namespace, db: StandardDatabase, passphrase: Optional[str] = None) -> CertificateHandler:
sd = db.collection("system_data")
maybe_ca = sd.get("ca")
if maybe_ca and isinstance(maybe_ca.get("key"), str) and isinstance(maybe_ca.get("certificate"), str):
log.debug("Found existing certificate in data store.")
key = load_key_from_bytes(maybe_ca["key"].encode("utf-8"))
certificate = load_cert_from_bytes(maybe_ca["certificate"].encode("utf-8"))
return CertificateHandler(args, key, certificate)
else:
wo = "with" if passphrase else "without"
log.info(f"No ca certificate found - create a new one {wo} passphrase.")
key, certificate = bootstrap_ca()
key_string = key_to_bytes(key, passphrase).decode("utf-8")
certificate_string = cert_to_bytes(certificate).decode("utf-8")
sd.insert({"_key": "ca", "key": key_string, "certificate": certificate_string})
return CertificateHandler(args, key, certificate)
def sign(self, csr_bytes: bytes) -> Tuple[bytes, str]:
csr = load_csr_from_bytes(csr_bytes)
certificate = sign_csr(csr, self._ca_key, self._ca_cert)
return cert_to_bytes(certificate), cert_fingerprint(certificate)