def gen_jabberd_cert(d): """ generate the jabberd ssl cert from the server cert and key """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key = os.path.join(serverKeyPairDir, d['--server-key']) server_cert = os.path.join(serverKeyPairDir, d['--server-cert']) dependencyCheck(server_key) dependencyCheck(server_cert) jabberd_ssl_cert_name = os.path.basename(d['--jabberd-ssl-cert']) jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name) # Create the jabberd cert - need to concatenate the cert and the key # XXX there really should be some better error propagation here fd = None try: fd = os.open(jabberd_ssl_cert, os.O_WRONLY | os.O_CREAT) _copy_file_to_fd(cleanupAbsPath(server_cert), fd) _copy_file_to_fd(cleanupAbsPath(server_key), fd) finally: if fd: os.close(fd) return
def gen_jabberd_cert(d): """ generate the jabberd ssl cert from the server cert and key """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key = os.path.join(serverKeyPairDir, d['--server-key']) server_cert = os.path.join(serverKeyPairDir, d['--server-cert']) dependencyCheck(server_key) dependencyCheck(server_cert) jabberd_ssl_cert_name = os.path.basename(d['--jabberd-ssl-cert']) jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name ) # Create the jabberd cert - need to concatenate the cert and the key # XXX there really should be some better error propagation here fd = None try: fd = os.open(jabberd_ssl_cert, os.O_WRONLY | os.O_CREAT) _copy_file_to_fd(cleanupAbsPath(server_cert), fd) _copy_file_to_fd(cleanupAbsPath(server_key), fd) finally: if fd: os.close(fd) return
def appendOtherCACerts(d, ca_cert): if d['--other-ca-certs']: ca_cert_content = open(cleanupAbsPath(ca_cert)).read() for fname in d['--other-ca-certs'].split(','): with open(fname) as infile: content = infile.read() if content not in ca_cert_content: open(cleanupAbsPath(ca_cert), 'a').writelines(content) ca_cert_content = open(cleanupAbsPath(ca_cert)).read()
def __init__(self, filename=None): self.filename = filename if self.filename is None: self.filename = SERVER_OPENSSL_CNF_NAME if os.path.exists(os.path.join(DEFS['--dir'], 'katello_openssl.cnf')): self.filename = os.path.join(DEFS['--dir'], "katello_openssl.cnf") elif os.path.exists(os.path.join(DEFS['--dir'], 'openssl.cnf')): self.filename = os.path.join(DEFS['--dir'], "openssl.cnf") self.filename = cleanupAbsPath(self.filename)
def genPrivateCaKey(password, d, verbosity=0, forceYN=0): """ private CA key generation """ gendir(d['--dir']) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) if not forceYN and os.path.exists(ca_key): sys.stderr.write("""\ ERROR: a CA private key already exists: %s If you wish to generate a new one, use the --force option. """ % ca_key) sys.exit(errnoGeneralError) args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 2048" % ('%s', CRYPTO, repr(cleanupAbsPath(ca_key)))) if verbosity >= 0: print "Generating private CA key: %s" % ca_key if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_key, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenPrivateCaKeyException("Certificate Authority private SSL " "key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(ca_key, 0600)
def genPrivateCaKey(password, d, verbosity=0, forceYN=0): """ private CA key generation """ gendir(d['--dir']) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) if not forceYN and os.path.exists(ca_key): sys.stderr.write("""\ ERROR: a CA private key already exists: %s If you wish to generate a new one, use the --force option. """ % ca_key) sys.exit(errnoGeneralError) args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 2048" % ('%s', CRYPTO, repr(cleanupAbsPath(ca_key)))) if verbosity >= 0: print "Generating private CA key: %s" % ca_key if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_key, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenPrivateCaKeyException("Certificate Authority private SSL " "key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(ca_key, 0600)
def genServerKey(d, verbosity=0): """ private server key generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) gendir(serverKeyPairDir) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) args = ("/usr/bin/openssl genrsa -out %s 2048" % (repr(cleanupAbsPath(server_key)))) # generate the server key if verbosity >= 0: print "\nGenerating the web server's SSL private key: %s" % server_key if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_key, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenServerKeyException( "web server's SSL key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_key, 0600)
def genServerKey(d, verbosity=0): """ private server key generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) gendir(serverKeyPairDir) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) args = ("/usr/bin/openssl genrsa -out %s 2048" % (repr(cleanupAbsPath(server_key)))) # generate the server key if verbosity >= 0: print "\nGenerating the web server's SSL private key: %s" % server_key if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_key, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenServerKeyException("web server's SSL key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_key, 0600)
def genServerCertReq(d, verbosity=0): """ private server cert request generation """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_openssl_cnf = os.path.join(serverKeyPairDir, SERVER_OPENSSL_CNF_NAME) genServerCertReq_dependencies(d) # XXX: hmm.. should private_key, etc. be set for this before the write? # either that you pull the key/certs from the files all together? configFile = ConfigFile(server_openssl_cnf) configFile.save(d, caYN=0, verbosity=verbosity) ## generate the server cert request args = ("/usr/bin/openssl req -%s -text -config %s -new -key %s -out %s " % (MD, repr(cleanupAbsPath( configFile.filename)), repr(cleanupAbsPath(server_key)), repr(cleanupAbsPath(server_cert_req)))) if verbosity >= 0: print "\nGenerating web server's SSL certificate request: %s" % server_cert_req print "Using distinguished names:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-hostname', '--set-email'): print ' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]) if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_cert_req, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert-req'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenServerCertReqException( "web server's SSL certificate request generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert_req, 0600)
def genPublicCaCert(password, d, verbosity=0, forceYN=0): """ public CA certificate (client-side) generation """ ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) genPublicCaCert_dependencies(password, d, forceYN) configFile = ConfigFile(ca_openssl_cnf) if d.has_key('--set-hostname'): del d['--set-hostname'] configFile.save(d, caYN=1, verbosity=verbosity) args = ("/usr/bin/openssl req -passin pass:%s -text -config %s " "-new -x509 -days %s -%s -key %s -out %s" % ('%s', repr(cleanupAbsPath(configFile.filename)), repr(d['--cert-expiration']), MD, repr( cleanupAbsPath(ca_key)), repr(cleanupAbsPath(ca_cert)))) if verbosity >= 0: print "\nGenerating public CA certificate: %s" % ca_cert print "Using distinguishing variables:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-common-name', '--set-email'): print ' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]) if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_cert, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenPublicCaCertException( "Certificate Authority public " "SSL certificate generation failed:\n%s\n" "%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.close() # permissions: os.chmod(ca_cert, 0644) os.chmod(latest_txt, 0644)
def genServerRpm(d, verbosity=0): """ generates server's SSL key set RPM """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key_name = os.path.basename(d['--server-key']) server_key = os.path.join(serverKeyPairDir, server_key_name) server_cert_name = os.path.basename(d['--server-cert']) server_cert = os.path.join(serverKeyPairDir, server_cert_name) server_cert_req_name = os.path.basename(d['--server-cert-req']) server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) jabberd_ssl_cert_name = os.path.basename(d['--jabberd-ssl-cert']) jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name ) server_rpm_name = os.path.basename(d['--server-rpm']) server_rpm = os.path.join(serverKeyPairDir, server_rpm_name) postun_scriptlet = os.path.join(d['--dir'], 'postun.scriptlet') genServerRpm_dependencies(d) if verbosity>=0: sys.stderr.write("\n...working...\n") # check for new installed RPM. # Work out the release number. hdr = getInstalledHeader(server_rpm_name) #find RPMs in the directory as well. filenames = glob.glob("%s-*.noarch.rpm" % server_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h epo, ver, rel = None, '1.0', '0' if hdr is not None: epo, ver, rel = hdr['epoch'], hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel)+1) description = SERVER_RPM_SUMMARY + """ Best practices suggests that this RPM should only be installed on the web server with this hostname: %s """ % d['--set-hostname'] # Determine which jabberd user exists: jabberd_user = None possible_jabberd_users = ['jabberd', 'jabber'] for juser_attempt in possible_jabberd_users: try: pwd.getpwnam(juser_attempt) jabberd_user = juser_attempt except: # user doesn't exist, try the next pass if jabberd_user is None: print ("WARNING: No jabber/jabberd user on system, skipping " + "jabberd.pem generation.") jabberd_cert_string = "" if jabberd_user is not None: jabberd_cert_string = \ "/etc/pki/spacewalk/jabberd/server.pem:0600,%s,%s=%s" % \ (jabberd_user, jabberd_user, repr(cleanupAbsPath(jabberd_ssl_cert))) ## build the server RPM args = (os.path.join(CERT_PATH, 'gen-rpm.sh') + " " "--name %s --version %s --release %s --packager %s --vendor %s " "--group 'Applications/System' --summary %s --description %s --postun %s " "/etc/pki/tls/private/%s:0600=%s " "/etc/pki/tls/certs/%s=%s " "/etc/pki/tls/certs/%s=%s " "%s" % (repr(server_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(SERVER_RPM_SUMMARY), repr(description), repr(cleanupAbsPath(postun_scriptlet)), repr(server_key_name), repr(cleanupAbsPath(server_key)), repr(server_cert_req_name), repr(cleanupAbsPath(server_cert_req)), repr(server_cert_name), repr(cleanupAbsPath(server_cert)), jabberd_cert_string )) serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel) if verbosity >= 0: print """ Generating web server's SSL key pair/set RPM: %s.src.rpm %s.noarch.rpm""" % (serverRpmName, serverRpmName) if verbosity > 1: print "Commandline:", args if verbosity >= 4: print 'Current working directory:', os.getcwd() print "Writing postun_scriptlet:", postun_scriptlet open(postun_scriptlet, 'w').write(POST_UNINSTALL_SCRIPT) _disableRpmMacros() cwd = chdir(serverKeyPairDir) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) _reenableRpmMacros() os.unlink(postun_scriptlet) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName): raise GenServerRpmException("web server's SSL key set RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % serverRpmName, 0600) # generic the tarball necessary for RHN Proxy against hosted installations tarballFilepath = genProxyServerTarball(d, version=ver, release=rel, verbosity=verbosity) # write-out latest.txt information latest_txt = os.path.join(serverKeyPairDir, 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s.noarch.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s\n' % os.path.basename(tarballFilepath)) fo.close() os.chmod(latest_txt, 0600) if verbosity >= 0: print """ Deploy the server's SSL key pair/set RPM: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM needs to be deployed to the machine working as a web server, or RHN Satellite, or RHN Proxy. Presumably %s.""" % repr(d['--set-hostname']) return "%s.noarch.rpm" % serverRpmName
def genCaRpm(d, verbosity=0): """ generates ssl cert RPM. """ ca_cert_path = d['--ca-cert-dir'] ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_cert_rpm_name = os.path.basename(d['--ca-cert-rpm']) ca_cert_rpm = os.path.join(d['--dir'], ca_cert_rpm_name) genCaRpm_dependencies(d) if verbosity >= 0: sys.stderr.write("\n...working...") # Work out the release number. hdr = getInstalledHeader(ca_cert_rpm) #find RPMs in the directory filenames = glob.glob("%s-*.noarch.rpm" % ca_cert_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h ver, rel = '1.0', '0' if hdr is not None: ver, rel = hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel) + 1) # build the CA certificate RPM args = [ 'katello-certs-gen-rpm', "--name %s", "--version %s", "--release %s", "--packager %s", "--vendor %s", "--group 'Applications/System'", "--summary %s", "--description %s", os.path.join(ca_cert_path, "%s=%s") ] args = " ".join(args) args = args % ((repr(ca_cert_rpm_name), ver, rel, repr( d['--rpm-packager']), repr(d['--rpm-vendor']), repr(CA_CERT_RPM_SUMMARY), repr(CA_CERT_RPM_SUMMARY), repr(ca_cert_name), repr(cleanupAbsPath(ca_cert)))) clientRpmName = '%s-%s-%s' % (ca_cert_rpm, ver, rel) if verbosity >= 0: print """ Generating CA public certificate RPM: %s.src.rpm %s.noarch.rpm""" % (clientRpmName, clientRpmName) if verbosity > 1: print "Commandline:", args _disableRpmMacros() cwd = chdir(d['--dir']) try: ret, out_stream, err_stream = rhn_popen(args) except Exception: chdir(cwd) _reenableRpmMacros() raise chdir(cwd) _reenableRpmMacros() out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % clientRpmName): raise GenCaCertRpmException("CA public SSL certificate RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % clientRpmName, 0644) # write-out latest.txt information latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.write('%s.noarch.rpm\n' % os.path.basename(clientRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(clientRpmName)) fo.close() os.chmod(latest_txt, 0644) if verbosity >= 0: print """ Make the public CA certficate publically available: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM and raw CA certificate can be made publically accessible by copying it to the /var/www/html/pub directory of your Katello server.""" return '%s.noarch.rpm' % clientRpmName
def genServerCert(password, d, verbosity=0): """ server cert generation and signing """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) genServerCert_dependencies(password, d) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_cert = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert'])) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) index_txt = os.path.join(d['--dir'], 'index.txt') serial = os.path.join(d['--dir'], 'serial') try: os.unlink(index_txt) except: pass # figure out the serial file and truncate the index.txt file. ser = figureSerial(ca_cert, serial, index_txt) # need to insure the directory declared in the ca_openssl.cnf # file is current: configFile = ConfigFile(ca_openssl_cnf) configFile.updateDir() args = ("/usr/bin/openssl ca -extensions req_server_x509_extensions -passin pass:%s -outdir ./ -config %s " "-in %s -batch -cert %s -keyfile %s -startdate %s -days %s " "-md %s -out %s" % ('%s', repr(cleanupAbsPath(ca_openssl_cnf)), repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)), repr(cleanupAbsPath(ca_key)), d['--startdate'], repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert)))) if verbosity >= 0: print "\nGenerating/signing web server's SSL certificate: %s" % d['--server-cert'] if verbosity > 1: print "Commandline:", args % 'PASSWORD' try: rotated = rotateFile(filepath=server_cert, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: # signature for a mistyped CA password if string.find(err, "unable to load CA private key") != -1 \ and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \ and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\nDid you mistype your CA password?") else: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert, 0644) # cleanup duplicate XX.pem file: pemFilename = os.path.basename(string.upper(ser)+'.pem') if pemFilename != server_cert and os.path.exists(pemFilename): os.unlink(pemFilename) # cleanup the old index.txt file try: os.unlink(index_txt + '.old') except: pass # cleanup the old serial file try: os.unlink(serial + '.old') except: pass
def genServerCertReq(d, verbosity=0): """ private server cert request generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_openssl_cnf = os.path.join(serverKeyPairDir, SERVER_OPENSSL_CNF_NAME) genServerCertReq_dependencies(d) # XXX: hmm.. should private_key, etc. be set for this before the write? # either that you pull the key/certs from the files all together? configFile = ConfigFile(server_openssl_cnf) if d.has_key('--set-common-name'): del d['--set-common-name'] configFile.save(d, caYN=0, verbosity=verbosity) ## generate the server cert request args = ("/usr/bin/openssl req -%s -text -config %s -new -key %s -out %s " % (MD, repr(cleanupAbsPath(configFile.filename)), repr(cleanupAbsPath(server_key)), repr(cleanupAbsPath(server_cert_req)))) if verbosity >= 0: print "\nGenerating web server's SSL certificate request: %s" % server_cert_req print "Using distinguished names:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-hostname', '--set-email'): print ' %s%s = "%s"' % (k, ' '*(18-len(k)), d[k]) if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_cert_req, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert-req'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenServerCertReqException( "web server's SSL certificate request generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert_req, 0600)
def genPublicCaCert(password, d, verbosity=0, forceYN=0): """ public CA certificate (client-side) generation """ ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) genPublicCaCert_dependencies(password, d, forceYN) configFile = ConfigFile(ca_openssl_cnf) if d.has_key('--set-hostname'): del d['--set-hostname'] configFile.save(d, caYN=1, verbosity=verbosity) args = ("/usr/bin/openssl req -passin pass:%s -text -config %s " "-new -x509 -days %s -%s -key %s -out %s" % ('%s', repr(cleanupAbsPath(configFile.filename)), repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(ca_key)), repr(cleanupAbsPath(ca_cert)))) if verbosity >= 0: print "\nGenerating public CA certificate: %s" % ca_cert print "Using distinguishing variables:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-common-name', '--set-email'): print ' %s%s = "%s"' % (k, ' '*(18-len(k)), d[k]) if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_cert, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenPublicCaCertException("Certificate Authority public " "SSL certificate generation failed:\n%s\n" "%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.close() # permissions: os.chmod(ca_cert, 0644) os.chmod(latest_txt, 0644)
def genServerCert(password, d, verbosity=0): """ server cert generation and signing """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) genServerCert_dependencies(password, d) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_cert = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert'])) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) index_txt = os.path.join(d['--dir'], 'index.txt') serial = os.path.join(d['--dir'], 'serial') purpose = d['--purpose'] try: os.unlink(index_txt) except: pass # figure out the serial file and truncate the index.txt file. ser = figureSerial(ca_cert, serial, index_txt) # need to insure the directory declared in the ca_openssl.cnf # file is current: configFile = ConfigFile(ca_openssl_cnf) configFile.updateDir() args = ( "/usr/bin/openssl ca -extensions req_%s_x509_extensions -passin pass:%s -outdir ./ -config %s " "-in %s -batch -cert %s -keyfile %s -startdate %s -days %s " "-md %s -out %s" % (purpose, '%s', repr(cleanupAbsPath(ca_openssl_cnf)), repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)), repr(cleanupAbsPath(ca_key)), d['--startdate'], repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert)))) if verbosity >= 0: print "\nGenerating/signing web server's SSL certificate: %s" % d[ '--server-cert'] if verbosity > 1: print "Commandline:", args % 'PASSWORD' try: rotated = rotateFile(filepath=server_cert, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: # signature for a mistyped CA password if string.find(err, "unable to load CA private key") != -1 \ and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \ and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\nDid you mistype your CA password?") else: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert, 0644) # cleanup duplicate XX.pem file: pemFilename = os.path.basename(string.upper(ser) + '.pem') if pemFilename != server_cert and os.path.exists(pemFilename): os.unlink(pemFilename) # cleanup the old index.txt file try: os.unlink(index_txt + '.old') except: pass # cleanup the old serial file try: os.unlink(serial + '.old') except: pass
def _reenableRpmMacros(): mac = cleanupAbsPath('~/.rpmmacros') macTmp = cleanupAbsPath('~/RENAME_ME_BACK_PLEASE-lksjdflajsd.rpmmacros') if os.path.exists(macTmp): os.rename(macTmp, mac)
def genServerRpm(d, verbosity=0): """ generates server's SSL key set RPM """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) server_key_name = os.path.basename(d['--server-key']) server_key = os.path.join(serverKeyPairDir, server_key_name) server_cert_name = os.path.basename(d['--server-cert']) server_cert = os.path.join(serverKeyPairDir, server_cert_name) server_cert_req_name = os.path.basename(d['--server-cert-req']) server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) server_rpm_name = os.path.basename(d['--server-rpm']) server_rpm = os.path.join(serverKeyPairDir, server_rpm_name) server_cert_dir = d['--server-cert-dir'] postun_scriptlet = os.path.join(d['--dir'], 'postun.scriptlet') genServerRpm_dependencies(d) if verbosity >= 0: sys.stderr.write("\n...working...\n") # check for new installed RPM. # Work out the release number. hdr = getInstalledHeader(server_rpm_name) #find RPMs in the directory as well. filenames = glob.glob("%s-*.noarch.rpm" % server_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h ver, rel = '1.0', '0' if hdr is not None: ver, rel = hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel) + 1) description = SERVER_RPM_SUMMARY + """ Best practices suggests that this RPM should only be installed on the web server with this hostname: %s """ % d['--set-hostname'] ## build the server RPM args = [ 'katello-certs-gen-rpm', "--name %s --version %s --release %s --packager %s --vendor %s ", "--group 'Applications/System' --summary %s --description %s --postun %s ", server_cert_dir + "/private/%s:0600=%s ", server_cert_dir + "/certs/%s=%s ", server_cert_dir + "/certs/%s=%s " ] args = " ".join(args) args = args % (repr(server_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(SERVER_RPM_SUMMARY), repr(description), repr(cleanupAbsPath(postun_scriptlet)), repr(server_key_name), repr( cleanupAbsPath(server_key)), repr(server_cert_req_name), repr(cleanupAbsPath(server_cert_req)), repr(server_cert_name), repr(cleanupAbsPath(server_cert))) serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel) if verbosity >= 0: print """ Generating web server's SSL key pair/set RPM: %s.src.rpm %s.noarch.rpm""" % (serverRpmName, serverRpmName) if verbosity > 1: print "Commandline:", args if verbosity >= 4: print 'Current working directory:', os.getcwd() print "Writing postun_scriptlet:", postun_scriptlet open(postun_scriptlet, 'w').write(POST_UNINSTALL_SCRIPT) _disableRpmMacros() cwd = chdir(serverKeyPairDir) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) _reenableRpmMacros() os.unlink(postun_scriptlet) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName): raise GenServerRpmException("web server's SSL key set RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % serverRpmName, 0600) # generic the tarball necessary for RHN Proxy against hosted installations tarballFilepath = genProxyServerTarball(d, version=ver, release=rel, verbosity=verbosity) # write-out latest.txt information latest_txt = os.path.join(serverKeyPairDir, 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s.noarch.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s\n' % os.path.basename(tarballFilepath)) fo.close() os.chmod(latest_txt, 0600) if verbosity >= 0: print """ Deploy the server's SSL key pair/set RPM: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM needs to be deployed to the machine working as a web server, or RHN Satellite, or RHN Proxy. Presumably %s.""" % repr(d['--set-hostname']) return "%s.noarch.rpm" % serverRpmName
def genCaRpm(d, verbosity=0): """ generates ssl cert RPM. """ ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_cert_rpm_name = os.path.basename(d['--ca-cert-rpm']) ca_cert_rpm = os.path.join(d['--dir'], ca_cert_rpm_name) genCaRpm_dependencies(d) if verbosity>=0: sys.stderr.write("\n...working...") # Work out the release number. hdr = getInstalledHeader(ca_cert_rpm) #find RPMs in the directory filenames = glob.glob("%s-*.noarch.rpm" % ca_cert_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h epo, ver, rel = None, '1.0', '0' if hdr is not None: epo, ver, rel = hdr['epoch'], hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel)+1) # build the CA certificate RPM args = (os.path.join(CERT_PATH, 'gen-rpm.sh') + " " "--name %s --version %s --release %s --packager %s --vendor %s " "--group 'Applications/System' --summary %s --description %s " "/usr/share/katello/%s=%s" % (repr(ca_cert_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(CA_CERT_RPM_SUMMARY), repr(CA_CERT_RPM_SUMMARY), repr(ca_cert_name), repr(cleanupAbsPath(ca_cert)))) clientRpmName = '%s-%s-%s' % (ca_cert_rpm, ver, rel) if verbosity >= 0: print """ Generating CA public certificate RPM: %s.src.rpm %s.noarch.rpm""" % (clientRpmName, clientRpmName) if verbosity > 1: print "Commandline:", args _disableRpmMacros() cwd = chdir(d['--dir']) try: ret, out_stream, err_stream = rhn_popen(args) except Exception: chdir(cwd) _reenableRpmMacros() raise chdir(cwd) _reenableRpmMacros() out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % clientRpmName): raise GenCaCertRpmException("CA public SSL certificate RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % clientRpmName, 0644) # write-out latest.txt information latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.write('%s.noarch.rpm\n' % os.path.basename(clientRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(clientRpmName)) fo.close() os.chmod(latest_txt, 0644) if verbosity >= 0: print """ Make the public CA certficate publically available: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM and raw CA certificate can be made publically accessible by copying it to the /var/www/html/pub directory of your Katello server.""" return '%s.noarch.rpm' % clientRpmName