def fromTemplate(self, ca_name, password, template_name = 'default'):
"""
Creates a CA from a template file. Note that this function just creates a new CA from the template data, it
does not allow modification of that data on the fly. Load the new CA's config and modify it if you need
to change it.
:param ca_name: Display name of the CA.
:param password: CA Password.
:param template_name: Template name (NOT the file name!)
"""
from conf.SSL import templates
try:
template_config = templates.getConfig(template_name)
except templates.TemplateDoesNotExist:
raise TemplateError("Template '%s' does not exist!" %template_name)
# Create new CA config
config_path = CA_Config.create(ca_name, template_config)
# Fetch file system name from config
fs_name = CA_Config.getFSName(ca_name)
# Set up CA data on file system
ca_path = CA_Roots.createCAStructure(fs_name)
# Update CA config with path to data
self.config = CA_Config.getConfig(ca_name)
self.config['dir'] = ca_path # dir has to be at top level for all the paths to work
self.config['req']['input_password'] = password
self.config['req']['output_password'] = password
CA_Config.setConfig(ca_name, self.config)
# Copy the CA password to the appropriate location
nixcommon.touch("%s/.CApass" %ca_path, password, 0600)
nixcommon.setFileAttribs(ca_path, self.ca_file_owner, self.ca_group, permissions=0740)
# Create the CA itself
# Not sure if I need the paths now that I have the config set? Need to test this.
os.chdir(ca_path)
# Need to send password via -passin http://www.openssl.org/docs/apps/openssl.html
new_key = self.runOpenSSL('req -new -newkey rsa:2048 -keyout keys/ca.key -out requests/ca.csr -config ' \
'"%s"' %(config_path))
create_ca = self.runOpenSSL('ca -batch -out ca.crt -days 9999 -keyfile keys/ca.key ' \
'-selfsign -extensions v3_ca_has_san -config "%s" ' \
'-passin file:"%s/.CApass" -infiles requests/ca.csr' %(config_path,ca_path))
if new_key['return_value']:
raise CACreationError(new_key['stderr'])
if create_ca['return_value']:
raise CACreationError(create_ca['stderr'])
def __init__(self, database_location, new_database=False):
"""
Constructor
"""
# Create a new database if requested (provided it doesn't exist already)
if new_database and not os.path.exists(database_location):
nixcommon.touch(database_location)
elif new_database and os.path.exists(database_location):
raise DatabaseExistsError(database_location)
# Make sure the DB exists
if not os.path.exists(database_location):
raise DatabaseLocationError(database_location)
# Set up DB connection
self.db = sqlite3.connect(database_location)
self.cursor = self.db.cursor()
self.db.row_factory = sqlite3.Row
def test_touch(self, create_text_file, os_path_exists):
"""
Tests the touch command. NOTE: touch() is basically just a wrapped :meth:`createTextFile`.
"""
file_name = '/tmp/test_touch'
file_content = 'Some short content.'
# Mock the createTextFile function, we're just testing the logic in touch()
nixcommon.createTextFile = create_text_file
nixcommon.os.path.exists = os_path_exists
nixcommon.touch(file_name, file_content, 0755)
nixcommon.createTextFile.assert_called_with(file_name, file_content, 0755)
nixcommon.createTextFile.reset_mock()
# Test to make sure the 'file exists, no creation' logic works
nixcommon.os.path.exists.return_value = True
nixcommon.touch(file_name, file_content, 0755)
assert not nixcommon.createTextFile.called
def createCAStructure(fs_name):
"""
Creates the CA filesystem structure using the provided name (from the config file name).
:param fs_name: The filesystem name of the config (used to create the CA path).
:return: String containing the newly created CA's path.
"""
randgen = random.SystemRandom()
ca_dirs = [('certsdb', 0750), ('requests',0750), ('keys',0700), ('certs',0755), ('crl',0755)]
ca_path = "%s/%s" %(PATH,fs_name.rstrip('openssl.cnf'))
# Create CA's root
if not os.path.exists(ca_path):
os.mkdir(ca_path)
nixcommon.setFileAttribs(ca_path, ca_file_owner, ca_group, permissions=0755)
else:
raise CAExists(ca_path)
# Make the CA directories
for dir_info in ca_dirs:
dir_path = '%s/%s' %(ca_path, dir_info[0])
if not os.path.exists(dir_path):
os.mkdir(dir_path)
nixcommon.setFileAttribs(dir_path, ca_file_owner, ca_group, permissions=dir_info[1])
# Create index and crlnumber files or OpenSSL will pitch a hell of a fit
index_txt = "%s/index.txt" %ca_path
crlnumber = "%s/crlnumber" %ca_path
serial = "%s/serial" %ca_path
rand = "%s/keys/.rand" %ca_path
print index_txt, crlnumber
nixcommon.touch(index_txt)
nixcommon.setFileAttribs(index_txt, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(crlnumber, '00')
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(serial, "%x" %randgen.getrandbits(128))
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
nixcommon.touch(rand)
nixcommon.setFileAttribs(crlnumber, ca_file_owner, ca_group, permissions=0744)
return ca_path