def write_configuration(cfg):
util.make_or_verify_dir(CONFIG_DIR, mode=0o755)
conf_name = Core.get_config_file_path()
with os.fdopen(
os.open(conf_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
0o600), 'w') as config_file:
config_file.write(cfg.to_string() + "\n\n")
return conf_name
def write_configuration(cfg):
util.make_or_verify_dir(CONFIG_DIR, mode=0o755)
conf_name = Core.get_config_file_path()
with os.fdopen(os.open(conf_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as config_file:
config_file.write('// \n')
config_file.write('// Config file generated: %s\n' % datetime.now().strftime("%Y-%m-%d %H:%M"))
config_file.write('// \n')
config_file.write(cfg.to_string() + "\n\n")
return conf_name
def backup_configuration(config):
cur_name = Core.get_config_file_path()
if os.path.exists(cur_name):
util.make_or_verify_dir(CONFIG_DIR_OLD, mode=0o644)
opath, otail = os.path.split(cur_name)
backup_path = os.path.join(CONFIG_DIR_OLD, otail)
fhnd, fname = util.unique_file(backup_path, 0o644)
with fhnd:
fhnd.write(config.to_string()+"\n")
return fname
def backup_passwords(self):
"""
Backups the generated passwords to /root/ejbca.passwords
:return:
"""
util.make_or_verify_dir(self.PASSWORDS_BACKUP_DIR, mode=0o600)
util.delete_file_backup(self.PASSWORDS_FILE,
chmod=0o600,
backup_dir=self.PASSWORDS_BACKUP_DIR)
with util.safe_open(self.PASSWORDS_FILE, chmod=0o600) as f:
f.write('httpsserver.password=%s\n' % self.http_pass)
f.write('java.trustpassword=%s\n' % self.java_pass)
f.write('superadmin.password=%s\n' % self.superadmin_pass)
f.flush()
def backup_previous_token_dir(self):
"""
Backs up the previous token database
:return:
"""
if os.path.exists(self.SOFTHSM_DB_DIR):
util.make_or_verify_dir(self.SOFTHSM_DB_BACKUP_DIR)
backup_slot_dir = util.dir_backup(
self.SOFTHSM_DB_DIR,
chmod=None,
backup_dir=self.SOFTHSM_DB_BACKUP_DIR)
return backup_slot_dir
return None
def jboss_backup_database(self):
"""
Removes original database, moving it to a backup location.
:return:
"""
jboss_dir = self.get_jboss_home()
db1 = os.path.join(jboss_dir, 'ejbcadb.h2.db')
db2 = os.path.join(jboss_dir, 'ejbcadb.trace.db')
db3 = os.path.join(jboss_dir, 'ejbcadb.lock.db')
util.make_or_verify_dir(self.DB_BACKUPS)
backup1 = util.delete_file_backup(db1, backup_dir=self.DB_BACKUPS)
backup2 = util.delete_file_backup(db2, backup_dir=self.DB_BACKUPS)
backup3 = util.delete_file_backup(db3, backup_dir=self.DB_BACKUPS)
return backup1, backup2, backup3
def init_token(self, user=None):
"""
Initializes a new SoftHSM token created by the configuration
:param user: user to initialize token under
:return:
"""
util.make_or_verify_dir(self.SOFTHSM_DB_DIR, mode=0o755)
cmd = 'softhsm --init-token --slot 0 --pin 0000 --so-pin 0000 --label ejbca'
if user is None:
out, err = util.run_script(cmd.split(' '))
return out, err
else:
util.chown(self.SOFTHSM_DB_DIR, user, user)
cmd_sudo = ['sudo', '-E', '-H', '-u', user, '/bin/bash', '-c', cmd]
return util.run_script(cmd_sudo)
def backup_current_config_file(self):
"""
Copies current configuration file to a new file - backup.
softhsm.conf -> 0001_softhsm.conf
Used when generating a new SoftHSM configuration file, to
preserve the old one if user accidentally reinitializes the system.
:return:
"""
cur_name = self.CONFIG_FILE
if os.path.exists(cur_name):
util.make_or_verify_dir(self.CONFIG_FILE_BACKUP_DIR)
return util.file_backup(cur_name,
chmod=None,
backup_dir=self.CONFIG_FILE_BACKUP_DIR)
return None
def _filecheck(self):
"""
Checks audit file, creates a new one if needed.
:return:
"""
if self.audit_file is None:
if self.to_root:
self.audit_file = os.path.join(self._get_root_dir(),
'eb-audit.json')
try:
logger.debug('Trying audit file %s' % self.audit_file)
util.make_or_verify_dir(self._get_root_dir(), mode=0o700)
return self._open_audit_file()
except (IOError, OSError):
pass
self.audit_file = os.path.join(os.getcwd(), self.CWD_SUBDIR,
'eb-audit.json')
try:
logger.debug('Trying audit file %s' % self.audit_file)
util.make_or_verify_dir(os.path.join(os.getcwd(),
self.CWD_SUBDIR),
mode=0o700)
return self._open_audit_file()
except (IOError, OSError):
pass
self.audit_file = os.path.join('/tmp', 'eb-audit.json')
try:
logger.debug('Trying audit file %s' % self.audit_file)
return self._open_audit_file()
except (IOError, OSError):
pass
self.audit_file = os.path.join(
'/tmp', 'eb-audit-%d.json' % int(time.time()))
if self.audit_ctr < 1:
logger.debug('Audit file %s' % self.audit_file)
return self._open_audit_file()
def new_identity(self, identities=None, id_dir=consts.CONFIG_DIR, backup_dir=consts.CONFIG_DIR_OLD):
"""
New identity - key pair for domain claim
"""
util.make_or_verify_dir(id_dir, mode=0o755)
util.make_or_verify_dir(backup_dir, mode=0o755)
self.key_path = os.path.join(id_dir, consts.IDENTITY_KEY)
self.crt_path = os.path.join(id_dir, consts.IDENTITY_CRT)
self.nonce_path = os.path.join(id_dir, consts.IDENTITY_NONCE)
util.delete_file_backup(self.key_path, 0o600, backup_dir=backup_dir)
util.delete_file_backup(self.crt_path, 0o600, backup_dir=backup_dir)
util.delete_file_backup(self.nonce_path, 0o600, backup_dir=backup_dir)
# Generate identity nonce - random bytes
self.id_nonce = get_random_vector(64)
self.id_string = self.anonymize_instance_id(self.info_loader.ami_instance_id)
# Generate new private key, 2048bit
self.key = OpenSSL.crypto.PKey()
self.key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
self.key_pem = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, self.key)
self.key_crypto = util.load_pem_private_key(self.key_pem)
self.key_py = util.load_pem_private_key_pycrypto(self.key_pem)
# Generate certificate
id_to_use = identities if identities is not None else [self.id_string]
self.crt = util.gen_ss_cert(self.key, id_to_use, validity=(25 * 365 * 24 * 60 * 60))
self.crt_pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, self.crt)
self.crt_crypto = util.load_x509(self.crt_pem)
with util.safe_open(self.crt_path, 'wb', chmod=0o600) as crt_file:
crt_file.write(self.crt_pem)
with util.safe_open(self.key_path, 'wb', chmod=0o600) as key_file:
key_file.write(self.key_pem)
with util.safe_open(self.nonce_path, 'wb', chmod=0o600) as nonce_file:
nonce_file.write(self.id_nonce)
return self.key, self.crt, self.key_path, self.crt_path
def le_enroll(self, le_method=None):
"""
Enrolls to LetsEncrypt with specified domains
:return:
"""
# Password need to be stored anyway for future renewal / regeneration
self.config.ejbca_jks_password = self.http_pass
# If hostname is none/localhost, there is no point for lets encrypt here. Maybe later.
if self.hostname is None or self.hostname == 'localhost':
logger.info(
"Hostname is none/localhost, no letsencrypt operation will be performed"
)
return 1
if not self.check_hostname_domains_consistency():
raise ValueError('Hostname not in domains, should not happen')
self.lets_encrypt = letsencrypt.LetsEncrypt(
email=self.config.email,
domains=self.domains,
print_output=self.print_output,
staging=self.staging)
le_method = self.get_le_method(le_method=le_method)
ret, out, err = -1, None, None
if le_method == LE_VERIFY_DNS:
mdns = self.lets_encrypt.manual_dns(
expand=True, on_domain_challenge=self.le_dns)
ret, out, err = mdns.start()
else:
ret, out, err = self.lets_encrypt.certonly()
if ret != 0:
return 2
# LetsEncrypt certificate is OK. Create JKS.
# Backup previous JKS, delete the old one
jks_path = self.get_keystore_path()
util.make_or_verify_dir(self.DB_BACKUPS)
util.delete_file_backup(jks_path,
chmod=0o600,
backup_dir=self.DB_BACKUPS)
# Create new JKS
cert_dir = self.lets_encrypt.get_certificate_dir(self.hostname)
self.lets_encrypt_jks = letsencrypt.LetsEncryptToJks(
cert_dir=cert_dir,
jks_path=jks_path,
jks_alias=self.hostname,
password=self.http_pass,
print_output=self.print_output)
ret = self.lets_encrypt_jks.convert()
if ret != 0:
return 3
self.config.ejbca_domains = self.domains
self.config.ejbca_hostname = self.hostname
return 0
def init_log(self):
"""
Initializes logging
:return:
"""
util.make_or_verify_dir(self.logdir)