def run():
    """Generate a server key, CSR and CA-signed certificate for one hostname.

    Every path is taken from the command line (``get_parser`` plus
    ``add_hostname_option``). The helpers run in dependency order --
    key, then CSR bound to the hostname, then the signed certificate --
    and the first failure terminates the process with exit status 1.

    Returns:
        True once the server certificate has been written.
    """
    parser = add_hostname_option(get_parser(limit_options=[
        "server_key", "server_cert", "server_csr",
        "ca_key", "ca_cert", "ca_serial",
    ]))
    opts, _args = parser.parse_args()

    # NOTE(review): the key file lands wherever the caller pointed
    # --server_key; create_server_key (defined elsewhere) is responsible for
    # its permissions -- confirm it is not written world-readable.
    steps = [
        (lambda: create_server_key(opts.server_key),
         "Failed to create server key"),
        (lambda: create_server_csr(opts.server_key, opts.server_csr, opts.hostname),
         "Failed to create server csr"),
        (lambda: create_server_cert(opts.server_cert, opts.server_csr,
                                    opts.ca_cert, opts.ca_key, opts.ca_serial),
         "Failed to create server cert"),
    ]
    for step, failure_message in steps:
        if not step():
            print(failure_message)
            sys.exit(1)

    print("Server Cert: %s" % opts.server_cert)
    print("Server Key: %s" % opts.server_key)
    return True
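def run(default_install_dir="/etc/pki/splice", httpd_ssl_config_file="/etc/httpd/conf.d/ssl.conf"):
    """Point Apache's ssl.conf at the given server key/cert and restart httpd.

    The server key, server certificate and CA certificate paths come from
    the command line. The existing SSL directives in
    ``httpd_ssl_config_file`` are commented out first, the new paths are
    written in, and httpd is restarted. Any failure aborts the process
    with exit status 1.

    Args:
        default_install_dir: Accepted for backward compatibility only. The
            files are referenced where they already live and are NOT
            copied into this directory (the copy logic that used it was
            removed, not just disabled).
        httpd_ssl_config_file: Apache SSL configuration file to rewrite.

    Returns:
        True once httpd has been restarted with the new configuration.
    """
    parser = get_parser(limit_options=["server_key", "server_cert", "ca_cert"])
    opts, _args = parser.parse_args()
    server_key = opts.server_key
    server_cert = opts.server_cert
    ca_cert = opts.ca_cert

    # Because the files are used in place, the paths written into ssl.conf
    # must remain readable by httpd after this script exits.
    # NOTE(review): nothing here checks the key file's ownership/mode;
    # confirm it is not world-readable before pointing Apache at it.
    if not comment_out_ssl_settings():
        print("Unable to comment out the existing SSL settings in apache's ssl.conf")
        sys.exit(1)
    print("Apache's default ssl settings have been commented out")

    if not update_httpd_config(server_key, server_cert, ca_cert, httpd_ssl_config_file):
        print("Error updating httpd")
        sys.exit(1)
    print("Httpd ssl.conf has been updated")

    if not restart_httpd():
        print("Error restarting httpd")
        sys.exit(1)
    return True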
def run():
    """Create a new CA: private key, self-signed certificate and serial file.

    All three output paths come from the command line. The steps run in
    order and the first failure exits the process with status 1.

    Returns:
        True once the CA key, CA certificate and serial file exist.
    """
    opts, _args = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"]).parse_args()
    ca_key, ca_cert, ca_serial = opts.ca_key, opts.ca_cert, opts.ca_serial

    def must(ok, failure_message):
        # Shared "abort on failure" step so each stage reads as one line.
        if not ok:
            print(failure_message)
            sys.exit(1)

    # NOTE(review): the CA key is the trust root for everything this tooling
    # signs; confirm create_ca_key (defined elsewhere) writes it with
    # restrictive permissions.
    must(create_ca_key(ca_key), "Failed to create CA key")
    must(create_ca_cert(ca_key, ca_cert), "Failed to create CA cert")
    must(create_serial(ca_serial), "Failed to create CA serial file: %s" % ca_serial)

    print("CA Key: %s" % ca_key)
    print("CA Cert: %s" % ca_cert)
    return True
        client_key, csr)
    return run_command(cmd)


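def create_client_cert(client_cert, client_csr, ca_cert, ca_key, extensions,
                       ent_name, ca_serial, days=10950):
    """Sign a client CSR with the CA and write the resulting certificate.

    Runs ``openssl x509 -req`` so the certificate carries the extension
    section ``ent_name`` taken from the ``extensions`` config file.

    Args:
        client_cert: Output path for the signed certificate.
        client_csr: Path of the CSR to sign.
        ca_cert: CA certificate used as the issuer.
        ca_key: CA private key used to sign.
        extensions: OpenSSL config file holding the extension sections.
        ent_name: Name of the extension section inside ``extensions``.
        ca_serial: Serial-number file; seeded by OpenSSL when missing.
        days: Validity period in days. The default, 10950 (about 30
            years), is the project's historical value; since nothing here
            configures revocation checking for consumers, a shorter
            lifetime bounds the damage from a leaked client key.

    Returns:
        Whatever ``run_command`` returns for the openssl invocation.
    """
    cmd = ("openssl x509 -req -days %s -CA %s -CAkey %s -extfile %s "
           "-extensions %s -in %s -out %s -CAserial %s") % (
        days, ca_cert, ca_key, extensions, ent_name, client_csr, client_cert, ca_serial)
    # First signing: let OpenSSL create the serial file; afterwards it is
    # incremented in place so serial numbers stay unique under this CA.
    if not os.path.exists(ca_serial):
        cmd += " -CAcreateserial"
    # NOTE(review): every argument is interpolated into a shell command
    # string; paths with whitespace or shell metacharacters will break or
    # alter the command. Acceptable for operator-supplied paths only.
    return run_command(cmd)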


if __name__ == "__main__":
    # Build a client key, CSR and CA-signed client certificate from CLI paths.
    # Only the key-generation step is visible here; the later steps follow.
    parser = get_parser(limit_options=[
        "client_key", "client_csr", "client_cert", "ca_key", "ca_cert", "ent",
        "ext", "ca_serial"
    ])
    (opts, args) = parser.parse_args()

    client_key = opts.client_key
    client_cert = opts.client_cert
    client_csr = opts.client_csr
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    # "ent" names the extension section inside the "ext" openssl config file;
    # create_client_cert passes them as -extensions / -extfile respectively.
    ent_name = opts.ent
    extensions = opts.ext
    ca_serial = opts.ca_serial

    # NOTE(review): create_client_key is defined elsewhere; confirm it writes
    # the key with restrictive permissions, since the path is operator-chosen.
    if not create_client_key(client_key):
        print "Failed to create client key"
        sys.exit(1)
        return False
    cmd = "sed -i 's/^SSLCertificateKeyFile.*/SSLCertificateKeyFile %s/' %s" % (server_key, httpd_ssl_confd)
    if not run_command(cmd):
        return False
    #cmd = "sed -i 's/^SSLCACertificateFile.*/SSLCACertificateFile %s/' %s" % (ca_cert, httpd_ssl_confd)
    #if not run_command(cmd):
    #    return False
    return True

def enable_repo_auth(repo_auth_config="/etc/pulp/repo_auth.conf"):
    """Flip ``enabled: false`` to ``enabled: true`` in the repo-auth config.

    The edit is made in place with ``sed -i``. The substitution has no
    ``g`` flag but is applied to every line, so each line containing
    ``enabled: false`` is changed once -- the file is assumed to hold
    only the repo-auth switch under that key.

    Args:
        repo_auth_config: Path of the config file to edit in place.

    Returns:
        The result of ``run_command`` for the sed invocation.
    """
    sed_expr = "s/enabled: false/enabled: true/"
    return run_command("sed -i '%s' %s" % (sed_expr, repo_auth_config))

if __name__ == "__main__":
    default_install_dir = "/etc/pki/pulp/content"
    parser = get_parser(limit_options=["server_key", "server_cert", "ca_cert"])
    parser.add_option("--install_dir", action="store", 
            help="Install directory for server SSL cert/key.  Default is %s" % (default_install_dir), 
            default=default_install_dir)
    (opts, args) = parser.parse_args()
    server_key = opts.server_key
    server_cert = opts.server_cert
    ca_cert = opts.ca_cert
    install_dir = opts.install_dir

    if not os.path.exists(install_dir):
        os.makedirs(install_dir)
    installed_server_key = os.path.join(install_dir, os.path.basename(server_key))
    installed_server_cert = os.path.join(install_dir, os.path.basename(server_cert))
    installed_ca_cert = os.path.join(install_dir, os.path.basename(ca_cert))
    if not copy_file(server_key, installed_server_key):
    check_dirs(ca_key_name)
    cmd = ("openssl req -new -x509 -days 10950 -key %s -out %s -subj '/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=Pulp/CN=Pulp-Root-CA'") % (ca_key_name, ca_cert_name)
    return run_command(cmd)

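def create_serial(ca_serial):
    """Write the initial CA serial number ("01") to ``ca_serial``.

    Parent directories are created as needed. An existing file is
    overwritten, which resets the serial counter -- reusing serial
    numbers under the same CA is a real problem, so only call this when
    creating a brand-new CA.

    Args:
        ca_serial: Path of the serial file. A bare filename (no directory
            component) is accepted and written to the current directory.

    Returns:
        True after the file has been written.
    """
    parent = os.path.dirname(ca_serial)
    # A bare filename has an empty dirname; os.makedirs("") would raise.
    if parent and not os.path.exists(parent):
        os.makedirs(parent)
    with open(ca_serial, "w") as serial_file:
        serial_file.write("01")
    return True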

if __name__ == "__main__":
    parser = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"])
    (opts, args) = parser.parse_args()

    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    ca_serial = opts.ca_serial

    if not create_ca_key(ca_key):
        print "Failed to create CA key"
        sys.exit(1)

    if not create_ca_cert(ca_key, ca_cert):
        print "Failed to create CA cert"
        sys.exit(1)

    if not create_serial(ca_serial):
#!/usr/bin/env python

import sys
from base import get_parser, run_command, add_hostname_option

if __name__ == "__main__":
    # Fetch repomd.xml over mutual TLS: proves the client cert/key pair is
    # accepted by the server and that our CA cert validates the server cert.
    parser = add_hostname_option(
        get_parser(limit_options=["ca_key", "ca_cert", "client_cert", "client_key"]))
    opts, _args = parser.parse_args()

    repomd_url = ("https://%s/pulp/repos/repos/pulp/pulp/fedora-15/i386/"
                  "repodata/repomd.xml") % opts.hostname
    # --cacert pins trust to our own CA and no -k is passed, so the server
    # certificate is actually verified; --cert/--key present the client
    # identity. The hostname has to match what the server cert was issued for.
    curl_cmd = "curl --cacert %s --cert %s --key %s %s" % (
        opts.ca_cert, opts.client_cert, opts.client_key, repomd_url)
    result = run_command(curl_cmd)
    if result:
        _state, out, err = result
        print("%s" % out)
        print("%s" % err)
    status = run_command(cmd)
    if status:
        state, out, err = status
        cert_modulus = out
    key_modulus = ""
    cmd = "openssl rsa -noout -modulus -in %s " % (key)
    status = run_command(cmd)
    if status:
        state, out, err = status
        key_modulus = out
    if cert_modulus and key_modulus and cert_modulus == key_modulus:
        return True
    return False

if __name__ == "__main__":
    parser = get_parser()
    opts, _args = parser.parse_args()

    # Each (key, cert) pair must share a modulus; otherwise the certificate
    # was not issued for that private key and TLS with the pair will fail.
    # The CA pair is checked first, then the entitlement pair.
    pairs = [
        (opts.ca_key, opts.ca_cert),
        (opts.ent_key, opts.ent_cert),
    ]
    for key_path, cert_path in pairs:
        if not check_modulus(key_path, cert_path):
            print('Error, modulus for "%s" and "%s" are different' % (key_path, cert_path))
            sys.exit(1)
    print("Checks passed")
    return True

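def revoke_cert(crl_path, cert_to_revoke, ca_cert, ca_key, ssl_conf, md="sha1"):
    """Revoke one certificate and regenerate the CRL.

    Runs ``openssl ca -revoke`` to record the revocation in the CA's
    index, then ``openssl ca -gencrl`` to write a fresh CRL to
    ``crl_path``.

    Args:
        crl_path: Output path for the regenerated CRL.
        cert_to_revoke: Path of the certificate to mark as revoked.
        ca_cert: CA certificate (the CRL issuer).
        ca_key: CA private key used to sign the CRL.
        ssl_conf: OpenSSL config with the ``ca`` section and the
            ``crl_ext`` extension section.
        md: Digest passed as ``-md``. Defaults to ``sha1`` because RHEL 5's
            openssl complains about the config's ``default_md``; on newer
            hosts pass ``"sha256"`` -- SHA-1 signatures are deprecated and
            may be rejected by stricter verifiers.

    Returns:
        True if both openssl steps succeeded, False at the first failure.
    """
    revoke_cmd = "openssl ca -revoke %s -keyfile %s -cert %s -config %s -md %s" % (
        cert_to_revoke, ca_key, ca_cert, ssl_conf, md)
    if not run_command(revoke_cmd):
        return False
    # The index now carries the revocation; emit a CRL that reflects it.
    gencrl_cmd = ("openssl ca -gencrl -keyfile %s -cert %s -out %s -config %s "
                  "-crlexts crl_ext -md %s") % (ca_key, ca_cert, crl_path, ssl_conf, md)
    if not run_command(gencrl_cmd):
        return False
    return True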

if __name__ == "__main__":
    # Revoke the certificate named on the command line and regenerate the CRL.
    # The options are presumably the files the openssl "ca" config refers to
    # (index, crlnumber, conf template/output) plus the CA key/cert and the
    # CRL output path -- confirm against get_parser.
    parser = get_parser(limit_options=["index", "crlnumber", "ssl_conf_template_crl", "ssl_conf_crl", "ca_key", "ca_cert", "crl"])
    (opts, args) = parser.parse_args()

    index = opts.index
    crlnumber = opts.crlnumber
    ssl_conf_template_crl = opts.ssl_conf_template_crl
    ssl_conf_crl = opts.ssl_conf_crl
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    crl = opts.crl
    
    # The certificate to revoke is the first positional argument, not an option.
    if len(args) < 1:
        print "No certificate to revoke was given"
        print "Please re-run with certificate to revoke as command line argument"
        sys.exit(1)
    if status:
        state, out, err = status
        cert_modulus = out
    key_modulus = ""
    cmd = "openssl rsa -noout -modulus -in %s " % (key)
    status = run_command(cmd)
    if status:
        state, out, err = status
        key_modulus = out
    if cert_modulus and key_modulus and cert_modulus == key_modulus:
        return True
    return False


if __name__ == "__main__":
    # Sanity-check that each private key matches its certificate (same
    # modulus) before the files are put into service.
    parser = get_parser()
    opts, args = parser.parse_args()

    ent_key = opts.ent_key
    ent_cert = opts.ent_cert
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert

    #Check the matching server/key.  They should have the same modulus
    if not check_modulus(ca_key, ca_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ca_key,
                                                                  ca_cert)
        sys.exit(1)
    # NOTE(review): the listing ends right after this message; confirm the
    # entitlement-pair mismatch also exits non-zero rather than falling through.
    if not check_modulus(ent_key, ent_cert):
        print 'Error, modulus for "%s" and "%s" are different' % (ent_key,
                                                                  ent_cert)
    # rhel5 needs -md sha1, it complains about the 'default_md' option in openssl config
    cmd = "openssl ca -revoke %s -keyfile %s -cert %s -config %s -md sha1" % (
        cert_to_revoke, ca_key, ca_cert, ssl_conf)
    if not run_command(cmd):
        return False
    # openssl ca -gencrl -config openssl.cnf -keyfile ./Pulp_CA.key -cert Pulp_CA.cert -out my_crl.pem
    cmd = "openssl ca -gencrl -keyfile %s -cert %s -out %s -config %s -crlexts crl_ext -md sha1" % (
        ca_key, ca_cert, crl_path, ssl_conf)
    if not run_command(cmd):
        return False
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=[
        "index", "crlnumber", "ssl_conf_template_crl", "ssl_conf_crl",
        "ca_key", "ca_cert", "crl"
    ])
    (opts, args) = parser.parse_args()

    index = opts.index
    crlnumber = opts.crlnumber
    ssl_conf_template_crl = opts.ssl_conf_template_crl
    ssl_conf_crl = opts.ssl_conf_crl
    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    crl = opts.crl

    if len(args) < 1:
        print "No certificate to revoke was given"
        print "Please re-run with certificate to revoke as command line argument"
        sys.exit(1)
    return run_command(cmd)


def create_serial(ca_serial):
    if not os.path.exists(os.path.dirname(ca_serial)):
        os.makedirs(os.path.dirname(ca_serial))
    f = open(ca_serial, "w")
    try:
        f.write("01")
    finally:
        f.close()
    return True


if __name__ == "__main__":
    parser = get_parser(limit_options=["ca_key", "ca_cert", "ca_serial"])
    (opts, args) = parser.parse_args()

    ca_key = opts.ca_key
    ca_cert = opts.ca_cert
    ca_serial = opts.ca_serial

    if not create_ca_key(ca_key):
        print "Failed to create CA key"
        sys.exit(1)

    if not create_ca_cert(ca_key, ca_cert):
        print "Failed to create CA cert"
        sys.exit(1)

    if not create_serial(ca_serial):
        repos[repo_id] = {"id":repo_id}
        for item,value in config.items(repo_id):
            repos[repo_id][item] = value
    return repos

def create_test_repo(repo_id, repo_feed, ca_cert, client_cert, client_key):
    """Create a Pulp repo via ``sudo pulp-admin repo create``.

    Args:
        repo_id: Passed as ``--id``.
        repo_feed: Passed as ``--feed``.
        ca_cert: Passed as ``--consumer_ca``.
        client_cert: Passed as ``--consumer_cert``.
        client_key: Passed as ``--consumer_key``.

    Returns:
        The result of ``run_command`` for the pulp-admin call.
    """
    create_cmd = " ".join([
        "sudo pulp-admin repo create",
        "--id %s" % repo_id,
        "--feed %s" % repo_feed,
        "--consumer_ca %s" % ca_cert,
        "--consumer_cert %s" % client_cert,
        "--consumer_key %s" % client_key,
    ])
    return run_command(create_cmd)

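def sync_test_repo(repo_id):
    """Sync one Pulp repo via ``sudo pulp-admin repo sync ... -F``.

    Args:
        repo_id: Identifier passed as ``--id``.

    Returns:
        The result of ``run_command`` for the pulp-admin call.
    """
    # Use the parameter. The previous version read a module-level ``repo``
    # variable, which only worked when called from the __main__ loop that
    # happened to leak a ``repo`` name into module scope.
    cmd = "sudo pulp-admin repo sync --id %s -F" % repo_id
    return run_command(cmd)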

if __name__ == "__main__":
    parser = get_parser(description="Creat test repos",
            limit_options=['ca_cert', 'client_key', 'client_cert'])
    opts, _args = parser.parse_args()

    # The same consumer CA/cert/key is attached to every repo from the config.
    consumer_creds = (opts.ca_cert, opts.client_cert, opts.client_key)

    repos = get_repo_info()
    # The loop variable stays named ``repo``: sync_test_repo in this file may
    # read it as a module global rather than its argument, so renaming it
    # here is not safe.
    for repo in repos.values():
        repo_id, repo_feed = repo["id"], repo["feed"]
        if not create_test_repo(repo_id, repo_feed, *consumer_creds):
            print("Failed to create repo <%s> with feed <%s>" % (repo_id, repo_feed))
            sys.exit(1)
        if not sync_test_repo(repo_id):
            print("Failed to sync repo <%s>" % repo_id)
            sys.exit(1)