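def gen_client_certs(ca, clients, directory=None, force=False):
    """Ensure every named client holds a certificate issued by ``ca``.

    Args:
        ca: the issuing CA object; ``ca.ca_cert`` is its X509 certificate,
            ``ca.sign_csr`` signs a request and ``ca.cert_string`` yields the
            PEM text written into the archive.
        clients: iterable of client names; falsy entries are skipped.  A
            value that is not iterable (e.g. ``None``) is logged as a warning
            and the function returns without issuing anything.
        directory: when set, each client's material is written there through
            ``tar_certs`` for easy retrieval.
        force: re-issue a certificate even when the client already has one.

    A client is (re)issued a certificate when it has none, when ``force`` is
    set, or when its current certificate names an issuer other than this CA.
    The issuer test compares distinguished names only -- it does not verify
    the signature, so it catches a cert from a different CA, not one whose
    issuer name was chosen to match.
    """
    try:
        # Materialize up front so a non-iterable ``clients`` is reported here,
        # and a TypeError raised later while signing or saving is no longer
        # mistaken for "no clients given" and swallowed.
        names = [client for client in clients if client]
    except TypeError as e:
        logger.warning("not generating client certificates, {}".format(e))
        return

    for client in names:
        cert = Cert.get_named(client)
        if not cert.cert:
            # client doesn't have a cert yet. generate it
            logger.info("Generating client certificate for {}".format(client))
            cert.cert = ca.sign_csr(cert.csr())
        elif force:
            logger.info("Force regenerating client certificate for {}".format(client))
            cert.cert = ca.sign_csr(cert.csr())
        else:
            # check the client's cert was issued by us, if not, regen.
            # A cert we signed carries this CA's *subject* as its issuer;
            # comparing against the CA cert's own issuer (as before) only
            # coincides for a self-signed CA and would re-issue on every run
            # under an intermediate CA.
            ca_subject = ca.ca_cert.get_subject()
            issuer = cert.cert.get_issuer()
            if ca_subject != issuer:
                logger.info("Client certification for {} was issued "
                            "by another certificate authority. Re-issuing "
                            "the cert".format(client))
                cert.cert = ca.sign_csr(cert.csr())
        cert.save()
        if directory:
            # Now write the archive to disk for easy retrieval
            tar_certs(ca.cert_string(), cert, directory)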
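def __init__(self, ca_name, ezconfig=None):
    """Build the CA handler for ``ca_name``, loading or creating the CA.

    Args:
        ca_name: name under which the CA is stored and looked up.
        ezconfig: EzBake properties mapping.  When ``None`` (the default)
            ``EzConfiguration().getProperties()`` is read at call time.  The
            previous call-in-signature default was evaluated once at import
            time and then shared by every instance, so a config change after
            import was never seen.

    The persistence backend is chosen by ``EzCAHandler.PERSIST_MODE``:
    ``"file"`` (the default) uses ``FilePersist(EzCAHandler.TABLE_NAME)``,
    ``"accumulo"`` is not implemented, and any other value falls back to
    ``MemoryPersist`` -- CA state, including the CA key, is then lost when
    the process exits, so that fallback is logged.

    Raises:
        NotImplementedError: when the persist mode is ``"accumulo"``.
    """
    if ezconfig is None:
        ezconfig = EzConfiguration().getProperties()
    mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
    if mode == "file":
        store = FilePersist(EzCAHandler.TABLE_NAME)
    elif mode == "accumulo":
        raise NotImplementedError("accumulo persistance not supported by EzCA yet")
    else:
        # Any unrecognised value (including a typo) lands here; say so, since a
        # non-persistent CA store is rarely what an operator intended.
        logger.info("Using in-memory persistence for EzCA (persist mode %r)", mode)
        store = MemoryPersist()
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)
    self.store = store
    try:
        logger.info("Reading CA certificate {}".format(ca_name))
        self.ca = EzbakeCA.get_named(ca_name)
    except KeyError:
        # first run for this name: create and persist a new CA
        self.ca = EzbakeCA(name=ca_name)
        self.ca.save()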
def _server_certs(self):
    """Return the server's TLS material as PEM strings.

    Returns:
        dict with keys ``'ca_certs'`` (this CA's certificate), ``'cert'``
        (the server certificate) and ``'key'`` (the server private key).

    The server cert is signed and persisted on first use.  NOTE(review):
    unlike gen_client_certs, an existing server cert is reused without
    checking that this CA issued it -- confirm that is intended.
    """
    ca_pem = ezbakeca.ca.pem_cert(self.ca.ca_cert)
    server = Cert.get_named(self.SERVER_CERT_NAME)
    if not server.cert:
        # first run: sign a CSR for the server and store the result
        server.cert = self.ca.sign_csr(server.csr())
        server.save()
    key_pem = ezbakeca.ca.pem_key(server.private_key)
    cert_pem = ezbakeca.ca.pem_cert(server.cert)
    return {'ca_certs': ca_pem, 'cert': cert_pem, 'key': key_pem}
def test_init(self):
    """Each constructor argument lands on the matching Cert attribute."""
    name, owner, admins, level, visibilities, status, pk, x509 = self.cert_args()
    cert = Cert(name, owner, admins, level, visibilities, status, pk, x509)
    # (expected, actual) pairs; note ``visibilities`` is exposed as ``visibility``
    checks = [
        (name, cert.name),
        (owner, cert.owner),
        (admins, cert.admins),
        (level, cert.level),
        (visibilities, cert.visibility),
        (status, cert.status),
        (pk, cert.private_key),
        (x509, cert.cert),
    ]
    for expected, actual in checks:
        nt.assert_equal(expected, actual)
def test_save_get_full(self):
    """A fully populated Cert survives a save/get_named round trip.

    The in-memory object keeps ``admins`` as given, whereas the stored copy
    comes back as a comma-joined string and the key/cert come back as PEM
    text; the assertions below encode exactly that.
    """
    name, owner, admins, level, visibilities, status, pk, x509 = self.cert_args()
    cert = Cert(name, owner, admins, level, visibilities, status, pk, x509)

    # before saving: attributes are the raw constructor values
    in_memory = [
        (name, cert.name),
        (owner, cert.owner),
        (admins, cert.admins),
        (level, cert.level),
        (visibilities, cert.visibility),
        (status, cert.status),
        (pk, cert.private_key),
        (x509, cert.cert),
    ]
    for expected, actual in in_memory:
        nt.assert_equal(expected, actual)

    cert.save()
    fetched = Cert.get_named(name)

    # after reloading: admins is joined, key and cert are PEM strings
    reloaded = [
        (name, fetched.name),
        (owner, fetched.owner),
        (",".join(admins), fetched.admins),
        (level, fetched.level),
        (visibilities, fetched.visibility),
        (status, fetched.status),
        (ezbakeca.ca.pem_key(pk), fetched.pkey_string()),
        (ezbakeca.ca.pem_cert(x509), fetched.cert_string()),
    ]
    for expected, actual in reloaded:
        nt.assert_equal(expected, actual)
def init(config):
    """Create (or reuse) the CA named by ``config`` and issue client certs.

    Args:
        config: parsed options; reads ``verbose``, ``clients`` (comma-separated
            client names), ``name``, ``env``, ``outdir`` and ``force``.

    With ``force`` the stored CA record is deleted first, so a brand-new CA
    (and CA key) is generated and every client certificate is re-issued;
    anything that trusted the old CA certificate stops trusting these certs.
    """
    ez_config = load_configuration("config")
    setup_logging(config.verbose, ez_config)
    client_names = config.clients.split(',')

    # initialize the daos
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        # drop the existing record so a fresh CA is created below
        store.delete(config.name)

    # Try to get it first, to see if it already exists
    try:
        ca = EzbakeCA.get_named(config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()
    else:
        logger.info("CA %s not regenerated because it already exists", config.name)

    gen_client_certs(ca, client_names, directory=config.outdir, force=config.force)
def test_csr(self):
    """A freshly created Cert yields an X509 certificate request."""
    request = Cert("Test2").csr()
    nt.assert_is_instance(request, OpenSSL.crypto.X509Req)
def test_generates_pk(self):
    """Constructing a Cert generates a private key."""
    generated = Cert("Test")
    nt.assert_is_not_none(generated.private_key)
def test_save_get_simple(self):
    """A saved Cert can be fetched back under its name."""
    name = "TestCert"
    Cert(name).save()
    fetched = Cert.get_named(name)
    nt.assert_equal(name, fetched.name)
def setUp(self):
    """Point the Cert DAO at a fresh in-memory store before each test."""
    store = MemoryPersist()
    Cert.setup(store=store)