def GenerateKeys(config, overwrite_keys=False):
"""Generate the keys we need for a GRR server."""
if not hasattr(key_utils, "MakeCACert"):
parser.error("Generate keys can only run with open source key_utils.")
if (config.Get("PrivateKeys.server_key", default=None)
and not overwrite_keys):
print(config.Get("PrivateKeys.server_key"))
raise RuntimeError(
"Config %s already has keys, use --overwrite_keys to "
"override." % config.parser)
length = grr_config.CONFIG["Server.rsa_key_length"]
print("All keys will have a bit length of %d." % length)
print("Generating executable signing key")
executable_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
config.Set("PrivateKeys.executable_signing_private_key",
executable_key.AsPEM())
config.Set("Client.executable_signing_public_key",
executable_key.GetPublicKey().AsPEM())
print("Generating CA keys")
ca_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
ca_cert = key_utils.MakeCACert(ca_key)
config.Set("CA.certificate", ca_cert.AsPEM())
config.Set("PrivateKeys.ca_key", ca_key.AsPEM())
print("Generating Server keys")
server_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
server_cert = key_utils.MakeCASignedCert(u"grr", server_key, ca_cert,
ca_key)
config.Set("Frontend.certificate", server_cert.AsPEM())
config.Set("PrivateKeys.server_key", server_key.AsPEM())
print("Generating secret key for csrf protection.")
GenerateCSRFKey(config)
def RotateServerKey(cn=u"grr", keylength=4096):
"""This function creates and installs a new server key.
Note that
- Clients might experience intermittent connection problems after
the server keys rotated.
- It's not possible to go back to an earlier key. Clients that see a
new certificate will remember the cert's serial number and refuse
to accept any certificate with a smaller serial number from that
point on.
Args:
cn: The common name for the server to use.
keylength: Length in bits for the new server key.
Raises:
ValueError: There is no CA cert in the config. Probably the server
still needs to be initialized.
"""
ca_certificate = config.CONFIG["CA.certificate"]
ca_private_key = config.CONFIG["PrivateKeys.ca_key"]
if not ca_certificate or not ca_private_key:
raise ValueError("No existing CA certificate found.")
# Check the current certificate serial number
existing_cert = config.CONFIG["Frontend.certificate"]
serial_number = existing_cert.GetSerialNumber() + 1
EPrint("Generating new server key (%d bits, cn '%s', serial # %d)" %
(keylength, cn, serial_number))
server_private_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=keylength)
server_cert = key_utils.MakeCASignedCert(str(cn),
server_private_key,
ca_certificate,
ca_private_key,
serial_number=serial_number)
EPrint("Updating configuration.")
config.CONFIG.Set("Frontend.certificate",
server_cert.AsPEM().decode("ascii"))
config.CONFIG.Set("PrivateKeys.server_key",
server_private_key.AsPEM().decode("ascii"))
config.CONFIG.Write()
EPrint("Server key rotated, please restart the GRR Frontends.")
