def _run_ldclt(self, cmd):
result = None
self.log.debug("ldclt loadtest ...")
self.log.debug(format_cmd_list(cmd))
try:
result = ensure_str(subprocess.check_output(cmd))
# If verbose, capture / log the output.
except subprocess.CalledProcessError as e:
print(format_cmd_list(cmd))
print(result)
raise (e)
self.log.debug(result)
# The output looks like:
# ldclt[44308]: Average rate: 4017.60/thr (4017.60/sec), total: 40176
# ldclt[44308]: Number of samples achieved. Bye-bye...
# ldclt[44308]: All threads are dead - exit.
# ldclt[44308]: Global average rate: 40604.00/thr (4060.40/sec), total: 406040
# ldclt[44308]: Global number times "no activity" reports: never
# ldclt[44308]: Global no error occurs during this session.
# So we want the "global avg rate" per second.
section = None
for line in result.splitlines():
if 'Global average rate' in line:
section = line.split('(')[1].split(')')[0].split('/')[0]
return section
def create_rsa_ca(self, months=VALID):
"""
Create a self signed CA.
"""
# Wait a second to avoid an NSS bug with serial ids based on time.
time.sleep(1)
# Create noise.
self._generate_noise('%s/noise.txt' % self._certdb)
# Now run the command. Can we do this with NSS native?
cmd = [
'/usr/bin/certutil',
'-S',
'-n',
CA_NAME,
'-s',
ISSUER,
'-x',
'-g',
'%s' % KEYBITS,
'-t',
'CT,,',
'-v',
'%s' % months,
'-2',
'--keyUsage',
'certSigning',
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
cmd_input = b'y\n\n' # responses to certutil questions
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
result = ensure_str(
run(cmd, check=True, stderr=PIPE, stdout=PIPE,
input=cmd_input).stdout)
self.log.debug("nss output: %s", result)
# Now extract the CAcert to a well know place.
# This allows us to point the cacert dir here and it "just works"
cmd = [
'/usr/bin/certutil',
'-L',
'-n',
CA_NAME,
'-d',
self._certdb,
'-a',
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
certdetails = check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
with open('%s/ca.crt' % self._certdb, 'w') as f:
f.write(ensure_str(certdetails))
self.openssl_rehash(self._certdb)
return True
def bind_loadtest(self, subtree, min=1000, max=9999, rounds=3):
# The bind users will be uid=userXXXX
digits = len('%s' % max)
cmd = [
'%s/bin/ldclt' % self.ds.prefix,
'-h',
self.ds.host,
'-p',
'%s' % self.ds.port,
'-N',
'%s' % rounds,
'-D',
'uid=user%s,%s' % ('X' * digits, subtree),
'-w',
'user%s' % ('X' * digits),
'-e',
"randombinddn,randombinddnlow=%s,randombinddnhigh=%s" % (min, max),
'-e',
'bindonly',
]
result = None
self.log.debug("ldclt loadtest ...")
self.log.debug(format_cmd_list(cmd))
try:
result = subprocess.check_output(cmd)
# If verbose, capture / log the output.
except subprocess.CalledProcessError as e:
print(format_cmd_list(cmd))
print(result)
raise (e)
self.log.debug(result)
def add_server_key_and_cert(self, input_key, input_cert):
if not os.path.exists(input_key):
raise ValueError(
"The key file ({}) does not exist".format(input_key))
if not os.path.exists(input_cert):
raise ValueError(
"The cert file ({}) does not exist".format(input_cert))
self._assert_not_chain(input_key)
self._assert_not_chain(input_cert)
self.log.debug(f"Importing key and cert -> {input_key}, {input_cert}")
p12_bundle = "%s/temp_server_key_cert.p12" % self._certdb
# Remove the p12 if it exists
if os.path.exists(p12_bundle):
os.remove(p12_bundle)
# Transform to p12
cmd = [
'openssl', 'pkcs12', '-export', '-in', input_cert, '-inkey',
input_key, '-out', p12_bundle, '-name', CERT_NAME, '-passout',
'pass:'******'-aes128'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
# Remove the server-cert if it exists, because else the import name fails.
try:
self.del_cert(CERT_NAME)
except:
pass
try:
# Import it
cmd = [
'pk12util',
'-v',
'-i',
p12_bundle,
'-d',
self._certdb,
'-k',
'%s/%s' % (self._certdb, PWD_TXT),
'-W',
"",
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
finally:
# Remove the p12
if os.path.exists(p12_bundle):
os.remove(p12_bundle)
def create_rsa_ca(self, months=VALID):
"""
Create a self signed CA.
"""
# Wait a second to avoid an NSS bug with serial ids based on time.
time.sleep(1)
# Create noise.
self._generate_noise('%s/noise.txt' % self._certdb)
# Now run the command. Can we do this with NSS native?
cmd = [
'/usr/bin/certutil',
'-S',
'-n',
CA_NAME,
'-s',
ISSUER,
'-x',
'-g',
'%s' % KEYBITS,
'-t',
'CT,,',
'-v',
'%s' % months,
'--keyUsage',
'certSigning',
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
self.log.debug("nss output: %s", result)
# Now extract the CAcert to a well know place.
# This allows us to point the cacert dir here and it "just works"
cmd = [
'/usr/bin/certutil',
'-L',
'-n',
CA_NAME,
'-d',
self._certdb,
'-a',
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
certdetails = check_output(cmd, stderr=subprocess.STDOUT)
with open('%s/ca.crt' % self._certdb, 'w') as f:
f.write(ensure_str(certdetails))
cmd = ['/usr/bin/c_rehash', self._certdb]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
return True
def import_rsa_crt(self, ca=None, crt=None):
"""Given a signed certificate from a ca, import the CA and certificate
to our database.
"""
assert ca is not None or crt is not None, "At least one parameter should be specified (ca or crt)"
if ca is not None:
shutil.copyfile(ca, '%s/ca.crt' % self._certdb)
self.openssl_rehash(self._certdb)
cmd = [
'/usr/bin/certutil',
'-A',
'-n',
CA_NAME,
'-t',
"CT,,",
'-a',
'-i',
'%s/ca.crt' % self._certdb,
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
if crt is not None:
cmd = [
'/usr/bin/certutil',
'-A',
'-n',
CERT_NAME,
'-t',
",,",
'-a',
'-i',
crt,
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
cmd = [
'/usr/bin/certutil', '-V', '-d', self._certdb, '-n', CERT_NAME,
'-u', 'YCV'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
def add_cert(self, nickname, input_file, ca=False):
"""Add server or CA cert
"""
# Verify input_file exists
if not os.path.exists(input_file):
raise ValueError(
"The certificate file ({}) does not exist".format(input_file))
if ca:
trust_flags = "CT,,"
else:
trust_flags = ",,"
cmd = [
'/usr/bin/certutil',
'-A',
'-d',
self._certdb,
'-n',
nickname,
'-t',
trust_flags,
'-i',
input_file,
'-a',
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("add_cert cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
def edit_cert_trust(self, nickname, trust_flags):
"""Edit trust flags
"""
# validate trust flags
flag_sections = trust_flags.split(',')
if len(flag_sections) != 3:
raise ValueError("Invalid trust flag format")
for section in flag_sections:
if len(section) > 6:
raise ValueError(
"Invalid trust flag format, too many flags in a section")
for c in trust_flags:
if c not in ['p', 'P', 'c', 'C', 'T', 'u', ',']:
raise ValueError("Invalid trust flag {}".format(c))
# Modify certificate flags
cmd = [
'/usr/bin/certutil',
'-M',
'-d',
self._certdb,
'-n',
nickname,
'-t',
trust_flags,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("edit_cert_trust cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
def openssl_rehash(self, certdir):
"""
Compatibly run c_rehash (on old openssl versions) or openssl rehash (on
new ones). Prefers openssl rehash, because openssl on versions where
the rehash command doesn't exist, also doesn't correctly set the return
code. Instead, we parse the output of `openssl version` and try to
figure out if we have a new enough version to unconditionally run rehash.
"""
try:
openssl_version = check_output(['/usr/bin/openssl', 'version'
]).decode('utf-8').strip()
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
rehash_available = LegacyVersion(
openssl_version.split(' ')[1]) >= LegacyVersion('1.1.0')
if rehash_available:
cmd = ['/usr/bin/openssl', 'rehash', certdir]
else:
cmd = ['/usr/bin/c_rehash', certdir]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
def rsa_ca_needs_renew(self):
"""Check is our self signed CA is expired or
will expire less than a minimum period of time (VALID_MIN)
"""
cmd = [
'/usr/bin/certutil',
'-L',
'-n',
CA_NAME,
'-d',
self._certdb,
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
certdetails = check_output(cmd,
stderr=subprocess.STDOUT,
encoding='utf-8')
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
end_date_str = certdetails.split("Not After : ")[1].split("\n")[0]
date_format = '%a %b %d %H:%M:%S %Y'
end_date = datetime.strptime(end_date_str, date_format)
if end_date - datetime.now() < timedelta(days=VALID_MIN):
return True
else:
return False
def rsa_ca_sign_csr(self, csr_path, months=VALID):
""" Given a CSR, sign it with our CA certificate (if present). This
emits a signed certificate which can be imported with import_rsa_crt.
"""
crt_path = 'crt'.join(csr_path.rsplit('csr', 1))
ca_path = '%s/ca.crt' % self._certdb
cmd = [
'/usr/bin/certutil',
'-C',
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
'-v',
'%s' % months,
'-a',
'-i', csr_path,
'-o', crt_path,
'-c', CA_NAME,
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
return (ca_path, crt_path)
def reinit(self):
"""
Re-init (create) the nss db.
"""
# 48886: The DB that DS ships with is .... well, broken. Purge it!
assert self.remove_db()
try:
os.makedirs(self._certdb)
except FileExistsError:
pass
if self.dirsrv is None:
# Write a README to let people know what this is
readme_file = '%s/%s' % (self._certdb, 'README.txt')
if not os.path.exists(readme_file):
with open(readme_file, 'w') as f:
f.write("""
SSCA - Simple Self-Signed Certificate Authority
This is part of the 389 Directory Server project's lib389 toolkit. It
creates a simple, standalone certificate authority for testing and
development purposes. It's suitable for evaluation and testing purposes
only.
""")
# In the future we may add the needed option to avoid writing the pin
# files.
# Write the pin.txt, and the pwdfile.txt
prv_mask = os.umask(0o177)
try:
pin_file = '%s/%s' % (self._certdb, PIN_TXT)
if not os.path.exists(pin_file):
with open(pin_file, 'w') as f:
f.write('Internal (Software) Token:%s' % self.dbpassword)
pwd_text_file = '%s/%s' % (self._certdb, PWD_TXT)
if not os.path.exists(pwd_text_file):
with open(pwd_text_file, 'w') as f:
f.write('%s' % self.dbpassword)
finally:
prv_mask = os.umask(prv_mask)
# Init the db.
# 48886; This needs to be sql format ...
cmd = [
'/usr/bin/certutil', '-N', '-d', self._certdb, '-f',
'%s/%s' % (self._certdb, PWD_TXT), '-@',
'%s/%s' % (self._certdb, PWD_TXT)
]
self._generate_noise('%s/noise.txt' % self._certdb)
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
self.log.debug("nss output: %s", result)
return True
def create_rsa_key_and_csr(self, alt_names=[], subject=None):
"""Create a new RSA key and the certificate signing request. This
request can be submitted to a CA for signing. The returned certificate
can be added with import_rsa_crt.
"""
csr_path = os.path.join(self._certdb, '%s.csr' % CERT_NAME)
if len(alt_names) == 0:
alt_names = self.detect_alt_names(alt_names)
if subject is None:
subject = self.generate_cert_subject(alt_names)
self.log.debug(f"CSR subject -> {subject}")
self.log.debug(f"CSR alt_names -> {alt_names}")
# Wait a second to avoid an NSS bug with serial ids based on time.
time.sleep(1)
# Create noise.
self._generate_noise('%s/noise.txt' % self._certdb)
cmd = [
'/usr/bin/certutil',
'-R',
# We want a dual purposes client and server cert
'--keyUsage',
'digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment',
'--nsCertType',
'sslClient,sslServer',
'--extKeyUsage',
'clientAuth,serverAuth',
'-s',
subject,
# We MUST issue with SANs else ldap wont verify the name.
'-8',
','.join(alt_names),
'-g',
'%s' % KEYBITS,
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
'-a',
'-o',
csr_path,
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
return csr_path
def display_cert_details(self, nickname):
cmd = [
'/usr/bin/certutil',
'-d',
self._certdb,
'-n',
nickname,
'-L',
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("display_cert_details cmd: %s", format_cmd_list(cmd))
return check_output(cmd, stderr=subprocess.STDOUT, encoding='utf-8')
def del_cert(self, nickname):
"""Delete this certificate
"""
cmd = [
'/usr/bin/certutil',
'-D',
'-d',
self._certdb,
'-n',
nickname,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("del_cert cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
def create_rsa_key_and_cert(self, alt_names=[], months=VALID):
"""
Create a key and a cert that is signed by the self signed ca
This will use the hostname from the DS instance, and takes a list of
extra names to take.
"""
alt_names = self.detect_alt_names(alt_names)
subject = self.generate_cert_subject(alt_names)
# Wait a second to avoid an NSS bug with serial ids based on time.
time.sleep(1)
# Create noise.
self._generate_noise('%s/noise.txt' % self._certdb)
cmd = [
'/usr/bin/certutil',
'-S',
'-n',
CERT_NAME,
'-s',
subject,
# We MUST issue with SANs else ldap wont verify the name.
'-8',
','.join(alt_names),
'-c',
CA_NAME,
'-g',
'%s' % KEYBITS,
'-t',
',,',
'-v',
'%s' % months,
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
self.log.debug("nss output: %s", result)
return True
def display_cert_details(self, nickname):
cmd = [
'/usr/bin/certutil',
'-d',
self._certdb,
'-n',
nickname,
'-L',
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("display_cert_details cmd: %s", format_cmd_list(cmd))
try:
result = check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
return ensure_str(result)
def del_cert(self, nickname):
"""Delete this certificate
"""
cmd = [
'/usr/bin/certutil',
'-D',
'-d',
self._certdb,
'-n',
nickname,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("del_cert cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
def _rsa_cert_key_exists(self, cert_tuple):
name = cert_tuple[0]
cmd = [
'/usr/bin/certutil',
'-K',
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
lines = result.split('\n')[1:-1]
key_list = []
for line in lines:
m = re.match('\<(?P<id>.*)\> (?P<type>\w+)\s+(?P<hash>\w+).*:(?P<name>.+)', line)
if name == m.group('name'):
return True
return False
def create_rsa_user(self, name, months=VALID):
"""
Create a key and cert for a user to authenticate to the directory.
Name is the uid of the account, and will become the CN of the cert.
"""
subject = USER_ISSUER.format(HOSTNAME=name)
if self._rsa_user_exists(name):
return subject
# Wait a second to avoid an NSS bug with serial ids based on time.
time.sleep(1)
cmd = [
'/usr/bin/certutil',
'-S',
'-n',
'%s%s' % (USER_PREFIX, name),
'-s',
subject,
'--keyUsage',
'digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment',
'--nsCertType',
'sslClient',
'--extKeyUsage',
'clientAuth',
'-c',
CA_NAME,
'-g',
'%s' % KEYBITS,
'-t',
',,',
'-v',
'%s' % months,
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
result = ensure_str(check_output(cmd, stderr=subprocess.STDOUT))
self.log.debug("nss output: %s", result)
# Now extract this into PEM files that we can use.
# pk12util -o user-william.p12 -d . -k pwdfile.txt -n user-william -W ''
cmd = [
'pk12util',
'-d', self._certdb,
'-o', '%s/%s%s.p12' % (self._certdb, USER_PREFIX, name),
'-k', '%s/%s' % (self._certdb, PWD_TXT),
'-n', '%s%s' % (USER_PREFIX, name),
'-W', '""'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
# openssl pkcs12 -in user-william.p12 -passin pass:'' -out file.pem -nocerts -nodes
# Extract the key
cmd = [
'openssl',
'pkcs12',
'-in', '%s/%s%s.p12' % (self._certdb, USER_PREFIX, name),
'-passin', 'pass:""',
'-out', '%s/%s%s.key' % (self._certdb, USER_PREFIX, name),
'-nocerts',
'-nodes'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
# Extract the cert
cmd = [
'openssl',
'pkcs12',
'-in', '%s/%s%s.p12' % (self._certdb, USER_PREFIX, name),
'-passin', 'pass:""',
'-out', '%s/%s%s.crt' % (self._certdb, USER_PREFIX, name),
'-nokeys',
'-clcerts',
'-nodes'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
# Convert the cert for userCertificate attr
cmd = [
'openssl',
'x509',
'-inform', 'PEM',
'-outform', 'DER',
'-in', '%s/%s%s.crt' % (self._certdb, USER_PREFIX, name),
'-out', '%s/%s%s.der' % (self._certdb, USER_PREFIX, name),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
return subject
def renew_rsa_ca(self, months=VALID):
"""Renew the self signed CA."""
csr_path = os.path.join(self._certdb, 'CA_renew.csr')
crt_path = '%s/ca.crt' % self._certdb
# Create noise.
self._generate_noise('%s/noise.txt' % self._certdb)
# Generate a CSR for a new CA cert
cmd = [
'/usr/bin/certutil',
'-R',
'-s',
ISSUER,
'-g',
'%s' % KEYBITS,
'-k',
'NSS Certificate DB:%s' % CA_NAME,
'-d',
self._certdb,
'-z',
'%s/noise.txt' % self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
'-a',
'-o', csr_path,
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
# Sign the CSR with our old CA
cmd = [
'/usr/bin/certutil',
'-C',
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
'-a',
'-i', csr_path,
'-o', crt_path,
'-c', CA_NAME,
'--keyUsage',
'certSigning',
'-t',
'CT,,',
'-v',
'%s' % months,
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
cmd = ['/usr/bin/c_rehash', self._certdb]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
# Import the new CA to our DB instead of the old CA
cmd = [
'/usr/bin/certutil',
'-A',
'-n', CA_NAME,
'-t', "CT,,",
'-a',
'-i', crt_path,
'-d', self._certdb,
'-f', '%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
check_output(cmd, stderr=subprocess.STDOUT)
return crt_path
def import_rsa_crt(self, ca=None, crt=None):
"""Given a signed certificate from a ca, import the CA and certificate
to our database.
"""
assert ca is not None or crt is not None, "At least one parameter should be specified (ca or crt)"
if ca is not None:
if not os.path.exists(ca):
raise ValueError(
"The certificate file ({}) does not exist".format(ca))
self._assert_not_chain(ca)
shutil.copyfile(ca, '%s/ca.crt' % self._certdb)
self.openssl_rehash(self._certdb)
cmd = [
'/usr/bin/certutil',
'-A',
'-n',
CA_NAME,
'-t',
"CT,,",
'-a',
'-i',
'%s/ca.crt' % self._certdb,
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
if crt is not None:
if not os.path.exists(crt):
raise ValueError(
"The certificate file ({}) does not exist".format(crt))
self._assert_not_chain(crt)
cmd = [
'/usr/bin/certutil',
'-A',
'-n',
CERT_NAME,
'-t',
",,",
'-a',
'-i',
crt,
'-d',
self._certdb,
'-f',
'%s/%s' % (self._certdb, PWD_TXT),
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
cmd = [
'/usr/bin/certutil', '-V', '-d', self._certdb, '-n', CERT_NAME,
'-u', 'YCV'
]
self.log.debug("nss cmd: %s", format_cmd_list(cmd))
try:
check_output(cmd, stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
def create_users(self, subtree, min=1000, max=9999, template=None):
"""
Creates users as user<min through max>. Password will be set to
password<number>
This will automatically work with the bind loadtest.
"""
# Should we check max > min?
# Create the template file given the data.
if template is None:
template = """
objectClass: top
objectclass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
sn: user[A]
cn: user[A]
givenName: user[A]
description: description [A]
userPassword: user[A]
mail: user[A]@example.com
uidNumber: 1[A]
gidNumber: 2[A]
shadowMin: 0
shadowMax: 99999
shadowInactive: 30
shadowWarning: 7
homeDirectory: /home/user[A]
loginShell: /bin/false
"""
with open('/tmp/ldclt_template_lib389.ldif', 'wb') as f:
f.write(template)
# call ldclt with the current rootdn and rootpass
digits = len('%s' % max)
cmd = [
'%s/ldclt' % self.ds.get_bin_dir(),
'-h',
self.ds.host,
'-p',
'%s' % self.ds.port,
'-D',
self.ds.binddn,
'-w',
self.ds.bindpw,
'-b',
subtree,
'-e',
'add,commoncounter',
'-e',
"object=/tmp/ldclt_template_lib389.ldif,rdn=uid:user[A=INCRNNOLOOP(%s;%s;%s)]"
% (min, max, digits),
]
result = None
self.log.debug("ldclt begining user create ...")
self.log.debug(format_cmd_list(cmd))
try:
result = subprocess.check_output(cmd)
# If verbose, capture / log the output.
except subprocess.CalledProcessError as e:
print(format_cmd_list(cmd))
print(result)
raise (e)
self.log.debug(result)
