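def gen_client_certs(ca, clients, directory=None, force=False):
    """Issue (or re-issue) a certificate for every named client.

    For each non-empty name in ``clients`` the stored ``Cert`` record is
    loaded and signed by ``ca`` when it has no certificate yet, when
    ``force`` is set, or when the issuer name on the stored certificate
    does not match the CA's subject name (i.e. the CA was replaced).  Each
    record is saved afterwards and, when ``directory`` is given, bundled
    with the CA certificate on disk via ``tar_certs``.

    Args:
        ca: signing CA; must expose ``ca_cert``, ``sign_csr`` and
            ``cert_string``.
        clients: iterable of client names; falsy entries are skipped.
        directory: optional output directory for the archives.
        force: re-sign every listed client regardless of its current cert.

    The loop is wrapped in a TypeError handler so that an unusable
    ``clients`` value (e.g. ``None``, which ``filter`` rejects) is logged
    and skipped rather than aborting the caller.  Note that a TypeError
    raised deeper inside the loop is swallowed the same way.
    """
    try:
        for client in filter(None, clients):
            cert = Cert.get_named(client)
            if not cert.cert:
                # client doesn't have a cert yet. generate it
                logger.info("Generating client certificate for {}"
                    .format(client))
                cert.cert = ca.sign_csr(cert.csr())
            elif force:
                logger.info("Force regenerating client certificate for {}"
                    .format(client))
                cert.cert = ca.sign_csr(cert.csr())
            else:
                # A certificate chains to this CA when its issuer name equals
                # the CA certificate's *subject* name. For a self-signed root
                # subject == issuer, so reading get_issuer() here happened to
                # work; it would not for an intermediate CA.
                ca_subject = ca.ca_cert.get_subject()
                issuer = cert.cert.get_issuer()
                # Name equality only detects a rotated CA; it is not a
                # signature check. A foreign cert carrying the same issuer
                # name would pass -- verify the signature against ca_cert if
                # that matters for the deployment.
                if ca_subject != issuer:
                    logger.info("Client certification for {} was issued " \
                        "by another certificate authority. Re-issuing " \
                        "the cert".format(client))
                    cert.cert = ca.sign_csr(cert.csr())
            cert.save()

            if directory:
                # Now write the archive to disk for easy retrieval
                tar_certs(ca.cert_string(), cert, directory)
    except TypeError as e:
        # logger.warn is a deprecated alias of logger.warning
        logger.warning("not generating client certificates, {}".format(e))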
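def gen_client_certs(ca, clients, directory=None, force=False):
    """Issue (or re-issue) a certificate for every named client.

    For each non-empty name in ``clients`` the stored ``Cert`` record is
    loaded and signed by ``ca`` when it has no certificate yet, when
    ``force`` is set, or when the issuer name on the stored certificate
    does not match the CA's subject name (i.e. the CA was replaced).  Each
    record is saved afterwards and, when ``directory`` is given, bundled
    with the CA certificate on disk via ``tar_certs``.

    Args:
        ca: signing CA; must expose ``ca_cert``, ``sign_csr`` and
            ``cert_string``.
        clients: iterable of client names; falsy entries are skipped.
        directory: optional output directory for the archives.
        force: re-sign every listed client regardless of its current cert.

    The loop is wrapped in a TypeError handler so that an unusable
    ``clients`` value (e.g. ``None``, which ``filter`` rejects) is logged
    and skipped rather than aborting the caller.  Note that a TypeError
    raised deeper inside the loop is swallowed the same way.
    """
    try:
        for client in filter(None, clients):
            cert = Cert.get_named(client)
            if not cert.cert:
                # client doesn't have a cert yet. generate it
                logger.info("Generating client certificate for {}"
                    .format(client))
                cert.cert = ca.sign_csr(cert.csr())
            elif force:
                logger.info("Force regenerating client certificate for {}"
                    .format(client))
                cert.cert = ca.sign_csr(cert.csr())
            else:
                # A certificate chains to this CA when its issuer name equals
                # the CA certificate's *subject* name. For a self-signed root
                # subject == issuer, so reading get_issuer() here happened to
                # work; it would not for an intermediate CA.
                ca_subject = ca.ca_cert.get_subject()
                issuer = cert.cert.get_issuer()
                # Name equality only detects a rotated CA; it is not a
                # signature check. A foreign cert carrying the same issuer
                # name would pass -- verify the signature against ca_cert if
                # that matters for the deployment.
                if ca_subject != issuer:
                    logger.info("Client certification for {} was issued " \
                        "by another certificate authority. Re-issuing " \
                        "the cert".format(client))
                    cert.cert = ca.sign_csr(cert.csr())
            cert.save()

            if directory:
                # Now write the archive to disk for easy retrieval
                tar_certs(ca.cert_string(), cert, directory)
    except TypeError as e:
        # logger.warn is a deprecated alias of logger.warning
        logger.warning("not generating client certificates, {}".format(e))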
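    def __init__(self, ca_name, ezconfig=None):
        """Select the persistence backend and load (or create) the named CA.

        Args:
            ca_name: name of the CA record to load; if no record exists a
                brand-new CA is generated and saved under that name.
            ezconfig: configuration mapping; defaults to the properties of a
                fresh ``EzConfiguration()`` resolved at call time.

        Raises:
            NotImplementedError: when ``EzCAHandler.PERSIST_MODE`` is "accumulo".
        """
        # Resolve the default here rather than in the signature: a default
        # argument expression runs once at import time and would pin whatever
        # the configuration looked like then for every later instance.
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # NOTE(review): any other value -- including a typo of "file" --
            # silently selects the non-persistent in-memory store, so the CA
            # key and every issued cert vanish with the process. Consider
            # rejecting unrecognised modes explicitly.
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)

        self.store = store
        try:
            logger.info("Reading CA certificate {}".format(ca_name))
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # Missing record => new CA. A mistyped ca_name therefore creates
            # a fresh, unrelated CA instead of failing.
            self.ca = EzbakeCA(name=ca_name)
        self.ca.save()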
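    def __init__(self, ca_name, ezconfig=None):
        """Select the persistence backend and load (or create) the named CA.

        Args:
            ca_name: name of the CA record to load; if no record exists a
                brand-new CA is generated and saved under that name.
            ezconfig: configuration mapping; defaults to the properties of a
                fresh ``EzConfiguration()`` resolved at call time.

        Raises:
            NotImplementedError: when ``EzCAHandler.PERSIST_MODE`` is "accumulo".
        """
        # Resolve the default here rather than in the signature: a default
        # argument expression runs once at import time and would pin whatever
        # the configuration looked like then for every later instance.
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # NOTE(review): any other value -- including a typo of "file" --
            # silently selects the non-persistent in-memory store, so the CA
            # key and every issued cert vanish with the process. Consider
            # rejecting unrecognised modes explicitly.
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)

        self.store = store
        try:
            logger.info("Reading CA certificate {}".format(ca_name))
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # Missing record => new CA. A mistyped ca_name therefore creates
            # a fresh, unrelated CA instead of failing.
            self.ca = EzbakeCA(name=ca_name)
        self.ca.save()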
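 def _server_certs(self):
     """Return this service's TLS material as PEM strings.

     Returns a dict with keys ``ca_certs`` (the CA certificate), ``cert``
     (the server certificate) and ``key`` -- the server's PRIVATE key.  The
     result is secret material: keep it off logs and out of any response.

     The server certificate is issued by ``self.ca`` when none is stored
     yet, and re-issued when the stored one was not issued by the current
     CA (e.g. the CA was regenerated), mirroring the issuer check that
     gen_client_certs applies to client certificates.
     """
     ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
     cert = Cert.get_named(self.SERVER_CERT_NAME)
     # Issuer-name equality only detects a rotated CA; it is not a
     # signature verification.
     stale = bool(cert.cert) and \
         cert.cert.get_issuer() != self.ca.ca_cert.get_subject()
     if not cert.cert or stale:
         cert.cert = self.ca.sign_csr(cert.csr())
         cert.save()
     key = ezbakeca.ca.pem_key(cert.private_key)
     cert = ezbakeca.ca.pem_cert(cert.cert)
     return {'ca_certs': ca_certs, 'cert': cert, 'key': key}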
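 def _server_certs(self):
     """Return this service's TLS material as PEM strings.

     Returns a dict with keys ``ca_certs`` (the CA certificate), ``cert``
     (the server certificate) and ``key`` -- the server's PRIVATE key.  The
     result is secret material: keep it off logs and out of any response.

     The server certificate is issued by ``self.ca`` when none is stored
     yet, and re-issued when the stored one was not issued by the current
     CA (e.g. the CA was regenerated), mirroring the issuer check that
     gen_client_certs applies to client certificates.
     """
     ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
     cert = Cert.get_named(self.SERVER_CERT_NAME)
     # Issuer-name equality only detects a rotated CA; it is not a
     # signature verification.
     stale = bool(cert.cert) and \
         cert.cert.get_issuer() != self.ca.ca_cert.get_subject()
     if not cert.cert or stale:
         cert.cert = self.ca.sign_csr(cert.csr())
         cert.save()
     key = ezbakeca.ca.pem_key(cert.private_key)
     cert = ezbakeca.ca.pem_cert(cert.cert)
     return {'ca_certs': ca_certs, 'cert': cert, 'key': key}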
    def test_init(self):
        """Every constructor argument lands on the matching attribute."""
        args = self.cert_args()
        name, owner, admins, level, visibilities, status, pk, x509 = args
        cert = Cert(*args)
        expected = [
            (name, cert.name),
            (owner, cert.owner),
            (admins, cert.admins),
            (level, cert.level),
            (visibilities, cert.visibility),
            (status, cert.status),
            (pk, cert.private_key),
            (x509, cert.cert),
        ]
        for want, got in expected:
            nt.assert_equal(want, got)
    def test_save_get_full(self):
        """A fully populated Cert survives a save()/get_named() round trip.

        Note the asymmetry this pins down: ``admins`` goes in as a sequence
        but comes back as a single comma-joined string, and the key and
        certificate come back through the PEM string accessors.
        """
        args = self.cert_args()
        name, owner, admins, level, visibilities, status, pk, x509 = args
        cert = Cert(*args)
        before = [
            (name, cert.name),
            (owner, cert.owner),
            (admins, cert.admins),
            (level, cert.level),
            (visibilities, cert.visibility),
            (status, cert.status),
            (pk, cert.private_key),
            (x509, cert.cert),
        ]
        for want, got in before:
            nt.assert_equal(want, got)
        cert.save()

        loaded = Cert.get_named(name)
        after = [
            (name, loaded.name),
            (owner, loaded.owner),
            (",".join(admins), loaded.admins),
            (level, loaded.level),
            (visibilities, loaded.visibility),
            (status, loaded.status),
            (ezbakeca.ca.pem_key(pk), loaded.pkey_string()),
            (ezbakeca.ca.pem_cert(x509), loaded.cert_string()),
        ]
        for want, got in after:
            nt.assert_equal(want, got)
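def init(config):
    """Load or create the CA named ``config.name`` and issue client certs.

    Args:
        config: parsed CLI options; uses ``verbose``, ``clients`` (a
            comma-separated string, may be empty/None), ``name``, ``env``,
            ``outdir`` and ``force``.

    With ``force`` set, the existing CA record is deleted from the store
    before a new one is generated.  That discards the CA private key, so
    every certificate previously issued by it stops chaining to the new
    CA; the clients listed here are re-issued because ``force`` is passed
    on to gen_client_certs, anything else must be re-issued by hand.
    """
    ezConfig = load_configuration("config")
    setup_logging(config.verbose, ezConfig)

    # Tolerate a missing client list; empty entries ("a,,b") are dropped
    # downstream by gen_client_certs.
    clients = config.clients.split(',') if config.clients else []

    # initialize the daos
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        logger.warning("Deleting CA %s and generating a new one; certificates "
                       "it previously issued will no longer validate",
                       config.name)
        store.delete(config.name)

    try:
        # Try to get it first, to see if it already exists
        ca = EzbakeCA.get_named(config.name)
        logger.info("CA %s not regenerated because it already exists", config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()

    gen_client_certs(ca, clients, directory=config.outdir, force=config.force)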
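def init(config):
    """Load or create the CA named ``config.name`` and issue client certs.

    Args:
        config: parsed CLI options; uses ``verbose``, ``clients`` (a
            comma-separated string, may be empty/None), ``name``, ``env``,
            ``outdir`` and ``force``.

    With ``force`` set, the existing CA record is deleted from the store
    before a new one is generated.  That discards the CA private key, so
    every certificate previously issued by it stops chaining to the new
    CA; the clients listed here are re-issued because ``force`` is passed
    on to gen_client_certs, anything else must be re-issued by hand.
    """
    ezConfig = load_configuration("config")
    setup_logging(config.verbose, ezConfig)

    # Tolerate a missing client list; empty entries ("a,,b") are dropped
    # downstream by gen_client_certs.
    clients = config.clients.split(',') if config.clients else []

    # initialize the daos
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        logger.warning("Deleting CA %s and generating a new one; certificates "
                       "it previously issued will no longer validate",
                       config.name)
        store.delete(config.name)

    try:
        # Try to get it first, to see if it already exists
        ca = EzbakeCA.get_named(config.name)
        logger.info("CA %s not regenerated because it already exists", config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()

    gen_client_certs(ca, clients, directory=config.outdir, force=config.force)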
 def test_csr(self):
     """csr() on a fresh Cert yields a pyOpenSSL X509Req object."""
     request = Cert("Test2").csr()
     nt.assert_is_instance(request, OpenSSL.crypto.X509Req)
 def test_generates_pk(self):
     """Constructing a Cert by name alone populates private_key."""
     nt.assert_is_not_none(Cert("Test").private_key)
 def test_save_get_simple(self):
     """A saved Cert can be fetched back by its name."""
     name = "TestCert"
     Cert(name).save()
     fetched = Cert.get_named(name)
     nt.assert_equal(name, fetched.name)
 def setUp(self):
     """Back Cert with a throwaway in-memory store for each test."""
     Cert.setup(store=MemoryPersist())