def genPrivateCaKey(password, d, verbosity=0, forceYN=0): """ private CA key generation """ gendir(d['--dir']) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) if not forceYN and os.path.exists(ca_key): sys.stderr.write("""\ ERROR: a CA private key already exists: %s If you wish to generate a new one, use the --force option. """ % ca_key) sys.exit(errnoGeneralError) args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 2048" % ('%s', CRYPTO, repr(cleanupAbsPath(ca_key)))) if verbosity >= 0: print "Generating private CA key: %s" % ca_key if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_key, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenPrivateCaKeyException("Certificate Authority private SSL " "key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(ca_key, 0600)
def figureSerial(caCertFilename, serialFilename, indexFilename): """ for our purposes we allow the same serial number for server certs BUT WE DO NOT ALLOW server certs and CA certs to share the same serial number. We blow away the index.txt file each time because we are less concerned with matching serials/signatures between server.crt's. """ # what serial # is the ca cert using (we need to increment from that) ret, outstream, errstream = rhn_popen([ '/usr/bin/openssl', 'x509', '-noout', '-serial', '-in', caCertFilename ]) out = outstream.read() outstream.close() errstream.read() errstream.close() assert not ret caSerial = string.split(string.strip(out), '=') assert len(caSerial) > 1 caSerial = caSerial[1] caSerial = eval('0x' + caSerial) # initialize the serial value (starting at whatever is in # serialFilename or 1) serial = 1 if os.path.exists(serialFilename): serial = string.strip(open(serialFilename, 'r').read()) if serial: serial = eval('0x' + serial) else: serial = 1 # make sure it is at least 1 more than the CA's serial code always # REMEMBER: openssl will incremented the serial number each time # as well. if serial <= caSerial: serial = incSerial(hex(caSerial)) serial = eval('0x' + serial) serial = fixSerial(hex(serial)) # create the serial file if it doesn't exist # write the digits to this file open(serialFilename, 'w').write(serial + '\n') os.chmod(serialFilename, 0600) # truncate the index.txt file. Less likely to have unneccessary clashes. open(indexFilename, 'w') os.chmod(indexFilename, 0600) return serial
def figureSerial(caCertFilename, serialFilename, indexFilename): """ for our purposes we allow the same serial number for server certs BUT WE DO NOT ALLOW server certs and CA certs to share the same serial number. We blow away the index.txt file each time because we are less concerned with matching serials/signatures between server.crt's. """ # what serial # is the ca cert using (we need to increment from that) ret, outstream, errstream = rhn_popen(['/usr/bin/openssl', 'x509', '-noout', '-serial', '-in', caCertFilename]) out = outstream.read() outstream.close() errstream.read() errstream.close() assert not ret caSerial = string.split(string.strip(out), '=') assert len(caSerial) > 1 caSerial = caSerial[1] caSerial = eval('0x'+caSerial) # initialize the serial value (starting at whatever is in # serialFilename or 1) serial = 1 if os.path.exists(serialFilename): serial = string.strip(open(serialFilename, 'r').read()) if serial: serial = eval('0x'+serial) else: serial = 1 # make sure it is at least 1 more than the CA's serial code always # REMEMBER: openssl will incremented the serial number each time # as well. if serial <= caSerial: serial = incSerial(hex(caSerial)) serial = eval('0x' + serial) serial = fixSerial(hex(serial)) # create the serial file if it doesn't exist # write the digits to this file open(serialFilename, 'w').write(serial+'\n') os.chmod(serialFilename, 0600) # truncate the index.txt file. Less likely to have unneccessary clashes. open(indexFilename, 'w') os.chmod(indexFilename, 0600) return serial
def genPrivateCaKey(password, d, verbosity=0, forceYN=0): """ private CA key generation """ gendir(d['--dir']) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) if not forceYN and os.path.exists(ca_key): sys.stderr.write("""\ ERROR: a CA private key already exists: %s If you wish to generate a new one, use the --force option. """ % ca_key) sys.exit(errnoGeneralError) args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 2048" % ('%s', CRYPTO, repr(cleanupAbsPath(ca_key)))) if verbosity >= 0: print "Generating private CA key: %s" % ca_key if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_key, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenPrivateCaKeyException("Certificate Authority private SSL " "key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(ca_key, 0600)
def genServerKey(d, verbosity=0): """ private server key generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) gendir(serverKeyPairDir) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) args = ("/usr/bin/openssl genrsa -out %s 2048" % (repr(cleanupAbsPath(server_key)))) # generate the server key if verbosity >= 0: print "\nGenerating the web server's SSL private key: %s" % server_key if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_key, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenServerKeyException( "web server's SSL key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_key, 0600)
def genServerKey(d, verbosity=0): """ private server key generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) gendir(serverKeyPairDir) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) args = ("/usr/bin/openssl genrsa -out %s 2048" % (repr(cleanupAbsPath(server_key)))) # generate the server key if verbosity >= 0: print "\nGenerating the web server's SSL private key: %s" % server_key if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_key, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-key'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenServerKeyException("web server's SSL key generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_key, 0600)
def genCaRpm(d, verbosity=0): """ generates ssl cert RPM. """ ca_cert_path = d['--ca-cert-dir'] ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_cert_rpm_name = os.path.basename(d['--ca-cert-rpm']) ca_cert_rpm = os.path.join(d['--dir'], ca_cert_rpm_name) genCaRpm_dependencies(d) if verbosity >= 0: sys.stderr.write("\n...working...") # Work out the release number. hdr = getInstalledHeader(ca_cert_rpm) #find RPMs in the directory filenames = glob.glob("%s-*.noarch.rpm" % ca_cert_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h ver, rel = '1.0', '0' if hdr is not None: ver, rel = hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel) + 1) # build the CA certificate RPM args = [ 'katello-certs-gen-rpm', "--name %s", "--version %s", "--release %s", "--packager %s", "--vendor %s", "--group 'Applications/System'", "--summary %s", "--description %s", os.path.join(ca_cert_path, "%s=%s") ] args = " ".join(args) args = args % ((repr(ca_cert_rpm_name), ver, rel, repr( d['--rpm-packager']), repr(d['--rpm-vendor']), repr(CA_CERT_RPM_SUMMARY), repr(CA_CERT_RPM_SUMMARY), repr(ca_cert_name), repr(cleanupAbsPath(ca_cert)))) clientRpmName = '%s-%s-%s' % (ca_cert_rpm, ver, rel) if verbosity >= 0: print """ Generating CA public certificate RPM: %s.src.rpm %s.noarch.rpm""" % (clientRpmName, clientRpmName) if verbosity > 1: print "Commandline:", args _disableRpmMacros() cwd = chdir(d['--dir']) try: ret, out_stream, err_stream = rhn_popen(args) except Exception: chdir(cwd) _reenableRpmMacros() raise chdir(cwd) _reenableRpmMacros() out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % clientRpmName): raise GenCaCertRpmException("CA public SSL certificate RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % clientRpmName, 0644) # write-out latest.txt information latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.write('%s.noarch.rpm\n' % os.path.basename(clientRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(clientRpmName)) fo.close() os.chmod(latest_txt, 0644) if verbosity >= 0: print """ Make the public CA certficate publically available: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM and raw CA certificate can be made publically accessible by copying it to the /var/www/html/pub directory of your Katello server.""" return '%s.noarch.rpm' % clientRpmName
def genServerCert(password, d, verbosity=0): """ server cert generation and signing """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) genServerCert_dependencies(password, d) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_cert = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert'])) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) index_txt = os.path.join(d['--dir'], 'index.txt') serial = os.path.join(d['--dir'], 'serial') purpose = d['--purpose'] try: os.unlink(index_txt) except: pass # figure out the serial file and truncate the index.txt file. ser = figureSerial(ca_cert, serial, index_txt) # need to insure the directory declared in the ca_openssl.cnf # file is current: configFile = ConfigFile(ca_openssl_cnf) configFile.updateDir() args = ( "/usr/bin/openssl ca -extensions req_%s_x509_extensions -passin pass:%s -outdir ./ -config %s " "-in %s -batch -cert %s -keyfile %s -startdate %s -days %s " "-md %s -out %s" % (purpose, '%s', repr(cleanupAbsPath(ca_openssl_cnf)), repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)), repr(cleanupAbsPath(ca_key)), d['--startdate'], repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert)))) if verbosity >= 0: print "\nGenerating/signing web server's SSL certificate: %s" % d[ '--server-cert'] if verbosity > 1: print "Commandline:", args % 'PASSWORD' try: rotated = rotateFile(filepath=server_cert, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: # signature for a mistyped CA password if string.find(err, "unable to load CA private key") != -1 \ and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \ and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\nDid you mistype your CA password?") else: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert, 0644) # cleanup duplicate XX.pem file: pemFilename = os.path.basename(string.upper(ser) + '.pem') if pemFilename != server_cert and os.path.exists(pemFilename): os.unlink(pemFilename) # cleanup the old index.txt file try: os.unlink(index_txt + '.old') except: pass # cleanup the old serial file try: os.unlink(serial + '.old') except: pass
def genServerCertReq(d, verbosity=0): """ private server cert request generation """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_openssl_cnf = os.path.join(serverKeyPairDir, SERVER_OPENSSL_CNF_NAME) genServerCertReq_dependencies(d) # XXX: hmm.. should private_key, etc. be set for this before the write? # either that you pull the key/certs from the files all together? configFile = ConfigFile(server_openssl_cnf) configFile.save(d, caYN=0, verbosity=verbosity) ## generate the server cert request args = ("/usr/bin/openssl req -%s -text -config %s -new -key %s -out %s " % (MD, repr(cleanupAbsPath( configFile.filename)), repr(cleanupAbsPath(server_key)), repr(cleanupAbsPath(server_cert_req)))) if verbosity >= 0: print "\nGenerating web server's SSL certificate request: %s" % server_cert_req print "Using distinguished names:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-hostname', '--set-email'): print ' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]) if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_cert_req, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert-req'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenServerCertReqException( "web server's SSL certificate request generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert_req, 0600)
def genPublicCaCert(password, d, verbosity=0, forceYN=0): """ public CA certificate (client-side) generation """ ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) genPublicCaCert_dependencies(password, d, forceYN) configFile = ConfigFile(ca_openssl_cnf) if d.has_key('--set-hostname'): del d['--set-hostname'] configFile.save(d, caYN=1, verbosity=verbosity) args = ("/usr/bin/openssl req -passin pass:%s -text -config %s " "-new -x509 -days %s -%s -key %s -out %s" % ('%s', repr(cleanupAbsPath(configFile.filename)), repr(d['--cert-expiration']), MD, repr( cleanupAbsPath(ca_key)), repr(cleanupAbsPath(ca_cert)))) if verbosity >= 0: print "\nGenerating public CA certificate: %s" % ca_cert print "Using distinguishing variables:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-common-name', '--set-email'): print ' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]) if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_cert, verbosity=verbosity) if verbosity >= 0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret: raise GenPublicCaCertException( "Certificate Authority public " "SSL certificate generation failed:\n%s\n" "%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.close() # permissions: os.chmod(ca_cert, 0644) os.chmod(latest_txt, 0644)
def genProxyServerTarball(d, version='1.0', release='1', verbosity=0): """ generates the RHN Proxy Server's tar archive containing its SSL key set + CA certificate """ genProxyServerTarball_dependencies(d) tarballFilepath = getTarballFilename(d, version, release)[1] tarballFilepath = pathJoin(d['--dir'], tarballFilepath) machinename = getMachineName(d['--set-hostname']) ca_cert = os.path.basename(d['--ca-cert']) server_key = pathJoin(machinename, d['--server-key']) server_cert = pathJoin(machinename, d['--server-cert']) server_cert_req = pathJoin(machinename, d['--server-cert-req']) jabberd_ssl_cert = os.path.join(machinename, d['--jabberd-ssl-cert']) ## build the server tarball args = '/bin/tar -cvf %s %s %s %s %s %s' \ % (repr(os.path.basename(tarballFilepath)), repr(ca_cert), repr(server_key), repr(server_cert), repr(server_cert_req), repr(jabberd_ssl_cert)) serverKeySetDir = pathJoin(d['--dir'], machinename) tarballFilepath2 = pathJoin(serverKeySetDir, tarballFilepath) if verbosity >= 0: print """ The most current RHN Proxy Server installation process against RHN hosted requires the upload of an SSL tar archive that contains the CA SSL public certificate and the web server's key set. Generating the web server's SSL key set and CA SSL public certificate archive: %s""" % tarballFilepath2 cwd = chdir(d['--dir']) try: if verbosity > 1: print "Current working directory:", os.getcwd() print "Commandline:", args ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret or not os.path.exists(tarballFilepath): raise GenServerTarException( "CA SSL public certificate & web server's SSL key set tar archive\n" "generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # root baby! os.chmod(tarballFilepath, 0600) # copy tarball into machine build dir shutil.copy2(tarballFilepath, tarballFilepath2) os.unlink(tarballFilepath) if verbosity > 1: print """\ Moved to final home: %s ...moved to... %s""" % (tarballFilepath, tarballFilepath2) return tarballFilepath2
def genCaRpm(d, verbosity=0): """ generates ssl cert RPM. """ ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_cert_rpm_name = os.path.basename(d['--ca-cert-rpm']) ca_cert_rpm = os.path.join(d['--dir'], ca_cert_rpm_name) genCaRpm_dependencies(d) if verbosity>=0: sys.stderr.write("\n...working...") # Work out the release number. hdr = getInstalledHeader(ca_cert_rpm) #find RPMs in the directory filenames = glob.glob("%s-*.noarch.rpm" % ca_cert_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h epo, ver, rel = None, '1.0', '0' if hdr is not None: epo, ver, rel = hdr['epoch'], hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel)+1) # build the CA certificate RPM args = (os.path.join(CERT_PATH, 'gen-rpm.sh') + " " "--name %s --version %s --release %s --packager %s --vendor %s " "--group 'Applications/System' --summary %s --description %s " "/usr/share/katello/%s=%s" % (repr(ca_cert_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(CA_CERT_RPM_SUMMARY), repr(CA_CERT_RPM_SUMMARY), repr(ca_cert_name), repr(cleanupAbsPath(ca_cert)))) clientRpmName = '%s-%s-%s' % (ca_cert_rpm, ver, rel) if verbosity >= 0: print """ Generating CA public certificate RPM: %s.src.rpm %s.noarch.rpm""" % (clientRpmName, clientRpmName) if verbosity > 1: print "Commandline:", args _disableRpmMacros() cwd = chdir(d['--dir']) try: ret, out_stream, err_stream = rhn_popen(args) except Exception: chdir(cwd) _reenableRpmMacros() raise chdir(cwd) _reenableRpmMacros() out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % clientRpmName): raise GenCaCertRpmException("CA public SSL certificate RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % clientRpmName, 0644) # write-out latest.txt information latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.write('%s.noarch.rpm\n' % os.path.basename(clientRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(clientRpmName)) fo.close() os.chmod(latest_txt, 0644) if verbosity >= 0: print """ Make the public CA certficate publically available: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM and raw CA certificate can be made publically accessible by copying it to the /var/www/html/pub directory of your Katello server.""" return '%s.noarch.rpm' % clientRpmName
def genServerCert(password, d, verbosity=0): """ server cert generation and signing """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) genServerCert_dependencies(password, d) ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_cert = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert'])) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) index_txt = os.path.join(d['--dir'], 'index.txt') serial = os.path.join(d['--dir'], 'serial') try: os.unlink(index_txt) except: pass # figure out the serial file and truncate the index.txt file. ser = figureSerial(ca_cert, serial, index_txt) # need to insure the directory declared in the ca_openssl.cnf # file is current: configFile = ConfigFile(ca_openssl_cnf) configFile.updateDir() args = ("/usr/bin/openssl ca -extensions req_server_x509_extensions -passin pass:%s -outdir ./ -config %s " "-in %s -batch -cert %s -keyfile %s -startdate %s -days %s " "-md %s -out %s" % ('%s', repr(cleanupAbsPath(ca_openssl_cnf)), repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)), repr(cleanupAbsPath(ca_key)), d['--startdate'], repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert)))) if verbosity >= 0: print "\nGenerating/signing web server's SSL certificate: %s" % d['--server-cert'] if verbosity > 1: print "Commandline:", args % 'PASSWORD' try: rotated = rotateFile(filepath=server_cert, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: # signature for a mistyped CA password if string.find(err, "unable to load CA private key") != -1 \ and string.find(err, "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c") != -1 \ and string.find(err, "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c") != -1: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\nDid you mistype your CA password?") else: raise GenServerCertException( "web server's SSL certificate generation/signing " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert, 0644) # cleanup duplicate XX.pem file: pemFilename = os.path.basename(string.upper(ser)+'.pem') if pemFilename != server_cert and os.path.exists(pemFilename): os.unlink(pemFilename) # cleanup the old index.txt file try: os.unlink(index_txt + '.old') except: pass # cleanup the old serial file try: os.unlink(serial + '.old') except: pass
def genServerCertReq(d, verbosity=0): """ private server cert request generation """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key = os.path.join(serverKeyPairDir, os.path.basename(d['--server-key'])) server_cert_req = os.path.join(serverKeyPairDir, os.path.basename(d['--server-cert-req'])) server_openssl_cnf = os.path.join(serverKeyPairDir, SERVER_OPENSSL_CNF_NAME) genServerCertReq_dependencies(d) # XXX: hmm.. should private_key, etc. be set for this before the write? # either that you pull the key/certs from the files all together? configFile = ConfigFile(server_openssl_cnf) if d.has_key('--set-common-name'): del d['--set-common-name'] configFile.save(d, caYN=0, verbosity=verbosity) ## generate the server cert request args = ("/usr/bin/openssl req -%s -text -config %s -new -key %s -out %s " % (MD, repr(cleanupAbsPath(configFile.filename)), repr(cleanupAbsPath(server_key)), repr(cleanupAbsPath(server_cert_req)))) if verbosity >= 0: print "\nGenerating web server's SSL certificate request: %s" % server_cert_req print "Using distinguished names:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-hostname', '--set-email'): print ' %s%s = "%s"' % (k, ' '*(18-len(k)), d[k]) if verbosity > 1: print "Commandline:", args try: rotated = rotateFile(filepath=server_cert_req, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" % (d['--server-cert-req'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenServerCertReqException( "web server's SSL certificate request generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # permissions: os.chmod(server_cert_req, 0600)
def genPublicCaCert(password, d, verbosity=0, forceYN=0): """ public CA certificate (client-side) generation """ ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key'])) ca_cert_name = os.path.basename(d['--ca-cert']) ca_cert = os.path.join(d['--dir'], ca_cert_name) ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME) genPublicCaCert_dependencies(password, d, forceYN) configFile = ConfigFile(ca_openssl_cnf) if d.has_key('--set-hostname'): del d['--set-hostname'] configFile.save(d, caYN=1, verbosity=verbosity) args = ("/usr/bin/openssl req -passin pass:%s -text -config %s " "-new -x509 -days %s -%s -key %s -out %s" % ('%s', repr(cleanupAbsPath(configFile.filename)), repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(ca_key)), repr(cleanupAbsPath(ca_cert)))) if verbosity >= 0: print "\nGenerating public CA certificate: %s" % ca_cert print "Using distinguishing variables:" for k in ('--set-country', '--set-state', '--set-city', '--set-org', '--set-org-unit', '--set-common-name', '--set-email'): print ' %s%s = "%s"' % (k, ' '*(18-len(k)), d[k]) if verbosity > 1: print "Commandline:", args % "PASSWORD" try: rotated = rotateFile(filepath=ca_cert, verbosity=verbosity) if verbosity>=0 and rotated: print "Rotated: %s --> %s" \ % (d['--ca-cert'], os.path.basename(rotated)) except ValueError: pass cwd = chdir(_getWorkDir()) try: ret, out_stream, err_stream = rhn_popen(args % repr(password)) finally: chdir(cwd) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret: raise GenPublicCaCertException("Certificate Authority public " "SSL certificate generation failed:\n%s\n" "%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err latest_txt = os.path.join(d['--dir'], 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s\n' % ca_cert_name) fo.close() # permissions: os.chmod(ca_cert, 0644) os.chmod(latest_txt, 0644)
def genProxyServerTarball(d, version='1.0', release='1', verbosity=0): """ generates the RHN Proxy Server's tar archive containing its SSL key set + CA certificate """ genProxyServerTarball_dependencies(d) tarballFilepath = getTarballFilename(d, version, release)[1] tarballFilepath = pathJoin(d['--dir'], tarballFilepath) machinename = d['--set-hostname'] ca_cert = os.path.basename(d['--ca-cert']) server_key = pathJoin(machinename, d['--server-key']) server_cert = pathJoin(machinename, d['--server-cert']) server_cert_req = pathJoin(machinename, d['--server-cert-req']) ## build the server tarball args = '/bin/tar -cvf %s %s %s %s %s' \ % (repr(os.path.basename(tarballFilepath)), repr(ca_cert), repr(server_key), repr(server_cert), repr(server_cert_req)) serverKeySetDir = pathJoin(d['--dir'], machinename) tarballFilepath2 = pathJoin(serverKeySetDir, tarballFilepath) if verbosity >= 0: print """ The most current RHN Proxy Server installation process against RHN hosted requires the upload of an SSL tar archive that contains the CA SSL public certificate and the web server's key set. Generating the web server's SSL key set and CA SSL public certificate archive: %s""" % tarballFilepath2 cwd = chdir(d['--dir']) try: if verbosity > 1: print "Current working directory:", os.getcwd() print "Commandline:", args ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret or not os.path.exists(tarballFilepath): raise GenServerTarException( "CA SSL public certificate & web server's SSL key set tar archive\n" "generation failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err # root baby! os.chmod(tarballFilepath, 0600) # copy tarball into machine build dir shutil.copy2(tarballFilepath, tarballFilepath2) os.unlink(tarballFilepath) if verbosity > 1: print """\ Moved to final home: %s ...moved to... %s""" % (tarballFilepath, tarballFilepath2) return tarballFilepath2
def genServerRpm(d, verbosity=0): """ generates server's SSL key set RPM """ serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname']) server_key_name = os.path.basename(d['--server-key']) server_key = os.path.join(serverKeyPairDir, server_key_name) server_cert_name = os.path.basename(d['--server-cert']) server_cert = os.path.join(serverKeyPairDir, server_cert_name) server_cert_req_name = os.path.basename(d['--server-cert-req']) server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) server_rpm_name = os.path.basename(d['--server-rpm']) server_rpm = os.path.join(serverKeyPairDir, server_rpm_name) server_cert_dir = d['--server-cert-dir'] postun_scriptlet = os.path.join(d['--dir'], 'postun.scriptlet') genServerRpm_dependencies(d) if verbosity >= 0: sys.stderr.write("\n...working...\n") # check for new installed RPM. # Work out the release number. hdr = getInstalledHeader(server_rpm_name) #find RPMs in the directory as well. filenames = glob.glob("%s-*.noarch.rpm" % server_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h ver, rel = '1.0', '0' if hdr is not None: ver, rel = hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel) + 1) description = SERVER_RPM_SUMMARY + """ Best practices suggests that this RPM should only be installed on the web server with this hostname: %s """ % d['--set-hostname'] ## build the server RPM args = [ 'katello-certs-gen-rpm', "--name %s --version %s --release %s --packager %s --vendor %s ", "--group 'Applications/System' --summary %s --description %s --postun %s ", server_cert_dir + "/private/%s:0600=%s ", server_cert_dir + "/certs/%s=%s ", server_cert_dir + "/certs/%s=%s " ] args = " ".join(args) args = args % (repr(server_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(SERVER_RPM_SUMMARY), repr(description), repr(cleanupAbsPath(postun_scriptlet)), repr(server_key_name), repr( cleanupAbsPath(server_key)), repr(server_cert_req_name), repr(cleanupAbsPath(server_cert_req)), repr(server_cert_name), repr(cleanupAbsPath(server_cert))) serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel) if verbosity >= 0: print """ Generating web server's SSL key pair/set RPM: %s.src.rpm %s.noarch.rpm""" % (serverRpmName, serverRpmName) if verbosity > 1: print "Commandline:", args if verbosity >= 4: print 'Current working directory:', os.getcwd() print "Writing postun_scriptlet:", postun_scriptlet open(postun_scriptlet, 'w').write(POST_UNINSTALL_SCRIPT) _disableRpmMacros() cwd = chdir(serverKeyPairDir) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) _reenableRpmMacros() os.unlink(postun_scriptlet) out = out_stream.read() out_stream.close() err = err_stream.read() err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName): raise GenServerRpmException("web server's SSL key set RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % serverRpmName, 0600) # generic the tarball necessary for RHN Proxy against hosted installations tarballFilepath = genProxyServerTarball(d, version=ver, release=rel, verbosity=verbosity) # write-out latest.txt information latest_txt = os.path.join(serverKeyPairDir, 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s.noarch.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s\n' % os.path.basename(tarballFilepath)) fo.close() os.chmod(latest_txt, 0600) if verbosity >= 0: print """ Deploy the server's SSL key pair/set RPM: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM needs to be deployed to the machine working as a web server, or RHN Satellite, or RHN Proxy. Presumably %s.""" % repr(d['--set-hostname']) return "%s.noarch.rpm" % serverRpmName
def genServerRpm(d, verbosity=0): """ generates server's SSL key set RPM """ serverKeyPairDir = os.path.join(d['--dir'], getMachineName(d['--set-hostname'])) server_key_name = os.path.basename(d['--server-key']) server_key = os.path.join(serverKeyPairDir, server_key_name) server_cert_name = os.path.basename(d['--server-cert']) server_cert = os.path.join(serverKeyPairDir, server_cert_name) server_cert_req_name = os.path.basename(d['--server-cert-req']) server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name) jabberd_ssl_cert_name = os.path.basename(d['--jabberd-ssl-cert']) jabberd_ssl_cert = os.path.join(serverKeyPairDir, jabberd_ssl_cert_name ) server_rpm_name = os.path.basename(d['--server-rpm']) server_rpm = os.path.join(serverKeyPairDir, server_rpm_name) postun_scriptlet = os.path.join(d['--dir'], 'postun.scriptlet') genServerRpm_dependencies(d) if verbosity>=0: sys.stderr.write("\n...working...\n") # check for new installed RPM. # Work out the release number. hdr = getInstalledHeader(server_rpm_name) #find RPMs in the directory as well. filenames = glob.glob("%s-*.noarch.rpm" % server_rpm) if filenames: filename = sortRPMs(filenames)[-1] h = get_package_header(filename) if hdr is None: hdr = h else: comp = hdrLabelCompare(h, hdr) if comp > 0: hdr = h epo, ver, rel = None, '1.0', '0' if hdr is not None: epo, ver, rel = hdr['epoch'], hdr['version'], hdr['release'] # bump the release - and let's not be too smart about it # assume the release is a number. if rel: rel = str(int(rel)+1) description = SERVER_RPM_SUMMARY + """ Best practices suggests that this RPM should only be installed on the web server with this hostname: %s """ % d['--set-hostname'] # Determine which jabberd user exists: jabberd_user = None possible_jabberd_users = ['jabberd', 'jabber'] for juser_attempt in possible_jabberd_users: try: pwd.getpwnam(juser_attempt) jabberd_user = juser_attempt except: # user doesn't exist, try the next pass if jabberd_user is None: print ("WARNING: No jabber/jabberd user on system, skipping " + "jabberd.pem generation.") jabberd_cert_string = "" if jabberd_user is not None: jabberd_cert_string = \ "/etc/pki/spacewalk/jabberd/server.pem:0600,%s,%s=%s" % \ (jabberd_user, jabberd_user, repr(cleanupAbsPath(jabberd_ssl_cert))) ## build the server RPM args = (os.path.join(CERT_PATH, 'gen-rpm.sh') + " " "--name %s --version %s --release %s --packager %s --vendor %s " "--group 'Applications/System' --summary %s --description %s --postun %s " "/etc/pki/tls/private/%s:0600=%s " "/etc/pki/tls/certs/%s=%s " "/etc/pki/tls/certs/%s=%s " "%s" % (repr(server_rpm_name), ver, rel, repr(d['--rpm-packager']), repr(d['--rpm-vendor']), repr(SERVER_RPM_SUMMARY), repr(description), repr(cleanupAbsPath(postun_scriptlet)), repr(server_key_name), repr(cleanupAbsPath(server_key)), repr(server_cert_req_name), repr(cleanupAbsPath(server_cert_req)), repr(server_cert_name), repr(cleanupAbsPath(server_cert)), jabberd_cert_string )) serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel) if verbosity >= 0: print """ Generating web server's SSL key pair/set RPM: %s.src.rpm %s.noarch.rpm""" % (serverRpmName, serverRpmName) if verbosity > 1: print "Commandline:", args if verbosity >= 4: print 'Current working directory:', os.getcwd() print "Writing postun_scriptlet:", postun_scriptlet open(postun_scriptlet, 'w').write(POST_UNINSTALL_SCRIPT) _disableRpmMacros() cwd = chdir(serverKeyPairDir) try: ret, out_stream, err_stream = rhn_popen(args) finally: chdir(cwd) _reenableRpmMacros() os.unlink(postun_scriptlet) out = out_stream.read(); out_stream.close() err = err_stream.read(); err_stream.close() if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName): raise GenServerRpmException("web server's SSL key set RPM generation " "failed:\n%s\n%s" % (out, err)) if verbosity > 2: if out: print "STDOUT:", out if err: print "STDERR:", err os.chmod('%s.noarch.rpm' % serverRpmName, 0600) # generic the tarball necessary for RHN Proxy against hosted installations tarballFilepath = genProxyServerTarball(d, version=ver, release=rel, verbosity=verbosity) # write-out latest.txt information latest_txt = os.path.join(serverKeyPairDir, 'latest.txt') fo = open(latest_txt, 'wb') fo.write('%s.noarch.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s.src.rpm\n' % os.path.basename(serverRpmName)) fo.write('%s\n' % os.path.basename(tarballFilepath)) fo.close() os.chmod(latest_txt, 0600) if verbosity >= 0: print """ Deploy the server's SSL key pair/set RPM: (NOTE: the Katello installer may do this step for you.) The "noarch" RPM needs to be deployed to the machine working as a web server, or RHN Satellite, or RHN Proxy. Presumably %s.""" % repr(d['--set-hostname']) return "%s.noarch.rpm" % serverRpmName