Esempio n. 1
0
    def __init__(self, options):
        """
        contructor for OpenSIPS-Cli
        """

        self.debug = options.debug
        self.execute = options.execute
        self.command = options.command
        self.modules_dir_inserted = None

        if self.debug:
            logger.setLevel("DEBUG")

        if not options.config:
            cfg_file = None
            for f in defaults.CFG_PATHS:
                if os.path.isfile(f) and os.access(f, os.R_OK):
                    # found a valid config file
                    cfg_file = f
                    break
        else:
            cfg_file = options.config
        if not cfg_file:
            logger.debug("no config file found in any of {}".format(", ".join(
                defaults.CFG_PATHS)))
        else:
            logger.debug("using config file {}".format(cfg_file))

        # __init__ of the configuration file
        cfg.parse(cfg_file)
        if not cfg.has_instance(options.instance):
            logger.warning(
                "Unknown instance '{}'! Using default instance '{}'!".format(
                    options.instance, defaults.DEFAULT_SECTION))
            instance = defaults.DEFAULT_SECTION
        else:
            instance = options.instance
        cfg.set_instance(instance)
        cfg.set_custom_options(options.extra_options)

        if not self.execute:
            # __init__ of cmd.Cmd module
            cmd.Cmd.__init__(self)

        # Opening the current working instance
        self.update_instance(cfg.current_instance)
Esempio n. 2
0
    def do_rootCA(self, params):
        global cfg
        logger.info("Preparing to generate CA cert + key...")

        # TODO
        # separate cli.cfg files for TLS are fully deprecated, this if block is
        # only kept for backwards-compatibility.  Remove starting from v3.2! <3
        if cfg.exists('tls_ca_config'):
            tls_cfg = cfg.get('tls_ca_config')
            cfg = OpenSIPSCLIConfig()
            cfg.parse(tls_cfg)

        ca_dir = cfg.read_param("tls_ca_dir", "Output directory",
                                "/etc/opensips/tls/rootCA/")
        cert_file = cfg.read_param("tls_ca_cert_file", "Output cert file",
                                   "cacert.pem")
        key_file = cfg.read_param("tls_ca_key_file", "Output key file",
                                  "private/cakey.pem")
        c_f = join(ca_dir, cert_file)
        k_f = join(ca_dir, key_file)

        if (exists(c_f) or exists(k_f)) and not cfg.read_param(
                "tls_ca_overwrite",
                "CA certificate or key already exists, overwrite?", "yes",
                True):
            return

        # create a self-signed cert
        cert = crypto.X509()

        cert.get_subject().CN = cfg.read_param("tls_ca_common_name",
                                               "Website address (CN)",
                                               "opensips.org")
        cert.get_subject().C = cfg.read_param("tls_ca_country", "Country (C)",
                                              "RO")
        cert.get_subject().ST = cfg.read_param("tls_ca_state", "State (ST)",
                                               "Bucharest")
        cert.get_subject().L = cfg.read_param("tls_ca_locality",
                                              "Locality (L)", "Bucharest")
        cert.get_subject().O = cfg.read_param("tls_ca_organisation",
                                              "Organization (O)", "OpenSIPS")
        cert.get_subject().OU = cfg.read_param("tls_ca_organisational_unit",
                                               "Organisational Unit (OU)",
                                               "Project")
        cert.set_serial_number(randrange(100000))
        cert.gmtime_adj_notBefore(0)
        notafter = int(
            cfg.read_param("tls_ca_notafter", "Certificate validity (seconds)",
                           315360000))
        cert.gmtime_adj_notAfter(notafter)
        cert.set_issuer(cert.get_subject())

        # create a key pair
        key = crypto.PKey()
        key_size = int(
            cfg.read_param("tls_ca_key_size", "RSA key size (bits)", 4096))
        key.generate_key(crypto.TYPE_RSA, key_size)

        cert.set_pubkey(key)
        md = cfg.read_param("tls_ca_md", "Digest Algorithm", "SHA1")
        cert.sign(key, md)

        try:
            if not exists(dirname(c_f)):
                makedirs(dirname(c_f))
            open(c_f, "wt").write(
                crypto.dump_certificate(crypto.FILETYPE_PEM,
                                        cert).decode('utf-8'))
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to write to %s", c_f)
            return

        try:
            if not exists(dirname(k_f)):
                makedirs(dirname(k_f))
            open(k_f, "wt").write(
                crypto.dump_privatekey(crypto.FILETYPE_PEM,
                                       key).decode('utf-8'))
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to write to %s", k_f)
            return

        logger.info("CA certificate created in " + c_f)
        logger.info("CA private key created in " + k_f)
Esempio n. 3
0
    def do_userCERT(self, params):
        global cfg
        logger.info("Preparing to generate user cert + key + CA list...")

        # TODO
        # separate cli.cfg files for TLS are fully deprecated, this if block is
        # only kept for backwards-compatibility.  Remove starting from v3.2! <3
        if cfg.exists('tls_user_config'):
            tls_cfg = cfg.get('tls_user_config')
            cfg = OpenSIPSCLIConfig()
            cfg.parse(tls_cfg)

        user_dir = cfg.read_param("tls_user_dir", "Output directory", "/etc/opensips/tls/user/")
        cert_file = cfg.read_param("tls_user_cert_file", "Output cert file", "user-cert.pem")
        key_file = cfg.read_param("tls_user_key_file", "Output key file", "user-privkey.pem")
        calist_file = cfg.read_param("tls_user_calist_file", "Output CA list file", "user-calist.pem")

        c_f = join(user_dir, cert_file)
        k_f = join(user_dir, key_file)
        ca_f = join(user_dir, calist_file)

        if (exists(c_f) or exists(k_f) or exists(ca_f)) and not cfg.read_param("tls_user_overwrite",
                "User certificate, key or CA list file already exists, overwrite?", "yes", True):
            return

        cacert = cfg.read_param("tls_user_cacert", "CA cert file", "/etc/opensips/tls/rootCA/cacert.pem")
        cakey = cfg.read_param("tls_user_cakey", "CA key file", "/etc/opensips/tls/rootCA/private/cakey.pem")

        try:
            ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert, 'rt').read())
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to load %s", cacert)
            return

        try:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(cakey, 'rt').read())
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to load %s", cakey)
            return

        # create a self-signed cert
        cert = crypto.X509()

        cert.set_version(2)
        cert.get_subject().CN = cfg.read_param("tls_user_common_name", "Website address (CN)", "www.opensips.org")
        cert.get_subject().C = cfg.read_param("tls_user_country", "Country (C)", "RO")
        cert.get_subject().ST = cfg.read_param("tls_user_state", "State (ST)", "Bucharest")
        cert.get_subject().L = cfg.read_param("tls_user_locality", "Locality (L)", "Bucharest")
        cert.get_subject().O = cfg.read_param("tls_user_organisation", "Organization (O)", "OpenSIPS")
        cert.get_subject().OU = cfg.read_param("tls_user_organisational_unit", "Organisational Unit (OU)", "Project")

        cert.set_serial_number(randrange(100000))
        cert.gmtime_adj_notBefore(0)
        notafter = int(cfg.read_param("tls_user_notafter", "Certificate validity (seconds)", 315360000))
        cert.gmtime_adj_notAfter(notafter)
        cert.set_issuer(ca_cert.get_subject())

        extensions = [
            crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE'),
            crypto.X509Extension(b'extendedKeyUsage', False, b'clientAuth,serverAuth')
        ]

        cert.add_extensions(extensions)

        # create a key pair
        key = crypto.PKey()
        key_size = int(cfg.read_param("tls_user_key_size", "RSA key size (bits)", 4096))
        key.generate_key(crypto.TYPE_RSA, key_size)

        cert.set_pubkey(key)
        md = cfg.read_param("tls_user_md", "Digest Algorithm", "SHA256")
        cert.sign(ca_key, md)

        try:
            if not exists(dirname(c_f)):
                makedirs(dirname(c_f))
            open(c_f, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to write to %s", c_f)
            return

        try:
            if not exists(dirname(k_f)):
                makedirs(dirname(k_f))
            open(k_f, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8'))
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to write to %s", k_f)
            return

        try:
            if not exists(dirname(ca_f)):
                makedirs(dirname(ca_f))
            open(ca_f, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert).decode('utf-8'))
        except Exception as e:
            logger.exception(e)
            logger.error("Failed to write to %s", ca_f)
            return

        logger.info("user certificate created in " + c_f)
        logger.info("user private key created in " + k_f)
        logger.info("user CA list (chain of trust) created in " + ca_f)