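def get_keypair(config = None):
    """
    Return the (keyfile, certfile) paths of the server key and certificate.

    Both files live under config.data_path ("server.key" / "server.cert").
    If both already exist their paths are returned unchanged. Otherwise a
    throwaway keypair and certificate are written to temporary files, used
    to build a ComponentAPI and call get_key() on its registry, and then a
    certificate issued by and for the key stored in keyfile is signed and
    saved to certfile.

    config -- object exposing data_path; an SfaConfig() is built when it
              is missing or falsy.
    """
    if not config:
        config = SfaConfig()
    # The original also read hierarchy.basedir into an unused local; the
    # construction is kept in case it has side effects.
    Hierarchy()
    data_dir = config.data_path
    keyfile = data_dir + os.sep + "server.key"
    certfile = data_dir + os.sep + "server.cert"

    # check if files already exist
    if os.path.exists(keyfile) and os.path.exists(certfile):
        return (keyfile, certfile)

    # create temp keypair server key and certificate
    tmp_paths = []
    try:
        for (suffix, prefix) in (('.pkey', 'tmpkey'), ('.cert', 'tmpcert')):
            (fd, path) = tempfile.mkstemp(suffix=suffix, prefix=prefix, dir='/tmp')
            tmp_paths.append(path)
            # mkstemp hands back an open descriptor; the files are written
            # by path below, so close it instead of leaking it.
            os.close(fd)
        (tmp_keyfile, tmp_certfile) = tmp_paths

        tmp_key = Keypair(create=True)
        tmp_key.save_to_file(tmp_keyfile)
        # NOTE(review): unlike the final certificate below, this temporary
        # certificate is saved without a sign() call -- confirm intended.
        tmp_cert = Certificate(subject='subject')
        tmp_cert.set_issuer(key=tmp_key, subject='subject')
        tmp_cert.set_pubkey(tmp_key)
        tmp_cert.save_to_file(tmp_certfile, save_parents=True)

        # request real pkey from registry
        api = ComponentAPI(key_file=tmp_keyfile, cert_file=tmp_certfile)
        registry = api.get_registry()
        registry.get_key()
    finally:
        # The temporary private key and certificate are not returned to the
        # caller, so do not leave key material behind in /tmp.
        for path in tmp_paths:
            try:
                os.remove(path)
            except OSError:
                pass

    # presumably get_key() results in keyfile being provisioned on disk;
    # it is loaded from there -- verify against the registry side.
    key = Keypair(filename=keyfile)
    # NOTE(review): `hrn` is not defined in this function; unless it is a
    # module-level name this raises NameError -- confirm where it comes from.
    cert = Certificate(subject=hrn)
    cert.set_issuer(key=key, subject=hrn)
    cert.set_pubkey(key)
    cert.sign()
    cert.save_to_file(certfile, save_parents=True)
    return (keyfile, certfile)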
Esempio n. 2
File: sfi.py Progetto: planetlab/sfa
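    def get_cert_file(self, key_file):
        """
        Return the path of the user's certificate file, creating it if needed.

        The path is <sfi_dir>/<user without the authority prefix>.cert. If a
        certificate already exists there and carries a URN (a Registry-issued
        GID), it is reused. Otherwise a self-signed certificate is written
        from key_file and then used to try to download a Registry-issued one,
        which overwrites it on success.

        key_file -- path of the private key used to sign the bootstrap
                    certificate and to authenticate to the registry.
        """
        cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert")
        if (os.path.isfile(cert_file)):
            # we'd prefer to use Registry issued certs instead of self signed certs.
            # if this is a Registry cert (GID) then we are done
            gid = GID(filename=cert_file)
            if gid.get_urn():
                return cert_file

        # generate self signed certificate
        k = Keypair(filename=key_file)
        cert = Certificate(subject=self.user)
        cert.set_pubkey(k)
        cert.set_issuer(k, self.user)
        cert.sign()
        self.logger.info("Writing self-signed certificate to %s"%cert_file)
        cert.save_to_file(cert_file)
        self.cert = cert
        # try to get registry issued cert
        try:
            self.logger.info("Getting Registry issued cert")
            self.read_config()
            # *hack.  need to set registry before _get_gid() is called
            self.registry = xmlrpcprotocol.get_server(
                self.reg_url, key_file, cert_file,
                timeout=self.options.timeout, verbose=self.options.debug)
            gid = self._get_gid(type='user')
            self.logger.info("Writing certificate to %s"%cert_file)
            gid.save_to_file(cert_file)
        except Exception:
            # Best effort: on failure the self-signed certificate written
            # above stays at cert_file and is what the caller receives.
            # Catching Exception rather than everything lets
            # KeyboardInterrupt and SystemExit propagate.
            self.logger.info("Failed to download Registry issued cert")
        finally:
            # Drop the bootstrap proxy on failure too, so a connection
            # authenticated with the self-signed certificate is not reused.
            self.registry = None

        return cert_file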
Esempio n. 3
def init_self_signed_cert(hrn, key, server_cert_file):
    """
    Write a self-signed certificate for `hrn` to `server_cert_file`.

    The certificate's subject and issuer subject are both `hrn`, and `key`
    is used both as the issuer key and as the certified public key.
    """
    logger.debug("generating self signed cert")
    self_signed = Certificate(subject=hrn)
    # issuer and public key are the same keypair, so no other party
    # vouches for this certificate
    self_signed.set_issuer(key=key, subject=hrn)
    self_signed.set_pubkey(key)
    self_signed.sign()
    self_signed.save_to_file(server_cert_file)
Esempio n. 4
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False):
    """
    Create the server key/cert pair in the right place.

    The keypair is loaded from `keyfile` and written back to the same path;
    a certificate with subject `hrn`, issued by and for that keypair, is
    then signed and saved to `certfile` (with save_parents=True).
    `verbose` is accepted but not used by this function.
    """
    server_key = Keypair(filename=keyfile)
    server_key.save_to_file(keyfile)

    # self-signed: the same keypair is the issuer and the certified key
    server_cert = Certificate(subject=hrn)
    server_cert.set_issuer(key=server_key, subject=hrn)
    server_cert.set_pubkey(server_key)
    server_cert.sign()
    server_cert.save_to_file(certfile, save_parents=True)
 def self_signed_cert_produce(self, output):
     """
     Write a self-signed certificate for self.hrn to `output` and return
     `output`.

     assert_private_key() is called first; the keypair is then loaded from
     the path given by private_key_filename() and used both as the
     certified public key and as the issuer.
     """
     self.assert_private_key()
     keypair = Keypair(filename=self.private_key_filename())
     certificate = Certificate(subject=self.hrn)
     certificate.set_pubkey(keypair)
     certificate.set_issuer(keypair, self.hrn)
     certificate.sign()
     certificate.save_to_file(output)
     return output
Esempio n. 6
 def self_signed_cert_produce(self, output):
     """
     Write a self-signed certificate for self.hrn to `output`, log the
     event at debug level, and return `output`.

     assert_private_key() is called first; the keypair is then loaded from
     the path given by private_key_filename() and used both as the
     certified public key and as the issuer.
     """
     self.assert_private_key()
     keypair = Keypair(filename=self.private_key_filename())
     certificate = Certificate(subject=self.hrn)
     certificate.set_pubkey(keypair)
     certificate.set_issuer(keypair, self.hrn)
     certificate.sign()
     certificate.save_to_file(output)
     details = (self.hrn, output)
     self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s" % details)
     return output
Esempio n. 7
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False):
    """
    Create the server key/cert pair in the right place.

    Loads the keypair found at `keyfile`, saves it back to that path, and
    writes to `certfile` a signed certificate whose subject is `hrn` and
    whose issuer and public key are that same keypair. Parent directories
    handling is delegated to save_to_file(save_parents=True).
    `verbose` is accepted but not used by this function.
    """
    keypair = Keypair(filename=keyfile)
    keypair.save_to_file(keyfile)

    # issuer key == certified key, i.e. a self-signed certificate
    certificate = Certificate(subject=hrn)
    certificate.set_issuer(key=keypair, subject=hrn)
    certificate.set_pubkey(keypair)
    certificate.sign()
    certificate.save_to_file(certfile, save_parents=True)
Esempio n. 8
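def get_node_key(registry=None, verbose=False):
    """
    Call get_key_from_incoming_ip() on the registry reachable at `registry`.

    A throwaway keypair and self-signed certificate (subject "component")
    are written to temporary files and handed to server_proxy() as the
    client credentials. The temporary files are removed before returning.

    registry -- URL passed to server_proxy().
    verbose  -- accepted but not used by this function.
    """
    import os  # function-scope import: the original block only used tempfile

    # this call requires no authentication,
    # so we can generate a random keypair here
    subject = "component"
    tmp_paths = []
    try:
        for _ in range(2):
            (fd, path) = tempfile.mkstemp()
            tmp_paths.append(path)
            # mkstemp returns an open descriptor; the files are written by
            # path below, so close it instead of leaking it.
            os.close(fd)
        (keyfile, certfile) = tmp_paths

        key = Keypair(create=True)
        key.save_to_file(keyfile)
        cert = Certificate(subject=subject)
        cert.set_issuer(key=key, subject=subject)
        cert.set_pubkey(key)
        cert.sign()
        cert.save_to_file(certfile)

        registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
        registry.get_key_from_incoming_ip()
    finally:
        # The paths are never returned, so nothing else can use these
        # files; do not leave a private key behind in the temp directory.
        for path in tmp_paths:
            try:
                os.remove(path)
            except OSError:
                pass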
Esempio n. 9
File: api.py Progetto: planetlab/sfa
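 def get_node_key(self):
     """
     Call get_key() on the registry returned by self.get_registry().

     A throwaway keypair and self-signed certificate (subject "component")
     are written to temporary files first, and removed before returning.
     """
     import os  # function-scope import: the original block only used tempfile

     # this call requires no authentication,
     # so we can generate a random keypair here
     subject = "component"
     tmp_paths = []
     try:
         for _ in range(2):
             (fd, path) = tempfile.mkstemp()
             tmp_paths.append(path)
             # mkstemp returns an open descriptor; the files are written by
             # path below, so close it instead of leaking it.
             os.close(fd)
         (keyfile, certfile) = tmp_paths

         key = Keypair(create=True)
         key.save_to_file(keyfile)
         cert = Certificate(subject=subject)
         cert.set_issuer(key=key, subject=subject)
         cert.set_pubkey(key)
         cert.sign()
         cert.save_to_file(certfile)
         # NOTE(review): keyfile/certfile are not passed to get_registry()
         # here, so the temporary credentials look unused -- confirm.
         registry = self.get_registry()
         # the registry will scp the key onto the node
         registry.get_key()
     finally:
         # The paths are never returned or stored, so nothing else can use
         # these files; do not leave a private key in the temp directory.
         for path in tmp_paths:
             try:
                 os.remove(path)
             except OSError:
                 pass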
Esempio n. 10
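def get_node_key(registry=None, verbose=False):
    """
    Call get_key_from_incoming_ip() on the registry reachable at `registry`.

    A throwaway keypair and self-signed certificate (subject "component")
    are written to temporary files and handed to server_proxy() as the
    client credentials. The temporary files are removed before returning.

    registry -- URL passed to server_proxy().
    verbose  -- accepted but not used by this function.
    """
    import os  # function-scope import: the original block only used tempfile

    # this call requires no authentication,
    # so we can generate a random keypair here
    subject = "component"
    tmp_paths = []
    try:
        for _ in range(2):
            (fd, path) = tempfile.mkstemp()
            tmp_paths.append(path)
            # mkstemp returns an open descriptor; the files are written by
            # path below, so close it instead of leaking it.
            os.close(fd)
        (keyfile, certfile) = tmp_paths

        key = Keypair(create=True)
        key.save_to_file(keyfile)
        cert = Certificate(subject=subject)
        cert.set_issuer(key=key, subject=subject)
        cert.set_pubkey(key)
        cert.sign()
        cert.save_to_file(certfile)

        registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
        registry.get_key_from_incoming_ip()
    finally:
        # The paths are never returned, so nothing else can use these
        # files; do not leave a private key behind in the temp directory.
        for path in tmp_paths:
            try:
                os.remove(path)
            except OSError:
                pass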
Esempio n. 11
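 def get_node_key(self):
     """
     Call get_key_from_incoming_ip() on the registry returned by
     self.get_registry().

     A throwaway keypair and self-signed certificate (subject "component")
     are written to temporary files first, and removed before returning.
     """
     import os  # function-scope import: the original block only used tempfile

     # this call requires no authentication,
     # so we can generate a random keypair here
     subject = "component"
     tmp_paths = []
     try:
         for _ in range(2):
             (fd, path) = tempfile.mkstemp()
             tmp_paths.append(path)
             # mkstemp returns an open descriptor; the files are written by
             # path below, so close it instead of leaking it.
             os.close(fd)
         (keyfile, certfile) = tmp_paths

         key = Keypair(create=True)
         key.save_to_file(keyfile)
         cert = Certificate(subject=subject)
         cert.set_issuer(key=key, subject=subject)
         cert.set_pubkey(key)
         cert.sign()
         cert.save_to_file(certfile)
         # NOTE(review): keyfile/certfile are not passed to get_registry()
         # here, so the temporary credentials look unused -- confirm.
         registry = self.get_registry()
         # the registry will scp the key onto the node
         registry.get_key_from_incoming_ip()
     finally:
         # The paths are never returned or stored, so nothing else can use
         # these files; do not leave a private key in the temp directory.
         for path in tmp_paths:
             try:
                 os.remove(path)
             except OSError:
                 pass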