def addfile(self, name, contents): """Adds a new file to the CA repository The file is scheduled for addition, you must make sure you call commit before closing the class or the file will not be committed name must refer to a valid path within the repository (eg. it should not contain uplevel references '../' or references to directories that do not exists. """ filename = self._checkName(name) # Write the file to the working directory try: fd = open(filename, "w") fd.write(contents) fd.close() except: raise ccs_ca_error("Could not write new file!", sys.exc_info()) # Schedule it for addition client.svn_client_add(filename, False, self.ctx, self.pool) log_info("CA: Marked %s for addition to repository" % name) return filename
def initConfFile(self): """Initialises the CA configuration file""" signdays = config_get("ca", "signdays", DEFAULT_SIGN_DAYS) site_name = config_get_required("network", "site_name") domain = config_get_required("network", "domain") fd = open("%s/ca.cnf" % self.rDir, "w") fd.write("""# # OpenSSL configuration file for the CRCnet Configuration System CA # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = $ENV::CCS_CA_DIR # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/certs # default place for new certs. certificate = $dir/cacert.pem # The CA certificate private_key = $dir/cakey.pem # The private key serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number crl = $dir/crl.pem # The current CRL RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options default_days = %s # how long to certify for default_crl_days = 30 # how long before next CRL default_md = sha1 # which md to use. preserve = no # keep passed DN ordering policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = optional localityName = optional organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # Extensions to add to self signed certs string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = NZ countryName_min = 2 countryName_max = 2 localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = %s organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = CRCnet Configuration System commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name # These extensions are added when 'ca' signs a request. [ usr_cert ] basicConstraints = CA:FALSE # nsCertType = server # nsCertType = client # This will be displayed in Netscape's comment listbox. nsComment = "Signed by the CRCnet Configuration System" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer nsRevocationUrl = https://%s/certs/crl.pem # Extensions to add to a certificate request [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Extensions for a typical CA [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true # CRL extensions. [ crl_ext ] authorityKeyIdentifier = keyid:always,issuer:always """ % (signdays, site_name, domain)) fd.close() client.svn_client_add("%s/ca.cnf" % self.rDir, False, \ self.ctx, self.pool) log_info("CA: Initialised configuration file") return
def checkRepoStructure(self): """Checks the repository has all the required infrastructure. CA itself (cannot be automatically created) cacert.pem The CA certificate cakey.pem The CA private key The remaining infrastructure is automatically created if not present certs/ Signed certificates crl/ Certificate Revocation Lists crlnumber Current CRL serial number serial Current certificate serial number index.txt Certificate database ca.cnf CA Configuration File """ if self.mParentSession is None or self.mChangeset is None: log_warn("Cannot check repository structure on a read-only " \ "revision") return # Is the certification authority cert and key present? if not os.path.exists("%s/cacert.pem" % self.rDir): raise ccs_ca_error("certificate not found in repository!") if not os.path.exists("%s/cakey.pem" % self.rDir): raise ccs_ca_error("key not found in repository!") # Check for required directories s = 0 flag = 0 if not os.path.exists("%s/certs" % self.rDir): # Storage directory for signed certificates needs creating ensureDirExists("%s/certs" % self.rDir) client.svn_client_add("%s/certs" % self.rDir, False, self.ctx, \ self.pool) s+=1 log_info("CA: Certificate storage directory created") # Check for required files if not os.path.exists("%s/crlnumber" % self.rDir): # CRL number needs initialising fd = open("%s/crlnumber" % self.rDir, "w") fd.write("00\n") fd.close() client.svn_client_add("%s/crlnumber" % self.rDir, False, \ self.ctx, self.pool) s+=1 log_info("CA: CRL number initialised to 0x00") if not os.path.exists("%s/index.txt" % self.rDir): # Certificate list needs initialising fd = open("%s/index.txt" % self.rDir, "w") fd.close() fd = open("%s/index.txt.attr" % self.rDir, "w") fd.close() client.svn_client_add("%s/index.txt" % self.rDir, False, \ self.ctx, self.pool) client.svn_client_add("%s/index.txt.attr" % self.rDir, False, \ self.ctx, self.pool) s+=1 log_info("CA: Certificate list initialised") if not os.path.exists("%s/serial" % self.rDir): # Serial number needs initialising fd = open("%s/serial" % self.rDir, "w") fd.write("00\n") fd.close() s+=1 client.svn_client_add("%s/serial" % self.rDir, False, \ self.ctx, self.pool) log_info("CA: Serial number initialised to 0x00") if not os.path.exists("%s/ca.cnf" % self.rDir): # Configuration file needs initialising self.initConfFile() flag=1 # Check svn:ignore is set if not self.hasIgnore(self.rDir, "*.old"): self.propadd(self.rDir, "svn:ignore", "*.old") flag=1 if s>0: flag=1 if flag==0: # All ok return if s>0 and s!=4: # Warn if only partial changes were made log_warn("CA: Initialised from incomplete state!") # Commit the changes r = self.checkin("Initialising Certificate Authority") #i = client.svn_client_commit([self.rDir], False, self.ctx, self.pool) #self.saveRevProps(i.revision, "Initialising Certificate Authority") if r > 0 : log_info("CA: Structure initialised in revision %s" % r) return r