def setup(self, peer=None, epg=None): # Load config self.name = CONFIG["endpoints"]["server-name"] self.address = CONFIG["endpoints"]["server-addr"] self.port = CONFIG["endpoints"]["server-port"] self.verbose = CONFIG["verbose"] self.epg = epg self.peer = peer # Create Client peer self.peer = EP(name=CONFIG["endpoints"]["client-name"], address=CONFIG["endpoints"]["client-addr"], port=CONFIG["endpoints"]["client-port"], epg=CONFIG["endpoints"]["client-epg"]) # Load key material to create or request connection-specific certificate server_pkey_name = CONFIG["pki"]["server-pkey-name"] server_cert_name = CONFIG["pki"]["server-cert-name"] if not CM.cert_file_exists( server_pkey_name) or not CM.cert_file_exists(server_cert_name): # Request certificate from RA keys = CM.create_key_pair() csr = CM.create_csr(keys) request = CertificateRequest(self, self.peer, csr) cert = self.ra.request_certificate(request) if cert is None: raise ConnectionError( "Could not retrieve certificate needed to establish TLS connection." ) # Save keys and certificate CM.save_pkey(keys, server_pkey_name) CM.save_cert(cert, server_cert_name) self.cert = cert self.keys = keys else: self.keys = CM.load_pkey(server_pkey_name) self.cert = CM.load_cert(server_cert_name) # Create context self.context = SSL.Context(SSL.TLSv1_2_METHOD) self.context.set_options(SSL.OP_NO_TLSv1_2) self.context.set_verify( SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.ssl_verify_cb) self.context.set_ocsp_server_callback(self.ocsp_server_cb, data=self.name) self.context.use_privatekey(self.keys) self.context.use_certificate(self.cert) self.context.load_verify_locations( CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
def setup(self): """ Configure the RA with its own certificates. :return: """ if CertificateManager.cert_file_exists("ra.cert"): # Certificate exists self.cert = CertificateManager.load_cert("ra.cert") else: # Not found, create new certificate for the RA if self.verbose: print("Generating new RA certificate.") if self.ca is None or not isinstance(self.ca, CA): raise ValueError("The \"ca\" field must be defined and instance of CA to setup an RA.") # Create certificate own certificate on behalf of the CA keys = CertificateManager.create_key_pair(self.default_key_type, self.default_key_size) csr = CertificateManager.create_csr(keys, C="NO", ST="Oslo", L="Oslo", O=self.organisation, OU="RA", CN="RA") issuer = self.ca.get_root_certificate().get_issuer() # Issuer of root certificate (i.e. root CA) cert = CertificateManager.create_cert(csr, self.get_next_serial(), issuer, self.ca.get_keys(), ca=True) # Save certificate, keys and files CertificateManager.save_cert(cert, CONFIG["pki"]["ra-cert-name"]) CertificateManager.save_pkey(keys, CONFIG["pki"]["ra-pkey-name"]) self.cert = cert
def setup(self, peer, epg=None): # Load config self.name = CONFIG["endpoints"]["client-name"] self.address = CONFIG["endpoints"]["client-addr"] self.port = CONFIG["endpoints"]["client-port"] self.verbose = CONFIG["verbose"] self.epg = epg self.peer = peer # Load or request keys and certificate client_pkey_name = CONFIG["pki"]["client-pkey-name"] client_cert_name = CONFIG["pki"]["client-cert-name"] self.ca_cert_name = CONFIG["pki"]["ca-cert-name"] if not CM.cert_file_exists( client_pkey_name) or not CM.cert_file_exists(client_cert_name): # Request certificate from RA keys = CM.create_key_pair() csr = CM.create_csr(keys) request = CertificateRequest(self, self.peer, csr) cert = self.ra.request_certificate(request) if cert is None: raise ConnectionError( "Could not retrieve certificate needed to establish TLS connection. " "RA returned None.") # Save keys and certificate CM.save_pkey(keys, client_pkey_name) CM.save_cert(cert, client_cert_name) self.keys = keys self.cert = cert else: self.keys = CM.load_pkey(client_pkey_name) self.cert = CM.load_cert(client_cert_name) # Define context ctx = SSL.Context(SSL.TLSv1_2_METHOD) ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.ssl_verify_cb) ctx.set_verify_depth(2) ctx.use_privatekey(self.keys) ctx.use_certificate(self.cert) ctx.load_verify_locations( CM.get_cert_path(CONFIG["pki"]["ca-cert-name"])) ctx.set_ocsp_client_callback(self.ocsp_client_callback, data=self.name) self.context = ctx
def get_root_certificate(): """ Get the certificate for the root CA :return: """ if CertificateManager.cert_file_exists(CONFIG["pki"]["ca-cert-name"]): # Certificate exists return CertificateManager.load_cert(CONFIG["pki"]["ca-cert-name"]) else: # Create CA certificate pkey = CertificateManager.create_key_pair() csr = CertificateManager.create_csr(pkey, O="AC-PKI", OU="CA", C="NO", ST="Oslo", L="Oslo", CN="Root CA") cert = CertificateManager.create_self_signed_cert(csr, pkey, RA.get_next_serial()) # Save files and return CertificateManager.save_pkey(pkey, CONFIG["pki"]["ca-pkey-name"]) CertificateManager.save_cert(cert, CONFIG["pki"]["ca-cert-name"]) return cert
def get_keys(): pkey_name = CONFIG["pki"]["ca-pkey-name"] if CertificateManager.cert_file_exists(pkey_name): return CertificateManager.load_pkey(pkey_name)
import os """ This file creates the basic certificates needed to use the AC-PKI system. The program should be called from the general config script. If files already exist, this script WILL NOT replace them by default. Note that certificate files ARE NOT shared via Git and will therefore need to be created on each individual system. """ print("Setting up certificates...") # Create certs directory if it does not already exist if not os.path.exists(CertificateManager.get_cert_path()): os.makedirs(CertificateManager.get_cert_path()) print("Created certs directory") # Create CA certificate if CertificateManager.cert_file_exists( "ca.cert") and CertificateManager.cert_file_exists("ca.pkey"): # Load existing print("Loading existing CA certificate from file") ca_cert = CertificateManager.load_cert("ca.cert") ca_key_pair = CertificateManager.load_pkey("ca.pkey") else: # Generate new print("Generating CA certificate") ca_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048) csr = CertificateManager.create_csr(ca_key_pair, C="NO", ST="Oslo", O="Corp", OU="Blab") ca_cert = CertificateManager.create_self_signed_cert(csr, ca_key_pair, 0) CertificateManager.save_pkey(ca_key_pair, "ca.pkey")