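def __init__(self, config):
    """Initialise the certmaster CA from *config*.

    Derives the CA key and certificate paths from ``config.cadir``, creates
    that directory when it is missing and generates a new CA through
    ``certs.create_ca`` when neither the key nor the certificate exists yet.

    Args:
        config: object exposing a ``cadir`` attribute (the CA directory).

    Raises:
        Exception: when only the CA key exists (a minion-only layout, which
            must not be turned into a CA), or when the directory or the
            key/certificate pair cannot be created.
    """
    self.cfg = config
    usename = utils.get_hostname()
    mycn = '%s-CA-KEY' % usename
    # TODO: Make extensions configurable
    self.ca_key_file = '%s/certmaster.key' % self.cfg.cadir
    self.ca_cert_file = '%s/certmaster.crt' % self.cfg.cadir
    self.logger = logging.getLogger(__name__)
    self.audit_logger = logging.getLogger('audit')

    # A key without a certificate means a minion-only setup: refuse to act
    # as a CA instead of silently regenerating anything on top of that key.
    if os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
        raise Exception("Unable to initialize certmaster service; CA key/cert files do not exist.")

    try:
        if not os.path.exists(self.cfg.cadir):
            # NOTE(review): the directory is created with umask-default
            # permissions although the CA private key is stored in it; a
            # restrictive mode may be wanted if nothing else reads this dir.
            os.makedirs(self.cfg.cadir)
        if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
            certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
    # ``except X as e`` replaces the Python-2-only ``except X, e`` form.
    except (IOError, OSError) as e:
        raise Exception('Cannot make certmaster certificate authority keys/certs, aborting: %s' % e)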
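def __init__(self, config):
    """Initialise the certify CA from *config*.

    Derives the CA key and certificate paths from ``config.cadir``, creates
    that directory when it is missing and, when neither file exists yet,
    generates a new CA with ``certs.create_ca`` and writes both parts with
    ``certs.dump_to_file``.

    Args:
        config: object exposing a ``cadir`` attribute (the CA directory).

    Raises:
        Exception: when only the CA key exists (a minion-only layout, which
            must not be turned into a CA), or when the directory or the
            key/certificate pair cannot be created.
    """
    self.cfg = config
    usename = utils.get_hostname()
    mycn = '%s-CA-KEY' % usename
    # TODO: Make extensions configurable
    self.ca_key_file = '%s/ca.key' % self.cfg.cadir
    self.ca_cert_file = '%s/ca.crt' % self.cfg.cadir
    self.logger = logging.getLogger(__name__)
    self.audit_logger = logging.getLogger('audit')

    # A key without a certificate means a minion-only setup: refuse to act
    # as a CA instead of silently regenerating anything on top of that key.
    if os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
        raise Exception("Unable to initialize certify service; CA key/cert files do not exist.")

    try:
        if not os.path.exists(self.cfg.cadir):
            # NOTE(review): the directory is created with umask-default
            # permissions although the CA private key is stored in it; a
            # restrictive mode may be wanted if nothing else reads this dir.
            os.makedirs(self.cfg.cadir)
        if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
            # TODO: configure all other optional args
            (cacert, cakey) = certs.create_ca(CN=mycn)
            # Let dump_to_file create the files itself. The previous
            # ``with open(path, 'wt')`` pre-created the key file with
            # umask-default (typically world-readable) permissions before
            # dump_to_file ran, so the private key could end up readable by
            # every local user. mode= matches create_minion_keys' usage.
            certs.dump_to_file(cakey, self.ca_key_file, mode=0o600)
            self.logger.info("Created CA Key %s", self.ca_key_file)
            certs.dump_to_file(cacert, self.ca_cert_file, mode=0o644)
            self.logger.info("Created CA Cert %s", self.ca_cert_file)
    # ``except X as e`` replaces the Python-2-only ``except X, e`` form.
    except (IOError, OSError) as e:
        raise Exception('Cannot make certify certificate authority keys/certs, aborting: %s' % e)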
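def create_minion_keys(CN, C=None, ST=None, L=None, O=None, OU=None, emailAddress=None, hashalgorithm='sha1'):
    """Create this minion's key and CSR, have certify sign it, and store the result.

    Steps: derive the file names from *CN* (or the local hostname); create or
    reuse the private key and CSR under ``minion_config.cert_dir``; submit the
    CSR to the certify master until an answer arrives; check that the returned
    certificate matches the local key and write it and the CA certificate.

    Args:
        CN: common name for the certificate and base of the file names.
            When None the local hostname is used.
        C, ST, L, O, OU, emailAddress: optional subject fields handed to
            ``certs.make_csr``.
        hashalgorithm: digest handed to ``certs.make_csr``. The 'sha1'
            default is kept for compatibility; a SHA-2 digest is preferable.

    Returns:
        None. Returns early when the certificate and CA certificate already
        exist, or when the returned certificate does not match the key.

    Raises:
        exc.CMException: when no hostname can be determined or when the local
            key or CSR cannot be created.
    """
    log = logger()
    cert_dir = minion_config.cert_dir
    # NOTE(review): the CSR goes out and the CA certificate comes back over
    # plain http and is stored as-is (trust on first use); the network path
    # to the master is therefore part of the trust boundary.
    master_uri = 'http://%s:%s/' % (minion_config.certify, minion_config.certify_port)

    filename = CN
    if filename is None:
        filename = utils.get_hostname()
    if filename is None:
        raise exc.CMException("Could not determine a hostname other than localhost")
    # use lowercase letters for filenames
    filename = filename.lower()  # XXX: Other normalization?

    # TODO: Make the extensions configurable?
    key_file = '%s/%s.pem' % (cert_dir, filename)
    csr_file = '%s/%s.csr' % (cert_dir, filename)
    cert_file = '%s/%s.cert' % (cert_dir, filename)
    ca_cert_file = '%s/ca.cert' % cert_dir

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        log.debug("cert file already exists: %s", cert_file)
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)
        force_recreate_csr = False
        if os.path.exists(key_file):
            keypair = certs.retrieve_key_from_file(key_file)
        else:
            keypair = certs.make_keypair()
            # private key: owner-only permissions
            certs.dump_to_file(keypair, key_file, mode=0o600)
            # a fresh key invalidates any CSR left over from an older key
            force_recreate_csr = True
        if not os.path.exists(csr_file) or force_recreate_csr:
            csr = certs.make_csr(keypair, CN=CN, C=C, ST=ST, L=L, O=O, OU=OU,
                                 emailAddress=emailAddress, hashalgorithm=hashalgorithm)
            certs.dump_to_file(csr, csr_file, mode=0o644)
    except Exception:
        # ``except object`` is not a valid exception class on Python 3, and
        # the original logged the same failure twice; log once with traceback.
        log.exception("Could not create local keypair or csr for session.")
        raise exc.CMException("Could not create local keypair or csr for session")

    result = False
    cert_string = ca_cert_string = None
    while not result:
        try:
            log.debug("submitting CSR: %s to certify %s", csr_file, master_uri)
            (result, cert_string, ca_cert_string) = submit_csr_to_master(csr_file, master_uri)
        except socket.error:
            log.warning("Could not connect to server at %s", master_uri, exc_info=True)
        if not result:
            # Blocks until the master answers (e.g. once the CSR is signed).
            log.warning("no response from certify %s, sleeping 10 seconds", master_uri)
            time.sleep(10)

    log.debug("received certificate from certify %s, storing to %s", master_uri, cert_file)
    if not keypair:
        keypair = certs.retrieve_key_from_file(key_file)
    if not certs.check_cert_key_match(cert_string, keypair):
        log.info("certificate does not match key (run certify-ca --clean first?)")
        sys.stderr.write("certificate does not match key (run certify-ca --clean first?)\n")
        return

    # O_TRUNC is required: the early return above only fires when BOTH files
    # exist, so a pre-existing cert_file is reached here and, without
    # truncation, a shorter new certificate would leave stale trailing bytes.
    # try/finally closes the descriptor even if the write fails.
    for path, payload in ((cert_file, cert_string), (ca_cert_file, ca_cert_string)):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
        try:
            os.write(fd, payload)
        finally:
            os.close(fd)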
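def create_minion_keys(CN, C=None, ST=None, L=None, O=None, OU=None, emailAddress=None, hashalgorithm='sha1'):
    """Create this minion's key and CSR, have certmaster sign it, and store the result.

    Steps: derive the file names from *CN* (or the local hostname); create or
    reuse the private key and CSR under ``minion_config.cert_dir``; submit the
    CSR to certmaster until an answer arrives; check that the returned
    certificate matches the local key and write it and the CA certificate.

    Args:
        CN: common name for the certificate and base of the file names.
            When None the local hostname is used.
        C, ST, L, O, OU, emailAddress: optional subject fields handed to
            ``certs.make_csr``.
        hashalgorithm: digest handed to ``certs.make_csr``. The 'sha1'
            default is kept for compatibility; a SHA-2 digest is preferable.

    Returns:
        None. Returns early when the certificate and CA certificate already
        exist, or when the returned certificate does not match the key.

    Raises:
        exc.CMException: when no hostname can be determined or when the local
            key or CSR cannot be created.
    """
    log = logger()
    cert_dir = minion_config.cert_dir
    # NOTE(review): the CSR goes out and the CA certificate comes back over
    # plain http and is stored as-is (trust on first use); the network path
    # to the master is therefore part of the trust boundary.
    master_uri = 'http://%s:%s/' % (minion_config.certmaster, minion_config.certmaster_port)

    filename = CN
    if filename is None:
        filename = utils.get_hostname()
    if filename is None:
        raise exc.CMException("Could not determine a hostname other than localhost")
    # use lowercase letters for filenames
    filename = filename.lower()  # XXX: Other normalization?

    # TODO: Make the extensions configurable?
    key_file = '%s/%s.pem' % (cert_dir, filename)
    csr_file = '%s/%s.csr' % (cert_dir, filename)
    cert_file = '%s/%s.cert' % (cert_dir, filename)
    ca_cert_file = '%s/ca.cert' % cert_dir

    if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
        log.debug("cert file already exists: %s", cert_file)
        return

    keypair = None
    try:
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)
        force_recreate_csr = False
        if os.path.exists(key_file):
            keypair = certs.retrieve_key_from_file(key_file)
        else:
            keypair = certs.make_keypair()
            # private key: owner-only permissions
            certs.dump_to_file(keypair, key_file, mode=0o600)
            # a fresh key invalidates any CSR left over from an older key
            force_recreate_csr = True
        if not os.path.exists(csr_file) or force_recreate_csr:
            csr = certs.make_csr(keypair, CN=CN, C=C, ST=ST, L=L, O=O, OU=OU,
                                 emailAddress=emailAddress, hashalgorithm=hashalgorithm)
            certs.dump_to_file(csr, csr_file, mode=0o644)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
        # are no longer swallowed and re-raised as a CMException.
        log.exception("Could not create local keypair or csr for session.")
        raise exc.CMException("Could not create local keypair or csr for session")

    result = False
    cert_string = ca_cert_string = None
    while not result:
        try:
            log.debug("submitting CSR: %s to certmaster %s", csr_file, master_uri)
            (result, cert_string, ca_cert_string) = submit_csr_to_master(csr_file, master_uri)
        except socket.error:
            log.warning("Could not connect to server at %s", master_uri, exc_info=True)
        if not result:
            # Blocks until the master answers (e.g. once the CSR is signed).
            log.warning("no response from certmaster %s, sleeping 10 seconds", master_uri)
            time.sleep(10)

    log.debug("received certificate from certmaster %s, storing to %s", master_uri, cert_file)
    if not keypair:
        keypair = certs.retrieve_key_from_file(key_file)
    if not certs.check_cert_key_match(cert_string, keypair):
        log.info("certificate does not match key (run certmaster-ca --clean first?)")
        sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
        return

    # O_TRUNC is required: the early return above only fires when BOTH files
    # exist, so a pre-existing cert_file is reached here and, without
    # truncation, a shorter new certificate would leave stale trailing bytes.
    # try/finally closes the descriptor even if the write fails.
    for path, payload in ((cert_file, cert_string), (ca_cert_file, ca_cert_string)):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
        try:
            os.write(fd, payload)
        finally:
            os.close(fd)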