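class EzCAHandler:
    """Service handler for EzCA.

    On construction it selects a persistence backend from the EzBake
    properties, wires it into the ``EzbakeCA`` and ``Cert`` DAOs, and loads
    (or creates and saves) the CA named ``ca_name``.
    """

    # Name of the persistence table/namespace backing the CA store.
    TABLE_NAME = "_EZ_CA_"
    # Name under which this service's own server certificate is stored.
    SERVER_CERT_NAME = "EzCAService"
    # Property key selecting the persistence backend ("file" when unset).
    PERSIST_MODE = "ezca.persist.mode"
    # Property keys for client-certificate auto-generation; not referenced
    # by any method of this class, kept for callers that use them.
    CLIENT_CERTS = "ezca.autogen.clients"
    CLIENT_CERT_O = "ezca.autogen.clients.out"
    CLIENT_CERT_O_DEF = "gen"

    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load or create the CA ``ca_name``.

        Args:
            ca_name: name of the CA record to load; created and saved if absent.
            ezconfig: EzBake properties mapping. When omitted, the properties
                are read from ``EzConfiguration()`` at call time. (The previous
                default-argument form evaluated that lookup once, at import
                time, so every instance shared a stale, import-time snapshot.)

        Raises:
            NotImplementedError: if ``ezca.persist.mode`` is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()

        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value (including a misspelled one) selects the
            # non-durable in-memory store; a CA created under it does not
            # survive a restart.
            store = MemoryPersist()

        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate {}".format(ca_name))
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # First run for this name: mint a new CA and persist it.
            self.ca = EzbakeCA(name=ca_name)
            self.ca.save()

    def _server_certs(self):
        """Return ``{'ca_certs', 'cert', 'key'}`` as PEM strings for this service.

        The server certificate record is looked up under ``SERVER_CERT_NAME``;
        if it has not been signed yet, its CSR is signed by this CA and the
        record is saved before the PEM values are produced.
        """
        ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
        record = Cert.get_named(self.SERVER_CERT_NAME)
        if not record.cert:
            record.cert = self.ca.sign_csr(record.csr())
            record.save()
        # 'key' is the private key in the clear; callers should not log it.
        key = ezbakeca.ca.pem_key(record.private_key)
        cert = ezbakeca.ca.pem_cert(record.cert)
        return {'ca_certs': ca_certs, 'cert': cert, 'key': key}

    def ping(self):
        """Liveness check; always returns True."""
        return True

    def getMetricRegistryThrift(self):
        """Return an empty ``MetricRegistryThrift`` (no metrics are recorded)."""
        return ezmetrics.ttypes.MetricRegistryThrift()

    def csr(self, token, csr):
        """Sign the certificate request ``csr`` with this CA and return it as PEM.

        Args:
            token: security token of the caller; its identity fields are only
                logged here, not checked against the request.
            csr: certificate signing request in the form accepted by
                ``ezbakeca.ca.load_csr``.

        Returns:
            The signed certificate as PEM.
        """
        request = ezbakeca.ca.load_csr(csr)
        # NOTE(review): nothing in this method ties the request's subject to
        # the token's principal or security IDs, so whatever subject the
        # caller placed in the CSR is what gets signed. The comment below
        # accepts that because access is restricted upstream to trusted cert
        # CNs; confirm that restriction is enforced in front of this handler
        # and keep this audit log line intact.
        # but since this is a Protect component, and we are only allowing
        # access to this service by trusted cert CNs, I can accept that.
        # still, we must log what's happening.
        logger.info("CSR signing request for Subject: {}. Token security ID: {}, "
                    "target security ID: {}, userInfo: {}".format(request.get_subject(),
                                                                   token.validity.issuedTo,
                                                                   token.validity.issuedFor,
                                                                   token.tokenPrincipal.principal))
        # sign the csr and get the cert
        cert = self.ca.sign_csr(request)
        # return the cert as pem
        return ezbakeca.ca.pem_cert(cert)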
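class EzCAHandler:
    """Service handler for EzCA.

    On construction it selects a persistence backend from the EzBake
    properties, wires it into the ``EzbakeCA`` and ``Cert`` DAOs, and loads
    (or creates and saves) the CA named ``ca_name``.
    """

    # Name of the persistence table/namespace backing the CA store.
    TABLE_NAME = "_EZ_CA_"
    # Name under which this service's own server certificate is stored.
    SERVER_CERT_NAME = "EzCAService"
    # Property key selecting the persistence backend ("file" when unset).
    PERSIST_MODE = "ezca.persist.mode"
    # Property keys for client-certificate auto-generation; not referenced
    # by any method of this class, kept for callers that use them.
    CLIENT_CERTS = "ezca.autogen.clients"
    CLIENT_CERT_O = "ezca.autogen.clients.out"
    CLIENT_CERT_O_DEF = "gen"

    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load or create the CA ``ca_name``.

        Args:
            ca_name: name of the CA record to load; created and saved if absent.
            ezconfig: EzBake properties mapping. When omitted, the properties
                are read from ``EzConfiguration()`` at call time. (The previous
                default-argument form evaluated that lookup once, at import
                time, so every instance shared a stale, import-time snapshot.)

        Raises:
            NotImplementedError: if ``ezca.persist.mode`` is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()

        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value (including a misspelled one) selects the
            # non-durable in-memory store; a CA created under it does not
            # survive a restart.
            store = MemoryPersist()

        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate {}".format(ca_name))
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # First run for this name: mint a new CA and persist it.
            self.ca = EzbakeCA(name=ca_name)
            self.ca.save()

    def _server_certs(self):
        """Return ``{'ca_certs', 'cert', 'key'}`` as PEM strings for this service.

        The server certificate record is looked up under ``SERVER_CERT_NAME``;
        if it has not been signed yet, its CSR is signed by this CA and the
        record is saved before the PEM values are produced.
        """
        ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
        record = Cert.get_named(self.SERVER_CERT_NAME)
        if not record.cert:
            record.cert = self.ca.sign_csr(record.csr())
            record.save()
        # 'key' is the private key in the clear; callers should not log it.
        key = ezbakeca.ca.pem_key(record.private_key)
        cert = ezbakeca.ca.pem_cert(record.cert)
        return {'ca_certs': ca_certs, 'cert': cert, 'key': key}

    def ping(self):
        """Liveness check; always returns True."""
        return True

    def csr(self, token, csr):
        """Sign the certificate request ``csr`` with this CA and return it as PEM.

        Args:
            token: security token of the caller; its identity fields are only
                logged here, not checked against the request.
            csr: certificate signing request in the form accepted by
                ``ezbakeca.ca.load_csr``.

        Returns:
            The signed certificate as PEM.
        """
        request = ezbakeca.ca.load_csr(csr)
        # NOTE(review): nothing in this method ties the request's subject to
        # the token's principal or security IDs, so whatever subject the
        # caller placed in the CSR is what gets signed. The comment below
        # accepts that because access is restricted upstream to trusted cert
        # CNs; confirm that restriction is enforced in front of this handler
        # and keep this audit log line intact.
        # but since this is a Protect component, and we are only allowing
        # access to this service by trusted cert CNs, I can accept that.
        # still, we must log what's happening.
        logger.info("CSR signing request for Subject: {}. Token security ID: {}, "
                    "target security ID: {}, userInfo: {}".format(request.get_subject(),
                                                                   token.validity.issuedTo,
                                                                   token.validity.issuedFor,
                                                                   token.tokenPrincipal.principal))
        # sign the csr and get the cert
        cert = self.ca.sign_csr(request)
        # return the cert as pem
        return ezbakeca.ca.pem_cert(cert)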
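def __init__(self, ca_name, ezconfig=None):
    """Set up persistence and load or create the CA ``ca_name``.

    Args:
        ca_name: name of the CA record to load; created and saved if absent.
        ezconfig: EzBake properties mapping. When omitted, the properties are
            read from ``EzConfiguration()`` at call time. (The previous
            default-argument form evaluated that lookup once, at import time,
            so every instance shared a stale, import-time snapshot.)

    Raises:
        NotImplementedError: if ``ezca.persist.mode`` is "accumulo".
    """
    if ezconfig is None:
        ezconfig = EzConfiguration().getProperties()

    mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
    if mode == "file":
        store = FilePersist(EzCAHandler.TABLE_NAME)
    elif mode == "accumulo":
        raise NotImplementedError("accumulo persistance not supported by EzCA yet")
    else:
        # Any other value (including a misspelled one) selects the
        # non-durable in-memory store; a CA created under it does not
        # survive a restart.
        store = MemoryPersist()

    EzbakeCA.setup(store=store)
    Cert.setup(store=store)
    self.store = store

    try:
        logger.info("Reading CA certificate {}".format(ca_name))
        self.ca = EzbakeCA.get_named(ca_name)
    except KeyError:
        # First run for this name: mint a new CA and persist it.
        self.ca = EzbakeCA(name=ca_name)
        self.ca.save()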
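def init(config):
    """Create (or reuse) the CA named ``config.name`` and generate client certs.

    Args:
        config: parsed command-line options; the attributes read here are
            ``verbose``, ``clients`` (comma-separated names), ``force``,
            ``name``, ``env`` and ``outdir``.
    """
    # NOTE(review): the literal "config" is passed here rather than anything
    # taken from ``config``; confirm that is the intended configuration name.
    ez_config = load_configuration("config")
    setup_logging(config.verbose, ez_config)
    # Tolerate "a, b" and trailing commas: strip each name and drop empties,
    # so an empty --clients value yields no clients rather than [''].
    clients = [name.strip() for name in config.clients.split(',') if name.strip()]

    # initialize the daos -- this entry point always uses the file-backed store.
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        # Destructive: whatever is stored under this CA name is discarded so
        # that a fresh CA is minted below.
        store.delete(config.name)

    try:
        # Try to get it first, to see if it already exists
        ca = EzbakeCA.get_named(config.name)
        logger.info("CA %s not regenerated because it already exists", config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()

    gen_client_certs(ca, clients, directory=config.outdir, force=config.force)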