def charger_certificats(self):
secret_path = path.abspath(self.secret_path)
os.makedirs(secret_path, exist_ok=True) # Creer path secret, au besoin
# Charger information certificat monitor
cert_pem = self._charger_certificat_docker('pki.monitor.cert')
with open(path.join(secret_path, 'pki.monitor.key.pem'),
'rb') as fichiers:
key_pem = fichiers.read()
clecert_monitor = EnveloppeCleCert()
clecert_monitor.from_pem_bytes(key_pem, cert_pem)
self.clecert_monitor = clecert_monitor
# Conserver reference au cert monitor pour middleware
self.certificats[
GestionnaireCertificats.
MONITOR_CERT_PATH] = self.certificats['pki.monitor.cert']
self.certificats[
GestionnaireCertificats.MONITOR_KEY_FILE] = 'pki.monitor.key.pem'
# with open(path.join(secret_path, ConstantesServiceMonitor.FICHIER_MONGO_MOTDEPASSE), 'r') as fichiers:
# self._passwd_mongo = fichiers.read()
# with open(path.join(secret_path, ConstantesServiceMonitor.FICHIER_MQ_MOTDEPASSE), 'r') as fichiers:
# self._passwd_mq = fichiers.read()
# Charger le certificat de millegrille
self._charger_certificat_docker('pki.millegrille.cert')
class EnvCert:
def __init__(self):
self._logger = logging.getLogger('%s.%s' %
(__name__, self.__class__.__name__))
self.dict_ca = dict()
self.cle_millegrille = EnveloppeCleCert() # EnveloppeCleCert
self.ca_autorite = EnveloppeCleCert() # EnveloppeCleCert
self.renouvelleur = None
def charger(self):
with open('/home/mathieu/mgdev/certs/pki.ca.root.cert', 'rb') as f:
ca_cert = f.read()
self.ca_autorite.cert_from_pem_bytes(ca_cert)
with open('/home/mathieu/mgdev/certs/pki.ca.passwords', 'r') as f:
passwords = json.load(f)
with open('/home/mathieu/mgdev/certs/pki.ca.millegrille.cert',
'rb') as f:
mg_cert = f.read()
with open('/home/mathieu/mgdev/certs/pki.ca.millegrille.key',
'rb') as f:
mg_key = f.read()
self.cle_millegrille.from_pem_bytes(
mg_key, mg_cert, passwords['pki.ca.millegrille'].encode('utf-8'))
self.charger_ca_chaine()
self.renouvelleur = RenouvelleurCertificat('testMG', self.dict_ca,
self.cle_millegrille,
self.ca_autorite)
def charger_ca_chaine(self):
self.dict_ca = dict()
ca_chain_file = '/home/mathieu/mgdev/certs/pki.ca.millegrille.fullchain'
with open(ca_chain_file, 'r') as fichier:
chaine = fichier.read()
certs = chaine.split('-----END CERTIFICATE-----')
for cert in certs[0:-1]:
cert = '%s-----END CERTIFICATE-----\n' % cert
self._logger.warning("Loading CA cert :\n%s" % cert)
cert = cert.encode('utf-8')
x509_cert = x509.load_pem_x509_certificate(
cert, backend=default_backend())
skid = EnveloppeCleCert.get_subject_identifier(x509_cert)
self.dict_ca[skid] = x509_cert
def charger_certificats(self):
secret_path = path.abspath(self.secret_path)
# Charger mots de passes middleware
with open(
path.join(secret_path,
ConstantesServiceMonitor.FICHIER_MONGO_MOTDEPASSE),
'r') as fichiers:
self._passwd_mongo = fichiers.read()
with open(
path.join(secret_path,
ConstantesServiceMonitor.FICHIER_MQ_MOTDEPASSE),
'r') as fichiers:
self._passwd_mq = fichiers.read()
# Charger information certificat monitor
clecert_monitor = EnveloppeCleCert()
with open(path.join(secret_path, 'pki.monitor_dependant.key.pem'),
'rb') as fichiers:
key_pem = fichiers.read()
try:
cert_pem = self._charger_certificat_docker(
'pki.monitor_dependant.cert')
clecert_monitor.from_pem_bytes(key_pem, cert_pem)
# Conserver reference au cert monitor
self.certificats[
GestionnaireCertificats.MONITOR_CERT_PATH] = self.certificats[
'pki.monitor_dependant.cert']
self.certificats[
GestionnaireCertificats.
MONITOR_KEY_FILE] = 'pki.monitor_dependant.key.pem'
except AttributeError:
self.__logger.info(
"Certificat monitor_dependant non trouve, on va l'attendre")
clecert_monitor.key_from_pem_bytes(key_pem)
self.clecert_monitor = clecert_monitor
# Charger le certificat de millegrille, chaine pour intermediaire
self._charger_certificat_docker('pki.millegrille.cert')
def __init__(self):
self.idmg = 'JPtGcNcFSkfSdw49YsDpQHKxqTHMitpbPZW17a2JC54T'
self.chaine_pem = [
"""
-----BEGIN CERTIFICATE-----
MIIDfTCCAmWgAwIBAgIJYGYjdUZ4mWUAMA0GCSqGSIb3DQEBDQUAMCcxDzANBgNV
BAMTBlJhY2luZTEUMBIGA1UEChMLTWlsbGVHcmlsbGUwHhcNMjAwODE0MTMzNTAw
WhcNMjMwODE3MTMzNTAwWjB9MS0wKwYDVQQDEyRmMDNhYTQyNi04Mjc5LTQyMDYt
YWYyYy0wNjA5N2IyMmY2MTYxFTATBgNVBAsTDE5vZXVkUHJvdGVnZTE1MDMGA1UE
ChMsSlB0R2NOY0ZTa2ZTZHc0OVlzRHBRSEt4cVRITWl0cGJQWlcxN2EySkM1NFQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbi6hszfap+SF2vPoJx/1t
1k4AZNUWpxpD7zTVw9gjl8re2hHjDne99w4r3bPOyDUjh6A4hWC77bQ/yTa/UQPO
LVHdU3DcbjshxCYv/TebwikEct4EoYjxQZgt6ov4rhhyyEqPK1UFvHsNkjZWH1qM
ocoHA2IeeDZqhi9mRGeKsZ7vPOYI/9RN3lQMEYUqIQI0Tx+rVEXIGT7g6WSuKwN2
O9Q1Ktqb7z6w491UkPTxukM2DkZCglSRXEnfw8Psc2c6yN1TKHgsGzf299d3zkF2
c0ZtI8rqQ9tebX1zZCyYOLZrZXWP73kr89Qnp0b3d78vB2uEHW1ioPhNstRcIQPf
AgMBAAGjVjBUMBIGA1UdEwEB/wQIMAYBAf8CAQQwHQYDVR0OBBYEFAAvK7SYudlb
e3wdxyjBcEQz/6uFMB8GA1UdIwQYMBaAFLBXLIVvPd0v2/PRpsXEhxv3SitkMA0G
CSqGSIb3DQEBDQUAA4IBAQBNR6bWpOLfEL/ERZsuCzX04YchFy7gNuCSphzhFpGx
V3gApShKPKja94V2FmcvbHqmiCnU2SK5/q7YB9X7RElYJRktl50DIUw3puKfaYS0
965K4ZIyuhA452G+OdgrvJzE29E6op19z1SAKvzqhk3e/SFrEmrsKisGAA2HGL8Q
E+cGvtDYc/b4YE0YmK4b6+PyGSF+2HDr9D9lEsavn5tJaWLjBiGp2BTKagShOpNX
VPk6OgYoAWz9RULV/jMSVrC/fm8cogmWT0TJ2NFR305iI9bv7zHKtQ7p/MjxNQN2
wh0FLaiqSb+Dd+LZiMlWm7tF2Z5vuqC1EMdbjTYVBU23
-----END CERTIFICATE-----
""", """
-----BEGIN CERTIFICATE-----
MIIDKDCCAhCgAwIBAgIKAol2BgZkgwIwADANBgkqhkiG9w0BAQ0FADAnMQ8wDQYD
VQQDEwZSYWNpbmUxFDASBgNVBAoTC01pbGxlR3JpbGxlMB4XDTIwMDgwNTE3MTky
NVoXDTIxMDgwNTE3MTkyNVowJzEPMA0GA1UEAxMGUmFjaW5lMRQwEgYDVQQKEwtN
aWxsZUdyaWxsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHD5H6t
svTC1rkQ0jDq51/5ht72LroSubFIM6SGd4PeofKGk2LCLce8IGC9zz08lXa8WMkr
I9yAxf3P0WK2UEZFXsvGJ0EvBXyewZDEX+Lfp12zyBuKGRK5rjUYFCdbEiO+qVCq
Pvqb4VU4ffbAFvuWRulSfvD5udC2PY1xRxNQytAnbs3jRJSzcFiGDk50bwG5JD/i
TZwtnm6OQYcxnckNZgzz8G34wZEAwz1f5a941nV+Tnnod+7t6kdkLFenMUtVPrd8
hVwHzitBUkBP8OsTvS/AGvyMrz/1XT1+MxwShq8o8S2fp7YGdR8eeb1uUfJLzLu8
rGB5vMOoiiGOkNkCAwEAAaNWMFQwEgYDVR0TAQH/BAgwBgEB/wIBBTAdBgNVHQ4E
FgQUsFcshW893S/b89GmxcSHG/dKK2QwHwYDVR0jBBgwFoAUsFcshW893S/b89Gm
xcSHG/dKK2QwDQYJKoZIhvcNAQENBQADggEBAKD7W6UKrnPpIXzrFVXs0EOYZi1u
IUEOBA0yoJyUQuLcyb+nNCUf9FPjyh1xGrtHLgMwNuIj3EqB3AvzZs+t9kyJ+aun
RaGxOSd6ytQzRW4LcpUNeBs0oCkTftlXGZRBU/ZgaMNQvk7b1R5MaBOtBnUkDsRA
/+bdPl2gpOCUFdNK53805Z8cgV0QXQKNPgM06EVT1URWsy9Z3O6BA57Xq3kEZOtJ
oJMuyy7g7/iRiAfXsys7ZoDgPET8SL3R0UbvUTXXI5jM2+jchBqucI6YSEjJmgBQ
TNQc8kgLqRI+hI8Ri62/ZsEeUmyn5VOrq+oPOsFc1wBS8ErdxXLln77cEEk=
-----END CERTIFICATE-----
"""
]
self.cle_pem = """
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA24uobM32qfkhdrz6Ccf9bdZOAGTVFqcaQ+801cPYI5fK3toR
4w53vfcOK92zzsg1I4egOIVgu+20P8k2v1EDzi1R3VNw3G47IcQmL/03m8IpBHLe
BKGI8UGYLeqL+K4YcshKjytVBbx7DZI2Vh9ajKHKBwNiHng2aoYvZkRnirGe7zzm
CP/UTd5UDBGFKiECNE8fq1RFyBk+4OlkrisDdjvUNSram+8+sOPdVJD08bpDNg5G
QoJUkVxJ38PD7HNnOsjdUyh4LBs39vfXd85BdnNGbSPK6kPbXm19c2QsmDi2a2V1
j+95K/PUJ6dG93e/LwdrhB1tYqD4TbLUXCED3wIDAQABAoIBAQCPCvN10MxB+rw+
7OnMra0Ff3fa8deUptOKJ7S5Ap00s5XOlS7KTYbfErT9B7o7pF5bA+b0bJKWX03t
sWAmTta34vdPySnjtT55xZ9L7SPqLBslduIJCmZ7Kk3IvOTt5iCvyKgrmAQRdLiI
IxecDVml/1PuNdocGB78UOlZLIB58AM9m3zHE0I4UDBL1Uo7q+GagklisDKkYjzU
Blxr8lkvisJniPHkOJj4DRGpXG9bJAoTTwya6tISpMNQRtOPu4lN7CzkK9CXvM/a
l8Eu9rYVzg7m3Q0jdvwiNZWEIFMLuDEi0ijWcEPurH/wV0LMIVQFe1LA7swg8BjC
PjiRExDhAoGBAPrXchrGJUAt1mx2nb9a4OJ2YRlpBkN0pPB0rsBg1AUf4raTTcwb
5S2sDqkn0zwVA3aWhWFkzTJgBlC6Ykn1xsa2VSGP1JchxAl6EgKiWxSHNkaiiBM2
Fo8jjRscMb8T0sjgDEjlmvrERDGSrJtmEPQjGTcDlsOZDlFphls3eQZ1AoGBAOAP
dE2hxX3G8zSD+/90a7bbhfhqfOJta7a6Sv6NwshR9bnI1kLqjJbg32jY15HSvdGL
Em1U5duI/oy+lZCQBBSaGSnPmhFRPqa1o8nPYh5Zz2aLroTWIjiIweGx4hJQ8F3a
wSjG3HQNLZ3y0ppH+FvH2gLuZh1CPsd95lXMjR6DAoGAKh8VhRNy2+UWlZ4RfTmI
e96/DWJKb/ddXxdo5Nsdn0KsclYoATdJ87Jpv9P1L6ijrT03ZpRjtKrVRKcXrC2+
VE3326voWfyMi77Y2WJkAv11isTuLrOtdBnXLw8790cf5SViSrdrn+JnRR/JJkss
W6KtMETFA1FnSxp6OkUFaKUCf37oQfe2qSWUiiw0lYcbaecob7lEl3eogln9Kn0D
zk+oHIYeOz2rm/XZaLD6IR93PgxxuP40F/1Amu0dBZnb+HOy1I3aCGnGmrXSK/Mi
g3CtbcunUjHrF3bt/uLW3jWBoqOGQ+HUwQj6bdwIrUC1gvZ5PAJtBWmNHAHiTZRL
R6MCgYEA6Tr6PMVlKw60m05y1S5zv6FGuUjZrepdKc1gw1U+LG3YztoykF6g+cK4
a3CFRrd9Rbz08P9l2kXM8YWaZVxH38MbOcoVhP7Al3N4ntV+y+dKW3y8IdGYcFRv
PZgCLivK4AyUNpjfeOyrmio+GqiRKt6aVCA4Ht5Az8c5j1atiZM=
-----END RSA PRIVATE KEY-----
"""
clecert_millegrille = EnveloppeCleCert()
clecert_millegrille.cert_from_pem_bytes(
self.chaine_pem[1].encode('utf-8'))
clecert_inter = EnveloppeCleCert()
clecert_inter.from_pem_bytes(self.cle_pem.encode('utf-8'),
self.chaine_pem[0].encode('utf-8'))
dict_ca = {
clecert_millegrille.fingerprint: clecert_millegrille,
clecert_inter.fingerprint: clecert_inter
}
self.renouvelleur = RenouvelleurCertificat(self.idmg, dict_ca,
clecert_inter,
clecert_millegrille)
def recevoir_trousseau(self, trousseaux: dict):
for trousseau in trousseaux:
idmg = trousseau[Constantes.CONFIG_IDMG]
configuration = self._millegrilles[idmg]
configuration[
ConstantesHebergement.CORRELATION_TROUSSEAU_MODULE] = trousseau
# Extraire cle-cert du trousseau
certificat_pem = trousseau[Constantes.ConstantesSecurityPki.
LIBELLE_CERTIFICAT_PEM].encode('utf-8')
cle_pem = trousseau['cle'].encode('utf-8')
motdepasse_chiffre = trousseau['motdepasse_chiffre']
# Dechiffrer mot de passe, charger cle privee et certificat
signateur = self.contexte.signateur_transactions
motdepasse = signateur.dechiffrage_asymmetrique(
motdepasse_chiffre.encode('utf-8'))
clecert = EnveloppeCleCert()
clecert.from_pem_bytes(cle_pem, certificat_pem, motdepasse)
clecert.password = None
configuration['clecert'] = clecert
certificats = trousseau['certificats']
# Au besoin, charger cle et passwd intermediaire (pour maitre des cles)
intermediaire_passwd_chiffre = trousseau.get(
'intermediaire_passwd')
intermediaire_cle = trousseau.get('intermediaire_cle')
intermediaire_cert = certificats['intermediaire']
if intermediaire_passwd_chiffre and intermediaire_cle:
intermediaire_passwd = signateur.dechiffrage_asymmetrique(
intermediaire_passwd_chiffre.encode('utf-8'))
# Verifier que la cle fonctionne
clecert_intermediaire = EnveloppeCleCert()
clecert_intermediaire.from_pem_bytes(
intermediaire_cle.encode('utf-8'),
intermediaire_cert.encode('utf-8'), intermediaire_passwd)
clecert_intermediaire.password = None
configuration['intermediaire_clecert'] = clecert_intermediaire
# Charger la chaine de certificats pour se connecter a l'hote
certificat_pem_str = str(certificat_pem, 'utf-8')
chaine_hote = [
certificat_pem_str,
certificats['hebergement'],
certificats['hote_pem'],
]
chaine_cert = [
certificat_pem_str,
intermediaire_cert,
]
configuration['chaine_hote'] = chaine_hote
configuration['chaine_cert'] = chaine_cert
configuration['millegrille'] = certificats['millegrille']
configuration['cle'] = str(clecert.private_key_bytes, 'utf-8')
self.ajouter_compte(idmg, chaine_hote)