def __init__(self, options):
"""
contructor for OpenSIPS-Cli
"""
self.debug = options.debug
self.execute = options.execute
self.command = options.command
self.modules_dir_inserted = None
if self.debug:
logger.setLevel("DEBUG")
if not options.config:
cfg_file = None
for f in defaults.CFG_PATHS:
if os.path.isfile(f) and os.access(f, os.R_OK):
# found a valid config file
cfg_file = f
break
else:
cfg_file = options.config
if not cfg_file:
logger.debug("no config file found in any of {}".format(", ".join(
defaults.CFG_PATHS)))
else:
logger.debug("using config file {}".format(cfg_file))
# __init__ of the configuration file
cfg.parse(cfg_file)
if not cfg.has_instance(options.instance):
logger.warning(
"Unknown instance '{}'! Using default instance '{}'!".format(
options.instance, defaults.DEFAULT_SECTION))
instance = defaults.DEFAULT_SECTION
else:
instance = options.instance
cfg.set_instance(instance)
cfg.set_custom_options(options.extra_options)
if not self.execute:
# __init__ of cmd.Cmd module
cmd.Cmd.__init__(self)
# Opening the current working instance
self.update_instance(cfg.current_instance)
def do_rootCA(self, params):
global cfg
logger.info("Preparing to generate CA cert + key...")
# TODO
# separate cli.cfg files for TLS are fully deprecated, this if block is
# only kept for backwards-compatibility. Remove starting from v3.2! <3
if cfg.exists('tls_ca_config'):
tls_cfg = cfg.get('tls_ca_config')
cfg = OpenSIPSCLIConfig()
cfg.parse(tls_cfg)
ca_dir = cfg.read_param("tls_ca_dir", "Output directory",
"/etc/opensips/tls/rootCA/")
cert_file = cfg.read_param("tls_ca_cert_file", "Output cert file",
"cacert.pem")
key_file = cfg.read_param("tls_ca_key_file", "Output key file",
"private/cakey.pem")
c_f = join(ca_dir, cert_file)
k_f = join(ca_dir, key_file)
if (exists(c_f) or exists(k_f)) and not cfg.read_param(
"tls_ca_overwrite",
"CA certificate or key already exists, overwrite?", "yes",
True):
return
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().CN = cfg.read_param("tls_ca_common_name",
"Website address (CN)",
"opensips.org")
cert.get_subject().C = cfg.read_param("tls_ca_country", "Country (C)",
"RO")
cert.get_subject().ST = cfg.read_param("tls_ca_state", "State (ST)",
"Bucharest")
cert.get_subject().L = cfg.read_param("tls_ca_locality",
"Locality (L)", "Bucharest")
cert.get_subject().O = cfg.read_param("tls_ca_organisation",
"Organization (O)", "OpenSIPS")
cert.get_subject().OU = cfg.read_param("tls_ca_organisational_unit",
"Organisational Unit (OU)",
"Project")
cert.set_serial_number(randrange(100000))
cert.gmtime_adj_notBefore(0)
notafter = int(
cfg.read_param("tls_ca_notafter", "Certificate validity (seconds)",
315360000))
cert.gmtime_adj_notAfter(notafter)
cert.set_issuer(cert.get_subject())
# create a key pair
key = crypto.PKey()
key_size = int(
cfg.read_param("tls_ca_key_size", "RSA key size (bits)", 4096))
key.generate_key(crypto.TYPE_RSA, key_size)
cert.set_pubkey(key)
md = cfg.read_param("tls_ca_md", "Digest Algorithm", "SHA1")
cert.sign(key, md)
try:
if not exists(dirname(c_f)):
makedirs(dirname(c_f))
open(c_f, "wt").write(
crypto.dump_certificate(crypto.FILETYPE_PEM,
cert).decode('utf-8'))
except Exception as e:
logger.exception(e)
logger.error("Failed to write to %s", c_f)
return
try:
if not exists(dirname(k_f)):
makedirs(dirname(k_f))
open(k_f, "wt").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM,
key).decode('utf-8'))
except Exception as e:
logger.exception(e)
logger.error("Failed to write to %s", k_f)
return
logger.info("CA certificate created in " + c_f)
logger.info("CA private key created in " + k_f)
def do_userCERT(self, params):
global cfg
logger.info("Preparing to generate user cert + key + CA list...")
# TODO
# separate cli.cfg files for TLS are fully deprecated, this if block is
# only kept for backwards-compatibility. Remove starting from v3.2! <3
if cfg.exists('tls_user_config'):
tls_cfg = cfg.get('tls_user_config')
cfg = OpenSIPSCLIConfig()
cfg.parse(tls_cfg)
user_dir = cfg.read_param("tls_user_dir", "Output directory", "/etc/opensips/tls/user/")
cert_file = cfg.read_param("tls_user_cert_file", "Output cert file", "user-cert.pem")
key_file = cfg.read_param("tls_user_key_file", "Output key file", "user-privkey.pem")
calist_file = cfg.read_param("tls_user_calist_file", "Output CA list file", "user-calist.pem")
c_f = join(user_dir, cert_file)
k_f = join(user_dir, key_file)
ca_f = join(user_dir, calist_file)
if (exists(c_f) or exists(k_f) or exists(ca_f)) and not cfg.read_param("tls_user_overwrite",
"User certificate, key or CA list file already exists, overwrite?", "yes", True):
return
cacert = cfg.read_param("tls_user_cacert", "CA cert file", "/etc/opensips/tls/rootCA/cacert.pem")
cakey = cfg.read_param("tls_user_cakey", "CA key file", "/etc/opensips/tls/rootCA/private/cakey.pem")
try:
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert, 'rt').read())
except Exception as e:
logger.exception(e)
logger.error("Failed to load %s", cacert)
return
try:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(cakey, 'rt').read())
except Exception as e:
logger.exception(e)
logger.error("Failed to load %s", cakey)
return
# create a self-signed cert
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().CN = cfg.read_param("tls_user_common_name", "Website address (CN)", "www.opensips.org")
cert.get_subject().C = cfg.read_param("tls_user_country", "Country (C)", "RO")
cert.get_subject().ST = cfg.read_param("tls_user_state", "State (ST)", "Bucharest")
cert.get_subject().L = cfg.read_param("tls_user_locality", "Locality (L)", "Bucharest")
cert.get_subject().O = cfg.read_param("tls_user_organisation", "Organization (O)", "OpenSIPS")
cert.get_subject().OU = cfg.read_param("tls_user_organisational_unit", "Organisational Unit (OU)", "Project")
cert.set_serial_number(randrange(100000))
cert.gmtime_adj_notBefore(0)
notafter = int(cfg.read_param("tls_user_notafter", "Certificate validity (seconds)", 315360000))
cert.gmtime_adj_notAfter(notafter)
cert.set_issuer(ca_cert.get_subject())
extensions = [
crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE'),
crypto.X509Extension(b'extendedKeyUsage', False, b'clientAuth,serverAuth')
]
cert.add_extensions(extensions)
# create a key pair
key = crypto.PKey()
key_size = int(cfg.read_param("tls_user_key_size", "RSA key size (bits)", 4096))
key.generate_key(crypto.TYPE_RSA, key_size)
cert.set_pubkey(key)
md = cfg.read_param("tls_user_md", "Digest Algorithm", "SHA256")
cert.sign(ca_key, md)
try:
if not exists(dirname(c_f)):
makedirs(dirname(c_f))
open(c_f, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
except Exception as e:
logger.exception(e)
logger.error("Failed to write to %s", c_f)
return
try:
if not exists(dirname(k_f)):
makedirs(dirname(k_f))
open(k_f, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8'))
except Exception as e:
logger.exception(e)
logger.error("Failed to write to %s", k_f)
return
try:
if not exists(dirname(ca_f)):
makedirs(dirname(ca_f))
open(ca_f, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert).decode('utf-8'))
except Exception as e:
logger.exception(e)
logger.error("Failed to write to %s", ca_f)
return
logger.info("user certificate created in " + c_f)
logger.info("user private key created in " + k_f)
logger.info("user CA list (chain of trust) created in " + ca_f)