def check_ca_clones(self): for host in self.clone_cas: cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort # Reach out and get some certs, to serve as a data and connectivity check try: connection = PKIConnection(protocol='https', hostname=host.Hostname, port=host.SecurePort, verify=False) cert_client = CertClient(connection) # get the first 3 in case we cant to make a sanity check of replicated data certs = cert_client.list_certs(size=3) if certs is not None and len(certs.cert_data_info_list) == 3: logger.info('Cert data successfully obtained from clone.') else: raise BaseException('CA clone problem reading data.' + cur_clone_msg) except BaseException as e: logger.error("Internal server error %s", e) raise BaseException('Internal error testing CA clone.' + cur_clone_msg) return
def __init__(self, connection, cert_sn, number_of_tests_per_client): super().__init__() self.connection = connection self.number_of_tests_per_client = number_of_tests_per_client self.cert_sn = cert_sn self.cert_client = CertClient(self.connection) return
def connection(self): connection = PKIConnection(protocol=self.protocol, hostname=self.hostname, port=self.port) connection.set_authentication_cert(self.cert) client = CertClient(connection) return client
class TestClient(threading.Thread): def __init__(self, connection, cert_sn, number_of_tests_per_client): super().__init__() self.connection = connection self.number_of_tests_per_client = number_of_tests_per_client self.cert_sn = cert_sn self.cert_client = CertClient(self.connection) return def run(self): # execute the specified number of tests for sn in range(self.number_of_tests_per_client): try: start = timer() log.info("Revoking Cert : {}".format(self.cert_sn[sn])) revoke_data = self.cert_client.revoke_cert( self.cert_sn[sn], revocation_reason='Key_Compromise') end = timer() revocation_times.append(int(end - start)) except Exception as error: log.error(error) return
log = logging.getLogger() logging.basicConfig(stream=sys.stdout, level=logging.INFO) args = parser.parse_args() # Create a PKIConnection object that stores the details of the CA. connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path) # The pem file used for authentication. Created from a p12 file using the # command - # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes connection.set_authentication_cert(args.client_cert) # Instantiate the CertClient cert_client = CertClient(connection) class cert_enroll(object): """ #This class will enroll the certificate. """ def __init__(self, sn_uid): """ Constructor """ # Enrolling an user certificate inputs = dict() inputs['cert_request_type'] = 'pkcs10'
def check(self): if not self.instance.exists(): logger.debug('Invalid instance: %s', self.instance.name) yield Result(self, constants.CRITICAL, msg='Invalid PKI instance: %s' % self.instance.name) return self.instance.load() ca = self.instance.get_subsystem('ca') if not ca: logger.info( "No CA configured, skipping dogtag CA connectivity check") return try: # Make a plain HTTP GET request to /ca/admin/ca/getStatus REST api end point # and check if the CA is ready if ca.is_ready(): logger.debug("CA instance is running") # Make a plain HTTPS GET to "find" one certificate, to test that # the server is up AND is able to respond back connection = PKIConnection(protocol='https', hostname='localhost', port='8443', verify=False) cert_client = CertClient(connection) cert = cert_client.list_certs(size=1) cert_info = cert.cert_data_info_list[0] if cert_info: # All we care is whether the serial_number is not NONE if cert_info.serial_number: logger.info("Serial number of retrieved cert: %s", cert_info.serial_number) yield Result(self, constants.SUCCESS, serial_number=cert_info.serial_number, subject_dn=cert_info.subject_dn) else: logger.info( "Serial number cannot retrieved for cert: %s", cert_info) yield Result( self, constants.ERROR, msg= "Unable to read serial number from retrieved cert", cert_info=cert_info, serverURI=connection.serverURI, cert_url=cert_client.cert_url) else: logger.info( "Request was made but none of the certs were retrieved" ) yield Result( self, constants.ERROR, msg= "PKI server is up. But, unable to retrieve any certs", serverURI=connection.serverURI, rest_path=cert_client.cert_url) else: yield Result(self, constants.CRITICAL, msg='CA subsystem is down') except BaseException as e: logger.error("Internal server error %s", e) yield Result(self, constants.CRITICAL, msg="Internal server error. Is your CA subsystem and " "LDAP database up?", instance_name=self.instance.name, exception="%s" % e)