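    def addfile(self, name, contents):
        """Adds a new file to the CA repository and schedules it for addition.

        The file is only *scheduled*: the caller must call commit before
        closing the class or the file will never reach the repository.

        Args:
            name: path of the new file, relative to the repository. It is
                passed through self._checkName(), which is expected to reject
                uplevel references ('../') and non-existent directories and
                return the absolute path inside the working copy. The
                containment guarantee therefore lives entirely in
                _checkName() — do not bypass it.
            contents: text written verbatim to the new file.

        Returns:
            The absolute filename returned by self._checkName().

        Raises:
            ccs_ca_error: if the file could not be written; the original
                exception info is attached as the second argument.
        """
        filename = self._checkName(name)

        # Write the file to the working directory. 'with' guarantees the
        # handle is closed even if write() fails half way. Only Exception is
        # caught (not a bare 'except:') so KeyboardInterrupt/SystemExit are
        # not turned into a ccs_ca_error.
        try:
            with open(filename, "w") as fd:
                fd.write(contents)
        except Exception:
            raise ccs_ca_error("Could not write new file!", sys.exc_info())

        # Schedule it for addition (non-recursive add)
        client.svn_client_add(filename, False, self.ctx, self.pool)
        log_info("CA: Marked %s for addition to repository" % name)
        return filename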
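    def initConfFile(self):
        """Initialises the CA configuration file (ca.cnf) and svn-adds it.

        Writes an OpenSSL 'ca' configuration into self.rDir/ca.cnf, filling
        in the signing lifetime, the default organisation name and the CRL
        URL host from the daemon configuration, then schedules the file for
        addition. checkRepoStructure() only calls this when ca.cnf is
        absent, so existing repositories keep their current config.

        Security notes:
        - Signatures use sha256 and new keys default to 2048 bits. The
          earlier sha1 / 1024-bit defaults are rejected by current TLS
          stacks and are not considered safe for a CA.
        - The three interpolated values are copied into the config file
          verbatim. They come from the (admin-controlled) configuration
          rather than from remote input, but a value containing a newline
          would inject config directives; keep them to simple tokens.

        Reads:
            ca.signdays (default DEFAULT_SIGN_DAYS), network.site_name and
            network.domain (both required).
        """
        signdays = config_get("ca", "signdays", DEFAULT_SIGN_DAYS)
        site_name = config_get_required("network", "site_name")
        domain = config_get_required("network", "domain")

        conf_path = "%s/ca.cnf" % self.rDir
        # The template is a plain %-format string; every literal '%' in it
        # must stay doubled if one is ever added.
        conf_text = """#
# OpenSSL configuration file for the CRCnet Configuration System CA

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca              = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir                 = $ENV::CCS_CA_DIR      # Where everything is kept
certs               = $dir/certs            # Where the issued certs are kept
crl_dir             = $dir/crl              # Where the issued crl are kept
database            = $dir/index.txt        # database index file.
new_certs_dir       = $dir/certs            # default place for new certs.

certificate         = $dir/cacert.pem       # The CA certificate
private_key         = $dir/cakey.pem        # The private key
serial              = $dir/serial           # The current serial number
crlnumber           = $dir/crlnumber        # the current crl number
crl                 = $dir/crl.pem          # The current CRL
RANDFILE            = $dir/.rand            # private random number file

x509_extensions     = usr_cert              # The extentions to add to the cert
name_opt            = ca_default            # Subject Name options
cert_opt            = ca_default            # Certificate field options

default_days        = %s                    # how long to certify for
default_crl_days    = 30                    # how long before next CRL
default_md          = sha256                # which md to use.
preserve            = no                    # keep passed DN ordering

policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca  # Extensions to add to self signed certs
string_mask = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = NZ
countryName_min                 = 2
countryName_max                 = 2

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = %s

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = CRCnet Configuration System

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

# These extensions are added when 'ca' signs a request.
[ usr_cert ]
basicConstraints                = CA:FALSE

# nsCertType                    = server
# nsCertType                    = client

# This will be displayed in Netscape's comment listbox.
nsComment                       = "Signed by the CRCnet Configuration System"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer

nsRevocationUrl                 = https://%s/certs/crl.pem

# Extensions to add to a certificate request
[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

# CRL extensions.
[ crl_ext ]
authorityKeyIdentifier  = keyid:always,issuer:always
""" % (signdays, site_name, domain)

        # 'with' closes the handle even if the write fails part way
        with open(conf_path, "w") as fd:
            fd.write(conf_text)

        # Schedule the new config for addition (non-recursive)
        client.svn_client_add(conf_path, False, self.ctx, self.pool)
        log_info("CA: Initialised configuration file")
        return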
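    def checkRepoStructure(self):
        """Checks the repository has all the required infrastructure.

        CA itself (cannot be automatically created; missing = error)
        cacert.pem      The CA certificate
        cakey.pem       The CA private key

        The remaining infrastructure is automatically created if not present
        certs/          Signed certificates
        crl/            Certificate Revocation Lists (not created here)
        crlnumber       Current CRL serial number
        serial          Current certificate serial number
        index.txt       Certificate database (plus index.txt.attr)
        ca.cnf          CA Configuration File (via initConfFile)

        Anything created is svn-added and committed in a single revision,
        and the svn:ignore property for '*.old' is ensured on the root.

        Returns:
            None when nothing had to be changed or the session is read-only;
            otherwise the value of self.checkin() (the new revision number,
            judging by the log message printed when it is > 0).

        Raises:
            ccs_ca_error: if cacert.pem or cakey.pem is missing.
        """
        if self.mParentSession is None or self.mChangeset is None:
            log_warn("Cannot check repository structure on a read-only " \
                    "revision")
            return

        cacert = "%s/cacert.pem" % self.rDir
        cakey = "%s/cakey.pem" % self.rDir

        # Is the certification authority cert and key present?
        if not os.path.exists(cacert):
            raise ccs_ca_error("certificate not found in repository!")
        if not os.path.exists(cakey):
            raise ccs_ca_error("key not found in repository!")

        # The CA private key sits in a plain working copy. Warn (do not
        # fail, so existing deployments keep working) if anyone other than
        # the owner can access it. 0o077 masks the group/other rwx bits.
        if os.stat(cakey).st_mode & 0o077:
            log_warn("CA: %s is accessible by group/other; "
                     "restrict its permissions" % cakey)

        created = 0        # how many of the 4 auto-creatable items were made
        changed = False    # anything at all needs committing

        def write_and_add(path, text):
            """Create *path* with *text* and schedule it for addition."""
            with open(path, "w") as fd:
                fd.write(text)
            client.svn_client_add(path, False, self.ctx, self.pool)

        # Check for required directories
        certs_dir = "%s/certs" % self.rDir
        if not os.path.exists(certs_dir):
            # Storage directory for signed certificates needs creating
            ensureDirExists(certs_dir)
            client.svn_client_add(certs_dir, False, self.ctx, self.pool)
            created += 1
            log_info("CA: Certificate storage directory created")

        # Check for required files
        if not os.path.exists("%s/crlnumber" % self.rDir):
            # CRL number needs initialising
            write_and_add("%s/crlnumber" % self.rDir, "00\n")
            created += 1
            log_info("CA: CRL number initialised to 0x00")

        if not os.path.exists("%s/index.txt" % self.rDir):
            # Certificate list needs initialising; OpenSSL also expects the
            # .attr side file, an empty one selects its defaults.
            write_and_add("%s/index.txt" % self.rDir, "")
            write_and_add("%s/index.txt.attr" % self.rDir, "")
            created += 1
            log_info("CA: Certificate list initialised")

        if not os.path.exists("%s/serial" % self.rDir):
            # Serial number needs initialising
            write_and_add("%s/serial" % self.rDir, "00\n")
            created += 1
            log_info("CA: Serial number initialised to 0x00")

        if not os.path.exists("%s/ca.cnf" % self.rDir):
            # Configuration file needs initialising (svn-added by the callee)
            self.initConfFile()
            changed = True

        # Check svn:ignore is set
        if not self.hasIgnore(self.rDir, "*.old"):
            self.propadd(self.rDir, "svn:ignore", "*.old")
            changed = True

        if created == 0 and not changed:
            # All ok
            return

        if 0 < created < 4:
            # Warn if only some of the auto-created items were missing:
            # the repository was in a half-initialised state
            log_warn("CA: Initialised from incomplete state!")

        # Commit the changes
        r = self.checkin("Initialising Certificate Authority")
        if r > 0 :
            log_info("CA: Structure initialised in revision %s" % r)
        return r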