def appendOtherCACerts(d, ca_cert):
if d['--other-ca-certs']:
ca_cert_content = open(cleanupAbsPath(ca_cert)).read()
for fname in d['--other-ca-certs'].split(','):
with open(fname) as infile:
content = infile.read()
if content not in ca_cert_content:
open(cleanupAbsPath(ca_cert), 'a').writelines(content)
ca_cert_content = open(cleanupAbsPath(ca_cert)).read()
def __init__(self, filename=None):
self.filename = filename
if self.filename is None:
self.filename = SERVER_OPENSSL_CNF_NAME
if os.path.exists(
os.path.join(DEFS['--dir'], 'katello_openssl.cnf')):
self.filename = os.path.join(DEFS['--dir'],
"katello_openssl.cnf")
elif os.path.exists(os.path.join(DEFS['--dir'], 'openssl.cnf')):
self.filename = os.path.join(DEFS['--dir'], "openssl.cnf")
self.filename = cleanupAbsPath(self.filename)
def genPrivateCaKey(password, d, verbosity=0, forceYN=0):
""" private CA key generation """
gendir(d['--dir'])
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
if not forceYN and os.path.exists(ca_key):
sys.stderr.write("""\
ERROR: a CA private key already exists:
%s
If you wish to generate a new one, use the --force option.
""" % ca_key)
sys.exit(errnoGeneralError)
args = ("/usr/bin/openssl genrsa -passout pass:%s %s -out %s 4096" %
('%s', CRYPTO, repr(cleanupAbsPath(ca_key))))
if verbosity >= 0:
print("Generating private CA key: %s" % ca_key)
if verbosity > 1:
print("Commandline:", args % "PASSWORD")
try:
rotated = rotateFile(filepath=ca_key, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" %
(d['--ca-key'], os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenPrivateCaKeyException("Certificate Authority private SSL "
"key generation failed:\n%s\n%s" %
(out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(ca_key, 0o600)
def genServerKey(d, verbosity=0):
""" private server key generation """
serverKeyPairDir = os.path.join(d['--dir'],
d['--set-hostname'])
gendir(serverKeyPairDir)
server_key = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-key']))
args = ("/usr/bin/openssl genrsa -out %s 2048"
% (repr(cleanupAbsPath(server_key))))
# generate the server key
if verbosity >= 0:
print("\nGenerating the web server's SSL private key: %s" % server_key)
if verbosity > 1:
print("Commandline:", args)
try:
rotated = rotateFile(filepath=server_key, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" % (d['--server-key'],
os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args)
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenServerKeyException("web server's SSL key generation failed:\n%s\n%s"
% (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(server_key, 0o600)
def genServerRpm(d, verbosity=0):
""" generates server's SSL key set RPM """
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
server_key_name = os.path.basename(d['--server-key'])
server_key = os.path.join(serverKeyPairDir, server_key_name)
server_cert_name = os.path.basename(d['--server-cert'])
server_cert = os.path.join(serverKeyPairDir, server_cert_name)
server_cert_req_name = os.path.basename(d['--server-cert-req'])
server_cert_req = os.path.join(serverKeyPairDir, server_cert_req_name)
server_rpm_name = os.path.basename(d['--server-rpm'])
server_rpm = os.path.join(serverKeyPairDir, server_rpm_name)
server_cert_dir = d['--server-cert-dir']
postun_scriptlet = os.path.join(d['--dir'], 'postun.scriptlet')
genServerRpm_dependencies(d)
if verbosity >= 0:
sys.stderr.write("\n...working...\n")
# check for new installed RPM.
# Work out the release number.
hdr = getInstalledHeader(server_rpm_name)
# find RPMs in the directory as well.
filenames = glob.glob("%s-[0-9]*.noarch.rpm" % server_rpm)
if filenames:
filename = sortRPMs(filenames)[-1]
h = get_package_header(filename)
if hdr is None:
hdr = h
else:
comp = hdrLabelCompare(h, hdr)
if comp > 0:
hdr = h
ver, rel = '1.0', '0'
if hdr is not None:
ver = str(hdr['version'].decode('utf-8'))
rel = str(hdr['release'].decode('utf-8'))
# bump the release - and let's not be too smart about it
# assume the release is a number.
if rel:
rel = str(int(rel) + 1)
description = SERVER_RPM_SUMMARY + """
Best practices suggests that this RPM should only be installed on the web
server with this hostname: %s
""" % d['--set-hostname']
# build the server RPM
args = [
'katello-certs-gen-rpm',
"--name %s --version %s --release %s --packager %s --vendor %s ",
"--group 'Applications/System' --summary %s --description %s --postun %s ",
server_cert_dir + "/private/%s:0600=%s ",
server_cert_dir + "/certs/%s=%s ", server_cert_dir + "/certs/%s=%s "
]
args = " ".join(args)
args = args % (repr(server_rpm_name), ver, rel, repr(d['--rpm-packager']),
repr(d['--rpm-vendor']), repr(SERVER_RPM_SUMMARY),
repr(description), repr(cleanupAbsPath(postun_scriptlet)),
repr(server_key_name), repr(
cleanupAbsPath(server_key)), repr(server_cert_req_name),
repr(cleanupAbsPath(server_cert_req)),
repr(server_cert_name), repr(cleanupAbsPath(server_cert)))
serverRpmName = "%s-%s-%s" % (server_rpm, ver, rel)
if verbosity >= 0:
print("""
Generating web server's SSL key pair/set RPM:
%s.src.rpm
%s.noarch.rpm""" % (serverRpmName, serverRpmName))
if verbosity > 1:
print("Commandline:", args)
if verbosity >= 4:
print('Current working directory:', os.getcwd())
print("Writing postun_scriptlet:", postun_scriptlet)
with open(postun_scriptlet, 'w') as scriptlet_fp:
scriptlet_fp.write(POST_UNINSTALL_SCRIPT)
_disableRpmMacros()
cwd = chdir(serverKeyPairDir)
try:
ret, out_stream, err_stream = rhn_popen(args)
finally:
chdir(cwd)
_reenableRpmMacros()
os.unlink(postun_scriptlet)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret or not os.path.exists("%s.noarch.rpm" % serverRpmName):
raise GenServerRpmException("web server's SSL key set RPM generation "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
os.chmod('%s.noarch.rpm' % serverRpmName, 0o600)
# write-out latest.txt information
latest_txt = os.path.join(serverKeyPairDir, 'latest.txt')
with open(latest_txt, 'w') as latest_fp:
latest_fp.write('%s.noarch.rpm\n' % os.path.basename(serverRpmName))
latest_fp.write('%s.src.rpm\n' % os.path.basename(serverRpmName))
os.chmod(latest_txt, 0o600)
if verbosity >= 0:
print("""
Deploy the server's SSL key pair/set RPM:
(NOTE: the Katello installer may do this step for you.)
The "noarch" RPM needs to be deployed to the machine working as a
web server, or RHN Satellite, or RHN Proxy.
Presumably %s.""" % repr(d['--set-hostname']))
return "%s.noarch.rpm" % serverRpmName
def genCaRpm(d, verbosity=0):
""" generates ssl cert RPM. """
ca_cert_path = d['--ca-cert-dir']
ca_cert_name = os.path.basename(d['--ca-cert'])
ca_cert = os.path.join(d['--dir'], ca_cert_name)
ca_cert_rpm_name = os.path.basename(d['--ca-cert-rpm'])
ca_cert_rpm = os.path.join(d['--dir'], ca_cert_rpm_name)
genCaRpm_dependencies(d)
appendOtherCACerts(d, ca_cert)
if verbosity >= 0:
sys.stderr.write("\n...working...")
# Work out the release number.
hdr = getInstalledHeader(ca_cert_rpm)
# find RPMs in the directory
filenames = glob.glob("%s-[0-9]*.noarch.rpm" % ca_cert_rpm)
if filenames:
filename = sortRPMs(filenames)[-1]
h = get_package_header(filename)
if hdr is None:
hdr = h
else:
comp = hdrLabelCompare(h, hdr)
if comp > 0:
hdr = h
ver, rel = '1.0', '0'
if hdr is not None:
ver = str(hdr['version'].decode('utf-8'))
rel = str(hdr['release'].decode('utf-8'))
# bump the release - and let's not be too smart about it
# assume the release is a number.
if rel:
rel = str(int(rel) + 1)
# build the CA certificate RPM
args = [
'katello-certs-gen-rpm', "--name %s", "--version %s", "--release %s",
"--packager %s", "--vendor %s", "--group 'Applications/System'",
"--summary %s", "--description %s",
os.path.join(ca_cert_path, "%s=%s")
]
args = " ".join(args)
args = args % ((repr(ca_cert_rpm_name), ver, rel, repr(
d['--rpm-packager']), repr(d['--rpm-vendor']),
repr(CA_CERT_RPM_SUMMARY), repr(CA_CERT_RPM_SUMMARY),
repr(ca_cert_name), repr(cleanupAbsPath(ca_cert))))
clientRpmName = '%s-%s-%s' % (ca_cert_rpm, ver, rel)
if verbosity >= 0:
print("""
Generating CA public certificate RPM:
%s.src.rpm
%s.noarch.rpm""" % (clientRpmName, clientRpmName))
if verbosity > 1:
print("Commandline:", args)
_disableRpmMacros()
cwd = chdir(d['--dir'])
try:
ret, out_stream, err_stream = rhn_popen(args)
except Exception:
chdir(cwd)
_reenableRpmMacros()
raise
chdir(cwd)
_reenableRpmMacros()
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret or not os.path.exists("%s.noarch.rpm" % clientRpmName):
raise GenCaCertRpmException("CA public SSL certificate RPM generation "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
os.chmod('%s.noarch.rpm' % clientRpmName, 0o644)
# write-out latest.txt information
latest_txt = os.path.join(d['--dir'], 'latest.txt')
with open(latest_txt, 'w') as latest_fp:
latest_fp.write('%s\n' % ca_cert_name)
latest_fp.write('%s.noarch.rpm\n' % os.path.basename(clientRpmName))
latest_fp.write('%s.src.rpm\n' % os.path.basename(clientRpmName))
os.chmod(latest_txt, 0o644)
if verbosity >= 0:
print("""
Make the public CA certficate publically available:
(NOTE: the Katello installer may do this step for you.)
The "noarch" RPM and raw CA certificate can be made publically accessible
by copying it to the /var/www/html/pub directory of your Katello server."""
)
return '%s.noarch.rpm' % clientRpmName
def _reenableRpmMacros():
mac = cleanupAbsPath('~/.rpmmacros')
macTmp = cleanupAbsPath('~/RENAME_ME_BACK_PLEASE-lksjdflajsd.rpmmacros')
if os.path.exists(macTmp):
os.rename(macTmp, mac)
def genServerCert(password, d, verbosity=0):
""" server cert generation and signing """
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
genServerCert_dependencies(password, d)
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert = os.path.join(d['--dir'], os.path.basename(d['--ca-cert']))
server_cert_req = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert-req']))
server_cert = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert']))
ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME)
index_txt = os.path.join(d['--dir'], 'index.txt')
serial = os.path.join(d['--dir'], 'serial')
purpose = d['--purpose']
try:
os.unlink(index_txt)
except OSError:
pass
# figure out the serial file and truncate the index.txt file.
ser = figureSerial(ca_cert, serial, index_txt)
# need to insure the directory declared in the ca_openssl.cnf
# file is current:
configFile = ConfigFile(ca_openssl_cnf)
configFile.updateDir()
args = (
"/usr/bin/openssl ca -extensions req_%s_x509_extensions -passin pass:%s -outdir ./ -config %s "
"-in %s -batch -cert %s -keyfile %s -startdate %s -days %s "
"-md %s -out %s" %
(purpose, '%s', repr(cleanupAbsPath(ca_openssl_cnf)),
repr(cleanupAbsPath(server_cert_req)), repr(cleanupAbsPath(ca_cert)),
repr(cleanupAbsPath(ca_key)), d['--startdate'],
repr(d['--cert-expiration']), MD, repr(cleanupAbsPath(server_cert))))
if verbosity >= 0:
print("\nGenerating/signing web server's SSL certificate: %s" %
d['--server-cert'])
if verbosity > 1:
print("Commandline:", args % 'PASSWORD')
try:
rotated = rotateFile(filepath=server_cert, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" %
(d['--server-cert'], os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
# signature for a mistyped CA password
if "unable to load CA private key" in err \
and "error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c" in err \
and "error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c" in err:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\nDid you mistype your CA password?")
else:
raise GenServerCertException(
"web server's SSL certificate generation/signing "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(server_cert, 0o644)
# cleanup duplicate XX.pem file:
pemFilename = os.path.basename(ser.upper() + '.pem')
if pemFilename != server_cert and os.path.exists(pemFilename):
os.unlink(pemFilename)
# cleanup the old index.txt file
try:
os.unlink(index_txt + '.old')
except OSError:
pass
# cleanup the old serial file
try:
os.unlink(serial + '.old')
except OSError:
pass
def genServerCertReq(d, verbosity=0):
""" private server cert request generation """
serverKeyPairDir = os.path.join(d['--dir'], d['--set-hostname'])
server_key = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-key']))
server_cert_req = os.path.join(serverKeyPairDir,
os.path.basename(d['--server-cert-req']))
server_openssl_cnf = os.path.join(serverKeyPairDir,
SERVER_OPENSSL_CNF_NAME)
genServerCertReq_dependencies(d)
# XXX: hmm.. should private_key, etc. be set for this before the write?
# either that you pull the key/certs from the files all together?
configFile = ConfigFile(server_openssl_cnf)
configFile.save(d, caYN=0, verbosity=verbosity)
# generate the server cert request
args = ("/usr/bin/openssl req -%s -text -config %s -new -key %s -out %s " %
(MD, repr(cleanupAbsPath(
configFile.filename)), repr(cleanupAbsPath(server_key)),
repr(cleanupAbsPath(server_cert_req))))
if verbosity >= 0:
print("\nGenerating web server's SSL certificate request: %s" %
server_cert_req)
print("Using distinguished names:")
for k in ('--set-country', '--set-state', '--set-city', '--set-org',
'--set-org-unit', '--set-hostname', '--set-email'):
print(' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]))
if verbosity > 1:
print("Commandline:", args)
try:
rotated = rotateFile(filepath=server_cert_req, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" %
(d['--server-cert-req'], os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args)
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenServerCertReqException(
"web server's SSL certificate request generation "
"failed:\n%s\n%s" % (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
# permissions:
os.chmod(server_cert_req, 0o600)
def genPublicCaCert(password, d, verbosity=0, forceYN=0):
""" public CA certificate (client-side) generation """
ca_key = os.path.join(d['--dir'], os.path.basename(d['--ca-key']))
ca_cert_name = os.path.basename(d['--ca-cert'])
ca_cert = os.path.join(d['--dir'], ca_cert_name)
ca_openssl_cnf = os.path.join(d['--dir'], CA_OPENSSL_CNF_NAME)
genPublicCaCert_dependencies(password, d, forceYN)
configFile = ConfigFile(ca_openssl_cnf)
if '--set-hostname' in d:
del d['--set-hostname']
configFile.save(d, caYN=1, verbosity=verbosity)
args = ("/usr/bin/openssl req -passin pass:%s -text -config %s "
"-new -x509 -days %s -%s -key %s -out %s" %
('%s', repr(cleanupAbsPath(configFile.filename)),
repr(d['--cert-expiration']), MD, repr(
cleanupAbsPath(ca_key)), repr(cleanupAbsPath(ca_cert))))
if verbosity >= 0:
print("\nGenerating public CA certificate: %s" % ca_cert)
print("Using distinguishing variables:")
for k in ('--set-country', '--set-state', '--set-city', '--set-org',
'--set-org-unit', '--set-common-name', '--set-email'):
print(' %s%s = "%s"' % (k, ' ' * (18 - len(k)), d[k]))
if verbosity > 1:
print("Commandline:", args % "PASSWORD")
try:
rotated = rotateFile(filepath=ca_cert, verbosity=verbosity)
if verbosity >= 0 and rotated:
print("Rotated: %s --> %s" %
(d['--ca-cert'], os.path.basename(rotated)))
except ValueError:
pass
cwd = chdir(_getWorkDir())
try:
ret, out_stream, err_stream = rhn_popen(args % repr(password))
finally:
chdir(cwd)
out = out_stream.read().decode('utf-8')
out_stream.close()
err = err_stream.read().decode('utf-8')
err_stream.close()
if ret:
raise GenPublicCaCertException(
"Certificate Authority public "
"SSL certificate generation failed:\n%s\n"
"%s" % (out, err))
if verbosity > 2:
if out:
print("STDOUT:", out)
if err:
print("STDERR:", err)
appendOtherCACerts(d, ca_cert)
latest_txt = os.path.join(d['--dir'], 'latest.txt')
with open(latest_txt, 'w') as latest_fp:
latest_fp.write("%s\n" % ca_cert_name)
# permissions:
os.chmod(ca_cert, 0o644)
os.chmod(latest_txt, 0o644)
