def create_root_certificate(ca_password, ca_crt_path, ca_key_path,
config_path):
"""
function : create root ca file
input : rand pass, dir path of certificates, config path
output : NA
"""
if not os.path.isfile(config_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] % config_path)
CommonTools.mkdir_with_mode(os.path.dirname(ca_crt_path),
Constant.AUTH_COMMON_DIR_STR)
CommonTools.mkdir_with_mode(os.path.dirname(ca_key_path),
Constant.AUTH_COMMON_DIR_STR)
ca_req_path = os.path.realpath(
os.path.join(os.path.dirname(ca_crt_path), Constant.CA_ROOT_REQ))
# create ca key file
cmd = "%s echo '%s' |openssl genrsa -aes256 -passout stdin -out %s 2048" % (
Constant.CMD_PREFIX, ca_password, ca_key_path)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, ca_key_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca root key file')
# 2 create ca req file
cmd = "%s echo '%s' | openssl req -new -out %s -key %s -config %s -passin stdin" % (
Constant.CMD_PREFIX, ca_password, ca_req_path, ca_key_path,
config_path)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, ca_req_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca root req file')
# 3 create ca crt file
cmd = "%s echo '%s' | openssl x509 -req -in %s " \
"-signkey %s -days %s -out %s -passin stdin" % (
Constant.CMD_PREFIX, ca_password, ca_req_path,
ca_key_path, Constant.CA_ROOT_VALID_DATE, ca_crt_path)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, ca_crt_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca root crt file')
CommonTools.remove_files([ca_req_path])
g.logger.info(
'Successfully generate ca root certificate, file path[%s].' %
ca_crt_path)
def get_rand_str():
"""
function: get random passwd
input: NA
output: passwd
"""
uppercmd = 'openssl rand -base64 12 | tr "[0-9][a-z]" "[A-Z]" | tr -d [/+=] |cut -c 1-3'
lowercmd = 'openssl rand -base64 12 | tr "[0-9][A-Z]" "[a-z]" | tr -d [/+=] |cut -c 1-4'
numcmd = 'openssl rand -base64 12 | md5sum | tr "[a-z]" "[0-9]" |cut -c 1-3'
strcmd = 'openssl rand -base64 48 | tr "[0-9][a-z][A-Z]" "[~@_#*]" | tr -d [/+=] |cut -c 1-1'
upper_code, upper_output, upper_error = CommonTools.get_status_output_error(
uppercmd)
lower_code, lower_output, lower_error = CommonTools.get_status_output_error(
lowercmd)
num_code, num_output, num_error = CommonTools.get_status_output_error(
numcmd)
str_code, str_output, str_error = CommonTools.get_status_output_error(
strcmd)
if any([upper_code, lower_code, num_code, str_code]):
raise Exception(Errors.EXECUTE_RESULT['gauss_0412'] %
str([upper_code, lower_code, num_code, str_code]))
rand_pwd = 'G' + upper_output.strip() + lower_output.strip() + \
num_output.strip() + str_output.strip()
if len(rand_pwd) == Constant.RANDOM_PASSWD_LEN:
return rand_pwd
rand_pwd = "G"
cmd_tuple = (uppercmd, lowercmd, numcmd, strcmd)
out_tuple = (upper_output.strip(), lower_output.strip(),
num_output.strip(), str_output.strip())
str_len = (3, 4, 3, 1)
for i in range(4):
if len(out_tuple[i]) != str_len[i]:
count = 0
while True:
count += 1
_, output, _ = CommonTools.get_status_output_error(
cmd_tuple[i])
if len(output.strip()) == str_len[i]:
rand_pwd += output.strip()
break
if count > 100:
raise Exception(Errors.EXECUTE_RESULT['gauss_0413'] %
(cmd_tuple[i], 'generate rand pwd'))
else:
rand_pwd += out_tuple[i].strip()
return rand_pwd
def create_ca_certificate_with_script(ca_password,
ssl_password,
ca_crt_path,
ca_key_path,
config_path,
out_crt_path,
out_key_path,
ip,
crt_type='server'):
"""
function : create server ca file or client ca file with shell script.
input : rand pass, dir path of certificates, config path
"""
if not os.path.isfile(config_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'config file:%s' % config_path)
if not os.path.isfile(ca_crt_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'ca crt file:%s' % ca_crt_path)
if not os.path.isfile(ca_key_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'ca key file:%s' % ca_key_path)
CommonTools.mkdir_with_mode(os.path.dirname(out_key_path),
Constant.AUTH_COMMON_DIR_STR)
CommonTools.mkdir_with_mode(os.path.dirname(out_crt_path),
Constant.AUTH_COMMON_DIR_STR)
ca_req_path = os.path.realpath(
os.path.join(os.path.dirname(ca_crt_path), Constant.CA_REQ))
pwd = "%s %s" % (ca_password, ssl_password)
script_path = os.path.join(os.path.dirname(os.path.realpath(__file__)),
'bin/gen_certificate.sh')
cmd = "unset LD_LIBRARY_PATH && echo '%s' | sh %s %s %s %s %s %s %s %s" % (
pwd, script_path, ca_crt_path, ca_key_path, out_crt_path,
out_key_path, ca_req_path, ip, crt_type)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca crt file' + output)
g.logger.info("Successfully generate %s ssl cert for node[%s]." %
(crt_type, ip))
def create_ca_certificate(ca_password,
ssl_password,
ca_crt_path,
ca_key_path,
config_path,
out_crt_path,
out_key_path,
ip,
crt_type='server'):
"""
function : create server ca file or client ca file.
input : rand pass, dir path of certificates, config path
output : NA
"""
if not os.path.isfile(config_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'config file:%s' % config_path)
if not os.path.isfile(ca_crt_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'ca crt file:%s' % ca_crt_path)
if not os.path.isfile(ca_key_path):
raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] %
'ca key file:%s' % ca_key_path)
CommonTools.mkdir_with_mode(os.path.dirname(out_key_path),
Constant.AUTH_COMMON_DIR_STR)
CommonTools.mkdir_with_mode(os.path.dirname(out_crt_path),
Constant.AUTH_COMMON_DIR_STR)
# create ca key file
cmd = "%s echo '%s' | openssl genrsa -aes256 -passout stdin -out %s 2048" % (
Constant.CMD_PREFIX, ssl_password, out_key_path)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, out_key_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca key file' + output)
ca_req_path = os.path.realpath(
os.path.join(os.path.dirname(ca_crt_path), Constant.CA_REQ))
# create ca req file
openssl_conf_env = "export OPENSSL_CONF=%s" % config_path
cmd = '%s %s && echo "%s" | openssl req -new -out %s -key %s ' \
'-passin stdin -subj "/C=CN/ST=Some-State/O=%s/CN=%s"' % (
Constant.CMD_PREFIX, openssl_conf_env, ssl_password,
ca_req_path, out_key_path, crt_type, ip)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, ca_req_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca req file' + output)
# create server or client ca crt file
cmd = '%s echo "%s" | openssl x509 -req -in %s -out %s -passin stdin ' \
'-sha256 -CAcreateserial -days %s -CA %s -CAkey %s' % (
Constant.CMD_PREFIX, ca_password, ca_req_path, out_crt_path,
Constant.CA_VALID_DATE, ca_crt_path, ca_key_path)
cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % (
Constant.AUTH_COMMON_FILE_STR, out_crt_path)
status, output = CommonTools.get_status_output_error(cmd, mixed=True)
if status != 0:
raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] %
'ca crt file')
CommonTools.remove_files([ca_req_path])
g.logger.info("Successfully generate %s ssl cert for node[%s]." %
(crt_type, ip))
