def get_cert_hashes(self, certauth, hostglobs=None):
certglob = "%s/*.cert" % (certauth.certroot)
certfiles = []
globs = "*"
if hostglobs:
globs = hostglobs
for hostglob in globs:
certglob = "%s/%s.cert" % (certauth.certroot, hostglob)
certfiles = certfiles + glob.glob(certglob)
cert_hashes = []
for certfile in certfiles:
cert = certs.retrieve_cert_from_file(certfile)
cert_hashes.append("%s-%s" % (cert.get_subject().CN, cert.subject_name_hash()))
return cert_hashes
def get_cert_hashes(self, hostglobs=None):
certglob = "%s/*.cert" % (self.cfg.certroot)
certfiles = []
globs = "*"
if hostglobs:
globs = hostglobs
for hostglob in globs:
certglob = "%s/%s.cert" % (self.cfg.certroot, hostglob)
certfiles = certfiles + glob.glob(certglob)
cert_hashes = []
for certfile in certfiles:
cert = certs.retrieve_cert_from_file(certfile)
cert_hashes.append("%s-%s" % (cert.get_subject().CN, cert.subject_name_hash()))
return cert_hashes
def __init__(self, conf_file=CERTMASTER_CONFIG):
self.cfg = read_config(conf_file, CMConfig)
usename = utils.get_hostname(talk_to_certmaster=False)
self.logger = logger.Logger().logger
self.audit_logger = logger.AuditLogger()
self.cakey = {}
self.cacert = {}
for (s_caname,a_ca) in self.cfg.ca.iteritems():
s_cadir = a_ca.cadir
if s_caname == "":
mycn = '%s-CA-KEY' % usename
else:
mycn = '%s-%s-CA-KEY' % (s_caname.upper(),usename)
s_ca_key_file = '%s/certmaster.key' % s_cadir
s_ca_cert_file = '%s/certmaster.crt' % s_cadir
# if ca_key_file exists and ca_cert_file is missing == minion only setup
if os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
continue
try:
if not os.path.exists(s_cadir):
os.makedirs(s_cadir)
if not os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file, hash_function=a_ca.hash_function)
except (IOError, OSError), e:
print 'Cannot make certmaster certificate authority keys/certs for CA %s, aborting: %s' % (s_caname, e)
sys.exit(1)
# open up the cakey and cacert so we have them available
a_ca.cakey = certs.retrieve_key_from_file(s_ca_key_file)
a_ca.cacert = certs.retrieve_cert_from_file(s_ca_cert_file)
for dirpath in [a_ca.cadir, a_ca.certroot, a_ca.csrroot, a_ca.csrroot]:
if not os.path.exists(dirpath):
os.makedirs(dirpath)
class CertMaster(object):
def __init__(self, conf_file=CERTMASTER_CONFIG):
self.cfg = read_config(conf_file, CMConfig)
usename = utils.get_hostname(talk_to_certmaster=False)
mycn = '%s-CA-KEY' % usename
self.ca_key_file = '%s/certmaster.key' % self.cfg.cadir
self.ca_cert_file = '%s/certmaster.crt' % self.cfg.cadir
self.logger = logger.Logger().logger
self.audit_logger = logger.AuditLogger()
# if ca_key_file exists and ca_cert_file is missing == minion only setup
if os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
return
try:
if not os.path.exists(self.cfg.cadir):
os.makedirs(self.cfg.cadir)
if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
except (IOError, OSError), e:
print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
sys.exit(1)
# open up the cakey and cacert so we have them available
self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)
for dirpath in [self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot]:
if not os.path.exists(dirpath):
os.makedirs(dirpath)
# setup handlers
self.handlers = {
'wait_for_cert': self.wait_for_cert,
}
oldsha = hashlib.new(certauth.hash_function)
oldsha.update(oldcsrbuf)
olddig = oldsha.hexdigest()
newsha = hashlib.new(certauth.hash_function)
newsha.update(csrbuf)
newdig = newsha.hexdigest()
if not newdig == olddig:
self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host))
# XXX raise a proper fault
return False, '', '', ret_warning
# look for a cert:
# if we have it, then return True, etc, etc
if os.path.exists(certfile):
slavecert = certs.retrieve_cert_from_file(certfile)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert)
if with_triggers:
self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf, ret_warning
# if we don't have a cert then:
# if we're autosign then sign it, write out the cert and return True, etc, etc
# else write out the csr
if certauth.autosign:
cert_fn = self.sign_this_csr(csrreq,certauth)
cert = certs.retrieve_cert_from_file(cert_fn)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert)
oldsha = hashlib.new('sha1')
oldsha.update(oldcsrbuf)
olddig = oldsha.hexdigest()
newsha = hashlib.new('sha1')
newsha.update(csrbuf)
newdig = newsha.hexdigest()
if not newdig == olddig:
self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host))
# XXX raise a proper fault
return False, '', ''
# look for a cert:
# if we have it, then return True, etc, etc
if os.path.exists(certfile):
slavecert = certs.retrieve_cert_from_file(certfile)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
if with_triggers:
self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf
# if we don't have a cert then:
# if we're autosign then sign it, write out the cert and return True, etc, etc
# else write out the csr
if self.cfg.autosign:
cert_fn = self.sign_this_csr(csrreq)
cert = certs.retrieve_cert_from_file(cert_fn)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
