def sing_req_by_server(id_client_req, cert_path, data_path, auto = False): server_cert = cert_path + '/root.crt' server_key = cert_path + '/root.key' if id_client_req: try: int (id_client_req) except: print _("The certificate number must be int") return 1 cl_req = data_path + '/client_certs/%s.csr' %id_client_req cl_cert = data_path + '/client_certs/%s.crt' %id_client_req if not os.path.exists(cl_req): print _("Signature request %s not found") %cl_req return 1 if os.path.exists(cl_cert): print _("Certificate %s now exists") %cl_cert return 1 if auto: group_name = "all" else: group_name = "%s" %raw_input \ (_("Enter the group of the new certificate "\ "(group name or 'all'): ")) config = data_path + '/client_certs/ssl-client.cfg' if os.path.exists(config): os.unlink(config) from M2Crypto import X509, EVP sr_cert = X509.load_cert(server_cert) sr_key_inst = EVP.load_key(server_key) cl_req_inst = X509.load_request(cl_req) from create_cert import makeCert cl_cert_inst = makeCert(cl_req_inst, sr_key_inst, sr_cert.get_issuer(), client_cert = True, group = group_name) cl_cert_inst.save_pem(cl_cert) #print 'startdate = ', startdate #cfg_text = (#"[ ssl_client ]\n" #"basicConstraints = CA:FALSE\n" #"nsCertType = client\n" #"keyUsage = digitalSignature, keyEncipherment\n" #"extendedKeyUsage = clientAuth\n" #"nsComment = %s\n" %group) #print 'config = ', cfg_text #fc = open(config, 'w') #fc.write(cfg_text) #fc.close() #cmd=("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial " #"-extfile %s -extensions ssl_client -in %s -out %s") \ #%(server_cert, server_key, config, cl_req, cl_cert) #print cmd #PIPE = subprocess.PIPE #p = subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, #stderr=subprocess.STDOUT, close_fds=True) #p.wait() if os.path.exists(cl_cert): print _("Certificate %s is signed") %cl_cert else: print _("Certificate %s has not been signed") %cl_cert return 0
def check_server_certificate(cert, key, cert_path, args, port, auto = False): if not os.path.isdir(cert_path): os.makedirs(cert_path) # generate a root certificate if args.gen_root_cert: if auto: c = 'n' else: c = raw_input (_("Enter the certificate date manually? [y]/n: ")) from M2Crypto import X509 name = X509.X509_Name() ob = DataVarsCore() ob.importCore() if not ob.flIniFile(): sys.exit(1) lang = ob.Get('os_locale_locale')[:2] host_name = socket.getfqdn() if c.lower() in ['n', 'no']: name.CN = host_name #(Common Name); name.OU = 'www.calculate-linux.ru' # (Organization Unit); name.O = 'calculate-linux'# (Organization Name); name.L = host_name+':'+str(port) # (Locality Name); name.ST = 'Spb'# (State Name); name.C = lang # (Country); else: print _('Do not use spaces or tabs.') host_name = socket.getfqdn() name.CN = raw_input (_('Hostname [%s] : ') %host_name) if name.CN in ['', None]: name.CN = host_name name.OU = raw_input (_('Organization unit: ')) if not name.OU: name.OU = '' else: name.OU.replace(' ', '_').replace('\t', '_') name.O = raw_input (_('Organization name: ')) if not name.O: name.O = '' else: name.O.replace(' ', '_').replace('\t', '_') network = _('Full network address (host:port)') name.L = raw_input (network + ' [%s:%d]: ' \ %(host_name, port)) if name.L in ['', None]: name.L = host_name + ':' + str(port) name.ST = raw_input (_('City: ')) if not name.ST: name.ST = '' else: name.ST.replace(' ', '_').replace('\t', '_') name.C = raw_input (_('Country (two letters only!) [%s]: ') %lang) if not name.C: name.C = lang from create_cert import passphrase_callback, generateRSAKey, \ makePKey, makeCert # Generating public key rsa = generateRSAKey() rsa.save_key(cert_path+'/root.key'+'_pub', cipher = None, \ callback=passphrase_callback) # Generating private key pkey = makePKey(rsa) pkey.save_key(cert_path+'/root.key', cipher = None, \ callback=passphrase_callback) # Generating request # req = makeRequest(rsa, pkey, host_name, port) req = X509.Request() req.set_version(req.get_version()) req.set_pubkey(pkey) req.set_subject_name(name) ext1 = X509.new_extension('Comment', 'Auto Generated') extstack = X509.X509_Extension_Stack() extstack.push(ext1) req.add_extensions(extstack) req.sign(pkey, 'md5') req.save_pem(cert_path + '/root.csr') # Generating Certificate cert = makeCert(req, pkey, name) cert.save_pem(cert_path + '/root.crt') # add certificate in trusted fd = open(cert_path+'/ca_root.crt', 'a') try: fd.write(open(cert_path+'/root.crt', 'r').read()) except: print _('error writing to (reading from) files in directory %s') \ %cert_path fd.close() print _("OK") # use self root certificate as server certificate elif args.use_root_cert: if not os.path.exists(cert_path+'/root.crt'): print _('root certificate not found (use cl-core with ' 'option --gen-root-cert)') return 1 print _('Using the root certificate as the server certificate') # use root certificate as server certificate ft = open(cert_path+'/root.crt', 'rb') fd = open(cert_path+'/server.crt', 'wb') ft.seek(0) fd.write(ft.read()) ft.close() fd.close() ft = open(cert_path+'/root.key', 'rb') fd = open(cert_path+'/server.key', 'wb') ft.seek(0) fd.write(ft.read()) ft.close() fd.close() print _("OK") return 0 # send a certificate signing request to another server elif args.host: port = args.port if args.port else 8888 url = "https://%s:%d/?wsdl" %(args.host, port) print url + '\n' + _("connecting...") from sudsds.client import Client from client_class import HTTPSClientsCertTransport from urllib2 import URLError try: client = Client(url, \ transport = HTTPSClientsCertTransport(None, None, None)) except (KeyboardInterrupt, URLError): print '\n'+_("Close. Connection Error.") return 1 serv_host_name = client.service.get_server_host_name() if os.path.exists(key) and os.path.exists(cert_path + '/server.csr'): print _("the private key and request now exist") ask = raw_input(_("Create a new private key and request?")+\ " y/[n]: ") if ask.lower() in ['y','yes']: new_key_req(key, cert_path, serv_host_name, port) else: new_key_req(key, cert_path, serv_host_name, port) ip = getIpLocal() mac = getHwAddr() data = open(cert_path + '/server.csr').read() res = client.service.post_server_request(request = data, ip = ip,\ mac = mac) if int(res) < 0: print _("This server is not enabled to sign certificates!") return 1 fc = open(cert_path + '/req_id', 'w') fc.write(res) fc.close() print _("Your request ID = %s") %res return 0 # get a signed certificate from another server elif args.root_host: if not os.path.exists(cert_path + '/req_id'): print _("request not sent or file %s deleted") \ %(cert_path + '/req_id') return 1 fc = open(cert_path + '/req_id', 'r') req_id = fc.read() fc.close() port = args.port if args.port else 8888 url = "https://%s:%d/?wsdl" %(args.root_host, port) print url + '\n' + _("connecting...") from sudsds.client import Client from client_class import HTTPSClientsCertTransport try: client = Client(url, \ transport = HTTPSClientsCertTransport(None, None, None)) except KeyboardInterrupt: print '\n'+_("Close. Connection Error.") request = open(cert_path + '/server.csr').read() md5 = hashlib.md5() md5.update(request) md5sum = md5.hexdigest() result = client.service.get_server_cert(req_id, md5sum) cert = result[0][0] ca_root = result[0][1] if cert == '1': print _('The signature request was rejected!') return 1 elif cert == '2': print _("The signature request has not been examined yet.") print _("Your request ID = %s") %req_id return 1 elif cert == '3': print _('The signature request does not match earlier data.') return 1 elif cert == '4': print _("The request was sent from another IP.") return 1 fc = open(cert_path + '/server.crt', 'w') fc.write(cert) fc.close() os.unlink(cert_path + '/req_id') print _('Certificate saved. Your certificate ID = %s') %req_id fd = open(cert_path + '/ca_root.crt', 'w') if ca_root: fd.write(ca_root) #fd.write(cert) if os.path.exists(cert_path + '/ca_root.crt'): fd.write(open(cert_path + '/ca_root.crt', 'r').read()) fd.close() return 0