def sing_req_by_server(id_client_req, cert_path, data_path, auto = False):
server_cert = cert_path + '/root.crt'
server_key = cert_path + '/root.key'
if id_client_req:
try:
int (id_client_req)
except:
print _("The certificate number must be int")
return 1
cl_req = data_path + '/client_certs/%s.csr' %id_client_req
cl_cert = data_path + '/client_certs/%s.crt' %id_client_req
if not os.path.exists(cl_req):
print _("Signature request %s not found") %cl_req
return 1
if os.path.exists(cl_cert):
print _("Certificate %s now exists") %cl_cert
return 1
if auto:
group_name = "all"
else:
group_name = "%s" %raw_input \
(_("Enter the group of the new certificate "\
"(group name or 'all'): "))
config = data_path + '/client_certs/ssl-client.cfg'
if os.path.exists(config):
os.unlink(config)
from M2Crypto import X509, EVP
sr_cert = X509.load_cert(server_cert)
sr_key_inst = EVP.load_key(server_key)
cl_req_inst = X509.load_request(cl_req)
from create_cert import makeCert
cl_cert_inst = makeCert(cl_req_inst, sr_key_inst, sr_cert.get_issuer(),
client_cert = True, group = group_name)
cl_cert_inst.save_pem(cl_cert)
#print 'startdate = ', startdate
#cfg_text = (#"[ ssl_client ]\n"
#"basicConstraints = CA:FALSE\n"
#"nsCertType = client\n"
#"keyUsage = digitalSignature, keyEncipherment\n"
#"extendedKeyUsage = clientAuth\n"
#"nsComment = %s\n" %group)
#print 'config = ', cfg_text
#fc = open(config, 'w')
#fc.write(cfg_text)
#fc.close()
#cmd=("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial "
#"-extfile %s -extensions ssl_client -in %s -out %s") \
#%(server_cert, server_key, config, cl_req, cl_cert)
#print cmd
#PIPE = subprocess.PIPE
#p = subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE,
#stderr=subprocess.STDOUT, close_fds=True)
#p.wait()
if os.path.exists(cl_cert):
print _("Certificate %s is signed") %cl_cert
else:
print _("Certificate %s has not been signed") %cl_cert
return 0
def check_server_certificate(cert, key, cert_path, args, port, auto = False):
if not os.path.isdir(cert_path):
os.makedirs(cert_path)
# generate a root certificate
if args.gen_root_cert:
if auto:
c = 'n'
else:
c = raw_input (_("Enter the certificate date manually? [y]/n: "))
from M2Crypto import X509
name = X509.X509_Name()
ob = DataVarsCore()
ob.importCore()
if not ob.flIniFile():
sys.exit(1)
lang = ob.Get('os_locale_locale')[:2]
host_name = socket.getfqdn()
if c.lower() in ['n', 'no']:
name.CN = host_name #(Common Name);
name.OU = 'www.calculate-linux.ru' # (Organization Unit);
name.O = 'calculate-linux'# (Organization Name);
name.L = host_name+':'+str(port) # (Locality Name);
name.ST = 'Spb'# (State Name);
name.C = lang # (Country);
else:
print _('Do not use spaces or tabs.')
host_name = socket.getfqdn()
name.CN = raw_input (_('Hostname [%s] : ') %host_name)
if name.CN in ['', None]:
name.CN = host_name
name.OU = raw_input (_('Organization unit: '))
if not name.OU:
name.OU = ''
else:
name.OU.replace(' ', '_').replace('\t', '_')
name.O = raw_input (_('Organization name: '))
if not name.O:
name.O = ''
else:
name.O.replace(' ', '_').replace('\t', '_')
network = _('Full network address (host:port)')
name.L = raw_input (network + ' [%s:%d]: ' \
%(host_name, port))
if name.L in ['', None]:
name.L = host_name + ':' + str(port)
name.ST = raw_input (_('City: '))
if not name.ST:
name.ST = ''
else:
name.ST.replace(' ', '_').replace('\t', '_')
name.C = raw_input (_('Country (two letters only!) [%s]: ') %lang)
if not name.C:
name.C = lang
from create_cert import passphrase_callback, generateRSAKey, \
makePKey, makeCert
# Generating public key
rsa = generateRSAKey()
rsa.save_key(cert_path+'/root.key'+'_pub', cipher = None, \
callback=passphrase_callback)
# Generating private key
pkey = makePKey(rsa)
pkey.save_key(cert_path+'/root.key', cipher = None, \
callback=passphrase_callback)
# Generating request
# req = makeRequest(rsa, pkey, host_name, port)
req = X509.Request()
req.set_version(req.get_version())
req.set_pubkey(pkey)
req.set_subject_name(name)
ext1 = X509.new_extension('Comment', 'Auto Generated')
extstack = X509.X509_Extension_Stack()
extstack.push(ext1)
req.add_extensions(extstack)
req.sign(pkey, 'md5')
req.save_pem(cert_path + '/root.csr')
# Generating Certificate
cert = makeCert(req, pkey, name)
cert.save_pem(cert_path + '/root.crt')
# add certificate in trusted
fd = open(cert_path+'/ca_root.crt', 'a')
try:
fd.write(open(cert_path+'/root.crt', 'r').read())
except:
print _('error writing to (reading from) files in directory %s') \
%cert_path
fd.close()
print _("OK")
# use self root certificate as server certificate
elif args.use_root_cert:
if not os.path.exists(cert_path+'/root.crt'):
print _('root certificate not found (use cl-core with '
'option --gen-root-cert)')
return 1
print _('Using the root certificate as the server certificate')
# use root certificate as server certificate
ft = open(cert_path+'/root.crt', 'rb')
fd = open(cert_path+'/server.crt', 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
ft = open(cert_path+'/root.key', 'rb')
fd = open(cert_path+'/server.key', 'wb')
ft.seek(0)
fd.write(ft.read())
ft.close()
fd.close()
print _("OK")
return 0
# send a certificate signing request to another server
elif args.host:
port = args.port if args.port else 8888
url = "https://%s:%d/?wsdl" %(args.host, port)
print url + '\n' + _("connecting...")
from sudsds.client import Client
from client_class import HTTPSClientsCertTransport
from urllib2 import URLError
try:
client = Client(url, \
transport = HTTPSClientsCertTransport(None, None, None))
except (KeyboardInterrupt, URLError):
print '\n'+_("Close. Connection Error.")
return 1
serv_host_name = client.service.get_server_host_name()
if os.path.exists(key) and os.path.exists(cert_path + '/server.csr'):
print _("the private key and request now exist")
ask = raw_input(_("Create a new private key and request?")+\
" y/[n]: ")
if ask.lower() in ['y','yes']:
new_key_req(key, cert_path, serv_host_name, port)
else:
new_key_req(key, cert_path, serv_host_name, port)
ip = getIpLocal()
mac = getHwAddr()
data = open(cert_path + '/server.csr').read()
res = client.service.post_server_request(request = data, ip = ip,\
mac = mac)
if int(res) < 0:
print _("This server is not enabled to sign certificates!")
return 1
fc = open(cert_path + '/req_id', 'w')
fc.write(res)
fc.close()
print _("Your request ID = %s") %res
return 0
# get a signed certificate from another server
elif args.root_host:
if not os.path.exists(cert_path + '/req_id'):
print _("request not sent or file %s deleted") \
%(cert_path + '/req_id')
return 1
fc = open(cert_path + '/req_id', 'r')
req_id = fc.read()
fc.close()
port = args.port if args.port else 8888
url = "https://%s:%d/?wsdl" %(args.root_host, port)
print url + '\n' + _("connecting...")
from sudsds.client import Client
from client_class import HTTPSClientsCertTransport
try:
client = Client(url, \
transport = HTTPSClientsCertTransport(None, None, None))
except KeyboardInterrupt:
print '\n'+_("Close. Connection Error.")
request = open(cert_path + '/server.csr').read()
md5 = hashlib.md5()
md5.update(request)
md5sum = md5.hexdigest()
result = client.service.get_server_cert(req_id, md5sum)
cert = result[0][0]
ca_root = result[0][1]
if cert == '1':
print _('The signature request was rejected!')
return 1
elif cert == '2':
print _("The signature request has not been examined yet.")
print _("Your request ID = %s") %req_id
return 1
elif cert == '3':
print _('The signature request does not match earlier data.')
return 1
elif cert == '4':
print _("The request was sent from another IP.")
return 1
fc = open(cert_path + '/server.crt', 'w')
fc.write(cert)
fc.close()
os.unlink(cert_path + '/req_id')
print _('Certificate saved. Your certificate ID = %s') %req_id
fd = open(cert_path + '/ca_root.crt', 'w')
if ca_root:
fd.write(ca_root)
#fd.write(cert)
if os.path.exists(cert_path + '/ca_root.crt'):
fd.write(open(cert_path + '/ca_root.crt', 'r').read())
fd.close()
return 0
